Wednesday, 10 August 2022

As cloud costs spiral upward, enterprises turn to a thing called FinOps

Organizations waste 32% of cloud spend, up from 30% a year ago. 'More and more users are swimming in the FinOps side of the pool, even if they may not know it - or call it FinOps yet.'

In the first few years of cloud computing, cost savings was the driving reason for adopting the cloud. Nowadays, however, businesses are faced with spiraling cloud costs. There's even a word for the emerging process to deal with it: "FinOps."

According to Flexera's recently released 2022 State of the Cloud Report, organizations continue to waste significant cloud spending, based on survey responses from 753 global cloud decision-makers and users. 66% of executives said cloud usage is "higher than initially planned this year," They estimated that their organizations waste 32% of cloud spend, up from 30% in last year's survey. 

In addition, "spend is likely less efficient and likely even higher on average, as many organizations tend to underestimate their amount of waste," the survey's authors report. In addition, respondents said their public cloud spend was over budget by an average of 13% for the previous year. They expect their cloud spend to further increase by 29% in the next twelve months. 

Among small to medium businesses, 53% are now spending $1.2 million annually on cloud computing, up from 38%in 2021. While the survey's authors do not provide a similar composite spending figure for larger enterprises, they report that many spend $12 million or more annually on selected public cloud services -- 18% of enterprises spend this on AWS, 15% spend this on Microsoft Azure, and 7% on Google Cloud Platform.

So there is a lot of money being poured into cloud services. A lot of the monthly subscription bills are likely going to a raft of unused or underused services for which no one is really able to account. Someone in some department signed on to a cloud instance to run some tests three years ago abandoned it, and the company still keeps paying for its usage. 

Enter FinOps. This practice is intended to help organizations get maximum business value from the cloud "by helping engineering, finance, technology and business teams to collaborate on data-driven spending decisions," according to the FinOps Foundation. (Yes, there's now even an entire foundation devoted to the practice.)  In many cases, they are practicing the art of FinOps without even calling it that. Respondents are actively involved in the ongoing usage and cost management for both SaaS (69%) and public cloud IaaS and PaaS (66%). "More and more users are swimming in the FinOps side of the pool, even if they may not know it -- or call it FinOps yet," the Flexera survey's authors state.

In addition, for the sixth year in a row, "optimizing the existing use of cloud is the top initiative for all respondents, underscoring the need for FinOps teams or similar ways to improve cost savings initiatives," they also note.

While the survey doesn't explicitly ask about FinOps adoption, the authors also state that some organizations have organized FinOps teams to assist in evaluating cloud computing metrics and value. (A specific percentage is not provided.) They also observe that "for the sixth year in a row, optimizing the existing use of cloud is the top initiative among 59%, followed by migrating more workloads to the cloud (57%).

The survey's authors appear very optimistic about what the cloud can do to boost the value of technology to enterprises: "As organizations move more workloads to the cloud, they can retire the technical debt associated with maintaining and operating traditional data centers," they state. (We'll have to check back on that one, right?)

What are organizations doing to better understand and keep a lid on cloud costs? Close to two-thirds, 64%, focus on maximizing resource utilization, while 50% engage in deleting or removing unused or idle resources. This means that half of the respondents are not actively reviewing cloud services for which they pay a monthly fee. 

Another 41% look into provider discounts such as reserved instances. Another 39% are pursuing a pure FinOps approach: employing the unit economics model, considered a key component of the FinOps disciple. (Unit economics, as explained by Apptio's Andrew Midgley, is "the average revenue or costs, or the margin, directly associated with a specific unit delivered by an organization.") As illustrated at the FinOps foundation site, "for a customer-facing application, that unit might be a user or customer subscription; for an e-commerce platform, it might be a transaction; and for an airline, it might be a seat. By calculating cloud spend for total revenue, you can attach growth in cloud spending to your overall business growth. When these are in line, it makes sense that cloud spend isn't wasted. When cloud spend is growing faster than the business, there may be cause for concern."

Automation is a key tool for optimizing cloud costs, the survey shows. More than 40% of respondents are using automated policies to shut down workloads after hours and to rightsize underutilized instances. Another 33% are using automated policies to implement required tags, while 43% still perform this labor-intensive process manually. 

