<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Welcome to privatecloud.com &#187; risk</title>
	<atom:link href="http://www.privatecloud.com/keyword/risk/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.privatecloud.com</link>
	<description></description>
	<lastBuildDate>Wed, 08 Sep 2010 17:28:55 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Could the adoption of private cloud be the resolution to security fears?</title>
		<link>http://www.privatecloud.com/2010/09/02/could-the-adoption-of-private-cloud-be-the-resolution-to-security-fears/</link>
		<comments>http://www.privatecloud.com/2010/09/02/could-the-adoption-of-private-cloud-be-the-resolution-to-security-fears/#comments</comments>
		<pubDate>Thu, 02 Sep 2010 12:16:58 +0000</pubDate>
		<dc:creator>Amie Smith</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Blog Topics]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Featured Homepage]]></category>
		<category><![CDATA[Featured Landingpage]]></category>
		<category><![CDATA[Noteworthy]]></category>
		<category><![CDATA[People & Process]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Technologies]]></category>
		<category><![CDATA[cloud service]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[scalability]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[storage]]></category>

		<guid isPermaLink="false">http://www.privatecloud.com/?p=6413</guid>
		<description><![CDATA[Dan Raywood, contributor to the "SC Magazine -- Secure Business Intelligence", explores the rationale behind the popularity of private cloud.]]></description>
			<content:encoded><![CDATA[<div id="ctl00_ctl00_cphAllPageContent_cphMainContent_ucArticleView_articleBody">
<p>By <a href="http://www.scmagazineuk.com/dan-raywood/author/259/">Dan Raywood</a>, August 20, 2010</p>
<p><em>This blog was reposted from the &#8220;<a href="http://www.scmagazineuk.com/could-the-adoption-of-private-cloud-be-the-resolution-to-security-fears/article/177209/">SC Magazine</a>&#8221; website. </em></p>
<p>The capability of establishing and working within a private cloud could ease suspicions about using the public cloud.</p>
<p>Lori MacVittie, senior technical marketing manager at F5 Networks, claimed that the risks associated with security, availability and performance are higher than the always-associated benefits of public cloud computing (lower costs, scalability and flexibility), and that this results in a reluctance to adopt public cloud computing and is driving organisations towards private cloud computing.</p>
<p>She pointed to recent research by IDC, published by Network Computing, which claimed that while  growing numbers of businesses understand the advantages of embracing  cloud computing, they are more concerned about the risks involved.</p>
<p>MacVittie  said: “Public cloud cannot or will not at this point address these  challenges, but private cloud computing can and is – by architecting a  collection of infrastructure services that can be leveraged by  (internal) customers on an application by application (and sometimes  request by request) basis. What will ultimately bubble up and become  more obvious to public cloud providers is customer demand.</p>
<p>“Because customers right now are not fully exercising public cloud computing as they would their own private implementation – replete with infrastructure services, business critical applications and adherence to business-focused service level agreements – public cloud providers are at a bit of a disadvantage.</p>
<p>“The market isn&#8217;t telling them what they want and need, thus public cloud providers are left to  fend for themselves. Or they may be pandering necessarily to the needs  and demands of a few customers that have fully adopted their platform as  their data centre du jour.”</p>
<p>She claimed that organisations have  abandoned the pretence of caring about the definition of ‘cloud&#8217; and  whether or not such a thing as ‘private&#8217; cloud exists. They are now  forging their way forward past ‘virtualisation plus&#8217; (a derogatory and  dismissive term often used to describe such efforts by some public cloud  providers), and into the latter stages of the cloud computing maturity  model.</p>
