


Contributing Writer

Are there workloads in the cloud that don’t belong there?

May 27, 2016 · 4 mins
Cloud Computing, Cloud Security, Data and Information Security

Enterprise organizations are willingly moving sensitive data, mission-critical applications and network-based business processes to the public cloud

According to ESG research, 75 percent of organizations currently use a public cloud service, while another 19 percent have plans or interest in doing so. Furthermore, 56 percent of all public cloud-based workloads are considered IT production workloads, while the remaining 44 percent are classified as non-production workloads (i.e., test, development, staging, etc.).

This trend has lots of traditional IT vendors somewhat worried, and they should be. Nevertheless, some IT veterans believe there are limitations to this movement. Yes, pedestrian workloads may move to the public cloud over the next few years, but business-critical applications, key network-based business processes and sensitive data should (and will) remain firmly planted in enterprise data centers now and forever.


Poppycock, I say. While this seems to be a logical, albeit self-serving, perspective, this thesis doesn’t appear to hold any water.

To be clear, enterprise organizations understand the risks of placing critical workloads and sensitive data in the public cloud, and some are more risk-averse than others, but these seem to be short-term processes rather than long-term philosophical barriers. 

Why organizations move to the public cloud

Now, this may change over time, but like other IT initiatives, public cloud computing is all about business risk and reward. In a recent survey, we asked 303 IT and cybersecurity professionals why their organizations decided to move workloads to the public cloud. The research indicates that:

  • 50 percent of organizations want to align their IT strategies with technology innovation. In other words, cloud computing is more innovative and strategic than traditional data center alternatives. It’s where the cool kids hang out, and that matters in our industry. 
  • 47 percent of organizations want to lower operating costs.
  • 42 percent of organizations want to lower capital costs. Hmm, doing more with less is a pretty basic business goal regardless of what you are doing.
  • 41 percent of organizations want to align IT strategy with their increasing use of Agile development. This is an important point: software developers are driving cloud adoption just as they did in the past with mobile devices and Windows PCs when dinosaurs ruled the earth. If developers go cloud, CIOs who put up roadblocks are fighting against the industry. 
  • 41 percent of organizations want to reduce their number of physical data centers. Once again it’s all about efficiency, efficiency, efficiency.

I live in the cybersecurity world, so I understand the logic of keeping full control of your most sensitive IT assets. But that’s not what’s happening. As a result of the business objectives and benefits described in the list above, CISOs aren’t able to block cloud proliferation. Rather, smart cybersecurity executives understand that the cloud computing ship has sailed and are busy figuring out ways to mitigate risk, monitor cloud-based activity and modify/enforce cloud computing policies accordingly. It’s all about secure cloud enablement rather than workload classification or traditional IT bigotry. 

Embracing public cloud while also managing risk

I recently chaired a cybersecurity panel discussion at an event in Texas. One participant, Shawn Wiora, is CIO and CISO of Creative Solutions in HealthCare, a Texas-based operator of eldercare facilities. Shawn’s highly regulated firm in the conservative health care industry uses public cloud infrastructure for 100 percent of its IT needs (across 43 different cloud providers). Shawn’s message to the audience was simple, “If I can embrace public cloud computing, manage risk and comply with HIPAA/HITECH, so can you.”

It is also noteworthy that for a lot of small enterprise and mid-market organizations, public cloud computing may actually be more secure than the traditional do-it-yourself model. After all, a company running 15 supermarkets in the greater Boston area won’t be able to match data center technical and process chops with the folks running AWS, Azure, the Google cloud or IBM SoftLayer.   

I get it that large organizations have layers of legacy IT infrastructure that won’t be moving to the cloud anytime soon. Nonetheless, I would argue that this is a function of resources, priorities and business justifications rather than technology. Like it or not, the IT industry has to get used to the fact that more and more IT assets are moving to the cloud—with few restrictions. Leading vendors will accept this reality and adjust their strategies rather than assume the unrealistic role of IT Cassandra. 


Jon Oltsik is a distinguished analyst, fellow, and the founder of ESG’s cybersecurity service. With over 35 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help customers understand a CISO's perspective and strategies. Jon focuses on areas such as cyber-risk management, security operations, and all things related to CISOs.