While at least half of IT executives recognize the value cloud is bringing to the business, the prime measure of success is still cost savings. This is likely the easiest and most demonstrable pitch to the C-level and board. Speed to market is also a highly tangible benefit and thus also ranks high as a success metric. Innovation and competitive advantage resulting from cloud flexibility are perhaps the most long-term advantages of a cloud-based enterprise but are a bit squishier in terms of metrics. The following are the top metrics for assessing progress against cloud goals identified in the survey:

  • Cost efficiency/savings: 74%
  • Delivery speed of new products/services: 68%
  • Increased speed of innovation: 48%
  • Value delivered to business units: 47%
  • Increase in competitive advantage: 47%
  • Number of workloads migrated: 45%
  • Retirement/decrease of technical debt: 37%

As is obvious from the survey, FinOps is still an emerging way of operating in the cloud that has not yet been well defined. The following are principles formulated by the FinOps Foundation to help bring clarity to the roles involved and purpose of the practice. 

Teams need to collaborate

  • Finance moves at the speed and granularity of IT
  • Engineering considers cost as a new efficiency metric
  • Continuously improve your practice to gain efficiency and innovation
  • Define governance and controls for cloud usage

Everyone takes ownership for their cloud usage

  • Empower feature and product teams to manage their own usage of cloud against their budget
  • Gain visibility into cloud spend at all levels
  • Track team-level targets to drive accountability

A centralized team drives FinOps

  • Centrally govern and control Committed Use Discounts, Reserved Instances, and Volume/Custom Discounts with Cloud Providers
  • Centralized discount buying process removes rate negotiations from engineering team consideration
  • Granular allocation of all costs, direct or shared, to the teams and cost centers responsible for them

Reports should be accessible and timely

  • Fast feedback loops result in more efficient behavior
  • Visibility helps determine if resources are under- or over-provisioned
  • Automation of resources drives continuous improvement

Decisions are driven by business value of cloud

  • Trending and variance analysis helps to understand why costs increased
  • Internal team benchmarking drives best practices and celebrates wins
  • Industry peer-level benchmarking determines how your company is performing

Take advantage of the variable cost model of the cloud

  • Rightsizing instances and services help drive appropriate resourcing levels
  • Comparing pricing between services and resource types drives better decisions
Courtesy: ZDNet

Wednesday, 3 August 2022

How the cloud can make supply chains greener

 Aside from net-zero datacentres, cloud computing can do more to tackle climate change by addressing emissions created along global supply chains

Greening of the cloud is happening at pace, shifting computing en masse to remote datacentres powered by renewables. However, energy consumption is just one part of the picture. In the lead up to COP26, the United Nations Climate Change Conference, later this year in Glasgow, attention is being directed at the cloud’s ability to drive greater sustainability in supply chains

The focus is on data and lots of it. When it’s organised and analysed on the cloud, via a single, uniform platform, organisations can start to reconfigure how they do business in a more environmentally friendly way. This can be achieved by driving efficiencies, fine-tuning logistics and transport routes, as well as by using natural resources. 

“Sustainable supply chains aren’t driven by technology, they’re enabled by technology,” explains Mark Griffiths, global head of climate business at WWF. “Cloud-based technologies enable near real-time visibility, as well as greater accountability.”

The World Wide Fund for Nature isn’t the only organisation involved. Unilever has teamed up with Google Cloud to fight deforestation and source sustainable commodities, particularly palm oil. The idea is to connect satellite images of forested and deforested areas with data on suppliers, to make sure Unilever is buying products from reputable partners. The cloud acts as the ultimate ledger for such activity.

“Transparency, data analytics and better decision-making is the cloud’s unique selling point when it comes to sustainability,” says Vishal Patel, vice president at Ivalua, a procurement software provider. 

“Then there’s the ability to monitor and track suppliers. Procurement can help drive green initiatives by selecting and rewarding companies for sustainable practices. This is done by validating environmental impact data from suppliers and tracking them against sustainability goals. Cloud-based procurement tools can certainly help identify these opportunities.”

