Cloud or On-Premise? When Would The Question End?
By Kevin Soh, CIO and Director, e-Strategies, BH Global Corporation
The same old question of “Cloud or On-Premise?” has been asked countless times in the industry. Correspondingly, massive number of opinions has also been shared in papers and conferences. Collectively, there seems to be a “mega-trend” or “mega-advocation” that cloud is certainly the way to go. Most of the time such claim sounds merely like a fashion statement. It is at best a seemingly sensible advice promoted by a cloud service provider, and at worst, a misconception that business owners may just be “mis-educated” and misled.
In my opinion, the answer is simply “it depends on the use case”, or the nature of the business involved. There is no blanket framework that fits all businesses. With that, I would like to share the thought via a few simple considerations as follows.
“Let’s focus on our core business and let the professional handle the IT”
On the surface, this common statement sounds perfectly sensible. On deeper considerations, it might be too simplistic. Firstly, letting professional handle IT does not necessarily mean cloudification. Secondly, not all systems are the best candidates for migrating to the cloud. Some of which include systems that work on non-standard, proprietary platforms, applications or processes that are subject to statutory or group policies to be on-premise, systems that are latency sensitive, enterprises which are weak in network connectivity due to location or competency.
“Our applications are now more secured having them managed by the professionals”
I am not sure when would “cloud security” stop being an oxymoron, judging from the ongoing high profile compromised incidents in especially strongly branded cloud platforms and services.
Yes, the professionals certainly have much deeper security know-hows, however, to have the belief that they could certainly offer better security than on-premise may not be always right. I am not advocating that on-premise is more secured, but more of addressing the misconception that the cloud service platform is always more secured than the in-house, on-premise implementation. At the end of the day, the security posture still depends very much on the fundamental of now People, Process and Technology are managed and operationalized.
“We will achieve high availability riding on the resilient framework of the professionals”
Availability of services depends not just on the backend platform of cloud services. It too depends on the conduits and many other factors that make service accessibility possible. Unfortunately, not all these factors are directly under the control of the service providers. When I was evaluating ERP platforms for our group company a couple of years ago, a well-known cloud based ERP service provider cited that it has more than three DR sites in the U.S. Unfortunately, we are residing in Asia, and the availability depends so much on the cross continent connectivity. If we recall the 2018 sub-marine cable failure, even internet surfing was not possible in Asia during the outage. When the concern was raised, the vendor was brushing such risk aside, and explain matter-of-factly that when such outage happens, all else will be down anyway. Why such worry? They did not get our business eventually no just due to the unforthcoming attitude, but the fact that if our cloud-based ERP is down due to cross-continent connectivity, as CIO is may not even be able to answer to my board why the next doors’ ERP are still running? I reckon that no CIO would like to be put in such light.
“Let the professionals handle our security”
Yes, that is a no-brainer statement that can’t be more right. Only thing is I am not sure when would “cloud security” cease to be an oxymoron. If we look around, the landscape is not short of serious breaches and incidents surrounding high profile cloud service providers. The results simply tell it all.
In summary, I am not debunking the virtue and benefit of cloud based services. My view is that a thorough gap-fit analysis needs to be done prior to any decision to migrate to cloud. The analysis should consider the People (culture), Process (compliances) and Technology (readiness) aspects of the systems involved. Cloudification does not offer us a silver bullet to all ITOps and SecOps issues. Just like any tools, it would bring tremendous benefits only after a thorough due diligence has been done, and a good management structure is in place to oversight the migration and ongoing operations after which.