ITCOMO

OK, first a little blurb on the etymology of the word "cloud" as it applies to computing. If you've read many of my articles then you know how much I love to open with a bit of history and primer.

 

Engineers that design and describe networks -- that is, how computers and other devices connect to each other, may draw a diagram that shows all these devices and how they are connected. Within the area under direct organizational control; the computers, printers, networking devices, and interconnects are generally specified and drawn. You can see how everything connects.

​

But areas of a network outside of an organization's control, such as the internet, are often drawn as a puffy cloud. That cloud signifies a segment of the connection that "just works" and knowing the details of that segment aren't always necessary or relevant.

​

The cloud, from that perspective, is simply a utility to be tapped, not too unlike how the public water supply works. You turn a faucet handle and water comes out. You, personally, aren't particularly interested in how that water got to your faucet.

​

Early cloud

​

Let's take that idea further. In the old days of the internet, in order to use email, a company had to set up and maintain an onsite email server. All incoming and outgoing email passed through that company-owned server.

 

Today, pretty much only large corporations run their own email servers. Small and medium sized businesses use email servers, such as Microsoft Exchange or Google Workspace, that are located in large data centers. These customers don't know or care about how that data center is run, so long as its secure and reliable -- that it "just works".

​

This makes email one of the earliest cloud applications. Since the very nature of email is communicating with other people, then locating that system on a cloud server makes some sense.

​​

This discussion centers around business computer use. Although the facts discussed could apply to personal-use cloud services as well.

​

Cloud Service Providers (CSP)

​​

These are companies that provide "Software as a Service", often abbreviated in the I.T. world as "SaaS".

​

What's that, you ask?

​

SaaS is software that is centrally hosted and accessed over the internet, typically through a web browser rather than installed locally. Unlike most traditional software, SaaS operates on a subscription basis, providing software makers with more predictable revenue while also enabling continuous updates and scalability.

 

While the subscription model was a strong business driver, SaaS emerged due to advancements that made cloud-based software delivery more practical and efficient for some use-cases.

​​​​

But the "cloud" isn't the panacea that some cloud pundits might imply, especially those that offer cloud services, funnily enough. Cloud services have their downsides that must be considered.

​​​

Such as...

​

More Costly

​

Cloud Service Providers (CSPs) are all subscription-based. You'll pay monthly or yearly fees, generally per user or based on how much of the cloud service you make use of, depending on the service. These fees can be pretty high, sometimes far exceeding the cost of essentially similar functionality as a local implementation, assuming a local solution is available. Sometimes there isn't.

​

Leaving a CSP

​

Another aspect of cost is disentanglement. If you become dissatisfied with your cloud-service provider for whatever reason (cost escalation, feature/need misalignment, performance decline, up-time issues, CSP change of strategy, etc.) then leaving could be an arduous affair.

​

Just like gym memberships, where signing-up is a cinch, but leaving almost requires an act of congress, so to can a CSP make leaving painful. They can do this by making it difficult to export your data (numerous ways they can do that) and charging steep exit fees.

​

Loss of data autonomy

​

Depending on the service, your critical company data might be stored in a data center somewhere, possibly in another country. It takes a lot of faith to entrust your data to some cloud provider. How good are their internal and external access controls and security? If in another country, what are that country's privacy laws?

Dependency on internet

​

By definition, cloud solutions require internet access to work. Granted, we all have internet pretty much all the time, so this isn't a biggie. But if your internet is down for some reason, then whatever you do that's hosted on a cloud service will not work. If that need is critical, and it probably is, then you'd want a secondary internet provider as a fail-over. That costs money.

​

Performance penalty

​​

Performance can suffer for several reasons, most of which are outside your control.

​

CSPs can be "over subscribed" (too many customers sharing too few resources), meaning that performance suffers. This translates to slow web page loads, slow data-fetches on the service, and other ways that it's not snappy and responsive. The CSPs primary imperative is profits. Adding more resources to reduce over-subscription, or conversely, not accepting as many tenants, runs counter to that imperative. 

 

They'll generally try not to over-subscribe their servers too badly, after all, they don't want a bunch of customers tying up their support lines complaining. But you can be sure they'll operate right at the edge and sometimes over the edge.

​

Another source of slowdown is that modern web interfaces are far more complex than older, lightweight interfaces. Modern web apps rely on heavy JavaScript frameworks and dynamic rendering, which increases load times. I'm sure you've noticed how some websites are more sluggish while others not so much.

​

Case in point: I have symmetric gigabit fiber with 1ms latency and a hardwired, high-end workstation -- by any measure, a performance-oriented set up. I'm an I.T. guy, after all. Yet, UPS and FedEx, two websites I use frequently, are slower than molasses in January. Page loads take several seconds each. Verizon Wireless, my former mobile provider, was even worse. That site was nearly unusable, it was that bad. That's because these web pages were laden with code and assets that took forever to render. This is what many web UIs are like today.

By contrast, locally executed compiled code -- like that in a native, non-web-served product -- is much faster because it runs directly on the hardware without the overhead of browser rendering and internet latency.

​​

Poor internet performance specs (from your ISP) can also hurt your cloud-based experience. In most maarkets, businesses pay considerably more for internet access than do residential customers. A traffic-heavy cloud service could require you to upgrade to faster internet which could be costly.

​​

And getting more download speed isn't necessarily the answer, either. Cloud-services can make heavy use of upload. Most non-fiber ISPs limit upload speeds to a small fraction of the download speed. Getting high upload speeds could require a costly "dedicated" symmetric service with your ISP.

​

With on-premises systems (file server, CRM, database, whatever), your access speeds are far higher, running at LAN speeds, which is usually 1 gigabit. Local latency is also lower, resulting in quicker I/O from your server.

