29 Jan Put Your Head in the Clouds
With the launch of Salesforce.com in 1999, cloud computing took its first big step into the spotlight. Other major milestones came with the launch of Amazon Web Services (AWS) and Google Doc Services in the mid-aughts. Within a handful of years, there were innumerable cloud-based software providers of all sizes, serving all industries.
Today, it’s estimated that 93% of companies use some type of cloud services for software, platforms, and/or infrastructure [1]. Enterprise-sized companies spent an estimated $3.5M on cloud software in 2018 [2]. Moreover, 65% of companies are utilizing a cloud-first strategy for their technology initiatives, meaning cloud services will be their default solutions [1].
It’s safe to say that the cloud is here to stay. We don’t need to ramble on about the laundry list of benefits of cloud-based vs. on-prem solutions; there’s plenty of information out there on that topic. And it’s pretty universally understood that the biggest driver is that the total cost of ownership (TCO) of on-prem solutions tends to be multiples higher than cloud-based solutions, both early on and over time.
However, Manufacturing has been a bit slower on the cloud adoption trend. Per a 2017 study by the American Enterprise Institute, 66% of manufacturing companies surveyed actively used cloud-based software, and it’s estimated that cloud-based solutions will make up nearly half of software usage in Manufacturing by 2023 [4].
Those certainly aren’t insubstantial numbers, but they are markedly different from the average, especially given that a large number of executives at manufacturing companies are pressuring their companies to make large steps to cloud-based solutions [3].
Why This Disconnect?
As we talk with our Manufacturing clients and prospects, the disconnect is driven by lingering concerns about the safety of the cloud, whether it’s the risk of data breach, lack of visibility into information, or lack of control. This is a topic of concern for nearly every type of software manufacturers are using – CRMs, ERPs, Content Management platforms, and more.
How Secure is the Cloud?
To answer this question, we have to recognize that there’s no such thing as “the cloud”. There are many, many clouds. “The Cloud” is really a broad term that includes Software as a Service (SaaS), Infrastructure as a Service (IaaS), and really any technology that is hosted by some service provider. Instead of asking how secure is the cloud, what we really want to ask is “How secure are specific cloud software vendors?” and “How can we leverage cloud technology in a secure way?”.
We’re not suggesting cloud software is inherently unsafe. What we’re saying is that there’s inherent risk in ALL software, on-premise and cloud alike; the risk that an unknown (or sometimes a known) vulnerability exists that puts your data at risk of exposure.
The key difference between on-premise software and cloud software is the resources being dedicated to reducing this risk.
The Real Risk
When you purchase on-premise software, your IT staff provisions the servers and installs the software following the documentation provided by the vendor. Presumably, this is all behind your corporate firewalls in your data centers. Often teams assume that the security is top notch and perpetual. But when was the last time your IT staff hired security researchers to do penetration and vulnerability testing? How sure are you that no one outside of your office can access these systems?
What about critical software updates? On-premise vendors release updates and patches so frequently that IT departments are forced to establish upgrade schedules and cram all of the updates into an annual or semi-annual upgrade window. That is, if they bother to install these updates at all. The time lag between the release of the update and the upgrade window can mean weeks or months that defects and vulnerabilities are left unchecked. The same is true for operating system upgrades, network infrastructure upgrades, firewall updates, etc. The reason? Managing these updates is time-consuming and impactful to the business, involving system downtime and risk of something going wrong – including data loss or data breaches – that your staff may be ill-equipped to fix.
Every company has that piece of software that nobody wants to touch because it might break, and nobody knows how to fix it. You’re probably nodding your head and thinking about it right now.
Your IT infrastructure and technology isn’t your business. Your business is making and/or distributing products. IT is just a necessary cost of doing business, and it has a limited budget that is allocated to buying software, buying computers, paying salaries of the people who manage that software and those computers, and maintaining a secure infrastructure. It’s no wonder your IT team looks exhausted and doesn’t respond to your requests as quickly as you’d like.
