Maximising security and compliance within a hybrid cloud environment

Essential due diligence for CIOs

Virtually every organisation is now running some form of hybrid cloud model. An estimated 96% of companies are expected to use public cloud services in 2025, typically for SaaS solutions such as Microsoft 365 (Office 365) and Sage Intacct, alongside a mix of legacy on-premise technology and private cloud solutions for core applications, including ERP and finance.

While many CIOs will admit that the current IT infrastructure has been created by chance rather than design, not least due to the pandemic and need to support remote staff, far too many companies have yet to address the significant compliance, security and operational risks associated with unplanned hybrid clouds.

James Bedford, Technical Director at CPiO, highlights the growing recognition that working with a hybrid cloud partner to bring the entire infrastructure together under one umbrella is key to creating a consistent approach to data and security that reduces operational risk and enables future innovation.

Introduction: Reactive cloud adoption has fragmented IT infrastructure

The IT infrastructure in UK businesses has changed beyond recognition over the past decade, with cloud-based applications becoming the standard. In addition to the core business benefits, software vendors have accelerated their cloud-first strategies in recent years, offering easier, frequent upgrades and fast access to innovation.

For the majority of businesses, however, the process has been reactive rather than strategic, leading to a fragmented, piecemeal IT environment. The average number of public clouds a business uses to run its operations, driven by the need to support remote staff, rose from 1.3 to 2.2 between 2020 and 2022, an increase of 69%.

Businesses now have multiple vendor relationships, diverse data stores and, in many cases, are not 100% confident in which country the data is located. Critically, they have handed over responsibility to multiple third parties without understanding exactly what they will receive in return.

From security risk to client compliance, fraud to litigation, poorly managed hybrid cloud models are adding significant operational risk and cost. So, what can CIOs do to regain control?

  1. Is the business indemnity insurance still valid?

Moving any data into the cloud, private or public, changes the conditions of the business's cyber indemnity insurance. Most insurers now make cover conditional on a further layer of security being in place for cloud-hosted systems, and a claim can be reduced or declined where that control is missing.

The control insurers most consistently require is Multi-Factor Authentication (MFA). Without it, a company that suffers a breach may find it has no help, no support and, crucially, no financial recompense from its policy.

MFA not only meets the insurer's condition, it also blocks the large majority of credential-based account takeover attacks. However, MFA is not always enabled or enforced by default in cloud services, and the strength of what is offered varies: some providers, such as Sage, offer basic email- or text-message codes as an add-on, which are weaker than an authenticator app or hardware security key and should be treated as a minimum rather than a target. For any organisation operating a hybrid cloud model, the goal is a consistent, enforced approach to MFA across all deployments, and evidence of that enforcement that can be handed to the insurer on request.
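The evidence an insurer asks for is usually a list of accounts without MFA. The following PowerShell is an added example, not code from the article or from CPiO, of how to produce that list for a Microsoft 365 tenant with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Reports module is installed and the signed-in administrator can consent to the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes; the method names matched in the "weak" filter are the ones the registration report returns today and are an assumption to re-check against current Graph documentation.

```powershell
# Added example (not from the original article): audit MFA registration across a
# Microsoft 365 tenant so the result can be shown to an insurer or auditor.
# Assumes Microsoft.Graph.Reports is installed and the caller holds
# AuditLog.Read.All and UserAuthenticationMethod.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# One row per user: UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable,
# MethodsRegistered (e.g. mobilePhone, microsoftAuthenticatorPush, fido2SecurityKey)
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Accounts with no second factor at all: the list an insurer will ask about first.
$noMfa = $details | Where-Object { -not $_.IsMfaRegistered }

# Accounts whose only second factor is SMS, voice or email. Assumption: these method
# names are what the report emits; adjust the pattern if Microsoft renames them.
$strongPattern = 'microsoftAuthenticator|softwareOneTimePasscode|fido2|passKey|windowsHelloForBusiness'
$weakOnly = $details | Where-Object {
    $_.IsMfaRegistered -and
    -not (@($_.MethodsRegistered) -match $strongPattern)
}

# Admins without MFA are the highest-risk subset; surface them separately.
$adminsNoMfa = $noMfa | Where-Object { $_.IsAdmin }

"{0} users, {1} without MFA ({2} admins), {3} with SMS/voice/email only" -f `
    $details.Count, $noMfa.Count, $adminsNoMfa.Count, $weakOnly.Count

# Export the findings as evidence for the insurance questionnaire.
$noMfa + $weakOnly |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ';' } } |
    Export-Csv -Path .\mfa-gaps.csv -NoTypeInformation
```

Run it read-only first; the scopes requested grant no write access. Closing the gaps it finds is a policy decision (a Conditional Access policy requiring MFA for all users, or Security Defaults on smaller tenants), and the same report re-run afterwards is the proof that the policy took effect.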

Creating a consistent approach to security across an entire hybrid cloud infrastructure is becoming increasingly essential. To move away from point solutions and consolidate the security model, we advise investing in the enterprise networking and security capabilities grouped under Secure Access Service Edge (SASE), which can be used to apply one identity-aware access policy across multi-cloud platforms, private cloud and/or on-premise solutions and cloud applications.

Leveraging SASE tools reduces the risks associated with a fragmented infrastructure, while enabling secure, anytime, anywhere access to applications on premise and in the cloud.

  2. Can the business respond to client compliance expectations?

Businesses now need to demonstrate secure data handling and storage processes to ensure clients and prospects can confidently share their own data without fear of security breach or non-compliance with regulatory demands.

These complex compliance documents demand information ranging from the frequency of data audits, the cybersecurity model and the processes used to collect, retain and delete personal data. For a company that has created a piecemeal hybrid cloud infrastructure, answering these in-depth questions can be almost impossible.

‘Where is the data located?’ is a standard question, but if the company is using one or more SaaS solutions in the public cloud, is it possible to answer the question with any confidence?

Most businesses juggle multiple public and private clouds as well as on-premise systems, and so the process of responding is time-consuming and resource-intensive. Yet failure to respond quickly and meet the client's or prospect's expectations will compromise the business relationship and can even lead to the loss of the business altogether.

  3. Is the business ready to respond to litigation?

Understanding data storage, accessibility and security is not just about meeting client or prospect compliance demands. Any business operating a hybrid cloud model should also be asking whether the current set-up meets its own compliance requirements. From the location of backup data to the accessibility of old records or the deleted emails of previous employees, far too many businesses have simply assumed that ‘the cloud’ means data is always there, forever. It isn’t.

This issue is becoming increasingly important with the rise in litigation, especially as a result of companies suffering data breaches. With the adoption of Artificial Intelligence also expected to increase Intellectual Property disputes, companies need to urgently consider their ability to respond. Can the business resurface deleted emails or access archived material to ascertain its legal position? If the data sits in a public cloud and nobody has configured retention or backup, the answer is typically no.

In Microsoft 365, a deleted email that is then purged is only held in the mailbox's Recoverable Items folder for the deleted-item retention window (14 days by default, extendable to a maximum of 30 days). After that it is gone, unless the business has put a retention policy or litigation hold on the mailbox (features of the higher Microsoft 365 licence tiers) or has invested in a separate Microsoft 365-supported backup solution. None of this is part of the standard Service Level Agreement (SLA), which covers availability of the service, not recovery of your data.

Public cloud SLAs include anytime access to current data. They often do not address the issues of data archive and backup, access to historic data or, critically, deleted data. Attempting to recreate and rebuild essential evidence across a hybrid cloud will be, at best, painstaking and, at worst, utterly impossible. The business may be in the right, but without the data, there will be no proof.
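The question "would we still have that email?" can be answered per mailbox rather than assumed. The following PowerShell is an added example, not code from the article or from CPiO, that reports each Exchange Online mailbox's deleted-item retention window and whether any hold overrides it, then shows the two native remediations. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds an Exchange Administrator role, and that litigation hold is licensed for the mailboxes in question (Exchange Online Plan 2 or Exchange Online Archiving); leaver@example.com is a placeholder identity.

```powershell
# Added example (not from the original article): check how long Exchange Online
# keeps purged mail per mailbox and whether a hold preserves it beyond that window.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator role.
Connect-ExchangeOnline -ShowBanner:$false

# RetainDeletedItemsFor : Recoverable Items window (14 days by default, 30 max).
# LitigationHoldEnabled : hold keeps deleted and purged items indefinitely or for
#                         LitigationHoldDuration, regardless of the window above.
# InPlaceHolds          : holds applied by retention or eDiscovery policies.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object UserPrincipalName, RetainDeletedItemsFor, LitigationHoldEnabled,
                  @{ n = 'HoldCount'; e = { @($_.InPlaceHolds).Count } }

# Mailboxes where purged mail is gone after the retention window: no hold of any kind.
$unprotected = $mailboxes | Where-Object {
    -not $_.LitigationHoldEnabled -and $_.HoldCount -eq 0
}

"{0} user mailboxes, {1} with no hold (purged mail lost after the retention window)" -f `
    $mailboxes.Count, $unprotected.Count
$unprotected | Format-Table -AutoSize

# Remediation 1: extend every mailbox's Recoverable Items window to the 30-day maximum
# (the documented Set-Mailbox usage; this is a tenant-wide change, run it deliberately).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetainDeletedItemsFor 30

# Remediation 2: put a litigation hold on a leaver's mailbox so deleted and purged
# mail stays discoverable for seven years (2555 days). Assumption: placeholder identity.
Set-Mailbox -Identity "leaver@example.com" -LitigationHoldEnabled $true -LitigationHoldDuration 2555
```

Holds keep data inside Microsoft 365 and make it searchable through eDiscovery, which is usually what a litigation response needs; a third-party backup protects against the separate risk of the tenant itself being unavailable or compromised. The two are complementary, and neither is applied by default.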

Conclusion: Regaining control over your hybrid cloud technology

As businesses increasingly rely upon the cloud, there is growing recognition of the need to move beyond piecemeal deployments and retain control.

As a result, managed services provider (MSP) usage has increased year over year, with 60% of all organisations now using MSPs in some capacity for managing public cloud.

Working with a single hybrid cloud provider addresses the major challenges created by piecemeal cloud strategies. It removes the need to manage multiple vendor relationships and provides clarity and consistency of data storage and security models.

Hybrid cloud technology is the future and the foundation for essential innovation and competitive differentiation. But current deployments are not meeting operational compliance requirements. It is time to wrestle back control and create a single, managed hybrid cloud solution that delivers a consistent approach to data management and security.


About the Author

James Bedford is Technical Director at CPiO. We help organisations get more from Sage business software. As a Strategic Partner of Sage UK, we are one of the UK’s leading resellers of Sage mid-range software such as Sage Intacct, Sage X3, Sage 200 and Sage CRM. We also offer our hosted services with CPiO Cloud if you are looking to host your Sage software. CPiO is a member of The Waterdale Group of Companies.
