The advantages of cloud computing are well-documented yet security concerns about this delivery model appear to be dampening its widespread adoption in a number of emerging markets. This is particularly the case among larger enterprises and, one would expect, Small and Medium-size Businesses (SMBs). After all, if the large enterprises – which are in a better position to understand the technology and its application – are concerned about security in the cloud, then surely the smaller organisation must be equally concerned? Apparently not. 

Misplaced beliefs 

A recent survey carried out among 250 SMBs in the UK provided surprising results.  Apart from revealing a disturbiing lack of understanding of the terminology of cloud computing, security was seen as the lowest priority in terms of influencing a change in strategy towards the cloud. What needs to be addressed, UK SMBs say, are issues of complexity, pricing and fear of vendor lock-in. 

When asking those who do not want to use a hosted or managed service what the main reasons were, 56% said their needs were met by the existing set-up, 44% said the service was too expensive, 30% said the service was too complex for a business like theirs and – confirming the lack of understanding of what the cloud is all about – 26% said these services were only suitable for large companies. A total of 17% said they couldn’t see the benefit of it all while only 12% cited security as a concern.  

In another question asking what would encourage them to use a hosted or managed service, only 22% chose a guaranteed high level of security. Better vendor terms (43%), no lock-in terms, no contracts (40%) and pay-as-you-go (31%) were all considered higher priority issues.  

The research appears to indicate that the industry’s viewpoint on cloud-based services differs somewhat from that of the small and medium business. Whereas vendors have pushed hard on the savings benefits of hosted/managed services, it appears that SMBs are not too convinced. And while the industry perception is that security is hampering adoption, SMBs have indicated that security may not be so important after all. Why? 

“If it comes to the crunch, a business will spend money to grow the business and not to secure its network” 

Poor vision 

Firstly it has a lot to do with our perception of the SMB. The typical SMB is running on a tight budget, with few resources (financial and technical) and its main concern is the efficient and profitable running of the company. So the primary concern of SMBs is a positive cashflow at the end of the year. This would explain why these companies look at prices, contracts and vendor terms with such scrutiny. Security, in a large number of SMBs, is regrettably often too far down the list to be of concern. If it comes to the crunch, a business will spend money to grow the business and not to secure its network.

But what about those businesses that do invest in security and see this investment as an insurance policy against future losses or security breaches? If they are aware of the importance of the security, the existing threats and consequences, then the security of cloud-based services is surely a pain point (given their efforts to protect their network and data on premise)? Yes and no. 

Reasons given by SMBs for not using a hosted or managed service.

• Vendors are too technical  6% 
• Security concerns  12% 
• Cannot see the benefit  17%
• Services suitable only for large companies  26% 
• Services is too complex  30%
• Too expensive  44%  
• Needs met by existing set-up  56% 

Q&A 

Three of the most common questions that the SMB often asks are: 

• ‘How is my data protected?’
• ‘Where is my data?’
• ‘Who has access to my data?’

Are these security concerns any different from those that businesses have been facing for the past 30 years? Has anything changed just because the delivery model is now in the cloud?

Logic would dictate not. So while these concerns are justified, they appear to be unsubstantiated because the approach to security should be no different if it’s in the cloud or on-premise.  

‘How is my data protected?’ 

It is in the interest of every vendor offering cloud-based services that clients’ data is secure and protected. In a country like the US, where a lawsuit could result in material punitive damages for a business, cloud-based solution vendors do their utmost to protect the data they are managing. They have to out-perform because they know that a single breach could lead to litigation and significant risk and materially impact the corporate brand. 

“If a business’s security concerns are being addressed, the location of its data should be of little concern” 

Therefore, cloud-based solution vendors not only have the latest technology, the latest firewalls, the best datacentres and the highest levels of redundancy possible, they also apply multiple layers of defence in-depth that your average business can never have. Thus, if the cloudbased vendor can offer such a high level of security that is beyond what an SMB can provide, isn’t this concern irrational? 

‘Where is my data?’

If cloud-based solution vendors are going to extremes to protect their clients’ data, rest assured that they are also using optimised mechanisms to replicate and secure that data across multiple disks, servers and locations. If a business’ security concerns are being addressed, the location of its data should be of little concern. That is why this fear is also not justifiable provided the provider is of substantial size.

‘Who has access to my data?’  

Clients’ concerns should focus on how flexible the service provider is in meeting their requirements. In choosing a vendor, the existing security policies adopted must meet the needs of the business paying for the service. Moreover, if the client’s security requirements change, these changes must also be reflected in the security policies implemented by the cloud-based solution vendors.

“They see cloud-based solution vendors as the answer to offloading their security concerns. With security no longer a priority, it makes sense that SMBs are focusing on the business aspects of the model” 

What has changed with the cloud is the extent to which security policies can change. For example, when employees are made redundant, you would delete their accounts and block all access to the network. When using a cloud-based service, you now also have to block any access rights to the data that is stored in the cloud. The concern that employees could take confidential data with them is the same in both cases. The process to stop that requires additional policies. This is why it is so important that a vendor’s security policies are flexible and can change as their clients’ needs change.

Is it all the same? 

Security issues may have changed slightly with this delivery model but the approach to security should be the same irrespective of where the data is kept – on-premise or hosted/managed in the cloud. The same best practices apply and good business judgement is still required. However, security in the cloud will be better than anything a small or mid-size business can implement.

