Cybersecurity Exec Order: “OK, You Can Go to the Cloud Now (with Major Caveats)”
Last week President Biden issued a new Cybersecurity Executive Order, acknowledging the malicious cyber threats that continue to plague the public and private sectors. In an effort to combat today’s dynamic threat landscape, the order states that the Federal Government must modernize its approach to cybersecurity, in particular by accelerating the migration of workloads to a secure cloud. In other words, “We told you years ago to move your data to the cloud. Now do it.”
For chief technology officers (CTOs) and advisors to government agencies, there is now a sense of urgency to move to the cloud. But in all likelihood, there are some good reasons you haven’t moved to the cloud yet. Moving workloads to the cloud is hard, and you’re not sure if it’s safe. If you are worried that some of your workloads do not belong in a public cloud, you are probably right. If you are considering making a move, here are some things to consider before your workloads go to the cloud.
Sharing isn’t always caring
We have come a long way in terms of the perception of the public cloud. A decade ago, you probably wouldn’t have even considered moving your workloads to a public cloud. Now, the government is saying, “Come to the cloud, it is safe.” But public cloud is inherently shared infrastructure, meaning your infrastructure is on the same box as someone else’s. This shared infrastructure can deliver cost benefits but produces tremendous risk. Is the organization you are sharing your space with introducing threats to the shared environment? Are they managing access and other security controls effectively? If they are targeted by a sophisticated threat actor, could your workloads be caught in the cyber impact zone? These potential risks are enough to make a CISO’s head spin.
Getting to the cloud isn’t as easy as you think
“We’ve built many of our applications on legacy infrastructure, and they simply do not work the same way in the cloud.” This is a common – and very real – challenge for many enterprises, and to make them work you may be looking at additional risk and a significant development project.
In addition, many organizations experience vendor lock-in once they have migrated workloads to the public cloud. Moreover, many find themselves suffering from IT sprawl in public cloud environments, where there are no protocols in place for spinning up new environments. You need a DevOps mindset and a maturity model to take full advantage of the cloud ecosystem. Unfortunately, not all organizations have this. CTOs must be able to run legacy apps without having to rebuild the code base. And they need the security and control of colocation environments with the elasticity, agility, and scalability of the cloud.
Sensitive government workloads require absolute control over where the data sets reside and who can access them. Public clouds don’t necessarily grant the necessary level of control. For example, with a service such as AWS GovCloud, you either agree to their terms for data and network traffic management, or you don’t; there is no in between.
Without sovereignty over your access rights and data in AWS, you may also face extra fees for taking your data out of certain environments. It’s death by a thousand cuts if you’re constantly charged to actually “use” your data. If you are going to the cloud because you think it is cheaper, you are going for the wrong reasons. Generally speaking, data moves in and out of the cloud; most cloud providers allow you to input your data for free (ingress), but will charge large network fees to move your data out of the cloud elsewhere (egress).
When cloud is not an option, consider Enterprise Bare Metal
For the reasons we’ve discussed above, the government simply can’t put everything in the cloud. The flipside of the cloud being cheap and flexible is that cloud service providers must be able to move your workloads wherever it makes the most financial sense. But if a government security auditor demands, “Show me the data,” the granular visibility they need may not be available.
Enter Cyxtera Enterprise Bare Metal, offered through our highly secure, software-defined digital exchange. It offers low start-up costs and the OpEx (vs. CapEx) consumption-based perks of the cloud, but with the benefits of actually owning the infrastructure. Bare metal servers provide enterprise users with access to hardware resources, while offering enhanced physical isolation for greater security and regulatory benefits. Users get complete control of their software stack, core consistent disk and network I/O performance, greater processing power, and the ability to scale workloads, plus a greater quality of service (QoS) by eliminating the noisy neighbor phenomenon.
Bare metal servers offer organizations an important option in their infrastructure mix, where performance and control are required, and cloud is simply not an option. Being cloud smart means analyzing your application environments to make educated platform decisions based on criteria that make business sense. Not all applications are created equal, and not all applications run or operate well in the public cloud. Moving to the cloud can be disruptive operationally and commercially, and if not done properly, can introduce intrinsic risk to the business.
The cloud discussion has come a long way – 10 years ago we were all afraid to go to the cloud because we thought it was unsafe. Now, people think the cloud is safe, but as with every policy decision, the devil is in the details.
Views and opinions expressed in our blog posts are those of the employees who made them and do not necessarily reflect the views of the Company. A reader should not unduly rely on any statements made therein.