Computerworld Philippines :: cloud computing

Posts Tagged ‘ cloud computing ’

Google opens Google Apps Marketplace

By JM Tuazon on March 10, 2010

By Paul Krill
InfoWorld (US)
March 10, 2010

SAN FRANCISCO - Google will launch on Tuesday evening Google Apps Marketplace, providing a venue for third-party, cloud-based applications to supplement Google’s own online applications.

The program enables integrations with such applications as Google Gmail, Documents, Sites and Calendar. All told, the effort begins with 50 vendors participating, including Atlassian, NetSuite, Skytap and Zoho.

[ InfoWorld's Paul Krill reported earlier today that developers received a boost in native development capabilities for the Google-backed Android mobile phone platform. ]

“Tonight, what we’re doing is we’re announcing a business-to-business marketplace for Google Apps users, where the idea is that we want to help users get more applications for Google Apps from third-party developers,” said Chris Vander Mey, Google senior product manager, in an interview on Tuesday afternoon. Among the applications is a small business payroll system from Intuit, called Intuit Online Payroll, and Box.net’s self-named content management system.

Users can link to an application via the UI in Google applications, offering benefits like single sign-on and sharing of data between Google Apps and third-party applications. Centralized administration also is featured.

“As you purchase applications, they’re automatically integrated into your domain,” Vander Mey said. Applications can be installed within a domain via a four-click process. Google Apps Marketplace could be compared to the Apple App Store for iPhone applications or the Salesforce.com Force.com cloud application platform, said Vander Mey.

At Box.net, an official cited integration benefits of Google Apps marketplace.

“Basically, we’re now pretty deeply integrated with Google Apps,” said Jennifer Grant, vice president of marketing at Box.net. Users can access Box.net directly from applications such as Gmail, she said.

“Before, they would have to go to Box.net as a separate application,” Grant said. Users can add Google Docs documents to a Box.net workflow and send out email alerts.

Participation in Google Apps Marketplace is open to customers of the Premier, Standard and Education editions of Google Apps. Applications are linked to the marketplace via REST Web services and APIs including OpenID and OAuth.

“We expect [the marketplace is] going to significantly help Google Apps adoption and also help adoption of our partner apps,” Vander Mey said. “We’re going to bring 25 million users to these partner companies.”

Google began offering online applications five years ago, having reached the 25 million-user mark last weekend, said Vender Mey. More than 2 million businesses use the applications, he said.

Google will pass on 80 percent of revenues from Google Apps Market sales to participating partners and keep the remaining 20 percent.

Some of the other application partners include Aviary, Batchbook, Bookfresh, Expensify, OfficeSync, Shoeboxed.com, and SuccessFactors.

Possibly Related Posts:

Cloud security, cyberwar dominate RSA Conference

By JM Tuazon on March 5, 2010

By Tim Greene
Network World (US)
March 5, 2010

FRAMINGHAM - Cloud security loomed over the RSA Conference this week as a major concern of business, but worry about the threat of cyberwar was also strong, with officials from the White House and FBI weighing in to encourage private participation in government efforts to defend information and communications networks.

During the highest profile panel at the conference, a former technical director of the National Security Agency bluntly said he doesn’t trust cloud services. Speaking for himself and not the agency, Brian Snow said cloud infrastructure can deliver services that customers can access securely, but the shared nature of the cloud leaves doubts about attack channels through other users in the cloud. “You don’t know what else is cuddling up next to it,” he said.

In his keynote address, Art Coviello, the president of RSA, the security arm of EMC, agreed that customers need to be assured the cloud is safe. Coviello told the 4,000 attendees gathered for his talk that cloud services will inevitably be adopted widely because of the huge financial benefits they offer. “But you won’t want any part of that unless service providers can demonstrate their ability to effectively enforce policy, prove compliance and manage multi- tenancy,” he said.

The big problem is trust, he said. His own company announced at the show a partnership with Intel and VMware to improve trust by enabling measurement of cloud providers’ security. The effort would let customers of cloud infrastructure services weigh the security of the service and get metrics to deliver to auditors who are sent to determine whether businesses comply with government and industry security standards. “Service providers should be able to tell compliance officers and auditors just about anything they need to know — with verifiable metrics,” Coviello said.

But warnings about other cloud threats came through loud and clear. At the Cloud Security Alliance (CSA) Summit held earlier in the conference, for example, the CSA announced a report on its top concerns about cloud security, and they were major, including documented use of cloud infrastructure-as-a-platform to launch botnets.

CSA, an industry consortium of users and vendors, also highlighted vulnerabilities in the means given to cloud customers to access and manage the services they buy. These APIs are not necessarily secure and could offer attackers a chink through which they could infiltrate cloud networks and the corporate content entrusted to them. The answer: “Ensure strong authentication and access controls are implemented in concert with encrypted transmission,” CSA said. CSA’s report details 10 threats as well as fixes, but stands as a warning about embracing cloud services without carefully weighing the downsides.

While Coviello touted the ability to give auditors and compliance officials the data they need to assure businesses meet security regulations, the validity of such regulations was questioned by the top White House cybersecurity adviser during his keynote address. Cybersecurity coordinator Howard Schmidt told the conference that security compliance under the Federal Information Security Management Act is flawed. “You can be [Federal Information Security Management Act] compliant but still not be secure,” he said. “We agree that work needs to be done on that.”

He said the government is addressing it with recommendations from the federal budget watchdog agency, the Office of Management and the Budget, due out next month. Rather than meeting a set of regulations, agencies will have to meet performance metrics. “These new metrics begin to move us from a static compliance-based metrics program to a continuous monitoring capability,” Schmidt said.

Meanwhile, U.S. Secretary of Homeland Security Janet Napolitano came to the conference as a recruiter, using her keynote address to acknowledge that government talent alone cannot address the threats the country faces. She announced that her department is seeking to fill top cybersecurity posts with candidates from outside government. “In fact, we may be trying to recruit some of you for your talent right now,” she said. “We need it.”

Napolitano also tried to interest conference attendees in a contest to create a national cybersecurity-awareness program for educating the general public in cyber threats they face and how they can contribute to help improve security. She said she wants the programs to include social networking and to be as effective as past government campaigns to reduce smoking and litter.

Government can’t do the job itself because the vast majority of the U.S. cyber infrastructure is privately owned. “I ask you to redouble the efforts that you are making to increase security, to increase reliability and to increase the quality of the products that you have that enter the global supply chain,” Napolitano said.

She issued a call for automated security, and said that the government is working on an intrusion-prevention system (IPS) to protect U.S. agency networks. She said the government is upgrading its intrusion-detection platform, Einstein 2, to an IPS, called Einstein 3. Einstein 2 is deployed in nine federal agencies as well as in the networks of carriers AT&T, Qwest and Sprint. Verizon is on the list to get it, too.

But Einstein 3 would automatically detect malicious activity and disable attempted intrusions before they can do harm, Napolitano said. She didn’t give a timetable for when it will be deployable.

Meanwhil,e RSA Conference plowed ahead with its traditional business of educating attendees about threats and the means for countering them. For instance, Jeremiah Grossman, CTO of White Hat Security, warned about an undetectable browser exploit that bares corporate networks to attackers.

That topped his list of the most effective new attacks that have been devised by researchers over the past year. Called DNS rebinding, attackers turn victims’ browsers into Web proxies that do the attackers’ bidding, he said.

The attack works by tricking browsers into seeking internal servers on the victim’s network under the direction of the attacker, who can direct it to find and send corporate data, Grossman said. The browser exhibits no behavior out of the ordinary, so the attacks go unnoticed.

And the conference named Altor Networks as winner of its Innovation Sandbox competition for most innovative product from a vendor with less than $5 million per year in business. Altor makes a virtual firewall platform for protecting VMware virtual machines that includes firewall and intrusion detection. It operates from within the hypervisor and the virtual switch, enabling examination of packets between virtual machines on the same physical host. The software includes an API for automated provisioning.

Possibly Related Posts:

Microsoft’s Ballmer: ‘For the cloud, we’re all in’

By JM Tuazon on March 5, 2010

By Denise Dubie
Network World (US)
March 5, 2010

FRAMINGHAM - Microsoft is betting the cloud will deliver it and its customers the most opportunities for innovation and development. And according to CEO Steve Ballmer, five key reasons are driving the company’s confidence in — and technology strategy for — cloud computing in the coming years.

“For the cloud, we’re all in,” said Ballmer during an address and live Webcast at the University of Washington’s Paul G. Allen Center for Computer Science & Engineering in Seattle. “Literally, I will tell you we are betting our company on it.”

In addition to Microsoft’s Azure platform, Ballmer said the cloud and its potential is behind Microsoft’s technology strategy and that the company, while perhaps behind in some areas such as phones, is with the market leaders when it comes to cloud computing.

“The cloud fuels Microsoft and Microsoft fuels the cloud,” Ballmer said. “We have 40,000 people employed building software around the globe, about 70% of the folks that work for us are doing something designed exclusively for the cloud or designed to serve one of the five points I spoke about today. A year from now, it would be 90%. How we are thinking about delivering it really builds from this cloud base.”

During the hour-long address, Ballmer detailed the five key dimensions of the cloud driving Microsoft, the first being that “the cloud creates opportunities and responsibilities.” That means it provides people the opportunity to create and share content “instantaneously,” but also requires a responsibility around privacy and confidentiality. “It is a dimension of the cloud that needs all of our best work in my opinion,” Ballmer said.

The second key dimension is around learning, what the cloud learns about the world and about users, bringing data together to enable better decisions.

But the cloud, like many disruptive technologies, is not a static entity, he suggested. “The cloud needs to learn about you and needs to keep learning and figure out about the world that has been described virtually,” Ballmer said. “The cloud itself needs to learn, it has to represent the real world and keep getting smarter and better to help me learn.”

The next dimension Ballmer detailed involves how the cloud “enhances your social and professional interactions” and enables people to connect on multi-faceted levels.

“The ability to really connect people and help people connect is just beginning to be tapped,” Ballmer said.

