Many independent software vendors (ISVs) are already aware of the advantages that migrating to the cloud brings. These include:
FLEXIBILITY
Not having to buy the hardware means users are spared the long lead times that traditionally exist between the physical infrastructure’s arrival, departure and renewal.
SCALABILITY
Another facet of this flexibility is the possibility of growing and flexing as business requirements demand. Small ISVs or early stage start-ups can begin with the set-up they need and build out their capability to use more resources in the cloud as they grow.
WIDER MARKET
The cloud enables an ISV to reach a broader market more quickly and offer a better user experience in the process. Building in a data centre, all the data is in one place. It is possible to utilise something like a CDN (content distribution network) in order to get the content closer to end-users, but in the cloud, the application can be deployed in multiple different regions.
DATA SOVEREIGNTY
Deploying an application in multiple locations on-premises is possible, but requires finding data centres in all of those locations, then spinning all of them up and having the applications running all of the time. In the cloud, operations can be wound up and down to suit demand – running at a minimum at nighttime in Australia, for example, rather than operating at full capacity for a handful of users, which is an unnecessary expense.
ACCESS TO OTHER CLOUD SERVICES
It is possible to use these on-premises, but once in the cloud, it’s far easier for organisations to access such things as databases, storage and API gateways without having to build them themselves.
SPEED AND MACHINE LEARNING
The flexibility of the cloud also enables previously hard to access machine learning capabilities. For those who opt to use virtual machines (VMs), it’s possible to make another one quickly if necessary. Without having to buy the hardware or build up an entire VM from scratch, a user can take a snapshot of the original one and in just a couple of minutes, the new one is ready to go.
SECURITY
But perhaps the best reason of all for ISVs to migrate to the cloud is now simply security. Cloud is more secure than on-premises, says Greg Cockburn, Head of Hyperscale Cloud at AC3. “There’s encryption built into everything now,” he explains. “In fact, it’s becoming more common for you to get it out of the box with encryption enabled.” This means it’s no longer necessary to take that extra step and enable the encryption after purchase.
With physical access and data centres, the level of security may depend on the size of the ISV, but in the cloud all such concerns are addressed. Organisations do not have to manage the data centre or check whether unauthorised users are plugging into the server for some reason. They don’t need to do police checks or monitor who is in their cage; rather, their trusted cloud partner takes ownership of these security measures.
In an on-premises environment, organisations have to address such considerations all the way through the stack, not just the ingress into their own servers. In the cloud, on the other hand, this is all the cloud provider’s responsibility. AWS (Amazon Web Services), Microsoft Azure, or a community cloud provider like AC3 will make sure the security is watertight. They have a number of data stations from various auditors and providers to ensure this is the case.
COMPLIANCE
Part of the security capability the cloud now offers is compliance. ISVs looking to sell goods and services will likely need to have a credit card payment option. In such cases, they may need to be PCI DSS (Payment Card Industry Data Security Standard) compliant. In an on-premises environment, the ISV will have to prove their compliance to the auditor all the way down the stack to physical entry to their data centre.
In the cloud, the organisation can simply ask their cloud provider for their compliance, and this will all be done for them, with a certificate provided. There’s no need for keeping track of this, meaning the complexity of a significant amount of overhead is removed. The organisation only needs to worry about its responsibility for the particular services it is currently running in the cloud.
DOWNSIDES?
In fact, there are now few, if any, disadvantages of migrating to the cloud, though there is still a perception that it means handing over control. In a way this is true, in that a cloud provider like Azure, AWS or AC3 will now look after all the ‘bottom down stuff’ and are trusted by their customers to do so. But they prove that trust by the number of certifications they obtain from different auditors around the world. Realistically, an organisation may acquire two or three of these certifications itself, but would be unlikely to get the 20 or 30 certificates for all requirements, including the aforementioned PCI DSS, as well as ASIC (Australian Securities and Investments Commission), ISD (Instructional Systems Development) and GDPR (General Data Protection Regulation)... the list goes on.
“If you do two, you have control over that, but is it a false economy?” says Cockburn. “You’re going to spend a lot of money getting those two. But is it really giving you the level of protection you actually could get in the cloud?”
Cockburn says he’s seen this become less and less of an issue and, today, even those demanding the highest degrees of security, in areas like finance and defence, can rely on the cloud.
“Even the most secure workloads for the Australian Federal Government are now in a position to consider the cloud,” he says.
A bigger consideration is less the cloud per se, and more the fact that the entity is owned by a US company, notes Cockburn, but when considering this from the security angle specifically, rather than implications around local sourcing, this shouldn’t be an issue. “They put a lot of work into securing those workloads, so there are multilayers of encryption... I don’t know a bank today that isn’t using something in one of the hyperscalers.”
The only word of warning Cockburn offers is the reminder that when it comes to issues such as governance and compliance, the cloud is not a magic bullet and doesn’t solve everything.
“There is still a lot of work that you have to do,” he says. “We’re going to carve away all of the processes and all of the tech from here. You don’t have to think about that anymore. You get the piece of paper from the cloud provider. But everything above that and all your processes related to that are still your responsibility. So the cloud isn’t going to make that problem go away. You are still going to have some work to do. It’s just a lot less and a lot easier.”
The more tools provided by the cloud partner that are used, the easier it is. Cockburn mentions options like AWS’s Security Hub and Azure’s Sentinel, which can provide a posture of the user’s environment when accessing certification for the necessary standards.
Again, “PCI DSS is a very, very common one that many ISVs will need to be across,” he says.
In real time (or near real time) an organisation will be able to see its posture and what parts need to be fixed. “When it comes to audit time, you can say, ‘This has been running for the last 12 months. Here’s everything that we did to review it, to remediate the issues... It’s not a point in time when you come to that audit position of ‘what do we need to fix?’, then run around and get everything together, because it’s all ready to go,” says Cockburn.
“It’s a little bit of work up front, but the pay-off over many years will be enormous. And the pain when going through the audit for PCI DSS compliance is massively reduced. I’ve seen turnaround times go from months, all the way down to days for an audit,” he concludes.