Five cloud mistakes guaranteed to make your deployment fail

Opinion Davey Winder Jul 23, 2013

We've all seen advice on the best way to deploy to the cloud, but what about guidance on the best way to fail?

There are plenty of guides out there offering advice on how to best go about moving your business successfully into the cloud, and on the whole the bullet-points are pretty much the same.

So to avoid falling into that trap, here's my top five guide offering the kind of advice that will ensure your deployment will be a massive fail. The savvy readers amongst you will spot how to use this to your advantage...

1. Don't choose the right cloud platform
If you really want your cloud deployment to come falling down around your ears in a compromised-security heap, then failing to choose the most appropriate cloud model (or mixture of platforms) is as good a way as any to achieve this. The cloud is no longer home to the dark computing arts where acronyms act as 'Keep Out' warnings for the technical non-believer, and publications such as Cloud Pro can take much of the credit for dispelling the mystery surrounding it.

However, with far too much regularity those of us who inhabit the IT security space get to see the results of people choosing the wrong platform for the job. Of course, they think it's the right platform because bean counters often approve the 'this one is cheapest' message without thinking about the security implications of getting it wrong. Does it really take a genius to work out that the public cloud is not the right place for confidential, private data? Here's another good tip if you want to fail: ignore the hybrid cloud where you can span deployment models to enable the secure movement of data between platforms.

2. Don't shine a light on the shadows
Rogue or shadow IT, call it what you like, the end effect on a poorly thought-out cloud deployment is the same: your costs will go up, not down. Here's the thing: when you get managers and users signing up for cloud services without the approval, or knowledge, of the IT department, then you are leaving the enterprise open to unexpected support costs and totally predictable security risks.

A couple of years ago, PricewaterhouseCoopers was suggesting as much as 30 percent of IT spending in the enterprise was being siphoned off on departmental cloud services which were provisioned without IT approval.

I have seen nothing to suggest that such figures are not still valid, given the rush to accommodate BYOD in all guises and often without much thought for the real world implications beyond that tunnel-vision promise of increased productivity and lower hardware costs. Removing the rose-tinted specs would allow the security risks of shadow IT to shine through as well, risks that should be all too obvious when one recent survey showed 40 percent of respondents admitting confidential data had been exposed by shadow IT use and 25 percent saying accounts had been hacked, services mis-appropriated and web properties defaced. Oh, and 34 percent had been requested by a court to produce electronically stored information of which 41 percent couldn't as they didn't know where it was stored.

3. Keep your cloud security strategy separate from your enterprise security strategy
Yep, if you want to be absolutely sure that your data is as insecure as possible this tip is a must have: avoid integration of security policies so that your cloud approach and your general enterprise approach can bang heads at every opportunity.

Seriously, creating a totally new policy for the cloud rather than extending an existing one to mitigate the new risks introduced by a cloud deployment is the way to go if you want to introduce as much confusion and opportunity for compromise as possible. The clue is right there, after all, in the term 'IT Security Strategy'. I define this as a 'high level plan to achieve a goal' which most certainly does not mean throwing some piecemeal policy at problems as they occur and hoping for the best.

The basics of data security remain the same, cloud or not, and it's just a matter of understanding how to best modify and adapt existing policies to accommodate new platforms. Cloud Pro can help you here as well, just take the time to read our security section.

4. Pass the buck
Why take responsibility for your corporate data when you can pass the buck to someone else and blame him or her when the data bucket springs a leak?

After all, you've found a third party provider to handle all your cloud data storage and when you asked its salespeople about data security they mumbled something about "yeah, 100% secure here guv'nor no need to worry about nuffink" so that must be OK, right?

The truth of the matter is that you cannot simply outsource your responsibility along with your applications and systems, the real world doesn't work like that. Think that you can, and you could be in for a mighty big, and mighty expensive, shock should a data breach occur.

Don't assume that your data is automatically secure because your CSP has been around for a year or two. Not bothering with due diligence when it comes to matters of data security, not doing your homework, not auditing (or obtaining evidence that they have been so audited via one of the cloud provider certification schemes) is not only asking for trouble, but pretty much guaranteeing it.

5. Ignore data sovereignty
Not knowing where your data is stored is the best defence. Seriously, go on, try it.

Actually, don't. Understanding data sovereignty is one of the most complicated parts of the cloud deployment equation, and consequently one of the most overlooked - or should that be willfully ignored?

As I have said before, and will undoubtedly keep saying until everyone listens or my teeth fall out, data sovereignty matters.

Why does it matter? Well, think about it like this: if you don't really give two hoots about international law, government snooping, customer privacy, corporate confidentiality or the data protection act then go ahead and keep your fingers in your ears and that blindfold on while contemplating which cloud provider you should contract with.

Everyone else should be aware that 'the cloud' is not some fantasy island floating around a virtual fluffy sky, and your data has to actually sit somewhere very real. Where it sits, and where the company who is sitting upon it has offices, can determine who can apply for legal access to it. If you are in an industry which requires your data to be under your control at all times, kept within a specific jurisdiction, or you just give a damn about data privacy then you might want to start taking the location quandary a little more seriously.

Hopefully, by now, the above bullet points to ensure a deployment disaster will have given you a bit of food for thought. If you know a company which could do with being force fed a little common sense before it goes any farther down the road to cloud adoption, please do feel free to feed them this link with a little salt and pepper...

Davey Winder

Davey Winder has been covering the IT security beat for the last 20 years. Along the way he has won the 'Information Security Journalist of the Year' title no less than three times, and in 2011 was bestowed with the Enigma award for his lifelong contribution to information security journalism.