The hidden risks that cloud platforms do not solve
Large providers guarantee performance, but there is less room for effective 'It due diligence'. And the issue of data sovereignty remains
3' min read
Key points
3' min read
In the search for the 'perfect' balance to manage IT workloads, between migrating to the cloud on the one hand and maintaining on-premise infrastructures on the other, it is not uncommon for Chief Information Officers to be faced with unexpected surprises. Indeed, many companies tend to move towards the more structured and widespread cloud platforms such as AWS (Amazon Web Services), Microsoft Azure and Google Cloud Platform, pursuing an entirely understandable choice for reasons of reliability and performance (and in some respects also cost) and to ensure agility, resilience and innovation for their business. But there is a flip side to the coin, one that conceals pitfalls that are often underestimated and that require It managers to think carefully about risk governance.
How security levels are verified
.The most important problem, according to various experts, is structural: the adoption of standardised platforms reduces the space for truly effective 'IT due diligence'. With rare exceptions that concern large organisations, the verification of the levels of security, compliance and business continuity of cloud environments stops at basic reporting (such as compliance with the Gdpr regulation for data privacy) that is only temporarily valid. The picture becomes even more complicated with the adoption of multi-cloud or hybrid architectures, where the combination of software, infrastructure and application services (SaaS, IaaS and PaaS) multiplies the points of contact and vulnerability with external providers. So where does the risk lie? In the fact that corporate IT teams invest considerable resources to configure and customise cloud environments calibrated to specific operational and regulatory requirements, but this effort can be thwarted by changes applied globally by providers that overwrite (for their own optimisation needs) the settings created by the user company.
How is data sovereignty protected?
A second important topic, as topical as ever with respect to the geopolitical turmoil of recent weeks, is data sovereignty. In this sense, a recent proposal launched by the US Department of Commerce, which aims to prohibit the training of artificial intelligence models by Chinese companies in domestic cloud environments, gives food for thought. The global interconnections between companies and suppliers, however, make it difficult to draw the boundaries of responsibility and it is therefore also necessary to consider the 'fourth level risk': not only direct suppliers, but also partners of partners might violate international standards.
Transparency and Accountability Factors
.Not least, CI and IT managers have to reckon with the transparency and accountability components of the cloud (many platforms only offer access to logs of activities performed in the cloud for a fee) and that of effective scalability. The certainty that, when needed, the cloud will become a safe home for one's data and offer additional processing capacity indefinitely has already been shattered by catastrophic events such as the attacks on the Twin Towers in 2001 or the Covid-19 pandemic. The reality, as confirmed by several analysts, is that resources are not enough for everyone. What is needed, in other words, is a selective approach to scalability, and only in the presence of a careful contingency plan to ensure priority operation of essential services without which the company cannot operate, can the cloud be a truly sustainable response in extraordinary situations. And it is not so advisable, in order to ensure greater resilience and the ability to migrate abruptly to the cloud, to have an (albeit careful) strategy of supplier diversification, because it is precisely excessive fragmentation that introduces complexity, and complexity, as Gartner analysts point out, is not a friend to IT security. Instead of multiplying the environments in which to distribute one's information and applications, it is much more effective to take advantage of the availability offered by a single provider.
There is, in the final analysis, also an obstacle of a cultural nature, and it reflects the resistance to the automation of security management processes on the part of some Cio: at McKinsey they consider it one of the causes slowing down the grounding of the economic and operational benefits promised by computing in the cloud. The fact remains, and it is a point on which everyone converges, that the cloud is no longer an option: whether infrastructure, platforms or applications, this 'technology' is now an integral part of every business process and the real question is not whether to adopt it, but how to do so with vision and awareness.

