False Sense of Security from Vendor

There’s been an interesting trend lately in several different sales calls where you’re walking through the software capabilities, listing out the different goals you have for the project, etc.  The customer (be they internal or external) eventually gets around to infrastructure and how you’ve architected the solution.

Now, if it’s on-premises, this leads to a lengthy discussion (why is it that every customer assumes they’ll overwhelm your infrastructure if it’s on-premises?) about how you have things set up, versions, backups, recovery plans, all of that.  Great discussion, valid questions, even if founded in a lot of ignorance of the load their requirements may or may not place on your systems.  These are important discussions though.  Security.  Access controls.  Data protection.  Data policies.  All of that, very important.

Or, you can often just say “we host in the cloud!”  As soon as you mention Azure or AWS or whatever – if the customer knows that provider, the discussion is over.  Because, of course, hosting in the cloud means that you’re automagically covered and things will always work and are always up and running and always recoverable.  It’s just magical!  Potential customers stop short here and stop with the questions, probably 9 times out of 10 in my own experience.  And, in talking with others, they have very similar experiences.

I’m here to tell you – if you’re that customer, see paragraph 2 above.  One of the interesting questions you can ask is what the process of moving from on-premises applications to cloud-based applications (assuming they did) was like.  Ask what changed, and why.  You’ll know in a heartbeat what the likelihood is of that solution being what it needs to be.

You SHOULD hear things like splitting applications into functional pieces and applying the best services to different aspects of the project.  You should hear about things like remapping and testing the recovery process and knowing how to bring things back to life under the new architecture.  Talk about things like how to recover instances, whether they’re databases or websites or email services or AI bot services or CDNs or whatever – what happens if the unthinkable happens, and have those processes been tested?

Of course there isn’t a single list of questions you can make sure you ask, but don’t fall for the false sense of security when someone mentions they host in the cloud.

This isn’t a bash against cloud providers – not in the least.  It’s a reality check on the people deploying the cloud, to make sure they’ve taken the time to figure out where the NEW pieces go, how things work together and how that changes (or doesn’t change) the administration and management of the application environment.

I always twitch a little when someone says “we just set up VMs and copied our stuff up.  Really it’s the same as here in our location, but now we don’t have to manage servers.”  I’ve been through that exact situation.  I’ve seen what that can do to your environment, but more importantly, what it DOESN’T do for your environment.  It’s a hard lesson to learn, but taking “we host in the cloud” as the be-all and end-all validation of infrastructure is a huge mistake.