Using an example of Xbox Live tapping into British television service Sky, Simon Atwell, senior program manager at Microsoft’s XBox division, showed how users could virtually watch TV together, interact via prompts and connect socially using the gaming platform, without actually having to be playing games the entire time. While the demonstration suffered from “4,700 miles of geographic latency,” Atwell was able to display the experience in part.

“I get this experience that I am doing something social that is more than just playing games. If I want to share my emotions, I can get super excited about the content,” Atwell said. “We could be anywhere sharing this experience.”

Fourth on Ballmer’s list was hardware: the cloud wants smarter devices.

“That isn’t to say that we aren’t going to continue to do a lot of work on browsers and standards moving forward. When it comes to cloud, the devices you use to access it do matter,” Ballmer said. He pointed to the company’s Windows Phone 7 strategy and discussed Windows being “at Microsoft the most popular smart device on the planet.”

Ballmer said Microsoft is working to get “people, places, content, commerce all front and center for the users, with a very different point of view.”

Lastly Ballmer pointed to servers and the cloud as another key dimension prodding Microsoft’s focus on the technology area. “The cloud drives server advances, and that in turn drives the cloud,” he said.

The cloud will drive many changes such as the amount of data stored and the peak loads on Web sites. It will require hardware and software to scale in various directions and demand rapid deployment of resources required even for just a moment. Ballmer said the cloud will change how software and hardware is designed and managed, but also drive application developers to create apps that can take off in the cloud immediately.

“How do you design apps that immediately make sense of the cloud, that should be deployed instantaneously,” he said. “There shouldn’t be people babysitting these machines. The cloud drives server advances, but those in turn are starting to drive the cloud itself.”

Possibly Related Posts:

More RP companies reach for cloud computing, study says

By Tom Noda on March 4, 2010

By Tom S. Noda
Computerworld Philippines
March 4, 2010

Cloud computing is poised to change the landscape of IT solutions, and possibly the business models that underpin successful software and hardware companies. And in the Philippines, many organizations are now adopting the technology, according to a study by antivirus company Symantec.

The findings of Symantec’s 2010 State of the Data Center Study showed that many organizations in the Philippines are adopting cloud computing, with 50% of respondents indicating that they are in early discussions, planning and trial stages for private cloud computing, while 55% are doing so for public cloud computing.

Raymond Goh, Symantec’s regional technical director for systems engineering and customer advisory services, revealed the early adopters are usually enterprises with the need for the capacity to store and transfer large amounts of information, or for web-based access to data and applications. He added that alternatively, those that would benefit from a pay-per-use storage model may find cloud-based services an effective solution.

Yet Goh said although cloud computing is gaining significant traction as a new IT delivery model with potential business and financial benefits, it is still relatively new, and organizations are grappling with what this emerging delivery model is, what some of the potential barriers are, and how best to take advantage of it.

“Many organizations are still trying to decide the best way to leverage public and private clouds. Therefore, having an understanding on how to realize the benefits of cloud computing while mitigating potential risks are important” Goh said, adding the transition to the cloud will not be a clean break for a vast majority of organizations, but rather a gradual movement of applications, services, and supporting infrastructure into the cloud.

“Symantec enables customers at all stages of this transition. We are leveraging on our experience in managing the world’s largest SaaS storage environment in the world with more than 40 petabytes of online storage for more than nine million active users,” he claimed.

Goh reported Symantec is helping companies capitalize on the advantages of cloud computing with five distinct ways, which include: providing hosted services to businesses and consumers; enabling enterprises to build their own private cloud infrastructures with Symantec software and services; offering cloud-ready Symantec software through third-party cloud-infrastructure providers; enhancing Symantec software to interoperate with cloud-based services; and offering consulting services for cloud strategy development.

The executive also said Symantec provides solutions for security, compliance, availability, storage management, data protection, and endpoint virtualization for the highly virtualized and scalable environments required for cloud computing.

He cited that the latest cloud storage solution called Symantec FileStore, has set the new industry benchmark in performance scalability for cloud storage solutions. It delivers record results in Standard Performance Evaluation Corporation (SPEC) System File Server (sfs) test, which demonstrated 47% greater throughput and 14% faster overall response time than the NetApp FAS6080 results posted in August 2009. The latest results also demonstrate the high performance capabilities of Symantec’s new cloud storage solution enabling enterprises to meet the demanding application challenges of cloud environments.

“By taking an information-centric approach to securing and managing information, Symantec can help organizations protect information assets as they adopt cloud computing to optimize costs and IT service delivery,” Goh said.

Goh quoted a reported by IDC, wherein it expects that in the next five years the spending on IT cloud services will grow almost threefold, reaching US $42 billion by 2012, and accounting for 9% of revenues in five key market segments. Software as a Service (SaaS) is described as the most mature offering in this area. New cloud services include a growing array of applications, platforms and infrastructure.

Possibly Related Posts:

Oracle ramps up private cloud offering

By JM Tuazon on February 17, 2010

By John Mark V. Tuazon
Computerworld Philippines
February 17, 2010

Acknowledging the ongoing hype and evolution revolving around cloud computing technology, enterprise software provider Oracle on Thursday unraveled their own cloud strategy that pushes for private cloud adoption by large companies.

“The hype around cloud computing is not dying down; in fact, it is steadily growing momentum, and continuously evolving over the years,” said Sushil Kumar, vice president for product strategy and business development, Oracle, sharing a Gartner study that shows cloud computing situated at the peak of inflated expectations.

While many firms are hesitant to jump onto the public cloud—a type of cloud platform available to the general public with pre-specified features and offsite data hosting—Kumar said many firms can deploy private clouds on top of their existing hardware, which is more customizable and secure.

“Oracle is offering a technology stack that they can deploy on top of existing systems,” he emphasized. Kumar said enterprise computing has gone from being very siloed, to grid systems, and now to private clouds bringing “utility computing” to its users.

Kumar, however, clarified that they are merely offering technology solutions to customers, and not complete deployable systems that include hardware and other components. That option, he said, is available through Oracle On-Demand, a selection of various offerings—from on-premise system implementations to multi-tenant SaaS deployments—that users can leverage to transition slowly into a full-blast private cloud.

The Oracle executive said they are ramping up their foray into the private cloud sphere in order to dispel security qualms about the cloud. “We provide companies with a private cloud platform so that they can take advantage of its benefits without too much risk,” he stressed. “With private clouds, there is more control over security and other necessary precautions.”

Oracle has also made available their software solutions through public cloud IaaS (infrastructure-as-a-service) providers, such as Amazon Web Services and Rackspace Hosting. “For public clouds, we have data encryption for databases and fine-grain access controls so data can be secure even off-site,” he added.

Possibly Related Posts:

Salesforce lets enterprises ‘automate any business process’

By JM Tuazon on February 12, 2010

By Anuradha Shukla
MIS Asia
February 12, 2010

SHENZHEN, CHINA - Salesforce.com has launched a new capability giving enterprises the ability to rapidly automate any business process, says the cloud computing pioneer.

The company has made available Force.com Visual Process Manager that allows customers to visually design any complex business process with an intuitive, visual design tool, and instantly run it in the cloud.

Easier business process

Most enterprises today want to easily automate their important business processes and with Force.com Visual Process Manager, they can quickly reach this goal with greater flexibility and automate processes across all departments.

With this application, companies are free from purchasing expensive on-premise software, hardware and infrastructure to automate processes. They will also be able to innovate on these processes once they are deployed because the software is not complex and changes are not very costly.

Force.com Visual Process Manager is part of the Force.com platform and thus businesses can easily create dynamic and sophisticated business processes within their current Sales Cloud 2 and Service Cloud 2 deployments or custom Force.com applications.

Quick building of apps

George Hu, executive vice president, marketing and alliances, salesforce.com noted that Force.com’s multi-tenant approach eliminates the cost and complexity of legacy on-premise platforms like .NET, Websphere, and Lotus Notes to help enterprises build apps five times faster and at half the cost.

This application is currently being used by Saveology.com and according to Barry Newman, the company’s vice president of IT, the Force.com Visual Process Manager furthers Saveology.com’s goal of consolidating its technology architecture and moving more of its business processes into the cloud leveraging the Force.com platform.

“Building and managing business processes with on-premise software has been needlessly complex and costly, requiring too much custom code and expensive infrastructure,” said Jeffrey M. Kaplan, managing director of THINKstrategies and founder of the SaaS Showplace. “Force.com Visual Process Manager offers an easy-to-use process design tool that organisations can use on a pay-as-you-go basis to more quickly and cost-effectively build and manage business processes via the cloud.”

Possibly Related Posts:

Cloud Computing Will Cause Three IT Revolutions

By JM Tuazon on February 10, 2010

By Bernard Golden
CIO.com
February 10, 2010

FRAMINGHAM - Every revolution results in winners and losers — after the dust settles. During the revolution, chaos occurs as people attempt to discern if this is the real thing or just a minor rebellion. All parties put forward their positions, attempting to convince onlookers that theirs is the path forward. Meanwhile, established practices and institutions are disrupted and even overturned — perhaps temporarily or maybe permanently. Eventually, the results shake out and it becomes clear which viewpoint prevails and becomes the new established practice — and in its turn becomes the incumbent, ripe for disruption.

This is true in technology as in every other domain. In the tech business, we often get caught up in focusing on vendor winners and losers. Point to the client/server revolution, and it’s obvious — Microsoft and Intel. Over on the loser side stand the minicomputer vendors. This winner/loser phenomenon can be seen in every significant technology shift (and indeed, one shift’s winner can become a future loser). This is understandable: we all love conflict and the vendor wars make for great press.

Less awareness is present for the effects of these revolutions on what makes up the vast majority of the technology industry — users. One could hazard a guess that for every dollar of revenue that Microsoft products pull in, IT organizations spend 10 or 20 additional dollars (or perhaps even more) in building and running systems. By far the biggest impact of any technology revolution is that upon technology users (by which I mean those who work with the technology, i.e., IT organizations).

