Archive for November, 2010

Rahul Bakshi Predicts Cloud Maturity and Convergence

SunGard Availability Services released an article recently featuring Rahul Bakshi, vice president Product Management, Managed Services at SunGard AS.  In the article, Rahul offers predictions on the future of the cloud, including the maturity and convergence of offerings.

Click here to see the video of Rahul discussing his predictions:


Cloud is a Service, Not a Commodity

Forrester’s James Staten recently wrote a very well written (and widely read) piece on Cloud Computing trends for 2011.  While I agree with most of his bold points and predictions, one point gave me pause.  James writes:

“Cloud economics gets switched on.  Being cheap is good. We all know the basics of cloud economics — pay only for what you use — but the mechanism isn’t the lesson; it’s just the tool. Cloud economics 101 is matching elastic applications to cloud platforms and moving transient apps in and out so their costs are constantly returning to zero. Cloud economics 201 is designing and optimizing applications to take greatest advantage. Cloud economics 301 is knowing when and which cloud to use for maximum profitability. Look to early efforts such as Amazon Web Services’ Spot Instances and Enomaly’s SpotCloud to show the way here and the Cloud Price Calculator to help you normalize costs. As cloud segments, such as IaaS commoditize, tools that let you play the market will grow in importance.”

While this is true of small, highly portable and transitional workloads, I think this point is highly overstated in the enterprise. Such workloads are the exception, not the rule, for most businesses. Most services need to be highly available once in production and must adhere to fully realized IT Infrastructure Library (ITIL®) processes designed to ensure the availability of those services. While they will inevitably be moved into the cloud to gain the benefits of scale, elasticity and lower costs, the move will be managed very carefully.

There is a cost to this migration. Enterprises understand this and will choose their cloud vendors carefully; they will not switch vendors to save a nickel when the costs associated with the move will likely be measured in dimes. It is precisely because most businesses do not have IT as a core competence (which is part of the benefit of clouds) that they will not have workload migration and cloud optimization as a core competence either. They should carefully choose a partner, then work with and trust that partner until the partner is unable to meet the organization’s requirements. In short, for enterprise production applications, the cloud is a service, not a commodity.

ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries.

Can Cloud Computing Improve Your Security?

Cloud security continues to dominate the cloud conversation.  I asked Nik Weidenbacher, director of product engineering for cloud computing, to give us his thoughts on how the cloud can improve security.  Nik and his team are responsible for designing, building and testing the infrastructure for SunGard’s Cloud Computing Service…CM

Obviously, the answer is “it depends.”  How good is your security now?  A number of factors play into that question.

Security in a Data Center

If your technology runs in a traditional data center and you move to a cloud where the same technology is used, security is quite similar.  Essentially, you’ve been using virtual local area networks (VLANs) to separate your departments, and now your cloud provider uses that same technology to separate your departments and to separate other tenants from you.

Security in a cloud

If your company doesn’t already use a technology like VMware to run multiple operating systems within VLANs, then the security landscape changes significantly.  A physical switch connecting the network to one machine in your data center is replaced by software switches connected to multiple machines and managed by a “hypervisor.”

Just as you secured that physical switch in your data center, the cloud technician must secure the software switches and the hypervisor to control who can and cannot access them, and must also add intrusion prevention software to thwart unauthorized outside access.

Then they have to consider security maintenance.  Are patches being received, evaluated and placed into operation on a timely basis?  Clouds have lots of moving parts and, since the weakest link is the most vulnerable, you have to think about security everywhere, all the time.

Security gains

Ultimately, the most important security question is “who’s running your cloud?”  Many companies can’t afford all the software and technical skill it takes to manage a highly secured data center, so they aren’t doing it.  A cloud provider can share that cost among many companies, not only to provide a more secure environment but also to pay constant attention to it.  Similarly, where PCI-DSS certification for credit card transactions may be an ongoing project in a company, the cloud provider may already have that security in place.

What additional security measures could your organization gain with the right cloud provider?

Is the Cloud Security Risk Overstated?

Gregory L. Smith, Senior Product Architect for Cloud Computing, is a liaison to clients for defining and shaping the security components of SunGard’s Cloud Computing Services.

Is the cloud security risk overstated?  If you work with a trusted partner and already have good security practices in place before you move to a cloud, I think the security risk in the cloud is slightly overstated.  It is not cloud computing itself that is the risk.