Data and supply chain visibility are stumbling blocks

The cloud as a force for green good in the lead up to the biggest climate summit since the Paris Agreement sounds remarkable, but there are challenges. Data and visibility along supply chains is notoriously difficult to achieve if they stretch between Glasgow, Gurugram and Guangzhou, involving many data silos and tiers of suppliers, who now have to adopt cloud solutions. There’s a lot of inertia. 

“Climate change is a big challenge for organisations, with effects that are far reaching, but addressing these is a long-term and more iterative process, so investment usually takes longer to prove its worth. It can be difficult for such investments to gain buy-in,” says David Basson, UK manufacturing lead at Fujitsu. 

Cloud is more likely to be deployed as a supply chain solution because it creates efficiencies, reduces lead times and allows companies to respond, adapt and act faster, saving them money and time. Some of these wins could be future sustainability wins too. 

“The cloud helps companies build a common infrastructure. Once supply chain partners adopt this, it gives them the foundation to evolve and adapt to any new challenge; this includes climate change,” Dan Martines, managing director at BCG Platinion, points out. 

Cloud also provides an agile, just-in-time, elastic environment that is easy to configure for supply chains. It’s cheaper to build, with recognised standards and off-the-shelf tools as well as data services. This is likely to drive its adoption when it comes to sustainability. 

“Arguably you could deliver the same systems out of the cloud to trace upstream and downstream value chains for sustainability. The challenge is the complexity of doing this,” says Grant Caley, chief technology officer (CTO) for UK and Ireland at NetApp.

“For instance, data from operational technologies can be combined with transportation internet of things sensor information and then cleaned with data services in the cloud, before running this against artificial intelligence (AI) models. This is then used as the basis to build cloud-based value-chain applications. The cloud makes all this a lot easier, more cost effective and accessible.” 

Another driver will be government procurement, as adoption of cloud-based solutions that drive sustainability are being championed by the public sector, which is increasingly aware of emissions and the race to net zero. The cloud offers transparency and accountability when it comes to the public purse. 

“Government requires sustainability and corporate social responsibility (CSR) issues to be addressed as part of procurement. This is happening in local government where up to 5 per cent of an evaluation could be assigned to this. We regularly see the CSR aspect of bids given equal weighting to technical functionality. The result is that it has become a core part of any offer,” says Nick Cobley, managing director of cloud at Agilisys. 

New cloud-based tools deliver change

The cloud can be leveraged to generate sustainable supply chains in many industries, yet some represent more opportunities than others, such as manufacturing, retail and energy. There are also easy gains within sectors such as greener logistics. This has come to light during COVID lockdowns. 

“Retailers have been collaborating with each other and acting more intelligently over the last mile, cutting their emissions as well as delivery costs and fulfilment processes. Without the flexibility the cloud offers, they would not be able to re-engineer their supply chains quickly enough to take advantage of this kind of opportunity,” says Matt Waldbusser, global field CTO at Blue Yonder.

AI and machine learning can also assist in generating more sustainable supply chains, since these technologies can be articulated on the cloud more easily, joining the data dots and providing new levels of insight, such as reducing overstocking or solving complex logistical issues. 

“Amazon is a good example. It’s not surprising that an organisation with such strong cloud pedigree is connecting customers in-store directly into the supply chain through sensors, AI and the cloud. In the process they can make the entire supply chain more efficient and so more sustainable,” Alex Guillen, technology strategist at Insight, explains. 

There are also new cloud-based tools that are assisting the sustainability drive. Virtual digital twins are becoming more common. This allows companies to model, simulate and analyse more environmentally friendly concepts and hypotheses in the virtual world. Then apply them in real life.

“You can use a virtual twin to create an entire supply chain. The pharmaceutical and energy industries are now deploying this approach to offer more accurate data across their supply chains and reduce their carbon emissions and waste,” says John Kitchingman, managing director, EuroNorth, at Dassault Systèmes.

So what of the future? More cloud-based data will enable supply chains to be reconfigured. The hope is we will transition to a circular economy, moving away from a take, make, dispose linear model. That involves an ecosystem of partners, recalibrating how they interact, which is easier on the cloud. 

