cloud computing

Distributed Enterprise Data Risks

Question:  With all the talk about data on the cloud, is it possible to build a distributed enterprise architecture that addresses the issues of security and cost effective delivery without compromising business integrity?

For example, let us say you are relying on a major retailer’s supply chain system for inventory control and tracking.  The retailer represents 60% of your annual sales.  They have intimate knowledge of all your costs and are squeezing you to cut your overheads further.  It almost looks like they have better business intelligence tools than you do.  You are uncomfortable with the relationship, but are afraid pulling out will have disastrous effects on your core business and profits. The board is nervous and Wall Street is not treating your stock price kindly.  Too many companies are finding themselves in exactly that situation as they find they are required to share more data with their business partners.  Yes, there are cost efficiencies to be found by taking this approach, but there is also the substantial risk of loss of control.

Data integrity, security and confidentiality have long relied on a combination of network and application based security.  As long as the data was secured on local systems using role-based account access combined with strong firewalls, the thinking was that corporate data was well secured.  As enterprise architectures get more complex and the supply chain more integrated, the data is increasingly stored in massive data warehouses and SOA’s.  To add even more complexity more enterprises are using the cloud as a way to augment their internal systems or sharing information with their business partners.  Data is increasingly spilling out to the cloud with little or no thought given to the security implications for the enterprise.  With the recent news about credit card fraud and identity theft on a massive scale, companies are and should be worried about protecting and securing their data.

At the basic level that means that companies need to understand where their data resides, who is using it, how they are using it and most importantly, why are they using it.  Some of the many security issues that the new distributed architectures might mean to the enterprise include such questions as:

• Just what does data security mean in new contexts where you no longer have full control over the systems?
• How is responsibility for data integrity and confidentiality assured if there are multiple parties involved in the chain of authority?
• Do private clouds avoid or solve the problem, or do they make it more complex to manage as companies increasingly have to interface with business partners and customers on the cloud?
• What types of architectures and mechanisms can be implemented through the systems and to assure full data integrity and confidentiality?
• What are the best approaches to protecting the most sensitive data, particularly in the face of increased regulations and audit requirements?

About the Author

Beth Cohen, Luth Computer Specialists, Inc.

Widgit Company - A Cloud Security Parable: Part 1

Question:  Everyone is singing the praises of cloud computing, or at least all the vendors who are trying to sell services.  Just how safe is my confidential data on the cloud anyway?

To put cloud computing business security risk in concrete terms, I will tell you the parable of the Widget Company and Cloud Computing. Has anything like this happened to you?

Once upon a time, Widget Company, a $300 million dollar global company in the plastic widget business, decides to outsource their Oracle ERP application platform to Cloud Co., a cloud vendor who provides on-demand Oracle database services.  The CFO encourages the board to approve the cloud outsourcing project because it is projected to reduce support costs for their Oracle application by 20%, allowing the company to grow while avoiding an investment in a large, new and very expensive Oracle system.  The board signs a two year contract for services with the agreement that the cloud vendor is responsible for paying the annual Oracle maintenance contract.  Both the legal and finance departments’ review the contracts and give their blessings.

At first everything seems to be working and management is pleased with their decision.  Then reality sets in.  After three months, users increasingly complain server access is slow.  Cloud Co. responds to the complaints by first informing Widget’s IT department that their DSL Internet connection is probably not large enough for the anticipated user load, so they upgrade to a higher speed connection that increases their network connectivity costs by 30%.  When the increased bandwidth still does not fix the problem, Cloud Co responds by applying a patch recommended by Oracle.  After the installation of the upgrade, Widget Company finds that one of their mission critical applications is no longer compatible with Cloud Co’s offering and several months of customer data is lost due to the problems.  Oracle claims no responsibility because the application does not meet their development standards.  Productivity and staff confidence in the application plummet.  After the two companies’ lawyers argue for a while, Widget decides to pull out of the contract, which still has a year to completion.  Cloud Co. agrees to end the contract.