The Security Risk Realization

Unfortunately, it is not uncommon for a company planning a move to a cloud to suddenly see risks everywhere, including in places they had naively overlooked in their existing environment.  However, if you are moving to a trusted cloud computing provider, that provider probably offers more security capabilities than most managed service or infrastructure providers.

The Key to Reducing Security Risk

The key to reducing the security risk within a cloud is to know how your provider approached the security requirements. Did the cloud computing provider retrofit security or design it in from scratch?

Retrofitting security capabilities to handle regulatory requirements such as PCI-DSS, HIPAA or ISO 27001/2 means extracting whatever information is available from low-level system logs after the fact.  This approach offers limited information, and testing security is difficult.

Designing security into a cloud means you can embed audit trails with needed data across all layers of the environment.  From a due diligence perspective, you can produce reports that provide transparency and prove that security is in place, not only for the auditors, but for the client and their customers as well. 

Large enterprises, especially, need built-in security.  The existing security information provided by a vendor may meet the needs of low-level use cases but not that of more closely regulated organizations.  Adding those capabilities could be difficult.

Enable the Client

The goal is not just to put a check mark by each security item on the list.  Rather, the goal is to enable the customer.  With embedded security, applications can ride on top of the infrastructure and transparently hand off the data that your organization needs for its applications.

Download SunGard’s white paper, “All clouds are not created equal.”

Resilience is Power …

… and water, and HVAC, and all related infrastructure components. Resilience is dependent on all these infrastructure components, along with network communications.

This became obvious this weekend with two distinct events:
- A friend shared a photo of a car that went through the side of a building while parking; in doing so, they broke water and sewage lines which prevented the building from remaining open for business occupancy for several days.
- An underground explosion and fire in Philadelphia early Monday morning, just a few blocks from my office, caused local businesses to deal with power outages and street closures when they arrived back after the weekend.

These two incidents are a reminder that every business is dependent on utilities for power and water and on telecommunications carriers for their connections to the outside world. Not long ago, I directed a continuity drill for a brokerage company, where we simulated an underground fire. Within ten days of that simulation, underground utility fires or explosions occurred in both Philly and New York.

Scenario Planning

Continuity planning is never really finished. It is a cyclical process, including establishing policies for your organization, assessing capabilities to meet those policies, training staff and validating capabilities, and then maintaining that readiness. In parallel to maintaining the readiness and capability is the ongoing question of whether your organizational needs are changing.

Regular validation is recommended by most standards and may be mandatory under many regulations. This includes updating the scenarios which you follow when conducting any validation exercise.

Disaster Statistics Point to Risks

So what are the top causes of disasters? Of 2,367 disasters supported by SunGard over the years, 1,181 (49%) were caused by hardware failures (570), weather (349) or power failures (282). Fourth on the list is terrorism at 7.4%.

With these threats in mind, it becomes easier to ensure that any scenario planning you consider to maintain and validate your plan includes those elements that have been consistently a threat to continuity, in addition to any industry-specific threats you need to anticipate.

The SunGard statistics for 2009 (the last full year) show that the industries with the greatest number of declaration events are led by financial organizations, followed by manufacturing, government, technology, services, health care and insurance. When you consider the business drivers of regulation and supply chain dependency, these industry segments demonstrate the greatest maturity in their continuity planning programs.

When developing your business continuity program, be sure to consider a broad array of possible threats. The events that will actually occur will differ, but the guidance of your plan will still inform your decision process as you recover production capability.

________________________________________________________________

Please join me at the Continuity Insights webinar discussing alternate site selection on November 23, 2010.

Guest Blog: Cisco’s Omar Sultan’s Thoughts on Security in Multi-Tenant Environments

One of the most frequent questions I get when the topic of cloud computing comes up is around security.  Justifiably, folks tend to have questions around security, privacy, and regulatory compliance in shared environments.

A shared environment (also called a multi-tenant environment) is much like an apartment building.  You have multiple tenants (renters) sharing common infrastructure (the apartment building).   The tenants may be different departments from the same company or completely different companies.

Security is a complex topic but the main concepts are applicable whether you are looking at private cloud solutions or public cloud solutions.  To keep things grounded in something practical, I’ll use Cisco’s Vblock architecture as a reference, since it is deployed in both public and private cloud environments.