Another aspect of change is how individuals react to it. It’s a cliche that “people don’t like change.” That’s dead wrong. People accept — and even embrace — change when they see it brings a direct benefit. Look at the immediate adoption of the iPhone — didn’t see a lot of resistance to that, did you? A more nuanced understanding of people’s reaction to change would interpret likely reactions based upon how the effect of the change is perceived by the individual — is it a benefit or a threat?

When it comes to organizations, it’s a misreading to assume that the organization will react as a whole — every organization is made up of groups and individual actors, each of which will have its (or his or her) own read on the implications of a change. If we look to the original move of PCs into companies, some portions of IT organizations embraced them, while others, wedded to the existing mode of performing IT, saw them as a distraction, a threat, or a toy. In other words, there were different camps that arose in reaction to the availability of this new form of computing, and there were pitched battles for personal and organizational influence that took the guise of a technical assessment.

When it comes to cloud computing, we should expect to see the same dynamic play out. Over the next two to five years, expect to see enormous conflict about the technical pros and cons of cloud computing that will, at bottom, be motivated by the perception on the part of the participants as to whether cloud computing represents a benefit to be embraced or a threat to be resisted.

In particular, cloud computing’s three characteristics — the illusion of infinite scalability, lack of a long-term commitment, and pay-by-the-use — will result in three revolutions in the way IT is performed, and each of the revolutions will have its adherents and detractors.

Revolution #1: The Change in IT Operations

Much is made of the magic of Amazon Web Services — fill out a web page, hit a button, and 10 minutes later, you’ve got computing resources available. Even more impressive, you can obtain large amounts with that request. And later, should you need even more resources to be added to your original pool, they’re easily requested and joined to the existing resources. This is the vision that many find so tantalizing, given today’s lengthy provisioning cycle, which in many companies results in months-long gaps between request and resource availability. Many think removing all the friction of resource provisioning is a huge win. One might think of this change as the logical extension of the view that hardware has been transformed from a scarce, expensive resource into a cheap, easily purchased commodity — the logical outcome of which is the need to treat provisioning it like a mass good, not a precious luxury.

Perhaps less obvious is the implications of this vision — that existing processes and organizational structures need to change to support this new mode of automated management.

Today, IT organizations interpose a large set of processes and requirements in the provisioning process. Budget requests, discussions with the various operations groups like network and storage, scheduling meetings, all surrounded with lots of paperwork. And these mechanisms make sense for an environment in which they help ration scare resources. They are in place to ensure that each precious resource is devoted to its highest possible use.

The problem is that these mechanisms are orthogonal to the streamlined, short-duration provisioning associated with cloud computing (the au courant term is orchestration, representing the unified bringing together of resource assignment in an automated manner). In effect, there is an impedance mismatch between the operational implications of cloud computing and the organizational artifacts that exist today. And, as noted at the start of this piece, any time this kind of mismatch occurs, there is bound to be organizational conflict — carried on at the level of technical discussion. After all, no one is going to say about cloud computing, “I don’t like it because I’m not sure how my job managing the installation and configuration of servers will be needed when someone can just fill out a web form and have the infrastructure itself arrange for the provisioning.”

So how will this play out and who will be the winners and losers?

Winners: Apps groups. Apps groups are driven by business groups, many of which are frustrated by not being able to react to urgent business pressure. This is not to mention the frustration many feel when confronted by the “owners” of the resources who assert their judgment as to whether the request is justified. Bypassing all of this organizational overhead and being able to react much more quickly to business developments is a huge win. Expect to see enormous pressure from apps groups to “get on the cloud.” And if the operations groups don’t respond quickly enough, expect to see the apps groups look to outside providers which have a financial incentive to respond immediately. (I addressed this in my last post, here).

Winners: Apps groups (2). The high-friction provisioning process hasn’t merely been the result of rationing by the operations groups. This rationing process ends up being backed into the apps groups themselves, where different business applications vie to be put onto the request list. This has the inevitable outcome that many business applications never “make the cut” to be submitted for resources. And often, these are the applications that represent innovative but unproven applications of information technology. The process goes something like “well, we know we *have* to schedule the upgrade of the XYZ package, and we know we need to refresh the hardware that the ABC application runs on, so that pretty much covers what we can do this quarter. Bob, sorry that we can’t address your application that matches our customer complaints against our manufacturer partner’s trouble tickets to see if we can identify breakdown patterns.” Low-priority applications will have much more opportunity in a cloud computing world. A complement to this is the inevitable overall growth in the use of IT resources.

Losers: IT operations. Putting provisioning in the hands of IT resource users inexorably results in less influence for IT resource “owners.” As I was outlining this vision of end user-driven, automated provisioning in a workshop last week, one attendee said “I can see why it’s so attractive, but I can’t see IT operations accepting it. I think we’ll hear something from operations groups like ‘automated provisioning is great, but it should be done in my group to make sure requests align with accepted standards or the like.’” Of course. This is something like what ecommerce sites did 10 or 12 years ago, when the purchaser would fill out a web form, submit it, and it would result in an email to a clerk, who would turn around and type the order into the existing order management system. That’s not what ecommerce sites do today, however. And with the continued cost pressure on IT, which I wrote about in my last blog post, it’s going to be hard to justify this “man in the middle” staffing, though many organizations will no doubt attempt to do so.

Winners: IT operations. Huh, this is a surprise, eh? Well, if the inevitable outcome of reduced friction (not to mention cost — that will be addressed in my next post on Cloud Computing Revolutions) is to increase demand for IT resources, someone is going to have to do the capacity planning. In a sense, the impact of cloud computing will be to shift the tasks for IT operations from tactical resource provisioning to strategic resource planning — with an emphasis on achieving the most efficient, lowest cost infrastructure possible. This is a far cry from the “your mess for less” outsourcing that has previously been the outcome of cost focus — this is about creating an automated, immediate search for the lowest cost, most available, most appropriate computing resources needed to fulfill a provisioning request. The most successful IT operations groups will be those that stop thinking about controlling allocating resource and begin thinking about locating resource.

As I noted at the start of this posting, revolutions results in winners and losers after a period of chaos, in which conflict and strife occur. Technology revolutions at the level of platform shift — think client/server or the move to web-based applications — cause enormous upheavals in IT organizations as they struggle to adopt the new technology and obtain its benefits. Cloud computing undoubtedly represents the latest platform shift and is causing three simultaneous revolutions. This piece has focused on the revolution in operations. My next two postings will focus on cost/payment patterns and application implementation.

Possibly Related Posts:

Microsoft, NSF form cloud computing collaboration

By JM Tuazon on February 5, 2010

By Grant Gross
IDG News Service (Washington Bureau)
February 5, 2010

WASHINGTON - Researchers selected by the U.S. National Science Foundation will have free access to Microsoft’s Windows Azure cloud computing platform under a deal announced Thursday.

Research projects focused on cloud computing will have access to Windows Azure for three years as part of the deal. The agreement will allow the U.S. scientific community “the opportunity to leverage highly scalable cloud computing services, especially for data-intensive applications,” said Jeannette Wing, NSF’s assistant director for computer and information science and engineering.

The focus will be on finding new ways to use the cloud in research, Wing said during a webcast press conference. “The cloud as a commodity service is familiar to all of us, providing our e-mail, online shopping, posting pictures for our friends to see, and of course, the killer app, search,” she said. “However, the cloud as a research platform is still underexplored territory.”

Cloud computing can be particularly useful for analyzing “massive amounts of data,” she added.

Microsoft wants researchers to be able to do their work without worrying about infrastructure costs, said Dan Reed, corporate vice president for technology strategy and policy and extreme computing at Microsoft. An explosion of data is leading to a need for new approaches to computing-based research, but it doesn’t make sense for each university to host its own cloud computing environment, he said.

“We need to shift the dialog from a focus on infrastructure to a focus on insight, and that means reducing the burden of infrastructure management that exists for many academic researchers,” he added.

In addition to the access to Azure, researchers will get help from Microsoft developers, who will work with grant recipients to equip them with a set of tools, applications and data collections that can be shared with the broad academic community, and also provide their expertise in research, science and cloud computing, Microsoft said.

Researchers may immediately submit supplemental proposals to any existing NSF award, the NSF said. Under two programs, researchers will have until April 15 to apply for a cloud computing grant for the current fiscal year.

New cloud computing programs at NSF are anticipated.

Possibly Related Posts:

Security Vendors: Set for Online Battle

By Fei Lumbania on January 28, 2010

By Tom S. Noda
Published in the CWP December 2009 - January 2010 issue

As the population of netizens balloon, so will the number of cybercrimes. It is a challenge major security vendors vow to battle with products and strategies engineered to protect businesses and individuals alike.

In this yearend special feature of Computerworld Philippines, four security vendors—Trend Micro, Sophos, NetPlay, Inc., and Symantec—say in separate interviews, that emerging technologies such as Web 2.0, cloud computing, virtualization, and social networking have led them to intensify their efforts on curbing cybercrime.

“As more companies conduct their businesses online, and more information, transactions and communications are posted online, threats and problems increases, like loss of data due to hardware failure and theft, stealing of confidential information, bogus online transactions, account phishing and spamming, among others will continue to rise exponentially,” says Scott Gonzalo, managing director of Netplay, Inc., the Philippine distributor of Microworld Technologies Inc.’s eScan and Elitecore Technologies Ltd’s Cyberoam.

Similarly, Rob Forsyth, managing director of Sophos in Asia-Pacific, describes 2009 as the social media year for businesses globally, since more enterprises have begun to tap social networking and Web 2.0 to reach out to customers and to transform their brand and marketing strategies.

“The Internet will continue to transform the way people work and play, and its pervasiveness will continue to blur the lines between consumer and enterprise technology with the growing sophistication of an average user,” remarks Forsyth, adding that as enterprises discover new ways of integrating the social media platform in the business, employees are expected to continue initiating and implementing their own social media practices within the enterprise, which may prove unsettling to both network security and worker productivity, if a social media usage policy is not in place or adequately enforced among employees.

“Organizations will be increasingly concerned about malicious attacks originating from social networking sites, and the risks associated with users revealing sensitive and confidential corporate information online,” Forsyth says. “Other than social computing, another major enterprise technology trend is cloud computing which will gain greater prominence in 2010.”

