Tag Archives: SaaS

Cloud Computing Versus SaaS

As our world becomes more and more connected, the terms used to describe online services blur into abstraction. In this article, I’ll clarify the terms “cloud computing” versus “software as a service,” often referred to as SaaS. In some ways, it’s like describing two sides of the same coin. However, there are some clear distinctions, along with risks and rewards to keep in mind.

The Internet is increasingly being referred to as the cloud. One of the earliest mentions of cloud computing is in the paper The Self-governing Internet: Coordination by Design published by MIT Professors Sharon Eisner Gillett and Mitchell Kapor in 1996. Readers of a certain age will remember one of Kapor’s other ideas, a product called Lotus 1-2-3. Regardless, historically the central computers that run the nation’s telephone network were often diagrammed on flowcharts as a cloud. The intricacies of networked computers that comprise the Internet are so complex that the term has been co-opted for use in our modern society.

In the early days of computers, users rented time on a mainframe computer. A few decades later, we all became accustomed to having our own personal computers on our desk, upon which we installed shrink-wrapped software. We became responsible for upgrading our computers and software and for backing up our data. As often happens in life, though, things are coming full circle: we’re returning to the days of renting time on someone else’s computer. Instead of a single mainframe computer, though, today we may utilize a bank of computers residing in a data center in an undisclosed location. Instead of being relegated to working only at our desk, today we often use mobile devices to carry out tasks unimaginable just a few years ago.

In general, cloud computing can be thought of as any instance where you’re using a computer that resides outside of your physical location. Most users encounter cloud computing in the form of software as a service. You might pay a fee for the service, such as QuickBooks Online, Salesforce.com, or Microsoft’s Office 365, or you may pay in a nonmonetary fashion through advertising-supported and/or information-gathering models, such as Gmail, Mint, or Facebook.

With all of these applications, you’re relying on software installed and maintained on remote computers. Most often SaaS is delivered via your web browser; so long as you have a connection to the Internet, you’re able to carry out tasks that may be business or personal in nature. With this background in mind, I can provide some distinctions between cloud computing and software as a service:

  • Cloud computing gives you access to an environment that you can customize or build out to suit your needs. With SaaS, you’re limited to the features and capabilities written into the software, but cloud computing offers the ability to increase server capacity or storage space on demand.
  • Cloud computing offers elasticity, meaning your resources and costs can increase or decrease with your demands. SaaS typically involves a set fee per user, per month, so costs and the functionality offered tend to be fixed.
  • In short, cloud computing is highly customizable, whereas SaaS offers more of a one-size-fits-all approach.

Some examples of what may be considered pure cloud computing include:

  • Amazon Simple Storage Service (Amazon S3) – This service allows you to store and retrieve an unlimited amount of data, at any time of day, from any computer connected to the Internet.
  • Microsoft’s Windows Azure – This service provides virtual servers that can be used for application development and delivery.
  • Rackspace.com — Similar to Windows Azure, Rackspace.com provides servers for hire, but with a wider array of operating systems to choose from.

A primary benefit to cloud computing is that users outsource the care and maintenance of servers to firms that specialize in that capability. When demand warrants, new servers can be brought online in minutes, rather than the days required when a company maintains its own data center. Any sort of computer-based application can be hosted on cloud-based computers, from a website or shopping cart to custom programs for internal use. Thus, with cloud computing, the user is generally responsible for maintaining the applications on the server, while the hosting companies maintain the underlying physical equipment and operating system.

For SaaS, end users are removed from maintaining both the application and the server equipment. Benefits of SaaS versus desktop programs include:

  • Applications, such as QuickBooks Online, allow you to access accounting records from anywhere in the world, instead of from specific computers within your office.
  • New features appear in the software automatically, so there’s no need to purchase a software upgrade to be physically installed on each of your computers.
  • Your data is backed up automatically, so a local hard drive crash won’t affect your data.

Despite all of the benefits that cloud computing and SaaS provide, there are still risks to consider and manage:

  • Consider the recent situation with megaupload.com, where certain purported illegal actions by a subset of users caused everyone using the service to lose access to data. Think about a toddler having a certain bodily function in a public swimming pool – everyone has to suddenly get out of the water. Similarly, actions by one or more rogue users can cause unexpected and dramatic disruptions for everyone else sharing a cloud-based resource.
  • Both cloud computing and SaaS involve trust, in that you’re trusting an organization to hold up its end of the bargain. Intuit, maker of QuickBooks, last year experienced a spate of outages that caused business interruptions for users of their myriad online services.
  • A service you trust and rely on could suddenly change hands, such as Facebook’s recent acquisition of Instagram. You may then be forced to find a new service provider if you have philosophical differences with the new owner of a tool that you’ve relied on or if customer service levels start to slip to unacceptable levels.
  • If you stop paying for the service, access to your data can be immediately terminated. However, many providers offer a grace period. For instance, if you cancel your QuickBooks Online account, your data is maintained for a year, should you decide to resubscribe to the service.

Author: David H. Ringstrom, CPA

SaaS Revenues To Top $14 Billion

Global sales of software as a service (SaaS) are rising steadily with increased adoption, and total worldwide revenues are expected to top $22 billion by 2015.

According to the latest market report from analyst firm Gartner, SaaS revenue is forecast to reach $14.5 billion this year, a 17.9 percent increase from 2011 revenue of $12.3 billion, with healthy growth through to 2015, when revenue is forecast to reach $22.1 billion.

“After more than a decade of use, adoption of SaaS continues to grow and evolve regionally within the enterprise application markets,” said Sharon Mertz, research director at Gartner. “Increasing familiarity with the SaaS model, continued oversight on IT budgets, the growth of platform as a service (PaaS) developer communities and interest in cloud computing are now driving adoption forward.”

Gartner reports that, although growing interest has been observed in vertical-specific software, the most widespread use is still characterised by horizontal applications with common processes, among distributed virtual workforces and within Web 2.0 activities.

“The top issues encountered when deploying SaaS vary by region,” said Mertz. According to Mertz, limited flexibility of customisation and limited integration to existing systems are the primary reasons in North America. “In EMEA, network instability is the issue most frequently encountered, whereas longer-than-expected deployments are the top issue in Asia/Pacific. Vendors are more aggressively pursuing SaaS buyers outside traditional markets by offering local-language availability, forming alliances and constructing data centres to accommodate local requirements.”

SaaS revenue in Asia/Pacific – including in Australia – is on pace to reach $934.1 million in 2012, up from $730.9 million in 2011, Gartner reports.

Gartner says that, overall, SaaS adoption in Asia/Pacific has been fragmented, and Asia/Pacific (excluding Japan) is a combination of mature markets, such as Australia, New Zealand, Hong Kong, Singapore, South Korea and Taiwan, and emerging markets, including China, India, Malaysia, Thailand, Indonesia, Vietnam and the Philippines. “SaaS financial (accounting) applications are most popular, particularly in China and India. The next-highest SaaS usage is for ERP functions — such as expense management and employee performance management — followed by office suites, email and the CRM sales function,” Mertz says.

While the Japanese economy is still struggling and IT budgets are limited, Gartner says that the demand for SaaS solutions is increasing due to the country’s lower implementation costs and faster deployment times. SaaS revenue in Japan is forecast to reach $495.2 million in 2012, up from $427 million in 2011, with Gartner forecasting that growth of the SaaS market in Japan through 2015 will be led by CRM and email/groupware, which already have actual demand.

According to Gartner, North America, specifically the US, currently represents the largest opportunity for SaaS, and it is the most mature of the regional markets. North American SaaS software revenue is forecast to total $9.1 billion in 2012, up from $7.8 billion in 2011. Consistent with other regions, Gartner says North America shows the highest SaaS deployments in expense management, financials, email and office suites, with use of Web conferencing higher in North America than in other regions, in part because of a highly distributed workforce.

In Western Europe, SaaS revenue is forecast by Gartner to surpass $3.2 billion in 2012, up from $2.7 billion in 2011, while SaaS revenue in Eastern Europe is projected to reach $169.4 million, up from $135.5 million last year.

Gartner analysts say SaaS adoption in EMEA is currently running at two speeds – in Western Europe, the most developed subregion, SaaS offerings and adoption rates are rapidly increasing as North America-based SaaS vendors further penetrate the region and the number of local European SaaS vendors increases. In Eastern Europe and the Middle East and Africa, which are small and emerging markets overall, Gartner says the potential opportunity for SaaS is more in the “medium to long term due to ongoing infrastructure challenges” that vendors need to overcome if they are to be successful in these regions.

Author: Peter Dinham

Improve Performance While Lowering Costs

Expertly meshed information technology and voice technology services are the perfect combination of near term problem solving and long term competitive opportunities for organizations today.  Delivered across a redundant and highly performing mesh infrastructure, mesh services have proven to lower or completely eliminate technology ownership problems, while improving the customer experience and productivity gains.  Industry leading technologies and technology talent are available in any fraction or combination to fit your exact operational and budgetary expectations.



Intellectual Property On Demand – meshIP

Make good decisions or bad decisions.  There are more advancing and powerful technologies available in the market than most organizations or executives can keep abreast of – let alone effectively leverage or turn into a strategy.  The meshIP service offers technology-seasoned experts to validate or map your technology strategy, address and achieve operational excellence, execute a winning financial strategy, or provide sales and marketing counseling to leverage the most advanced strategies and technologies.  Compare this service to a CEO, CFO, CIO, or CMO on demand.

Consumable Desktop, Servers, and Cloud Applications – meshDESK

Spend too much to own, or only pay as you go.  Every day a host of advanced technologies and services improve in environments owned and operated by technology companies.  If you are not a technology company, chances are you are wasting money.  The meshDESK service takes responsibility for cost, compliance, and spending risk so you do not have to.  Leverage simple to access hardware, storage, applications, and security controls that can grow or shrink month-to-month.  Compare this service to your utility company relationship.  You only pay when you turn on the lights.

Highly Agile Voice Communications On Demand – meshPBX

If you are not communicating how your customers want, your competitors will.  Aging systems and limited agility are proving to drive unnecessary reinvestment and long term capital risk.  Today, customers demand predictable voice and messaging access.  Advanced voice technologies make this simple and possible.  The meshPBX service combines enterprise system functions with low cost network utilization, while incorporating voice to email and other messaging opportunities.  Compare this to 911.  When they need you, you are there.

Our mesh services are uniquely architected for sole proprietors and global enterprise utilization alike.  Desktop applications, storage, business continuation and security are offered at $99 per month per user.  meshPBX features and voice network utilization including long distance start at $29 per month per user.  Simply add or remove users as needed.   Please contact us today for a tailored evaluation and quotation.  The savings can start immediately and your competitive technology position is guaranteed to be future proofed.

www.meshIP.com

800.759.3195

meshIP Launches Two New Services!

meshIP, LLC is pleased to announce the launch of two new services! meshIP was formed five years ago and has specialized in company formation, business plan development, funding and growth strategies. We are adding to our capabilities to assist small and mid-sized firms in their growth by offering hosted computing and telecommunications services. These offerings allow our clients to get out of the IT business and focus on their business.

Our meshDESK service offering allows businesses to end the cycle of information technology overspending and support frustration by moving your users to on demand access of our global application and infrastructure cloud.

Cloud computing is enabling customers to access IT services without any infrastructure investment or any services deployed in-house. meshDESK is an integrated service that takes complex services and makes them simply consumable to businesses and agencies.

Our meshPBX service offering is an advanced telephone system platform that is owned and operated within the best data centers in the world – so you can safely transfer your operational needs and risk to us, while enjoying exceptional pricing.

Most importantly, meshPBX is highly configurable to demanding and unusual collaboration environments, while providing a long list of standard elements to meet your expectations of high mobility, messaging integration, security, and audit.

We are excited to be offering these two new services. Please check out www.meshIP.com to learn more about our capabilities.

The CIO Versus Users Who Buy Their Own IT

The CIO as we understand the role is under threat from Cloud Computing, and ICT professionals need to start getting smart about their function.

That was the stark warning from Oracle, a company whose conversion to the Cloud has taken time to go public. While once dismissed by CEO Larry Ellison as “just water vapour”, Cloud is now firmly on the Oracle road map as a top priority.

Hence the appearance of John Abel, chief architect for Oracle, at the firm’s Cloud Conference in London this week where he told delegates that they had to get closer to the business side of the organisation – and at an earlier stage in order to stop non-techies from procuring their own ICT services.

Such ‘land and expand’ strategies have been commonplace in private sector Cloud Computing where departmental heads in, for example, sales have grown tired of waiting for an official ICT department roll out of new functionality and instead subscribed to Salesforce.com off their own backs.

“CIOs need to make sure that they are part of the business conversation early on. For the first time, thanks to Cloud Computing, the business is able to sub-navigate IT,” warned Abel. “Project control is becoming increasingly important for CIOs, because now the business thinks that it doesn’t need IT and it can go and procure its own IT capabilities with SaaS.

“The business person of the future is the same person that will be used to using Facebook and Twitter. They will be used to instant access, they want IT now,” he added. “That’s the challenge that IT has with Cloud, because if IT can’t give the business that instant capability, they will go and get it from somewhere else.”

This isn’t necessarily a threat, though, he argued, as it gives the ICT Professional a new form of engagement with the organisation. “A good CIO will use this as an opportunity, whereas CIOs that are more conservative, or more risk averse, will see it as a threat,” he said. “The IT department can capture this problem early and initiate discussions with the business.

“They will work with the business to understand what direction they are moving in, to understand how the IT capability and Cloud can be used to get it there. If they haven’t had that conversation and captured those requirements early, they will be in trouble.”

Author: Stuart Lauchlan

What SMBs Need To Know About SaaS

Software as a Service is one of—if not the most—popular cloud delivery models for small- and medium-sized businesses. According to Gartner’s Hype Cycle for Cloud Computing (2011), SaaS is entering the mainstream market in the next two to five years.

The SaaS model levels the playing field between growing businesses and larger competitors, by equipping SMBs with application functionality that only large enterprises previously enjoyed. Moreover, this increase in functionality no longer requires huge investments in technology and resources. SMBs no longer have to worry about the costs and investment associated with building and maintaining an infrastructure to support modern business applications as the SaaS subscription and delivery model now makes these applications affordable to businesses of all sizes.

While SaaS adoption continues to grow amongst SMBs, it’s important to realize that nothing is ever as easy as it seems. There are thousands of SaaS applications on the market today. Which ones have the right features for your business? Which ones have the security and scalability you need? How do you get started and what support should you expect? How do you pull all these solutions together, with your existing applications and make sure they support your business?

These are important questions that growing companies typically have little time to consider, particularly with limited IT resources. Once you get beyond the basics of SaaS like cost, infrastructure, access, maintenance and support, here is the next level of items growing businesses should consider when choosing a SaaS solution:

Integration

As growing businesses increase their use of SaaS technology, the need for integrating the businesses’ applications is critical. With little appetite to rip and replace existing applications at once, SMBs must ensure that they connect new SaaS applications to legacy systems. When looking for a SaaS integration solution, SMBs should look for these main characteristics: 1. Simple to implement; 2. Out-of-the-box connectors with cloud and legacy systems; 3. Ability to configure without customization.

Analytics

Today’s organizations are overwhelmed with data that is siloed on a number of disparate business applications including sales, finance and human resources. SMBs struggle to access and analyze the data they need to get an overall view of business performance.

Today most businesses rely on spreadsheet-based reports that are cumbersome to build and maintain and are frequently out-of-date. They need an analytics tool that comes out of the box with 70 percent of the cross-application reporting capabilities they need yet is flexible enough to be configured and modified as the business changes.

Partners

While the comfort level with cloud computing is growing, many businesses are still wondering “Where do I begin?” When SMBs start to think about expanding their software portfolio from a sea with thousands of seemingly identical SaaS applications, it’s worthwhile to find a trusted partner to help along the way.

Thankfully, there is a new class of partners emerging who offer an end-to-end solution and who are capable of delivering multiple SaaS applications, plug and play integrations, cross application analytics and turnkey services. These partners have the experience and track record to help SMBs choose a solution and stand behind it. With limited IT staff, SMBs don’t have time to sift through all the options, and the value proposition a partner can bring is significant for a small- or medium-sized business.

Now that the market is transitioning, there are new SaaS partner models emerging with companies offering end-to-end services including implementation, integration, business process consulting and support across multiple applications. If you are a growing company with limited IT resources, consider looking at a partner who offers a total solutions approach.


Pros And Cons Of The Cloud

When you talk to a bona fide Cloud supplier, they talk in a straightforward, clear and non-technical way about the business benefits of Cloud computing. However, in the same way that two hundred jumbo jets landing safely at Heathrow is not news but one jumbo jet crashing is news, Cloud makes the headlines when it fails and for those who over-complicate it.

Cloud computing provides organisations with an alternative way of obtaining IT services and offers many benefits including increased flexibility as well as cost reduction. However many organisations are reluctant to adopt the Cloud because of concerns over information security and a loss of control over the way IT service is delivered. These fears have been exacerbated by recent events reported in the press including outages by Amazon and the three-day loss of Blackberry services from RIM. So what approach can an organisation take to ensure that the benefits of the Cloud outweigh the risks?

Before we de-mystify Cloud computing let’s define it.

Different people interpret cloud computing differently so let’s settle on the National Institute of Standards and Technology (NIST SP800-145) definition as the best one: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of:

* Five essential characteristics (on demand self service, broad network access, resource pooling, rapid elasticity, measured service),
* Three service models (IaaS, PaaS, SaaS), and
* Four deployment models (public, private, hybrid, community).”
* Measured service (cloud systems automatically control and optimize resource use by leveraging a metering capability. Resource usage can be monitored, controlled, and reported to provide transparency).

What makes Cloud computing so compelling to those who use it?

• Confidentiality—Cloud computing solutions provide powerful authentication and authorisation layers. Ironically, since these solutions are used by lots of different organisations the cloud solutions are more secure. The applications which are developed by a company on top of the infrastructure or platform remain the responsibility of the company.
• Privacy- Cloud computing solutions provide good protection for sensitive information
• Integrity—Cloud computing solutions provide similar protection of data integrity.
• Availability—Cloud computing suppliers produce the infrastructure and bandwidth to give companies real high speed access, storage and applications. All organisations should still ensure that they have made arrangements for outages. Cloud computing even allows more reliable backup and recovery.
• Resiliency—Cloud providers have disaster recovery equipment to ensure that you will survive untouched by any type of negative event.
• Compliance—Every company has to comply with a huge range of laws, regulations and standards. If data is demanded by the authorities, cloud computing service providers can provide this without compromising any other information.
• Licensing—Cloud computing allows companies to only use those licenses needed at a specific point in time removing any concerns about using illegal software.
• Reliability—Cloud computing provides solutions where people are.
• Transparency—Cloud computing service providers can demonstrate the existence of effective and robust security controls, assuring companies their information is properly secured against unauthorised access, change and destruction.
• Monitoring—Measurable and transparent monitoring is provided by default by solution providers to companies.
• Integration—Cloud computing solutions provide the missing links to integrate with existing internal solutions.
• Network centric—Cloud computing solutions are, by default, offered via the network.
• Certification—Cloud computing service providers can provide proper assurance that they are doing the “right” things. Independent assurance from third-party audits and/or service auditor reports is a vital part of any service provider assurance program.

What added-value?

Cloud computing offers organisations the ability to scale without large financial commitments upfront for infrastructure acquisition and maintenance. Capital expenditure with cloud computing is much lower since services and storage are available on demand and are priced as a pay-as-you-go service. Capital expenditure is largely replaced with operational expenditure. Savings on unused server space and licenses also allow companies to contain costs.

Cloud provides on-demand convenience which is a core added value for many companies since they can unilaterally provision computing capabilities as needed automatically without requiring human interaction with cloud services providers. Cloud services offer both increased flexibility and scalability for the evolving IT needs of companies, allowing for traffic spikes and reducing the time to implement new services whilst increasing innovation.

Companies can also focus on their core business, rather than be concerned about solving peak business demands for performance. One of the major added value impacts of cloud computing is that the business is back in control over its solutions. Business departments can find their own solutions online and decide themselves if they go ahead or not without the intervention of others.

Cloud services allow organisations to better use existing infrastructures and increase productivity and transform business processes using methods that were prohibitively expensive before the cloud. Cloud computing allows business departments to detach their IT needs from their infrastructure and allows data to be stored in a centralised easily accessible manner which the user finds easier. Of course, virtualisation has made it impossible to physically pinpoint the exact physical disc where data is stored.

Instead of extensive discussions, analysis and lots of people involved in developing and testing applications and data solutions, business units are able to activate and use practical solutions in days. This has a fundamental impact on the agility of a business and the reduction of costs associated with time delays. One of the cornerstones of cloud computing is that it can automatically control and optimise resource use by leveraging a metering capability appropriate to the type of service. Resource usage can be monitored, controlled, and reported providing transparency for both the provider and company of the used service.

Another added value of cloud computing is less energy usage and using existing energy at the cloud computing service provider, which might have different locations and choose where energy is cheapest to buy. Re-allocating IT operational activities to cloud computing offers companies the opportunity to focus on innovation and research and development. This allows for growth.

The key premise of the cloud is that by outsourcing portions of information management and IT operations, enterprise workers will be free to improve processes, increase productivity and innovate while the cloud provider handles operational activity smarter, faster and cheaper. Assuming this to be the case, significant changes to the existing business processes will likely be required to take advantage of the opportunities that cloud services offer.

When moving to the Cloud it is important that the business requirements for the move are understood and that the Cloud service selected meets these needs. Taking a good governance approach, such as COBIT, is the key to safely embracing the Cloud and the benefits that it provides without fear and with many advantages as I hope I have demonstrated.

Author: Constantine Galonis

High-End Trading Strategists See Cost Savings in Cloud Computing

Cloud computing is changing the world for sophisticated institutional investors – even those who have never used Internet-based servers to execute a trade or stress-tested a high-frequency trading strategy. The result, according to experts, will be a lower cost structure for performing high-end trades and more widespread access to the computing power needed to develop and execute complex algorithmic trading strategies.

Cloud computing – on-demand self-service Internet infrastructure where you pay-as-you-go and use only what you need – is growing fast. Revenues in 2009 topped $56 billion for a 20 percent-plus increase from the previous year, according to technology research firm Gartner Inc., which projects the market hitting $150.1 billion in 2013.

What makes computing in “the cloud” so attractive to institutional investors is that it enables an end user to “rent” computing time from organizations with huge server capacity, such as Google, IBM, Salesforce.com, Savvis, Microsoft’s Windows Azure, Amazon Elastic Compute Cloud (Amazon EC2), and Rackspace Cloud.

Firms now have a choice. They can build and maintain their own data centers, which can cost $1 million even if they cover only two or three markets, estimates Ken Yeadon, managing partner of Thematic Capital Partners LLP, a London-based venture capital firm that specializes in trading infrastructure. Or they can use cloud providers’ servers to test new trading strategies, back test and run time series analyses, and even execute trades.

“High-frequency trading strategies start with a lot of data analysis and often have a long R&D cycle,” notes Yeadon. “This can involve very expensive computational processes. You might need 1,000 CPUs working together in conjunction as a supercomputer for a short period of time. With cloud computing, instead of building the data center infrastructure yourself, you can test the strategy as long as you need to, on demand, and if it doesn’t stack up, you just shut it down and stop paying for it. These types of strategy would simply not be commercially viable otherwise for anyone except the very largest market participants.”

Providers like Amazon EC2 tend to charge the user only for the time and capacity used, rather than passing on a percentage of their total costs – including maintenance, troubleshooting, security and other capabilities. For instance, one Rackspace server with a 620GB disk and 8,192MB of RAM costs $0.96 per hour, or $700.80 per month – along with two basic charges of $100 a month and a $0.12 charge per server hour.

The capacity and flexibility of these systems, gained from experience hosting social networking and other large, complex “retail” systems, is far greater than that of proprietary systems at even the largest banks. The result, says Yeadon, is that renting space and time on the cloud is many times less expensive than designing and building one’s own hardware infrastructure.

Trading technology and analytics on the cloud is still in the early stages, says Lloyd Altman, senior executive in the capital market practice at consultant Accenture. Early adopters include newer and smaller players – “the proprietary trading firm with four or five people” – as well as managed service providers that cater to them, including Fixednetix – in which Thematic holds a stake – and Thomson Reuters Elektron.

The same goes for trading-related software-as-a-service, or SaaS, applications that users can license and run on demand. Microsoft is getting into the act as well with the introduction last summer of PowerPivot, a new version of Excel that can process at least 100 million rows of data simultaneously and runs on the Windows Azure cloud platform. “Cloud computing is permeating the whole supply chain,” says Yeadon.

Larger institutions, which often have a considerable investment in their existing data infrastructure, are less likely to move parts of their trading operations to the cloud – at least in the near term. But some banks are already adopting cloud platforms for other aspects of their work, suggesting that they haven’t closed their doors to the idea.

“We will never buy another data center,” Michael Harte, CIO of Commonwealth Bank of Australia, said in a speech to the Committee for Economic Development in Australia last April. “We will never buy another rack or server or storage device or network device again. I will never let any organization that I work for get locked into proprietary hardware or software again.”

One solution some banks are looking into is internal or “private” cloud networks, which virtualize their own computing services. Much of the technology that goes into creating and operating external clouds is now available to large organizations through vendors such as Eucalyptus Systems.

Analytics, research, and testing of trading strategies are the parts of the process that institutions find easiest to migrate to the cloud at present: “the stuff you need to do to get the car to the racetrack,” as Yeadon puts it. Actual trade execution? Not to the same extent, experts say.

“Program trades involving baskets of stocks, possibly yes,” says Altman. “But these need to take place in milliseconds. Ultra-high frequency, algorithmically decided trades based on real-time price moves, taking place in microseconds, are not going to move to the cloud.” Nevertheless, Yeadon notes, there are savings for managers who can break up baskets of trades, using managed service providers that specialize in low-latency, ultra-high-speed automated trading for the transactions that need it, while saving money on the rest by using vendors that access the cloud.


SaaS, PaaS, and IaaS: A Security Checklist for Cloud Models

How does security apply to Cloud Computing? In this article, we address this question by listing the top five security challenges for Cloud Computing and examining some of the solutions to ensure secure Cloud Computing.

Organizations and enterprises are increasingly considering Cloud Computing to save money and to increase efficiency. However, while the benefits of Cloud Computing are clear, most organizations continue to be concerned about the associated security implications. Due to the shared nature of the Cloud where one organization’s applications may be sharing the same metal and databases as another firm, Chief Security Officers (CSOs) must recognize they do not have full control of these resources and consequently must question the inherent security of the Cloud. However, it is important to note that Cloud Computing is not fundamentally insecure; it just needs to be managed and accessed in a secure way.

All Cloud Models Are Not the Same

Although the term Cloud Computing is widely used, it is important to note that all Cloud Models are not the same. As such, it is critical that organizations don’t apply a broad-brush, one-size-fits-all approach to security across all models. Cloud Models can be segmented into Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). When an organization is considering Cloud security it should consider both the differences and similarities between these three segments of Cloud Models:

SaaS: this particular model is focused on managing access to applications. For example, policy controls may dictate that a sales person can only download particular information from sales CRM applications: they may be permitted to download only certain leads, within certain geographies or during local office working hours. In effect, the security officer needs to focus on establishing controls regarding users’ access to applications.

PaaS: the primary focus of this model is on protecting data. This is especially important in the case of storage as a service. An important element to consider within PaaS is the ability to plan against the possibility of an outage from a Cloud provider. The security operation needs to consider providing for the ability to load balance across providers to ensure fail over of services in the event of an outage. Another key consideration should be the ability to encrypt the data whilst stored on a third-party platform and to be aware of the regulatory issues that may apply to data availability in different geographies.

IaaS: within this model the focus is on managing virtual machines. The CSO’s priority is to overlay a governance framework that lets the organization put controls in place regarding how virtual machines are created and spun down, thus avoiding uncontrolled access and potentially costly wastage.

The following check-list of Cloud Security Challenges provides a guide for Chief Security Officers who are considering using any or all of the Cloud models.

For CSOs focused on PaaS

Challenge #1: Protect private information before sending it to the Cloud

There are already many existing laws and policies in place which disallow the sending of private data onto third-party systems. A Cloud Service Provider is another example of a third-party system, and organizations must apply the same rules in this case. It’s already clear that organizations are concerned at the prospect of private data going to the Cloud. The Cloud Service Providers themselves recommend that if private data is sent onto their systems, it must be encrypted, removed, or redacted. The question then arises: “How can the private data be automatically encrypted, removed, or redacted before sending it up to the Cloud Service Provider?” It is known that encryption, in particular, is a CPU-intensive process which threatens to add significant latency to the process.

Any solution implemented should broker the connection to the Cloud Service and automatically encrypt any information an organization doesn’t want to share via a third party. For example, this could include private or sensitive employee or customer data such as home addresses or social security numbers, or patient data in a medical context. CSOs should look to provide for on-the-fly data protection by detecting private or sensitive data within the message being sent up to the Cloud Service Provider, and encrypting it such that only the originating organization can decrypt it later. Depending on the policy, the private data could also be removed or redacted from the originating data, but then re-inserted when the data is requested back from the Cloud Service Provider.
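The redact-then-re-insert policy described above can be sketched as follows. This is an added example, not code from the article or from any broker product: the `RedactingBroker` class, the token format and the sample record are assumptions, and it covers only the redaction option (no encryption) for one kind of private data, US social security numbers.

```python
import re
import secrets

# Pattern for US social security numbers, one of the article's examples of private data.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Format of the placeholder tokens this sketch issues (an assumption, not a standard).
TOKEN_RE = re.compile(r"\[\[PRIV:[0-9a-f]{16}\]\]")


class RedactingBroker:
    """Hypothetical broker sitting between the organization and a cloud service."""

    def __init__(self):
        # token -> original value; stays on-premises and is never sent to the provider.
        self._vault = {}
        # original value -> token, so a repeated value always maps to the same token.
        self._issued = {}

    def _tokenize(self, match):
        value = match.group(0)
        token = self._issued.get(value)
        if token is None:
            # Random token: reveals nothing about the value it replaces.
            token = "[[PRIV:%s]]" % secrets.token_hex(8)
            self._issued[value] = token
            self._vault[token] = value
        return token

    def outbound(self, message):
        """Redact private values from a message before it leaves for the cloud."""
        return SSN_RE.sub(self._tokenize, message)

    def inbound(self, message):
        """Re-insert the original values into data returned by the provider."""
        def restore(match):
            # Tokens this broker never issued are left untouched.
            return self._vault.get(match.group(0), match.group(0))
        return TOKEN_RE.sub(restore, message)


# Constructed sample record, not real data.
SAMPLE = "name=Jane Roe; ssn=078-05-1120; note=spouse ssn 219-09-9999; dup=078-05-1120"

if __name__ == "__main__":
    broker = RedactingBroker()
    sent = broker.outbound(SAMPLE)
    print("to cloud :", sent)
    print("restored :", broker.inbound(sent))
```

The vault is the sensitive asset in this design: if it is lost the redacted values cannot be restored, and if it leaks the redaction is undone, so it needs the same protection as an encryption key.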

For CSOs Focused on SaaS

Challenge #2: Don’t replicate your organization in the Cloud

Large organizations using Cloud services face a dilemma. If they potentially have thousands of employees using Cloud services, must they create thousands of mirrored users on the Cloud platform? Providing single sign-on between on-premises systems and the Cloud removes this requirement.

Users with multiple passwords are also a potential security threat and a drain on IT Help Desk resources. The risks and costs associated with multiple passwords are particularly relevant for any large organization making its first foray into Cloud Computing and leveraging applications or SaaS. For example, if an organization has 10,000 employees, it is very costly to have the IT department assign new passwords to access Cloud Services for each individual user. And when a user forgets their password for the SaaS service and resets it, they have an extra password to take care of.

By leveraging single sign-on capabilities an organization can enable a user to access both the user’s desktops and any Cloud Services via a single password. In addition to preventing security issues, there are significant cost savings to this approach. For example, single sign-on users are less likely to lose passwords, reducing the assistance required from IT helpdesks. Single sign-on is also helpful for the provisioning and de-provisioning of passwords. If a new user joins or leaves the organization there is only a single password to activate or deactivate vs. having multiple passwords to deal with. In a nutshell, the danger of not having a single sign-on for the Cloud is increased exposure to security risks and the potential for increased IT Help Desk costs, as well as the danger of dangling accounts after users leave the organization, which are open to rogue usage.

For CSOs focused on PaaS

Challenge #3: Keep an Audit Trail

Usage of Cloud Services is on a paid-for basis, which means that the finance department will want to keep a record of how the service is being used. The Cloud Service Providers themselves provide this information, but in the case of a dispute it is important to have an independent audit trail. Audit trails provide valuable information about how an organization’s employees are interacting with specific Cloud services, legitimately or otherwise!

The end-user organization could consider a Cloud Service Broker (CSB) solution as a means to create an independent audit trail of its cloud service consumption. Once armed with his/her own records of cloud service activity the CSO can confidently address any concerns over billing or verify employee activity. A CSB should provide reporting tools to allow organizations to actively monitor how services are being used. There are multiple reasons why an organization may want a record of Cloud activity, which leads us to discuss the issue of Governance.
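One way a broker-side audit trail could support both uses named above, billing disputes and review of employee activity, is sketched below. This is an added example, not code from the article or from any CSB product: the `AuditTrail` class, the record fields, the key and the sample figures are all assumptions. Each entry is chained to the previous one with an HMAC under a key the organization holds, so an altered entry is detectable.

```python
import hashlib
import hmac
import json
from collections import defaultdict

GENESIS = "0" * 64  # chain start value for the first entry


class AuditTrail:
    """Hypothetical broker-side log of cloud calls, chained with HMAC-SHA256."""

    def __init__(self, key):
        self._key = key      # held by the organization, not by the cloud provider
        self.entries = []

    def _mac(self, prev, record):
        body = prev + json.dumps(record, sort_keys=True)
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def record(self, user, service, operation, units):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        rec = {"user": user, "service": service, "op": operation, "units": units}
        self.entries.append({"record": rec, "mac": self._mac(prev, rec)})

    def verify(self):
        """Return the index of the first altered entry, or -1 if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if not hmac.compare_digest(entry["mac"], self._mac(prev, entry["record"])):
                return i
            prev = entry["mac"]
        return -1

    def usage_by_service(self):
        totals = defaultdict(int)
        for entry in self.entries:
            totals[entry["record"]["service"]] += entry["record"]["units"]
        return dict(totals)


def reconcile(trail, invoice):
    """Services where billed units differ from logged units: {service: (logged, billed)}."""
    logged = trail.usage_by_service()
    return {s: (logged.get(s, 0), invoice.get(s, 0))
            for s in set(logged) | set(invoice)
            if logged.get(s, 0) != invoice.get(s, 0)}


def build_sample():
    # Constructed sample activity; users, services and units are made up.
    trail = AuditTrail(key=b"constructed-demo-key")
    trail.record("alice", "storage", "PUT", 120)
    trail.record("bob", "crm", "EXPORT", 5)
    trail.record("alice", "storage", "GET", 30)
    return trail


if __name__ == "__main__":
    t = build_sample()
    print("chain intact:", t.verify() == -1)
    print("disputed:", reconcile(t, {"storage": 400, "crm": 5}))
```

The chain check catches an edited or reordered entry but not entries dropped from the end of the log, so the latest MAC should also be copied somewhere the log's writer cannot change.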

For CSOs focused on IaaS


Challenge #4: Governance: Protect yourself from rogue cloud usage and redundant Cloud providers

The classic use case for Governance in Cloud Computing is when an organization wants to prevent rogue employees from mis-using a service. For example, the organization may want to ensure that a user working in sales can only access specific leads and does not have access to other restricted areas. Another example is that an organization may wish to control how many virtual machines can be spun up by employees, and, indeed, that those same machines are spun down later when they are no longer needed. So-called “rogue” Cloud usage must also be detected, so that an employee setting up their own accounts for using a Cloud service is detected and brought under an appropriate governance umbrella.

Whilst Cloud Service providers offer varying degrees of cloud service monitoring, an organization should consider implementing its own Cloud service governance framework. The need for this independent control is of particular benefit when an organization is using multiple SaaS providers, i.e. HR services, ERP and CRM systems. However, in such a scenario the CSO and Chief Technology Officer (CTO) also need to be aware that different Cloud Providers have different methods of accessing information. They also have different security models on top of that.

Some use REST, some use SOAP and so on. For security, some use certificates, some use API keys, which we’ll examine in the next section. Some simply use basic HTTP authentication. The problem that needs to be solved is that these cloud service providers all present themselves very differently. So, in order to use multiple Cloud Providers, organizations have to overcome the fact they are all different at a technical level.

Again, that points to the solution provided by a Cloud Broker, which brokers the different connections and essentially smoothes over the differences between them. This means organizations can use various services together. In situations where there is something relatively commoditized like storage as a service, they can be used interchangeably. This solves the issue of what to do if a Cloud Provider becomes unreliable or goes down and means the organization can spread the usage across different providers. In fact, organizations should not have to get into the technical weeds of being able to understand or mitigate between different interfaces. They should be able to move up a level where they are using the Cloud for the benefits of saving money.

For CSOs focused on SaaS, PaaS and IaaS

Challenge #5: Protect your API Keys

Many Cloud services are accessed using simple REST Web Services interfaces. These are commonly called “APIs”, since they are similar in concept to the more heavyweight C++ or Java APIs used by programmers, though they are much easier to leverage from a Web page or from a mobile phone, hence their increasing ubiquity. “API Keys” are used to access these services. These are similar in some ways to passwords. They allow organizations to access the Cloud Provider. For example, if an organization is using a SaaS offering, it will often be provided with an API Key. The protection of these keys is very important.

Consider the example of Google Apps. If an organization wishes to enable single sign-on to their Google Apps (so that their users can access their email without having to log in a second time) then this access is via API Keys. If these keys were to be stolen, then an attacker would have access to the email of every person in that organization.

The casual use and sharing of API keys is an accident waiting to happen. Protection of API Keys can be performed by encrypting them when they are stored on the file system, or by storing them within a Hardware Security Module (HSM).

Conclusion: Homemade or Off-the-shelf?

When implementing a security framework to address these challenges, the CSO is faced with a buy vs. build option. They could engage developers to put together open source components to build Cloud Service Broker-like functionality from scratch. This approach creates the runtime components of a broker, such as routing to a particular Cloud Service Provider. However, other components of the solution, such as reporting and an audit trail, may not be present. An off-the-shelf Cloud Service Broker product will provide these extra features as standard and should also provide support for all the relevant WS-Security standards at a minimum.

As the Cloud Security Alliance notes in its Security Guidance White Paper, “Cloud Computing isn’t necessarily more or less secure than your current environment. As with any new technology, it creates new risks and new opportunities. In some cases moving to the cloud provides an opportunity to re-architect older applications and infrastructure to meet or exceed modern security requirements. At other times the risk of moving sensitive data and applications to an emerging infrastructure might exceed your tolerance.” I hope this article provides sufficient data points to guide readers on their journey.


New Buzzword, Old Legal Issues

As an observer of the information technology and Internet industries for several decades, I watch with great amusement as new buzzwords surface for old IT concepts.

I was rewarded not too long ago, when the term “cloud computing” appeared on the scene. The technology concept behind cloud computing has been around for more than 50 years, and the legal issues are equally old. Those concerns remain unchanged, despite the new buzzwords.

Dartmouth Time-Sharing – 1964

Connecting to computers remotely (think connecting to a mainframe over telephone lines) has been around since at least 1964, but the current marketing buzz about cloud computing might make you think it’s something new. It’s just not true.

“Cloud computing” is merely the newest label for the 1964 remote computing service originally called “time-sharing” at Dartmouth College. Dartmouth “time-sharing” used General Electric 235 computers (and dumb terminals — teletype 33/34) over telephone lines. Since 1964, the same idea of using remote computing as “time-sharing” has been given a number of labels:

Application Service Provider (ASP)
Software as a Service (SaaS)
Platform as a Service (PaaS)

At a recent conference, I attended a panel discussion about cloud legal issues; however, not once did the panel ever refer to any of these prior names. In fact, the panel members acted as if the technology and legal issues raised by cloud computing were something new.

How the Big Internet Players Address Cloud Legal Issues

The major cloud providers include IBM, Microsoft, Amazon, Google and Salesforce.com. Their Terms of Service (ToS) are generally standardized for single and small users — however, major customers can and do negotiate their arrangements.

Small users have no choice. They have to agree to terms that are likely confusing without a lawyer’s help. For example, the standard legal terms of Amazon Elastic Compute Cloud (Amazon EC2) include seven different links:

AWS Acceptable Use Policy
AWS Customer Agreement
AWS Service Terms
AWS Tax Help
AWS Trademark Guidelines
Privacy Policy
Terms of Use

What Legal Terms Are Most Important?

If your company is using the cloud to store or access business data, and if you have the clout to negotiate, there are a few key issues you should address:

How will you get your data when you are no longer happy using your cloud service provider?

Inevitably, each cloud customer will stop using its cloud provider at some point for some reason. When that happens, options are limited to 1) moving the processing back in-house and off the cloud; or 2) moving to another cloud provider. Cloud customers’ lawyers need to negotiate with their cloud providers to clearly define closure, including the data format and the cost for migration of the data to another location. Failure to address this could result in an expensive and painful migration, or a business decision to be stuck without the practical ability to change, similar to the days when changing cell carriers required losing your cellphone number, making customers reluctant to switch.

After termination, be sure the cloud provider deletes your data.

It is essential that the old cloud provider not retain the customer’s business data, such as accounting and customer data, and other business records. Deletion is even more important because of regulations related to privacy (including credit card information and/or HIPAA health data). The cloud provider agreement must clearly obligate the cloud provider to delete data from its system (including backups) after the customer has migrated away. Of course, the cloud provider should be bound to protect all confidential data at all times.

Understand data backup obligations.

Speaking of backups, companies routinely create data backups, and cloud providers are no different. Therefore, cloud provider agreements must clearly delineate how customer data and systems are protected from disaster, including sharing where customer data is stored and how the customer can access that data if and when it is needed.

Ensure protection of trade secrets.

If the cloud customer has trade secrets such as proprietary customer data or software, that customer must properly protect its data or software and have tangible evidence to prove in a lawsuit that it made appropriate efforts to protect those trade secrets. One of the best ways to prove that a trade secret has been properly protected is to show that only the trade secret owner can access the protected information. One solid way to do that is to have the ability to audit.

Establish the right to audit cloud IT operations.

The Sarbanes-Oxley Act (SOX) requires publicly traded companies to comply with laws of the Securities and Exchange Commission (SEC) including the ability to audit and verify accounting data. In order to conduct a SOX audit of IT/Internet services, customers need audit rights in the agreement. For companies not covered by SOX, but for which a formal CPA opinion is required by stockholders, the right to audit the cloud provider is essential.

In Conclusion

Each business has its unique requirements for using cloud services. Signing the standard cloud provider agreements may be convenient, but risky.

Any company using the cloud needs to properly protect its IT and data with a cloud agreement that is clear and specific to its own requirements.

Author: Peter S. Vogel