“This will be a destination for sustainable supply chains, where no net waste occurs in the produce and consume cycle. At the moment it’s being pushed in Europe and Japan, but its principles will soon be introduced in the United States,” says Dr Raj Agnihotri at IBM’s Global Supply Chain Center of Competence.

Certainly, the cloud now offers a window onto the art of the possible. “We are only limited by our imagination, prioritisation and drive to leverage the cloud in meaningful ways to help address our climate crisis,” Aaron Oser, leader of global sourcing at Pillsbury Law, sums up. 


Tuesday, 26 July 2022

What SMEs should know when moving to the cloud

SMEs have as much to ponder as large companies do when considering cloud migrations. Even those on the tiniest budgets would be unwise to become preoccupied by providers’ headline prices

For several years, Peter Ambrose, MD of The Partnership, contemplated moving the 20 million files held by his business to the cloud.

Every evening, the 80 employees at the property law firm’s offices in London and Guildford would back up the day’s conveyancing documents, searches, emails and other correspondence to a huge bank of on-site servers.

“Each case generates about 160 documents,” he explains. “Every time we created a document, we stored it. We needed to back up our data and keep it safe because it is incredibly sensitive information that includes bank details and identity checks. My number-one concern – which literally kept me awake at night for years – was whether that data was vulnerable to a ransomware attack.”

Finally, after months of research and planning, in November last year, The Partnership migrated all archived and live case data to a cloud service. 

“It was scary – I’ll make no bones about it,” Ambrose admits. “Although we had done all the tests, until you’ve actually moved this huge amount of data, you worry about whether it’s going to work.”

The Partnership is one of a growing number of SMEs that have successfully moved their operations to the cloud. Another is Dakota Hotels. The luxury accommodation group needed a cost-effective cloud-based software solution that could be scaled up as the business grew. It also wanted to harness the potential of the cloud to help with the HR challenges that the pandemic had forced upon the hospitality sector. As an additional benefit, the company gained greater insights into its costs and commercial opportunities. 

“The time savings we’ve accrued by moving to the cloud have freed people up to focus on innovation,” says the company’s operations director, Andrew Ovenstone. “This has enabled our finance professionals to move away from number-crunching and become value creators.” 

All hotels under the Dakota brand compile their own profit-and-loss statements, which meant that a cloud-based solution would be an ideal solution to support multiple data entries. This has granted each hotel the autonomy to input data without compromising consolidation, reporting or intelligence at group level. 

For SMEs, there are several key factors to consider when contemplating a move to the cloud. The first of these is the issue of cost versus opportunity. 

“Cost matters for SMEs, but you also need to think about what moving to the cloud can enable for your business,” says Dr Antonio Weiss, senior partner at The PSC, a consultancy that helps providers of public services with their digital transformations.

“If you hold data and applications on your premises, you probably run quite a restricted service,” says Weiss, whose book, The Practical Guide to Digital Transformation, was published in February. “The cloud enables huge possibilities in terms of data processing and analysis. It also offers better security and improved performance for your customers and staff. So, while you should aim to keep costs low in any cloud transition, you need to focus on how it can make your business better and to ensure that you have a plan to capitalise on this.”

The second key factor to consider is flexibility. One of the challenges for The Partnership was to find a cloud provider that would store and register multiple versions of documents rather than providing a static record. This enables employees to return to the material and update it where necessary.

“We looked at Microsoft and Amazon Web Services, but found that they wouldn’t work for us,” Ambrose says. “We needed a system that could cope better with changeable data, which is why we partnered with Egnyte.”

The third consideration is the level of functionality required in the short, medium and long term. SMEs need to be realistic about what level of service and availability they are going to need, says Mairead O’Connor, executive for cloud engineering at AND Digital.

“Public cloud platforms enable SMEs to occupy the same playing field as big, cash-rich corporations,” she says. “All companies have been granted access to technology such as machine-learning tools. Only recently, functionality of this sort would have been out of reach to all but the most well-funded multinationals.” 

But firms should not adopt such tech without first considering their strategic direction. Cloud transformations are complex and, unless they are executed properly, they can lead to serious operational inefficiencies and data leakage. Before parting with any money, CIOs and CEOs should take a step back and review their current business model.