According to Gartner, revenues from cloud computing will reach US$14 million annually by the end of 2013. Typical cloud computing services provide common business applications online that are accessed from a web browser, with the software and data stored on the servers.

“The growing adoption of cloud computing will drive the sharing of corporate data in never-before-seen ways and result in both the immediate exchange of information and increased vulnerabilities for enterprises,” says Forsyth. Because of this, he says more powerful encryption policies and security technologies will be needed to safeguard data wherever it is stored.

Eric Hoh, vice president of Symantec, Asia South Region, tells Computerworld Philippines that attackers will continue to shift away from mass distribution of a small number of threats to micro distribution of millions of distinct threats.

He says that many of the new strains of malware consist of thousands of distinct threats that come from known, unique families through a variety of methods such as file sharing, email and removable media. “These new and emerging threats have given rise to the need for new, complementary detection methods such as heuristics, behavior blocking and reputation-based security models.”

ONLINE PROTECTION

To address online threats, NetPlay has unleashed security software from Microworld and Elitecore that are designed to support businesses that have online presence, and they are: the eScan Antivirus software, Cyberoam Endpoint Data Protection suite and Cyberoam UTM, respectively.

Gonzalo says Cyberoam UTM is a gateway security appliance that monitors incoming and outgoing traffic for threats like hacking, spamming, viruses and provides web content filtering.

He claims it to be the first UTM that is identity based wherein the appliance provides the name and the IP address of its user who has breached security regulations unlike other appliance that only provides an IP address.

Gonzalo adds that eScan antivirus is another endpoint security software that provides proactive virus monitoring of its host PC. Gonzalo reveals they will also be rolling out a Cyberoam UTM software and EPDP for the small and medium-enterprise (SME) markets as well as new versions of eScan antivirus software.

The products complement each other, he says, describing Cyberoam UTM as a gateway security solution while eScan Antivirus and Cyberoams EPDP as endpoint solutions.

INTEGRATED SOLUTIONS

Following its integration with data security solutions firm Utimaco Safeware, Sophos introduced in 2009 a portfolio of security software that includes data encryption, computer security, web security, email security, and network access control that users can manage, deploy and use.

In October 2009, Sophos fully integrated data loss prevention (DLP) capabilities into Sophos Endpoint Security and Data Protection 9, which enables businesses to have visibility and control over sensitive data without the need to deploy any additional agents or incur any additional licensing costs.

Forsyth notes that with the rise of cybercrime, breaches, accidental or intentional data leakage, and multi-faceted security threats, business critical information must be fully protected at all times.

He stresses that complexity of securing data stems from the growing popularity of virtualization and cloud computing among organizations and data centers looking to streamline the use of resources.

Accordingly, data centers must comply with enterprise service-level agreements and operating procedures before corporations entrust moving mission-critical applications under their control. To help address these concerns, Sophos has collaborated with Intel to help protect security-critical applications and contribute to compliance for regulations such as financial payments, government agencies and healthcare organizations through integrating Sophos SafeGuard Crypto-Server for cryptography with Intel SOA Expressway for XML security into a single integrated solution to help customers meet industry-specific security regulations and policies.

Forsyth says malware threats and the security landscape have evolved dramatically over the last five years, which bring about a paradigm shift in customer requirements as well.

Today, having anti-malware tools and firewalls in place is no longer enough to protect the dissolving network perimeter. He says the lack of data protection can hurt the bottom line, adding that the Sophos Endpoint Security and Data Protection 9 addresses such concerns by integrating endpoint security with comprehensive data protection to safeguard against data loss.

IT, PEOPLE, PROCESSES

Over at Symantec, the security approach for 2010 is three-pronged: technology, people, and processes.

“We understand that technology isn’t the only answer to enable businesses to secure and manage their information,” Hoh says, adding Symantec will continue to bring together an ecosystem of products, services, and partners that will help businesses secure and manage their information-based security models.

“Symantec’s new reputationbased security technology leverages the anonymous software usage patterns of Symantec’s extensive volunteer user community to automatically identify entirely new spyware, viruses and worms,” he says, noting with the increasing threats, businesses will also opt for multilayer and comprehensive protection, such as those provided by all-in-one security suites.

Hoh claims that the Symantec Protection Suites, made available earlier this year, is an all-in-one suite that protects critical business assets from complex malware and spam threats, and rapidly recovers data or computer systems.

And as businesses consider DLP in the coming year, Symantec recommends that they look beyond technology and consider strengthening policies and processes.

Effective DLP, Hoh says, establishes reputable processes and procedures that reduce the risk of data exposure throughout an enterprise. He says a comprehensive, long-term, sustainable DLP is based on: “Threat coverage, business process integration, and risk reduction measurement.”

TECH OF TOMORROW

At Trend Micro, the game plan is to develop the “technology of tomorrow,” as the level of threats in the world has vastly outrun existing technologies. “Everybody right now is unable to face the threats of tomorrow that’s why we have to go to the technology of tomorrow,” says David Perry, global director of security education.

“We just released our smart protection network over the course of last year, but we got a whole lot more product releases all through next year, starting right away, and some before Christmas this year,” he says.

Perry says Trend Micro is seeing an advancement of many web-based threats that cannot be pursued with traditional methods. “We have invented whole new ways of detecting web-based threats and blocking people from going to them.

This should protect them from Facebook, MySpace, on Twitter, and all of the different places that they’re going on the web,” he says.

Although he declined to name some of the future Trend Micro products, Perry says the company has new products in the SME space, particularly those involved with cloud computing. “We foresee security problems in the cloud so we’re looking at protecting the cloud and placing protection in it.”

Possibly Related Posts:

Cloud Security: Ten Questions to Ask Before You Jump In

By JM Tuazon on January 27, 2010

By Tim Brown
CIO.com
January 27, 2010

FRAMINGHAM - The hype around cloud computing would make you think mass adoption will happen tomorrow. But recent studies by a number of sources have shown that security is the biggest barrier to cloud adoption. The reality is cloud computing is simply another step in technology evolution following the path of mainframe, client server and Web applications, all of which had — and still have — their own security issues.

Security concerns did not stop those technologies from being deployed and they will not stop the adoption of cloud applications that solve real business needs. To secure the cloud, it needs to be treated as the next evolution in technology not a revolution that requires broad based changes to your security model. Security policies and procedures need to be adapted to include cloud models in order to prepare for the adoption of cloud-based services. Like other technologies, we’re seeing early adopters take the lead and instill confidence in the cloud model by deploying private clouds or by experimenting with less-critical information in public clouds.

Organizations are asking many questions and weighing the pros and cons of utilizing cloud solutions. Security, availability and management all need to be considered. As part of that process, here are 10 security-related questions organizations should consider to help them determine if a cloud deployment is right for them, and if so, which cloud model — private, public or hybrid.

1. How does a cloud deployment change my risk profile?
A cloud computing deployment — whether private or public — means you are no longer in complete control of the environment, the data, or the people. A change in control creates a change in risk — sometimes an increase in risk and in some cases a decrease in risk. Some cloud applications give you full transparency, advanced reporting, and integration with your existing systems. This can help lower your risk. Other cloud applications may be unable to modify their security profiles, they may not fit with your existing security measures, and may increase your risk. Ultimately the data and its sensitivity level will dictate what type of cloud is used or if a cloud model makes sense at all.

2. What do I need to do to ensure my existing security policy accommodates the cloud model?
A shift to a cloud paradigm is an opportunity to improve your overall security posture and your security policies. Early adopters of cloud applications will have influence and can help drive the security models implemented by the cloud providers. You should not create a new security policy for the cloud, but instead extend you existing security policies to accommodate this additional platform. To modify your policies for cloud, you need to consider similar factors: where the data is stored, how the data is protected, who has access to the data, compliance with regulations, and service level agreements.

3. Will a cloud deployment compromise my ability to meet regulatory mandates?
Cloud deployments shift your risk profile and could affect your ability to meet various regulations. This requires evaluation of compliance requirements as they relate to the cloud deployment you are considering. Some cloud applications give you strong reporting and are tailored to meet specific regulatory requirements, while others are more generic and cannot or will not meet detailed compliance requirements. For example, if you are bound by a regulation that says your data cannot be stored outside the country, some cloud providers may not be able to accommodate this regulation based on data center locations.

4. Are the cloud providers using any security standards or best practices (SAML, WS-Trust, ISO or otherwise)?
Standards play a very important role in cloud computing as interoperability among services will be critical to ensure the cloud does not go down the path of proprietary security silos. A number of organizations have been created and extended to support cloud initiatives. The Cloud-standards.org wiki lists most of the standards organizations involved in the cloud, including those associated with security.

5. What happens if a breach occurs? How are incidents handled?
As you plan for security in the cloud you need to have appropriate plans in place for breaches and loss of data. This is a critical component to your overall agreement with the cloud service provider and must be handled on an individual basis. The cloud provider (as a service provider), and you as a company, most likely have breach notification policies or regulations you must meet. You must ensure that a cloud provider can support your notification requirements should the need arise.

6. Who is liable or will be viewed as the responsible entity for securing my data?
The reality is security responsibility will be shared. However, in the court of public perception, — at least today — it’s the company collecting the data, not the cloud provider, who is viewed as ultimately responsible for information security. In well-negotiated contracts you may be able to limit your responsibility and your liability for data loss so that it is shared with the cloud provider, but from your customers’ perspectives, you still may be viewed as responsible.

7. How do I ensure only appropriate data is moved into the cloud?
Understanding what data is sensitive and building an appropriate security model based on data and applications is critical to understanding what data could be moved to the cloud. This process should begin long before ever considering a cloud deployment as it is a critical part of good security practices. Many companies use data leakage protection technology to classify and tag data.

8. How do I ensure only authorized employees, partners and customers can access data and applications?
Identity and access management is an existing security challenge that is amplified by cloud deployments. Technical capabilities such as federation, securing virtualized systems, and provisioning all play a role in cloud security, as they play a role in today’s IT platforms. Extending and supplementing your existing environments to support the cloud can help solve this challenge.

