Out of sight, out of mind? Many people probably think so, but this is not the case when you place software in a cloud environment. As a company, you still have a great deal of responsibility for operating and maintaining various parts of your infrastructure, as well as the applications built on top of it, even though the software is placed in the Cloud.
Great possibilities – high risk of frustration
Let’s start out with the fun part. More and more companies move software to the Cloud, and the number of successful projects is rising. Although the Cloud is not necessarily the right choice for everyone, the possibilities for those companies choosing to move in this direction are great. In addition, the public cloud environment has matured tremendously in recent years, with the largest providers, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform, constantly raising the bar for what a public cloud solution should contain.
Besides that, several new providers have entered the scene. They cover more specialized areas and include companies such as Salesforce, Oracle and Alibaba Cloud, each with a unique set of qualities.
And then to the not so fun part. If you think moving your software to the Cloud not only outsources the software itself, but also the service and operational tasks involved, you are mistaken. And this may bring about frustration, also of the economic kind.
The principle of Shared Responsibility
This is not just something we experience at Netic. Gartner talks about the “aha experience!” when companies realize that a public cloud solution involves what cloud providers refer to as The Shared Responsibility Model. As indicated by its name, the model argues that the responsibility is to be shared between the company and the cloud provider. When this principle of shared responsibility comes as a surprise, it is typically because companies perceive the move as an outsourcing process, while it is in fact just the opposite: an insourcing process.
But let’s take a step back and look at some of the advantages of a public cloud solution. It gives you speed, operational reliability and lots of possibilities for customization of the setup. Together with IaC (Infrastructure as Code) and IaaS (Infrastructure as a Service) you have a solution with scope for action.
However, it would be wrong to think that you are outsourcing your application operations just because of the IaaS solution. Actually, it is the other way around, especially when it comes to those parts of the software which are typically placed in the infrastructure layer: the application network, firewall rules, the operating system, the software on the servers, encryption, identity management, access rights and much more.
Your public cloud provider does not take care of these things and, most often, neither do your developers. In short, the provider gives you a set of tools. What you choose to do with these tools is up to you. Likewise, the provider takes no responsibility for what has been built.
The reason is that it is an operational task. It is your responsibility to make sure that your team is able to handle the task. If your team is too small or you haven’t got an operations team, you need to establish one. Suddenly your outsourcing project has changed into something completely different.
Your hand on the digital stove
But what does the shared responsibility imply for the involved parties - you on one side and the public cloud provider on the other? Amazon has defined it as follows: The provider is responsible for "the security of the Cloud", while the customer is responsible for "the security in the Cloud." This means that the provider is responsible for the host operating system, the virtualization layer and the physical part of the setup, while the customer is responsible for configuring and managing the security aspects concerning the “guest operating system” and associated applications, firewalls and encryption of data.
The overall focus is security, but there is another and perhaps more important aspect, namely responsibility in the broad sense. It is not just a matter of security in the form of information and data protection. It also has to do with the willingness of the public cloud provider and the company to put their hands on the hot stove.
In other words: The public cloud provider presents you with the framework, but you have to do the work yourself. Unfortunately, not all providers make sure to clarify the shared responsibility. For this reason, some cloud projects reach a deadlock simply because the customer’s expectations aren't fulfilled. Perhaps you are hesitant to place your software in the Cloud, because you have been told that it is a demanding process with many surprises along the way. If this is the case, you’ve probably heard about projects in which the cloud provider hasn't done a very good job of explaining the principle of Shared Responsibility or helping the customer navigate through the process. This is what you call poor balancing of expectations. When you fail to balance expectations prior to large projects, they have a tendency to derail and leave disappointed customers behind.
Demand transparency from your public cloud provider
As a decision-maker in a company, it would be completely fair of you to expect your provider to take responsibility for informing and educating you and your employees about the reality of IaaS.
This became highly relevant on the 16th of July 2020 with the Schrems II verdict which, among other things, has to do with the use of the EU Commission's standard contracts. All of a sudden, the basis for transfer of personal information to third countries, based on Privacy Shield, was invalid.
This means that for companies considering a public cloud solution, the complexity and requirements have increased. It is no longer sufficient to think about the technical aspects of using public cloud. Now you also need to keep the legal and organizational aspects in mind.
This is probably a new way for you to think about responsibility and structure, but the public cloud provider deals with this constantly. This might be the reason why things are left unsaid. The provider simply takes it for granted.
If you want to know more about how the principle of Shared Responsibility relates to your cloud transformation, we are more than happy to go on a Cloud Date with you.