<p>Research this week by SunGard Availability Services found  that businesses can save up to 55 per cent on their IT operational spend  by moving their IT infrastructure to a private cloud and provisioning  it as a service.</p>
<p>The investigation, which was based on SunGard&#8217;s customer experience, took into consideration not only the basic in-house data centre and infrastructure maintenance costs, but also ‘invisible&#8217; ancillary charges that are often overlooked by CIOs when considering the expense of moving to the cloud. These include the cost of hiring staff to run data centres around the clock (salary and benefits); the financing needed to build the in-house data centre; and the costs of power, security and rates.</p>
<p>Keith Tilley, managing  director UK and executive vice president Europe for SunGard Availability  Services, said: “Infrastructure within the cloud will play a  significant role in the future of IT. It not only presents an  opportunity for companies to move away from complex and outdated legacy  equipment, which soaks up a large proportion of the IT budget, but also  offers increased flexibility in terms of scalability and IT agility,  making for a very cost-effective solution.”</p>
<p>Tony Lock, analyst at  Freeform Dynamics, said that the cloud&#8217;s modular nature could enable  businesses to buy exactly what they need today rather than speculate on a  costly IT solution that they hope the business will grow into at some  point in the future.</p>
<p>“Although many enterprises have been  reluctant to adopt the cloud model due to concerns about the security  and availability of their data, this fear is no longer valid given the  different types of cloud solution currently available and the levels of  security and resilience offered by some vendors,” he said.</p>
<p>Justin  Pirie, director of communities and content at Mimecast, said: “There has  been a great deal of hype around the benefits of cloud services and  while there is huge potential for organisations embracing the cloud, it  is in many ways still an emerging industry.</p>
<p>“However, it is wrong  to present cloud adoption as an all or nothing decision. Increasingly,  businesses are looking for a middle ground that offers the best of both  worlds by using cloud services to augment their existing on-premise  infrastructure.</p>
<p>“For those companies which do not want to fully  embrace cloud computing this ‘just enough onsite&#8217; approach offers an  opportunity to adopt cloud computing in a way that is manageable and  risk free. By adopting cloud services in this way, IT departments can  retain the control and visibility that comes with on-premise technology,  while gaining all the benefits of the cloud in terms of lower costs,  greater scalability and limitless storage.”</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.privatecloud.com/2010/09/02/could-the-adoption-of-private-cloud-be-the-resolution-to-security-fears/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Seven deadly sins of cloud security</title>
		<link>http://www.privatecloud.com/2010/06/07/seven-deadly-sins-of-cloud-security/</link>
		<comments>http://www.privatecloud.com/2010/06/07/seven-deadly-sins-of-cloud-security/#comments</comments>
		<pubDate>Mon, 07 Jun 2010 12:28:21 +0000</pubDate>
		<dc:creator>Amie Smith</dc:creator>
				<category><![CDATA[Content Type]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Featured Homepage]]></category>
		<category><![CDATA[Featured Landingpage]]></category>
		<category><![CDATA[Noteworthy]]></category>
		<category><![CDATA[People & Process]]></category>
		<category><![CDATA[Resource]]></category>
		<category><![CDATA[Resource Topics]]></category>
		<category><![CDATA[Technologies]]></category>
		<category><![CDATA[Videos & Podcasts]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[CSA]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.privatecloud.com/?p=4710</guid>
