The Cloud Transformation and the De-Emphasis of Servers
Enterprises’ move to the cloud brings the potential for improved security and reliability, but it also can cause unease for some IT professionals who are accustomed to operating servers. Effective workload security can provide the foundation for successful cloud transformation.
Servers have long been considered the foundational element of IT.
IT pros are used to operating and maintaining servers. In many cases, their professional identity is strongly linked to their server expertise.
As technology evolves, though, it is time for IT professionals who retain a server-hugging mindset to accept and embrace the new reality. To borrow a phrase from Fred Kost of HyTrust, workloads are the new atomic unit of IT. Workloads have the computing, software, data and networking capabilities necessary to perform a desired function.
This cloud-driven evolution can be unsettling for some IT professionals who are much more comfortable knowing where systems are running. While cloud adoption has been rising – the global public cloud market will be US $146 billion in 2017, up from $87 billion in 2015, according to Forrester [1] – that old-school mentality, combined with a variety of privacy and regulatory challenges, has given some organizations pause about retooling their IT infrastructure.
With few exceptions, enterprises with fewer than 1,000 employees that are not seriously considering moving 100 percent of their operation to the public cloud are missing the mark. Major cloud providers are equipped to provide a level of reliability, security and business continuity with which smaller companies are unable to compete.
Workload security is the key element in the cloud transformation. It can eliminate privileged account misuse, halt data breaches, remove costly infrastructure gaps and stop accidental downtime. The privileged user component can have an especially profound impact. Without the proper workload security, privileged users have the ability to move workloads around or even delete thousands of them in one fell swoop. A bank that would not permit an individual admin to write a $100 check could allow that same person to essentially topple the bank’s production systems in a matter of seconds, highlighting the need for sound administrative controls – such as the ones determined by following the COBIT framework – to be in place.
Containers – rapidly becoming the new normal – will be key to how these workloads function. Containerization is becoming popular among developers and data centers as a method to separate an application from the operating system and the physical infrastructure that it uses to connect to the network. Containers have similarities to virtual machines but do not each contain a copy of the operating system like a virtual machine does. This means they can be started and stopped much more quickly than virtual machines. Containers often exist for short durations, sometimes seconds, and like virtual machines, they move around.
Once enterprises opt to move to the cloud, there are important decisions to make, such as which type of cloud provider – public, private, hybrid, multicloud – best fits the organization’s needs. It may not be easy to migrate an enterprise’s data from one provider to another, so organizations should be careful to avoid becoming locked into a vendor that is not the right fit.
It is also necessary to understand where the service provider’s responsibility ends and the enterprise’s responsibility begins relative to security and reliability. Details such as agreeing on the notification and severity level for incident management and understanding how business continuity and disaster recovery plans align must be clearly defined.
Another critical choice is who controls and manages the encryption keys. At first blush, many would think the company, not the cloud provider, should own the keys. Not so fast. What’s a more likely risk – that a seasoned cloud provider managing the keys will fail to safeguard the data and the keys, or that the enterprise will lose its keys and be unable to access its data? For many small businesses, the better option might be to let the cloud provider manage the keys. Larger organizations with strong key management capabilities are likely to want control over the keys.
Moving to the cloud can improve an enterprise’s IT efficiency and security, but the decision must be made thoughtfully. We’re rapidly moving toward an IT landscape that will be reliant on continuous security monitoring and continuous auditing – all of it automated. The roles of technology professionals will continue drifting away from maintaining servers and toward ensuring the automation is functioning correctly.
[1] Forrester, Predictions 2017: Customer-Obsessed Enterprises Launch Cloud’s Second Decade, November 2016