Ash Finnegan digital transformation officer at Conga, an enterprise cloud computing and data company, observes that a lot of SMEs have been rushing their digital transformations.

“Regardless of their size, organisations need to complete a thorough assessment and understand where they are with regard to their digital maturity today,” she says. “This involves analysing their current operational model, identifying strengths and weaknesses, and establishing how they can better connect with their customers and serve them.”

The fourth key factor to consider is the likely level of service and tech support required. Despite the hurdles involved, migration to the cloud can yield many benefits, as The Partnership and Dakota Hotels have discovered. 

Using subscription cloud services eliminates the need to maintain and upgrade technology, which can be costly and time-consuming processes for SMEs. But it is vital to establish exactly how much support you expect from your cloud provider and to be realistic about your own IT abilities.

The provision of adequate tech support is key for smaller firms, stresses Charlie Dawson, marketing and channel director at cloud provider Imscad Global. “There will be some SMEs with the resources to support their own cloud migration and provide ongoing support, but they should ensure that the provider they choose offers a good level of support, including the ability to have issues resolved using in-person communication,” he says. 

Security is the fifth major consideration. For Ambrose, his decision to use a cloud service was prompted by the ongoing challenge of protecting The Partnership’s in-house servers. Yet price and performance are often the first considerations for many SMEs, even though a loss of data could have catastrophic ramifications. 

While factors such as affordability and capacity are clearly fundamental, most cloud providers offer only the most basic security features, especially at the budget end of the spectrum, warns Trevor Morgan, product manager at data security specialist Comforte.

“This simply won’t be enough if your highly sensitive information – on your firm’s finances, intellectual property and customers – is destined for the cloud,” he says.

Concerns about regulatory compliance will come to the fore here, especially for businesses in industries that require very strict risk controls – for example, defence, healthcare and financial services. 

“Each particular market will present different constraints, but companies operating in the same space may still have different appetites for risk,” notes Dean Clark, chief technology officer at digital consultancy GFT Group. “The ideal balance between security, compliance, cost and functionality will depend on the individual organisation.”

SMEs should determine whether the solution they are considering has the right level of security in place. Two-factor authentication (2FA) should be a minimum standard, according to Lee Wrall, director at managed services provider Everything Tech.

“We’re seeing that some cloud solutions are putting 2FA into their future roadmap, but we believe it should already be there,” he says. “For more robust infrastructure requirements, we’d recommend opting for bigger, more established solutions such as Microsoft or Amazon, as these provide features such as security, compliance and the ability to scale up as standard. For businesses using simpler cloud applications, the primary driver should be functionality, followed by security, compliance, scalability and cost.”

Database requirements constitute the sixth and final key consideration. In the cloud, storage capacity is one of the measures that service providers use to charge for their offering. If you do not have significant volumes of data, the cloud may not provide value for money.

“For any company that needs some level of scale and availability, the cloud is usually the best option,” says Andrew Oliver, senior director of product marketing at MariaDB, an open-source database provider. “For a very small database with merely internal users, hosting in house might be more cost-effective if the company has the time and expertise – and a careful plan for off-site backup.”


Friday, 22 July 2022

So, you’ve upgraded to the cloud…now what?

Shifting to the cloud is no mean feat, but success depends on what comes next. CIOs must balance technical demands with training needs

Any experienced sailor knows it’s easy to launch a vessel – the hard part is keeping it afloat once you’re out at sea. The same can apply to chief information officers (CIOs) who’ve successfully upgraded their business to the cloud.

Finding your sea legs quickly as wave after wave of problems hit – including creaking legacy technology, belligerent employees and the ever-present threat of cyberattacks – is key to post-cloud survival.

Helen Ashton helped power fashion giant ASOS through several technological shifts, moves which ultimately made them the market leader in online shopping, earning £3.26bn last year. Now founder of Shape Beyond, a business transformation consultancy, Ashton says the key to success at ASOS was full migration to the cloud.

However, new technology only brings the expected benefits when people are kept on board with the processes needed for success.

“Businesses either plan for months in minute detail or they jump straight in to work on the sexy stuff, such as analytics or digital CX,” says Ashton. “But success comes from winning hearts and aligning incentives. It is amazing how easily focus can shift through overzealous project management to ticking off activities on the plan rather than keeping sight of delivery of the outcomes identified as indicators of success.”