For software vendors, the technology is our business. We’re in the business of making and/or distributing software. Every dollar we spend on securing the system is a dollar invested in a better product. Many cloud vendors employ teams of people dedicated to security, whether that be network security or secure coding standards. When you purchase a cloud-based product, you’re taking advantage of getting updates as soon as they’re available, and you’re extending your technology team and leveraging the experts employed by these vendors.
For example, RhinoDox releases updates to our software on a monthly cadence. These releases often include new features and functionality, but also bug fixes and critical upgrades to infrastructure to prevent potential security issues. All of our customers benefit from these updates immediately. There’s no need for IT to schedule an upgrade; literally the next time you log in, you are using the newest version. We work with leading security researchers to scan our network and our software for vulnerabilities on a regular basis, and fix these issues as soon as they are identified.
So What Can You Do?
Unfortunately, all cloud vendors are not created equal. Every company is subject to financial limitations, pressures to move faster and operate cheaper. Even the most well-intentioned companies have holes in their processes and gaps in their security controls. That doesn’t mean you don’t have control, nor does it mean you can’t manage risks effectively.
First, ask questions. When you’re buying cloud software, or really any software, you need to understand the upgrade cycle. Ask how they secure their product and their infrastructure. Understand how they test the software. What is the underlying infrastructure? Are they using a well-known cloud infrastructure provider like AWS or Google Cloud, or do they host their infrastructure in their own data centers? How is sensitive data identified and handled, and what controls do they have in place to safeguard this data? Do they employ encryption schemes on data at rest?
An important point to remember: while all the major cloud providers offer best-in-class security controls, that doesn’t mean every product hosted on AWS is magically secure. In fact, many high-profile data breaches have occurred because of a misconfiguration or simply some system administrator not employing the controls they had at their disposal. Even huge corporations like Accenture, Verizon Wireless and Time Warner Cable have accidentally exposed their data simply by failing to properly secure AWS resources. Doing a bit of homework up front, and asking for the results of recent penetration testing, can help you minimize this risk.
Second, do your research. Has this vendor had any security breaches in the past? If so, what have they done to correct the issues? What is their reputation? What about their staff, do they have dedicated information security resources? The Cloud Security Alliance provides excellent guidance on recommended control measures, along with certification programs. The control matrix from CSA can be a useful resource in evaluating potential vendors.
Lastly, evaluate your options and understand the trade-offs. When you purchase cloud software, you surrender a bit of control but gain rapid upgrade cycles and reduced cost of ownership. You gain a team of external experts instead of relying on in-house resources. With on-premise software, you control the upgrade schedule, you control the security of the infrastructure – but you also take on the liability when your security measures fail.
Fear of the cloud can lead to “lost opportunity and inappropriate spending,” according to Jay Heiser, Vice President of Research at Gartner. Organizations need to develop a cloud strategy that fits their business needs without restricting growth and innovation opportunities. Cloud software is here to stay, and more and more vendors are pushing to cloud-first and cloud-only delivery models.
1. Navigating a Cloudy Sky – Practical Guidance and the State of Cloud Security. 2018. McAfee.
2. 2017 State Of Cloud Adoption And Security. 2017. Forbes.
3. State Of Enterprise Cloud Computing, 2018. 2018. Forbes.
4. How Cloud Computing Enables Modern Manufacturing. 2017. American Enterprise Institute.
5. Is the Cloud Secure? 2018. Gartner.
6. CSA Security, Trust, and Assurance Registry. 2019. Cloud Security Alliance.
7. Leaky Buckets: 10 Worst Amazon S3 Breaches. 2018. Bitdefender.
RhinoDox is a cloud-based, Intelligent Content Management platform for Manufacturing companies, streamlining communication and visibility by connecting people, content and business processes to deliver the power of lean manufacturing. We help get more done in less time.
About the authors
Travis Whelan is an experienced technology leader with two decades of experience in software engineering spanning manufacturing, content and document management, and other industries. Travis leads Technology and Engineering at RhinoDox.