Organisations in the Asia-Pacific still often assume cloud will always be the cheaper option, often overlooking the impact of fluctuations in consumption and data flow. However, governments looking to run their own private cloud over security concerns still should consider public cloud platforms as a viable option.
The common misconception that cloud always offers the cheaper route had driven several organisations to migrate their operations back to on-premise in order to avoid bill shocks from spiralling cloud costs, according to IBM's CTO for global technology services, Jim Freeman. The executive, who took on his current role in January, has spent the past several years consulting with IBM customers on their cloud journey.
In an e-mail interview with ZDNet, he noted that cloud adoption could result in high cost if not managed properly.
Freeman explained that cloud costs could be very sensitive to the volume of data moving in and out of the network. They could also fluctuate if overconsumption was not monitored closely as enterprises had processes to establish and provision capacity to cater to peak demand on-premise.
He noted that elasticity and consumption pricing, which were benefits that cloud was commonly touted to offer, were only effective if the enterprise shifted from capacity planning to demand management -- in particular, if they had the ability to turn off under-utilised cloud resources.
Another misconception Asian businesses had was that the majority of existing applications could run on public cloud, he said. Freeman said: "Existing applications were written with the expectation of low latency, uniform machine performance, perimeter security models, and other technical differences when comparing on-premise to off-premise, public [cloud] platforms."
And while this trend was slowing, he noted that there were still organisations that had opted to move everything to a single public cloud vendor.
"CIOs should be very wary of the two pitfalls in that thinking," he said. "Moving everything to a single cloud vendor will often present a concentration or resiliency risk, so care should be taken to establish a workload-placement policy that is [focused] on the application's functional and non-functional requirements and an independent process [to establish] the appropriate landing platform, whether that's hybrid or multi-cloud."
Furthermore, he added, on-premise infrastructures typically operated vastly different from off-premise, public platforms. "The days of believing that everything can move to public cloud are over. However, estimates of how much can move still tend to be exaggerated," he said.
Other key concerns amongst organisations in the region were the ability to leverage the agility as well as cost benefits of cloud deployment across their existing enterprise applications, Freeman said. A common obstacle they faced was having a limited budget to refactor applications to run on cloud platforms since there could be material differences in operating environments between existing, on-premise applications and those that running in a cloud environment.
They also could face additional complexities integrating operations across their existing environment with their cloud environment, he said.
"Often times the enterprise finds itself with more than one standard operating procedure, particularly for common enterprise services such as back-up and restoration, business continuity planning, identity and access, event monitoring, and others," he noted.
He added that regulatory or company policy compliance could also pose further challenges as these were established to manage applications running in a private data centre environment.
To avoid some of these common pitfalls, he recommended enterprises put in place a plan that encompassed both on- and off-premise computing as well as multiple cloud providers operating in an open environment, so as to avoid vendor lockin. They also should revise their security framework and operating model to accommodate for the fact that cloud vendors increasingly would provide design, build, and management services that typically were performed by existing administrators.
Freeman said: "Also, application design patterns will need to materially change from 'how do I build a function' to 'where can I find a service to provide that function'."
Public clouds can be secure enough for governments
The Singapore government, for one, was reengineering its existing IT infrastructure and leveraging commercial cloud services. However, systems that could not be moved to a commercial cloud platform--for data security and privacy considerations--would run on a private government cloud. Prime Minister Lee Hsien Loong in 2018 said a preliminary assessment determined that "many" of the government's systems, in principle, could operate within a commercial cloud and some of these systems would be migrated over the next few years.
Freeman acknowledged there was merit in governments' desire to host systems that required high levels of security, but he noted that public cloud providers could deliver services that offered customers more security and control. IBM Cloud users, for instance, had the option to retain their own encryption key, prohibiting IBM from viewing the data. They also could obtain a full audit trail of server access, activation, and deactivation that the organisation then could provide to establish compliance.
"Any government looking to create [its own] cloud should draw a clear line between what is common and can be provided by hyper-scalers as common, and it then can put a strong set of encryption and control framework in place, recognising that there are extremely secure approaches to using public cloud," he said.
The Singapore government also announced plans to spend SG$1 billion beefing up its cyber and data security systems. Asked how it should spend that money, Freeman pointed to approaches and constructs to establish security on top of any platform--be it private, on-premise, public off-premise, and increasingly, edge devices.
"A comprehensive security envelope that is firmly implanted on any target platform will permit even the most naïve application programmer to focus on delivering value quickly without concern for compromising any security or privacy," he said.
He also stressed the need to have "encryption everywhere"--encompassing data at rest, in motion, and in memory--as well as KYOK (Keep Your Own Keys).
He urged CIOs to adopt an integrated security operating model to reduce operational complexity and better facilitate the development of in-depth skills involving prevention, detection, and remediation--rather that spending time having employees learn disparate operating models.