Shared Resource Blocks

At the most basic level, you need to be able to segment shared resources among the tenants.   The Vblock architecture segments tenant resources in several ways:

At the network level, the architecture uses unique Media Access Control (MAC) address pools, Virtual Local Area Network (VLAN) tagging and security features, such as vShield zones, private VLANs and access control lists, to consistently define and enforce policies, not just at the tenant level but also down to the virtual machine level so you can enforce segmentation even within a tenant.

Similarly, at the storage level, the architecture uses Logical Unit Number (LUN) masking, zoning and Virtual Storage Area Networks (VSANs) to segment storage assets.

Quality of Service Monitoring

One subtle aspect of Vblock’s segmentation capability is the ability to create and enforce “quality of service (QoS)” between tenants.  The apartment analogy for this ability is when your neighbor plays their stereo too loud and drowns out your TV. In cloud environments, you need to ensure that QoS mechanisms are in place so your workloads are not adversely impacted by the activities of another tenant.

Manage Consistent Security

The next area to look at is manageability.   First is the ability to integrate with your existing information security (“infosec”) framework.  If your information security framework doesn’t have operational consistency with the rest of your environment it can reduce efficiency or, worse, create policy compliance issues.

The second area is the security of operations and management interfaces, which prevents someone from hacking in and taking control of your infrastructure.  Vblock provides an open framework that integrates with your existing security framework to ensure consistent security between physical and virtual environments.

Auditability

Finally, you need auditability.  If you have a business governed by regulatory compliance policies, then you need to make sure your cloud solutions can provide you with the kind of data you need to keep your auditors happy.

At the end of the day, do you need to do your due diligence around security issues when looking at cloud solutions?  Absolutely, but the good news is that there are proven solutions available that allow you to take advantage of cloud computing while still keeping your infosec folks happy, which is always a good idea.

Download SunGard’s white paper: “All Clouds are Not Created Equal.”

FISMA, Cybersecurity, and Enterprise Resilience

Earlier this week, a colleague asked whether cybersecurity was really different from information security, and if so, how was it to be managed: within or separate from IT security?

Cybersecurity focuses on external electronic threats to your information or operation. No IT security program would be effective without considering such external threats, so it is fair to say that cybersecurity is a specialty area within the broad requirements of IT security. Internal security looks at passwords, access authorization, employee awareness and training, data protection and more. What makes cybersecurity unique is the complexity of a changing environment and the need to constantly upgrade monitoring and tools in order to stay ahead of increasingly sophisticated attacks. An additional cybersecurity dimension is that most external aspects of the Internet are not government owned, but are provided

The State of Federal Cybersecurity

Last month, the GAO released their audit report on federal initiatives to improve federal cybersecurity. Since the 2009 GAO report to Congress, the audit showed progress, but called for further improvement. The previous report to Congress showed a rise in cybersecurity breach-related incidents from 5,503 in 2006 to 16,843 in 2008. This increase in a three year period shows that cyber threats are increasing broadly; evidence of increased threat activity is reported by every monitoring agency and info security company, and such threats are not limited to the federal sector.

In last week’s post, the suggestion was made that business decisions are at their core risk management decisions. A recent ISACA Journal article referenced the 2009 GAO report in a discussion of FISMA requirements, and raised an interesting challenge: cybersecurity programs need to shift from a compliance focus to a risk-based info security program.

Risk-based Information Security

The rationale for this shift is straightforward: implementing new compliance-oriented security programs takes time, but as soon as they are deployed they may be obsolete, given that the principal threat, cyber terrorists, keeps changing. Those behind the threats and the rising number of attacks are creative, smart and dangerous. As soon as they detect an obstacle in their threat path, they will look for a new weakness.

Risk-based cybersecurity programs have a greater flexibility to respond to changing threats. Compliance-based programs monitor specific, known threat attributes. The advantage of a risk-based approach is the ability to adapt and respond to a wide variety of threats, including those that are constantly changing.

While the ISACA report specifically addresses federal systems and FISMA requirements, it can readily be applied to private sector cybersecurity programs, leading to more robust and secure systems, with increased resilience as threats continue to change.

SunGard’s Rahul Bakshi Talks About the SunGard Enterprise Cloud Offering

Rahul Bakshi Talks Cloud

Rahul Bakshi talks about meeting customer needs and requirements with enterprise cloud services.  Click here to view the video.