Selecting a "best-fit" cloud solution for a business

The multitude of benefits that a business can reap from the correct implementation of cloud services has been well publicised and, accordingly, many businesses are deciding either to move their business operations in their entirety to cloud platforms (some major South African banks have already commenced with this process) or at least to test the waters by moving aspects of their operations to cloud platforms. When a business first considers implementing a cloud solution, the first consideration should be the "best-fit" cloud solution for the business in question. With the various cloud service options offering businesses a number of ways to structure their cloud solution usage, it is important to understand the benefits and pitfalls of each solution in order to settle on the one that makes the best sense for a business' requirements.

Service Models

The delivery of computing services (whether servers, storage, hardware, software or networking) over the internet through cloud services means that a variety of service models are available to businesses that are considering implementing a cloud solution. In this regard, various cloud service offerings are available at the infrastructure, platform and application levels of a business' technology stack. At the infrastructure level, a business may choose to implement a cloud solution that provides only the physical hosting infrastructure that stores data. At this level, the business will not have control of the infrastructure but would manage any software applications and development platforms which rely on such infrastructure. At the platform level, the cloud solution provides a business with development, management and software delivery applications. At this level, the business has access to pre-built development tools which are not available at the infrastructure level. At the application level, the cloud solution allows a business to access cloud-based software through the internet. These are typically "as-is" front-facing applications such as email access and word processing. At this level, a business will not have to worry about the underlying platform or infrastructure through which the application is provided, as it only has access to the customer-facing applications.

The level at which a business adopts a cloud solution (i.e. infrastructure, platform and/or application software) will depend entirely on the context in which the business intends to put such solution to use. In some instances, a business merely wants to save costs on the purchase and management of data storage infrastructure and may be content to manage the overlaying platforms and applications. In this instance, an infrastructure as a service (IaaS) cloud solution may be appropriate. At other times, a business that operates in a high-development environment, but does not want the hassle of developing its own development platform or managing the related infrastructure, may opt for a platform as a service (PaaS) cloud offering. Finally, a business may want ready-to-use applications without needing to have any insight into the underlying platform or storage arrangements and would in such instances elect to use an application software as a service (SaaS) cloud solution. The extent of implementation of a cloud service model must be considered carefully with regard to the requirements of the business, the costs associated and the model that would offer the most benefits to the business.

Private cloud, public cloud, hybrid cloud or community cloud

Cloud service offerings are also distinguishable by the manner of their deployment. Importantly, the type of cloud solution deployed would provide a business with a different user experience in each case.

Private cloud offers businesses the ability to deploy a cloud solution which is accessible by a single organisation only and may be hosted internally or externally. While this deployment model is generally more costly, it is seen as better addressing privacy and security concerns.

Public cloud, on the other hand, is just that: a cloud solution which is accessible by the greater public in the form of, for example, email and picture storage services available online. Public cloud is typically deployed in relation to non-business critical tasks such as file sharing.

Hybrid cloud is a combination of public and private cloud. This deployment model is most effective in instances where businesses have certain information which they may not want (or may not legally be able) to store on public cloud platforms. For example, in some industries (such as healthcare or the financial services industry), security controls expected in relation to personal information are more stringent and a business may decide to manage such data on a private cloud platform. The benefit of having access to public cloud in this instance is that it can be used to supplement capacity in peak periods. Consumption on public cloud platforms is often adaptable, which allows users to leverage public cloud for short periods of time.

Another instance of cloud deployment is community cloud. This would normally be deployed between businesses with a shared interest who may need the ability to provide each other with access to similar information quickly. An example of this is the financial services industry wherein various institutions would need access to the same credit information of a customer.

Data security and privacy

The nature of cloud services (i.e. their provision over the internet) means that a cloud service provider (CSP) does not need to be located near the physical location of a business that uses the services of such CSP. As such, another preliminary consideration for a business when selecting a cloud solution and the relevant CSP is data privacy and data security. The importance of taking all reasonable measures regarding the safety and security of cloud services has recently been in the spotlight in the form of fines proposed by the UK's Information Commissioner's Office ("ICO") in relation to the failure of some businesses to observe sufficient security controls in relation to customer data. This can be seen in the ICO's proposed fines of £183 million and £99 million on British Airways and Marriott respectively, relating to breaches of the General Data Protection Regulation (2016/679) (GDPR). Importantly, the GDPR has extra-territorial reach and could apply to a business that is not located within the EU, but which processes personal information in the context of its activities (whether as a controller or a processor) in the EU, regardless of whether the processing takes place in the EU or not. Businesses operating within South Africa must also take note of the Protection of Personal Information Act (POPI) which will, once fully operational, regulate the processing of personal information in South Africa. Importantly, contravention of or non-compliance with POPI can result in civil and/or criminal liability with fines of up to ZAR 10 million or imprisonment for a period not exceeding 10 years.

Notably, while POPI is not yet fully operational, the office of the Information Regulator (mandated to oversee implementation and observance of POPI) has recently announced the appointment of both a CEO and CFO. The Information Regulator has also indicated that it may join legal proceedings where privacy laws and data breaches are implicated. These are all signs that the office is well on its way to becoming fully operational and this may be an indication that the announcement of the commencement date of POPI may be made sooner rather than later. It is therefore advisable that businesses take steps towards compliance with POPI.

Businesses should note the important distinction between data privacy and data security and the considerations which apply to each. Data privacy speaks to the categorisation of different data and the level of sensitivity attached to such data (e.g. special personal information and non-personal information will not be classified as equally sensitive). Data security, on the other hand, requires a company to consider the access controls that a CSP provides in relation to its data. Accordingly, the level of security required will be informed by the categorisation of such data. When looking at a deployment model, data residency should also be a primary concern: in certain jurisdictions, governments can request access to a business' data and the CSP would be obliged to provide same.