Where is my Workload?

15.01.2015 by Mike Small

One of the major challenges that faces organizations using a cloud or hosting service is to know where their data is held and processed. This may be to ensure that they remain in compliance with laws and regulations, or simply because they mistrust certain geo-political regions. The location of this data may be defined in the contract with the CSP (Cloud Service Provider), but how can the organization using the service be sure that the contract is being met? This question has led to many organizations being reluctant to use the cloud.

Using the cloud is not the only reason for this concern – my colleague Martin Kuppinger has previously blogged on this subject. Once information is outside of the system it is out of control and potentially lost somewhere in an information heaven or hell.

One approach to this problem is to encrypt the data so that, if it moves outside of your control, it is protected against unauthorized access. This can be straightforward encryption for structured application data, or public-key based protection as in some RMS (Rights Management Services) systems for unstructured data like documents. However, as soon as the data is decrypted the risk re-emerges. One approach to this could be to make use of “sticky access policies”, where the usage policy travels with the data and is enforced wherever it is opened.

However, while these approaches may protect against leakage, they don’t let you ensure that your data is being processed in a trusted environment. What is needed is a way to enable you to control where your workload is being run, in a secure and trusted way. This control needs to be achieved in a way that doesn’t add extra security concerns – for example, allowing you to control where your data is must not allow an attacker to find your data more easily.

Two years ago NIST published a draft report, IR 7904 Trusted Geolocation in the Cloud: Proof of Concept Implementation. The report describes the challenges that this poses and sets out a proposed approach that meets these challenges and which could be implemented as a proof of concept. The US-based cloud service provider Virtustream recently announced that its service now supports this capability. They state “This capability allows our customers to specify what data centre locations that their data can be hosted at and what data centres cannot host their data. This is programmatically managed with our xStream cloud orchestration application.”

The NIST document describes three stages that are needed in the implementation of this approach:

  1. Platform Attestation and Safer Hypervisor Launch. This ensures that the cloud workloads are run on trusted server platforms. To achieve this you need to:
    1. Configure a cloud server platform as being trusted.
    2. Before each hypervisor launch, verify (measure) the trustworthiness of the cloud server platform.
    3. During hypervisor execution, periodically audit the trustworthiness of the cloud server platform.
  2. Trust-Based Homogeneous Secure Migration. This stage allows cloud workloads to be migrated among homogeneous trusted server platforms within a cloud.
    1. Deploy workloads only to cloud servers with trusted platforms.
    2. Migrate workloads on trusted platforms to homogeneous cloud servers on trusted platforms; prohibit migration of workloads between trusted and untrusted servers
  3. Trust-Based and Geolocation-Based Homogeneous Secure Migration. This stage allows cloud workloads to be migrated among homogeneous trusted server platforms within a cloud, taking into consideration geolocation restrictions.
    1. Have trusted geolocation information for each trusted platform instance
    2. Provide configuration management and policy enforcement mechanisms for trusted platforms that include enforcement of geolocation restrictions.
    3. During hypervisor execution, periodically audit the geolocation of the cloud server platform against geolocation policy restrictions.
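To make the three stages concrete, here is an added example in Python. It is not code from the NIST report or from Virtustream’s xStream; it shows the shape of the policy checks an orchestrator would run before placing or migrating a workload. It assumes that an attestation service has already obtained a signed TPM quote from each host (signature verification is omitted), that the boot chain is measured into PCRs 0, 4 and 17, and that the host’s geolocation tag is extended into a dedicated PCR (index 22 is an assumption here). The known-good measurements, host names and location codes are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pcr_extend(current_hex: str, data: bytes) -> str:
    """TPM-style extend: PCR_new = H(PCR_old || H(data))."""
    return sha256_hex(bytes.fromhex(current_hex) + hashlib.sha256(data).digest())


PCR_RESET = "00" * 32
GEO_PCR = 22  # assumed: PCR into which the platform's geolocation tag is extended

# Constructed known-good measurements for the boot chain.  Real values come from
# the platform vendor and from measuring a reference installation.
KNOWN_GOOD: Dict[int, str] = {
    0: sha256_hex(b"firmware-v1"),
    4: sha256_hex(b"bootloader-v1"),
    17: sha256_hex(b"hypervisor-v1"),
}


@dataclass
class HostQuote:
    """What the attestation service learns from a host: its quoted PCR values
    (quote signature already checked, not shown) and the location it claims."""
    name: str
    pcrs: Dict[int, str]
    geo_tag: str


@dataclass
class GeoPolicy:
    allowed: Set[str]
    denied: Set[str] = field(default_factory=set)


def platform_trusted(q: HostQuote) -> bool:
    """Stage 1: every measured boot component matches the known-good list."""
    return all(q.pcrs.get(i) == v for i, v in KNOWN_GOOD.items())


def verified_geo(q: HostQuote) -> Optional[str]:
    """Stage 3: accept the location only if the quoted PCR equals the value
    obtained by extending that tag, so a host relabelled by the operator fails."""
    expected = pcr_extend(PCR_RESET, q.geo_tag.encode())
    return q.geo_tag if q.pcrs.get(GEO_PCR) == expected else None


def can_place(q: HostQuote, policy: GeoPolicy) -> Tuple[bool, str]:
    if not platform_trusted(q):
        return False, f"{q.name}: boot measurements do not match known-good values"
    geo = verified_geo(q)
    if geo is None:
        return False, f"{q.name}: claimed location '{q.geo_tag}' is not bound to PCR {GEO_PCR}"
    if geo in policy.denied or geo not in policy.allowed:
        return False, f"{q.name}: location {geo} not permitted by policy"
    return True, f"{q.name}: trusted platform in {geo}"


def can_migrate(src: HostQuote, dst: HostQuote, policy: GeoPolicy) -> Tuple[bool, str]:
    """Stages 2 and 3: both ends must be trusted and in policy; a workload never
    moves between a trusted and an untrusted host in either direction."""
    ok_src, why_src = can_place(src, policy)
    if not ok_src:
        return False, "refused, source fails policy: " + why_src
    ok_dst, why_dst = can_place(dst, policy)
    if not ok_dst:
        return False, "refused, destination fails policy: " + why_dst
    return True, f"{src.name} -> {dst.name} permitted"


def audit(hosts: List[HostQuote], policy: GeoPolicy) -> List[str]:
    """Periodic re-check of running hosts (stages 1.3 and 3.3)."""
    failures = []
    for h in hosts:
        ok, why = can_place(h, policy)
        if not ok:
            failures.append(why)
    return failures


def make_quote(name: str, geo: str, hypervisor: bytes = b"hypervisor-v1",
               extended_tag: Optional[str] = None) -> HostQuote:
    """Constructed quote; extended_tag simulates a host whose claimed tag
    differs from the tag that was actually measured into the TPM."""
    pcrs = {0: KNOWN_GOOD[0], 4: KNOWN_GOOD[4], 17: sha256_hex(hypervisor),
            GEO_PCR: pcr_extend(PCR_RESET, (extended_tag or geo).encode())}
    return HostQuote(name, pcrs, geo)


FRANKFURT = make_quote("fra-01", "DE-FRA")
AMSTERDAM = make_quote("ams-01", "NL-AMS")
ASHBURN = make_quote("iad-01", "US-EAST")
TAMPERED = make_quote("fra-02", "DE-FRA", hypervisor=b"hypervisor-modified")
RELABELLED = make_quote("iad-02", "DE-FRA", extended_tag="US-EAST")  # claims DE, measured US
EU_ONLY = GeoPolicy(allowed={"DE-FRA", "NL-AMS"}, denied={"US-EAST"})
```

The point of binding the location to a PCR rather than reading a label from the orchestrator’s inventory is that the check fails closed: a host with a modified hypervisor (TAMPERED) and a host whose inventory record says Frankfurt while its TPM was provisioned in Ashburn (RELABELLED) are both refused, and the customer can verify the same quote independently of the provider’s management software.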

This is an interesting initiative by Virtustream and, since it is implemented through their xStream software which is used by other CSPs, it is to be hoped that this kind of functionality will be more widely offered. When using a cloud service a cloud customer has to trust the CSP. KuppingerCole’s advice is trust but verify. This approach has the potential to allow verification by the customer.

A Haven of Trust in the Cloud?

11.11.2014 by Mike Small

In September a survey was published in Dynamic CISO that showed that “72% of Businesses Don’t Trust Cloud Vendors to Obey Data Protection Laws and Regulations”.  Given this lack of trust by their customers what can cloud service vendors do?

When an organization stores data on its own computers, it believes that it can control who can access that data. This belief may be misplaced given the number of reports of data breaches from on-premise systems, but most organizations trust themselves more than they trust others. When the organization stores data in the cloud, it has to trust the cloud provider, the cloud provider’s operations staff and the legal authorities with jurisdiction over the cloud provider’s computers. This creates many serious concerns about moving applications and data to the cloud, and this is especially true in Europe and in particular in geographies like Germany where there are very strong data protection laws.

One approach is to build your own cloud where you have physical control over the technology but can exploit some of the flexibility that a cloud service provides. This is the approach that is being promoted by Microsoft. In October Microsoft, in conjunction with Dell, announced their “Cloud Platform System”. This is effectively a way for an organization to deploy Dell servers running the Microsoft Azure software stack on premise. Using this platform, an organization can build and deploy on-premise applications that are Azure cloud ready. At the same time it can see for itself what goes on “under the hood”. Then, when the organization has built enough trust, or when it needs more capacity, it can easily extend the existing workload into the cloud. This approach is not unique to Microsoft – other cloud vendors also offer products that can be deployed on premise where there are specific needs.

In the longer term Microsoft researchers are working to create what is being described as a “Haven in the Cloud”.  This was described in a paper at the 11th USENIX Symposium on Operating Systems Design and Implementation.  In this paper, Baumann and his colleagues offer a concept they call “shielded execution,” which protects the confidentiality and the integrity of a program, as well as the associated data from the platform on which it runs—the cloud operator’s operating system, administrative software, and firmware. They claim to have shown for the first time that it is possible to store data and perform computation in the cloud with equivalent trust to local computing.

The Haven prototype uses the hardware protection proposed in Intel’s Software Guard Extensions (SGX), a set of CPU instructions that let an application place its code and data in a protected region of memory (an enclave) that even privileged software on the same machine cannot read or modify. It addresses the challenges of executing unmodified legacy binaries and protecting them from a malicious host. It is based on “Drawbridge”, another piece of Microsoft research that runs an application together with a library OS inside a lightweight isolated process. Two caveats matter for anyone assessing this approach: trust is moved rather than removed (the customer must still trust the processor vendor and the code running inside the enclave), and the Haven paper explicitly leaves side-channel and denial-of-service attacks outside its threat model.

The question of trust in cloud services remains an important inhibitor to their adoption. It is good to see that vendors are taking these concerns seriously and working to provide solutions. Technology is an important component of the solution but it is not, in itself, sufficient. In general computers do not breach data by themselves; human interactions play an important part. The need for cloud services to support better information stewardship, as well as for cloud service providers to create an information stewardship culture, is also critical to creating trust in their services. From the perspective of the cloud service customer my advice is always trust but verify.

Cloud Provider Assurance

05.08.2014 by Mike Small

Using the cloud involves an element of trust between the consumer and the provider of a cloud service; however, it is vital to verify that this trust is well founded. Assurance is the process that provides this verification. This article summarizes the steps a cloud customer needs to take to assure that a cloud service provides what is needed and what was agreed.

The first step towards assuring a cloud service is to understand the business requirements for it. The needs for cost, compliance and security follow directly from these requirements. There is no absolute assurance level for a cloud service – it needs to be just as secure, compliant and cost effective as dictated by the business needs – no more and no less.

The needs for security and compliance depend upon the kind of data and applications being moved into the cloud. It is important to classify this data and any applications in terms of their sensitivity and regulatory requirement needs. This helps the procurement process by setting many of the major parameters for the cloud service as well as the needs for monitoring and assurance. Look at Advisory Note: From Data Leakage Prevention (DLP) to Information Stewardship – 70587.

Use a standard process for selecting cloud services that is fast, simple, reliable, standardized, risk-oriented and comprehensive. Without this, there will be a temptation for lines of business to acquire cloud services directly without fully considering the needs for security, compliance and assurance. For more information on this aspect see Advisory Note: Selecting your cloud provider – 70742.

Take care to manage the contract with the cloud service provider. An article on negotiating cloud contracts from Queen Mary University of London provides a comprehensive list of the concerns of organizations adopting the cloud and a detailed analysis of cloud contract terms. According to this article, many of the contracts studied provided very limited liability, inappropriate SLAs (Service Level Agreements), and a risk of contractual lock in. See also – Advisory Note: Avoiding Lock-in and Availability Risks in the Cloud – 70171.

Look for compliance with standards; a cloud service may have significant proprietary content and this can also make the costs of changing provider high. Executive View: Cloud Standards Cross Reference – 71124 provides advice on this.

You can outsource the processing, but you can’t outsource responsibility – make sure that you understand how responsibilities are divided between your organization and the CSP. For example, under EU Data Protection laws, the cloud service provider is usually the “data processor” and the cloud customer is the “data controller”. Remember that the “data controller” can be held responsible for breaches of privacy by a “data processor”.

Independent certification is the best way to verify the claims made by a CSP. Certification of the service to ISO/IEC 27001 should be treated as a minimum requirement. However, a certificate covers a defined scope, so it is important to check that what has been certified (which services, which data centres, which processes) is actually the part of the service you will be relying on. For a complete description of how to assure cloud services in your organization see Advisory Note: Cloud Provider Assurance – 70586.

This article was originally published in the KuppingerCole Analysts’ View Newsletter.


EU Guidelines for Service Level Agreements for Cloud Computing

03.07.2014 by Mike Small

In a press release on June 26th, the European Commission announced the publication of new guidelines to “help EU businesses use the Cloud”. These guidelines have been developed by a Cloud Select Industry Group as part of the Commission’s European Cloud Strategy to increase trust in these services. They cover SLAs (Service Level Agreements) for cloud services. In KuppingerCole’s opinion these guidelines are a good start but are not a complete answer to the concerns of individuals and businesses choosing to use cloud services.

Cloud services are important as they provide a way for individuals and businesses to access IT applications and infrastructure in a flexible way and without the need for large up-front capital investment. This makes it possible for new businesses to minimize the risk of testing new products and for existing businesses to reduce the cost of running core IT services. It allows individuals to access a range of IT services for free or at minimal cost.

The cost model for cloud services is based on two pillars: the service is standardized and offered to the customer on a take-it-or-leave-it basis, and the cloud service provider can exploit the cost savings that accrue from the massive scale of their service. In the case of services offered to individuals there is a third pillar: the cloud service provider can exploit or sell information gathered about the individual users in exchange for providing the service.

Since the definition of the service offered is not usually open to negotiation, it is important that this definition is clear enough to let a potential customer make a real comparison between services offered by different providers. It should also be transparent about how the service provider handles and uses data stored in, or collected by, the service. This is especially important because many kinds of data are subject to laws and regulations, and the customer needs to be able to verify that the data for which they are responsible is being handled appropriately. In addition, the individual user of a service needs to understand how data collected about them will be used.

These new guidelines specify what a cloud SLA should cover but not what the service level should be. They provide a detailed vocabulary with definitions of the various terms used in SLAs, and they suggest a set of SLOs (Service Level Objectives) for each aspect of the service. SLOs are provided for the following major areas of a cloud service:

  • The performance of the service including: availability, response, capacity, capability, support and reversibility. This latter aspect covers the processes involved when the service is terminated. This is important since one of the key concerns is the return of a customer’s data when the service ends together with guarantees about the erasure of that data.
  • The security of the service including: its reliability, authentication and authorization, cryptography, incident management, logging and monitoring, auditing and verification, vulnerability management and service governance.
  • Data management including: data classification, data mirroring, backup and restore, data lifecycle and data portability. The data lifecycle includes an SLO “data deletion type”: this should specify the quality of the data deletion, ranging from weak to strong sanitization (such as specified in NIST SP 800-88) where the data cannot easily be recovered.
  • Personal data protection: this focuses on the cases where the cloud service provider acts as a “data processor” for the customer who is the “data controller”: including codes of conduct and certification mechanisms, data minimisation, use retention and disclosure, openness transparency and notice, accountability, geographic location and intervenability.

These guidelines are a good start but are not a complete answer to the concerns of individuals and businesses choosing to use cloud services.  They provide a common set of areas that a cloud SLA should cover and a common set of terms that can be used.  However the definition of the objectives in a standard way that can be measured still falls short; it still allows too much “wriggle room” for the cloud provider.  A worthwhile document that provides more detailed advice on what to measure in cloud contracts and how to measure it is given in ENISA Procure Secure.

It is good that the guidelines distinguish between the legal contractual aspects and the technical service definition. However, the SLOs cover areas of data privacy where there is an essential overlap, because of the legal obligations upon the cloud customer where they are using the cloud service to process data subject to regulations or laws. Section 6.4 covers the contentious area of disclosure of personal data to law enforcement authorities and suggests the objectives should include the number of disclosures made over a period of time as well as the number notified. This will not be sufficient to moderate the significant concerns of European organizations using non-EU based cloud service providers.

KuppingerCole has helped major European organizations to successfully understand and manage the real risks associated with cloud computing. We offer research and services to help cloud service providers, cloud security tool vendors, and end user organizations. To learn more about how we can help your organization, just contact sales@kuppingercole.com.

AWS: Great Security but can you Trust a US Owned Cloud Service?

30.05.2014 by Mike Small

Cloud computing provides an unparalleled opportunity for new businesses to emerge and for existing businesses to reduce costs and improve the services to their customers. However, the revelations of Snowden and the continuing disclosure of state-sponsored interception and hacking undermine confidence in cloud service providers. In this environment CSPs need to go the extra mile to prove that their services are trustworthy.

In general there are two kinds of customers that are adopting cloud computing.  The first kind is the so called “born on the cloud” customers who are starting new businesses which depend upon IT but without the need to make large capital investments in IT.  The second is the organizations that are already using IT in house and are creating new IT applications in the cloud and moving existing ones to the cloud.

These two different kinds of customers have different sets of risks to manage. For the born-on-the-cloud customers the biggest risk is whether or not their business will take off; conventional IT security risks are important but not crucial (although this may prove to be a mistake in the long run). However, organizations moving to the cloud may have already invested heavily in IT to ensure information security, for compliance or to protect intellectual property, and for these organizations cloud security and governance are critical concerns. From the announcements it appears that AWS is now working to attract enterprise customers that are moving to the cloud.

At their event in London on April 28th, 2014 AWS produced an impressive list of customers that included start-ups, enterprises and public sector organizations.  What was new was the list of enterprises that were moving their IT entirely to the cloud; these included an Australian bank and a German hotel chain.  To attract and keep these kinds of customer AWS needs to demonstrate the functionality, security and governance of their offering as well as a competitive price.

AWS claims a high level of IT security and governance for their cloud services and these claims are backed by independent certification.   AWS security principles and processes are described in a white paper.  In June 2013, KuppingerCole published an Executive View on this: Amazon Web Services – Security and Assurance – 70779. There are many existing features which AWS offers that are of particular interest to enterprises and these include:

  • The ability to use a dedicated network connection from the enterprise to AWS using standard 802.1Q VLANs.
  • A Virtual Private Cloud – a logically isolated section of the AWS Cloud for the enterprise’s AWS resources.
  • Control of access to the enterprise’s AWS resources based on the enterprise Active Directory using Active Directory Federation Services (ADFS)
  • Data encryption using AWS CloudHSM – which allows the enterprise to retain control over the encryption keys.
  • Control of the geography in which the enterprise data is held and processed.

Since then AWS has added AWS CloudTrail. This is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Note that a trail only has value while it is running: an attacker with sufficient privilege can stop or delete it, so calls that alter the trail itself are among the first things a customer should watch for in the logs.
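The fields listed above are enough to run simple detections over the delivered log files. The following is an added example in Python, not AWS code and not part of the original post: it builds a handful of constructed CloudTrail-shaped records (the account number, user names, IP addresses and timestamps are invented) and applies three checks that a customer moving to AWS would typically want: a root console login without MFA, any call that stops or alters the trail itself, and privilege-granting IAM changes made from outside an assumed corporate egress range (203.0.113.0/24 here).

```python
import ipaddress
import json
from typing import Dict, List, Tuple


def rec(time: str, source: str, name: str, ip: str, identity: Dict, **extra) -> Dict:
    """Build one record in the CloudTrail record shape (constructed sample data)."""
    r = {"eventVersion": "1.01", "eventTime": time, "eventSource": source,
         "eventName": name, "awsRegion": "us-east-1", "sourceIPAddress": ip,
         "userAgent": "aws-cli/1.3.0", "userIdentity": identity,
         "requestParameters": None, "responseElements": None}
    r.update(extra)
    return r


ACCOUNT = "123456789012"  # constructed account id
ROOT = {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root", "accountId": ACCOUNT}
ALICE = {"type": "IAMUser", "userName": "alice",
         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "accountId": ACCOUNT}

# A delivered CloudTrail file is a JSON object with a "Records" array.
SAMPLE_LOG = json.dumps({"Records": [
    rec("2014-05-20T08:01:12Z", "signin.amazonaws.com", "ConsoleLogin", "198.51.100.23", ROOT,
        responseElements={"ConsoleLogin": "Success"},
        additionalEventData={"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"}),
    rec("2014-05-20T08:03:40Z", "cloudtrail.amazonaws.com", "StopLogging", "198.51.100.23", ROOT,
        requestParameters={"name": "management-trail"}),
    rec("2014-05-20T09:15:02Z", "iam.amazonaws.com", "CreateAccessKey", "203.0.113.9", ALICE,
        requestParameters={"userName": "deploy-bot"}),
    rec("2014-05-20T09:20:45Z", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.9", ALICE),
    rec("2014-05-20T21:40:11Z", "iam.amazonaws.com", "AttachUserPolicy", "198.51.100.77", ALICE,
        requestParameters={"userName": "deploy-bot",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
]})

CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate NAT range
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}
IAM_PRIVILEGE = {"CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
                 "PutUserPolicy", "AddUserToGroup", "CreateUser"}


def from_corporate(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # sourceIPAddress may be a service name such as "ec2.amazonaws.com"
    return any(addr in net for net in CORPORATE_EGRESS)


def principal(r: Dict) -> str:
    u = r["userIdentity"]
    return u.get("userName") or u.get("type", "unknown")


def analyse(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (rule, eventTime, principal, detail) for every record that matches a rule."""
    findings = []
    for r in json.loads(log_text)["Records"]:
        name, src = r["eventName"], r["eventSource"]
        ip = r.get("sourceIPAddress", "")
        extra = r.get("additionalEventData") or {}
        if name == "ConsoleLogin" and r["userIdentity"].get("type") == "Root" \
                and extra.get("MFAUsed") == "No":
            findings.append(("ROOT_CONSOLE_LOGIN_NO_MFA", r["eventTime"], principal(r), ip))
        if src == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
            findings.append(("AUDIT_TRAIL_TAMPER", r["eventTime"], principal(r), name))
        if src == "iam.amazonaws.com" and name in IAM_PRIVILEGE and not from_corporate(ip):
            findings.append(("IAM_CHANGE_OFF_NETWORK", r["eventTime"], principal(r),
                             f"{name} from {ip}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(" | ".join(f))
```

Only three of the five records produce findings: the CreateAccessKey call from inside the corporate range and the DescribeInstances call are treated as normal activity, while the root login without MFA, the StopLogging call and the AdministratorAccess policy attachment from an unknown address are flagged. In practice these rules would run over every file CloudTrail delivers to the S3 bucket, and the StopLogging rule is the one that protects the other two.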

An organization adopting the cloud needs to balance the risks against the rewards. Information security and compliance are the main risks that are holding enterprises back from cloud adoption. AWS claims a high level of security and these claims are backed by independent audits – however, there is still the problem of trust. The revelations by Snowden of the extent to which the NSA was intercepting communications have made many organizations wary of US-based cloud services. The US government’s unwillingness to permit organizations to publish sufficient data relating to Foreign Intelligence Surveillance Act (FISA) orders added to these concerns. (However, in January 2014 the Obama administration reached a deal allowing the disclosure of more information on the customer data companies are compelled to share with the US government, albeit with some delay.)

The extent to which nation states are eavesdropping on or hacking into commercial enterprises (US justice department charges Chinese with hacking) has added to this concern.

While this may seem unfair on AWS, many European enterprises are choosing not to put business-critical applications or confidential data into US-managed cloud services. Addressing these concerns will be difficult. AWS CTO Werner Vogels was recently featured in an article in the Guardian newspaper. In this article he writes “Another core value is putting data protection, ownership, and control, in the hands of cloud users. It is essential that customers own and control their data at all times.” KuppingerCole agrees with this sentiment, but cloud service providers will need to go the extra mile to prove that their services, their employees and their infrastructure cannot be suborned by national interests or national agencies.


IBM’s Software Defined Environment

08.04.2014 by Mike Small

In IBM’s view the kinds of IT applications that organizations are creating are changing from internal-facing systems to external-facing systems. IBM calls these kinds of systems “systems of record” and “systems of engagement” respectively. The systems of record represent the traditional applications that ensure that the internal aspects of the business run smoothly and the organization is financially well governed. The systems of engagement exploit the new wave of technology that is being used by customers and partners and which takes the form of social and mobile computing. In IBM’s opinion a new approach to IT is needed to cater for this change, which IBM calls SDE (Software Defined Environments).

According to IBM these systems of engagement are being developed to enable organizations to get closer to their customers and partners, to better understand their need and to better respond to their issues and concerns.  They are therefore vital to the future of the business.

However the way these systems of engagement are developed, deployed and exploited is radically different to that for systems of record.   The development methodology is incremental and highly responsive to user feedback.  Deployment requires IT infrastructure that can quickly and flexibly respond to use by people outside the organization.  Exploitation of these applications requires the use of emerging technologies like Big Data analytics which can place unpredictable demands on the IT infrastructure.

In response to these demands IBM has a number of approaches; for example, in February I wrote about how IBM has been investing billions of dollars in the cloud. IBM also offers something it calls SDE (Software Defined Environment). IBM’s SDE custom-builds business services by leveraging the infrastructure according to workload types, business rules and resource availability. Once these business rules are in place, resources are orchestrated by patterns – best practices that govern how to build, deploy, scale and optimize the services that these workloads deliver.

IBM is not alone in this approach; others, notably VMware, are heading in the same direction.

In the IBM approach – abstracted and virtualized IT infrastructure resources are managed by software via API invocations.   Applications automatically define infrastructure requirements, configuration and Service Level expectations.  The developer, the people deploying the service as well as the IT service provider are all taken into account by the SDE.

This is achieved by the IBM SDE being built on software and standards from the OpenStack Foundation of which IBM is a member.  IBM has added specific components and functionality to OpenStack to fully exploit IBM hardware and software and these include drivers for: IBM storage devices, PowerVM, KVM and IBM network devices.  IBM has also included some IBM “added value” functionality which includes management API additions, scheduler enhancements, management console GUI additions, and a simplified install.  Since the IBM SmartCloud offerings are also based on OpenStack this also makes cloud bursting into the IBM SmartCloud (as well as any other cloud based on OpenStack) easier except where there is a dependency on the added value functionality.

One of the interesting areas is the support provided by the Platform Resource Scheduler for the placement of workloads.  The policies supported make it possible to define that workloads are placed in a wide variety of ways including: pack workload on fewest physical servers or spread across several, load balancing and memory balancing, keep workloads physically close or physically separate.

IBM sees organizations moving to SDEs incrementally rather than in a big-bang approach. The stages they see are virtualization, elastic data scaling, elastic transaction scaling, policy-based optimization and finally application-aware infrastructure.

In KuppingerCole’s opinion SDCI (Software Defined Computing Infrastructure) is the next big thing. Martin Kuppinger wrote about this at the end of 2013. IBM’s SDE fits into this model and has the potential to allow end user organizations to make better use of their existing IT infrastructure and to provide greater flexibility to meet changing business needs. It is good that IBM’s SDE is based on standards; however, there is still a risk of lock-in since the standards in this area are incomplete and still emerging. My colleague Rob Newby has also written about the changes that are needed for organizations to successfully adopt SDCI. In addition, it will require a significant measure of technical expertise to implement successfully in full.

For more information on this subject there are sessions on Software Defined Infrastructure and a Workshop on Negotiating Cloud Standards Jungle at EIC May 12th to 16th in Munich.

Smarter Risk

06.12.2013 by Mike Small

According to IBM a consistent way to manage all types of risk is the key to success for financial services organizations. To support this IBM will be rolling out their Smarter Risk offering during Q1 2014. Failure to properly manage risk has been alleged to be the cause of the financial crisis and, to force financial services organizations to better manage risk, regulators around the world are introducing tougher rules.

The underlying causes of the damaging financial crisis can be traced back to the management of risk.  Financial services organizations need to hold capital to protect against the various forms of risk.  The more capital they have to hold to cover existing risks the less the opportunity to use that capital in other ways.  So fully understanding the risks faced is a key factor to organizational success.

According to Gillian Tett in her book Fool’s Gold, the roots of the financial crisis can be traced back to the Exxon Valdez disaster of 1989. To cover the billions of dollars needed for the clean-up and liabilities, Exxon requested a credit line from its bankers J.P. Morgan and Barclays. Covering this enormous credit line required the banks to set aside large amounts of capital. In order to release this capital J.P. Morgan found a way to sell the credit risk to the European Bank for Reconstruction and Development. This was one of the earliest credit default swaps and, while this particular one was perfectly understood by all parties, these types of derivatives evolved into things like synthetic collateralized debt obligations (CDOs) which were not properly understood and were to prove to be the undoing.

IBM believes that, in order to better manage risk, financial services organizations need to manage all forms of risk in a consistent way since they all contribute to the ultimate outcome for the business.  These include financial risk, operational risk, fraud and financial crimes, as well as IT security.  The approach they advise is to build trust through better and more timely intelligence, then to create value by taking a holistic view across all the different forms of risk.  The measurement of risks is a complex process and involves many steps based on many sources of data.  Often a problem that is detected at a lower level is not properly understood at a higher level or is lost in the noise.  Incorrect priorities may be assigned to different kinds of risk or the relative value of different kinds of intelligence may be misjudged.

So how does this relate to IT security?  Well security is about ensuring the confidentiality, integrity and availability of information.  In this last week the UK bank RBS suffered a serious outage which led to its customers’ payment cards being declined over a period of several hours.  The reasons for this have not been published but the reputational damage must be great since this is the latest in a series of externally visible IT problems suffered by the bank.  IBM provided an example of how they had used a prototype Predictive Outage Analytics tool on a banking application.  This banking application suffered 10 outages, each requiring over 40 minutes recovery time, over a period of 4 weeks.  Analysing the system monitoring and performance data the IBM team were able to show that these outages could have been predicted well in advance and the costs and reputational damage could have been avoided if appropriate action had been taken sooner.

So in conclusion this is an interesting initiative from IBM.  It is not the first time that IT companies have told their customers that they need to take a holistic view to manage risk and that IT risk is important to the business.  However, as a consequence of the financial crisis, the financial services industry is now subject to a tightening screw of regulation around the management of risk.  Under these circumstances, tools that can help these organizations to understand, explain and justify their treatment of risks are likely to be welcomed.  This holistic approach to the management of risk is not limited to financial organizations and many other kinds of organization could also benefit.  In particular, with the increasing dependence upon cloud computing and the impact of social and mobile on the business, the impact of IT risk has become a very real business issue and needs to be treated as such.

Salesforce Identity

15.10.2013 by Mike Small

Today Salesforce.com announced the general availability of Salesforce Identity – what does this mean for customers and the IAM market?

In some ways this is not a completely new product; Salesforce.com CRM customers have been using much of this for some time.  However, what is announced today extends its functionality well beyond what previously existed.  Salesforce Identity provides a web single sign-on capability that can be white labelled and which can be based on authentication by Salesforce.com or by a number of other trusted identity providers.  The Salesforce.com authentication methods include two-factor and risk-based approaches as well as user ID and password.  It supports the main authentication standards like SAML, OAuth and OpenID, as well as third-party providers like Facebook Connect.  It includes an extensible cloud directory and an optional “Salesforce Identity Connect” module.  This latter component is built on ForgeRock’s Open Identity Stack and creates a bridge between existing on-premises directory solutions and Salesforce Identity.  Salesforce Identity also includes monitoring and reporting capabilities to allow the development of user activity and compliance reports.

So – is this just a cloud-based web access management (WAM) system?  Should this simply be viewed as being in direct competition with the range of IAM products in the market?  How does this stack up against the Microsoft cloud directory offering?  (See the blog by Martin Kuppinger: Understanding Azure Active Directory)

As a company, Salesforce.com has declared that its vision is to help organizations connect with their customers, partners, associates and devices.  To do this successfully requires an understanding of identities.  The organization needs to be able to uniquely identify a customer, partner or associate irrespective of how they connect – from whatever device and by whatever means.  So this announcement needs to be seen as part of this core vision.  When taken together with the other Salesforce.com developments, acquisitions and partnerships, it is much more than just another WAM.  It is a key component of a platform for organizations to connect with their customers, partners and associates, and an essential component needed to support the other parts of that platform.

So – through this platform – Salesforce.com is seeking to change the way in which identities are managed by organizations: to alter the perspective away from one focussed on internal IT systems and users to an outward-looking one focussed on customers and partners, whilst retaining internal control – integrating enterprise identity with CRM.

Avoiding Data Breaches and Managing Big Data

09.10.2013 by Mike Small

Today information is the foundation upon which businesses are built and which organizations need in order to prosper.  However, given its value, information is not treated with sufficient respect by everyone in the organization.  It sometimes seems that the only people who understand the value of information are those who are trying to steal it!

Big data makes this problem worse – in addition to the vast quantity of data from the Internet of Things and social media, a great deal of unstructured information is now being created within organizations.  Who owns this data, and who is responsible for its security?

I believe that what is needed is better information stewardship.  Information Stewardship is the holistic concept beyond Information Security which is based on the idea of looking after property that is not your own.  Information stewardship involves everyone who creates information, not just the application owners or the IT service provider.

I will be presenting a session on this subject at RSA Europe on October 29th.

You can listen to a short podcast preview of this session.


The Future of the Cloud

03.10.2013 by Mike Small

As a UK member of ISACA as well as an industry analyst I was privileged to participate in a round table on the subject of the future of the cloud and the results of this were published in a supplement to the Guardian newspaper on September 27th.

Here is a summary of my thoughts on this subject:

The cloud is about efficiency and economies of scale.  The successful CSPs (Cloud Service Providers) will be those that can provide value for money to their customers.  For large enterprises the cloud will add complexity by becoming yet another platform to be accommodated.  However for SMEs the cloud can provide the IT services they need but could not run effectively themselves.  For start-ups the cloud provides a low risk opportunity to create new services.

The cloud is having an impact on conventional hosting services by creating what appears to be a cheaper and more easily accessible alternative.  The recent acquisition of SoftLayer by IBM shows that the existing IT hosting organizations and service providers will need to acquire cloud skills and technologies if they are not to lose out.  I believe we will see consolidation in the market.

The cloud also provides a challenge and an opportunity for IT solution vendors.  Large CSPs can provide a more stable platform for these solutions than the vendors themselves.  Basing their solution on a cloud platform allows the solution provider to focus on their specific product and skills rather than on the challenges of running an IT service.  It also provides a great opportunity for new solutions to emerge.

However – it is not straightforward for organizations to migrate existing applications to the cloud.  This is a limiting factor for the take-up of the cloud by enterprises.  I expect that the market in services to help organizations migrate existing applications to the cloud will grow.

The major concerns that most organizations have with the use of the cloud relate to security and compliance.  The large CSPs have taken these concerns on board and, in general, offer IT services and infrastructure that are as secure as, if not more secure than, those which most organizations can provide for themselves.  There has also been a growth in CSPs providing services that are focussed on markets with specific areas of compliance.  However the standard contracts offered by many CSPs still provide limited liability in the event of failure of the service or for security breaches.

For organizations, here are the keys to successful exploitation of the cloud:

  1. Understand – at the board level what your business objectives are from exploiting the cloud.
  2. Set constraints – that limit the risks relating to security of your data and compliance with laws and regulations to a level that you are comfortable with.
  3. Trust the CSP but verify that trust through independent certification and monitoring of the service.

© 2015 Mike Small, KuppingerCole