And this may explain why SMBs are not overly concerned about security because they see in cloud-based services a level of security that they can never aspire to achieve. On the contrary, they see cloud-based solution vendors as the answer to offloading their security concerns. With security no longer a priority with this delivery model, it makes sense that SMBs are focusing on the business aspects of the model. How much is it going to cost them? Will they be lockedin? How much will it cost to migrate their data if they choose to return to an on-premise model? These are the real business concerns that have a direct impact on the bottom line.

It is perhaps the right time for vendors to re-assess how they position cloud-based services to SMBs and change their messaging.  

Food for thought, no doubt, and it certainly calls for additional research into what SMBs really think about a delivery model in the cloud. A readjustment in messaging and a new educational campaign – especially through the media – may contribute to a much wider and faster adoption of this new approach to managing security and boosting business. 

With the business world shrouded in uncertainty, companies need to make an explicit effort to improve their cost management processes, especially when it comes to cloud infrastructure and services. 

There is a huge opportunity for organizations to reduce costs in this area. A massive amount of cloud accounts are overspending on their infrastructure and services, resulting in an estimated $17.6 billion in wasted cloud spend. Most cloud providers bill by the second or by the hour, so each second without a cost-cutting strategy is a second that creates cost. 

By focusing on the low-hanging fruit,  business can start saving quickly and those savings will grow over time. Below are some strategies to begin, starting with the easiest and quickest approach and working through to the more long-term, complicated processes:

• Achieving Observability Into Your Cloud Ecosystem 

Before everything else, it’s important to set up some form of monitoring capability that lets you know if you’re doing things correctly. For example, AWS has tagging, which allows you to shed light on where the problems are, see who is over-provisioned or under-provisioned, and which applications are costing the most to run.

While specialized products can provide deep breakdowns with a bit of work, 99% of companies can use the cloud vendor’s own billing tracking services for creating budgets, alerts, tags or resource divisions. 

The more detailed the observability, the better. It helps to understand the ecosystem, find out how things are divided, and show how much money is being spent on every application in development, production or storage. Once you start applying cost-saving measures, you can leverage this high-level observability to assess their effectiveness over time. 

• Hacking Your Cloud Computing Billing Model 

Whichever cloud vendor you use, you need to understand how you’re being billed, what the alternative billing options are, and which option is the most appropriate for your business. There are several ways to “hack” these billing models to make the most of the service and keep costs to a minimum, tweaking the way you pay for cloud services to match your needs. 

For instance, AWS bills for servers in multiple different ways, mostly based on computing capacity, so the difference in cost can sometimes be as much as 75% for the same machine. One of the things we can do to address this is to lower the capacity of the main server and pay for a reserve capacity that would cover any increases for a few months. If there is no plan to scale capacity in the short to medium term, this solution is ideal as it’s undetectable on the user side and doesn’t require you to change your whole fleet.

Planning capacity changes in advance is another billing hack. Try to estimate your product’s growth and understand how much computing capacity you’ll need in the future. Capacity can always be increased, but with better planning, it’s possible to drastically reduce costs. 

• Automating the Simple Stuff 

With organizations racing against the clock to create savings, automation can help massively when it comes to short-term cost reduction in the cloud. 

In a lot of cases, companies keep unnecessary computing capacity running when not in use, often at a higher cost than the capacity generating income. There’s almost no reason to run at full computing capacity 24/7, except on the production servers or anything that generates revenue. With some simple automation, you can easily shut down development, quality assurance or user acceptance testing capacity when not in use, reducing those active hours and lowering your bill. 

Cloud storage cost is another area that lends itself well to automation. It should go without saying that more cloud storage costs more to provide, so implement a lifecycle policy that dictates how long to keep backups and which backups are with keeping. 

Most non-production environments don’t really need a backup. It’s actually bad practice to store historical data on developer actions on particular servers as it takes up unnecessary space. Combined with a robust lifecycle policy, automation can help reduce costs in storage overuse. 

While this is only one possible use case of many, it shows that by implementing automation you can generate some impactful cost savings in a relatively short space of time. 

Now that we’ve covered the easiest and quickest actions that will generate quick wins and impact, here are some of the more expensive, long-term things:

• Right-Sizing: Establish the Right Server Capacity 

After automation, one of the most complicated but impactful cost-reduction activities is right-sizing, which is all about finding the correct capacity for your servers or storage. 

Right sizing involves performance testing to help understand how much capacity will be required, then sizing the servers according to those results. These tests cost money and require an automated approach that can be modified to suit the process as it evolves. Developers also need to be capable of responding to the tests in a continuous manner. 

The process is expensive, complicated and demanding to perform, but the long-term payoff is a consistently more reasonable cloud services bill that reflects the true capacity your organization requires at any given time. 

•  Architecting for the Cloud

Most cloud adoptions start with a “lift and shift,” where companies migrate everything from a data center to a similar environment in the cloud. While this approach gets things up and running without much thought, it doesn’t really serve to get the most out of the cloud model.

One of the main advantages of the cloud is being able to use on-demand capacity and services, which often requires companies to re-think their product’s architecture. For instance, using a serverless approach to only pay for individual executions, rather than forking out for a full-blown server.

While the benefits are tempting, organizations must spend time planning and ensuring that their products are the right fit for certain cloud services, otherwise they run the risk of paying a lot more. It’s important to implement limiters, monitoring, alerts and budgeting configurations to keep risks at a minimum. Architecting for the cloud is huge and forces you to get down a design level on your applications and understand which services they really need, but it takes real commitment and requires a highly skilled team that can adopt a culture of cost-saving.

MatMax is a partnership of the main cloud service providers, has a qualified team and specialized products that help your company to better manage the infrastructure and reduce costs. Get in touch and learn more about our cloud strategies.