Hybrid IT is gaining traction, but what exactly does it mean, and are you ready for it? In simple terms, Hybrid IT is an approach to information computing where an organisation provides and manages some IT resources internally, but also uses cloud-based services for other aspects. There are many questions to consider before moving to a Hybrid IT model, but there are also many advantages involved in making the move, as long as your strategy and plan are right. At AC3, we have extensive experience in migrating and supporting the NSW Public Sector in GovDC and helping agencies adopt a Hybrid IT model. The following points will serve as a guide when considering shifting to a Hybrid IT model.
Recent, well-publicised data centre outages highlight the risk of running applications in a single data centre without failover to another. Public cloud providers commit significant resources to ensuring that their infrastructure is available and accessible whenever end users need it. However, in spite of a cloud provider's best efforts, problems are inevitable. Adopting a Hybrid cloud model can create more risk as it is a complex system that administrators have limited experience in managing.
Cloud architects need to design redundancy across data centres to mitigate the impact of an outage in a single data centre. A lack of redundancy can become a serious security risk to the Hybrid IT model if redundancy isn’t considered in the operating model.
Cloud architects can implement redundancy using multiple data centres from a single provider, multiple public cloud providers or a hybrid cloud. While you can improve business continuity with a hybrid cloud, that should not be the only reason to implement this model. You could save costs and attain similar levels of risk mitigation using multiple data centres from a single cloud provider, so there must be other issues that a Hybrid IT approach will help you solve to maximise your investment.
Maintaining and demonstrating compliance can be more difficult with a hybrid cloud. Not only do you have to ensure that the public cloud provider and private cloud are meeting your compliance standards, but you must also demonstrate that the means of coordination between the two clouds are compliant.
For example, if your company works with payment card data, you must be able to demonstrate that both the internal systems and the cloud provider are compliant with the Payment Card Industry Data Security Standard (PCI DSS). If you were to introduce a hybrid cloud, you would then also have to ensure that the data moving between the two clouds is protected. In addition, you would need to ensure that card data is not transferred from a compliant database on a private cloud to a less secure storage system in a public cloud. The methods you use to prevent a leak on an internal system may not directly translate to a public cloud.
Service Level Agreements
Most public cloud providers can consistently meet the expectations detailed in a service level agreement (SLA), which in most cases are “availability” promises. However, can the private cloud live up to that same SLA? If not, you may need to create SLAs based on expectations of the lesser of the two clouds, and that may be the private cloud.
Where should you start with this? A good first step is to collect data on the private cloud's availability and performance under realistic workloads. Look for potential problems with integrating public and private clouds that could disrupt service. For example, if a key business driver for the private cloud is keeping sensitive and confidential data on-premises, then the SLA should reflect the limits to which you use the public cloud for some services.
From a business perspective, information security is about managing risk. Cloud computing, and Hybrid IT in particular, uses new application programming interfaces (APIs), requires complex network configurations and pushes the limits of traditional system administrators' knowledge and abilities.
These factors introduce new types of threats. Cloud computing is not more or less secure than internal infrastructures, but hybrid IT is a complex system that administrators have limited experience in managing – and that creates risk.
Existing security controls such as authentication, authorisation and identity management will need to work in both the private and public cloud. To integrate Hybrid IT and your existing security protocols, there are two options:
1. Replicate controls in both clouds and keep security data synchronised.
2. Use an identity management service that provides a single service to systems running in either cloud.
You should ensure that you allocate sufficient time during the planning and implementation phases to address what could be complex integration issues.
Implementing a Hybrid IT model introduces more than just technical challenges; IT administrators also need to address risk issues. By understanding and mastering these five hurdles, Hybrid IT could offer more reward than risk.
AC3 is an ICT Managed Service Provider (MSP) specialising in delivering solutions to both the public and private sectors. We combine the best technology with the best people to deliver innovative IT solutions for your business. We have been designing, building and managing IT solutions since 1999. If you would like to discuss your Hybrid IT plan, please reach out on 1300 223 463. We would love to hear from you.