Widget Company’s management and IT department breathe a sigh of relief until they realize that the data backup from Cloud Co.  will take months of costly integration to re-implement on the old servers - which are fortunately still running, just in case.  However, Widget incurs additional costs when they discover they need to upgrade their Oracle licenses and pay for a year of back maintenance to get critically needed support.

Six months later Cloud Co goes out of business - Widget was not the only company unhappy with their services.  Eight months later, a Widget Company sales associate reports that their main competitor seems to have insider information about Widget’s customer list.  After a bit of legal discovery, Widget’s management discovers that after Cloud went out of business their assets were sold to a salvage company that resold the old backup tapes to a shady operation in the Ukraine, which then sold the customer list to their competitor.  At this point after spending over $500, 000 in sunk costs and with little hope of successful legal actions against the guilty parties, Widget’s management team is completely fed up, fires the CFO along with most of the IT department, and vows never to try cloud computing outsourcing ever again.

About the Author

Beth Cohen, Luth Computer Specialists, Inc.

More Clouds with a Chance of Storms

Question:  What exactly are the top security issues that cloud vendors need to address?

Somehow I am getting a sense of déjà vu on cloud security.  Don’t get me wrong folks, but the cow is already out of the barn.  After all, more than 69% of all consumer Internet users have used at least one cloud service in the past year and that doesn’t include the nearly 100% of all consumers who are using web mail services such as Gmail, Yahoo and others of their ilk.

On the other hand, businesses and enterprises are not rushing to jump on the cloud computing band wagon in the same kinds of numbers.  So what is holding companies back from taking the very real advantages that cloud offers?  We can argue that business requires a higher level of security and validation than the average consumer, but the simple answer is really a large dose of inertia, fear and doubt.  That is, all the usual reasons that businesses use as excuses to wait for the consumer products and service to prove their worth before committing precious corporate IT resources.

In a survey conducted by IDC in August 2008 and June 2009, concerns about security topped the list of challenges for 88.5% of the respondents, followed closely by performance (88.1%) and availability (84.8%).   Clearly security is a major impediment to a cloud architecture implementation for many organizations.  It will need to be properly addressed before cloud architectures will be fully embraced by the business community.

Cloud security issues can be divided into three major categories, business, regulatory and technical.  Business issues generally can be quantified as risks to the business in whatever form.  Major business concerns for the enterprise include:

• Legal issues related to the control and protection of intellectual property and sensitive business information
• The difficulty of establishing end to end business data validation
• Regulatory issues related to data ownership and proper handling procedures
• A perception of increased potential for data and business loss
• Risk of reduced data or systems availability
• Proper integration of the mix of secured data residing both in the cloud and on the internal corporate networks

The major global regulatory issues that influence technical and business decisions around cloud computing architectures include:

• Rising consumer data protection laws around the world
• PCI Compliance and the need to ensure end to end data protection
• Banking regulations

It is clear that many of the business and regulatory issues can be addressed with properly secured cloud architectures, applications, networks and systems, but cloud and network security is quite complex.  It encompasses such diverse disciples such as networking, application development, database architectures and designs, hardware architectures, and systems design.  Many standard network security best practices developed for the enterprise are inadequate to handle the new cloud architectures.  However, by taking a network services approach to the architecture of cloud services, there are many advanced methods that can be used to address cloud security issues and allay most if not all of the business owners concerns.

About the Author

Beth Cohen, Luth Computer Specialists, Inc.

Clouds Rolling In…

Question:  There has been much twitter in the technology press and from the big vendors about how cloud computing is the next transformational technology.  Is there really anything to the hype?

Every day seems to bring yet another deluge of cloud-related press releases, articles, analyst opinion, and, somewhere among the confusion, some honest-to-goodness useful information.  While there is always some hyperbole with any new technology direction, there is more to the concept of cloud computing than vapor (pardon the inevitable pun).

