I have begun preparations for the (ISC)2 CCSP (Certified Cloud Security Professional) examination. It will be my second (ISC)2 certification, supplementing my current CISSP and further reinforcing my knowledge as it relates to both the "cloud" and security.
I will be reviewing one of the introductory concepts covered in the material, the costs and benefits of a move to the cloud, and relating my personal experiences to it. This means that the commentary will be heavily Microsoft-centric, particularly Office 365 and Exchange Online, but also Enterprise Mobility + Security (Azure AD Premium, Intune, etc.).
Five major cost-related reasons are covered:
- Reduction in Capital Expenditures (CapEx)
- Reduction in Personnel Costs
- Reduction in Operational Costs (OpEx)
- Transference of Regulatory Costs
- Reduction in Data Archival and Backup Costs
Below I will review some of the truths, and what I have seen to the contrary, with regard to each of these opportunities.
Reduction in Capital Expenditures
This is likely the easiest of all the measures to justify. When operating on-premises you own the responsibility for everything (or nearly everything), including the datacenter, electricity, cooling, physical security, racks, fire suppression, cabling, safety, hardware and its maintenance, and software and its maintenance.
Depending on the cloud model employed (Infrastructure as a Service – IaaS, Platform as a Service – PaaS, or Software as a Service – SaaS), almost all of these CapEx items become OpEx, often at a lower cost.
Validation: True – under the majority of circumstances
I cannot really think of an experience where this has not been true, with the exception of over-purchasing. For instance, when moving to the cloud, many organizations have started with Exchange as the primary workload. However, these same organizations have typically purchased Office 365 suite licensing that includes far more than Exchange Online, and then claimed that it is too expensive. It is possible to purchase just Exchange Online licensing. If the business requirements would allow a smaller purchase than the suite, the suite is wasted money.
Reduction in Personnel Costs
IT departments have been operating notoriously lean. There is always an infinite list of work to be performed. Further, as long as we have data, we will need custodians of the data. I am not sure that I have ever witnessed a reduction in personnel costs because of the cloud. There are instances, for sure, and perhaps nuances of situations where a shift to the cloud meant a job loss for someone who was replaced by someone else (perhaps at a lower cost). I would say that these are few and far between. In situations where someone was replaced, I would attribute that to outsourcing more often than to cloud-related expenditures and requirements reducing personnel requirements.
Validation: False – under a majority of circumstances
What I typically see happening is that IT staff are now able to shift their focus to more valuable tasks, moving up the "value ladder," so to speak. Most organizations do not use all of the features of the products they own, for one reason or another. Perhaps there is no business requirement. Many times, I would say that it is because of priorities. By eliminating the need to worry about datacenters, hardware, and much of the maintenance of upgrade cycles, attention can be turned to more highly prioritized things, like delivering business solutions, compliance, and the like.
Reduction in Operating Expenditures
This is definitely a mixed bag. From one perspective, this could most likely be considered a resounding no: as I mentioned before, much of the CapEx spend gets shifted to OpEx spend, so OpEx is going up. However, when isolating the items that were already OpEx, these can largely be reduced. For instance, if your licensing model uses something like Software Assurance or an Enterprise Agreement, licensing can be acquired for only the period in which it is required. I might need to use Visio for a while to create some diagrams, but then go half a year or more before I need it again (for the record, I use Visio nearly daily, so this does not apply to me). In such a case, shifting to a subscription model might yield some savings. Dynamically scaling workloads is another opportunity to reduce OpEx. If there is a peak season, a cloud-centric system can scale up for that period and scale back down when no longer necessary.
Validation: Maybe – but requires significant deliberation and evaluation of opportunities
An example that I like to cite is the design of an Active Directory Federation Services (AD FS) infrastructure on-premises versus in an IaaS platform. If the AD FS infrastructure goes offline, nobody can authenticate to the relying parties. On-premises, a fully fleshed-out, highly resilient infrastructure is split between two datacenters that are sufficiently geographically separated and have their own Internet connections, each with two (2) AD FS servers and two (2) AD FS proxies load balanced at each layer, for a total of four (4) load-balanced virtual IPs (vIPs). If we were to design this to live in Azure IaaS, we would not need all of that resiliency; we could cut the number of servers and load balancers in half, provided we place the virtual machines correctly, because within an Azure region they can be spread across three (3) physically separate datacenters (availability zones) with independent power, cooling and networking, and brought back online quickly. Even halved, that still leaves two servers behind each vIP, so one can be patched while the other serves, and the proxies still sit in their own Internet-facing subnet rather than alongside the AD FS servers.
Transference of Regulatory Costs
From the perspective of security, regulatory costs are significant. Proving compliance at all levels is costly. By using a cloud service that meets some of these requirements out of the box, these costs are transferred to the provider as part of the overall cloud spend. It is through the provider's immense scale that these costs can be greatly diminished. Simply bring up the Service Descriptions of the offerings you are considering, see whether they meet your requirements, have them vetted by legal, and hold your provider accountable. Done.
Validation: True – under many circumstances
The one thing to keep in mind is that not all transference is possible. The provider can guarantee the facilities, hardware, and many of the operations. However, the provider cannot guarantee what you decide to do in the services. For instance, if you have Personally Identifiable Information (PII), it is on you to limit the amount and duration of PII that you hold and to use the available capabilities to implement sufficient controls and reporting.
In other areas, I generally hold Transference of Risk, another commonly cited benefit of outsourcing, to be mostly a myth.
Reduction in Data Archiving and Backup Costs
The costs to archive and back up data are rather significant. Let us say that we have 10 TB of email data (single instance, not including replicas for production availability). If we archive 8 TB of that data, we need other systems for it, and they generally have their own availability requirements. This means hardware, software, maintenance, electricity, and cooling for all of these systems. Also, if it is split between datacenters, double that and add WAN expenses for replication and the necessary high availability.
Backups are pretty much the same but with added complexities. If you have disk-to-disk-to-tape (D2D2T), the disk tier is generally replicated, so it carries the same redundancy requirements for hardware, software, maintenance, WAN circuits, etc., but then you will likely have numerous copies to meet recovery point objectives (RPOs) and retention requirements for the required period of time, which could be months or years.
Validation: True – under most circumstances
With Exchange Online, for instance, the Plan 2 licensing (included in Office 365 E3) includes compliance and archival features that can serve backup purposes as well. For starters, the infrastructure is highly available if we consider the Preferred Architecture: four (4) replicas of the data split between two datacenters, AutoReseed spare disks, and one replica with lagged transaction logs that can be used to recover from logical corruption. Now take into consideration that each licensed mailbox has a 100 GB primary mailbox and an unlimited archive mailbox, each protected by that same replication. Archive costs covered. Implementing a Litigation or In-Place Hold makes the data immutable for the required period of time, be that a week or indefinitely. Coupled with the unlimited archive, you could retain data forever (for as long as forever is). These holds exist for regulatory and compliance purposes but can also satisfy backup requirements as part of Exchange Native Data Protection. The caveat is that a hold is only as durable as the administrative role that can remove it: the data is immutable to users, not to an Exchange administrator who clears the hold, so restricting and auditing that role is part of relying on holds as a backup.
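As an added example (not code from the original post), the following PowerShell puts the two controls just described in place across a tenant: it enables the archive mailbox and a time-bound litigation hold on every user mailbox, then re-reads the tenant and reports any mailbox that still lacks either. The admin account name and the seven-year hold length are assumptions; it relies on the ExchangeOnlineManagement module and an account holding the Exchange Administrator role.

```powershell
# Added example, not from the original post. Enables the archive mailbox and a
# time-bound litigation hold on every user mailbox, then reports what is still
# unprotected. Run with -WhatIf first to see what would change.
#Requires -Modules ExchangeOnlineManagement
param(
    [string]$AdminUpn     = 'admin@contoso.example',  # assumption: replace with your admin account
    [string]$HoldDuration = '2555',                   # assumption: 7 years in days; 'Unlimited' is also accepted
    [switch]$WhatIf
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Auto-expanding archive is an org-wide switch; without it the archive stops at its base quota.
# The call is idempotent, so it is safe to issue on every run.
Set-OrganizationConfig -AutoExpandingArchive -WhatIf:$WhatIf

# Only user mailboxes; shared and resource mailboxes need their own licensing decision.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties ArchiveStatus, LitigationHoldEnabled, LitigationHoldDuration

foreach ($mbx in $mailboxes) {
    if ($mbx.ArchiveStatus -ne 'Active') {
        Write-Host "Enabling archive mailbox: $($mbx.UserPrincipalName)"
        Enable-Mailbox -Identity $mbx.UserPrincipalName -Archive -WhatIf:$WhatIf | Out-Null
    }
    if (-not $mbx.LitigationHoldEnabled) {
        Write-Host "Placing litigation hold ($HoldDuration days): $($mbx.UserPrincipalName)"
        Set-Mailbox -Identity $mbx.UserPrincipalName -LitigationHoldEnabled $true `
            -LitigationHoldDuration $HoldDuration -WhatIf:$WhatIf
    }
}

# Re-read the tenant and report anything still unprotected. Archive provisioning is
# asynchronous, so a freshly enabled archive can take a few minutes to show 'Active'.
$unprotected = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties ArchiveStatus, LitigationHoldEnabled, LitigationHoldDuration |
    Where-Object { $_.ArchiveStatus -ne 'Active' -or -not $_.LitigationHoldEnabled } |
    Select-Object UserPrincipalName, ArchiveStatus, LitigationHoldEnabled, LitigationHoldDuration

if ($unprotected) {
    Write-Warning "$(@($unprotected).Count) mailbox(es) still lack an archive or a hold:"
    $unprotected | Format-Table -AutoSize
} else {
    Write-Host 'All user mailboxes have an archive and a litigation hold.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

The same Exchange Administrator role that places the hold can remove it with a single Set-Mailbox call, which is the point made above: if holds are standing in for a backup, the role should be granted just-in-time and Set-Mailbox operations should be reviewed in the unified audit log.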
I see companies acquire this licensing and then look at third party backup software that stores it elsewhere, duplicating the backup costs. In these situations, the costs are not reduced.
Other models include using IaaS capabilities as the destination backup system in a more traditional setup. The costs of the IaaS infrastructure are generally lower than incurring the costs on-premises.
If properly evaluated and planned, the cloud can reduce many costs. There are also common scenarios, as described above, where the expected savings do not materialize.