You can use some of the cloud’s metrics and data to demonstrate quick wins and progress. However, the key to ongoing cloud success is to share data in a way that empowers staff to problem solve within the business, creating a sense of shared responsibility that allows all parties to see bottlenecks and show who needs help and why, says Ashton.

Bucket spills

Before you share all your data internally, make sure a hole in your S3 bucket isn’t sharing it everywhere else. 

A simple S3 bucket exposure from an unknown public source leaked personal details of 120 million Brazilians – including banks, credit details and voting history – partly because an administrator had renamed the index.html by accident. In separate examples, a mobile app developer exposed 500,000 documents from a finance app and a cannabis retailer leaked 30,000 of its customers’ details, which all led to considerable fallout and organisations falling foul of data privacy regulations. 

“We’ve seen incidents on a frequent basis where cloud databases have been set to be publicly accessible, when they needed to be private,” says Javvad Malik, lead security awareness advocate at KnowBe4. “Similarly, having the appropriate authentication controls in place is vital to prevent account takeovers which exploit weak credentials.”

To prevent leaks, look for gaps where cloud migration shifts data centre responsibility from the traditional sysadmin to site reliability engineers and DevOps teams, says Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Center. “This shift creates a potential gap between those familiar with the application security requirements and those versed in cloud security topics. This can lead to situations where storage misconfigurations in the form of unsecured S3 buckets result in significant data leakage.”

Patch management is also an area of risk, particularly when long-running servers are upgraded but containerised microservices haven’t been redeployed, says Mackey. “If the pre-existing patch compliance dashboard was based on logging into all systems, it will need to be updated for a containerised deployment.”

Training needs

While you’re taking the lead, your team can only follow if they’ve been trained correctly. In the haste of initial deployment deadlines, the required level of understanding is often lacking across the team, says Mackey. While this should be remedied with training, security access should be kept on a need-to-know basis, not just given to those at senior levels, even if that requires diplomacy.

“Training efforts should focus on how to operate a cloud service using principles of least privilege. Once training is complete, a comprehensive review of gaps in implementation should be performed and any issues remediated.”

While not everyone needs access, staff should still be aware of all security settings and why they’re in place, with drill tests to ensure all such settings are as they should be. “A culture of security needs to be built that understands the risks of the cloud,” says Malik. “Use internal and external data sources to determine the root causes for most attacks against cloud infrastructure, and invest in the appropriate human, procedural and technical controls.”

It’s also important to know when to hand over control to the system. If you don’t automate quickly it can create sluggish staff, put off new hires and create extra labour and therefore costs. 

“If you don’t automate, organisations become less agile or adaptable to change and teams may also demotivate because of repetitive tasks,” says Sergio Loureiro, cloud security director at Outpost24, a cybersecurity specialist. “Today, when it is hard to find a skilled workforce, automation is a competitive advantage. Finally, customer perception can be impacted by longer response times.”

The human factor

Despite all the technological risks, many problems will come from humans. Even at ASOS, human nature states people always want to keep the status quo, says Ashton. “In more traditional businesses, there is a strong possibility of ‘adoption indigestion,’ which can derail cloud’s anticipated benefits if not effectively managed. There is no silver bullet solution here. It is a mix of training, communicating the benefits, real-time support, and measuring process and outputs to identify issues and successes.”

While cloud software does a lot of the work for you, keep peace of mind by inviting occasional outside input, says Andrew Whaley, senior technical director at Promon, white hat hackers that test large-scale organisations. “Businesses still need to check that security has been applied correctly. Periodic assessments by third party pen testers is a good way to check this.”

Testing how watertight your vessel is inside and outside of the water, while ensuring all those on deck understand the direction of travel, is key to charting a clear and positive course for your business on the cloud.


Thursday, 21 July 2022

Five Cloud Security risks your business needs to address

 The rise of cloud computing represents a potential bonanza for cybercriminals, who are constantly probing for weak links in defence. Could your firm be doing more to protect itself?

Cloud computing has become a key part of how businesses operate in the West. Research conducted for the European Commission in 2021 found that 41% of EU companies with more than 10 employees were using some form of cloud service, for instance.