9. How are my data and applications hosted, and what security technologies are in place?
Cloud providers should provide this information as it can directly affect an organization’s ability to comply with certain regulations. Transparency is critical and necessary for you to make informed decisions.

10. What are the factors that tell me I can trust this provider?
A number of factors come in to play when evaluating the level of trust to assign to a provider. They include many of the same dynamics you consider for any outsourced project, such as: the maturity of service and the provider; the type of contracts, SLA’s, vulnerability procedures, and security policies; their track record; and their forward-looking strategy, to name a few.

Moving to a new computing platform is not something to jump into without careful consideration. The answers to these questions are complex and often lead to more questions. We’ve merely scratched the surface at a high level on some of the security questions to think about when considering a cloud platform.

However, enterprises should also understand they have the power to drive the security technologies used in the cloud — whether it’s a private, public or hybrid cloud. Understanding that cloud consumers can, should, and are expected to take responsibility for security measures can lead to the cloud being a secure platform that delivers cost savings and improved productivity.

Possibly Related Posts:

Cloud storage hype: Customers not buying it

By Tom Noda on January 26, 2010

By Jon Brodkin
Network World (US)
January 26, 2010

FRAMINGHAM - For all the hype around cloud computing, few business customers are actually storing data on Web-based platforms, according to a new study that casts doubt on the popularity of cloud storage.

Just 3% of companies have implemented cloud storage, and the vast majority of the customers have no plans to put data in the cloud, according to a survey of 1,272 IT decision-makers at enterprises and SMBs in North America and Europe.

FAQ: Cloud computing, demystified

Storage vendors and IT professionals both have spent much time discussing the cloud over the past year, because data storage needs are growing at least 30% per year while budgets stay flat, writes Forrester analyst Andrew Reichman in the report “Business Users Are Not Ready For Cloud Storage.”

But so far, “this is just talk,” Reichman states.

“Respondents in all geographies and of all company sizes appear to have little interest in moving their data to the cloud any time soon,” he writes. “There is long-term potential for storage-as-a-service, but Forrester sees issues with guaranteed service levels, security, chain of custody, shared tenancy, and long-term pricing as significant barriers that still need to be addressed before it takes off in any meaningful way.”

The Forrester survey asked IT decision makers if they have any plans to adopt cloud storage services such as Amazon S3, EMC Atmos, Nirvanix, The Planet, or AT&T.

Forty-three percent of respondents said they are not interested in cloud storage, and another 43% said they are interested but have no plans to adopt. Three percent plan to implement a cloud storage platform in the next 12 months, and another 5% plan to do so one year from now or later.

While 3% of respondents have already implemented cloud storage, only 1% are expanding an existing implementation.

In general, enterprises are slightly more interested in cloud storage than small- and medium-sized businesses, and interest in cloud storage for backup is greater than interest in general purpose storage clouds, Reichman says. The market has numerous mature backup services such as Asigra, EMC’s Mozy, i365, IBM Business Continuity and Resilience Services and Iron Mountain, he writes.

“Why the greater interest and adoption of backup-as-a-service? First, it’s a complete service offering, not just CPU or storage capacity,” he writes. “You get the backup software intelligence and storage capacity in a fully managed service. Second, it’s solving a very specific pain point — the pain of bringing a costly and error-prone, but very necessary, IT function under control. This is in contrast to storage-as-a-service offerings where the user has to figure out how to put it all together.”

Overall, though, storage-as-a-service offerings still need time to develop, Reichman says. Before adopting, customers need to consider how cloud storage integrates with existing applications and processes, and analyze the total cost over at least a three-year period.

“The hype is strong around storage-as-a-service, but given the fact that your peers are adopting it very slowly, it makes sense to wait on this,” Reichman writes. “It’s likely to be several years before offerings are mature, so don’t rush into anything here.”

Follow Jon Brodkin on Twitter: www.twitter.com/jbrodkin

Possibly Related Posts:

Microsoft calls for cloud computing transparency

By Tom Noda on January 21, 2010

By Grant Gross
IDG News Service (Washington Bureau)
January 21, 2010

WASHINGTON - Cloud computing vendors need to band together to create rules on privacy and security or face the prospect of having the US Congress pass regulations, Microsoft General Counsel Brad Smith said Wednesday.

During a speech at the Brookings Institution, a Washington, D.C., think tank, Smith called for new “truth-in-cloud-computing” principles that would let consumers and businesses know how their information will be accessed by service providers and how it will be stored online.

“These principles should ensure that there is transparency over how data is protected,” he said. “Simply put, it should not be enough for service providers simply to say that their services are private and secure,” Smith added. “There needs to be some transparency about why this is the case.”

Cloud providers should maintain a comprehensive security program and should disclose whether their security efforts meet security standards, Smith said. Customers should know how they can reclaim their documents and data, he added.

Cloud computing vendors could create a self-regulatory code, or they could face regulation from Congress, Smith said. Action from Congress is “likely,” he said. If regulation happens, Microsoft would prefer it on the national, rather than state level, he said.

“Simply put, it should not be enough for service providers simply to say that their services are private and secure,” Smith added. “There needs to be some transparency about why this is the case.”

Smith also called for the U.S. government to work with other nations on an agreement that would allow cloud providers to operate without having to comply with laws in every country they have customers. The U.S. and other countries should establish a multilateral “free trade zone” for data packets, he said.

A handful of other governments have already tried to gain access to data stored in the U.S., he said.

“Where different laws conflict, a decision to comply with a lawful demand for user data in one jurisdiction may place a provider at risk of violating laws elsewhere,” he said. “This also makes it more difficult to provide consumers with accurate information about when and how their personal information might be accessed by law enforcement.”

Microsoft also supports efforts to update privacy protection laws to deal with online activities, and it wants changes to computer crime laws that would make it easier for prosecutors to charge cybercriminals, Smith said. In some cases, it’s difficult for prosecutors now to place monetary values on stolen documents, e-mail or digital photos, he said.

One way of dealing with this problem would be a change in the law that would fix the value of such items for each victim, then allow prosecutors to multiply that amount by the number of victims to determine charges, Smith said.

Smith also called for Congress to allow cloud providers greater latitude to pursue civil lawsuits against attacks, and he called for larger fines for attackers that break into data centers. In most cases, the fines for breaking into a data center are the same as for attacking a single computer, he said.

Smith didn’t directly address critics who say that cloud computing locks customers into one vendor, but he noted that a recent survey commissioned by Microsoft found that 75 percent of senior business leaders said safety, security and privacy are the top potential risks of cloud computing. More than 90 percent of the general population and business leaders would be concerns about the security and privacy of their own data in a cloud computing environment, according to the survey, by Penn Schoen & Berland.

But cloud computing, although not well understood by the general public, offers great potential benefits, Smith added.

“Cloud computing, properly implemented, provides users with greater flexibility, portability and choice in their computing options,” he said. “You can rely on the cloud for as little or as much of your computing needs — and keep as much data and computing functions locally on site — as you want.”

Possibly Related Posts:

Is Google hack an attack on cloud computing?

By Fei Lumbania on January 18, 2010

By Jon Brodkin
Network World (US)
January 18, 2010

FRAMINGHAM - Google and proponents of cloud computing were quick to say that this week’s Google hack should not raise questions about the inherent security of the cloud, but the incident is fueling debate about the safety of storing data in facilities accessed over the Internet.

Google’s stance on China shatters security inhibitions

Google said “this was not an assault on cloud computing.” Meanwhile, the founder of cloud vendor Elastic Vapor, Reuven Cohen, asserted that “the Google Hack proves the cloud is more secure than traditional desktop software, not less,” apparently because systems were “compromised through phishing scams or malware, not through holes in Google’s computing infrastructure.”

Others disputed this idea, such as Search Engine Land editor Danny Sullivan, who wondered if the security breach “will develop into a major reversal for the growth of cloud computing.”

Pund-IT analyst Charles King cautioned that we still don’t know all the details of the breach, but said it should raise concerns about the security of cloud computing services. All IT systems, whether in the cloud or not, have some inherent flaws, but “any time a data center is open to the public Internet, there is the opportunity that it can be hacked in a number of ways,” he says.

“Every system has some inherent flaw or weakness. People do break into supposedly impregnable bank vaults, tunnel through walls,” King says. “No house is burglar proof and the same can be said of data centers. The bottom line here for me is some of the people who have been promoting cloud as … the future of IT have really been overstating the case. I think we will continue to see events like Google and the [T-Mobile] Sidekick failure over time.”

Google on Tuesday said that in mid-December it faced “a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.” Attackers were apparently attempting to access the Gmail accounts of Chinese human rights activists, and also launched attacks against more than 30 other companies.

Later in the week, it was reported that a flaw in Internet Explorer had been exploited to hack into Google’s corporate networks, and Microsoft said it is working on a patch.

On Twitter and in blog postings, industry observers debated whether the attack is proof of security problems specific to cloud computing, a phrase that generally refers to computing resources made publicly available through the Internet.

“This was not an assault on cloud computing,” Google asserted in its official blog. “It was an attack on the technology infrastructure of major corporations in sectors as diverse as finance, technology, media, and chemical. The route the attackers used was malicious software used to infect personal computers. Any computer connected to the Internet can fall victim to such attacks. While some intellectual property on our corporate network was compromised, we believe our customer cloud-based data remains secure.”

Google’s main business is delivering advertising-supported Web search results, of course, but the company has also become a custodian of enterprise data because of services such as Google Apps, a Web-hosted alternative to Microsoft Exchange.

It is thus important for Google to convince businesses that storing data in Google facilities is safe, despite the events of last month.

Sullivan, in his blog post, noted that he has been moving more and more data into Google services but is rethinking that strategy in the wake of Google’s security troubles. He criticized Google’s insistence that the attack was not an assault on cloud computing.

“It was very much an attack on cloud computing, as Google’s main blog post made clear,” Sullivan wrote. “Hackers went after Gmail accounts, not just through malware-infected computers but directly by targeting Google, that post told us. Gmail — your e-mail, stored in the cloud. That’s an attack on cloud computing.”