		<description><![CDATA[What are some of the top threats to cloud security? Listen in as Archie Reed, HP CTO for Cloud Security, and Jim Reavis, executive director of the Cloud Security Alliance, educate viewers on potential cloud security risks.]]></description>
			<content:encoded><![CDATA[<p>In this video, Archie Reed, HP CTO for Cloud Security, and Jim Reavis, executive director of the Cloud Security Alliance, provide viewers with a greater awareness about  cloud security threats.</p>
<p><a href="http://h30423.www3.hp.com/index.jsp?fr_story=6ae3d81a58fe90b09753fdeeac5a7c2f41747820&amp;rf=bm">Watch the video</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.privatecloud.com/2010/06/07/seven-deadly-sins-of-cloud-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Does Virtualization Change Your Approach to Enterprise Security and Compliance?</title>
		<link>http://www.privatecloud.com/2010/05/18/how-does-virtualization-change-your-approach-to-enterprise-security-and-compliance/</link>
		<comments>http://www.privatecloud.com/2010/05/18/how-does-virtualization-change-your-approach-to-enterprise-security-and-compliance/#comments</comments>
		<pubDate>Tue, 18 May 2010 12:23:13 +0000</pubDate>
		<dc:creator>Amie Smith</dc:creator>
				<category><![CDATA[Content Type]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Featured Homepage]]></category>
		<category><![CDATA[Featured Landingpage]]></category>
		<category><![CDATA[People & Process]]></category>
		<category><![CDATA[Resource]]></category>
		<category><![CDATA[Resource Topics]]></category>
		<category><![CDATA[Technologies]]></category>
		<category><![CDATA[Use Cases]]></category>
		<category><![CDATA[Whitepapers]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sever]]></category>
		<category><![CDATA[virtualization]]></category>

		<guid isPermaLink="false">http://www.privatecloud.com/?p=4032</guid>
		<description><![CDATA[Learn ways to reduce vulnerability and optimize security within a virtualized environment.   ]]></description>
			<content:encoded><![CDATA[<p>By Michael Baum, Co‐founder and Chief Corporate &amp; Business Development Officer at Splunk Inc., and Scott Shepard, CISSP, CISM, Principal Consultant at GlassHouse Technologies, Inc.</p>
<p>&#8220;Estimates are that the server virtualization software market will grow at a compound annual rate of 28% from 2008 through 2013 (from $1.8 billion to $6.2 billion).  However, as virtualization adoption continues to increase, it has opened a heated debate in the market over the security and compliance of virtual environments.&#8221;</p>
<p><a href="http://www.splunk.com/web_assets/pdfs/resources/The_Seven_Steps_to_Deliver_Enterprise_Security_and_Compliance_in_Virtualized_Environments.pdf">Read More</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.privatecloud.com/2010/05/18/how-does-virtualization-change-your-approach-to-enterprise-security-and-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is a legal challenge to cloud inevitable?</title>
		<link>http://www.privatecloud.com/2010/04/12/is-a-legal-challenge-to-cloud-inevitable/</link>
		<comments>http://www.privatecloud.com/2010/04/12/is-a-legal-challenge-to-cloud-inevitable/#comments</comments>
		<pubDate>Mon, 12 Apr 2010 12:53:11 +0000</pubDate>
		<dc:creator>Amie Smith</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Blog Topics]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Featured Homepage]]></category>
		<category><![CDATA[Featured Landingpage]]></category>
		<category><![CDATA[Noteworthy]]></category>
		<category><![CDATA[People & Process]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[legal]]></category>
		<category><![CDATA[liability]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://www.privatecloud.com/?p=3380</guid>
		<description><![CDATA[James Urquhart, Product Marketing Manager, Cloud Computing and Virtualized Data Centers at Cisco; and CNET Blog network author, talks about legal issues and the liabilities cloud computing may present to enterprise IT. 