But with wider use of the cloud comes a greater likelihood that more things will go wrong. Cybersecurity should therefore be a prime concern for adopters. Here are five key issues that all cloud users would be well advised not to ignore.

1. Ensure that your configurations are… configured

“Misconfigurations remain a top risk for cloud applications and data,” says Paul Bischoff, privacy advocate and editor at Comparitech, a website that rates technologies on their cybersecurity. A misconfiguration happens when an IT team inadvertently leaves the door open for hackers by, say, failing to change a default security setting. This is often down to human error and/or a misunderstanding of how a firm’s systems operate and interact.

If misconfigurations happen on a non-cloud-connected network, they’re self-contained and, potentially, accessible only to those in the physical workplace. But, once your data is in the cloud, “it is subject to someone else’s security. You do not have any direct control or ability to test it,” notes Steven Furnell, professor of cybersecurity at the University of Nottingham. “This means trusting another party’s measures, so look for the appropriate assurances from them rather than making assumptions.”

Bischoff adds that oversights in this respect can “leave data vulnerable to unauthorised parties from the public internet. Attackers frequently scan and find cloud services with common misconfigurations. Comparitech’s ‘honey-pot’ experiments show that attackers can steal data from unprotected servers in a matter of hours. Our security team often finds and discloses exposures that occurred because of misconfigurations.”

2. Mitigate the risks of phishing

According to the government’s latest annual Cyber Security Breaches Survey, 39% of businesses in the UK experienced a cyber attack and/or breach in the year to March 2021. Of those firms, just over a quarter said that they were being targeted at least once a week. 

The most common attack method they reported was phishing, which accounts for four in every five attempted incursions. Phishing occurs when a criminal impersonating a well-known brand contacts people online and tries to fool them into visiting fake websites designed to extract key information from them.

Furnell notes that cloud services have become among the most common phishing lures, because of their ubiquity and importance in business. They are places where users would expect to have to share information, including passwords. 

Education is crucial in tackling phishing, says Furnell, who adds: “A combination of technical measures and interventions to improve user awareness are necessary to provide an effective safeguard.”

There is plenty of room for improvement in the latter area: the government survey found that only 20% of UK firms had used mock phishing exercises to test their employees’ knowledge in the year to March 2021.

3. Limit the amount of data shared to the cloud

It can be tempting for firms to outsource all their data to a cloud service provider. Doing so removes the need to manage data in different locations and eliminates a lot of maintenance hassle. But such convenience comes at a cost. Supply chain attacks – in which cloud providers are probed for weaknesses – are becoming more common.

Big players in the market are investing heavily in their defences. Google Cloud, for instance, recently added a feature called Virtual Machine Threat Detection. This continually scans tenants’ virtual machines for signs of crypto-mining operations, which can covertly hijack the processing power of their computers.

But even the most diligent providers cannot say with certainty that they are 100% invulnerable. For that reason, it’s vital that their clients audit what information they’re willing to share in the cloud. Thinking that the security of any material held in the cloud could be compromised is a useful – if pessimistic – way to approach this issue. 

“Careful attention should be given to the extent and level of access to cloud data and resources that is granted to third parties,” Furnell advises.

4. Keep a lid on the internet of things

Whether you have production lines that are connected to a cloud server for their instructions, a packing operation that monitors stock using cloud-based data or simply a smart fridge in your office kitchen, the threat to business continuity grows as more data is connected to the cloud. 

The internet of things (IoT) has enabled the smoother running of many processes, but it’s worth bearing in mind the risks if you’ve come to rely on the constant availability of a given cloud service, say, or if you’re storing proprietary manufacturing information on hackable servers. 

Don’t be surprised if such data disappears or ends up in the wrong hands, warns Christopher Boyd, lead malware intelligence analyst at Malwarebytes Labs. 

“Basic errors in cloud security will happen throughout 2022,” he says. “With so much IoT data stored in the cloud, there is no limit to what an attacker could do if it managed to compromise services.”

5. Lock up your application programming interfaces

It’s not only the cloud server and the data on it that you need to be concerned about. It’s also the way in which your business interacts with the cloud.