Cohen disagreed in his own blog post, saying the attack doesn’t reveal any deficiency in cloud security because hackers used social engineering techniques to gain access to private systems.

“What this hack really proves is that people are easier to hack then networks,” Cohen writes. “The weakest links are the people who are stupid enough to open an attachment they don’t recognize, even if it appeared to be from someone they trusted. That’s the beauty of social engineering based hacks. The e-mail appears to be from your mother, father, friend or colleague. The lesson we must learn is one of education, don’t open attachments you don’t recognize.”

Regardless of how the attack was executed, it did happen and consumers of cloud-based services should remember that there are risks when storing data with a third party, King says.

“Just because you’re using a cloud service doesn’t obviate the need for backing up data to a local hard drive,” King says. “Like anything else the online data repositories are not infallible, and it’s critical for consumers and businesses to protect their data and protect themselves in multiple ways.”

Possibly Related Posts:

Wipro brings cloud computing to retail industry

By Tom Noda on January 14, 2010

By Anuradha Shukla
MIS Asia
January 14, 2010

SINGAPORE - Cloud computing is here to stay and Wipro is focused on tapping this lucrative industry. The company has announced the launch of two new solutions–digital customer experience platform and loss prevention platform–for the retail industry.

The global IT services business of Wipro has also collaborated with Oracle to launch the Oracle application integration architecture (AIA) process integration pack (PIP) for the retail industry. This co-developed solution (AIA PIP) has been designed to address some of the key financial operation control processes for retail merchandising system such as inventory valuation and revenue recognition.

Integrated toolsets

Wipro’s digital customer experience platform (DCxP) has been designed to provide an engaging customer experience. This comprehensive solution integrates social media, community features and personalisation to enable retailers to easily manage their online business.

By using DCxP, retailers will be able to ship to more than 200 countries across the world. This will open up new markets for retailers and increase their chances to generate more revenue from their business. Wipro is offering this solution on a pay-as-you-use business model and this means users will not have to spend a huge amount as upfront payment.

The loss prevention platform gives retailers an integrated view across the entire shrink management lifecycle. This platform includes an analytics suite that leverages predictive modelling to aid retailers to prevent fraud. Once installed in retailers’ systems, this platform will identify both internal and external theft, and help them see areas of shrink that previously went unnoticed.

Oracle AIA PIP integrates Oracle retail merchandise operations management and the Oracle e-business suite financials. This offers customers a pre-configured, supportable and upgradeable integration of the retail merchandising execution applications with the financial operation control applications.

Improve customer experience

Business environment has changed tremendously over the last few years and consumer behaviour is no longer the same, according to Bhanu Murthy B. M., senior vice president- retail, CPG, transportation and government, Wipro Technologies.

Murthy said this change is due to the emergence of social networks and expectations of consistent cross-channel experience. Through their new digital customer experience and loss prevention platform, Wipro is providing an integrated toolset that enables retailers to leverage these trends.

Oracle is excited about partnering with Wipro and Duncan Angove, general manager and senior vice president, Oracle retail, said its new launch will offer retail customers and partners new opportunities to maximise the value of their Oracle investments.

“The solution is designed to reduce complexity, making it easier for retailers to take advantage of opportunities for short-term value creation within their businesses while also helping to provide long-term competitive advantage,” he added.

Possibly Related Posts:

Microsoft, HP announce ‘infrastructure-to-app’ partnership

By Tom Noda on January 14, 2010

By Chris Kanaracus
IDG News Service (Boston Bureau)
January 14, 2010

BOSTON - Hewlett-Packard and Microsoft will invest US$250 million over three years on a product integration strategy meant to “significantly simplify” technology deployments for companies of all sizes, they said Wednesday.

The agreement will employ a new “infrastructure-to-application” model and result in prepackaged offerings that combine servers, storage, networking and software.

During a conference call, executives from both companies repeatedly insisted the pact has much more substance than a typical partnership announcement.

“This is the deepest level of collaboration and integration and technical work that we’ve done that I’m certainly aware of,” said HP CEO Mark Hurd. “This is breakthrough for us. … [Microsoft CEO Steve Ballmer] and I would not be on this phone call if this was just another press release from HP and Microsoft.”

Hurd acknowledged HP and Microsoft have bundled their products in the past, but said “there’s a difference between a bundle and how deep it’s integrated and how much engineering is done.”

Cloud computing is “the driving force behind this deal at this time,” Ballmer said. Some companies may deploy applications to Microsoft’s own Azure cloud infrastructure service but others will want to use a private version, he said. “That thing is going to need to be an integrated stack from the hardware layer to the management layer to the application model,” he said. “We need to evangelize that same application model whether you host in the cloud or on-premises.”

Microsoft will be using HP hardware to support Azure, and HP will be providing services for Azure

Later this year, the partnership will spawn products around Microsoft Exchange and high-end data warehousing for SQL Server, said Bob Muglia, president of Microsoft’s server and tools business.

The deal also makes Microsoft “a preferred provider” of virtualization technology to HP. The companies plan to deliver a series of “Smart Bundles” aimed at small and medium-sized businesses. The products will combine HP servers, storage and networking technology along with Microsoft’s Hyper-V virtualization platform and HP’s Insight system management software.

HP will also resell Microsoft’s own System Center on its hardware and work will be done to integrate Insight with System Center.

The announcement should be viewed simply as an evolution of HP and Microsoft’s relationship and not any sort of reaction to market events, such as Oracle’s pending purchase of Sun Microsystems, according to Hurd.

That transaction, which is on hold while European regulators conduct an antitrust review, will usher Oracle into the hardware and systems business.

“[Oracle] is a great partner, but I’m here to talk about Microsoft,” Hurd said. “I think Oracle will continue to be a very important partner.”

Possibly Related Posts:

IT service providers will reach for the cloud in 2010

By JM Tuazon on January 6, 2010

By Denise Dubie
Network World (US)
January 6, 2010

FRAMINGHAM - Despite the economic recession that started in 2008, many IT service providers didn’t see the expected boon to business in 2009. Some outsourcers struggled to a degree alongside the rest of the high-tech industry, but IT services experts say they started to see a return to growth toward the end of 2009.

That means 2010 could find many outsourcing providers taking advantage of hot technology trends such as cloud computing to sell their services into smaller IT shops. Mike Slavin, partner and practice leader for Global IT Advisory Services at outsourcing industry advisory and consulting firm TPI, shares his take on the coming year and the outsourcing industry with Network World Senior Editor Denise Dubie.

Which of the service providers came out on top in the midst of the outsourcing deals and consolidation that took place throughout 2009?

Actually, we really see that the heritage Indian service providers probably made the largest gains in 2009 in both ADM [applications development and maintenance] and infrastructure services. As a group, they have moved the dial in terms of not just raw capabilities, but experience and competence, which then leads to increased market share and acceptance by CIOs and IT leaders.

What were the trends driving the sourcing industry throughout the year?

The first half of 2009 seemed to be consumed with tactical actions, renegotiations and consolidation of vendor portfolios, all in an effort to reduce the cost profile. In the second half of the year, we saw a marked increase in infrastructure sourcing which signaled a return to building a sourcing strategy past just survival of 2009.

There has been a lot of focus on cloud. What will companies and IT services providers focus on in 2010?

The focus will be on wrapping security around the public cloud offerings. Also, there will be focus on providing traditional tier 1 outsourcing services down into the small and midmarket via cloud services.

How will issues, such as security concerns, hold back the large-scale adoption of cloud computing that the industry is anticipating?

Security appears to be the single largest gating factor for clients who are making decisions about cloud computing. Until those are resolved, implementations will continue of either private clouds or smaller scale pilots.

Even though TPI does not track this space, do you expect to see a continued increase in the volume of activity for MSPs in the midmarket?

Yes, we are seeing markedly increasing interest in the midmarket for services ranging from just co-location to varying levels of managed services. Smaller IT departments are feeling the pressure to spend less time and effort on what is viewed as back office and become part of the mix to increase market share and improve competitiveness. Also, CIOs of midsize firms are not keen to spend precious time in this challenging market on the day-to-day issues related to IT.

Where will companies look to invest as it relates to outsourcing? What will be the hot areas?

Cloud computing will continue to be hot in 2010. What is great for the CIO is that cloud computing is primarily successful with standardization of software and hardware platforms, which is always the mantra of the IT team. I think we’ll continue to see smaller sourcing deal sizes as clients become more granular in their requests from the market. Areas such as service desk, provisioning of customer devices such as PCs and PDAs will continue to grow. Also, clients will struggle with how to create a ubiquitous interface between their networks and any type of device presented by employees or partners — from iPhones to BlackBerries, and PCs to netbooks.

Possibly Related Posts:

Cloud Security Alliance issues new guidelines

By JM Tuazon on December 18, 2009

By Chris Kanaracus
IDG News Service (Boston Bureau)
December 18, 2009

BOSTON - The Cloud Security Alliance published the second edition of its guidelines for secure cloud computing on Thursday, delivering a voluminous document that sets out an architectural framework and makes a host of recommendations around cloud security.

It also seeks to provide a firm definition on cloud computing, which has been the subject of much hype in recent years. According to the CSA, cloud computing environments feature on-demand, self-service consumption; allow broad access via networks; draw from a pool of shared computing resources; can be quickly scaled up or down depending on demand; and involve some type of metering to track usage.

Cloud computing has its benefits, such as economies of scale and standardization, but they in turn raise security challenges, the CSA said.

“To bring these efficiencies to bear, cloud providers have to provide services that are flexible enough to serve the largest customer base possible, maximizing their addressable market. Unfortunately, integrating security into these solutions is often perceived as making them more rigid,” the document states.

“This rigidity often manifests in the inability to gain parity in security control deployment in cloud environments compared to traditional IT,” it adds. “This stems mostly from the abstraction of infrastructure, and the lack of visibility and capability to integrate many familiar security controls — especially at the network layer.”