]]></description>
			<content:encoded><![CDATA[<p>By James Urquhart, 3-17-10</p>
<p><em>This blog was reposted from &#8220;<a href="http://news.cnet.com/8301-19413_3-10469214-240.html?part=rss&amp;tag=feed&amp;subj=TheWisdomofClouds">The wisdom of the clouds</a>&#8221; site.</em></p>
<p>I&#8217;ve been spending this week at the Cloud Connect conference at the Santa Clara Convention Center, in Santa Clara, Calif., listening closely to the broad range of opinions and concerns raised by both the customers of cloud and its vendor community. The conference has been an amazing place to get a sense of what those deeply involved in cloud believe will happen in the next few years.</p>
<p>What has surprised me a little bit has been an apparent consensus  that more and more applications will leverage public clouds, and that a  large number of enterprises will adopt those services for certain  classes of applications as early as 2013.</p>
<p>Contrast that with the agenda for a legal seminar being put on in Seattle this May, titled &#8220;<a href="http://www.lawseminars.com/detail.php?SeminarCode=10CLOUDWA">Cloud  Computing New business models and evolving legal issues</a>&#8221;, at which I will be presenting. Here is just a sample of the topics to be discussed:</p>
<blockquote>
<p style="text-align: left;"><strong>Interoperability: Perspectives on Cloud Governance  Through Standards Setting Organizations</strong><br />
<em>Legal perspective on the standards setting process: Pros and cons for  cloud computing providers in light of Rambus and other recent cases.<br />
</em></p>
<p style="text-align: left;"><strong>Data Maintained In, and Moving Between, Different National  Jurisdictions: Differences in the Law and the Resulting Importance of  Jurisdictional Issues</strong><br />
<em>Differences in privacy concepts and regulations, and tips for keeping  all the regulators happy; the closely related concept of  confidentiality, when a duty arises, and how the service provider can  control the terms of the commitment.<br />
</em></p>
<p style="text-align: left;"><strong>Security in the Cloud: Better or Worse than the Alternatives? How  Do You Avoid Negligence Claims?</strong><br />
<em>Strengths and weaknesses in the cloud compared to desktop and  enterprise solutions; determining your standard of care and implementing  security protections to avoid negligence claims; certification  requirements and processes.<br />
</em></p>
</blockquote>
<p>That&#8217;s just part of the first day. The remaining sessions cover  subjects with equally big implications for cloud adoption.</p>
<p>The sense I am getting is that adoption of cloud is beginning to outstrip the ability of legal counsel to evaluate the liabilities that the cloud introduces to enterprise IT. That&#8217;s not to say those liabilities are insurmountable, or even as risky as they may seem to a lay person, such as myself.</p>
<p>However, I&#8217;m led to ponder a serious question: are we setting  ourselves up to see a serious legal challenge to current cloud business  models in the next three to five years? Is it possible that the legal  implications of the cloud are widely underestimated, and that a lot of  investment and effort will be for naught should certain classes of data  or processing be deemed impermissible in the cloud by the courts?</p>
<p>I&#8217;m not trying to raise a false alarm here. It could also be that any  legal issues are handled well before a serious legal challenge can be  mounted. However, I&#8217;m always shocked that when a room full of IT  folks&#8211;developer or operations&#8211;gets together to discuss cloud, they  always fail to discuss what they need to do to mitigate legal risks.</p>
<p>I have no idea what &#8220;Rambus&#8221; is in the first item above, but it feels  to me like I should.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.privatecloud.com/2010/04/12/is-a-legal-challenge-to-cloud-inevitable/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Gartner Outlines Six Most Common Virtualization Security Risks and How to Combat Them</title>
		<link>http://www.privatecloud.com/2010/03/29/gartner-outlines-six-most-common-virtualization-security-risks-and-how-to-combat-them/</link>
		<comments>http://www.privatecloud.com/2010/03/29/gartner-outlines-six-most-common-virtualization-security-risks-and-how-to-combat-them/#comments</comments>
		<pubDate>Mon, 29 Mar 2010 13:12:48 +0000</pubDate>
		<dc:creator>Amie Smith</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Content Type]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Featured Homepage]]></category>
		<category><![CDATA[Featured Landingpage]]></category>
		<category><![CDATA[Noteworthy]]></category>
		<category><![CDATA[People & Process]]></category>
		<category><![CDATA[Resource]]></category>
