Risk Reductions – The Cloud Benefit We Don’t Talk About

Most cloud decisions that I have been a part of in the past, or help clients with today, are typically dominated by budget, security, functionality, and adoption considerations. While these are all extremely important, risk reductions outside the security space often go unrecognized. These other risk reductions are the unsung benefits of the cloud, and they don’t receive the attention they should– They are also compelling reasons to start making the shift.

I am sure there are plenty more examples than the ones I outline below, but these are the risks I have personally been able to help organizations avoid with cloud solutions. 

Facility and Environmental Risks

These are the most obvious, but also the most common. Whether you are hosting your infrastructure yourself or at a colocation facility, these are all tough (and costly) to mitigate.

  • Local risks like power outages, wind, leaking pipes, and even a malfunctioning fire suppression system – I have seen all of these cause major outages in data centers that had redundant systems. Distributed SaaS and other cloud applications are designed to heal if something happens to one (or even multiple) data centers.
  • Environmental risks like hurricanes, earthquakes, ice storms, floods, and heat waves affect large areas and can impact both an organization’s primary and DR data centers. The geographic redundancies and application redundancies available in cloud solutions are far more robust than traditional systems and can recover much more quickly.
  • Network outages are common, and redundant connections are expensive (especially dedicated services).  Some cloud advantages to using the internet instead:
    • Internet transport is generally more resilient than your WAN and already available almost everywhere.
    • Distributed workforces or offices in other geographic areas using the internet instead of dedicated services can easily use multiple connections.
    • There is a smaller and simpler network footprint to manage overall, and much less to have to configure, patch, or have fail in the middle of the night.

Staffing Risks

On-premises systems often evolve over time and end up more complex, and not nearly as “standards-driven” as cloud deployments typically are.

  • In my experience, the variety and management of on-prem systems requires a considerable amount of familiarity with how things are built. This makes it especially tough when staff turns over or you need to ramp up someone new.  (Documentation is often..ahem…lacking…)
  • It is going to continually become easier to find people (either FTEs or vendors) with cloud skills that can jump in and get to work on standardized but highly configurable systems like Office 365 that have less variability than an on-premises application. The risk of disrupted systems and projects is significantly reduced.

Vendor Risks

Vendors can always present risk and require attention. That being said, large enterprise public cloud providers present less risk to an organization than smaller development, hosting, and colocation companies.

  • Self-hosting or traditional colocation vendors come with inherent limitations and risks when building out their platforms and facilities. They simply do not have the economies of scale that large cloud service providers do. It can also be difficult to get a clear understanding of the financial security and business risks carried by smaller firms.
  • The global enterprise scale and scope of vendors, like Microsoft, allows for far more investment in platforms, security, usability, and feature-completeness. The breadth of the portfolio is enormous and continues to improve. You get to benefit from the work and experience that they gain by serving so many customers.  This is especially evident in the security space.

Compliance Risks

As I have mentioned in previous posts, compliance is really an extension of security technologies in many ways. One of the easiest ways to simplify compliance efforts is to reduce what you have to manage and keep compliant yourself.

  • In a traditional environment, everything from the locks on the doors to the names of the governance policies need to be configured and managed constantly to meet compliance standards. Often this translates to literally thousands of elements that need to be tracked, documented and updated on a regular basis.
  • Using cloud technologies reduces this burden substantially, since the cloud vendor manages, maintains, and documents many of these controls for you as part of their platform offering. For example, maintaining NIST CSF compliance on Microsoft 365 requires over 2000 controls in total to be in place. Microsoft handles and documents over 1000 of those controls for you as part of the platform. The 1000 or so that remain are up to you to maintain, but a 50% reduction is significant.  You are on the hook for all 2000 in a traditional environment.

Recovery Risks

Despite everyone’s best efforts, disruptions and data loss can still occur. If they do, being able to recover quickly and reliably is much easier in the cloud. Geographic diversity and the sheer scale of the cloud environment opens up entirely new opportunities to improve recovery capabilities without enormous investments of time and money.

  • Local backup and recovery methods can be time consuming and unreliable, especially if there has been a facility issue or failed hardware.  Even if the on-prem backup is replicated to an alternate location, standby environments still need to be maintained and configured to serve as production systems. This can significantly lengthen RTO and increase the RPO gap.
  • Cloud backup and recovery like Azure Backup, Azure Site Recovery, geo-replication of data and even document versioning in Office 365 offer robust and scalable recovery methods in a shortened time. You can reduce both the RTO and the RPO gap significantly, and with less management overhead and investment than an on-premises solution.

All these risk reductions are real, they are valuable, and they should be a part of any discussion about moving systems or applications to the cloud. This isn’t to minimize the shared responsibility model that we all need to follow (see Microsoft’s diagram of this below), but up to half (half!!) of the boxes below are Microsoft’s responsibility, depending on the system. 
Oh, except for on-premises. You have to manage that. All on your own….🙂

Tom Papahronis

Tom Papahronis

Strategic Advisor - eGroup | Enabling Technologies

Last updated on July 31st, 2023 at 02:09 pm