The CSA’s report tackles cloud security on 13 different fronts, from governance issues like e-discovery, compliance and audits to operational concerns such as disaster recovery, application security and identity management. It updates an original edition released in April.

Also Thursday, Sun Microsystems announced a set of new open-source technologies that target some of the challenges highlighted in the CSA’s report.

The new tools include:

– OpenSolaris VPC Gateway, which lets users create a secure channel to a virtual private cloud on Amazon’s EC2 (Elastic Compute Cloud) service, without special networking hardware.

– Immutable Service Containers, for creating virtual machines with stronger security and monitoring functionality.

– A series of Security Enhanced Virtual Machine Images (VMIs) for EC2. They include images for Sun’s OpenSolaris operating system as well as software stacks, such as the open-source Drupal content management system.

– A tool called Cloud Safety Box, which helps users manage the compression, encryption and division of information stored on cloud services. It includes support for Solaris, OpenSolaris, Linux and Mac OS X.

Possibly Related Posts:

Cloud control and sprawl

By JM Tuazon on December 16, 2009

By Stephen Bell
CIO New Zealand
December 16, 2009

AUCKLAND - Interest in cloud computing is endemic, but the definition of the concept is still unclear. Is it a genuinely new business model for computing, industry commentators and aspiring users ask? If so, what are the features that distinguish it from other models reaching back for decades — the computer bureau of the 1980s, for example, or the more recent vogue for the Applications Service Provider (ASP) and “utility computing”?

Speakers at the CIO Insights Luncheon in November made some attempt to agree on a working definition, while admitting, in the words of Unisys NZ managing director Brett Hodgson that, “We’re not going to demystify that today.”

He says the cloud Unisys talks about “is loosely defined as a multi-tenanted environment” — as distinct from an ASP model, which usually means each customer using their own specialised applications relocated. “The cloud is a different business model, probably more aligned to pay-as-you-go.”

Tim Sheedy, senior analyst at Forrester, agrees. “Paying for only what you use is one of the key tenets. If it’s not pay-as-you-use, it’s not true cloud.”

Virtualisation is also a crucial part of the cloud model, according to the speakers.

Paying for only what you use works in favour of removing capital spikes from your budget, Hodgson says. Sharing a facility means sharing some of the costs and, at least in theory, reduces them. The global financial crisis has added to the normal “do more with less” pressure from business on CIOs and IT managers, and is an important impetus for mounting interest in the cloud.

But just offering customers a slice of remotely accessed computing capacity or storage does not qualify as a cloud service, says Fonterra chief technology officer Andrew Wilshire.

“In the local market, we see every two-bit ISP standing up their cloud infrastructure and offering to sell us a bit of CPU time and some memory. That’s missing the point as far as we’re concerned. The service orientation of this is key, we’re not interested in buying tin.”

Some local providers are moving in the service direction, “but I’m not sure some of these second and third-tier providers necessarily have the maturity from an ITIL perspective or just in terms of relationship management for dealing with corporate or government sectors,” says Wilshire. “I think there’s a lot of aspiration, but nothing material on the market. We’ll wait and see.”

Fonterra is using a cloud model internally — though Wilshire admits he still cringes when he uses the word. The company currently has 60 percent of its servers virtualised. “Our aspiration is to be 100 percent virtualised in the next two to three years,” he says. “It’s working out well. We’re able to consolidate workflow that was previously disparate and we get much better asset utilisation across our server farm.”

Fonterra also runs a few software-as-a-service applications from outside providers, concentrating on tasks that can be cleanly separated from internally-run applications.

These include travel management and recruitment services “and also an AT&T service to provide web access and filtered access for our users in North and South America.

“That saves us from having to deploy a complex, internet-facing infrastructure around the globe, which would be very difficult to manage. We just get the ISP to provide that, it’s a lot simpler.

“In terms of line-of-business apps, we’ve got two big ones,” says Wilshire. “A trade-promotions management system that lets us optimise spend in marketing at the supermarket level, and a transport management system that allows us to optimise our rail, sea, and road movements of goods (see “Points of difference” in CIO August/September 2009). “Those are two fairly hefty applications, but they’re quite autonomous,” says Wilshire. “There’s not a lot of integration there, not a lot of traffic going back and forth to other applications [in-house]. They’ve been sweet spots for us in terms of SaaS.”

Recently, the company considered the pros and cons of SaaS for customer relationship management. It seemed straightforward and autonomous enough at first, Wilshire says. But there are relationships with every application from IVR, to production and marketing systems. [There are] so many touch points, he says, that at any time operations could be “hamstrung” by a faulty linkage between in-house and outsourced systems.

Weighing benefits and risks
The integration problem loomed large in two global customer surveys conducted by Unisys in June and September this year. Customers were asked what stops them from using cloud computing. By far the greatest concern is security, named as the top issue by 72 percent of respondents. In the later survey, on a different sample, that figure was 51 percent, but security and data-loss concerns still dominated.

The second-ranking concern in both surveys was integration. It is no trivial task, speakers agree, to integrate what you run in the cloud with the applications you still run in-house.

“What the survey results say overall is that the cloud is “not a silver bullet to major savings”, says Hodgson. “It’s hard work to get to there. There are definitely savings and opportunities within the cloud as it has been defined. They’re not the same for every company, or for everyone.

“You can’t be complacent with security issues. When you’re putting things outside your control, then you’ve got to be asking some good questions [to potential providers]. Data protection and privacy is critical, particularly with government organisations but also for commercial enterprises.”

In a country that has yet to mount a major cloud service onshore, going into the cloud raises the issue of sovereignty over data. “Where is my data going to reside? What are the operational rules around the datacentre? Is the provider ISO 20000 compliant?” These questions have to be answered so you know what level of trust to put in the provider and how to reflect that in your own operational environments, says Hodgson.

Critical questions
Tim Sheedy of Forrester introduced his presentation with three basic take-away points:

Firstly, he says, cloud computing will never be everything to everyone. “The cloud will be just another sourcing capability for your IT systems”.

Secondly, cloud implementation should be looked at from a role perspective. People with different roles in the organisation will see different advantages and concerns, and there will be different factors that will change in the way each role operates.

“So you can see you need to bring in multidisciplinary teams to make these decisions. You will have to make changes across a lot of your organisation,” Sheedy says.

Moreover, those changes will influence one another. “This is not something simple that you can do in one section and not have it impact the rest of the IT organisation.”

His third point, however, is that the cloud will be a crucial element in the IT environment of the future. “By 2011 or earlier, for every IT decision you make, you should be asking ’should we be doing this in the cloud?’ Or even ‘why are we not running this in the cloud’?”

He says Forrester analyses the cloud into successive layers, where the technology and thinking shows different layers of maturity.

At the next level of complexity and maturity are application components as a service, linked to the in-house elements of the application by APIs. A map service is a basic example.

A complete development platform can be provided as a service, incorporating an applications server and cloud-based file, database and data object storage.

Forrester splits infrastructure as a service (IaaS) into two layers: virtual IaaS, comprising virtual servers, and disks and system management, typified by Amazon’s Elastic Compute Cloud. Datacentre hosting provides another level of cloud; with physical infrastructure as a service.

Forrester has found cloud computing is an issue of growing importance for Australian and New Zealand organisations, with 22 percent ranking it a critical priority and a further 14 percent a high priority. “We expect these numbers to jump considerably when we do this survey again next year,” says Sheedy.

The use of SaaS is showing particularly high growth. “About 55 percent of organisations are considering, implementing, piloting or increasing their use of SaaS in Australia and New Zealand. Last year that figure was 30 percent and the year before 15 percent,” he says.

Asked for reasons for not using SaaS, respondents cited concerns that savings in total cost might not come about, the problem of network latency and concerns over application performance. About 27 percent cited lock-in to a current vendor.

Despite some evident total cost concerns, Sheedy argues cloud services have “a compelling value proposition over traditional sourcing”.

What should you run in the cloud today? Sheedy lists such applications as employee portals, ERP, email, Web 2.0-style collaboration, testing, back-office transaction systems and disaster recovery.

The mention of ERP caused surprise in the audience. Clearly such a move deserves careful thought, says Sheedy, but the multi-year, in-house customisation that used to go on with ERP systems would no longer get past many boards.

There is little in ERP that makes your business any different from any other business, he says. “Sometimes this is about protecting us from ourselves and about cutting back the ridiculous amount of customisation we put these systems through.”

Unisys kindly sponsored the CIO Insights Luncheon “Security in the Cloud” held in Auckland and Wellington.

Possibly Related Posts:

Microsoft talks cloud computing security, plans to offer private cloud software

By JM Tuazon on December 11, 2009

By Jon Brodkin
Network World (US)
December 11, 2009

FRAMINGHAM - With Microsoft’s Azure cloud computing platform set to go live on New Year’s Day, the company is looking ahead to later in 2010 when it will unveil a new security structure for multi-tenant cloud environments as well as private cloud software based on the same technology used to build Azure.

Hasan Alkhatib, the Azure senior architect, described the Microsoft security project code-named “Sydney” Thursday at an Xconomy forum on cloud computing held at Microsoft’s New England R&D Center in Cambridge, Mass.

In addition to embedding greater security into the public cloud, Alkhatib said Microsoft is planning to help customers build private cloud networks within their own data centers, using the same software Azure is based on.

“Every customer says ‘where can we get a private cloud?’” Alkhatib said. “We’re building them. Within a short period of time private clouds will be available with the same technology we’ve used to build Windows Azure.”

However, Alkhatib said he thinks private clouds lack most of the benefits of public clouds, and focused most of his talk on the Azure services that will be offered publicly over the Web.

Project Sydney, unveiled last month at Microsoft’s Professional Developers Conference, addresses security in virtualized, multi-tenant environments in which customers are typically sharing data center resources.

Sydney will provide isolation between customers’ cloud resources with network virtualization, and provide secure connections between an enterprise’s internal data center equipment and what it uses in the cloud, Alkhatib said. Sydney will aggregate “any arbitrary set of endpoints,” including servers and client machines inside the enterprise and resources in a public cloud service like Azure, and create what Alkhatib called a “virtual network overlay” which is secured with IPsec and which can only be accessed by those authorized to do so.