		<category><![CDATA[Resource Topics]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Use Cases]]></category>
		<category><![CDATA[Gartner]]></category>
		<category><![CDATA[recommendation]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[servers]]></category>
		<category><![CDATA[virtualization]]></category>

		<guid isPermaLink="false">http://www.privatecloud.com/?p=3111</guid>
		<description><![CDATA[The headline reads: "Gartner Says 60 Percent of Virtualized Servers Will Be Less Secure Than the Physical Servers They Replace Through 2012." Find out what Gartner recommends.   ]]></description>
			<content:encoded><![CDATA[<p>&#8220;Virtualization is not inherently insecure,&#8221; said Neil MacDonald, vice  president and Gartner fellow. &#8220;However, most virtualized workloads are  being deployed insecurely. The latter is a result of the immaturity of  tools and processes and the limited training of staff, resellers and  consultants.&#8221;</p>
<p><a href="http://www.gartner.com/it/page.jsp?id=1322414">Read more</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.privatecloud.com/2010/03/29/gartner-outlines-six-most-common-virtualization-security-risks-and-how-to-combat-them/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Trend Micro Annual Report: The Future of Threats and Threat Technologies</title>
		<link>http://www.privatecloud.com/2010/01/06/trend-micro-annual-report-the-future-of-threats-and-threat-technologies/</link>
		<comments>http://www.privatecloud.com/2010/01/06/trend-micro-annual-report-the-future-of-threats-and-threat-technologies/#comments</comments>
		<pubDate>Wed, 06 Jan 2010 14:52:26 +0000</pubDate>
		<dc:creator>Amie Smith</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Featured Homepage]]></category>
		<category><![CDATA[Featured Landingpage]]></category>
		<category><![CDATA[Noteworthy]]></category>
		<category><![CDATA[Resource]]></category>
		<category><![CDATA[Resource Topics]]></category>
		<category><![CDATA[Technologies]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[Cybercrime]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.privatecloud.com/?p=1767</guid>
		<description><![CDATA[As the popularity of cloud computing grows so too does cybercrime. Learn more about emerging threats and threat technologies, and the security challenges they present, in this comprehensive 2009 Trend Micro report.]]></description>
			<content:encoded><![CDATA[<p>&#8220;While it is difficult to cover every possible threat eventuality that may take place in 2010 and beyond, this report is the collective insight of Trend Micro threat experts, researchers, and engineers. Their combined knowledge of the existing computing landscape plus their years of experience in the field of security enable them to identify real-world technological trends and threats for home users and businesses in 2010 and beyond.”  <a title="Trend Micro Annual Report: The Future of Threats and Threat Technologies" href="http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/trend_micro_2010_future_threat_report_final.pdf" target="_blank">Read more</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.privatecloud.com/2010/01/06/trend-micro-annual-report-the-future-of-threats-and-threat-technologies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What are likely scenarios for the GRC-enabled cloud journey?</title>
		<link>http://www.privatecloud.com/2009/12/10/what-are-likely-scenarios-for-the-grc-enabled-cloud-journey/</link>
		<comments>http://www.privatecloud.com/2009/12/10/what-are-likely-scenarios-for-the-grc-enabled-cloud-journey/#comments</comments>
		<pubDate>Thu, 10 Dec 2009 13:48:29 +0000</pubDate>
		<dc:creator>Yo Delmar</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Blog Topics]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Featured Homepage]]></category>
		<category><![CDATA[Featured Landingpage]]></category>
		<category><![CDATA[People & Process]]></category>
		<category><![CDATA[Service Provider Insider]]></category>
		<category><![CDATA[Use Cases]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://www.privatecloud.com/?p=1366</guid>
		<description><![CDATA[A follow-up discussion to “The GRC-enabled cloud--governance, risk, and compliance may be simpler, faster, cheaper, and more trusted--eventually” blog,  EMC’s Yo Delmar, Director, Marketing, GRC Office, delves deeper into the subject, presenting probable scenarios anticipated to spur the evolution of GRC-enabled cloud services. ]]></description>
			<content:encoded><![CDATA[<div id="attachment_1389" class="wp-caption alignleft" style="width: 210px"><a rel="attachment wp-att-1389" href="http://www.privatecloud.com/2009/12/02/the-grc-enabled-cloud-governance-risk-and-compliance-may-be-simpler-faster-cheaper-and-more-trusted-eventually/delmar_200_crop/"><img class="size-full wp-image-1389" title="delmar_200_crop" src="http://www.privatecloud.com/wp-content/uploads/2009/12/delmar_200_crop.jpg" alt="Yo Delmar" width="200" height="150" /></a><p class="wp-caption-text">Yo Delmar</p></div>
