From On-Premises to Cloud Computing

Historically, applications were standalone, they were usually installed on a single computer, accessed by a single User at a time, performed a select set of single-stream functions, & provided an output which was then stored on that same computer. Need for sharing, multitasking & being interconnected did not exist as a concept. This was during very early stages of computing. Soon, interconnected networks started becoming commonplace and internal networks allowed sharing of data and information within a single network. This started changing with the advent of the internet. Applications became capable of communicating with the outside world and they started receiving information from the outside world. This rapid change in interconnectedness became a trigger for the start of cloud computing. Before the internet, everything was “On-Premises”, also known as “Shrinkwrap” (as in Software which came in a box which was shrinkwrapped!). Workflows, storage, security, protocols and usage was all centered around this idea that an application will be located within the premises of an office. As internal networks grew larger, on-premises changed from “within Office” to “within Network”. Nevertheless, applications were still located within a set perimeter and their communication with the outside world was either non-existent or heavily restricted. There was no real need for them to communicate outside their network. All its Users were after all located within the same network. This inclination towards having everything onpremises changed as bandwidth, transfer speeds and a need to constantly drive IT costs down led to the first set of cloud-based applications. “Cloud computing” as a term was popularized by Amazon.com when it announced its Elastic Compute Cloud in 2006 (although, there are mentions of this term dating as back as 1996).

It is an interesting fact that the idea of “Cloud” itself comes from a practice where Network Engineers would draw circles which represented subnets, and when multiple subnets overlapped, their outer profile would resemble a cloud! Availability of highly scalable computer networks which could be connected to using high-speed connectivity allowed a lot of new-age software developers to start offering solutions to problems to a larger user-base. Several Users could simultaneously access this software using web-browsers installed on their computers. This idea of application-sharing was based on initial concepts of timesharing which had become prevalent in the 1960s and 70s. On-Premises and Cloud computing both present several advantages, disadvantages and risks while this article focuses on a narrower aspect of security as far as both are concerned.

Comparison on Security: On-Premises vs Cloud Security Focus

Large enterprises are required to invest a lot in security since global threat levels to information and data security has been continuously rising. Cyber-attacks continue to remain a persistent and increasing threat to enterprises worldwide. Cloud providers are well aware of this trend & they have also been investing equally heavily in security. At the minimum, Cloud is as secure as the security an enterprise can build up, but in reality, owing to greater economies of scale and fewer operational complexities in implementation, Cloud providers are usually able to invest much more time, effort, resources and money into building and managing security for their infrastructure. This security includes both physical and virtual security. For an enterprise, security is one of several objectives to be achieved in their course of business, for Cloud providers, securing their Product, Platform and Infrastructure is a primary objective. This is why the security of a Cloud service should be expected to be better than any that an enterprise can put together for their On-premises solution.

Certification Standards and Regulations

 Enterprises are required to focus on their core business. Protecting and securing information and data, while important, is usually not their core. For this reason, enterprises may not be able to get themselves certified in global standards pertaining to information and data security. On the other hand, Cloud providers not only need to reinforce their security with higher standards, they are usually mandated to adhere to industry-wide Certifications and Regulations. Adhering to and complying with these standards is usually very difficult, which in turn reaffirms the practices that Cloud providers follow. It is common for Cloud providers to be certified in one or many industry standards such as ISO 27001, PCI DSS, HIPAA and for them to keep a constant watch of changes to regulations in the form of Data Privacy and Protection Laws of various countries such as EU GDPR, Singapore PDPA, Indian Data Protection Law and China’s Data Privacy Law. Ensuring that services provided by Cloud providers adhere to various applicable local regulations is also a necessity if their products have any possibility of being purchased by Customers.

Maintaining a Reputation

 Enterprises are bound to focus on aspects that their Customers care about; things like cost, service, speed, quality, reliability and usually a combination of several of these factors. Yet, it is likely that customers of an enterprise may not worry much about security; at least not until there is a security breach. Since security is not a primary focus area for Customers, Enterprises may not be able to or may be unwilling to, allocate adequate budget or attention to security. Cloud providers, just like Enterprises, need to manage their own reputation among their Customers, and if they fail, then there will be a significant loss in their sales. Since security is a primary focus area for Enterprises, it becomes that much more important for Cloud providers to invest their time and energy in reinforcing security.

