Tag Archives: governance

SaaS, PaaS, and IaaS: A Security Checklist for Cloud Models

How does security apply to Cloud Computing? In this article, we address this question by listing the five top security challenges for Cloud Computing, and examine some of the solutions to ensure secure Cloud Computing.

Organizations and enterprises are increasingly considering Cloud Computing to save money and to increase efficiency. However, while the benefits of Cloud Computing are clear, most organizations continue to be concerned about the associated security implications. Due to the shared nature of the Cloud where one organization’s applications may be sharing the same metal and databases as another firm, Chief Security Officers (CSOs) must recognize they do not have full control of these resources and consequently must question the inherent security of the Cloud. However, it is important to note that Cloud Computing is not fundamentally insecure; it just needs to be managed and accessed in a secure way.

All Cloud Models Are Not the Same

Although the term Cloud Computing is widely used, it is important to note that all Cloud Models are not the same. As such, it is critical that organizations don’t apply a broad-brush, one-size-fits-all approach to security across all models. Cloud Models can be segmented into Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). When an organization is considering Cloud security it should consider both the differences and similarities between these three segments of Cloud Models:

SaaS: this particular model is focused on managing access to applications. For example, policy controls may dictate that a sales person can only download particular information from sales CRM applications: only certain leads, within certain geographies, or during local office working hours. In effect, the security officer needs to focus on establishing controls regarding users’ access to applications.

PaaS: the primary focus of this model is on protecting data. This is especially important in the case of storage as a service. An important element to consider within PaaS is the ability to plan against the possibility of an outage from a Cloud provider. The security operation needs to consider providing for the ability to load balance across providers to ensure fail over of services in the event of an outage. Another key consideration should be the ability to encrypt the data whilst stored on a third-party platform and to be aware of the regulatory issues that may apply to data availability in different geographies.

IaaS: within this model the focus is on managing virtual machines. The CSO’s priority is to overlay a governance framework that enables the organization to put controls in place regarding how virtual machines are created and spun down, thus avoiding uncontrolled access and potentially costly wastage.

The following check-list of Cloud Security Challenges provides a guide for Chief Security Officers who are considering using any or all of the Cloud models.

For CSOs focused on PaaS

Challenge #1: Protect private information before sending it to the Cloud

There are already many existing laws and policies in place which disallow the sending of private data onto third-party systems. A Cloud Service Provider is another example of a third-party system, and organizations must apply the same rules in this case. It’s already clear that organizations are concerned at the prospect of private data going to the Cloud. The Cloud Service Providers themselves recommend that if private data is sent onto their systems, it must be encrypted, removed, or redacted. The question then arises: “How can the private data be automatically encrypted, removed, or redacted before sending it up to the Cloud Service Provider?” It is known that encryption, in particular, is a CPU-intensive process which threatens to add significant latency to the process.

Any solution implemented should broker the connection to the Cloud Service and automatically encrypt any information an organization doesn’t want to share via a third party. For example, this could include private or sensitive employee or customer data such as home addresses or social security numbers, or patient data in a medical context. CSOs should look to provide for on-the-fly data protection by detecting private or sensitive data within the message being sent up to the Cloud Service Provider, and encrypting it such that only the originating organization can decrypt it later. Depending on the policy, the private data could also be removed or redacted from the originating data, but then re-inserted when the data is requested back from the Cloud Service Provider.
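The redact-and-reinsert path described above, as an added example that is not part of the original article: a small on-premises broker that replaces sensitive values with opaque tokens before the message leaves, keeps the token-to-value mapping in a local vault the provider never sees, and restores the originals when the data comes back. The JSON payload, the field names, the SSN pattern and the `TOK_` token format are assumptions for this example.

```python
"""
Redact-and-reinsert broker for outbound cloud payloads (added example).

Assumptions (not from the original article): the outbound message is a JSON
object, sensitive values are detected by a regular expression for US social
security numbers and by field name for home addresses, and the token-to-value
mapping lives in an on-premises vault (a dict here) that the cloud provider
never receives. All sample data below is constructed.
"""
import json
import re
import secrets

# Detection rules: a pattern scanned for inside free-text values, plus field
# names that are treated as sensitive regardless of their content.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SENSITIVE_FIELDS = {"home_address", "ssn", "patient_id"}
TOKEN_RE = re.compile(r"TOK_[0-9a-f]{16}")


class RedactionBroker:
    """Replaces sensitive values with opaque tokens and restores them later."""

    def __init__(self):
        self._vault = {}  # token -> original value; never leaves the premises

    def _tokenize(self, value):
        token = "TOK_" + secrets.token_hex(8)  # random, not derived from value
        self._vault[token] = value
        return token

    def _redact_value(self, key, value):
        if isinstance(value, dict):
            return {k: self._redact_value(k, v) for k, v in value.items()}
        if isinstance(value, list):
            return [self._redact_value(key, v) for v in value]
        if isinstance(value, str):
            if key in SENSITIVE_FIELDS:
                return self._tokenize(value)  # whole field is sensitive
            # Free text: tokenize each SSN-shaped substring individually
            return SSN_RE.sub(lambda m: self._tokenize(m.group(0)), value)
        return value

    def outbound(self, message):
        """On the way to the provider: returns the redacted JSON text."""
        return json.dumps(self._redact_value(None, message), sort_keys=True)

    def _restore_value(self, value):
        if isinstance(value, dict):
            return {k: self._restore_value(v) for k, v in value.items()}
        if isinstance(value, list):
            return [self._restore_value(v) for v in value]
        if isinstance(value, str):
            # Unknown tokens are left untouched rather than raising
            return TOKEN_RE.sub(lambda m: self._vault.get(m.group(0), m.group(0)), value)
        return value

    def inbound(self, text):
        """On the way back: re-inserts the originals for tokens we issued."""
        return self._restore_value(json.loads(text))


# Constructed sample: a CRM record with a home address field and an SSN
# embedded in free-text notes.
SAMPLE = {
    "customer": "Example Customer",
    "home_address": "1 Example Street, Example City",
    "notes": "Verified identity against SSN 123-45-6789 on the phone",
    "orders": [{"id": 1001, "total": 42.5}],
}


def demo():
    """Round-trip the sample: (what the provider sees, what we get back)."""
    broker = RedactionBroker()
    wire = broker.outbound(SAMPLE)
    restored = broker.inbound(wire)
    return wire, restored


if __name__ == "__main__":
    wire, restored = demo()
    print("to provider:", wire)
    print("restored   :", json.dumps(restored, sort_keys=True))
```

Swapping the vault for a cipher keyed only by the originating organization gives the encrypt-in-place variant the text also mentions; the detection and re-insertion logic stays the same.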

For CSOs focused on SaaS

Challenge #2: Don’t replicate your organization in the Cloud

Large organizations using Cloud services face a dilemma. If they potentially have thousands of employees using Cloud services, must they create thousands of mirrored users on the Cloud platform? Providing single sign-on between on-premises systems and the Cloud removes this requirement.

Users with multiple passwords are also a potential security threat and a drain on IT Help Desk resources. The risks and costs associated with multiple passwords are particularly relevant for any large organization making its first foray into Cloud Computing and leveraging applications or SaaS. For example, if an organization has 10,000 employees, it is very costly to have the IT department assign new passwords to access Cloud Services for each individual user. For example, when the user forgets their password for the SaaS service, and resets it, they now have an extra password to take care of.

By leveraging single sign-on capabilities an organization can enable a user to access both the user’s desktop and any Cloud Services via a single password. In addition to preventing security issues, there are significant cost savings to this approach. For example, single sign-on users are less likely to lose passwords, reducing the assistance required by IT helpdesks. Single sign-on is also helpful for the provisioning and de-provisioning of passwords. If a new user joins or leaves the organization there is only a single password to activate or deactivate vs. having multiple passwords to deal with. In a nutshell, the danger of not having single sign-on for the Cloud is increased exposure to security risks and the potential for increased IT Help Desk costs, as well as the danger of dangling accounts after users leave the organization, which are open to rogue usage.

For CSOs focused on PaaS

Challenge #3: Keep an Audit Trail

Usage of Cloud Services is on a paid-for basis, which means that the finance department will want to keep a record of how the service is being used. The Cloud Service Providers themselves provide this information, but in the case of a dispute it is important to have an independent audit trail. Audit trails provide valuable information about how an organization’s employees are interacting with specific Cloud services, legitimately or otherwise!

The end-user organization could consider a Cloud Service Broker (CSB) solution as a means to create an independent audit trail of its cloud service consumption. Once armed with his/her own records of cloud service activity the CSO can confidently address any concerns over billing or verify employee activity. A CSB should provide reporting tools to allow organizations to actively monitor how services are being used. There are multiple reasons why an organisation may want a record of Cloud activity, which leads us to discuss the issue of Governance.

For CSOs focused on IaaS

Challenge #4: Governance: Protect yourself from rogue cloud usage and redundant Cloud providers

The classic use case for Governance in Cloud Computing is when an organization wants to prevent rogue employees from misusing a service. For example, the organization may want to ensure that a user working in sales can only access specific leads and does not have access to other restricted areas. Another example is that an organization may wish to control how many virtual machines can be spun up by employees, and, indeed, that those same machines are spun down later when they are no longer needed. So-called “rogue” Cloud usage must also be detected, so that an employee setting up their own accounts for using a Cloud service is detected and brought under an appropriate governance umbrella.

Whilst Cloud Service providers offer varying degrees of cloud service monitoring, an organization should consider implementing its own Cloud service governance framework. This independent control is of particular benefit when an organization is using multiple SaaS providers, e.g. HR services, ERP and CRM systems. However, in such a scenario the CSO and Chief Technology Officer (CTO) also need to be aware that different Cloud Providers have different methods of accessing information. They also have different security models on top of that.

Some use REST, some use SOAP and so on. For security, some use certificates, some use API keys, which we’ll examine in the next section. Some simply use basic HTTP authentication. The problem that needs to be solved is that these cloud service providers all present themselves very differently. So, in order to use multiple Cloud Providers, organizations have to overcome the fact they are all different at a technical level.

Again, that points to the solution provided by a Cloud Broker, which brokers the different connections and essentially smooths over the differences between them. This means organizations can use various services together. Where a service is relatively commoditized, like storage as a service, providers can be used interchangeably. This solves the issue of what to do if a Cloud Provider becomes unreliable or goes down, and means the organization can spread its usage across different providers. In fact, organizations should not have to get into the technical weeds of understanding or mediating between different interfaces. They should be able to move up a level where they are using the Cloud for the benefit of saving money.

For CSOs focused on SaaS, PaaS and IaaS

Challenge #5: Protect your API Keys

Many Cloud services are accessed using simple REST Web Services interfaces. These are commonly called “APIs”, since they are similar in concept to the more heavyweight C++ or Java APIs used by programmers, though they are much easier to leverage from a Web page or from a mobile phone, hence their increasing ubiquity. “API Keys” are used to access these services. These are similar in some ways to passwords. They allow organizations to access the Cloud Provider. For example, if an organization is using a SaaS offering, it will often be provided with an API Key. The protection of these keys is very important.

Consider the example of Google Apps. If an organization wishes to enable single sign-on to their Google Apps (so that their users can access their email without having to log in a second time) then this access is via API Keys. If these keys were to be stolen, then an attacker would have access to the email of every person in that organization.

The casual use and sharing of API keys is an accident waiting to happen. Protection of API Keys can be performed by encrypting them when they are stored on the file system, or by storing them within a Hardware Security Module (HSM).

Conclusion: Homemade or Off-the-shelf?

When implementing a security framework to address these challenges, the CSO is faced with a buy vs. build option. They could engage developers to put together open source components to build Cloud Service Broker-like functionality from scratch. This approach creates the runtime components of a broker, such as routing to a particular Cloud Service Provider. However, other components of the solution, such as reporting and an audit trail, may not be present. An off-the-shelf Cloud Service Broker product will provide these extra features as standard and should also provide support for all the relevant WS-Security standards at a minimum.

As the Cloud Security Alliance notes in its Security Guidance White Paper: “Cloud Computing isn’t necessarily more or less secure than your current environment. As with any new technology, it creates new risks and new opportunities. In some cases moving to the cloud provides an opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements. At other times the risk of moving sensitive data and applications to an emerging infrastructure might exceed your tolerance.” I hope this article provides sufficient data points to guide readers on their journey.


Cloud Control

A survey recently carried out for IBM found that 77 per cent of respondents believe that adopting cloud computing makes protecting privacy more difficult, while 50 per cent are concerned about data breaches or loss.

Indeed, when it comes to security the question now is often framed in terms of: where will my data be, who will be able to access it and how can I be assured of this and know what is really happening?

When speaking of cloud security some talk in terms of the infrastructure, some of applications and some of the smartphones or other devices that people might use to access a cloud. In reality, security in the cloud is about all of these things and more. It is important to think of which model you are buying into and ensure the security is appropriate.

In many ways, the technology has moved from being a back-office function and enabler of cost reduction to a driver of growth and value. There are several models of cloud computing, and security has to be appropriate to the model being used.

A framework for questions

When asking questions about cloud security having a framework helps, as does thinking about what will be needed when moving to the cloud, such as shared infrastructure and applications.

Elements that should be considered for inclusion in this framework are governance, a focus on the protection of data, security policy and audit measures, management of problems, management of vulnerabilities, a focus on the authentication of users and the protection of physical assets and locations.

Taking this kind of proactive approach to security and risk management means staying one step ahead of vulnerabilities and being more secure and resilient.

At the same time, it is clear that a one-size-fits-all approach to security in the cloud will not work. It is about getting the appropriate security in place for the workload (or service) that is being considered.

The fundamental things apply

The fundamentals of security apply. Individuals and businesses still want to know where their information is, who is accessing it and how it is being used so they can manage and protect it.

Working out where and how to apply security is central to delivering it. Cloud security can be delivered either as part of the service or as a component that can be added. Depending on your provider, it may be that a combination of these approaches is necessary.

To ensure security in the cloud organisations have to think strategically. Not all workloads are created equal so careful consideration must be given to each before determining its appropriateness for movement into the cloud.

Organisations must understand the governance and security requirements for each proposed workload and then validate whether these can be met within the cloud environment. It is only through this selective evaluation process that customers can avoid audit exposure and control the proliferation of data that may be subject to a variety of controls and residency requirements.

Roles model

There is also a need to establish clear roles and responsibilities. When adopting public and hybrid cloud solutions the relationship between consumer and provider closely resembles a traditional IT outsourcing arrangement. Therefore it is critical that each party has a clear understanding of their security obligations. For example, the responsibility for securing a software as a service offering is largely that of the provider because the solution is consumed as a packaged static application. At the other end of the spectrum, infrastructure as a service exposes users to a greater responsibility for securing individual virtual machines.

Call for backup

It is also essential to have a backup plan. Most public and private cloud solutions trade direct control for cost savings and efficiencies derived from the economies of scale. Transferring control of specific IT functions to another party does not obviate responsibility for the availability of key workloads.

Organisations must consider a provider’s disaster recovery and restoration plans in the context of their needs, keeping in mind requirements regarding service availability, data backup, data residency and so on.

Reputable cloud providers should offer a variety of service level agreements (SLAs) that include metrics such as availability, outage notification, service restoration, average time to resolve and notification of breaches. Providers should report on SLA compliance and deliver agreed remedies.

All too often organisations spend time and money developing security strategies that employ the latest – and most expensive – technical controls while turning a blind eye to the basics of risk assessment, policy development and the continuous validation of established and required controls.

Author: Nick Coleman

Cloud-Ready Networks for Oil & Gas Companies

Rather than working with applications installed on servers at various office and site locations, the new cloud computing model promises to allow oil and gas companies to centralize increasing numbers of applications within the cloud, drawing on them as required and even paying for them as they are used.

This new model is set to reduce costs drastically and improve the flexibility of moving to new software models. Today, CIOs want to benefit from these cost and efficiency benefits, but they want to do so with confidence. CIOs want to adopt cloud computing, but as with any change, the transition isn’t a simple one. In order to be able to guarantee the performance of applications delivered from increasingly remote locations, the corporate network takes center stage.

CIOs at oil and gas companies have operations in multiple countries and a large number of sites – they must be sure that each time a user attempts to use SAP or Oracle software located within the cloud, the network can support the request in the most intelligent way.

Network challenges posed by the cloud

Cloud computing is an amorphous term with varying definitions, but central to each is on-demand computing, where applications and infrastructure are delivered to users as a service, via the network. Applications like SAP, Oracle, Unified Communications, VoIP and telepresence all have varying performance requirements and must be treated appropriately by the Wide Area Network (WAN). Cloud computing is simplifying information technology through centralization, but this very centralization adds complexity to network management. Regardless of what speed companies are moving at, they all have to cope with a combination of private and public IT environments. What remains constant is the application performance level that users expect. That’s why CIOs require the performance of each application to be guaranteed, not at the network level but at the individual user level.

Oil and gas companies need to understand what applications are running on their network and guarantee delivery of critical, time-sensitive applications like Citrix, VoIP and centralized applications. They can also cut costs by avoiding bandwidth upgrades, which can prove to be very costly especially in places like Africa where the infrastructure is not widely in place.

Moving to cloud-ready networks

Today’s WANs are not cloud-ready, and the days when applications could easily be sorted into a ‘business critical’ or ‘recreational’ bracket are over. Facebook, YouTube and many other social media applications are now business tools for an increasing portion of the workforce. As the share of Internet traffic continues to grow within enterprise WANs, hybrid networks are a natural and cost-effective path.

SaaS applications start to offer extremely compelling alternatives to mature enterprise applications such as collaboration or CRM. Efficiency and flexibility improvements can be achieved simply by adopting underlying cloud technologies, such as virtualization, into private data centers. Once this first step is mastered, oil and gas companies can further embrace the cloud by migrating IT resources, including computing power and storage, to public cloud IaaS services.

With cloud computing, situations are too complex and change too fast for legacy, static policy-based management. To exploit the value of private and public clouds without risk, while fully leveraging existing investments at the same time, VPNs must evolve into cloud-ready networks that:

  • Understand, control and optimize all application flows
  • Encompass all users, wherever they are located
  • Handle a complex and dynamic traffic mix
  • Support all application delivery models; public, private and hybrid
  • Match oil and gas company requirements for growth, agility and flexibility

A cloud-ready network means oil and gas companies can embrace XaaS (SaaS, IaaS or PaaS) without putting overall business application performance at risk. A cloud-ready network is one that inherits the cost effectiveness of the cloud. It’s a network that will support any IT initiative, public, private or both, today and tomorrow.

If oil and gas companies are set to join the cloud computing revolution, then there must be recognition that old legacy multi-site WANs become an increasingly strategic asset which must be governed and able to support the highly complex demands of cloud IT systems.

WAN Governance

As oil and gas companies realize the need for cloud-ready networks, WAN Governance becomes critical. Cloud computing is possibly the most exciting opportunity in enterprise computing today as it allows for drastic cost reduction and an increase in the flexibility of deploying new IT systems. If you’re an IT department with a cloud-based strategy it’s important to ask the question: how are we going to guarantee application performance? We recommend that all businesses make WAN Governance a standard approach to ensure that everyone, including end-users, experiences the benefits of cloud computing without the challenges.


SaaS to Cloud Computing: Four Key Questions

Software as a service (SaaS) is the oldest and most mature of all the cloud computing options and its adoption is continuing apace – in some areas of the business at least.

According to analyst firm Gartner, the global SaaS sector grew by 14.1 per cent last year to $8.5bn. This higher than average growth rate in an otherwise difficult market meant penetration levels rose to a total of 10 per cent across all enterprise application sectors, with the figure expected to increase to 16 per cent by 2014.

In fact, Ray Wang, chief executive and principal analyst of the Constellation Research Group, indicated that as many as 56 per cent of new purchases in 2010 were SaaS rather than on-premise, although the figure dropped to more like 36 per cent in licence value terms.

This discrepancy was because uptake was highest for low-cost commodity services such as email, and personal and business productivity tools such as Google Docs. CRM packages particularly for salesforce automation and marketing were also popular.

But Derek Kay, director of cloud services at Deloitte, pointed out that in many application areas, SaaS delivery models are simply not available as an option. “There’s still a fairly limited choice of applications that are truly sold and delivered as a service,” he said.

“In some areas, such as CRM, it’s pretty good. But there aren’t many ERP systems that will scale, which is an important factor, and once you look at industry verticals, you’ve got a very difficult menu choice.”

Nonetheless, awareness of the potential benefits of SaaS among C-level executives continues to mount as the industry’s marketing machine cranks up beyond its more traditional IT audience. This awareness means questions are starting to be raised about promised cost savings, ease of implementation and the ability to wind capacity up and down in line with business needs.

But rather than cave in to executive pressure and rush into cloud computing where angels fear to tread, it is essential that IT directors plan carefully for any change, just as they would for more traditional software implementations. As a result, silicon.com has come up with four key questions that IT leaders should ask themselves before jumping in feet first.

Question 1. How can I manage the expectations of the business?

Before doing anything else, heads of IT have to establish a robust business case for adopting a SaaS delivery model, whether in terms of cutting costs or being able to provide new or improved services.

The idea is to understand where the model might fit comfortably into the organisation’s commercial and technical strategy, and to evaluate what value it could bring to the business without opening it up to undue risk.

Deloitte’s Kay said: “Managing the expectations of the business is important, even if you’re saying, ‘Yes, it’s the right thing to do, but not yet’, perhaps because you’ve just signed a five-year deal and it would be too expensive to get out of it. The problem is that if you don’t control adoption, down the line you can end up with unpredictable costs if people move to SaaS by the back door and unpleasant surprises if data gets out.”

But one means of entering into a mature dialogue with the business about such issues is to undertake a three-month pilot project. Such a trial might comprise a small number of users in an area of the organisation that has expressed an interest and which might be inclined to go it alone, thereby bypassing IT department controls completely.

If successful initially, the trial could be broadened to encompass larger numbers of people, before evaluating the findings. At this point, the facts can be laid before the executive management team for a decision on whether to proceed.

Question 2. How do I ensure the business is not exposed to undue risk?

Because the stewardship of corporate information rests with IT leaders, they have to ensure it is protected using a suitable mixture of controls, governance and assurance, whether in relation to inhouse systems or SaaS delivery models.

As a result, it is important to undertake an upfront risk assessment and to devise a risk-management strategy to cope with any potential problems.

For example, an obvious risk in a SaaS context is that a third-party supplier could go bust, resulting in lost or inaccessible corporate data. So it’s crucial to undertake due diligence on the supplier, focusing on its credibility and financial health.

If a provider does disappear, it is vital to have a plan B, which includes data recovery, and also to understand how much it would cost to implement. At the very least, the organisation’s disaster-recovery plans must be revised so it is clear what action should be taken if a SaaS vendor’s datacentre goes down, the network collapses or it cannot deliver promised levels of scalability and performance.

In this context, questions should also be asked upfront about resilience, average downtime, both planned and unplanned, and whether the mainly vanilla service-level agreements provided by suppliers are suitable.

Ian Jacobs, senior analyst of customer interaction at Ovum, said: “IT directors need to ask themselves how much availability they really need. Once they understand their own availability requirements, they can then make a judgement on average downtime and SLAs and whether they’re a good fit or not.”

But another means of mitigating risk is to request the ability to audit data and security processes. Although many vendors will indicate that they comply with the US-based SAS 70 auditing standard, for some European organisations this compliance will simply not be enough and they will need to send in their own people.

Question 3. What about hidden costs?

Although actually implementing a SaaS-based system may be quicker than deploying on-premise applications, the same planning and project disciplines apply. This fact means it is important to set aside budget to revamp business processes, particularly if it is not possible to customise the SaaS system in question to any great extent.

Although all too many organisations simply introduce SaaS technology without considering such matters, a good starting point is to “begin with the end in mind”, according to Constellation’s Wang.

This approach entails being clear about what value the system will bring to the business and using such information to “figure out what dashboards people will need and the information they’ll want to get out of them”.

The next step is to “work out the business processes that get you to that data and what departments touch that business process so you discover where you can make efficiencies. You can then start configuring the system”, Wang said.

But a further five to 10 per cent of the total licence cost should also be put by to undertake integration with core systems. Although third-party libraries from vendors such as Dell’s Boomi, Informatica and SnapLogic are now available, such software and any implementation work will still need to be paid for.

The same applies for all of the usual change-management and user-training activity, which also does not go away.

An additional consideration is that helpdesk staff may also require education and training if the IT organisation is still providing front-line support. Supplier-management skills could well be required for the first time along with guidance on how to deal with problem escalation when dealing with various third parties that do not necessarily work in tandem.

Question 4. What key licensing and upgrade considerations do I have to bear in mind?

Although one of the much touted benefits of SaaS is the ability to scale capacity up and down on a pay-as-you-go basis in line with business requirements, in reality many vendors do not have suitable licensing models to allow this scalability to happen, even though such activity may be technically feasible.

IT directors therefore need to ask themselves how much variation in demand their organisation actually experiences based on change requests and requests for new licences. But they should also ask potential SaaS providers what flexibility is built into their licensing agreements, whether they operate on a year-to-year, bi-annual or month-to-month basis and whether there is the option of adding or taking away seats during that period.

Another consideration is simply controlling the flow of new functions that are provided via upgrades. The issue here is that not all new features will be of use but may still require helpdesk support, which can lead to additional requirements for staff – and end-user – training. Large updates may also have knock-on effects on systems and processes elsewhere and could even necessitate change-management activity.

Ovum’s Jacobs said: “One of the highly touted benefits of SaaS is that it allows enterprises to get the latest and greatest technology in a seamless way, but it can also generate its own problems. IT directors have to figure out how much control a provider gives them over which features they turn on and off and how much of a time window they have to do so. It’s about seeing how much you can limit the flow of functions.”

Even if IT directors are given the flexibility to decide for themselves whether to switch new functionality on or off, they will still need to introduce suitable governance structures to ensure that the process works smoothly.

Virtualization 2.0: A Foundation for Successful Cloud Computing

Virtualization – not quite the nirvana it was promised to be. We expected exponentially better efficiency, higher availability and huge savings for IT budgets. However, now that the honeymoon is over, most organizations feel slighted. Not only have the promised benefits never been realized, but IT organizations also have been saddled with ever-increasing user demand and out-of-control costs – not to mention virtual sprawl, vendor lock-in and high provisioning effort.

With all of these issues, enterprises are looking to solve the problems of “Virtualization 1.0.” Last year, a Gartner study showed that CIOs were looking to cloud computing in more strategic ways, in the hope that the cloud will improve IT operations.

So cloud computing will fix all this, won’t it?

Actually, cloud computing will just compound the problems of virtualization unless we adopt a new management model because the problems of Virtualization 1.0 largely stem from a single undeniable fact: The average human brain cannot keep up with the complexity of a virtualized environment.

In every virtualized IT organization, there is a smart guy, or group of guys, spending a significant portion of their time provisioning virtual machines (VMs). While provisioning a VM is conceptually simple, there is a vital decision to be made: On which physical machine should the VM run? The importance of this simple question cannot be overstated, and it can be a really complex task to determine the right answer.

Let’s start with the easy stuff: Which physical machines have the capacity to run the workload? Which are running the right hypervisor? Now, here are the harder questions: On which physical machine would the workload most efficiently fit (perhaps you have 1,000 of them)? Which machines have been reserved for a particular task (perhaps because of their high cost or particular configuration)? Are there any special security or governance requirements that limit where this VM can be geographically placed? And now for the killer: Is there anything already running on the physical machine that would cause a compliance issue if we place the new VM there?

You are getting the idea, but we are not done yet. Remember, this needs to be done every time you provision a new VM. But since VMs come and go, you really need to do it every time you restart a VM.

Even if your guys are all Einstein, this is going to be practically impossible. And even if you could do it exactly right, every time, there’s another problem: High-end Virtualization 1.0 solutions include features like high availability and resource scheduling that move VMs automatically – and break everything you just worked out.

Far from fixing it, cloud computing just makes this problem exponentially worse. More machines, more locations and more people provisioning machines equals more complexity. Far from being the enabler of the cloud, virtualization becomes the inhibitor.

How do we solve the problems of Virtualization 1.0?

Virtualization strategy needs to evolve past relying on humans to make each deployment and management decision ad hoc. Enterprises need automated, business-policy-driven provisioning and management. Virtualization 2.0 is that evolution and is built upon three key foundations: separation, delegation and allocation.

Separate the physical and the virtual, separate the application team from the IT infrastructure organization. IT contributes compute, network and storage resources to a resource cloud, and virtual enterprises (a logical unit of users) consume resources from it. Virtual enterprises never access the physical layer and they neither know nor care from where their resources come. IT maintains control of the physical infrastructure and can give multi-tenancy control to various aspects of the virtual infrastructure to authorized users.

Delegate self-service provisioning to virtual enterprises safely, because that separation keeps them off the physical layer. Virtual enterprise users access image libraries to spin up pre-configured corporate images that maintain company standards. IT no longer needs to spend days or weeks provisioning according to user demand.

Allocate resources to self-service virtual enterprises according to business policies. When a new VM is created (or restarted), the policies determine how that VM is deployed. For example, the CIO sets a policy for the compliance rules his enterprise must follow; that enterprise’s VMs would be automatically deployed based on that policy. Or let’s say the CIO wants only the most expensive hardware used for certain applications – IT sets a policy to make sure the VMs are automatically deployed accordingly. The same could apply for a green policy or even performance. Policies ensure that VMs are deployed automatically according to security, compliance, efficiency, cost and performance rules.
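The placement questions listed earlier (capacity, hypervisor, reserved hardware, geography, and whether anything already on the host would create a compliance issue) and the policy-driven "allocate" step described above can be written down as a small placement engine. The following is an added example, not the article's own tooling or any vendor's product: the Host and VM models, the five rules, the inventory and the requests are constructed assumptions. It evaluates every request against each policy, refuses a VM outright when no host passes all of them, and otherwise picks the best-fitting eligible host. Because it is a function of the current inventory, the same call is made on first deployment and on every restart, which is the point the article makes about needing to redo the decision each time a VM comes back.

```python
"""Policy-driven VM placement, added as an example; it is not the article's
own tooling. The Host and VM models, the five rules and the inventory are all
constructed assumptions. It shows the "allocate" step as code: each request,
on first deploy and on every restart, is checked against business policy,
and a host is chosen by best fit only from those that pass every rule."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class VM:
    name: str
    tenant: str                       # the "virtual enterprise" that owns it
    cpu: int
    mem_gb: int
    hypervisor: str
    classification: str = "general"   # e.g. "general", "pci", "phi"
    regions: frozenset = frozenset()  # allowed regions; empty means anywhere
    needs_tier: str = "standard"      # "standard" or "premium" hardware


@dataclass
class Host:
    name: str
    region: str
    hypervisor: str
    cpu: int
    mem_gb: int
    tier: str = "standard"
    running: list = field(default_factory=list)   # VMs currently placed here

    def free_cpu(self) -> int:
        return self.cpu - sum(v.cpu for v in self.running)

    def free_mem(self) -> int:
        return self.mem_gb - sum(v.mem_gb for v in self.running)


# One predicate per question the article lists; True means the host is acceptable.
def capacity(vm, host):
    return host.free_cpu() >= vm.cpu and host.free_mem() >= vm.mem_gb

def hypervisor_match(vm, host):
    return host.hypervisor == vm.hypervisor

def geography(vm, host):
    return not vm.regions or host.region in vm.regions

def reserved_hardware(vm, host):
    # Premium hosts are reserved for workloads that explicitly ask for them.
    return host.tier == "standard" or vm.needs_tier == "premium"

def compliance_cotenancy(vm, host):
    # The "killer" question: would anything already on the host cause a
    # compliance issue? Regulated workloads only share a host with the same
    # classification and tenant; general ones never land beside regulated ones.
    if vm.classification == "general":
        return all(v.classification == "general" for v in host.running)
    return all(v.classification == vm.classification and v.tenant == vm.tenant
               for v in host.running)

POLICIES: list[tuple[str, Callable[[VM, Host], bool]]] = [
    ("capacity", capacity), ("hypervisor", hypervisor_match),
    ("geography", geography), ("reserved-hardware", reserved_hardware),
    ("compliance-cotenancy", compliance_cotenancy),
]


def place(vm: VM, hosts: list[Host]) -> tuple[Optional[Host], dict[str, list[str]]]:
    """Return the chosen host (or None) and the rules that rejected each other host."""
    rejected, candidates = {}, []
    for host in hosts:
        failed = [name for name, rule in POLICIES if not rule(vm, host)]
        if failed:
            rejected[host.name] = failed
        else:
            candidates.append(host)
    if not candidates:
        return None, rejected
    # Best fit: least capacity left over, so big holes stay free for big VMs.
    best = min(candidates, key=lambda h: (h.free_cpu() - vm.cpu, h.free_mem() - vm.mem_gb))
    best.running.append(vm)
    return best, rejected


def sample_inventory() -> list[Host]:
    return [Host("eu-1", "eu", "kvm", cpu=16, mem_gb=64),
            Host("eu-2", "eu", "kvm", cpu=8, mem_gb=32),
            Host("us-1", "us", "kvm", cpu=32, mem_gb=128),
            Host("us-prem", "us", "esxi", cpu=32, mem_gb=256, tier="premium")]


def demo() -> dict[str, Optional[str]]:
    """Place a constructed batch of requests; returns VM name -> host or None."""
    hosts = sample_inventory()
    requests = [
        VM("web-1", "sales", 4, 8, "kvm"),
        VM("card-db", "finance", 4, 16, "kvm", classification="pci", regions=frozenset({"eu"})),
        VM("batch", "sales", 2, 4, "kvm", regions=frozenset({"eu"})),
        VM("trading", "finance", 8, 64, "esxi", needs_tier="premium"),
        VM("archive", "sales", 4, 8, "xen"),
    ]
    result = {}
    for vm in requests:
        host, _ = place(vm, hosts)
        result[vm.name] = host.name if host else None
    return result
```

In the constructed run, the PCI database is forced to its own host because the best-fit host already carries a general workload, the next general request is then kept off the PCI host for the same reason, the premium-only host is unavailable to anything that did not ask for it, and the request for a hypervisor nobody runs is refused rather than placed somewhere "close enough". The rejection map is what an operator would want logged: not just that a VM was refused, but which policy refused it on which host.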

How do we really benefit?

IT responsiveness skyrockets because the time that was previously devoted to provisioning can be used elsewhere. Value-add activities like capacity planning are now possible. Increased agility due to on-demand deployment enables development teams to test what-if scenarios. Utilization greatly improves and server efficiency can be optimized. Security and compliance concerns are mitigated because the system cannot deploy anything unless it adheres to policy. Virtual sprawl is minimized because virtual enterprises manage their VMs under resource limits – encouraging them to take down defunct machines to free up unused resources when they approach their limits. Users are empowered to control their own VMs, IT has better control over resources, and the CIO can control costs and budgets with business policies.

How do we actually implement this?

This kind of business-policy-driven automation is only possible with the right management tool, one that integrates with your existing management tools and is fully customizable to your needs. It should enable you to avoid vendor lock-in, which prevents your business from being as competitive as possible. Gartner Group reports that by 2012, 49 percent of enterprises expect to have a heterogeneous virtual environment. Enterprises will want to use the free hypervisors for non-critical applications but still be able to use the expensive hypervisors when necessary.

IT departments must be empowered with enterprise-class cloud management software built on open standards and the three fundamentals to manage their entire, globally deployed infrastructure in order to fully realize the benefits of cloud computing. Without the Virtualization 2.0 trifecta of separation, delegation and allocation, any cloud solution will suffer from the same problems of Virtualization 1.0. However, with the new model, the load placed on IT staff can be reduced and savings can be realized through dynamic provisioning based on policy and minimal management efforts.

Without the capabilities and policies of Virtualization 2.0 in place, CIOs may find their heads stuck where their data is not – in the clouds.

In the Cloud, Governance Trumps Ownership

In more than a decade of talking about cloud computing, I have found the principle of ownership has been a recurring theme. People feel comfortable owning their computing. They know where they stand. Since cloud computing means giving up ownership, it makes people uncomfortable, uncertain of their ground.

But while there’s comfort in ownership, it’s not of itself a guarantee of security or certainty. People often talk of the risks of trusting computing that lies “outside the firewall,” as if cloud computing providers don’t use firewalls. Of course they do, and in many cases, their firewalls are more robust and better policed than the average enterprise firewall. What the phrase really means is, “outside my firewall.” There’s an implicit assumption that it must be better, simply because it’s mine.

Even if I concede that it might not be the most secure device imaginable, at least I know I can trust it. It’s sitting on my own premises, configured and managed by my own staff, and up-to-date with my organization’s current security and access policies.

Or is it?

We use the term ‘on-premise’ to describe computing that’s within the domain of an organization. But it doesn’t always mean what it appears to mean. Many acres of so-called on-premise computing assets are actually deployed elsewhere, at co-location centers and facilities management sites. The organization trusts the operators of those third-party premises to control access and security.

In larger organizations, it’s not even safe to assume that staff working on your own site are direct employees. With many IT consultants and other administration staff either outsourced or brought in as contractors, the assumption that on-premise assets are configured and maintained by the organization’s own direct employees ignores the facts on the ground.

At least the organization still sets its own processes and policies. With proper procedures in place for ensuring everyone knows the rules and puts them into practice, you can be confident that the IT infrastructure is operating as it should and that any risks and threats are correctly managed.

And how do you do that?

The real reason we like ownership is that, whenever we need to, we know we can just walk in and make a hands-on assessment of the situation on the ground. If we’re honest with ourselves, that sense of direct, actionable accountability is probably covering a multitude of sins. We know there are times when our own people or our contractors, whether through lack of training, process flaws or sheer carelessness, get things wrong. We probably tolerate errors within our own organization that we would never accept from a third-party provider because we know we have the power to put things right to our own satisfaction if we ever need to.

Yet in a modern IT infrastructure, there are other ways of controlling proper policy and process. The technology allows us to instrument, verify and audit whether procedures are being followed correctly. Accountability, governance, compliance and problem resolution are no longer dependent on physical access. It can all be done electronically in real-time.

Using a third-party cloud computing provider can therefore be just as trustworthy and certain as relying on in-house resources, provided the instrumentation and governance of policy and process is as good. In practice, this is one area where public cloud providers did not begin well. Some providers espoused an arrogant mirror-image of the “it’s my firewall” mindset: “We don’t publish an SLA, you can trust us because we’re a big, friendly online brand.”

Fortunately, those attitudes are now being challenged. For customers willing to pay the extra cost, the current generation of cloud providers offers better transparency into processes, a more granular choice of policy settings and enterprise-grade instrumentation and reporting. Because investments are pooled across the entire customer base, a cloud provider can operate the technology at a larger scale and sophistication than most of their customers would wish or need to do individually.

There’s still some work to do to establish the process and policy stipulations it’s reasonable to demand from third-party providers. Enterprises must focus on specifying the results they want, rather than attempting to constrain the provider’s underlying technology and operational choices in unnecessary detail. But in principle, a proper governance infrastructure is capable of delivering more control from a third-party provider than most enterprises realistically have over what happens today within their own on-premise IT.

Ownership is not the critical factor here. What matters is having the right mechanism in place for proper accountability and governance.

SaaS Won’t Succeed With Some Apps

Given all the hype about the software-as-a-service model, you’d think that it could be applied to every category of software. Not so, says a new report from Forrester Research Inc.

In fact, SaaS will be “a disruptive force” in software categories that account for about a quarter of global software spending but will have “little or no effect” on many of 123 market segments studied, Forrester analysts Liz Herbert and Andrew Bartels wrote.

Forrester said that SaaS faces major obstacles in four broad software sectors:

• Lower-level elements of the stack, such as operating systems and databases.

• Software for internal IT management and data management.

• Entrenched process applications.

• Vertical applications, such as securities transaction processing systems.

Such systems account for 40% of all software spending, and Forrester’s report said they are likely to stay mostly in-house for “pretty obvious” reasons: security concerns, existing infrastructure investments, and the need to tightly integrate with other applications.

But SaaS is making inroads in mature application areas such as supply chain management, particularly among users who haven’t already purchased the same functionality in an on-premises product, according to the report.

Meanwhile, SaaS is starting to shake things up in areas like customer relationship management and human resources, where hosted offerings are replacing on-premises systems. SaaS is also moving into application development and the niche of governance, risk and compliance software, the analysts said.

The Forrester report said that SaaS is now the dominant model for software sales and delivery in areas such as e-purchasing, expense reporting tools, blogging and wikis.

Still, categories where SaaS has taken hold of at least 50% of revenue amount to only 3% of the total software market, Forrester said.

Evaluating Cloud Computing Services

Selecting a cloud computing provider is becoming increasingly complex. As cloud environments mature, many cloud providers attempt to differentiate themselves by focusing on specific aspects of their offerings, such as technology stacks or service-level agreements (SLAs). In short, not all cloud providers are created equal.

At the same time, enterprises are beginning to rely on cloud providers for hosting mission-critical applications, which raises the stakes for selecting the right cloud service. So how do organizations navigate this multifarious landscape? Below you’ll find a few key factors for evaluating services as well as some resources to use.

Performance

One of the main concerns for enterprises that are considering cloud computing is performance. Achieving high-speed delivery of applications in the cloud is a multifaceted challenge that requires a holistic approach and an end-to-end view of the application request-response path.

Performance issues include the geographical proximity of the application and data to the end user, network performance both within the cloud and in-and-out of the cloud and I/O access speed between the compute layer and the multiple tiers of data stores. A number of services and research reports such as CloudSleuth and CloudHarmony have recently attempted to measure the performance of cloud providers from various locations and with different application use cases.

Technology stack

Several cloud providers have focused their services on a particular software stack. This typically moves them from being Infrastructure as a Service (IaaS) providers to the realm of Platform as a Service (PaaS). As one would expect, the different stack-specific clouds align with the most popular software stacks out there.
Examples include Heroku and Engine Yard for Ruby on Rails; VMforce and Google App Engine (GAE) for Java/Spring (GAE also supports Python), PHP Fog for PHP and Microsoft’s Windows Azure for .NET.

If your application is built using one of these stacks, you may want to consider these cloud platforms. They can offer tremendous savings in terms of time and expense by shielding you from having to deal with lower level infrastructure setup and configuration. The flip side is that they often require developers to follow certain best practices in architecting and writing their apps, which creates a higher degree of vendor lock-in.

Service-level agreements and reliability

Some cloud providers offer guarantees for higher levels of service as a way to separate themselves from the pack. In Rackspace: The Avis of Cloud Computing, I describe how Rackspace has higher levels of cloud service SLAs to compete with Amazon, the 800-pound gorilla of cloud computing.

Note that SLAs are often merely an indication of the consequences when the service fails and not of the service’s actual reliability. A great example of this is GoGrid’s 10,000% Guaranteed SLA. The headline figure is the size of the credit, not the uptime target: GoGrid commits to 100% uptime and, should it fall short, compensates the customer with 100 times (10,000% of) the fee paid for the period of downtime.

Although the SLA is a good indicator of any provider’s level of commitment, knowing the real uptime levels of a particular cloud provider is a trickier proposition. Most vendors have a status page that acts as a dashboard for the health of their services, but these generally show only the last few days. To get actual long-term numbers for reliability and availability, it’s better to rely on customer testimonials and comparison services such as CloudSleuth and CloudHarmony.
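The distinction drawn in the two paragraphs above (what the SLA pays out versus what the service actually delivered) is easiest to see with numbers from your own monitor. The following is an added example, not from the article or from any provider's tooling: the probe log, the fee, the 100x credit multiplier and the 30-day billing period are constructed assumptions. It turns a sequence of up/down probe results into outage windows, computes measured availability over the observed window, shows how much downtime a given uptime target actually permits per period, and computes the credit a "pay N times the fee for the downtime" clause would owe.

```python
"""Measured availability versus SLA credit: an added example, not the
article's own. The probe log, fee and SLA terms are constructed."""
from datetime import datetime, timedelta

# Constructed probe log (assumption: one line per check, ISO time then status).
# Checks every five minutes over one hour; two outages of 10 and 5 minutes.
PROBE_LOG = """\
2010-09-01T00:00:00 up
2010-09-01T00:05:00 up
2010-09-01T00:10:00 down
2010-09-01T00:15:00 down
2010-09-01T00:20:00 up
2010-09-01T00:25:00 up
2010-09-01T00:30:00 up
2010-09-01T00:35:00 up
2010-09-01T00:40:00 up
2010-09-01T00:45:00 down
2010-09-01T00:50:00 up
2010-09-01T00:55:00 up
2010-09-01T01:00:00 up
"""


def parse_probes(text: str) -> list[tuple[datetime, bool]]:
    """Parse 'timestamp status' lines into (time, is_up) pairs, sorted by time."""
    probes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, status = line.split()
        probes.append((datetime.fromisoformat(ts), status.lower() == "up"))
    return sorted(probes)


def outage_intervals(probes: list[tuple[datetime, bool]]) -> list[tuple[datetime, datetime]]:
    """Merge runs of 'down' samples into (start, end) windows. A down sample is
    charged from its own timestamp until the next sample; the last sample has
    no duration because nothing after it was observed."""
    outages, start = [], None
    for i in range(len(probes) - 1):
        ts, up = probes[i]
        if not up and start is None:
            start = ts
        elif up and start is not None:
            outages.append((start, ts))
            start = None
    if start is not None:                       # still down at the last observation
        outages.append((start, probes[-1][0]))
    return outages


def downtime(probes: list[tuple[datetime, bool]]) -> timedelta:
    return sum((end - start for start, end in outage_intervals(probes)), timedelta())


def availability(probes: list[tuple[datetime, bool]]) -> float:
    """Fraction of the observed window during which the service was up."""
    window = probes[-1][0] - probes[0][0]
    return 1 - downtime(probes) / window


def allowed_downtime(target: float, period: timedelta = timedelta(days=30)) -> timedelta:
    """How much downtime an uptime target (e.g. 0.999) permits per period."""
    return period * (1 - target)


def sla_credit(probes, fee_per_period: float, multiplier: float,
               period: timedelta = timedelta(days=30)) -> float:
    """Credit owed under a 'pay N times the fee for the downtime' clause."""
    return multiplier * fee_per_period * (downtime(probes) / period)


if __name__ == "__main__":
    p = parse_probes(PROBE_LOG)
    print("outages:", [(a.time(), b.time()) for a, b in outage_intervals(p)])
    print(f"measured availability: {availability(p):.2%}")
    print("99.9% allows per 30 days:", allowed_downtime(0.999))
    print(f"credit at 100x on a $3000/month fee: ${sla_credit(p, 3000, 100):.2f}")
```

Two things fall out of the arithmetic. First, a 100x credit on 15 minutes of a month sounds dramatic but amounts to about a hundred dollars on a three-thousand-dollar bill, which is what the article means by the SLA describing consequences rather than reliability. Second, the measured figure depends on the probe interval: a five-minute cadence cannot see a two-minute blip, so any long-term number from a status page or comparison service should be read together with how often, and from where, it was measured.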

APIs: Lock-in, community and ecosystem

Another critical aspect of selecting a cloud provider is the application programming interface (API) it exposes for accessing the infrastructure and performing operations such as provisioning and de-provisioning servers. The API is important in a number of ways.

First, an API that is supported by multiple providers and vendors reduces lock-in because migration from one provider to another — or simultaneously working with multiple providers — requires less change to the application and is, therefore, easier.

Second, an API that is widely supported by a community of developers and vendors has an entire ecosystem around it of complementary services and capabilities. The APIs offered by Amazon Web Services (AWS) and the various VMware cloud offerings have large ecosystems built around them, which includes tools for governance (such as enStratus), monitoring and management (such as Cloudkick and RightScale) and a slew of other services that complete their cloud service.

VMware itself does not have a cloud service, but various providers use the VMware stack and APIs — specifically vCloud — such as Terremark and Savvis.

Both Amazon and VMware — and perhaps Windows Azure as well — allow customers to implement in-house clouds using their stack and APIs, thus enabling an easy way to manage and run applications on what some call a hybrid cloud. A hybrid cloud is a cloud that is both hosted by a provider and runs in the company’s on-premise data center. In the case of Amazon, this can be done through Eucalyptus, a startup that provides a software stack for implementing private clouds using the AWS APIs.

A recent development in the space is worth mentioning. Rackspace, jointly with NASA and supported by many vendors and cloud providers, has open sourced its software stack in a project called OpenStack. Along with being the closest to what might be considered an industry standard, this move creates a viable alternative to the Amazon and VMware ecosystems.

Security and compliance

Two of the biggest barriers for companies considering cloud computing continue to be security and compliance. In a recent Zenoss Inc. survey conducted during the second quarter of 2010, nearly 40% of respondents listed security when asked about their biggest concerns about cloud computing. The second most common answer was management, which received only 26.5% of the responses. The Zenoss survey is consistent with a number of other surveys related to cloud computing.

The real concern for enterprises is not so much security threats as their inability to demonstrate compliance with security-related standards such as PCI DSS. In response, many cloud providers are now touting their security and compliance chops with SAS 70 Type II audits, security white papers and other measures. Note that a SAS 70 Type II report attests that the controls the provider chose to describe operated as described over the audit period; it does not by itself show that those controls cover the customer’s own compliance scope, so the control objectives still have to be read against that scope.

Banking on the opportunity, cloud provider Logicworks has dubbed its offering the Compliant Cloud and has recently announced PCI DSS Level 1 validation of its cloud.

Cost

A straightforward way to compare cloud providers would appear to be cost, but it turns out to be anything but. The problem is that there is no consistency among providers in regards to the resources customers actually receive and pay for. Providers offer virtual machines (VMs) that vary widely in memory capacity, CPU clock speed and other features. Furthermore, the compute units on offer are themselves virtual and may be shared with other tenants, creating even further confusion as to what the customer is actually getting and how it might be affected by other customers on the same cloud.

Amazon has EC2 Compute Units, Heroku offers Dynos and other vendors have created their own measurement units. The only truly reliable way to measure the cost-performance of different cloud providers at this point is to conduct an experiment with the same application or prototype on multiple providers and compare the results.

Conclusion

Choosing the best cloud provider for an application is a multidimensional problem. As the number of cloud providers increases, and as many of them focus on specialized needs and use cases, more choices require more focused examinations. Fortunately, services are emerging that help compare cloud services so that customers can tell which provider is best suited for which application.

Cloud Governance is About More Than Security

Cloud computing needs governance. Which is to say that cloud computing needs processes, policies, and procedures. In a way, this is no different from IT more broadly. But virtualization, dynamically moving workloads, and an increased reliance on third parties for many types of IT functions mean that well thought-out and documented processes, policies, and procedures tend to be more important in cloud computing than with a more static and manual environment.

This has been driven home to me in the course of speaking at lots of cloud-related events over the past few months and appearing on panels such as the one at HMG Strategy’s CIO Summit of America in New York last week.

Governance for cloud computing is a big topic that I’ll be exploring in stages over the next few months. I’m going to get started today with two basic points.

Security procedures and technology are part of governance, but governance is a broader concept.

Legal and regulatory procedures, transparency, service levels, indemnification, notification, and portability are all part of this bigger picture, especially as the discussion widens to include public cloud infrastructure providers and software-as-a-service vendors. It’s all about mitigating risk associated with suppliers (whether supplying software for on-premise IT or supplying infrastructure in a public cloud).

Consistency and portability are two of the most important pillars supporting well-governed cloud architectures whether on-premise, public, or a hybrid architecture. These concepts are closely related but they’re not the same thing.

Consistency refers to having a consistent runtime environment (such as an operating system or middleware) in different clouds, private and public. The same application should be able to run in both places. For starters, this means that you can take a given Linux, Java, PHP, or whatever application and the target environment(s) will have the supporting software and hardware infrastructure that allows that application to run in the same way in all these places. The bottom line is that the user of that application should not be able to tell where it is running. (Of course, the IT operations people need to know where workloads are running as well as specifying upfront where different workloads are allowed to run.)

One of the ways that consistency breaks down is that public clouds encourage ad hoc development that doesn’t necessarily comply with an organization’s standards for applications run on-premise. This may be fine for prototyping or other work that is throwaway by design. However, it’s far too easy for prototypes to evolve into something more–as often happened in the case of early visual programming languages–and the result is applications that either have to be rewritten or that may have support, reliability, or scalability issues down the road. Just because developers find that a given public cloud environment offers the cheapest and easiest path to write and test an application doesn’t mean total application life cycle costs will be lower. Public cloud-based development will happen though, so the best strategy is to recognize this inevitability and channel it in a way that fits within organizational standards.

Consistency goes beyond just technical factors though. Consistency between on-premise and public cloud environments also requires that the full runtime–including the applications running on it–be supported and certified by the same ISVs and others whether running on-premise or in the cloud, a commitment that is as much about business relationships as technical ones.

Portability takes multiple forms. Portable computing creates scalable private clouds that can be federated to a public cloud provider under a unified management framework. Portable applications mean that developers can write once and deploy anywhere, thereby preserving their strategic flexibility and keeping their options open while lowering maintenance and support costs. Portable services simplify development and operations by eliminating the need to re-implement frequently needed functions in private clouds and enable the movement of data and application features across clouds. Portable programming models let existing applications be brought over to cloud environments or evolved incrementally.

And, as with consistency, there are aspects of portability that aren’t primarily technical–such as whether software subscriptions and licenses can be transferred from one location to another. Consistent support and maintenance environments are also essential elements.

Organizations will use public cloud providers in various forms. The goal should be to govern that use, not block it.

If some of what I wrote above seems to focus on the potential downsides of using public cloud resources, that isn’t my intention. The benefits offered by public cloud infrastructures operated by companies like Amazon and software-as-a-service offered by someone like Salesforce.com are well documented. In the case of infrastructure, they allow rapid experimentation and expansion. Hosted applications can often be brought online more quickly than conventional on-premise software and thereby start delivering business value faster.

And the reality is that cloud computing in some form will happen throughout all organizations whether it’s the evaluation and adoption of a new CRM platform through a formal IT process, the ad hoc use of public cloud infrastructure by developers, or the “bursting” of an on-premise cloud to a public cloud to gain temporary capacity. Especially given the importance of properly securing data and minimizing lock-in to a specific third-party provider, it’s critical to bring cloud computing activity that involves corporate data or production applications under a common governance umbrella.

But, for the vast majority of organizations, simply forbidding the use of public cloud resources and applications is a poor strategy. For one thing, it cuts the organization off from the benefits of using those third-party providers. For another, that approach is unlikely to work. Shadow IT, which is to say unofficial use of personal mobile devices and free or inexpensive Web-based services of all sorts, happens.

So better to acknowledge that reality and, to the degree possible, make it an explicit part of overall IT governance. An IT organization might, for example, freely allow personal devices to access corporate e-mail but put in place mechanisms such as tokens that add a layer of security to that access. A final point worth making here is that, as one CIO told me, perhaps the most important process is to involve users in formulating the policies rather than creating an IT vs. everyone else dynamic.

Cloud computing isn’t “risky” any more than IT more broadly is risky. Rather, like all IT activities, cloud computing projects should be undertaken in a way that both mitigates risk and that considers those projects in the context of IT as a whole while taking into account the ultimate objective: to support the business in a way that balances costs with benefits.

Legacy IT Investments Hampering Cloud Formation

Thirty-five percent of C-level respondents in a global survey have identified significant investments in legacy infrastructure as the reason they are not adopting cloud computing.

The survey, the fourth Global Status Report on the Governance of Enterprise IT (GEIT) – 2011, conducted by the non-profit, IT Governance Institute (ITGI) polled 834 executives from 21 countries, divided almost evenly between business executives (CEOs, CFOs and COOs) and IT executives (CIOs and heads of IT).

According to the report, “Six out of 10 respondents currently use or plan to use cloud computing for non-mission-critical IT services, compared to four out of 10 who use it or plan to use it for mission-critical IT services. Those respondents not planning to use cloud computing cited data privacy and security concerns as the main reasons.

“It is also noteworthy that a significant number of respondents have concerns about reliability and one-third have significant legacy infrastructure investments that are influencing their cloud computing plans.”

According to the report, “The top outcomes cited in this year’s study are improved management of IT-related risk (mentioned by 42 percent of respondents) and better communication and relationships between business and IT (37 percent).”

It says: “The study analyses the degree to which the concept of GEIT is accepted by the C-suite and determines GEIT maturity levels, recognised frameworks, required/preferred certifications, and impact of current special-interest, GEIT-related topics.

“Of the C-level executives surveyed, 95 percent consider governance of enterprise IT important. This reveals an almost universally shared perception of IT as a critical contributor to overall business strategy, no matter where the organisation is on the path of GEIT maturity.”
