In what is my third post looking at aspects of IT Strategy I thought I would write a little about moving to the cloud. I note that the ISC Digital group recommends schools move to using Office 365 or G-Suite, both of which are cloud based services, as part of their bursars 6 pack advice.
There has a long been worries about security and control over cloud-based solutions. My feeling is that largely these concerns have decreased with time and as cloud services have matured. Additionally, understanding of cloud services has developed however I note recently a conversation in relation to a school which hosted its data locally and was building its own solutions for reasons of data security, so the concerns haven’t gone away. In discussing cloud services, I love the idea of the cloud simply equating to “someone else’s computer”. This description works for me. In using cloud services for your solutions you are simply replacing your on-site servers with servers someone else owns, located somewhere out on the internet. The question though in using cloud services is one of asking whether the someone else you are using can offer something you cannot and whether or not you trust them.
Looking at G-Suite and Office 365 as cloud hosted productivity suites I can see a number of things which are being offered which aren’t available in a locally hosted solution. Both Microsoft and Google have significant technical support teams plus resiliency and redundancy capabilities way beyond what is possible with a schools IT support staff and on-prem solutions. They are able to collate threat intelligence from vast numbers of systems and users to help protect all those using their services. They offer a consistent revenue based costing model rather than the capital heavy costing model associated with on-premise data centres and servers, plus they offer easy scalability in terms of adding users, storage, services, etc.
As with most things this isn’t however a one-sided argument and there are other considerations which need to be taken into account. The need for internet access is one of the key considerations as if your internet connectivity is unreliable or if your bandwidth is limited then deciding on cloud hosting is likely to be a bad idea. Access to data may be another concern, as with locally hosted solutions you will have full unfettered access to the databases containing your data whereas in the cloud you may have limited access, through APIs for example, or may have no access other than that provided by a solutions user interface. Sharing of data may be a concern as your third party, such as Google or Microsoft in the above case, will have access to your data so we must consider how much we trust them to not misuse this access. Another consideration might be in relation to solutions which don’t need internet access, only requiring local network access, which therefore may be safer kept locally hosted. It isn’t simply a case of just jumping to the cloud, there are considerations and concerns which need to be weighed up.
One of the main concerns in relation to cloud services is the terms and conditions and understanding your rights and responsibilities under these terms. The terms and conditions should identify the overall approach to security which a vendor takes including how they may or may not share data, what happens should you cease using the vendor, their approach to breach and vulnerability notification, and any provision allowing for you to audit a vendors activities. Now I am not going to write much on this here as I will share some thoughts on this specific issue in a future post where I can explore it in more detail. What is key however is the need to carefully check the terms and conditions especially in relation to complying with your data protection/GDPR obligations and also in relation to business continuity and disaster recovery. It is important to take a risk based approach and weigh up the benefits and potential risks and assure yourself and your organisation that risks are acceptable and that benefits are worth any risk.
I continue to view the use of cloud based solutions or the use of the cloud to host an organisations own solutions positively. I can see lots of advantages and benefits. I also so more and more of our systems, data and services moving to the cloud in the coming years however I am also conscious that the cloud is not a silver bullet and is not necessarily appropriate for all situations. We need to consider moving to the cloud or cloud based solutions carefully. That said, I am not sure how that is different from normal behaviour as any change or introduction of new solutions should be considered carefully with a view to advantages, drawbacks and risk management.
Technology and Learning