Complexity of Self-managing Security

 Implementing, maintaining and managing security is a complex business which Enterprises have been doing all these years. Advent of Cloud providers has allowed Enterprises to focus more on their own objectives, outcomes and permits them to become free of several non-core activities related to implementing, monitoring and enhancing security for their On-Premises deployment.

Large-scale Redundancy Enterprises usually find it difficult and costly to set up multiple, automated remote redundancy and backup sites for their primary On-Premises applications and databases. Costs quickly multiply with the addition of multiple sites and while backups are extremely important, their actual need and usage is infrequent. Economies of scale help Cloud providers in bundling redundancies and automated remote backups for multiple Clients in a more reliable and robust manner. Ensuring that backups are intact and usable are usually part of their regular security activities. It is very difficult for Enterprises to match up to these levels of performance.

Risks in Cloud Computing

Cloud computing no doubt offers several benefits over On-Premises solutions, but there are some inherent risks involved in their usage. These risks have reduced significantly over time & trends indicate that they are likely to be mitigated further.

Global Outages

Cloud solutions face a major danger due to their dependency on internet and data center providers. An outage in either of them easily leads to global outages. These outages are usually resolved much promptly, but their scale usually results in much more damage in a short period of time. Cloud providers are required to have redundancies in place and as long as their own service and infrastructure which is down, they are usually able to come back online in a short span of time. This is a risk which is not specific to Cloud providers but rather affects everyone equally.

Communication Latency

The speed of response of an application is a very important factor in User Experience. This becomes more important if a Cloud application involves Users who have a need for rapid response rates and they are used to fast internet connections. Since most Cloud applications share their computing resources over a large number of Users, and since they are located physically away from their end-users, latencies become a problem that needs consideration. OnPremises too suffer from this problem to some extent, but their close proximity to end-users and a closed nature of their network reduces this issue significantly. Latency issues used to be a major problem in the 1990s and 2000s, but with internet bandwidths and speeds improving rapidly, this problem has almost gone away now.

Lack of Trust

An Enterprise eventually needs to accept this fact that their data will reside with a service provider which is not entirely under their control. There will be limited visibility as to what practices this provider is likely to follow. This may cause some level of mistrust for an Enterprise and this mistrust is justified to some extent. On the other hand, it is well-known that the biggest threat to information security is in fact internal. Just because an Enterprise has everything in-house does not automatically make things more secure. Cloud providers are required by law to adhere to certain practices which make them more secure, they have a need to maintain their own reputation as a secure service provider and they usually do more to protect information and data than most Enterprises can afford to.

Regulatory Restrictions

 There are several restrictions set by Governments which make it difficult for Enterprises to move to Cloud solutions. Restrictions come in the form of data storage locations, visibility of private information to Customers, international data transfer restrictions, embargoes and adherence to security standards. Nevertheless, global trends in governmental regulations have made a quantum shift in these regulations where they include cloud computing as an option for Enterprises to choose from. A newer set of regulations set specific requirements on Enterprises which opt for cloud computing. Cloud providers keep a tab on such regulations and update their products so that they remain compliant with these regulations. Unless they make these changes, Enterprises will be unwilling to opt for their product and this will lead to loss of sales for Cloud providers. This effectively eliminates this problem for both Enterprises and Cloud providers.

Final Word

There was a time when Cloud computing would be considered an “alternative” to On-Premises, a notion which has changed significantly in recent times. Enterprises cannot expect to do everything in-house anymore. Security, costs, scalabilities, convenience, speed and interconnectedness across multiple work locations have made a switch-over to cloud a necessity. Moving to the Cloud was an option once upon a time. Now, in some cases, there is no other option but to move to the cloud. The advantages of taking the business to the cloud far outweigh keeping things “on-premises”.