Building Trust: Mitigating Impediments to Cloud Migration (Third in a three-part series)
In the information technology world, consumers’ “fear of change” is often characterized as a “cultural” matter. This cultural resistance to new technologies could be as simple as users feeling reluctant to move to a new email system.
The emergence of cloud computing has spawned deeper concerns among customers, such as how secure is data once a system is moved off-premises to a remote data center owned and managed by a cloud provider. Organizations ask: can the cloud be trusted with our customer’s data?
While this question is not unreasonable, the answer is yes, the cloud can be trusted. Cloud providers, such as Amazon Web Services (AWS), go to extraordinary lengths to maintain a secure environment and to protect customers’ data. They have to: it would take only one widely publicized breach to destroy their business and their brand—a most lucrative one at that. For cloud customers, the perception of a multi-billion dollar cloud provider having Fort Knox-like security brings them peace of mind.
AWS offers cloud consumers a range of high-level security options, including extra layers of protection for data at rest in the cloud and scalable, efficient encryption features. Security features can include:
- Data encryption capabilities, available in AWS storage and database services, such as EBS, S3, Glacier, Oracle RDS, SQL Server RDS, and Redshift.
- Flexible key management options, including AWS Key Management Service, which lets customers choose whether to have AWS manage the encryption keys or to keep complete control over them. Customers can even encrypt data with their own keys before it goes to the cloud, so the cloud provider cannot decrypt it.
- Dedicated, hardware-based cryptographic key storage using AWS CloudHSM (Cloud Hardware Security Module), which lets users generate and use their own encryption keys in the AWS Cloud, much as hardware security modules are used on-premises for highly sensitive data.
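As an added illustration of the customer-held-key point above (example code, not from AWS or CVP), this Go program sketches client-side envelope encryption: each object gets a fresh data key, that key is wrapped under a customer-held key-encryption key (KEK), and only the ciphertext plus the wrapped key are handed to storage, so a party without the KEK cannot decrypt. The function names and the in-memory StoredObject type are assumptions; in practice the KEK would live in KMS or CloudHSM rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredObject is all the provider holds: ciphertext plus a data key wrapped under the customer KEK.
type StoredObject struct{ WrappedKey, Ciphertext []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under key and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key, a tampered blob or a truncated blob is rejected.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, errors.New("bad key or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Encrypt runs on-premises: a fresh 256-bit data key per object, wrapped under the customer KEK.
func Encrypt(kek, plaintext []byte) (obj StoredObject, err error) {
	dataKey := make([]byte, 32)
	if _, err = rand.Read(dataKey); err == nil {
		if obj.Ciphertext, err = seal(dataKey, plaintext); err == nil {
			obj.WrappedKey, err = seal(kek, dataKey)
		}
	}
	return
}

// Decrypt needs the KEK to unwrap the data key; the storage side never has it.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dataKey, err := open(kek, obj.WrappedKey)
	if err != nil { return nil, err }
	return open(dataKey, obj.Ciphertext)
}
```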
For government customers, the major cloud providers have designed these sophisticated encryption levels to meet Federal Information Security Management Act (FISMA) requirements and comply with Federal Risk and Authorization Management Program (FedRAMP) standards. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. CVP has found that getting adequate security controls and an authority-to-operate can be easier in the cloud than it is on-premises because we’re able to inherit (i.e., reuse) so many security features that we don’t have to set up on our own.
For our private customers, security standards for the cloud can come from organizations like the Payment Card Industry, whose Data Security Standard (PCI DSS) is a deep and broad set of requirements that effectively constitute best practices for almost any electronic system. The bottom line for customers worried about security in the cloud is this: the CIA and DOD are AWS and Microsoft Azure users, and their security personnel are expressing a preference for cloud infrastructure over traditional infrastructure.
In addition to data encryption, the three large cloud providers (AWS, Microsoft Azure, and Google Cloud) have robust security platforms that provide a range of services and tools for things like Denial of Service (DoS) mitigation, inventory and configuration, monitoring and logging, identity and access control, and penetration testing.
Aside from security, organizations have other concerns about cloud migration: if we move our data to a commercial cloud, how well will it work? Will it be effective, efficient, and reliable? Understanding the cultural change dynamics, CVP data technologists recently developed a way to mitigate a government customer’s unease about moving large volumes of highly sensitive data to the cloud by simulating the move. CVP created a data generator that produced randomized data that behaved the same way as the data on the in-house cluster. By running the simulated process in AWS environments as well as on the in-house cluster, the CVP team was able to show the customer not only that the cloud would do the job, but that it would do it more efficiently. The flexibility afforded by the cloud, with scaling and the use of new hardware, let us demonstrate that the migration could cut costs by 90% and improve performance by up to 500%.
During any changes in enterprise technology, end user resistance is often a major concern. To minimize any anxiety-inducing sense of change in the end-user experience with the cloud, CVP technologists can set up the systems and a network on the user side so that the user may not detect any differences—except that the system is more reliable. CVP recently moved a business-critical time-sheet system to the cloud because recurrent power outages threatened to disrupt a company’s government-billing process—a process which involved people from across the continental United States working in different time zones. It was a significant change technologically, but the software, URL, and underlying data were all transitioned seamlessly, so the end user experience remained the same, while the costs went down and the system became more reliable.