<p>By Yo Delmar, December 10, 2009</p>
<p><strong>1: Bad things happen early on, forcing adoption of GRC-enabled cloud services. </strong>Cloud consolidates lots of information in one world, making it attractive to those who would benefit from exploits. Clouds will be tested by some of the best criminal minds, not to mention the best intentioned humans who simply mess up. We will learn where the holes are by leveraging analytics and modeling through the virtualization layer&#8217;s highly granular monitoring capabilities, combined with security information and event monitoring that is extended to the cloud. We will patch and fret our way into smaller and smaller threat surfaces. These events will be forcing functions that cause cloud vendors to leverage economies of scale not only for cost reduction, but now for GRC-enablement, certification, and dynamic risk management.</p>
<p><strong>2: Cloud vendors stratify into layers of increasing GRC-enablement. </strong>Cloud vendors will differentiate themselves based on their ability to offer various levels of GRC-enablement, determined by the visibility, compliance, and access needs of the customer. At first this will be coarse grained, but as organizations are able to understand and define their needs more granularly, services will naturally segregate information and entities by their classifications and allow them free movement within cloud segments that are matched precisely to those needs. Eventually service will be so superior it will be far cheaper for organizations to contract with a GRC-enabled cloud than retrofit their legacy IT environments, and increasingly, their internal clouds. Cloud vendors will seek long-term, high value relationships with high switching costs by leveraging technologies for data center monitoring, data encryption and tokenization, federated identity management, and strong authentication to prevent fraud, detect malware, and demonstrate compliance.</p>
<p><strong>3: Cloud vendors band together to create classifications that enable chain-of-trust-custody.</strong> Federation between clouds will develop rapidly as the rules of engagement become more automated and understood, leveraging federated identity management, encryption, and more. Insight into, understanding of, and protection from the “dark cloud” will be possible through the unified efforts of cloud owners and providers.</p>
<p><strong>4: Organizations understand their needs more granularly. </strong>Organizations formalize information governance and learn to classify elements dynamically and accurately, based on business impact analysis that is rationalized and current, in a feedback loop with threat and vulnerability analysis. Information and assets will be able to be intelligently and automatically allocated to the cloud environ that meets information governance requirements.</p>
<p>What further scenarios do you imagine? What cloud eddies and currents can you see along the way?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.privatecloud.com/2009/12/10/what-are-likely-scenarios-for-the-grc-enabled-cloud-journey/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The GRC-enabled cloud &#8212; governance, risk, and compliance may be simpler, faster, cheaper, and more trusted &#8212; eventually</title>
		<link>http://www.privatecloud.com/2009/12/02/the-grc-enabled-cloud-governance-risk-and-compliance-may-be-simpler-faster-cheaper-and-more-trusted-eventually/</link>
		<comments>http://www.privatecloud.com/2009/12/02/the-grc-enabled-cloud-governance-risk-and-compliance-may-be-simpler-faster-cheaper-and-more-trusted-eventually/#comments</comments>
		<pubDate>Wed, 02 Dec 2009 22:02:48 +0000</pubDate>
		<dc:creator>Yo Delmar</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Blog Topics]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Featured Homepage]]></category>
		<category><![CDATA[Featured Landingpage]]></category>
		<category><![CDATA[Noteworthy]]></category>
		<category><![CDATA[Use Cases]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[internal cloud]]></category>
		<category><![CDATA[private cloud]]></category>
		<category><![CDATA[public cloud]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://www.privatecloud.com/?p=1306</guid>
		<description><![CDATA[Find out what a “GRC-enabled” cloud would look like in “part one” of a “two-part” series of blogs by EMC’s Yo Delmar, Director, Marketing, GRC Office, an authority on market strategies and programs for governance, risk, and compliance solutions.]]></description>
