FME Cloud Myths Debunked
Over the years I have had many fantastic conversations with clients on moving their data and workflows up to the cloud. There are however are few misconceptions that I continually run into. Here are the top myths I run into.
The cloud is less secure than our on-premises deployment, so we can’t move our workflows up there.
The general industry consensus is that cloud deployments can easily be made as secure as on-premises deployments, and in many cases, they provide tools to enable you to make things more secure if you wish.
From my perspective, for mid/small size organizations, the cloud provides you with the opportunity to deploy infrastructure with a level of security that could only be dreamed of a few years ago. After all, when you leverage the cloud, you are leveraging the collective knowledge of the thousands of people that work on security for the cloud provider. For example, to get the level of compliance that AWS provides on-premises would be impossible for most organizations.
I find the push-back often comes from larger companies who have established IT policies and even their own data centres. The pushback can often be more political and emotional. Often I think it is a fear of the unknown so I look to educate:
- Share the FME Cloud and FME Server Security whitepapers. We take security extremely seriously at Safe. One of the things that often reassures clients, is the fact we have a CISSP certified professional complete an annual application and network security audit.
- FME Cloud has been built from the ground up to be secure. We take a security by design approach and leverage all of AWS’s impressive security tools to ensure your data is as secure as possible.
- FME Cloud has already been through several security audits and the most common questions that come up are in this FAQ.
Looking beyond FME Cloud, don’t assume all cloud providers are secure, but also don’t assume they aren’t. If they can demonstrate how they are securing their infrastructure and you are happy with what you have seen, there is no reason to believe their offerings are not secure. No matter where your infrastructure, you are only as strong as your weakest link. When using cloud services there is an element of joint responsibility, and as with on-premises, if you turn your back on security and use HelloWorld as your password, you are asking for trouble.
Where is the data hosted and can government organizations access it?
Surprisingly, I have been asked this one quite a lot.
You can launch an instance currently in either the USA, Frankfurt or Sydney. We hope to add Canada later this year when the new data centre opens. Whichever country you launch the instance into, their data laws apply. So if you launch an instance in the Frankfurt data centre then the strict German and EU data privacy laws apply, and in theory, the US-Government cannot access your data. Now I say in theory, as there is some worry that because Amazon are an American company, that American agencies could gain access to your data no matter where it is located. This is the key paragraph on the Amazon website:
Disclosure of customer content: We do not disclose customer content unless we’re required to do so to comply with the law or a valid and binding order of a governmental or regulatory body. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies customers before disclosing customer content so they can seek protection from disclosure.
Obviously, no one knows the true answer to this question, but I am sure if they can gain access, then the server room down the hall from your office will be no problem 😉
I am worried about a loss of control, if something goes wrong how can I guarantee uptime?
On FME Cloud (and almost all other PaaS’) users only have control over the data and application tier. This means that if something goes wrong at a lower level (operating system/hardware), you are at the mercy of Safe to fix it. If the services you are building on top of FME Cloud have their own SLAs, then this is a legitimate worry.
The first point to note is for small/mid-size organizations, many customers were previously responsible for the uptime of their FME Server deployment, so the thought that they can use FME Cloud and push that onus onto us is liberating. They can focus on building workflows and delivering business value, not on managing IT infrastructure.
For larger organizations, where FME Server was deployed and managed by an IT group it can be a harder sell—but it doesn’t have to be. There are several things we have done on FME Cloud to help:
- We have created a very powerful monitoring framework that allow alerts to be configured to highlight abnormal usage patterns, or an issue with the instance (CPU, Disk, Load). Notifications can then be sent via email, Slack, Pagerduty or WebHook. Since 90% of the time you can actually resolve the issue yourself, this provides you with a framework to deliver a very high level of uptime without any input from us.
- If you want a custom SLA, talk to us, we monitor every aspect of our infrastructure and are alerted within seconds if something is not performing. If you want us to react on that within seconds, it can be arranged.
If I move to the cloud, I will have less control over patching the instance and ensuring it isn’t vulnerable.
Patching infrastructure is critical to ensure a stable and secure environment. As such, allowing users to patch FME Cloud instances has been a priority from the beginning. We have a patching process built into FME Cloud that gives users complete control. Rather than running a bash script to apply the patches, you simply click a button.
We also monitor larger security issues such as Heartbleed and may contact you and apply manual patches where necessary.
I am worried about getting my data out of the cloud once I commit to moving it.
Many cloud providers make it easy to get started with services and hard to leave.
This is not the case with FME Cloud. FME Cloud is really just a hosted version of FME Server. Since FME Server can be deployed on-premises, this is not an issue. We have migration tools that make it very easy. Indeed, many clients do their proof of concept on FME Cloud and then deploy the final solution on-premises.
I am worried that our WAN infrastructure will not cope with moving large amounts of data up to the cloud.
If you are moving large amounts of data between an on-premise data source and FME Cloud, then it can take a lot of bandwidth.
If you are planning on moving huge amounts of data often from on-premises up to the cloud for processing then you do need to be ready for this. Your internet connection will likely be the bottleneck. A few points on this:
- Most clients do a one-time bulk upload and then only apply minor updates. You can use AWS Snowball to get large amounts of data up to AWS/FME Cloud without using the internet.
- You don’t have to worry about data transfer costs. You can load as much data into FME Cloud for free, you are only charged for data that leaves the instance.