Once you strip away the fluff, cloud computing represents the next step along the continuum in the evolution of utility computing.  It promises to have a substantial impact in the way that organizations provide IT services in the future to consumers and the entries alike.  From the consultant’s perspective, cloud computing, at a minimum, represents another option in terms of providing a flexible level of service more closely aligned with your exact requirements.  In the Service Provider Model (SPM), service levels are defined based on business requirements and IT delivery capabilities.  On the “demand” side, attributes such as availability, recoverability, and performance form the basis for the service definitions.   From the “delivery” side, IT is responsible for determining the most efficient means of providing a given service level. A key attribute for both demand and delivery is, of course, the per-unit cost at each level of service.

Cloud computing opens up additional delivery options for organizations in planning and providing IT services.  The advantages promised by cloud computing - the ability to quantify operational costs of infrastructure, dynamic resource allocation and improved flexibility, must be weighed against potential risks, such as the availability and control of data, performance impact on applications, potential for vendor lock-in in developing a services strategy.

Incorporating cloud computing into an IT strategy impacts a wide range of IT functions, and an expertise in the areas of data center consolidation, virtualization, security, and data management and protection can provide a unique perspective to determining the right approach to planning and implementing cloud services. If  you are feeling lost in all the hype, look for a vendor independent provider of IT services, to assist you in determining the appropriate IT services strategy for your organization.

Over the coming months, we’ll have more to say on this topic, but for those seeking a decent primer on the subject sans the hype,  a good place to start might be the UC Berkeley paper, “Above the Clouds: A Berkeley View of Cloud Computing” (http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf).  While it has sparked some debate, it frames the subject and its key components quite well.

About the Author

Jim Damoulakis, CTO of GlassHouse Technologies,

Part 2: Consumer Driven Business Innovation

Question:  Recently you wrote how the consumer market is the major driver of innovation.  How can you say that when IBM and HP are constantly developing new products for the enterprise?

Last time, I talked about how the consumer markets are driving innovation.  This week I will follow up on those ideas and look into the reasons for this continued trend.  In a nutshell it can be summarized as available resources and reduced risk tolerance by businesses.

Since 2001, the business market has bifurcated into two very divergent directions, the large enterprise sector and everyone else.  The usual suspects, IBM, HP, Oracle, etc. continue to cater to the large enterprise, profiting on million dollar contracts and cozy deals.  None of these companies make money on revolutionary products.  They are best at creating better, more feature-rich versions of existing products that appeal to their generally risk-adverse enterprise customers.

Revolution and true innovation rarely, if ever, comes out of established companies.  They have so much invested in their existing products; they cannot afford to jeopardize their enterprise customer base comfortable with the status quo, in the risky pursuit of something revolutionary. No, the most fertile ground for true innovation is going to remain with companies that have nothing to begin with and therefore nothing to lose.  Look to the well documented history of the development of the computer hard-drive for a perfect example of how companies selling better products with more storage and features lost the marketing war to emerging companies with cheaper, smaller alternatives with fewer features.

Apple Computer is the rare exception that proves the rule; and their famously wild relationship with Wall Street is well-known. Apple has clearly bet heavily on the consumer market as their future direction.  The only company that seems to be able to defy my predictions and successfully develop their products to the entire spectrum of the business market, while maintaining a large consumer base at the same time, is Microsoft.  Starting with their brilliant idea to package a common set of desktop automation tools into Microsoft Office, which has now been installed in over 800 million systems worldwide, and continuing with their latest office productivity tools, SharePoint and Communicator, Microsoft remains very much in command of the business desktop.  Their products uniquely appeal to consumers, small business and the enterprise alike, yet, I would argue that most of their innovation - such as it is, is focused on the broad mid-sized business market, rather than the consumer (with the exception of Xbox) or the enterprise.

Ironically, the smart IT vendors, such as Cisco, HP and Microsoft, figured out long ago where the innovation was coming from and regularly snap up promising startups with the intention of incorporating their ideas into their product offerings.  Despite this understanding, these companies continue to struggle to translate all the great intellectual property they purchase into products that appeal to their risk adverse enterprise customers.

Beth Cohen, Luth Computer Specialists, Inc.  IT infrastructure consulting services.