​

Subcontracted players

​

Your CSP likely doesn't even own the infrastructure they are renting out to you. Except for the largest players, most CSPs of specific, niche products, like that HR system you might be using, are themselves renting space from the big guys, like Amazon Web Services, Microsoft Azure, and Oracle Cloud, to name a few. These big players are called Hyperscale Cloud Providers. They provide wholesale cloud services to smaller players.

 

Additionally, different components of the full technology stack needed to make your CSP's product work are likely owned and operated by even more companies you've never heard of.

​

This isn't necessarily a bad thing but it is cause for pause and ponder. It illustrates how incredibly complex the world of cloud computing can be. Each of these numerous companies have their own strategies and roadmaps for the future which can affect your cloud product going forward.

​

Mergers, acquisitions, buyouts, strategic change, etc. are a constant feature of this industry. This industry roiling will certainly affect you at some point.

​​

Data integrity

​

One (of many) mistakes uninformed users make is assuming they don't need to backup their cloud-based data. "Hey, my files are in a big data center. Certainly they perform backups."

 

Um, not necessarily. To be sure, big CSPs do some backing up. But those backups are for the providers redundancy in case the server or storage array containing your data fails. They can spin up another server and reload your data, sometimes without you even noticing.

​

But those backups don't usually protect against faults that originate outside of the data center. e.g. You accidentally deleted an entire folder, deleted a calendar, deleted a user's email account, or an encrypting virus invaded the cloud server. Are you protected against that? Good chance you aren't unless you subscribe to a separate backup system. And cloud-based backup systems are definitely most costly then local.

​​

Malware, breach, and exfiltration

​

Any business, or private individual for that matter, can be infected with malware. That basic truth is just a sad fact of computing life today. But the attack surface* varies greatly. CSPs have a larger attack surface compared to a similar local (non-cloud) implementation.

​

* The attack surface is all the various ways that a system is vulnerable to attack.

​

The primary enabling reason is exposure to the internet. By necessity, CSPs must expose certain access methods to the internet in order for their customers (companies and people like you) to access them. Depending on how the cloud provider was breached, the damage may spread laterally to some or all of that provider's tenant customers.

​

This why most bad actors now are targeting CSPs. The potential payoff for a successful infiltration is far greater.

​

Furthermore, many attack campaigns against cloud infrastructure are automated. Bots that are constantly banging away at publicly-facing APIs, logins, or website vulnerabilities, looking for a toe hold.

​

Advantage local

​​

This isn't to say that small companies that keep everything in-house, e.g. no cloud services, are perfectly safe. But there is generally less focus on closed, in-house systems by bad actors because they are not as exposed to the internet thus reducing their attack surface. Attacking these systems may rely more on social engineering; tricking an employee into giving up sensitive credentials or installing malware.

 

For a small company using local-only implementations, there is less risk because it's more work for bad actors for what is more likely a lower payout.

​

Flying under the radar

​

One of the factors in helping to assess risk of breach is your company's visibility. If you're a small, private company, with a dozen or so employees, serving only your city, and not a large regional or national firm, then it's less likely that a bad actor would target you specifically.

​

The term for this is security through obscurity. That term is one (of many) risk measures. It's not intended by itself to inform proactive security measures. But it can be a valid component when developing a threat profile.

​

If you're using a CSP, this is where your relative invisibility (security through obscurity) might not provide much protection. Whereas your company might be "too small" for a targeted attack, your use of a CSP means inheriting the CSP's threat profile. Your CSP likely has many thousands of other tenants in addition to you. In such an attack, it's like being caught with many others in a longline fishing net, rather than biting a hook meant for you.

​​

So now what?

​​

Given the discussion above, what sort of things should stay local and off the cloud? One answer is things that aren't collaborative in nature outside your business especially if there's a local solution.

 

Things like...

​

Server or Workstation Backups

 

Data backups should be local. They are much faster, less prone to a data breach, and less costly. If you want a cloud solution as a secondary backup, a belt and suspenders approach, that's fine (depending on internet performance and quantity of data). But the primary backup system should be local.

​

QuickBooks

 

QuickBooks Online (QBO) has its up-sides but, boy howdy, does it have its downsides as well. Most of my clients that are heavy QB users have found that QuickBooks desktop is faster and more feature-filled. And it doesn't rely on the internet. And it's cheaper, too, since you can go several years between updates.

​​

But, alas, this ship is leaving port, never to return. Intuit is pressing hard toward moving customers to their hosted solution, QBO. Supposedly Enterprise edition users can keep using desktop software -- for now, anyway.

​

Company Data

 

All the files your company uses such as Word, Excel, PDFs, etc. should be local. They are safer in your possession (assuming you follow other best practices like backing up) than on a cloud-server somewhere and are accessible even without internet access. Same thing applies to databases that may contain customer data.

​

"Local" doesn't mean you can't access data from afar. But these access methods aren't exposed to the internet in the same way which makes them less vulnerable.

​

Closing comments​

​​

Using CSPs might seem convenient because it relieves your from needing to maintain as much local infrastructure and needing to be an I.T. geek.

 

But that comes at a cost: Reducing your control over your applications, data, and cost containment because it binds you more intimately to the makers of your applications in ways that local infrastructure does not.

​

None of this is to say that you should never use a cloud service. Just don't believe everything you read spouted by cloud service evangelists or salespeople.

 

As more complex cloud-hosted products are being offered at the "retail level" (directly to end-users) without benefit of professional, knowledgeable advice, the more mistakes are made by folks who don't understand the tech involved and the consequences of actions taken.

​

This is where having an I.T. pro that you can call is a good idea.

​​​