listen to this article:
Decisions have consequences.
Somewhere in my formative years the decision rule that “you are free to make the choice … but not free to choose the consequences” became lodged in my head. Some choices have inconsequential ramifications (e.g., what flavor of ice cream to buy this week?), while others have life-defining ones (e.g., friends, life partner, career, etc.).
And for all decisions, knowing in advance that there will be consequences provides at least the opportunity to mitigate the consequences you especially want to minimize. If you don’t like the idea of carrying the cost of a vehicle accident, buy insurance. If you want a try a product but have the ability to take it back, look for retailers with generous return policies. If are you unsure on a career choice, enroll in a night class or find a work experience opportunity before signing up to the four-year university degree.
Consequences of Moving to the Cloud: Vendor Lock In
As organizations race to the cloud, many consequences of that decision are beneficial.
Faster time to market for new services? Check.
Less capital tied up in long-term infrastructure? Check.
A full bevy of services to tempt even the most reticent IT director or CIO? Check.
Easy movement between cloud providers, infrastructure options, and encryption methods? Hold on a minute – that’s a different story, and one that too often isn’t read until too late.
The inability to easily move between cloud providers, infrastructure options, and encryption methods, in particular how to manage these effectively, represents new ways of being “locked in” with a vendor, a term that indicates the presence of significant financial, technical, and practical barriers to exiting the situation.
Why Does Vendor Lock–in Happen?
Vendor lock-in happens for a lot of reasons—this usually happens gradually and often before you realize the full extent of what’s happening. For example:
- Your applications are designed to make the most of the native offerings from your cloud vendor – databases, APIs, encryption schemes, and more – to drive efficiency, optimization, and ease of delivery. Boom – your applications are locked in.
- Your data is migrated to the new cloud provider’s platform, reformatted to support their databases, data lakes and data warehouses, and encrypted to prevent unauthorized disclosure. New data is created in place, stored in place, and protected in place. Boom – your data is locked in.
- Your IT people become familiar with using the tooling, consoles, and implementation processes of a particular cloud vendor. They get the certifications of proficiency, competency, and excellence. They attend the vendor conferences and get speaking gigs talking about the success your organization has enjoyed with the vendor’s offerings. Boom – your IT people are locked in.
- Your applications are extended with new emerging offerings from your cloud provider – the machine learning models, the artificial intelligence rhythms, the cloud graph connections. Boom – your future is locked in too.
How easy is it to move to a brand-new cloud vendor – in principle or because you absolutely have to – when your applications, data, people, and future are locked to a given provider? Not very easy at all.
When to Avoid Vendor Lock-In
There are many situations when avoiding vendor lock-in is conceptually important or financially beneficial. At other times, it is much more than that.
Avoiding vendor lock-in is essential when vendors themselves face problems such as regulatory probes, a cyberattack or ransomware incident that cripples operational capability, or bankruptcy and cessation of business operations. These vendor risks can prevent applications and workloads from running, and when lock-in is designed in, the exit costs are high and the timeframes uncertain.
How Do We Mitigate the Risks of Vendor Lock-In?
Organizations can mitigate the risks of vendor lock-in by designing out as many of the risks as possible. For example:
- Start with a multi-cloud strategy from the get-go, setting the expectation internally with decision-makers and IT staff that leveraging the best of what’s available across providers is the strategy of choice in order to avoid the worst risks of vendor lock-in.
- Use virtualization and container technologies for your applications, so they can be moved between cloud providers.
- Embrace virtualization of cryptography so encryption keys are stored invirtual Hardware Security Modules (HSMs)rather than physical ones tied to specific infrastructure providers. Virtualized cryptography simplifies movement between cloud environments, offers unified key management across all applications and infrastructure options, and unifies policy approaches across the organization for encryption algorithms, key lengths, rotation frequency, and allowed usage.
When lock-in has been designed out by using virtualized approaches, switching to alternate providers in a multi-cloud environment is a seamless process.
Waiting until lock-in impacts your enterprise is a poor time to reconsider your infrastructure. What you should be asking yourself is what can you do today to begin a well thought out and strategic journey?