Cloud vs Onsite – a few things to consider if you’re a Public Sector organisation
The recently-launched YPO Data Centres, Maintenance Cloud Hosting and Security 944 Framework aims at putting top-notch IT services within easy reach of public-sector organisations.
Many organisations still feel that having their own, dedicated, onsite equipment is the best solution, yet the shift towards Cloud services is getting increasingly stronger. This raises the obvious questions: Is Cloud the right move for you? And, if yes, how to pick the right services?
So firstly, Yes or No?
Cloud can cost as much as 40% less than the physical-server equivalent, but that figure only holds once you count the full cost of running your own kit (set out below) and size the cloud service to what you actually use.
When it comes to cost, the first question you should probably ask is: Is the service a pay-as-you-go, or will you be locked in a contract for a long period of time? PAYG (or a 30-day rolling contract from Venom IT) has the advantage of easy scalability, while contract represents a fixed cost making budgeting easier. Ultimately, you need to ask: “What’s best for the business?”
Remember that PAYG could be seen as a fixed cost as long as you don’t make any changes or upgrades, which means budgeting isn’t really that much of an issue, so perhaps consider PAYG as an option. Some Cloud providers use very sneaky tactics to try and indefinitely lock you in – such as resetting the 3-year contract duration each time a new user is added or removed. A PAYG service, however, gives you the flexibility to add or remove users as they join or leave the organisation, and you only pay for the actual usage (caveat: make sure this is in your SLA or contract. Venom IT offers this as standard).
One way of looking at costing is to add up all the expenses of your IT infrastructure and then divide that by the life expectancy of the infrastructure. Because different machines have different life cycles, you're probably better off breaking this down into smaller chunks, e.g. 'Desktops', 'Servers', 'Firewalls' etc., each amortised over its own replacement cycle.
Remember to consider staffing when doing this exercise. With virtual cloud-hosted servers the hardware, hypervisor and data-centre upkeep are the provider's problem; support and maintenance of your own servers is your problem and requires a higher level of technician or engineer to look after them. Do check where the line sits in the contract, though: with a plain infrastructure service, patching and securing the guest operating system usually remains your responsibility.
Other prorated items to add to your costing are UPS, electricity consumption, fire protection, air conditioning for the server room, floor space occupied by the server room, and licensing costs, to name the most obvious ones. Having your own servers generally costs more than most people realise.
Let's take servers as an example. When expressed as a monthly figure, the total cost of owning, managing and maintaining your own fleet of physical servers, divided by its life expectancy, is often quite a bit more than renting virtual cloud-hosted servers. The cost benefit of cloud services hinges on economies of scale.
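As an added illustration of the costing method above (this is not part of the original article, and the figures are constructed placeholders rather than Venom IT's or YPO's numbers), the Python below amortises each asset class over its own replacement cycle, prorates the shared server-room overheads and staff time by power draw, and sets the monthly result against constructed cloud quotes. The asset classes, prices, lifespans and cloud quotes are all assumptions chosen to keep the arithmetic readable.

```python
"""Amortised on-site TCO vs cloud rental, per asset class (constructed figures)."""
from dataclasses import dataclass

HOURS_PER_MONTH = 24 * 365 / 12  # 730


@dataclass
class Asset:
    """One asset class, e.g. 'Servers', with its own replacement cycle."""
    name: str
    capex: float              # purchase price, GBP
    lifespan_years: float     # how long before it must be replaced
    annual_licensing: float   # OS/application licences, GBP per year
    annual_support: float     # maintenance contracts and spares, GBP per year
    power_kw: float           # average draw; zero for kit outside the server room


@dataclass
class ServerRoomOverheads:
    """Costs that exist only because you run your own server room."""
    electricity_gbp_per_kwh: float
    cooling_overhead: float   # extra kWh of cooling per kWh of IT load (PUE minus 1)
    room_annual: float        # floor space, UPS upkeep, fire suppression, aircon servicing
    staff_annual: float       # engineer time attributable to the on-site estate


def amortised_capex_monthly(asset: Asset) -> float:
    """Purchase price spread evenly over the asset's replacement cycle."""
    return asset.capex / (asset.lifespan_years * 12)


def asset_monthly_cost(asset, overheads, room_share):
    """Monthly cost of one asset class including its prorated share of overheads.

    room_share is the fraction (0..1) of room and staff overhead this class carries.
    """
    recurring = (asset.annual_licensing + asset.annual_support) / 12
    kwh = asset.power_kw * HOURS_PER_MONTH * (1 + overheads.cooling_overhead)
    energy = kwh * overheads.electricity_gbp_per_kwh
    room = (overheads.room_annual + overheads.staff_annual) / 12 * room_share
    return amortised_capex_monthly(asset) + recurring + energy + room


def onsite_monthly_by_class(assets, overheads):
    """Monthly cost per asset class. Room and staff overhead is shared in proportion
    to power draw (a reasonable proxy for rack footprint); kit with zero draw,
    such as desktops, carries none of it."""
    total_kw = sum(a.power_kw for a in assets)
    return {
        a.name: asset_monthly_cost(a, overheads, a.power_kw / total_kw if total_kw else 0.0)
        for a in assets
    }


def compare(onsite, cloud):
    """Side-by-side monthly totals. The cloud quote must already include the items
    you still pay for after migrating: backup, support tier, data egress, licences."""
    onsite_total = sum(onsite.values())
    cloud_total = sum(cloud.values())
    return {
        "onsite_total": onsite_total,
        "cloud_total": cloud_total,
        "saving_fraction": (onsite_total - cloud_total) / onsite_total,
        "per_class": {k: onsite[k] - cloud.get(k, 0.0) for k in onsite},
    }


# Constructed sample estate (placeholder numbers, not a real quotation).
SAMPLE_ASSETS = [
    Asset("Servers", capex=24_000, lifespan_years=5, annual_licensing=2_400,
          annual_support=1_200, power_kw=2.0),
    Asset("Firewalls", capex=9_000, lifespan_years=3, annual_licensing=1_800,
          annual_support=0, power_kw=0.5),
    Asset("Desktops", capex=30_000, lifespan_years=4, annual_licensing=3_600,
          annual_support=0, power_kw=0.0),
]
SAMPLE_OVERHEADS = ServerRoomOverheads(
    electricity_gbp_per_kwh=0.20, cooling_overhead=0.5,
    room_annual=6_000, staff_annual=12_000)
# Constructed monthly cloud quotes for the equivalent service.
SAMPLE_CLOUD = {"Servers": 1_500.0, "Firewalls": 400.0, "Desktops": 700.0}


def sample_comparison():
    return compare(onsite_monthly_by_class(SAMPLE_ASSETS, SAMPLE_OVERHEADS), SAMPLE_CLOUD)


if __name__ == "__main__":
    result = sample_comparison()
    for name, diff in result["per_class"].items():
        print(f"{name:10s} on-site minus cloud: {diff:9.2f} GBP/month")
    print(f"saving: {result['saving_fraction']:.0%}")
```

The point of separating the classes is visible in the output: the desktops, which sit outside the server room, barely change between the two columns, while the servers and firewalls carry almost all of the room, power and staff overhead. Replace the placeholder figures with your own invoices and the provider's actual quotation before drawing any conclusion.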
Another factor to consider is whether the cloud offering is aimed at consumers or at businesses. Consumer-aimed cloud services often have very limited functionality but cost less, making them the shiny apple for smaller organisations. Business-grade cloud services, however, typically offer more flexibility, easy expansion, better security and full support.
An example of this is Office 365 (now Microsoft 365) mail vs. Hosted Exchange. The former (supplied directly by Microsoft, albeit via resellers) seems cheaper at a glance, but once you add support, third-party backup and archiving (native backup is not part of the service and archiving depends on the licence tier, and as a Public Sector organisation you definitely need both) you'll quickly discover that hosted Exchange (provided by Microsoft partners such as Venom IT) will probably serve you better and cost the same or less.
Think long-term when making this decision and make sure you’ll have the right functionality at the end of the day.
The two middle letters of GDPR stand for Data Protection. Ultimately, that is what it's all about: keeping data safe, in particular the Personal Data of your clients and the sensitive data of your organisation. Most organisations can't afford, for example, to invest in high-end firewalls (which cost in the region of £50,000-£80,000 each), but using a Cloud provider who has such equipment means your organisation can reap the benefit without having to pay the full cost. Bear in mind that the provider's perimeter protects the provider's platform; who can log in to your tenant, and with what rights, remains your responsibility.
Also check the credentials of the cloud provider:
- Do they have ISO 27001?
- Do they have multiple data centres? If one data centre (DC) goes down, there should be a second 'fail-over' site located in a completely different geographic area, and the provider should be able to show you when the failover was last tested.
- What Tier rating does the DC have? The Uptime Institute Tiers describe redundancy and expected availability rather than security: Tier 4 (fully fault-tolerant) is currently the highest, but most Tier 4 DCs are dedicated to military, governmental or banking operations. Tier 3 (concurrently maintainable) is very close to Tier 4 in practice, making it an attractive and more cost-effective choice. Venom IT's 2 main data centres are Tier 3. Our passive backup DC is Tier 2, which is perfect for standby/backup.
- Is there proper physical security at the data centres? Older public-sector tenders used the HMG Impact Levels (IL3 or IL4) as the shorthand for this; those levels were withdrawn with the 2014 Government Security Classifications, so ask instead for the specific controls in place (access control, CCTV, visitor logging, cage or rack locks) and check that the site is inside the scope of the provider's ISO 27001 certificate.
- Do the data centres have proper UPS systems in case of protracted power failures? What about fire suppression technology?
- What is encrypted, and how? Ask for the algorithms rather than a single "bit count", because key lengths for different algorithms are not comparable: AES-256 (a symmetric cipher, used for data at rest and in transit) is stronger than RSA-2048 (an asymmetric key, used for TLS handshakes and key exchange) even though 256 is the smaller number. A sensible baseline is AES-256 for storage and backups, TLS 1.2 or later for transport, RSA-2048 or ECDSA P-256 certificates, and a clear answer on who holds the keys.
In creating the framework, YPO has taken a lot of the guesswork out of this – all the suppliers on the framework have been checked for certain minimum requirements, but it’s still good to understand exactly what makes Cloud so much more secure than conventional, on-site solutions.
GDPR requires "appropriate technical and organisational measures" chosen with regard to "the state of the art", not just policies, procedures and paperwork (Article 32; Recitals 78 & 83).
GDPR is not the only regulatory compliance to consider; there are various industry-specific compliance regulations as well. There is increasing pressure on organisations to be Cyber Essentials certified, and the PECR and DPA 2018 add further layers of regulatory compliance.
If you are thinking of moving onto the Cloud purely for the sake of GDPR compliance, consider the following:
- Are the cloud data centres ISO 27001 certified? ISO 27001 is not a GDPR requirement in itself, but it is the most widely accepted independent evidence that the technical measures Article 32 asks for actually exist. Check that the certificate's scope covers the data centre and the service you are buying, not just the provider's head office.
- Is the Cloud services provider itself (i.e. their offices) also ISO 27001 certified, and do they follow ISO 27017 (cloud-specific security controls) or ISO 27018 (protection of personal data in public clouds)?
- Is the Cloud provider ISO 9001 certified, for quality assurance and organisational best practice?
- Where are the cloud servers located? Who owns them, and who can access them, including the provider's own staff and any sub-processors?
The GDPR wants to keep everything within the EU or in countries covered by an adequacy decision, such as Canada (commercial organisations), Jersey, Guernsey, the Isle of Man, New Zealand and Switzerland, to name a few. At the time of writing the United States was also considered adequate under the EU-US Privacy Shield, although it had come under scrutiny yet again, among other things over Facebook and WhatsApp being investigated by Belgium, the Netherlands, Germany and Spain for data privacy violations. Privacy Shield was subsequently struck down by the Court of Justice of the EU in July 2020 (the Schrems II judgment), so always check the current adequacy list published by the ICO rather than relying on an older whitelist.
Moving to the Cloud could potentially put everyone on one, unified platform, thereby improving communication and collaboration.
Can your apps run on the Cloud? Most conventional desktop applications can be hosted on a cloud server or virtual desktop, whereas others are already cloud-based. Either way, the data you would normally store on your desktop/laptop still needs to be protected, and the manner in which you access your cloud-based apps needs to be secure. A unified, centrally managed Cloud platform, such as a full Platform-as-a-Service (PaaS) from Venom IT, could well be the answer to that.
Considering the plethora of devices and operating systems out there, and the fact that very often these different systems don't really like talking to each other, moving to the cloud makes sense from a very different perspective: Cloud-hosted desktops, for instance, put everyone on the same platform. This improves manageability, scalability and communication.
Going Digital and Collaboration
Cloud platforms offer various solutions that can help you streamline operations, thereby saving costs. Team discussions are easier across different locations with e.g. Skype for Business (since superseded by Microsoft Teams), emailing yourself important documents is a thing of the past thanks to built-in cloud backups, emailing a colleague a document is also a thing of the past thanks to cloud-based file sharing, and collaborating with your client's bookkeeper/admin person is so much easier for the same reason. Proper data warehousing becomes achievable and managing user access rights also becomes easier.
Making the decision
Prohibitive costs, and the ongoing support and tech skills needed, prevent many organisations from investing in truly high-end IT equipment. Take for example a high-end firewall with email and web sandboxing, like the ones we use in our data centres. It will open emails, check for web links, click on them, check the target website for malicious content, open attachments, check them for links and do the same (click & check) and scan the attachment for viruses. All within 300 milliseconds, at a cost of about £80,000. This type of appliance is simply out of reach for the average smaller organisation, but by moving onto the Cloud, you could potentially have access to such protection, at a fraction of the cost, fully managed and supported.
In the final tally, with Cloud you get:
- Better security.
- Better failover.
- Cheaper on a like-for-like basis.
What’s not to love about Cloud?
How to pick what’s best for you
Cloud services have become much more complicated over the past decade or so. From very basic offerings like backup and remote desktops, Cloud has grown to include just about anything as-a-service – AaaS, BaaS, CaaS, DaaS… pretty much all the way through the alphabet. This could get very confusing, which means that you should probably take one of 3 approaches:
- Make sure your in-house understanding of Cloud vs. on-site is more than adequate
- Hire an external IT consultant with no vested interest in which way your decision falls
- Look for a Cloud services company that has a consultative, client-centric approach
Option 1 means you might have to spend a lot of time researching and staying up-to-date with the latest offerings, whereas option 2 costs extra, for which there might not always be sufficient budget. Option 3, however, usually means you can get expert advice, for free, and pertinent to your organisation.
Suppliers who simply want to sell you their services without opening a dialogue or do any consultation first, are usually working on the assumption that you know what you’re doing, or that you have already engaged with a neutral consultant and already have a ‘shopping list’.
Cloud services suppliers who want to sit down with you first, do a needs analysis and a proper project scope, will often be the ones who will hand-hold you through the entire process, from project inception, through migration, and all the way to the goal post of the service going live. After that, they will most likely also be the ones who are quick to respond if there are any issues, and help with the on-boarding of users who are slower in the adoption cycle.
So, the only question that remains is: When would you like to start?