
SaaS, PaaS, and IaaS: A Security Checklist for Cloud Models

How does security apply to Cloud Computing? In this article, we address this question by listing the five top security challenges for Cloud Computing, and examine some of the solutions to ensure secure Cloud Computing.

Organizations and enterprises are increasingly considering Cloud Computing to save money and to increase efficiency. However, while the benefits of Cloud Computing are clear, most organizations continue to be concerned about the associated security implications. Due to the shared nature of the Cloud where one organization’s applications may be sharing the same metal and databases as another firm, Chief Security Officers (CSOs) must recognize they do not have full control of these resources and consequently must question the inherent security of the Cloud. However, it is important to note that Cloud Computing is not fundamentally insecure; it just needs to be managed and accessed in a secure way.

All Cloud Models Are Not the Same

Although the term Cloud Computing is widely used, it is important to note that all Cloud Models are not the same. As such, it is critical that organizations don’t apply a broad-brush, one-size-fits-all approach to security across all models. Cloud Models can be segmented into Software as a Service (SaaS), Platform as a Service (PaaS) and Integration as a Service (IaaS). When an organization is considering Cloud security it should consider both the differences and similarities between these three segments of Cloud Models:

SaaS: this particular model is focused on managing access to applications. For example, policy controls may dictate that a salesperson can only download particular information from sales CRM applications: they are only permitted to download certain leads, within certain geographies or during local office working hours. In effect, the security officer needs to focus on establishing controls regarding users’ access to applications.

PaaS: the primary focus of this model is on protecting data. This is especially important in the case of storage as a service. An important element to consider within PaaS is the ability to plan against the possibility of an outage from a Cloud provider. The security operation needs to consider providing for the ability to load balance across providers to ensure fail over of services in the event of an outage. Another key consideration should be the ability to encrypt the data whilst stored on a third-party platform and to be aware of the regulatory issues that may apply to data availability in different geographies.

IaaS: within this model the focus is on managing virtual machines. The CSO’s priority is to overlay a governance framework that enables the organization to put controls in place regarding how virtual machines are created and spun down, thus avoiding uncontrolled access and potentially costly wastage.

The following check-list of Cloud Security Challenges provides a guide for Chief Security Officers who are considering using any or all of the Cloud models.

For CSOs focused on PaaS

Challenge #1: Protect private information before sending it to the Cloud

There are already many existing laws and policies in place which disallow the sending of private data onto third-party systems. A Cloud Service Provider is another example of a third-party system, and organizations must apply the same rules in this case. It’s already clear that organizations are concerned at the prospect of private data going to the Cloud. The Cloud Service Providers themselves recommend that if private data is sent onto their systems, it must be encrypted, removed, or redacted. The question then arises: “How can the private data be automatically encrypted, removed, or redacted before sending it up to the Cloud Service Provider?” Encryption, in particular, is a CPU-intensive process which threatens to add significant latency to the process.

Any solution implemented should broker the connection to the Cloud Service and automatically encrypt any information an organization doesn’t want to share via a third party. For example, this could include private or sensitive employee or customer data such as home addresses or social security numbers, or patient data in a medical context. CSOs should look to provide for on-the-fly data protection by detecting private or sensitive data within the message being sent up to the Cloud Service Provider, and encrypting it such that only the originating organization can decrypt it later. Depending on the policy, the private data could also be removed or redacted from the originating data, but then re-inserted when the data is requested back from the Cloud Service Provider.
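The remove-and-re-insert variant described above can be sketched as follows. This is an added example, not code from the article or from any broker product: the class `RedactingBroker`, the detection patterns and the token format are assumptions, and the sample message is constructed.

```python
import re
import secrets

# Detection rules are assumptions for this example; a real deployment would
# use the organization's own data classification rules.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}
# Format of the placeholder that travels to the provider instead of the value.
TOKEN_RE = re.compile(r"\[\[PRIV:[a-z]+:[0-9a-f]{16}\]\]")

# Constructed sample message (not real data).
SAMPLE_MESSAGE = (
    "Employee Jane Roe, SSN 078-05-1120, contact jane.roe@example.com; "
    "payroll record repeats SSN 078-05-1120."
)


class RedactingBroker:
    """Hypothetical broker that sits between the organization and the
    Cloud Service Provider. Private values are swapped for opaque tokens on
    the way out and restored on the way back."""

    def __init__(self):
        self.vault = {}      # token -> original value; stays on premises
        self.by_value = {}   # (kind, value) -> token, so repeats reuse a token

    def token_for(self, kind, value):
        key = (kind, value)
        if key not in self.by_value:
            # Random token: nothing about the value can be derived from it.
            token = f"[[PRIV:{kind}:{secrets.token_hex(8)}]]"
            self.by_value[key] = token
            self.vault[token] = value
        return self.by_value[key]

    def outbound(self, message):
        """Redact a message before it is sent to the provider.
        Returns (redacted_message, list_of_detected_kinds)."""
        findings = []
        for kind, pattern in PATTERNS.items():
            def replace(match, kind=kind):
                findings.append(kind)
                return self.token_for(kind, match.group(0))
            message = pattern.sub(replace, message)
        return message, findings

    def inbound(self, message):
        """Re-insert private values into data fetched back from the provider.
        Tokens this broker did not issue are left untouched."""
        return TOKEN_RE.sub(
            lambda m: self.vault.get(m.group(0), m.group(0)), message
        )


if __name__ == "__main__":
    broker = RedactingBroker()
    redacted, kinds = broker.outbound(SAMPLE_MESSAGE)
    print(redacted)
    print(kinds)
    print(broker.inbound(redacted) == SAMPLE_MESSAGE)
```

The token vault is the sensitive asset in this design: it has to stay inside the originating organization and be backed up, because without it the redacted data cannot be restored.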

For CSOs Focused on SaaS

Challenge #2: Don’t replicate your organization in the Cloud

Large organizations using Cloud services face a dilemma. If they potentially have thousands of employees using Cloud services, must they create thousands of mirrored users on the Cloud platform? Providing single sign-on between on-premises systems and the Cloud removes this requirement.

Users with multiple passwords are also a potential security threat and a drain on IT Help Desk resources. The risks and costs associated with multiple passwords are particularly relevant for any large organization making its first foray into Cloud Computing and leveraging applications or SaaS. For example, if an organization has 10,000 employees, it is very costly to have the IT department assign new passwords to access Cloud Services for each individual user. For example, when the user forgets their password for the SaaS service, and resets it, they now have an extra password to take care of.

By leveraging single sign-on capabilities an organization can enable a user to access both the user’s desktop and any Cloud Services via a single password. In addition to preventing security issues, there are significant cost savings to this approach. For example, single sign-on users are less likely to lose passwords, reducing the assistance required from IT helpdesks. Single sign-on is also helpful for the provisioning and de-provisioning of passwords. If a new user joins or leaves the organization there is only a single password to activate or deactivate vs. having multiple passwords to deal with. In a nutshell, the danger of not having single sign-on for the Cloud is increased exposure to security risks and the potential for increased IT Help Desk costs, as well as the danger of dangling accounts after users leave the organization, which are open to rogue usage.

For CSOs focused on PaaS

Challenge #3: Keep an Audit Trail

Usage of Cloud Services is on a paid-for basis, which means that the finance department will want to keep a record of how the service is being used. The Cloud Service Providers themselves provide this information, but in the case of a dispute it is important to have an independent audit trail. Audit trails provide valuable information about how an organization’s employees are interacting with specific Cloud services, legitimately or otherwise!

The end-user organization could consider a Cloud Service Broker (CSB) solution as a means to create an independent audit trail of its cloud service consumption. Once armed with his/her own records of cloud service activity the CSO can confidently address any concerns over billing or to verify employee activity. A CSB should provide reporting tools to allow organizations to actively monitor how services are being used. There are multiple reasons why an organisation may want a record of Cloud activity, which leads us to discuss the issue of Governance.
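A minimal sketch of such an independent audit trail and its use in a billing dispute follows. It is an added example, not part of the article or of any Cloud Service Broker product: the record fields, the function names and the SHA-256 hash chaining (used here so that later edits to the organization's own records are detectable) are assumptions, and the trail and invoice are constructed.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # "previous digest" of the first record
FIELDS = ("ts", "user", "service", "op", "prev")


def record_digest(record):
    """SHA-256 over the canonical JSON form of the chained fields."""
    body = {k: record[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_record(trail, ts, user, service, op):
    """Append one brokered call; each record commits to the one before it."""
    prev = trail[-1]["digest"] if trail else GENESIS
    record = {"ts": ts, "user": user, "service": service, "op": op, "prev": prev}
    record["digest"] = record_digest(record)
    trail.append(record)
    return record


def verify_trail(trail):
    """Return the index of the first altered or re-ordered record, else None."""
    prev = GENESIS
    for index, record in enumerate(trail):
        if record["prev"] != prev or record["digest"] != record_digest(record):
            return index
        prev = record["digest"]
    return None


def reconcile(trail, invoice):
    """Compare our per-service call counts with the provider's invoice.
    Returns {service: (our_count, billed_count)} for mismatches only."""
    ours = Counter(record["service"] for record in trail)
    return {
        service: (ours.get(service, 0), invoice.get(service, 0))
        for service in sorted(set(ours) | set(invoice))
        if ours.get(service, 0) != invoice.get(service, 0)
    }


# Constructed sample data: four brokered calls and the provider's invoice.
SAMPLE_INVOICE = {"storage": 5, "crm": 1, "compute": 2}


def build_sample_trail():
    trail = []
    append_record(trail, "2024-05-01T09:00:00Z", "alice", "storage", "PUT")
    append_record(trail, "2024-05-01T09:05:00Z", "bob", "storage", "GET")
    append_record(trail, "2024-05-01T09:07:00Z", "alice", "crm", "GET")
    append_record(trail, "2024-05-01T09:30:00Z", "alice", "storage", "GET")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", verify_trail(trail) is None)
    # "compute" is billed but never passed through the broker: either a
    # billing error or usage that bypassed the broker.
    print(reconcile(trail, SAMPLE_INVOICE))
```

The chain only exposes tampering if the most recent digest is also kept somewhere that a person able to edit the log cannot reach.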

For CSOs focused on IaaS


Challenge #4: Governance: Protect yourself from rogue cloud usage and redundant Cloud providers

The classic use case for Governance in Cloud Computing is when an organization wants to prevent rogue employees from mis-using a service. For example, the organization may want to ensure that a user working in sales can only access specific leads and does not have access to other restricted areas. Another example is that an organization may wish to control how many virtual machines can be spun up by employees, and, indeed, that those same machines are spun down later when they are no longer needed. So-called “rogue” Cloud usage must also be detected, so that an employee setting up their own accounts for using a Cloud service is detected and brought under an appropriate governance umbrella.

Whilst Cloud Service providers offer varying degrees of cloud service monitoring, an organization should consider implementing its own Cloud service governance framework. The need for this independent control is of particular benefit when an organization is using multiple SaaS providers, i.e. HR services, ERP and CRM systems. However, in such a scenario the CSO and Chief Technology Officer (CTO) also need to be aware that different Cloud Providers have different methods of accessing information. They also have different security models on top of that.

Some use REST, some use SOAP and so on. For security, some use certificates, some use API keys, which we’ll examine in the next section. Some simply use basic HTTP authentication. The problem that needs to be solved is that these cloud service providers all present themselves very differently. So, in order to use multiple Cloud Providers, organizations have to overcome the fact they are all different at a technical level.

Again, that points to the solution provided by a Cloud Broker, which brokers the different connections and essentially smoothes over the differences between them. This means organizations can use various services together. In situations where there is something relatively commoditized like storage as a service, they can be used interchangeably. This solves the issue of what to do if a Cloud Provider becomes unreliable or goes down and means the organization can spread the usage across different providers. In fact, organizations should not have to get into the technical weeds of being able to understand or mitigate between different interfaces. They should be able to move up a level where they are using the Cloud for the benefits of saving money.

For CSOs focused on SaaS, PaaS and IaaS

Challenge #5: Protect your API Keys

Many Cloud services are accessed using simple REST Web Services interfaces. These are commonly called “APIs”, since they are similar in concept to the more heavyweight C++ or Java APIs used by programmers, though they are much easier to leverage from a Web page or from a mobile phone, hence their increasing ubiquity. “API Keys” are used to access these services. These are similar in some ways to passwords. They allow organizations to access the Cloud Provider. For example, if an organization is using a SaaS offering, it will often be provided with an API Key. The protection of these keys is very important.

Consider the example of Google Apps. If an organization wishes to enable single sign-on to their Google Apps (so that their users can access their email without having to log in a second time) then this access is via API Keys. If these keys were to be stolen, then an attacker would have access to the email of every person in that organization.

The casual use and sharing of API keys is an accident waiting to happen. Protection of API Keys can be performed by encrypting them when they are stored on the file system, or by storing them within a Hardware Security Module (HSM).

Conclusion: Homemade or Off-the-shelf?

When implementing a security framework to address these challenges, the CSO is faced with a buy vs. build option. They could engage developers to put together open source components to build Cloud Service Broker-like functionality from scratch. This approach creates the runtime components of a broker, such as routing to a particular Cloud Service Provider. However, other components of the solution, such as reporting and an audit trail, may not be present. An off-the-shelf Cloud Service Broker product will provide these extra features as standard and should also provide support for all the relevant WS-Security standards at a minimum.

As the Cloud Security Alliance notes in its Security Guidance White Paper, “Cloud Computing isn’t necessarily more or less secure than your current environment. As with any new technology, it creates new risks and new opportunities. In some cases moving to the cloud provides an opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements. At other times the risk of moving sensitive data and applications to an emerging infrastructure might exceed your tolerance.” I hope this article provides sufficient data points to guide readers on their journey.


Cloud Computing Data Security

Meeting the requirements for cloud data security entails applying existing security techniques and following sound security practices. To be effective, cloud data security depends on more than simply applying appropriate countermeasures. Taken collectively, countermeasures must comprise a resilient mosaic that protects data at rest as well as data in motion.

While the use of encryption is a key component for cloud security, even the most robust encryption is pointless if the keys are exposed or if encryption endpoints are insecure. Customer or tenant control over these endpoints will vary depending on the service model and the deployment model.

OVERVIEW OF DATA SECURITY IN CLOUD COMPUTING
It is understandable that prospective cloud adopters would have security concerns around storing and processing sensitive data in a public or hybrid or even in a community cloud. Compared to a private data center, these concerns usually center on two areas:

  • Decreased control by the owning organization when data is no longer managed within an organization’s premises
  • Concern by the owning organization that multitenancy clouds inherently pose risks to sensitive data

In both cases, the potential risk of data exposure is real but not fundamentally new. This is not to say that cloud computing does not bring unique challenges to data security.

Control over Data and Public Cloud Economics

In contrast to use of a public cloud, maintaining organizational physical control over stored data or data as it traverses internal networks and is processed by on-premises computers does offer potential advantages for security. But the fact is that while many organizations may enforce strict on-premises-only data policies, few organizations actually follow through and implement the broad controls and the disciplined practices that are necessary to achieve full and effective control.

So, additional risks may be present when data doesn’t physically exist within the confines of an organization’s controlled facility—this is not necessarily the security issue that it may appear to be. To begin, achieving the potential advantages with on-premises data requires that your security strategy and implementation deliver on the promise of better security.

The basic problem is that most organizations are neither qualified to be in the information security business nor are they in that business—they are simply using computers and networks to get their work done! Although secure computing is a desired quality, information security expertise is not a core-competency for most computer users nor is it common in most organizations. Returning to the point:

  • Moving data off premises does not necessarily pose new risks, and it may in fact improve your security.
  • Entrusting your data to an external custodian may result in better security and may well be more cost effective.

Two examples that underscore this are the commercial service offerings to either store highly sensitive data for disaster recovery or assure the destruction of magnetic media. In both cases, many highly paranoid organizations tightly control how they use these services—but the point is that they use external services, and when they do so, they entrust their data to external custodians.

It is important to state that some kinds of data are simply too sensitive and that the consequence of data exposure is too great for some customers to seriously consider using a public cloud for processing. This applies to any information category that entails national security information or information that is subject to regulatory controls, which cannot yet be met by public target cloud offerings. Likewise, it is unlikely that a well-governed organization would release highly sensitive future product plans to any environment where the organization would be uncertain that the information custodian (the CSP) did not enforce the information owning organization’s interests as well as the organization itself would.

In these examples, it is not the case that security needs for these categories can’t be met in a public cloud, rather the cost of providing such security assurance is incompatible with the cost model of a public cloud. If a CSP is to meet these needs that would demand additional controls, procedures, and practices that would make the cloud offering noncompetitive for most users. Consequently, where such data security needs prevail, other delivery models (community or private cloud) may be more appropriate. This is depicted in Figure 1. Note that this situation is a function of generally available and anticipated offerings in the public cloud space. Quite likely, this will change as security becomes more of a competitive discriminator in cloud computing.

FIGURE 1 Meeting security needs: public, community, and private clouds.

One can easily imagine future high-assurance public clouds that charge more for their service than lower-assurance public clouds do today. We might also expect that some higher-assurance clouds would limit access by selective screening of customers based on entry requirements or regulation. Limiting access to such a cloud would reduce risk—not eliminate it—by limiting access if screening is effective.

Organizational Responsibility: Ownership and Custodianship
While an organization has responsibility for ensuring that their data is properly protected as discussed above, it is often the case that when data resides within premises, appropriate data assurance is not practiced or even understood as a set of actionable requirements. When data is stored with a CSP, the CSP assumes at least partial responsibility (PaaS) if not full responsibility (SaaS) in the role of data custodian. But even with divided responsibilities for data ownership and data custodianship, the data owner does not give up the need for diligence for ensuring that data is properly protected by the custodian.

By the nature of the service offerings, and as depicted in Figure 2, a data owning organization can benefit from their CSP having control and responsibility for customer data in the SaaS model. The data owning organization is progressively responsible beginning with PaaS and expanding with IaaS. But appropriate data assurance can entail significant security competence for the owning organization.

FIGURE 2 Owning organization has increasing control and responsibility over data.

Ultimately, risks to data security in clouds are presented to two states of data: data that is at rest (or stored in the cloud) and data that is in motion (or moving into or out of the cloud). Once again, the security triad (confidentiality, integrity, and availability) along with risk tolerance drives the nature of data protection mechanisms, procedures, and processes. The key issue is the exposure that data is subject to in these states.

Data at Rest and in Motion

Data at rest refers to any data in computer storage, including files on an employee’s computer, corporate files on a server, or copies of these files on off-site tape backup. Protecting data at rest in a cloud is not radically different than protecting it outside a cloud. Generally speaking, the same principles apply. As discussed in the previous section, there is the potential for added risk as the data owning enterprise does not physically control the data. But as also noted in that discussion, the trick to achieving actual security advantage with on-premises data is following through with effective security.

Referring back to Figure 1, the less control the data owning organization has—decreasing from private cloud to public cloud—the more concern and the greater the need for assurance that the CSPs security mechanisms and practices are effective for the level of data sensitivity and data value. (But in Figure 2, we saw that the owning organization’s responsibility for security runs deeper into the stack for the owning organization as they move from SaaS to PaaS and again to IaaS.)

If you are going to use an external cloud provider to store data, a prime requirement is that risk exposure is acceptable. Risk exposure varies in part as a function of service delivery as it does for deployment.

A secondary requirement is to verify that the provider will act as a true custodian of your data. A data owning organization has several opportunities in proactively ensuring data assurance by a CSP. To begin with, selecting a CSP should be based on verifiable attestation that the CSP follows industry best practices and implements security that is appropriate for the kinds of data they are entrusted with. Such certifications will vary according to the nature of the information and whether regulatory compliance is necessary. Understandably, one should expect to pay more for services that involve such certifications. One likely trend here is that higher assurance cloud services may come with indemnification as a means of insurance or monetary backing of assurance for a declared level of security. Whatever the future may hold, we can expect that practices in this space will evolve.

Data in Motion
Data in motion refers to data as it is moved from a stored state as a file or database entry to another form in the same or to a different location. Any time you upload data to be stored in the cloud, the data is considered to be data in transit for as long as it is being uploaded. Data in motion can also apply to data that is in transition and not necessarily permanently stored. Your username and password for accessing a Web site or authenticating yourself to the cloud would be considered sensitive pieces of data in motion that are not actually stored in unencrypted form.

Because data in motion only exists as it is in transition between points—such as in memory (RAM) or between end points—securing this data focuses on preventing the data from being tampered with as well as making sure that it remains confidential. One risk has to do with a third party observing the data while it is in motion. But funny things happen when data is transmitted between distant end points: to begin with, packets may be cached on intermediate systems, or temporary files may be created at either end point. There is no better protection strategy for data in motion than encryption.

Common Risks with Cloud Data Security

Several risks to cloud computing data security are discussed in this section. None of these are unique to the cloud model, but they do pose risk and must be considered when addressing data security. They include phishing, CSP privileged access, and the source or origin of data itself.

Phishing
One indirect risk to data in motion in a cloud is phishing. Although it is generally considered unfeasible to break public key infrastructure (PKI) today (and therefore break the authentication and encryption), it is possible to trick end users into providing their credentials for access to clouds. Although phishing is not new to the security world, it represents an additional threat to cloud security. Listed below are some protection measures that some cloud providers have implemented to help address cloud-targeted phishing related attacks:

  • Salesforce.com Login Filtering: Salesforce has a feature to restrict access to a particular instance of their customer relationship management application. For example, a subscriber can tell Salesforce not to accept logins, even if valid credentials are provided, unless the login is coming from a whitelisted IP address range. This can be very effective against phishing, because an attacker cannot log in unless he is coming from a known IP address range.
  • Google Apps/Docs/Services Logged-In Sessions & Password Rechecking: Many Google services randomly prompt users for their passwords, especially in response to a suspicious event. Furthermore, many of Google’s services display the IP address from the previous login session along with automatic notification of suspicious events, such as a login from China shortly after a login from an IP address in the United States for the same account.
  • Amazon Web Services Authentication: Amazon takes authentication to cloud resources seriously. When a subscriber uses EC2 to provision a new cloud-hosted virtual server, by default, Amazon creates cryptographically strong PKI keys and requires those keys to be used for authentication to that resource. If you provision a new Linux VM and want to SSH to it, you have to use SSH with key-based authentication and not a static password.

But these methods are not always foolproof. With phishing, the best protection is employee/subscriber training and awareness to recognize fraudulent login-capturing events. Some questions that you might ask your CSP related to protection from phishing-related attacks are:

  • Referring URL Monitoring: Does the CSP actively monitor the referring URLs for authenticated sessions? A widespread phishing attack targeting multiple customers can come from a bogus or fraudulent URL.
  • Behavioral Policies: Does the CSP employ policies and procedures that mandate that a consistent brand is in place (often phishing attacks take advantage of branding weaknesses to deceive users)? Does their security policy prohibit weak security activities that could be exploited? An example would be if they prohibit the sending of e-mails with links that users can click on that automatically interact with their data. Another example would be whether they allow password resets to occur without actively proving user identity via a previously confirmed factor of authentication (that is, initiate a password request on the Web and they confirm the identity of the user based on an out-of-band SMS text message to their cell phone).

Phishing is a threat largely because most cloud services currently rely on simple username and password authentication. If an attacker succeeds in obtaining credentials, there is not much preventing them from gaining access.
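The two provider-side measures listed above, rejecting valid credentials that arrive from outside an allowlisted address range and flagging a login from a different country shortly after the previous one, can be expressed as checks over a login log. This is an added example, not any provider's implementation: the function names, the two-hour window, the allowlisted networks (documentation address ranges) and the log events are constructed, and the country of each source address is assumed to be already resolved.

```python
import ipaddress
from datetime import datetime, timedelta

# Subscriber-defined allowlist (constructed, using documentation ranges).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
# Assumption: a country change within this window is treated as suspicious.
COUNTRY_CHANGE_WINDOW = timedelta(hours=2)

# Constructed events: (timestamp, user, source_ip, country, credentials_valid)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "203.0.113.10", "US", True),
    ("2024-05-01T09:40:00", "alice", "192.0.2.77", "CN", True),
    ("2024-05-01T10:00:00", "bob", "198.51.100.20", "US", True),
    ("2024-05-02T10:00:00", "bob", "198.51.100.200", "DE", True),
    ("2024-05-02T11:00:00", "carol", "203.0.113.5", "US", False),
]


def check_login(event, allowed=ALLOWED_NETWORKS):
    """Allowlist filter: valid credentials alone are not enough.
    Returns (decision, reason)."""
    _ts, _user, ip, _country, credentials_valid = event
    if not credentials_valid:
        return "reject", "invalid credentials"
    address = ipaddress.ip_address(ip)
    if not any(address in network for network in allowed):
        # This is the case that stops a phished password from being usable.
        return "reject", "valid credentials from a source outside the allowlist"
    return "accept", "source inside the allowlist"


def flag_country_changes(events, window=COUNTRY_CHANGE_WINDOW):
    """Flag successful logins whose country differs from the same user's
    previous successful login within `window`.
    Returns a list of (user, previous_country, new_country, source_ip)."""
    last_seen = {}  # user -> (time, country) of the last successful login
    flagged = []
    for ts, user, ip, country, credentials_valid in sorted(events):
        if not credentials_valid:
            continue
        when = datetime.fromisoformat(ts)
        previous = last_seen.get(user)
        if previous and previous[1] != country and when - previous[0] <= window:
            flagged.append((user, previous[1], country, ip))
        last_seen[user] = (when, country)
    return flagged


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event[1], event[2], *check_login(event))
    print(flag_country_changes(SAMPLE_EVENTS))
```

In the sample, bob's second login is rejected by the allowlist because 198.51.100.200 lies outside the /25, but it is not flagged as a country change because it occurs a day after his previous login.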

Provider Personnel with Privileged Access
Another risk to cloud data security has to do with a number of potential vectors for inappropriate access to customer sensitive data by cloud personnel. Plainly stated, outsourced services—be they cloud-based or not—can bypass the typical controls that IT organizations typically enforce via physical and logical controls.

This risk is a function of two primary factors: first, it largely has to do with the potential for exposure with unencrypted data and second, it has to do with privileged cloud provider personnel access to that data. Evaluating this risk largely entails CSP practices and assurances that CSP personnel with privileged access will not access customer data.

Data Origin and Lineage
The origin, integrity, lineage, and provenance of data can be a primary concern in cloud computing. Proving the origin of information or data has importance in many areas, including patents or proving ownership of valuable data sets that are based on independent analysis of commonly available information sources.

For compliance purposes, it may be necessary to have exact records as to what data was placed in a public cloud, when it occurred, what VMs and storage it resided on, and where it was processed. In fact, it may be equally important to be able to prove that certain datasets were not transferred to a cloud, for instance, when there are sensitivity or EU-privacy concerns about what national borders such data may have crossed.

While reporting on data lineage and provenance may be very important for regulatory purposes, it may be very difficult to do so with a public cloud. This is largely due to the degree of abstraction that exists between actual physical resources—such as disk drives and servers—and the virtualized resources that a public cloud user has access to. Visibility into a provider’s operations in terms of technical mechanisms can be impossible to obtain, for understandable reasons.

Where such requirements exist that the origin and custody of data or information must be maintained in order to prevent tampering, to preclude exposure outside a jurisdictional realm, or to assure continuing integrity of data, it may be completely inappropriate to use a public cloud or even a low-assurance private cloud. One can imagine that if such requirements become increasingly common, cloud-based services will arise to profit from the opportunity. In the absence of a public service and where a private cloud is cost prohibitive, alternative approaches should be considered—easiest among them the use of a hybrid or community cloud.


Cloud Computing Services: Feds Get On The Bandwagon

After a delay due to a complicated vendor-authorization process, the General Services Administration (GSA) is finally offering cloud computing services via its Apps.gov website.

Federal agencies now can order from a menu of three Infrastructure as a Service (IaaS) offerings–cloud storage, virtual machines and Web hosting–from service providers that have received GSA authorities to operate (ATOs) to offer them.

It was the process of acquiring ATOs that delayed the GSA’s plans to offer IaaS on Apps.gov. But last week, GSA Portfolio Management Division Director Bill Lewis said the first services would be available in July, and, true to his word, they are.

Apps.gov on Friday was updated to provide detailed information on each service and the list of vendors providing them, in addition to stepping agencies through the ordering process. That process, however, is not exactly as easy as dragging and dropping a service into an online shopping basket, if instructions on the site are any indication.

Each service provider is offering its own cloud services and bundled pricing, and agencies can peruse the packages on offer before making a decision.

Services are billed by the month–as opposed to by the compute hour, as commercial cloud provider Amazon Web Services typically does it–and the process includes agencies getting quotes for the type of service they are looking for through the GSA eBuy system before making a purchase.

Those quotes will then be awarded to one of the ATO contractors for the service, which is responsible for contacting the agency to help staff configure and manage the service from their own website.

To be fair, Lewis said last week that the GSA is working to reduce transaction time and the complexity of purchasing cloud solutions, an endeavor that may involve the development of online tools for agencies that allow for on-demand self-service or the ability to increase or decrease the size of their purchase.

Even with the complexity, the GSA is now for the first time allowing agencies to buy on-demand computing power through service providers that already have the federal stamp of approval, which should make government adoption of cloud computing easier and more efficient.

Agencies currently can choose from five service providers offering cloud storage: Apptis, Computer Literacy World, Eyak Technology, Insight Public Sector, and Computer Technologies Consultant.

The virtual machine service provides even more choice, with 10 vendors on the list: Autonomic Resources, Carahsoft Technology, CGI Federal, Computer Literacy World, AT&T, Eyak Technology, General Dynamics, Verizon Federal, Computer Technologies Consultant, and Savvis Federal Systems.

Finally, five service providers are offering Web hosting via Apps.gov: CGI Federal, Computer Literacy World, Eyak Technology, Computer Technologies Consultant, and Savvis Federal Systems.

Source

How Banks Use Cloud Computing

Ever since 2009 when NIST published its first definition of cloud computing there has been a promise of community clouds, and now we finally have a second one in the financial services market, thanks to NYSE Technologies.

The IT arm of NYSE Euronext announced the beta of Capital Markets Community Platform, its cloud computing offering, this week, and the effort, on the surface, is a good example for other vertical markets to follow.

For years, financial services firms such as investment banks and hedge funds have been competing on trade execution speed and volume — where milliseconds per trade can translate into billions of dollars in competitive advantage.

And in doing so, they have found that you can’t beat the speed of light. Thus if you want very, very fast connections to the stock market, you need to be as close to the servers used by the market as possible.

Previously, the way to do this was to find out where the data centre for an exchange was located and put your servers as close as possible and hopefully on the same network backbone. If the exchange was in a colocation facility, then you wanted the cage right next door.

This method gave larger investment banks a distinct advantage as you had to be able to afford a full cage and have priority access.

To help level the playing field a bit more, NYSE Technologies’ new IaaS offering lets financial firms of any size place VMs directly on the same infrastructure as the exchange. Using VMware vCloud Director for secure tenancy, NYSE is able to separate financial firms from each other as well as from the exchange itself.

It also lets NYSE control access, which presumably promotes fairness in the market. Now financial firms can compete on their trading algorithms, market insights and knowledge without geolocation, colo relationships and big money prioritisation creating an uneven playing field. This doesn’t mean that a large financial institution can’t still colocate a massive server farm, just that winning isn’t defined by your ability to do so.

This effort by NYSE is a classic example of a community cloud in that it is a private IaaS solution (yes, there is dedicated hosting too) designed specifically to meet the needs of a particular market and open to all members of that community.

It is similar to an effort created several years ago by NASDAQ called Market Replay that lets financial institutions exercise their algorithms against yesterday’s market. That cloud solution leverages Amazon Web Services’ Simple Storage Service (S3) public cloud infrastructure. But NYSE Capital Markets Community Platform is for access to the live market. This service, when it goes live (expected July 1), will affect actual trades.

Community clouds exist in higher education, pharmaceuticals, and other markets so this isn’t brand-new but is another testament to how real the cloud computing market is and shows a best practice for how to set up a solution that serves the unique needs of a particular market. Well done, NYSE.

Source

Cloud Computing for Small Business 101

Many small businesses are still uncertain about cloud computing and wonder if it can help boost profitability without being extremely risky. To figure it out, it’s best to start by defining cloud computing in small business terms. There are two commonly agreed upon types of cloud computing: 1) software-as-a-service and 2) infrastructure-as-a-service.

Software-as-a-service (SaaS) refers to cloud computing where the software you would normally install on your office computers is instead delivered over the Internet.

The most commonly recognised software application is CRM (customer relationship management). Last year 26% of spending on CRM was for SaaS versions, and this is expected to grow to 33% by 2015, according to Experian.

Infrastructure-as-a-service (IaaS) cloud computing is where you rent space in a data centre and use their servers rather than buying new hardware to run your business. A common example of IaaS is website hosting.

You may also hear terminology like “public cloud” or “private cloud.” Simply, the public cloud is where shared resources are used outside of your company and delivered over the Internet. The private cloud is where you build a shared infrastructure within your company and deliver services over the internal network to users within your company, without installing software on their individual systems.

Starting in the Cloud

Many small businesses that started in the last ten years may not realise that their business has already started utilising aspects of cloud computing – email and websites, for instance.

When an entrepreneur starts a business the first IT consideration, after buying that first computer, is typically setting up an email address, likely followed by setting up a web site. Purchasing a server probably doesn’t make it to the list for some time. In fact, 90% of small businesses do not own a server.

So where do small businesses go for their email service and website hosting? Usually to their ISP (Internet Service Provider) which includes it as part of a package. These are simply applications and shared resources delivered over the public cloud and fundamental to business operation.

As the business grows, it may make sense to purchase a dedicated server that runs the email and web servers – but initially, the business began in the cloud. And now, advancements in technology will likely take them back to the cloud. The need for expansion and flexibility coupled with increased cost control requires the smart small business owner to search for IT alternatives.

Over the past few years, cloud services have developed to a point where most, if not all, software vendors have developed and released their applications as a service. For example, consider the cloud products from Sage, Intuit and MYOB. Or, think about the expansion of Microsoft to include Office365 and a suite of hosted platforms for their communication and collaboration suite.

Then take cloud start-up companies that have gone mainstream like SalesForce.com. When you throw in heavyweights like Google and their Google Apps service, you can see the clear direction and evolution for cloud computing for small businesses.

On the flip side, we tend to hear a few arguments against cloud adoption, such as data security (as recently illustrated by Sony’s PSN hacking disaster), resources availability, bandwidth speed and cost, and general trust issues.

Availability of Resources

When small businesses were using their ISP for email and web hosting, were they concerned about email not being available? Perhaps it wasn’t an issue then. But now that they have experienced sluggish email systems or server overloads (after moving to their own dedicated server), there are some concerns that going to the cloud may mean more downtime due to a lack of control.

But a single server belonging to a small business may struggle to run the email, website, file store, backup, security management, finance and accounting packages – and to top it all off, in many cases, servers are managed by staff members with no formal IT training.

This means a server is prone to more downtime and instability than, say, an application, delivered securely over the Internet, hosted on a server farm with the latest equipment, and managed and maintained 24×7 by experts.

And what about the issues that can occur on a local server when one application provider updates their software? If that update doesn’t ‘play nice’ with the other applications installed, then your business could grind to a halt. Cloud services work independently, so software update conflict issues are a thing of the past.

When you consider the types of applications delivered via the cloud, some are more likely to be used by businesses that are most concerned about availability. Many applications have offline caching, meaning a copy can be stored locally and then synced later when online. So even if the Internet is not available, they can continue to work.

Endpoint security (the virus scanner on desktops, laptops and servers) is another application that could be a re-entry point to the cloud. It’s the management component and the threat databases that are stored in the cloud. The scanner still sits locally, so if a connection is not available your scanners can still defend against local threats. Keep in mind though that over 90% of threats today come via the Internet, so without a connection you are already potentially 90% safer.

Cost vs. Speed vs. Productivity

For many developed market regions, cost versus speed versus productivity is a concern that never gets raised. However, across Australia, New Zealand, Asia, parts of Eastern Europe, and Latin America, the cost and speed of accessing large amounts of information back and forth over the Internet are valid concerns.

Small business owners tend to be concerned about the availability of services as opposed to cloud-related issues such as security, data ownership and data privacy.

While this concern is true for many applications, the cloud should not be ruled out totally by small business purely based on these reasons. When applications like website hosting, mail server hosting, and computer antivirus and security are offloaded to the cloud, it can free up the resources on your network. This means the tools you leave onsite are free to perform better.

How often does a small business owner need to log into the management console of their security system? Let’s face it, daily email alerts and weekly reports are probably sufficient. And if an email travels through a server on the Internet versus locally, it still travels the same distance and at the same speed as it comes across the wire (except for internal emails; in a small business, it’s probably quicker to lean across the desk and talk to the person anyway).

Is My Data Really Safe?

Securing data is a critical concern to service providers. Some countries have regulations that govern the storage and transmission of confidential information, not to mention the power of the customer to take their business elsewhere if bad press follows a data breach.

Some businesses are also concerned with the location of the data centre. Is it in my backyard? Or, is it in some far-flung, low-cost country where government controls and infrastructure are not as well defined?

This is a very valid concern. How does a business truly know where its data is stored? The answer is, it probably doesn’t. That is the nature of the Internet. In order for a service provider to provide an always-on, always-available service, it needs to have multiple data centres with high availability and failsafe capabilities. So if something happens to one set of servers, the next set can take up the slack. In order to do this, your data is probably stored and shared in multiple locations, even in multiple countries.

You should be asking your service provider for the details about their primary and secondary data centres and if there are any redundancy plans. This will help you see where your data may or may not be stored. You then need to make a judgment call based on your level of trust in that provider from both an availability and security perspective.

Think about where your business has come from; what you require in terms of resources to take it to the next level; and how you plan to use technology moving forward. You’ll begin to see why research and general industry chatter predicts Small Business adoption of cloud computing will grow at staggering rates over the next 18 months.

The Small Business journey to the cloud is actually more of a round trip. It’s important to keep this in mind when you make your next IT investment decision.

Source

Why You Don’t Need a Cloud Computing Strategy

As with any new exciting technology, companies commonly look towards creating a “strategy” around the movement in order to ensure their investments achieve the greatest ROI. In the 1990s, it was all about how companies needed a “Linux” strategy; the last decade has been dominated with companies needing a “virtualization” strategy; and the trend I’m seeing today is everyone talking about needing a “cloud computing” strategy.

While this new saying is good news for large vendors who quickly rebrand existing and/or legacy technologies to go along with the momentum, it can also cause a number of challenges. The main one is that it can introduce risks and new costs with minimal ROI for companies building out cloud strategies outside of their normal IT practice. So, to get it right the first time, rather than looking at the cloud as a separate replacement strategy, companies need to look at it from the bigger picture as a complete IT strategy.

Here are five key things to think about when identifying areas for cloud adoption and driving a successful IT strategy:

1. Understand the cloud and its benefits to your business:
Think business, not technology – not all clouds are created equal. There are many choices, from hosted applications to hosted infrastructure – Software as a Service (SaaS), Infrastructure as a Service (IaaS); some run on premise, some run off. Each has significant benefits but only when viewed in the context of how they fit in with your current operations. You need to understand how each of these can augment your IT strategy to achieve the benefits of efficiency and agility.

2. Build off your existing operational choices and be application specific:
If existing services such as CRM and e-mail are functioning well you will gain very little by transitioning them to the cloud. In fact, these types of changes could prove confusing and incite end user rejection. However, if you are just implementing these services for the first time the cloud may give the benefits and cost savings that you need. This same rule applies to IaaS clouds. Rather than trying to replace existing infrastructure that is already working, identify workloads that are dynamic or new that constantly require attention on infrastructure to reap the benefits.

3. Think small, but plan big:
Start out with a pilot. 2010 was the year of defining the cloud and 2011 will be the year of cloud implementation. James Staten, an analyst at Forrester Research, recently predicted that many will try to deploy a private cloud, but many will fail. The key is to start small and identify areas where you can extend your existing strategy with new technologies to understand their impact. For IaaS clouds, the easiest is to start with your current virtualization strategy, as the cloud uses virtualization as a core technology. Whether it is development, testing, or new web application environments, the cloud can quickly and easily be implemented with a high likelihood for success.

4. Evaluate all of your options – think agility:
There are many options when implementing a cloud solution. The choice between a public or private cloud should be made based on factors such as cost, security, availability and control. Each deployment model has pros and cons; the goal is to optimize for your business requirements. If you are choosing to build your own, private cloud, vendors can help you achieve this. Portability and flexibility are important elements to consider. You need to choose a solution that works within your system, but also does not lock you into a specific environment. Additionally, a solution that gives you the ability to migrate to public clouds in the future will prove to be valuable.

5. Acknowledge the immaturity of cloud computing, but don’t let it hold you back:
Cloud computing is a new paradigm in IT. It has a few issues including data security and compliance, but new advancements every day continue to take the cloud to the next level. Across the industry, there are more companies and developers working on advancing this segment than many of the traditional/legacy apps. As such, you do not want to get behind the curve of the next wave of innovation. By acknowledging its immaturity and picking applications and workloads that can handle the risk, you get the benefit of getting ahead of the movement and truly understanding the technology as it matures and how it can become an incredible weapon in your IT strategy.

Cloud computing is an exciting new movement that promises to bring many benefits to companies of all sizes. Taking simple steps to understand how to integrate it into your existing “business strategy”, rather than treating it like a separate strategic project, will increase the likelihood of success and simplify the transition to this new form of IT service.

Source

How Cloud Computing Helps a Business Grow

If you came here for the article with the title, “How Cloud Computing Helps a Business Grow”, unfortunately, it has been removed at the request of the publisher of the website from which it was obtained.

Asking me to remove it was within their rights, but I believe it was a shortsighted decision based on old media ideas about the copyright “protection” of assets and the imagined potential loss of ad revenue.

I am not competing with the publisher of “How Cloud Computing Helps a Business Grow”. The articles here are gathered for the benefit of my clients and prospects who are trying to make a decision about cloud computing in their business. There are no competing ads here.

By asking me to remove “How Cloud Computing Helps a Business Grow”, the publisher lessened the opportunity for the author to have his ideas more widely read and the publishing website lost the long term SEO benefit of the link from this page that was here to acknowledge the source of “How Cloud Computing Helps a Business Grow”.

I invite you to check out these links to articles with information similar to “How Cloud Computing Helps a Business Grow”

A Clearer View of How to Exploit Cloud Computing

Design engineers and design managers may have heard the term ‘cloud computing’ but found it hard to establish exactly what it is – or whether it will help them in their jobs. Alistair Rae presents some answers to these questions and looks at what might happen in the future.

As information technology companies describe new ways to offer infrastructure to businesses, the term ‘cloud computing’ is becoming more common – but what exactly is it? The definition of the internet is quite simple and easily understood: a freely accessible network of servers for information, services and commerce. Cloud computing has no single, clear definition, partly because it is difficult to explain. As a consequence, it is not easy to see the advantages, disadvantages and how a particular company might exploit cloud computing.

Predictions by Gartner Research for 2011 and beyond suggest that, by 2012, one-fifth of all companies will no longer own their IT (information technology) assets and that, by 2015, information-smart businesses will increase recognised IT spending per head by 60 per cent. But, at the same time, in 2011 Gartner predicts a clash between cloud computing and more conventional ways of providing IT.

Although the idea for this type of computing has been around for at least a decade, it is only now that there is reliable software and infrastructure readily available to support it. The term ‘cloud computing’ comes from a way the IT industry has historically explained how systems function. There is what you know a lot about and have control over, usually a local computer (a PC, Apple Macintosh or other workstation), which is connected to something else that you do not have to worry about – and this undefined ‘something’ is depicted as a cloud (Fig.1). Connection between the two is usually through a network, although sometimes the diagram refers to processes coexisting in a single computer. What goes on in the cloud is often not explained but, whatever it is, it is assumed to work. In fact the technology involved is not new, although it is continually being improved as fresh commercial demands are met by more development.

Those instances not normally considered to be cloud computing are those where everything takes place within one computer, or where there is a single server providing multiple services. The latter case is common where there are many virtual private servers (VPSs) on a single physical server at an internet service provider (ISP), sometimes presented as a ‘cloud’ even though this is not really the case. The essential characteristics of cloud computing are that processing is carried out remotely from the user, using variable amounts of metered resource, with payment on the basis of a subscription or the resources used, rather like a pay-per-use mobile telephone (Fig.2). In business terms, it makes a user independent of hardware and moves IT expenditure from capital expenditure (capex) to operating expenditure (opex).

There are three basic types of cloud, all delivered over a network connection as computing services to the end-user.

Infrastructure clouds, which are also referred to as Infrastructure as a Service (IaaS), are where hardware resources – processing power and storage – are made available to the user, thereby removing the need for companies to have their own servers. The correct usage of the term refers either to data and storage clouds or compute clouds, which provide the infrastructure on which applications can be built.

Data and storage clouds (for example, Amazon S3) offer reliable access for varying amounts of data. Amazon’s Simple Storage Service (S3) is built with a minimal feature set and allows reading, writing and deletion of files from 1 byte to 5 terabytes each. They are firewall-protected and have high reliability (designed for 99.99 per cent reliability).

Compute Clouds provide environments that include processing power, but there are many different models. The important characteristic is that they offer scalable, on-demand resources to run code that has been developed to use them. There are various restrictions on what they will do (languages and types of storage, for example) but they can offer an organisation reliable and flexible computing with high availability. Users often do not know where the code is executed or the data stored (which can be a problem) but the point is that it will be executed and stored remotely. Typical examples are Amazon’s Elastic Compute Cloud (EC2), the Google App Engine and the Rackspace Cloud (see panel for other examples of cloud computing).

Sometimes vendors use cloud technology to offer scalable server environments built with cloud components. In this case the hybrid offering is similar to using a VPS but with the benefit of being able to have more than one instance of the server if required. There is no change needed in the software used, whether it is proprietary or written in-house, as the cloud just provides the underlying infrastructure for a given level of service.

Platform Clouds, which are also referred to as Platform as a Service (PaaS), feature computational resources that are made available on a platform for which applications and services can be developed. While this was once a separate class of service, the name survives despite the boundary between the latest compute clouds and PaaS clouds having almost disappeared. The difference is now more between environments that deliver application functionality (see Software Clouds) and those which do not. The Google App Engine is sometimes classed as a platform, rather than infrastructure.

Software Clouds, also referred to as Software as a Service (SaaS), are where a single application is made available as a service, possibly by using one or both of the types of cloud service described above. This is the oldest type of internet-based service and some vendors have always operated in this way. Typical examples are the Salesforce.com customer relationship management (CRM) system, Google Docs (office documents), and SAP Business by Design (a business management system). In this case the end user buys precisely the service that is advertised. For designers, Autodesk is one of the more advanced in terms of its cloud-based offering, which includes the Project Neon rendering service and Bluestreak collaboration software.

Cloud computing overcomes many problems inherent with conventional IT resourcing, but the newer technology is not without its risks. First, company data (and possibly also intellectual property) will be stored remotely, so organisations need to be sure that it is in the right jurisdiction for their type of work, that the service provider complies with all relevant regulations and that the provider is open to security audit. This could include questions about any of their staff who might have access to the organisation’s data – which may or may not be encrypted.

Source

GSA: Cloud Computing Is Safer Than You Think

GSA assistant commissioner Mary Davie tries to dispel cloud computing ‘myths’ and says a phased deployment strategy will raise the chances for successful projects.

Moving to the cloud is easier, more cost-effective, and safer than many federal IT pros realize, according to the assistant commissioner of the General Services Administration.

In light of the federal mandate for agencies to embrace cloud computing, GSA’s Mary Davie tried to debunk some of the myths about cloud computing in a blog post on GSA.gov.

The Office of Management and Budget has taken “an aggressive stance on the cloud,” she wrote. “We’re all on the hook to move three systems to the cloud by 2012. I’m here to tell you that it can be done intelligently and securely.”

GSA, which provides technology products and services to federal agencies, has begun offering software as a service through its Apps.gov portal. In October, the agency announced that it would “soon” begin offering infrastructure as a service through Apps.gov and named 20 vendors that had been approved to offer those services.

Now, nearly six months later, GSA has yet to offer IaaS via Apps.gov. In the blog post, Davie writes that blanket purchase agreements for IaaS and e-mail as a service will be ready soon. “These vehicles will make it easier for our customers to compare services and acquire what they need from the cloud,” she said.

Davie addressed what she described as four “cloud computing myths”: that clouds can be “anything”; that public clouds aren’t secure; that agencies lose control of their data in the cloud; and that moving to the cloud is difficult to do.

All of these challenges can be overcome, she argued. For one thing, there are baseline characteristics for cloud architecture, and not all clouds are created equal, Davie said.

Moreover, while public clouds are not inherently secure, agencies can customize the controls to lock down data and applications in the cloud. They should weigh carefully what they choose to put in the cloud, as not everything is suitable for a cloud environment, she said.

Agencies can demand strict service level agreements to ensure they maintain control over data and applications and aren’t being taken advantage of by cloud service providers, Davie said.

Davie acknowledged that it can be difficult to move systems to the cloud if a measured approach isn’t taken. She recommended that agencies use a phased process on a “time line that makes sense.”

“If an agency is facing a technology transition that requires a large capital investment, say in hardware, then making that technology transition may be easier and faster in the cloud,” Davie wrote.

But Davie also urged caution. “Every time you move data or applications, there is risk,” she wrote.

Source

Every Cloud Has a Silver Lining

Cloud computing (Infrastructure-as-a-Service) has already proved its value to some businesses and specific applications. It provides a way to deploy and access massive amounts of IT resources, on demand, in real time. It drives better utilization of data center resources, reducing capital expenditures and operating expenses. Most important, it provides the scalability and agility to adapt to changing business needs.

However, challenges remain with the Infrastructure-as-a-Service (IaaS) cloud computing deployment model. For enterprises that have evaluated and deployed on-premise IaaS clouds or those that use public clouds, it’s obvious that IaaS clouds require application developers and IT practitioners to install, configure, customize, optimize, and manage their deployment environments – manual tasks somewhat counter to the promise of cloud computing’s “agility” value proposition. Also, IT administrators and application developers have to maintain deep technical knowledge of multiple software components, and monitor and manage them.

Platform-as-a-Service frees application developers from infrastructure issues

With Platform-as-a-Service (PaaS), enterprises and developers get a higher value. Software stacks are pre-configured and pre-integrated in PaaS and can be available within minutes. The PaaS model abstracts the application layer from the application infrastructure; this step eliminates the need to manage infrastructure software and provides an easy-to-manage, standardized, integrated stack and multi-tenant deployment platform. PaaS technologies provide monitoring, management and auto-scaling engines that resize the resources allocated to each application in real time, taking full advantage of the scalability of the cloud. Additional platform services can be dynamically added to the PaaS globally.

The ultimate benefit is simple: developers can develop. No longer are they responsible for managing, monitoring and dynamic resource scaling. That task belongs to the PaaS platform, managed by a centralized IT department.

In addition, the PaaS model offers flexibility to build and deploy a standard set of shared components so all applications are deployed with a consistent set of software versions and releases. Centralized IT executives have full control to maintain a homogeneous and standardized development and deployment platform across the enterprise, simplifying IT operations and reducing the time needed to deliver IT resources or platforms to their departmental constituents.

Choices for enterprises for applications in the cloud

As IT organizations prepare their applications and infrastructure for cloud deployment, they must deal with enormous complexity. They must consider issues such as new deployment architectures, management and monitoring of cloud resources, application lifecycle management, software support on clouds, licensing, security, scalability, and the thorny problem of migrating existing custom applications to the cloud. Based on the application data security and compliance needs and their goals in adopting cloud computing models, enterprises have the following options to move existing applications or develop new applications:

* Acquire similar applications from SaaS vendors such as Salesforce.com, NetSuite, SuccessFactors, or RightNow. This option best suits database-centric enterprise applications such as ERP, CRM, etc. and may not apply to business-specific custom applications. However, this approach means writing off investments in existing applications and software licenses and can lead to vendor lock-in.
* Move custom applications to a public PaaS, such as Salesforce.com’s force.com, Microsoft Azure or Google App Engine; however, this option also involves a high degree of re-write and vendor lock-in, as public PaaS providers require the use of proprietary SDKs and data models. Current offerings also may not be suitable to some enterprises that must adhere to privacy and compliance standards. Further, these vendors could be a poor fit because of their limited functionality.
* Do-it-yourself PaaS. While technically doable, it is complex and could take six months to a year.
* Off-the-shelf PaaS. Use a PaaS-enablement solution vendor to build a PaaS using the set of application infrastructure components that are currently used within an enterprise and on a choice of private and public clouds.


Enterprise Java PaaS Requirements

Because of Java's ubiquity in the enterprise, IT departments have invested heavily to develop and deploy Java applications on software stacks from Oracle, IBM and Red Hat. Ideally, enterprises that wish to move applications to clouds should be able to leverage their investments in skill sets, application code and infrastructure software, without re-writing applications.

Enterprises should also be able to create their own standards-based Java PaaS on public clouds such as Amazon EC2, or private clouds such as VMware, Eucalyptus or Cloud.com using the middleware they already have.

In other words, enterprises should look for a PaaS solution that is truly architected to put IT in the driver’s seat. It must allow enterprises that prefer to run their private PaaS on Amazon EC2 to set up an enterprise-wide master account with access controls, quotas, and hard/soft limits on cloud resources for users and departments, so that IT can manage capacity, usage, security and compliance. Application developers and QA/testing teams in turn have the flexibility of an on-demand PaaS while maintaining security and compliance, as well as controlling expenses in a manageable fashion. The same functionality should be available for on-premise private clouds.

Opportunities for Cloud Service Providers

As data center outsourcing to hosting providers continues to be one of the primary initiatives in enterprises, hosting providers are evolving their offerings to accommodate IT and management requirements for new SaaS business applications and legacy custom applications. Hosting providers should consider providing Java PaaS solutions as a service to their independent software vendors and enterprise customers. Such standard PaaS solutions give enterprises and ISVs a common platform to deploy new applications and easily migrate their existing applications to the cloud. Hosting providers can also integrate a Java PaaS solution into their own IaaS environments and offer a more valuable, more complete platform solution to customers. Additionally, a Java PaaS offering would enable service providers to compete with proprietary cloud offerings in the marketplace.
