Cloud Repatriation and SIEM/Log Management
Over the past few years, a notable shift from cloud-based infrastructures back to on-premises systems has been observed [1,2,3,4,5,6,7,8,9,10,11,12]. This trend, often referred to as “cloud repatriation,” is influenced by various factors including cost, control, security, and compliance issues.
Focusing on SIEM (Security Information and Event Management) and log management, consider the following issues:
- Data Ownership and Control: When logs are hosted on-premises, companies retain full ownership and control, critical for meeting stringent regulatory requirements. This control is often reduced when data is stored in the cloud, potentially leading to issues with data sovereignty and privacy.
- Access and Retrieval Uncertainties: With cloud services, retrieving logs at the end of a service period can be problematic. There is often uncertainty about whether logs can be retrieved and in what format they will be available, complicating compliance audits and operational continuity.
- Cost Implications: Utilizing cloud-based SIEM services involves ongoing costs, which can increase based on data volume and usage. By migrating back to on-premises, organizations might reduce costs associated with data storage and processing, especially when dealing with large volumes of logs required for long-term storage and compliance.
Considerations Before Using Cloud SIEM and Log Management Solutions:
- If you send your logs out of your company, they no longer belong to you.
- Once the service ends, it is uncertain whether you can retrieve your logs and in what format. For example, if you retrieve them in CSV, text, or object format, can you use them for searching, scanning, and reporting?
Questions to ponder:
- Will the company providing the SIEM service in the cloud continue to store these logs at no or low cost for another two to seven years (according to your compliance, audit, or incident response policy)? If not, will they deliver the logs to you? How?
- Assuming you received this service for 10,000 EPS, a two-year archive would generate terabytes of logs. How would this be transferred?
- Suppose it was transferred. Could you use these transferred logs without the SIEM software in the cloud?
- If you received these logs in a zipped text format or an object storage format, is there a system that can open terabytes of files and search within them?
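One way to test the last two questions on a sample export before the service ends, as an added example that is not part of the original article. It assumes the provider returns gzip-compressed, newline-delimited JSON with an ISO 8601 `timestamp` field; the function names, file name and sample events are constructed for illustration.

```python
import gzip
import json
import os
from datetime import datetime


def build_sample(directory):
    """Write a small constructed export file (one record deliberately truncated)."""
    lines = [
        json.dumps({"timestamp": "2024-01-01T00:00:00+00:00", "src": "10.0.0.5", "action": "login_ok"}),
        json.dumps({"timestamp": "2024-01-01T00:00:05+00:00", "src": "10.0.0.7", "action": "login_fail"}),
        '{"timestamp": "2024-01-01T00:00:09+00:00", "src": "10.0.0.5"',  # cut off mid-record
        json.dumps({"timestamp": "2024-01-01T00:01:00+00:00", "src": "10.0.0.9", "action": "logout"}),
    ]
    path = os.path.join(directory, "export-0001.json.gz")
    with gzip.open(path, "wt", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


def scan_export(paths, needle, ts_field="timestamp"):
    """Stream each archive line by line (never loading a whole file into memory),
    counting usable events, unparseable records, the covered time range and matches."""
    stats = {"events": 0, "unparsed": 0, "first": None, "last": None, "hits": []}
    for path in paths:
        with gzip.open(path, "rt", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if not line.strip():
                    continue
                try:
                    ts = datetime.fromisoformat(json.loads(line)[ts_field])
                except (ValueError, KeyError, TypeError):
                    stats["unparsed"] += 1  # broken JSON, missing or bad timestamp
                    continue
                stats["events"] += 1
                if stats["first"] is None or ts < stats["first"]:
                    stats["first"] = ts
                if stats["last"] is None or ts > stats["last"]:
                    stats["last"] = ts
                if needle in line:
                    stats["hits"].append((path, lineno))
    return stats


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(scan_export([build_sample(tmp)], "10.0.0.7"))
```

A high `unparsed` count, or a time range shorter than the retention period you are required to keep, is visible here while the original platform is still available to compare against.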
In conclusion, organizations must carefully assess their unique needs and ensure they possess the necessary infrastructure and expertise to effectively utilize cloud-based SIEM/Log Management systems. 42% of organizations surveyed in the US are considering moving, or have already moved, at least half of their cloud-based workloads back to on-premises infrastructures [16].
References
- [1] https://www.i3d.net/reverse-cloud-migration-why-companies-move-away-from-cloud/
- [2] https://www.sangfor.com/blog/cloud-and-infrastructure/what-cloud-repatriation
- [3] https://dignitas.digital/blog/reverse-cloud-migration/
- [4] https://www.republicworld.com/business/industry/why-companies-are-reversing-cloud-migration/?amp=1
- [5] https://www.appdynamics.com/blog/cloud/cloud-repatriation-whats-behind-the-return-to-on-premises/
- [6] https://securityboulevard.com/2023/08/cloud-repatriation-the-unforeseen-reversal-in-cloud-computing-trends/
- [7] https://www.splunk.com/en_us/blog/learn/cloud-repatriation.html
- [8] https://www.forbes.com/sites/peterbendorsamuel/2021/08/10/why-is-cloud-migration-reversing-from-public-to-on-premises-private-clouds
- [9] https://www.swissvault.global/2023/06/21/the-looming-backlash-against-the-data-storage-industry
- [10] https://www.datacenterdynamics.com/en/opinions/bringing-the-cloud-back-on-premise-improving-security-and-reducing-costs/
- [11] https://www.infoworld.com/article/3712861/why-companies-are-leaving-the-cloud.html
- [12] https://itbrief.com.au/story/why-companies-are-bringing-workloads-back-on-premise
- [13] https://faddom.com/why-many-companies-are-leaving-the-cloud/
- [14] https://drertugrulakbas.medium.com/soc-bulutta-siem-veya-y%C3%B6netilen-siem-hizmetlerinde-madalyonun-%C3%B6teki-y%C3%BCz%C3%BC-98dae87154fd
- [15] https://drertugrulakbas.medium.com/bulut-ve-loglar-b267a8bbf814
- [16] https://www.helpnetsecurity.com/2024/02/22/cloud-repatriation-projects-reasons/