			<content:encoded><![CDATA[<div id="attachment_1389" class="wp-caption alignleft" style="width: 210px"><img class="size-full wp-image-1389" title="delmar_200_crop" src="http://www.privatecloud.com/wp-content/uploads/2009/12/delmar_200_crop.jpg" alt="Yo Delmar" width="200" height="150" /><p class="wp-caption-text">Yo Delmar</p></div>
<p>By Yo Delmar, December 2, 2009</p>
<p>GRC stands for Governance, Risk, and Compliance. It is a way of managing the overlaps in the way we govern our business and IT processes, manage exposures that are outside of our risk appetite, and demonstrate compliant controls &#8212; all so that we can maximize value and minimize cost. We GRCers often say we like to <em>test controls once, analyze across multiple requirements, and report to many stakeholders</em>. Why? It’s more accurate, efficient, and streamlined that way &#8212; everybody gets the same picture.</p>
<p>When we talk about the cloud, whether it is an internal cloud, an external cloud (i.e., public cloud), or a private cloud (i.e., hybrid cloud), we are inevitably led to consider GRC. To date the cloud GRC discussion has been limited to issues of privacy, trust, reliability, and availability, narrowly focused at times on security. This is typical when profound changes are underway driving any paradigm shift, and this evolution to the cloud is truly profound for IT. It changes not everything, but nearly everything. It is as transformational for IT, and perhaps more so, than the movement from centralized to distributed client server computing in the 90’s.</p>
<p>Going forward, we need to broaden the cloud discussion to imagine the scenarios where the cloud is GRC-enabled, at the appropriate level, matching the precise needs of its diverse and distinct user communities. Let’s rise above the clouds for a moment and “blue sky” GRC concepts one by one.</p>
<p>First, to level the set:</p>
<p><strong>Governance</strong> is about boundaries and decision rights between entities, whether those entities are humans or machines. It’s all about aligning policy with business intent, and driving that accountability into the day to day fabric of the organization and infrastructure, whether the organization is virtual in the technology sense, extending through webs of cloud relationships, or in the people sense, extending through webs of human relationships.</p>
<p><strong>Risk </strong>is all about managing exposure within appetites, if you are blessed enough to know what that is. This can be a challenge because there are mini-universes of processes, assets, and requirements and of course, this becomes even more complex in the clouds.</p>
<p><strong>Compliance</strong> is largely about demonstration of control design and effectiveness, whether controls are in place to satisfy business or regulatory requirements, in the cloud, on the ground, or in the fog.</p>
<h3>Governance in the cloud</h3>
<p>What would a governance-enabled cloud look like? Governance translates directly through policy to authority, behavior, and access in the cloud.</p>
<p><strong><em>Policy </em></strong>would need to be based not only on business and regulatory requirements, but also on best practices that can be translated from written edicts through instantiations of configurations for all in-scope technologies. For example, applications would specify their operational policies; hosts would specify their control capabilities; and hosting would occur when policies match control capabilities.</p>
<p><strong><em>Classification schema</em></strong> would need to underpin the policies that govern behavior of entities, in particular, applications, information, or virtualized environs. Entities would need to know their GRC profile, that is, how they are classified and what their attendant configuration and protection requirements are, and by extension, what the characteristics of their target cloud environs must be.</p>
<p><strong><em>Chain-of-trust-custody</em></strong>: we know about chain-of-trust-custody in the legal and even information security sense. When clouds negotiate handoffs in this dynamic, fluid eco-system, the chain of trust would need to be carried along with each handoff, logged, analyzed, and auditable. If the chain should break, it must either stop the movement or self-heal. Policy shapes the rules of interaction and policy enforcement would be able to break bindings dynamically.</p>
<h3>Risk management in the cloud</h3>
<p>What would a risk management-enabled cloud look like? Risk translates directly to the probability or likelihood that a threat will have a negative impact on an entity.</p>
