Tag Archives: compliance

Cloud Adoption Increases Security for SMBs

Small and medium businesses have a lot to gain through adopting cloud computing, recent research from comScore – sponsored by Microsoft – shows.

Not only would these companies benefit from important time and money savings when adopting the cloud, but they also see increased security levels, the aforementioned research shows.

According to the survey, which was conducted among both cloud and non-cloud SMBs in the U.S., India, Hong Kong, Malaysia and Singapore, most businesses that chose to make the move to the cloud consider it a great step in their evolution.

The study shows that SMBs are increasingly confident in the benefits of cloud computing after adoption, and that twenty percent of cloud-using companies spend less on security, while only 4 percent of non-cloud businesses say the same.

Forty-one percent of cloud users considered the service provider entirely responsible for the security of their information, which suggests both a high level of confidence in such services and a need for customers to be educated about their own responsibilities in this area.

Fifty-seven percent of surveyed companies said that they felt that responsibility was shared with their cloud provider.

This also means that companies that offer cloud services have to ensure that their software is constantly updated so that they can meet the latest requirements in terms of security and reliability.

Richard Saunders, director, Trustworthy Computing, explained to Softpedia in a phone briefing that Microsoft is focused on improving the security of their cloud products.

Every second Tuesday, the Redmond-based giant releases security updates to users, a process that also makes security update delivery more predictable and transparent.

Microsoft is one of the main players in the provision of cloud services, with an offering that includes products such as Windows Azure, Windows Intune, Office 365 and Dynamics CRM, available to all customers interested in benefiting from public cloud capabilities.

Moreover, the software giant offers private cloud products as well, including Windows Server, SQL Server, Microsoft Exchange, Lync, SharePoint and the like, all of which are being periodically updated with patches for discovered vulnerabilities and with new features.

Of course, this does not mean that all targeted companies install these updates, for a variety of reasons, including the costs involved and a lack of the expertise needed to adapt the business to these updates.

Other findings of the survey also include:

  • Forty-five percent said it was easier to integrate systems.
  • Thirty-eight percent said they spent less time managing security.
  • Thirty-four percent were more confident in their company’s regulatory compliance.
  • Forty-two percent said the cloud made it easier for them to scale their business to explore new markets.
  • Forty-one percent said they were able to employ more staff in roles that directly benefit sales or growth.
  • Thirty-nine percent said they were able to invest in product development or innovation.
  • Thirty-seven percent felt that they benefited from improved agility and competitiveness.
  • Under the heading of impacts, improved security, agility/competitiveness and better scalability are the benefits perceived by cloud users.

All in all, it seems that cloud computing is indeed helping SMBs become more competitive and enjoy important savings and increased security levels.

However, not all of them consider the cloud reliable. Those who haven’t adopted it yet are worried about transparency and identity security, and say that industry standards for cloud security would help them reconsider their position on the matter.

Non-cloud users are also concerned about security (40 percent) and the cost of transitioning (33 percent) to a new business model, yet the research shows that, in fact, they have nothing to fear in this regard.

However, Richard Saunders also notes that businesses need to make their own decision when it comes to cloud computing, but that they also need to make informed decisions, and that Microsoft is one of the companies focused on ensuring that this indeed happens.

Author: Ionut Arghire
Source

Mobility Is Driving Desktop Virtualization

The demand for desktop virtualization is being driven, at least in part, by the explosive growth in mobile work styles. That’s a key takeaway from a new global market study commissioned by virtual solutions provider Citrix, whose virtualization, networking and cloud solutions are delivered to more than 100 million corporate desktops daily.

The survey found that 55 percent of responding companies will deploy new desktop virtualization for the first time by 2013. Of those surveyed, 86 percent said security was the biggest reason, and that desktop virtualization is a strategic choice for improving security in an age of multiple devices.

Security Joins Savings

The white paper describing the study noted that “familiar advantages of desktop virtualization include the ability to enable a more flexible workplace,” provide support for mobile workers, and effectively manage the variety of devices typically found in an organization. It noted that security now joins savings as a reason in favor of desktop virtualization.

The kinds of security that are driving desktop virtualization include the need for secure access for mobile and user-owned devices, increased security requirements for apps and data, the desire to be able to accommodate an increasingly mobile workforce, and simplified risk management.

Citrix Chief Security Strategist Kurt Roemer said in a statement accompanying the survey that desktop virtualization offers centralized control and management of software devices, as well as “granular, policy-based access control and support for compliance requirements.” With its infrastructure level of information governance, he said, it enhances risk management.

Provisioning, Isolation, Wiping

Other benefits found useful by IT managers in the study include the ability for immediate provisioning of security updates, apps and access, which was identified as a key benefit by 60 percent of respondents. Some 54 percent believed that the instant isolation of a compromised application was a key benefit of desktop virtualization, while 32 percent identified the ability to remotely wipe data from devices.

The survey also found that virtually all respondents — 95 percent of those surveyed — believed that virtualization was effective in protecting information, while still allowing employees the ability to get the information they needed to do their jobs.

For device-related issues, nearly three-quarters of the surveyed IT decision makers see desktop virtualization as a way to immediately update an entire fleet of computers and devices, and 66 percent felt that the ability to deploy applications securely was a critical component in their decision to implement the technology.

The survey was conducted by independent market research firm Vanson Bourne, under a commission from Citrix. The survey covered 1,100 senior IT managers in October in 11 countries, including the U.S., U.K., The Netherlands, Germany and Canada. Three-quarters of those surveyed worked at enterprises of more than 1,000 employees, while the rest were in companies of 500 to 999 employees.

Author: Barry Levine
Source

Cloud Computing In The Contact Center

Companies are looking for cloud solutions that satisfy the requirements of the IT manager in terms of reliability, security and rapid access to data, while still receiving everything they need such as service, flexibility and user-friendliness. By consolidating resources into secure, redundant and hardened data centres, providers of cloud solutions can offer a considerably higher degree of reliability and increased network security than before. Yet many companies are still sceptical about these claims and doubt whether a cloud-based communication solution can be successfully implemented within their organisation.

However, these reservations are unjustified. The advantages of cloud-based solutions for contact centres are significant, and many companies globally are showing greater interest and adoption. So, what are the main advantages of cloud computing?

Lower capital expenditure and lower costs

Cloud-based services save companies the high capital expenditure normally required for a communication platform and its associated applications. Companies no longer have to worry about configuration modifications, system maintenance, security and disaster recovery or software upgrades and updates.

Communication services are transformed into single, predictable cost items summarised on a monthly invoice where only the resources that are actually used are paid for (pay-as-you-go). Large server farms can be reduced or removed, significantly lowering not only cost but also energy consumption.

Rapid adaptation to growth and change

The contact centre infrastructure must quickly adapt to meet business requirements. Additional cloud services can be requested and provided at any time. New users, new sites and new functions are easily added or removed without having to invest in a new on-site system. Cloud services give companies the ability to combine new or additional services with existing on-site solutions for agents.

Keeps up-to-date with innovative technology

Given the rapid pace of technological advance, setting up a contact centre solution is not a one-off exercise. The requirements of customers and agents call for further investments and upgrades in order to keep pace with developments. Cloud-based services allow companies to keep up to date effortlessly with the latest developments. New applications or versions can be used as soon as they are released. Software is automatically updated at no additional cost and the system itself does not require any updates or overhauls.

Cloud computing provides the highest levels of security

Security is a sensitive topic and is still the key factor for many companies in the decision for or against a hosted solution. Built-in software security measures and compliance with current international security standards must undoubtedly form the basis of any such solution. Risk audits must be able to be carried out at any time, so the location of the data centre becomes an important factor. In general, both providers and users of cloud services should treat data security as a sensitive subject.

Availability to customers

The contact centre is important for the success of a business and the subject of availability should be given high priority. Customers want to be able to talk to someone at any time. Poor or limited accessibility is not only bad for business, it usually results in dissatisfied customers. The technology employed by cloud service providers, such as distributed or grid computing, guarantees an extremely high degree of availability.

Self-administration and management

The ability to intervene and make important changes yourself is vital, even for hosted solutions. As there are no devices or software to physically or virtually install or configure, all interactions with the contact centre solution take place in real-time via a web browser, whether it be for agents, supervisors or managers. This enables specialists to carry out and adapt critical and required tasks, such as routing changes or generation of reports and evaluations, as and when required.

Author: Kathryn Penn
Source

10 Vital Steps For Successful Cloud Computing Implementation

Since Cloud computing is a new way of doing business you have to be clear about what you are letting yourself in for. For some, the business benefits of Cloud are many – for others it will be the simple fact that Cloud allows a small business to stop worrying about its IT – something that distracts from its core function of running the business.

Cloud computing differs from conventional outsourcing in that the latter model is still about stand-alone computing — either you take your server and put it in someone else’s data centre or you have a service provider who manages your devices. You will know exactly where your data and servers are and what resources you share with others.

Cloud computing is different – it separates your data from your IT infrastructure, so your data is replicated ‘in the Cloud’, which could be anywhere in a multitude of ‘virtual’ servers. These differences give rise to a new set of security and privacy issues that will have an effect on your risk management practices and have started a re-evaluation of the complex legal issues in areas such as compliance and auditing.

To help with this process, I have put together a checklist of key issues and concerns. When evaluating the different services available, be sure to ask the following questions before you sign any contracts.

And remember – you are on the road to a far better, faster, more efficient, greener and less expensive type of computing, which will free you up from worrying about what’s happening to your ageing IT infrastructure to concentrating on your main task – your business! If you’re planning to maximize the convenience of cloud computing for your business, use this short but important checklist for choosing the right services.

1. Are your applications ready to run in the Cloud?

Are the applications which you use already web-based? Will they benefit from a cloud-based architecture? Can your present application scale up in the Cloud? Migrating your old ‘legacy applications’ to a Cloud-based infrastructure will not bring the expected benefits. You need to carry out an assessment to determine an application’s readiness for the Cloud. This means evaluating, via a potential supplier, the readiness of all your key applications. This will provide clear recommendations on your options – whether private or public Cloud.

2. Will you be able to receive technical support for the service?

Many cloud-based services are known for their ease of use, but there will come a time when you will need some technical support. When you use cloud-based services, you’ll be entrusting a lot of your business data to the service’s servers, so it’s only right for you to have a service representative to consult in case things go wrong. Before you go with any cloud-based service, make sure that you will be able to receive adequate technical support from the provider.

3. Ownership and access of your data

The application, the hardware and the operating system will be owned by the cloud provider. However, the data is what your intellectual property is based on, and it has to be clearly acknowledged in the contract that you can take that data away with you whenever you want to. Your Cloud subscription gives you access to the functionality of the application or function that you use. If that access is removed, can you still access the data so that you can take it away with you? Ensure that the contract allows for access to the back-end data, either directly or via the provider offering an export capability, even after the contract has finished.

4. Fluctuating Data Volumes

The Cloud is excellent for flexible computing, where extra resources such as additional power or sudden additional storage needs – maybe as a result of project work – are needed. However, as your stored data grows, so does the effort of moving it. Migrating 1GB of data across a wide-area network is pretty simple, but how about 1TB? That migration can take a long time, and if you need to work with that data in real-time as well, you’ll have to plan for a degree of downtime while the data is pulled from the Cloud and reinstalled against a replacement application or function. Look out for clauses in the agreement that charge for data volumes.

5. Is any part of the Cloud infrastructure outsourced or subcontracted?

Cloud computing can often involve chains of sub-processors. If you work across Europe you need to watch this. In some parts of Europe, data protection law requires the controller to independently authorise all subcontracts and to enter into direct contracts with all processors. In most member states, it is left to data controllers or processors to determine what amounts to appropriate technical and organisational measures. However, some countries (for example, Spain, Italy and Poland) have prescriptive requirements for security set out in their legislation. If a customer that operates in one of these countries wishes to put data into the cloud, then it will need the cloud computing service provider to confirm that its security arrangements meet those countries’ laws.

6. Compliance

Organisations considering using Cloud services should perform a gap analysis between the specific requirements identified in relevant regulations and the set of controls provided by the Cloud service provider. Using Cloud computing services for data and applications subject to compliance regulations requires a high degree of transparency on the part of service providers. If you are considering these services, you need to think through what use cases make sense, closely review contracts and service-level agreements and understand how the Cloud service meets your specific compliance requirements.

7. Cost analysis

The business case for Cloud application migration is never complete without taking the target Cloud platform into consideration. The migration and overhead costs vary widely based on the target Cloud platform and thus will skew the estimated cost savings. Cost analysis helps decide whether to go ahead with moving a particular application to the cloud or not from a return on investment perspective. Cost should include capital expenditure, operational expenditure, and the overhead costs involved with migration.

8. Migration Strategy

Defining a migration strategy involves understanding the various migration options available, establishing business priorities, and evolving a strategy that offers a fine balance between costs and meeting business priorities. Fundamentally, enterprises have the two following options with a cloud infrastructure – private or public. The choice is driven by priorities such as business model, go-to-market strategy and constrained by factors such as technical feasibility, security, migration costs, etc.

9. Dealing with Downtime

No business should start their operations with a cloud computing vendor without a Service Level Agreement (SLA). The SLA will specify the guaranteed uptime. In cloud computing, anything less than 99.9% is unacceptable. One of the distinguishing features of cloud computing is the assurance of an uptime to nearly 100%. Providers should be able to do this because of their multiple data centres. These are a necessity for providers to ensure uptime. The process in dealing with downtime should also be indicated as should a clear vendor strategy on how the problem will be dealt with if it arises.

10. Data Migration

Cloud computing does not just ‘happen’. Vendors must explain to their clients how data migration will be implemented. This is the most important task for cloud computing vendors, because it determines not only the future efficiency of the application but also the security of the data.

A detailed plan with a corresponding time frame should be expected from the vendor. Although there are companies that will have more requirements from their clients for data migration, these are done to ensure proper migration without having to deal with future insecurities.

All of the above ten steps should be carefully considered by any business before they proceed to cloud computing. The specific advantages for cloud computing will only be realised if you have selected the right vendor.

Author: Constantine Galonis
Source

Cloud Computing and Accountants

By definition, Cloud computing is Web-based computing, whereby shared resources, both software and information, are provided to computers and other devices on demand through an Internet connection. Instead of having to buy, install, maintain, and manage these resources on your own computer or device, you access and use them through a Web browser.

One of the major advantages to businesses using Cloud based technologies is that it saves time. Rather than managing technology in-house, you pay a third party to manage it for you. What you do with the increase in time is up to you. If you are still building your firm, you’ll have more time to ramp up your marketing efforts. Or, the time could be billed out to a client, or better yet, spent with family! When you consider the opportunity cost of your time, using Cloud based solutions makes sound economic sense for most, if not all, firms.

If the opportunity cost of your time isn’t enough to sway you, consider this: In many cases, Cloud technology can save you money. First of all, using Cloud-based solutions requires less hardware! In addition to the cost of the hardware, managing servers in-house will invariably require some sort of technological support. Depending on the complexity, many firms require the assistance of a full time IT manager, or at the very least, an IT consultant on a part time basis. Even with this IT support, servers in your office can be unreliable and pose significant data security risks. Also, most Cloud service providers allow you to purchase different levels of service depending on your firm’s needs, with a pay-as-you-go option. This means you will pay for the applications you need instead of paying for a whole suite of software when you only use a portion of it.

Another benefit of Cloud computing is portability. Cloud technology allows you to work from anywhere, as long as there is an Internet connection. You do not need to go through the hassle of setting up a virtual private network to log into your server in the office. The information you need is stored on a remote server which means you can access your data from your office, your home, or on your iPad on a beach in the Bahamas!

In short, Cloud computing can save accounting firms time and money, and it offers increased access to work documents, allowing the firms to provide better customer service. To be clear, there are risks associated with Cloud computing. When choosing Cloud computing providers you should definitely choose time-tested companies that have clearly defined privacy policies and are in compliance with the SSAE16 Auditing Standard, which is the latest standard for Reporting on Controls at a Service Organization. This will ensure the data you put on the Cloud is safe and secure! Ultimately, you are the only one who can determine if your future is “Cloudy” or not, but there are many compelling reasons to consider utilizing Cloud technologies within your firm.

Author: Chad Brubaker
Source

The Cloud and EDI

Cloud computing is a remarkable phenomenon, with analysts at IDC predicting public cloud computing services to be a $73 billion market by 2015.

However, many CIOs are still puzzled by the term and may not yet be familiar with how appropriate ‘The Cloud’ is for certain business IT functions.

Concerns over security, too, remain an issue for some.

The wide availability of computing power, storage capacity and software over the internet, through ‘The Cloud’, presents businesses with the potential to use highly sophisticated software products on a pay-as-you-go basis – removing the pressure of capital investment for hardware and software, as well as taking away the onerous responsibility of maintenance.

Smaller businesses now have the ability to access software delivered as a service and use it to gain operational advantage over competitors, both large and small.

The opportunity of a level playing field is now available to all.

One of the greatest advantages of the internet is its connectivity – the ease with which it can link businesses together.

Orders, acknowledgements and invoices can be easily passed between buyers and suppliers through this medium.

Electronic Data Interchange (EDI) is a natural fit with the internet and the ‘intelligence’ offered by Next Generation EDI sits comfortably in a cloud environment.

However, there are important differences between the requirements of EDI services and the ‘self-service’ nature of the public cloud.

Public cloud services require businesses to use their own staff to set-up, input data and maintain services.

This may not always be convenient or desirable, and may not be applicable to all IT functions, including EDI.

Connecting buyers and suppliers up to an EDI platform is a sophisticated, complex and arduous task that requires skilled technicians who are familiar with the many protocols used by business.

Outsourcing this function to an EDI provider on a managed service basis removes this issue.

Also, by moving to a ‘Managed Cloud’, compliance with an organisation’s trading requirements becomes a simple matter.

If a customer changes their message format, it is the responsibility of the service provider to update the system.

One of the most common barriers to companies moving to a cloud environment is the question of security.

Although attitudes are changing fast, companies can be reluctant to place data outside their own firewall.

However, for any business that has a network there is always the danger that someone could compromise their systems, and yet few companies are adequately equipped.

Cloud computing services have to be more secure than any individual business and leading service providers dedicate considerable resources to maintaining the highest standards on security and virus protection on a 24/7 basis.

Importantly, EDI services are best suited to what may be regarded as a ‘Community Cloud’ – where access is only available to the hub owner and authorised trading partners.

An important consideration when adopting a cloud solution is whether each individual customer has their own database, with their data completely separated from other customers’ data.

This is key in ensuring that there is no possibility of data getting mixed up or someone getting access to another company’s information.

An often overlooked advantage of moving to the cloud is the creation of a repository of information away from the enterprise.

This allows the stored information to be accessed anytime, anywhere.

Therefore, if a company’s ERP is unavailable, access via a browser enables business to continue, assisting in the company’s disaster recovery process.

Many major businesses in the retail, manufacturing and building sectors are moving their electronic trading to Next Generation EDI services hosted in the Cloud.

Taking an outsourced managed service approach has been seen by a growing number of leading companies as the best way of freeing up internal IT resources, dealing with issues of compliance and facilitating the fast on-boarding of new trading partners.

The ‘Managed Cloud’ is the right place to be for Next Generation EDI.

Source

Cost-Conscious Cloud

While some concerns remain about data security and application uptime, there’s significant movement within the retail industry toward cloud-based solutions that can be delivered on an on-demand basis, and it’s easy to see why. Unlike many other technologies that retailers have had to adapt to meet their business needs, it’s as if cloud computing was designed specifically with the cost-conscious, data-deluged retail enterprise in mind.

For retail CIOs seeking a quick ROI payback from any proposed new initiative, adopting cloud-based solutions offers almost immediate cost savings. Not only is there less need for up-front capital investment in hardware, software and deployment, but these solutions are typically available on a per-usage basis, opening the door for retailers to use as much of an application as they need at any given time.

In addition, this pricing model allows retailers to move many IT costs from the capital expenditures budget line to the operating expenditures line, which can free up CapEx funds for other IT projects.

But most industry experts, along with retailers that have already adopted cloud solutions, agree that cost savings are only their most obvious benefit. Cloud-based solutions’ expanded availability offers retailers new levels of flexibility and speed to market. IT departments can scale up support in far less time than traditional application architectures would have needed.

Defining Cloud Computing

Cloud computing has nothing to do with meteorology. It got its name from the “cloud” graphics used to represent any off-premise computing area, in this case the Internet.

Cloud computing “allows users to obtain computing capabilities through the Internet, regardless of their physical location,” write Michael Mojica, Jeff Stephenson and Alan Healey in the May 2010 Accenture report, Six Questions Every Retail Executive Should ask About Cloud Computing. “Computing clouds are in essence online, supersized data centers containing hundreds of thousands of servers hosting web applications.”

There are public clouds, which take advantage of massed servers to lower all participants’ costs and are essentially available to anyone, and private clouds maintained by a company or group of companies, as well as public/private hybrids.

Cloud-based services are broadly divided into three categories: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Applications designed for traditional distribution methods can be adapted for cloud delivery, but many technology vendors are now designing solutions that specifically optimize cloud-based models.

Applying Power to ‘Big Data’

Many retailers would like to use more of the data coming from mobile technology and social media to gain greater insights into customer behavior and demand patterns, but one of the barriers has been the enormous IT investment required for both hardware and software.

In addition to lowering costs, mitigating risk and increasing flexibility, the cloud computing model expands access to massive computing power. And because retailers can use this power on an as-needed basis, they gain the benefits of deep data analysis without having to invest in technology that they might use for only a few days each week or each month.

The cloud’s combination of expanded computing resources and delivery to virtually any Web-connected device also adds the possibility of using its solutions to conduct real-time analyses.

“Scenario modeling, what-if analysis, and forecasting, which are ‘lumpy,’ data-intensive processes, are great candidates to be served by cloud-based solutions,” according to the Accenture Six Questions report.

Addressing Security Issues

The nagging questions about cloud computing have to do with security and application uptime. While acknowledging that no IT architecture can guarantee full 100% uptime, cloud proponents say that the use of multiple servers and data centers offers higher redundancy levels than would be possible with a single enterprise-operated data center.

In addition, data security is a concern no matter what type of IT architecture a company uses. Retailers traffic in Personally Identifiable Information (PII) about their customers as well as financial and transactional data, not to mention sensitive proprietary information about prices, promotions and their own interactions with vendors and suppliers.

Experts say the move to a cloud computing model can actually be a catalyst for assessing and addressing security concerns throughout the retail enterprise.

7 Security Recommendations

The Accenture Six Questions report provides seven security recommendations for companies considering a cloud deployment:

  • Work with your provider to determine its attention to security, privacy and compliance with data laws in all relevant jurisdictions.
  • The security of the cloud should be equal to the most risky client that is serviced by the provider.
  • Require your cloud computing partner to provide you with its risk assessment and how it intends to mitigate any issues found.
  • If the cloud provider does not have a seasoned Privacy Officer and a client-facing CSO, CISO, or equivalent security role, it is a sign that the provider doesn’t take security seriously enough.
  • Schedule monthly discussions with the cloud provider’s top privacy and security people.
  • The cloud provider should have the ability to map its policy and procedures to any security mandate or security/privacy/compliance-driven contractual obligation you face.
  • Pay attention to your cloud provider’s adherence to secure coding practices.

What cloud-based solutions can provide is cost savings with much higher levels of IT and business flexibility than retailers have been accustomed to.

Cloud-based solutions are just starting to sprinkle their benefits on the retail industry, and there are strong indications that these “showers” will quickly grow into a downpour — and that more and more retailers will like this change in the weather.

Source

Cloud Computing Data Security

Meeting the requirements for cloud data security entails applying existing security techniques and following sound security practices. To be effective, cloud data security depends on more than simply applying appropriate countermeasures. Taken collectively, countermeasures must comprise a resilient mosaic that protects data at rest as well as data in motion.

While the use of encryption is a key component for cloud security, even the most robust encryption is pointless if the keys are exposed or if encryption endpoints are insecure. Customer or tenant control over these endpoints will vary depending on the service model and the deployment model.

OVERVIEW OF DATA SECURITY IN CLOUD COMPUTING
It is understandable that prospective cloud adopters would have security concerns around storing and processing sensitive data in a public, a hybrid, or even a community cloud. Compared to a private data center, these concerns usually center on two areas:

  • Decreased control by the owning organization when data is no longer managed within an organization’s premises
  • Concern by the owning organization that multitenancy clouds inherently pose risks to sensitive data

In both cases, the potential risk of data exposure is real but not fundamentally new. This is not to say that cloud computing does not bring unique challenges to data security.

Control over Data and Public Cloud Economics

In contrast to the use of a public cloud, maintaining organizational physical control over stored data, or over data as it traverses internal networks and is processed by on-premises computers, does offer potential advantages for security. But the fact is that while many organizations may enforce strict on-premises-only data policies, few organizations actually follow through and implement the broad controls and the disciplined practices that are necessary to achieve full and effective control.

So, while additional risks may be present when data doesn’t physically exist within the confines of an organization’s controlled facility, this is not necessarily the security issue that it may appear to be. To begin with, achieving the potential advantages of on-premises data requires that your security strategy and implementation actually deliver on the promise of better security.

The basic problem is that most organizations are neither qualified to be in the information security business nor are they in that business—they are simply using computers and networks to get their work done! Although secure computing is a desired quality, information security expertise is not a core-competency for most computer users nor is it common in most organizations. Returning to the point:

  • Moving data off premises does not necessarily pose new risks, and it may in fact improve your security.
  • Entrusting your data to an external custodian may result in better security and may well be more cost effective.

Two examples that underscore this are the commercial service offerings to either store highly sensitive data for disaster recovery or assure the destruction of magnetic media. In both cases, many highly paranoid organizations tightly control how they use these services—but the point is that they use external services, and when they do so, they entrust their data to external custodians.

It is important to state that some kinds of data are simply too sensitive, and the consequence of data exposure too great, for some customers to seriously consider using a public cloud for processing. This applies to any information category that entails national security information, or information that is subject to regulatory controls which cannot yet be met by public cloud offerings. Likewise, it is unlikely that a well-governed organization would release highly sensitive future product plans to any environment where the organization could not be sure that the information custodian (the CSP) would enforce the owning organization’s interests as well as the organization itself would.

In these examples, it is not the case that security needs for these categories can’t be met in a public cloud; rather, the cost of providing such security assurance is incompatible with the cost model of a public cloud. For a CSP to meet these needs would demand additional controls, procedures, and practices that would make the cloud offering noncompetitive for most users. Consequently, where such data security needs prevail, other delivery models (community or private cloud) may be more appropriate. This is depicted in Figure 1. Note that this situation is a function of generally available and anticipated offerings in the public cloud space. Quite likely, this will change as security becomes more of a competitive discriminator in cloud computing.

FIGURE 1 Meeting security needs: public, community, and private clouds.

One can easily imagine future high-assurance public clouds that charge more for their service than lower-assurance public clouds do today. We might also expect that some higher-assurance clouds would limit access by selectively screening customers based on entry requirements or regulation. Limiting access to such a cloud would reduce risk—not eliminate it—provided the screening is effective.

Organizational Responsibility: Ownership and Custodianship
While an organization has responsibility for ensuring that its data is properly protected, as discussed above, it is often the case that when data resides on premises, appropriate data assurance is not practiced or even understood as a set of actionable requirements. When data is stored with a CSP, the CSP assumes at least partial responsibility (PaaS), if not full responsibility (SaaS), in the role of data custodian. But even with divided responsibilities for data ownership and data custodianship, the data owner does not give up the need for diligence in ensuring that data is properly protected by the custodian.

By the nature of the service offerings, and as depicted in Figure 2, a data owning organization can benefit from their CSP having control and responsibility for customer data in the SaaS model. The data owning organization is progressively responsible beginning with PaaS and expanding with IaaS. But appropriate data assurance can entail significant security competence for the owning organization.

FIGURE 2 Owning organization has increasing control and responsibility over data.

Ultimately, risks to data security in clouds are presented to two states of data: data that is at rest (or stored in the cloud) and data that is in motion (or moving into or out of the cloud). Once again, the security triad (confidentiality, integrity, and availability) along with risk tolerance drives the nature of data protection mechanisms, procedures, and processes. The key issue is the exposure that data is subject to in these states.

Data at Rest and in Motion

Data at rest refers to any data in computer storage, including files on an employee’s computer, corporate files on a server, or copies of these files on off-site tape backup. Protecting data at rest in a cloud is not radically different from protecting it outside a cloud. Generally speaking, the same principles apply. As discussed in the previous section, there is the potential for added risk as the data owning enterprise does not physically control the data. But as also noted in that discussion, the trick to achieving an actual security advantage with on-premises data is following through with effective security.

Referring back to Figure 1, the less control the data owning organization has—decreasing from private cloud to public cloud—the greater the concern and the greater the need for assurance that the CSP’s security mechanisms and practices are effective for the level of data sensitivity and data value. (But in Figure 2, we saw that the owning organization’s responsibility for security runs deeper into the stack as it moves from SaaS to PaaS and again to IaaS.)

If you are going to use an external cloud provider to store data, a prime requirement is that the risk exposure is acceptable. Risk exposure varies in part as a function of the service delivery model, just as it does of the deployment model.

A secondary requirement is to verify that the provider will act as a true custodian of your data. A data owning organization has several opportunities to proactively ensure data assurance by a CSP. To begin with, selecting a CSP should be based on verifiable attestation that the CSP follows industry best practices and implements security that is appropriate for the kinds of data it is entrusted with. Such certifications will vary according to the nature of the information and whether regulatory compliance is necessary. Understandably, one should expect to pay more for services that involve such certifications. One likely trend here is that higher-assurance cloud services may come with indemnification as a means of insurance or monetary backing of assurance for a declared level of security. Whatever the future may hold, we can expect that practices in this space will evolve.

Data in Motion
Data in motion refers to data as it is moved from a stored state as a file or database entry to another form, in the same or a different location. Any time you upload data to be stored in the cloud, the data is considered to be data in transit while the upload is taking place. Data in motion can also apply to data that is in transition and not necessarily permanently stored. Your username and password for accessing a Web site or authenticating yourself to the cloud would be considered sensitive pieces of data in motion that are not actually stored in unencrypted form.

Because data in motion only exists as it is in transition between points—such as in memory (RAM) or between end points—securing this data focuses on preventing the data from being tampered with as well as making sure that it remains confidential. One risk has to do with a third party observing the data while it is in motion. But other things happen when data is transmitted between distant end points: packets may be cached on intermediate systems, or temporary files may be created at either end point. There is no better protection strategy for data in motion than encryption.

Common Risks with Cloud Data Security

Several risks to cloud computing data security are discussed in this section. None of these are unique to the cloud model, but they do pose risk and must be considered when addressing data security. They include phishing, CSP privileged access, and the source or origin of data itself.

Phishing
One indirect risk to data in motion in a cloud is phishing. Although it is generally considered infeasible to break public key infrastructure (PKI) today (and therefore to break the authentication and encryption), it is possible to trick end users into providing their credentials for access to clouds. Although phishing is not new to the security world, it represents an additional threat to cloud security. Listed below are some protection measures that some cloud providers have implemented to help address cloud-targeted phishing-related attacks:

  • Salesforce.com Login Filtering. Salesforce has a feature to restrict access to a particular instance of its customer relationship management application. For example, a subscriber can tell Salesforce not to accept logins, even if valid credentials are provided, unless the login is coming from a whitelisted IP address range. This can be very effective in preventing phishing attacks, since an attacker cannot log in unless the login comes from a known IP address range.
  • Google Apps/Docs/Services Logged-In Sessions & Password Rechecking. Many Google services randomly prompt users for their passwords, especially when a suspicious event has been observed. Furthermore, many Google services display the IP address from the previous login session, along with automatic notification of suspicious events, such as a login from China shortly after a login from a United States IP address for the same account.
  • Amazon Web Services Authentication. Amazon takes authentication to cloud resources seriously. When a subscriber uses EC2 to provision a new cloud-hosted virtual server, by default Amazon creates cryptographically strong PKI keys and requires those keys to be used for authentication to that resource. If you provision a new Linux VM and want to SSH to it, you have to use SSH with key-based authentication and not a static password.
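The first two measures above, written out as defender-side login screening: a per-tenant source IP allow-list that rejects even valid credentials from elsewhere (the Salesforce-style filter), and a re-authentication prompt with the previous IP shown when a login arrives from a different country shortly after the last one (the Google-style suspicious-event check). This is an added illustration, not Salesforce's or Google's code; the tenant names, IP ranges, GeoIP mapping and login events are constructed.

```python
"""Login screening modelled on the page's two provider measures (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: tenants that opted into login filtering and their allowed ranges.
TENANT_ALLOWLIST = {
    "acme": [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")],
}
# Constructed stand-in for a GeoIP database (RFC 5737 documentation prefixes).
GEOIP = {
    ip_network("203.0.113.0/24"): "US",
    ip_network("198.51.100.0/24"): "US",
    ip_network("192.0.2.0/24"): "CN",
}
REAUTH_WINDOW = timedelta(hours=2)  # a country change inside this window triggers a recheck

@dataclass
class LoginEvent:
    tenant: str
    user: str
    src_ip: str
    ts: datetime
    password_ok: bool

@dataclass
class Verdict:
    decision: str  # "allow", "deny" or "reauth"
    reason: str

def country_of(ip: str) -> str:
    addr = ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"

def in_allowlist(tenant: str, ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TENANT_ALLOWLIST.get(tenant, []))

class LoginScreener:
    def __init__(self) -> None:
        # (tenant, user) -> (country, source ip, timestamp) of the last accepted login
        self.last_seen = {}

    def screen(self, ev: LoginEvent) -> Verdict:
        if not ev.password_ok:
            return Verdict("deny", "bad credentials")
        # Salesforce-style filter: the tenant opted in, so valid credentials
        # presented from outside the allow-list are still rejected.
        if ev.tenant in TENANT_ALLOWLIST and not in_allowlist(ev.tenant, ev.src_ip):
            return Verdict("deny", f"{ev.src_ip} is outside the tenant allow-list")
        cc = country_of(ev.src_ip)
        prev = self.last_seen.get((ev.tenant, ev.user))
        self.last_seen[(ev.tenant, ev.user)] = (cc, ev.src_ip, ev.ts)
        # Google-style check: a different country within the window is a
        # suspicious event, so ask for the password again and show the previous IP.
        if prev and prev[0] != cc and ev.ts - prev[2] < REAUTH_WINDOW:
            return Verdict("reauth", f"{prev[0]} ({prev[1]}) then {cc} within {ev.ts - prev[2]}")
        return Verdict("allow", f"login from {cc}")

def run_demo() -> list:
    """Screen a constructed sequence of login events and return the verdicts."""
    t0 = datetime(2011, 6, 1, 10, 0)
    events = [
        LoginEvent("acme", "alice", "203.0.113.10", t0, True),                        # allow
        LoginEvent("acme", "alice", "192.0.2.5", t0 + timedelta(minutes=30), True),  # deny: not allow-listed
        LoginEvent("globex", "bob", "198.51.100.200", t0, True),                     # allow
        LoginEvent("globex", "bob", "192.0.2.9", t0 + timedelta(minutes=45), True),  # reauth: US then CN
        LoginEvent("globex", "bob", "192.0.2.9", t0 + timedelta(hours=4), True),     # allow: same country
        LoginEvent("globex", "carol", "192.0.2.20", t0, False),                      # deny: bad password
    ]
    screener = LoginScreener()
    return [screener.screen(ev) for ev in events]

if __name__ == "__main__":
    for v in run_demo():
        print(v.decision, "-", v.reason)
```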

But these methods are not always foolproof—with phishing, the best protection is employee/subscriber training and awareness to recognize fraudulent login/capturing events. Some questions that you might ask your CSP related to protection from phishing-related attacks are:

  • Referring URL Monitoring. Does the CSP actively monitor the referring URLs for authenticated sessions? A widespread phishing attack targeting multiple customers can come from a bogus or fraudulent URL.
  • Behavioral Policies. Does the CSP employ policies and procedures that mandate that a consistent brand is in place (phishing attacks often take advantage of branding weaknesses to deceive users)? Does their security policy prohibit weak security activities that could be exploited? An example would be whether they prohibit the sending of e-mails with links that users can click on that automatically interact with their data. Another example would be whether they allow password resets to occur without actively proving user identity via a previously confirmed factor of authentication (that is, a password reset is requested on the Web and the CSP confirms the user’s identity via an out-of-band SMS text message to their cell phone).

Phishing is a threat largely because most cloud services currently rely on simple username and password authentication. If an attacker succeeds in obtaining credentials, there is not much preventing them from gaining access.

Provider Personnel with Privileged Access
Another risk to cloud data security has to do with a number of potential vectors for inappropriate access to customer-sensitive data by cloud personnel. Plainly stated, outsourced services—be they cloud-based or not—can bypass the typical physical and logical controls that IT organizations enforce.

This risk is a function of two primary factors: first, it largely has to do with the potential for exposure with unencrypted data and second, it has to do with privileged cloud provider personnel access to that data. Evaluating this risk largely entails CSP practices and assurances that CSP personnel with privileged access will not access customer data.

Data Origin and Lineage
The origin, integrity, lineage, and provenance of data can be a primary concern in cloud computing. Proving the origin of information or data has importance in many areas, including patents or proving ownership of valuable data sets that are based on independent analysis of commonly available information sources.

For compliance purposes, it may be necessary to have exact records as to what data was placed in a public cloud, when it occurred, what VMs and storage it resided on, and where it was processed. In fact, it may be equally important to be able to prove that certain datasets were not transferred to a cloud, for instance, when there are sensitivity or EU-privacy concerns about what national borders such data may have crossed.

While reporting on data lineage and provenance may be very important for regulatory purposes, it may be very difficult to do so with a public cloud. This is largely due to the degree of abstraction that exists between actual physical resources—such as disk drives and servers—and the virtualized resources that a public cloud user has access to. Visibility into a provider’s operations in terms of technical mechanisms can be impossible to obtain, for understandable reasons.

Where requirements exist that the origin and custody of data or information must be maintained in order to prevent tampering, to preclude exposure outside a jurisdictional realm, or to assure the continuing integrity of data, it may be completely inappropriate to use a public cloud or even a low-assurance private cloud. One can imagine that if such requirements become increasingly common, cloud-based services will arise to profit from the opportunity. In the absence of a public service, and where a private cloud is cost prohibitive, alternative approaches should be considered—easiest among them the use of a hybrid or community cloud.

Source

How to Enter the Cloud

Cloud computing is a reality, and it’s a force that I believe IT professionals need to come to terms with quickly. The economic motivation for cloud is high; business need for speed and agility is like never before, and the technology has reached a level where it makes prudent investments in cloud services not only possible but fast and easy.

The cloud is here and it won’t go away, but what is it really, why should organisations use it and what are the risks? If you live in a corporate IT organisation, responsible for IT infrastructure, what factors do you need to consider?

What we really mean when we talk about cloud
“Cloud” has become a catch-all term for utility or on-demand compute, but there are a lot of things that cloud isn’t. Let’s start by establishing some common terminology:

  • Cloud: generally IT as a Service (ITaaS)
  • Cloud computing: a business model for delivering IT as a service
  • Cloud services: the deliverable or what you actually get. This encompasses the following areas of ITaaS:
      • Infrastructure as a Service (servers, network, storage, management, reporting)
      • Platform as a Service (application building blocks and standards)
      • Software as a Service (applications)
      • Storage as a Service (primary, back-up, archive, DR)

In my experience the best way to define cloud is actually to look at the problem it is trying to solve. For instance, when customers ask me about cloud, most of the time what they are thinking about falls into three main areas:

  • Decreased storage costs: achieved via storage efficiency
  • Data centre efficiency: achieved via virtualisation and internal or private clouds
  • Conversion of capital expenditure into operational expenditure: achieved via external or public clouds

Whether to create your own cloud, or use a third party
The big question behind cloud computing is whether a company should build or expand its own data centre (a private cloud), or whether it should outsource and access computing resources remotely over the Internet (a public cloud).

The solution is individual to every organisation; there is no single blueprint to apply and IT strategists and architects have to do their own homework. Organisational factors such as the need to balance opex with capex, attitude to risk, security, criticality of applications and the need for redundancy are unique to every organisation and demand a unique cloud analysis and definition.

How to define a cloud infrastructure and “cloud-safe” data management policy
There are two fundamentals to developing a robust cloud-based IT infrastructure:

  1. Governance and compliance for outsourced public cloud applications
  2. The creation of internal cloud services to drive down costs and time to market for in-house applications

If your organisation is just beginning to explore the cloud, you need to identify which services can reside in the cloud and which should be internal. Determine what systems and services are core to your business or store your crucial intellectual property. These should be categorised as high risk and not considered cloud opportunities in the near term.

You also need to develop a sourcing strategy to achieve the low cost, scalability and flexibility your business is seeking. This should include all the necessary protections such as data ownership and mobility, compliance and other elements familiar from more traditional IT contracts.

Implementing an external / public cloud infrastructure
Since there are applications (CRM, ERP, messaging and collaboration) that are common to every company, outsourcing to an external cloud provider that can do a better job managing the application at a lower cost structure makes sense. Governance plays a central role in deciding which applications can be safely outsourced, and how to manage the processes. You will need to assess the applications and build policies based upon the type of data. Factors to consider include: how it is accessed and by whom, security and compliance aspects, and the strategic importance or competitive advantage the application or data offers.

Second, you need to assess the cloud service provider’s service offerings. Look at their capabilities, security, SLAs on availability and performance to see if they meet the levels required by the applications before agreeing to cloud-outsource the application.

What are the risks of using an external cloud?
You should pay careful attention to:

  • Service Levels. Understand the service levels you can expect for transaction response times, data protection, and speed of data recovery.
  • Privacy. If someone else hosts and serves your data they could be approached by the U.S. government to access and search that data without your knowledge or approval. Current indications are that they would be obligated to comply.
  • Compliance. You are probably already aware of the regulations that apply to your business. In theory, providers of cloud services can provide the same level of compliance for data stored in the cloud, but, since most of these services are young, you’ll need to take extra care.
  • Data Ownership. Do you still own your data once it goes into the cloud? You may think the answer to this question is obvious, but the recent flap over Facebook’s attempt to change its terms of use suggests that the question is worth a second look.
  • Data Mobility. Can you share data between cloud services? If you terminate a cloud relationship can you get your data back? What format will it be in? How can you be sure all other copies are destroyed?

As with any service that’s going to be critical to your company, the best advice is to ask a lot of questions and get all commitments in writing.

Implementing internal / private cloud infrastructure
Internal clouds will help the business launch applications faster and at much lower cost. This is about building ITaaS capabilities in house, or building shared infrastructure that is offered as a service to the business. You’ll need pooled infrastructure, policy-based automation to simplify provisioning, metrics and chargebacks, service assurance and conformance to SLAs, as well as forward-looking capacity planning. Add a self-service portal to your internal cloud and now the applications teams are happy they can deploy faster and at lower cost, and the corporate IT governance guys will be happy too.

This space is evolving fast, so start with the basics: pool the infrastructure and use a vendor that offers dynamic virtualised infrastructure to quickly activate applications, or repurpose capacity and performance as loads from applications ramp up or down. For this you need unified storage, network, and servers that can cater for a wide range of application requirements, and you should choose highly efficient infrastructure.

An internal cloud service that drives down costs and time to market for in-house applications is built on a pooled, dynamic infrastructure with utilisation levels in excess of 75%. This is achieved through thin provisioning, deduplication, and cloning technologies (which can raise utilisation levels well in excess of 100%). The bottom line is that this approach yields big cost savings.

Summary
Cloud computing isn’t going away. It’s an IT concept we must all sign up to.

  • Provisioning an effective cloud infrastructure is individual to every business.
  • In evaluating public versus private clouds—be aware of what you’re getting into and how to get out of it.
  • For an external cloud, if there’s too much risk, don’t do it. Be selective about what you choose to put in an external cloud. No amount of IT cost-saving can justify breaking a business.
  • For internal clouds, make sure you understand what your data centre is capable of and consider vendors that can offer the greatest flexibility and real unified computing.


Source

Companies Ill-Prepared To Achieve Cloud Goals

The majority of large organisations are migrating internal virtual infrastructure to the cloud because they believe it will reduce costs, according to a recent survey. The survey finds that only 17 per cent of organisations achieved their utilisation and ROI goals with virtualisation and yet, they intend to use similar planning and management approaches for their move to the cloud.

The survey interviewed 94 executives responsible for virtual and cloud infrastructure decisions at organisations with more than 25,000 employees. It revealed that many organisations are ill-prepared to make the move: 77 per cent of respondents plan to use cloud-vendor supplied tools or spreadsheets to plan the migration of workloads to the cloud and only 48 per cent plan to implement new solutions to manage cloud infrastructure.

While cloud operating models have the potential to reduce spend, it is more likely that infrastructure costs will increase if these initiatives are poorly planned and managed. Virtualisation provided many organisations with some quick hits in terms of cost savings on hardware, but the reality is that few have fully met their objectives for utilisation and ROI. Despite this, the majority of organisations are betting on the cloud without dramatically changing the approach to planning these environments.

Cloud operating models can naturally increase inefficient use of capacity and the amount of “excess” capacity an organisation has on hand in internal clouds by their very design:

  • Providing users with self-serve access to capacity can result in buffet-style over-indulgence as application owners request more capacity than they actually need to safeguard against risk.
  • Pre-defined instance configurations and sized “buckets” of capacity may enable easier management, but they can also result in built-in excess capacity in allocations vs. customising allocations for each workload’s true requirement.
  • Increased responsiveness requires a supply of excess capacity to be held as a demand buffer for new workloads. Sizing this capacity requirement, however, is tricky and teams could end up with unnecessary idle capacity taking up room on the data centre floor.

Key findings from the survey reveal that organisations will face a direct conflict between high hopes for cost reduction and poor planning and management methods:

  • 39 per cent of respondents felt that virtualisation costs were higher than expected or delivered an uncertain ROI.
  • 70 per cent of respondents felt that moving to cloud infrastructure would decrease costs and 42 per cent cited cost reduction as the primary reason they would move systems off of internal virtualised infrastructure to the cloud.
  • Despite the hopes for cost reduction, a total of 77 per cent planned to take a very basic and biased approach to migration planning, using a cloud vendor-provided tool or spreadsheets to plan the migration of their workloads to the cloud.
  • 75 per cent planned workload movements using spreadsheets in currently virtual environments, which not only slows response times, but also takes a very simplistic approach to sizing and placement in internal cloud environments.

According to Gartner analyst Alessandro Perilli, in the June 9, 2011 research paper “The Big Mind Shift: Capacity Management for Virtual and Cloud Infrastructures”:

“Gartner defines “optimised” as a virtual infrastructure where the workload placement satisfies all of an organisation’s technical, business, and compliance constraints and the capacity is allocated to avoid resource wasting (i.e., rightsized).”

Perilli also recommends:

“The capacity management tool should allow for the definition of complex, multi-dimensional placement rules according to the technical, business, and compliance constraints inherent to each service that the infrastructure is hosting.”

Strategic workload placement is critical to achieving savings, particularly in internal clouds. Taking a manual approach to planning cloud migration, as many organisations have done with virtualisation, is a recipe for inefficiency and reduced return on investment. There are simply too many factors to consider in placement and capacity sizing decisions to be able to do so efficiently and accurately using home-grown tools.
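What a placement rule across all three dimensions (technical, business, compliance) plus right-sizing looks like in practice, as an added illustration of the Gartner recommendation quoted above; this is not Gartner's or any vendor's tool. The hosts, workloads, regions, tenant isolation rules and the 20% headroom figure are all constructed.

```python
"""Constraint-aware, right-sized workload placement (added example)."""
from dataclasses import dataclass, field

HEADROOM = 1.2  # constructed: allocate observed peak plus 20%, not the requested "bucket"

@dataclass
class Host:
    name: str
    region: str                 # compliance: the jurisdiction the host sits in
    cpu_free: float
    mem_free_gb: float
    tenants: set = field(default_factory=set)

@dataclass
class Workload:
    name: str
    tenant: str
    cpu_peak: float             # technical: observed peak demand
    mem_peak_gb: float
    allowed_regions: set        # compliance: data-residency rule
    isolate_from: set = field(default_factory=set)  # business: tenants never co-hosted

def rightsize(wl: Workload) -> tuple:
    """Size the allocation from observed peak rather than from a pre-defined bucket."""
    return wl.cpu_peak * HEADROOM, wl.mem_peak_gb * HEADROOM

def fits(host: Host, wl: Workload) -> tuple:
    """Evaluate every rule dimension for one host; return (ok, reason)."""
    if host.region not in wl.allowed_regions:
        return False, f"{host.name}: region {host.region} not permitted"
    clash = host.tenants & wl.isolate_from
    if clash:
        return False, f"{host.name}: co-location with {sorted(clash)} forbidden"
    need_cpu, need_mem = rightsize(wl)
    if host.cpu_free < need_cpu or host.mem_free_gb < need_mem:
        return False, f"{host.name}: insufficient free capacity"
    return True, "ok"

def place(hosts: list, workloads: list) -> tuple:
    """Best-fit placement honouring every rule; returns (placement, unplaced)."""
    placement, unplaced = {}, {}
    for wl in workloads:
        need_cpu, need_mem = rightsize(wl)
        candidates, reasons = [], []
        for h in hosts:
            ok, why = fits(h, wl)
            if ok:
                candidates.append(h)
            else:
                reasons.append(why)
        if not candidates:
            unplaced[wl.name] = reasons  # every violated rule, so an operator can act on it
            continue
        # Best fit: the host left with the least idle CPU (then memory) after placement.
        best = min(candidates, key=lambda h: (h.cpu_free - need_cpu, h.mem_free_gb - need_mem))
        best.cpu_free -= need_cpu
        best.mem_free_gb -= need_mem
        best.tenants.add(wl.tenant)
        placement[wl.name] = best.name
    return placement, unplaced

def run_demo() -> tuple:
    """Constructed pool: two EU hosts, one US host, and four workloads with mixed rules."""
    hosts = [Host("eu1", "EU", 8, 32), Host("eu2", "EU", 4, 16), Host("us1", "US", 16, 64)]
    workloads = [
        Workload("payroll", "hr", 2, 6, {"EU"}, {"contractor"}),
        Workload("analytics", "contractor", 3, 10, {"EU", "US"}, {"hr"}),
        Workload("web", "sales", 1, 2, {"US"}),
        Workload("archive", "hr", 6, 20, {"EU"}, {"contractor"}),  # no host satisfies all rules
    ]
    return place(hosts, workloads)

if __name__ == "__main__":
    placed, unplaced = run_demo()
    print(placed)
    for name, why in unplaced.items():
        print(name, "->", "; ".join(why))
```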

Source