That connection is often brokered through application programming interfaces (APIs). 

“These are often an initial attack vector, if not one of the most critical vectors, in complex attack chains,” says Michael Isbitski, technical evangelist at Salt Security. “Depending on your overall enterprise architecture, the potential security risks are numerous. They include data exposure, privilege escalation, system compromise, lateral movement within networks and the planting of malware or ransomware.”

APIs are a weak link that’s often overlooked. Several of the vulnerabilities identified in Microsoft Exchange Server in the first half of 2021 have been attributed to APIs, according to Isbitski. 

“Attackers regularly plant malicious software by accessing unprotected services via APIs or compromising dependencies and Git repositories that make up software supply chains,” he says. 

To stop the attackers in their tracks, IT professionals must monitor all API calls to and from cloud servers and contextualise them within normal business web traffic.


Tuesday, 12 July 2022

Public cloud spending grows 26% as AWS, Azure and Google Cloud cash in

Spending in the public cloud is soaring, meaning the hyperscale providers are investing heavily in their infrastructure.

public cloud server

Global spending on public cloud grew by 26% to reach $126bn in the first quarter of 2022, new figures show, with infrastructure as a service (IaaS) and platform as a service (PaaS) seeing the steepest increases.

The big three hyperscale public cloud providers – Amazon’s AWS, Microsoft Azure and Google Cloud – have been the biggest beneficiaries of this growth. To meet this growing demand, they are ramping up their data centre investments, the figures show.

Data from Synergy Research Group shows that total IaaS and PaaS revenue for the first quarter of 2022 was $44bn, up 36% on the 2021 figure, with strong growth also reported in other areas.

“Public cloud-related markets are typically growing at rates ranging from 15% to 40% per year, with PaaS and IaaS leading the charge,” said John Dinsdale, a chief analyst at Synergy Research Group. “Looking out over the next five years the growth rates will inevitably tail off as these markets become ever-more massive, but we are still forecasting annual growth rates that are generally in the 10% to 30% range.”

Public cloud revenue growth benefits the hyperscale cloud providers

The big three hyperscale cloud providers – AWS, Azure and Google Cloud – occupy nearly two-thirds of the public cloud market, according to Synergy’s analysis, with a combined 64% share. AWS has the largest public cloud market share, with 33%, followed by Azure with 21% and Google Cloud with 10%.

Elsewhere, the managed private cloud services and enterprise SaaS segments both saw revenues grow 21% year-on-year, while spending on content delivery networks (CDNs) was up 13%. Here companies outside the hyperscale cloud providers benefited, Synergy says, with IBM, Salesforce and Adobe cashing in, as well as specialist CDN providers Akamai and Cloudflare.

Indeed, Salesforce saw revenue up 26% in the first quarter of the year, while IBM grew hybrid cloud income by 17% (the company does not break out private cloud revenue) and Adobe reported a record Q1, with income of $4.26bn.

Spending is on the rise for public cloud data centres

As their revenues grow, the hyperscale cloud providers are building new data centres around the world, and in the first quarter of 2022 public cloud providers spent $28bn on building, leasing and equipping their data centre infrastructure, up 20% year-on-year.

Synergy reports that spending on new data centres grew 15% year-on-year in the first quarter of 2022, with investment in growing capacity at existing sites up 18%. The hyperscale cloud providers led the way on this, Synergy says.

Spending on data centre hardware and software, and on leasing server space, also saw big year-on-year growth.

What next for public cloud?

Microsoft expects to build 50-100 new data centres around the world each year for the foreseeable future, and Synergy Research Group's Dinsdale says this level of investment will need to continue to meet demand.

“To enable cloud service markets to keep up with demand by doubling in size in the next three-four years, the major cloud providers need an ever-larger footprint of hyperscale data centres and more raw computing power, which then drives the markets for data centre hardware and software," he says. "For sure the competition will be tough, but up and down the cloud ecosystem there will be a bright future for companies that bring the right products to market in a timely fashion.”

Courtesy: TechMonitor

As cloud costs spiral upward, enterprises turn to a thing called FinOps

Organizations waste 32% of cloud spend, up from 30% a year ago. 'More and more users are swimming in the FinOps side of the pool, even i...