<p><strong><em>Business Impact Analysis (BIA)</em></strong> would need to be continuous and based on known and accepted levels of risk tolerance, at many levels of granularity, running from business process through the stack to applications, information, and the cloud environ. BIA would be based not just on availability, “A”, as we see today in business continuity, but also on confidentiality, “C”, to ensure privacy, and integrity, “I”, to ensure data quality, as well. This BIA-CIA profile would map into the governance classification schema and be a foundation stone to facilitate trust.</p>
<p><strong><em>Threat and vulnerability analysis</em></strong> would need to be dynamic, absorb new threat-vulnerability pairs, and determine probabilities by sensing their context through the type of e-discovery, instrumentation, and configuration controls monitoring that is possible at granular levels through the hypervisor. We have this type of technology today at the network level within the internal cloud; we need to extend it across cloud ecosystems.</p>
<p><strong><em>Risk analysis and remediation</em></strong> would need to be dynamic, in near-real time. Blocking and quarantining technologies would be part of the solution but most importantly, human-machine and machine-machine visibility into configuration postures, coupling, and service levels would enable just-in-time remediation.</p>
<h3>Compliance in the cloud</h3>
<p>What would a compliance-enabled cloud look like? Compliance translates into understanding how policy enforces regulatory and business requirements in the cloud, through the use of controls.</p>
<p><strong><em>Control rationalization and normalization</em></strong> would need to be more automated. Conflicting controls would be rooted out and overlapping controls allowed to persist only in those environs where deeper levels of defense are required, based on classifications and policy.</p>
<p><strong><em>Control implementation</em></strong> would need to be dynamic when possible. Human intervention will bottleneck processes, and where communication is machine-machine, collaborative decisions will need to be negotiated through rules or inference. Compliance would involve knowing such things as where information resides or has resided; where it has been transmitted to, from, or through regulatory boundaries; and how it is protected at rest or in flight, notified, consented, or “safe harbored”.</p>
<p>It’s time to reframe the cloud discussion in a way that frees us to think strategically and practically about how the journey to the cloud may actually evolve. By doing this we can be proactive and creative, and avoid the inevitable backtracking and reworking that occurs when we react piecemeal to profound change. Let’s continue the dialogue…it’s time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.privatecloud.com/2009/12/02/the-grc-enabled-cloud-governance-risk-and-compliance-may-be-simpler-faster-cheaper-and-more-trusted-eventually/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud computing: benefits, risks, and recommendations for information security</title>
		<link>http://www.privatecloud.com/2009/11/24/cloud-computing-benefits-risks-and-recommendations-for-information-security/</link>
		<comments>http://www.privatecloud.com/2009/11/24/cloud-computing-benefits-risks-and-recommendations-for-information-security/#comments</comments>
		<pubDate>Tue, 24 Nov 2009 19:21:41 +0000</pubDate>
		<dc:creator>Amie Smith</dc:creator>
				<category><![CDATA[Content Type]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Featured Homepage]]></category>
		<category><![CDATA[Featured Landingpage]]></category>
		<category><![CDATA[Resource]]></category>
		<category><![CDATA[Resource Topics]]></category>
		<category><![CDATA[Technologies]]></category>
		<category><![CDATA[Use Cases]]></category>
		<category><![CDATA[Whitepapers]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[private cloud]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.privatecloud.com/?p=1074</guid>
		<description><![CDATA[This ENISA-sponsored report offers an in-depth and independent overview of the information security benefits and key security risks of cloud computing, as well as practical recommendations.]]></description>
			<content:encoded><![CDATA[<p>Supported by industry, academia, and government experts, the European Network and Information Security Agency (ENISA) has conducted a risk assessment on the cloud computing business model and technologies. The results have been compiled into a comprehensive, 123-page report. <a title="Cloud computing: benefits, risks, and recommendations for information security" href="http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/" target="_blank">Find out more</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.privatecloud.com/2009/11/24/cloud-computing-benefits-risks-and-recommendations-for-information-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