“All these elements appear to each other as if they have a dedicated, private network,” Alkhatib said.

Regulatory compliance in cloud computing is still a major challenge, however. Alkhatib said the IT industry must lobby agencies to accept new security guidelines that are based on logical, rather than physical structures.

Microsoft hasn’t announced a release date for Sydney but is committed to delivering at least a beta version in 2010, Alkhatib said. The private cloud product based on Azure may also come out in 2010, he said.

Microsoft today is running Azure out of data centers in Chicago and Texas, and will add four more data centers in January in Dublin, Amsterdam, Singapore and Hong Kong, Alkhabit said.

Possibly Related Posts:

Frankly Speaking: ID management woes in the cloud

By JM Tuazon on December 4, 2009

By Kathleen Lau
ComputerWorld Canada
December 4, 2009

TORONTO - Businesses will be running on the cloud in as little as five to 10 years, so getting on board with identity management now will be the “onramp” to sustaining and growing the business in the cloud over time, said Sun Microsystems Inc.’s chief governance officer for cloud computing.

Michelle Dennedy said given that cloud is inevitable, businesses must figure out what assets are in their distributed network and how to reap success from them.

Historically, little attention has been paid to individual accounts on the distributed network, like those of employees, customers and vendors. “Identities are now being realized as the true assets for the organization,” said Dennedy, who spoke at a CIO Canada Frankly Speaking Breakfast entitled Identity Management–Pathway to Enterprise Agility.

Dennedy urged the audience of chief information officers to pay attention to identity management because, while discussion on the topic has been ongoing for some time, the technology actually works now.

Also on the panel, Mark Dixon, Sun chief identity officer for North America, pointed out that having technology and processes in place to manage access to online systems can reap regulatory compliance, operational efficiency, security, and the enablement of business processes.

Many companies look upon identity management as an enabler, said Dixon. “Why do race cars have brakes? Certainly not to make them go slow. It’s to give them control so they can go fast,” he said.

Integrating identity management systems with the jungle of in-house-built versus commercial applications is not necessarily obvious in terms of which is easier, said Dixon. Some IT departments might have built thousands of in-house applications in which the authentication and authorization processes are more easily controlled than those of commercial vendor apps, he said. But commercial apps might integrate more easily.

But the holistic approach required of identity management can be daunting to organizations. Injecting cloud computing into that equation may seem to complicate matters, but Dennedy said there is often more cloud in the business than leaders are aware. So, over are the days of regarding a business’s IT infrastructure as a segregation of cloud and internal IT, she said.

This means that companies have the challenge of ensuring their identity management systems interoperate with those of their cloud providers. Dixon said while standards-based identity management technology exists, there is yet no standardized legal contract to “establish those circles of trust.”

Dennedy said there is a movement to standardizing in the cloud, but the problem is a lack of open APIs (application programming interfaces) in cloud development.

“Tell your vendor you want interoperability,” said Dennedy. “That’s the only thing that moved some of these highly proprietary vendors off the dime.”

Attending the event was Roman Olarnyk, chief information officer with the Ministry of Health and Long-Term Care (MOHLTC), which has an identity management initiative in place.

Olarnyk agreed that identity management in a cloud environment requires that customers be able to work well with their cloud providers.

“When I take a look at the ‘I’ in Identity, that’s the antithesis to enterprise agility,” said Olarnyk. “It’s the concrete that weighs down the enterprise and what we need is less ‘I’ and more ‘We.’”

Currently, identity management is owned by the IT department, where it’s buried in security, “which means it’s in the dungeon,” said Olarnyk. But if identity is an asset in a business’s distributed network, then it must be owned by a department that can turn the asset into a business opportunity, he said.

Possibly Related Posts:

Cloud computing awareness in Asia remains low

By JM Tuazon on December 4, 2009

By Computerworld Hong Kong staff
Computerworld Hong Kong
December 4, 2009

HONG KONG - Overall awareness of cloud computing in Asia Pacific excluding Japan is still relatively low, with only 46 percent of survey respondents in the region having familiarity with the concept, said Springboard Research Thursday.

While awareness is low, cloud computing will continue to drive further demand for Software-as-a-Service (SaaS) as well as further broadening the types of services available via the on-demand model, according to the latest Springboard report dubbed Market Evolution and Implications

Springboard defines cloud computing as a collection of IT-enabled resources and capabilities that can be delivered via the internet as a service. The report looks across all layers of the Cloud, including not only SaaS, but also platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS).

“Cloud Computing is the next phase in the delivery and consumption of IT-enabled services and a major evolutionary step in the maturing of the IT industry,” said Michael Barnes, vice president, and Software Research. “It provides an opportunity for organizations in Asia Pacific to leapfrog competitors in other regions. We expect organizations across Asia Pacific to embrace Cloud Computing as a way to drive greater standardization at the IT infrastructure level while simultaneously lowering the resources required to leverage technology solutions for business benefits.”

Springboard noted that awareness and understanding of Cloud Computing remains limited in the region, particularly the relevance for strategic business and IT priorities. Two-thirds of organizations across the region currently find cloud computing ‘not-relevant’ for their organizations. Among the organizations that are aware of the concept, 78 percent have not yet deployed any Cloud-based applications, the research firm added.

SaaS is an exception to the region-wide lack of cloud awareness, said the analyst house. This is substantiated by a key finding from the Springboard report which revealed that 95 percent of Asian organizations are familiar with SaaS whereas less than half the organizations surveyed were familiar with Cloud Computing, Springboard added.

SaaS based applications like CRM and ERP, storage, Web conferencing, and e-mail are the most popular applications among cloud users and constitute the bulk of cloud-related spending, said Springboard.

“For the Cloud vendors, establishing and maintaining trusted relationships is critical to overall market growth. In fact, delivering strong support is even more important in the still nascent Cloud Computing market as it is needed to overcome the early skepticism, uncertainty and doubts that characterize this market,” Barnes advised.

Possibly Related Posts:

Cloud computing top tech of choice for RP CIOs

By JM Tuazon on November 27, 2009

Computerworld Philippines Staff
November 27, 2009

With a promise of resource optimization, faster ROI and a cost-effective investment scheme, cloud computing emerged recently as the top technology of choice for local CIOs at the conclusion of a series of CIO Forums led by G2iX (Global Gateway Innovation Exchange), a local pioneer of cloud computing services.

Cloud computing, which has experienced widespread adoption not only locally but especially abroad, remains at the helm of inexpensive yet effective solutions that answer common enterprise problems, especially during the recent crisis.

“Infrastructure is generally underutilized. The enterprise ecosystem in the Philippines, particularly the telecommunications sector, can bank on cloud computing and Software as a Service (SaaS) to significantly reduce time, costs, as well as headaches and deliver innovations within their organization,” remarked Winston Damarillo, CEO, G2iX.

Measuring up to market demands, Morph Labs, a division of G2iX that provides cloud computing services in the country, recently unveiled Morph Cloudserver, a cloud platform patterned after Amazon’s Elastic Compute Cloud and Eucalypus that enables firms to massively develop and deploy software throughout the enterprise.

“Cloud computing technology, such as the Filipino co-developed Morph Cloud Server, provides emerging countries with affordable access to world-class ICT infrastructure,” commented Secretary Ray Anthony Roxas-Chua of the CICT (Commission on Information and Communications Technology).

G2iX is hoping to hold more CIO Forums in 2010 to further discover trends and share best practices among the country’s top innovators. – John Mark V. Tuazon

Possibly Related Posts:

Amazon called out over cloud security, secrecy

By Fei Lumbania on November 16, 2009

By Jon Brodkin
Network World (US)
November 16, 2009

FRAMINGHAM - Amazon’s cloud computing service should not be used for applications that require advanced security and availability, the Burton Group analyst firm says in a report accusing Amazon of secrecy regarding its cloud data centers.

10 cloud computing companies to watch

Amazon has helped define the cloud computing market with its Elastic Compute Cloud (EC2), a service offering access to virtual server capacity over the Web. There are many things to like about EC2 and related platforms such as Amazon’s Simple Storage Service (S3), but there are also numerous unanswered questions about Amazon’s cloud infrastructure, according to the Burton Group.

Amazon seems to do a good job of network and physical security, but overall Burton Group gives the company “low marks for enterprise availability and security” because of a lack of transparency.

“Amazon maintains a strict ‘will not discuss’ policy regarding specific data center details. In Burton Group’s opinion, this position is unacceptable because it prevents organizations from assessing the risk posed by placing enterprise applications in EC2,” states a report titled “Amazon EC2: Is it ready for the enterprise?” written by Burton Group analyst Drue Reeves.

Amazon says its data centers meet Tier 4 specifications, with fully redundant power, backup power, networking and HVAC systems.

“However, no outside firm has inspected or audited Amazon’s data centers to verify these claims,” Reeves writes. “Due to lack of available information and audited inspection regarding Amazon’s data centers, Burton Group cannot verify Amazon’s availability claims.”

Specifically, Burton Group says Amazon customers have no way of determining the “physical redundancy level and data protection” of physical components such as servers, storage devices, network and power infrastructure. Burton Group also faulted Amazon for replication rates in its Simple Storage Service and a lack of failover between data center regions.

Amazon spokeswoman Kay Kinton said the Burton Group report contains inaccurate statements. For example, the report says Amazon lacks SAS 70 security certification, when in fact Amazon does have that certification, Kinton writes in an e-mail to Network World.

“In terms of reliability, we often hear from our customers that AWS [Amazon Web Services] can achieve higher degrees of performance than they’ve been able to achieve on their own,” Kinton writes. “Additionally, AWS gives users a great deal of control and visibility into a user’s environment. Users can choose where to place their data, they can run their applications and back up to multiple availability zones and in the event of any service interruptions, they have access to a service health dashboard that gives regular updates on the service health. We also have features that provide monitoring, Auto Scaling and Elastic Load Balancing for even greater resilience in building applications. One of the main reasons customers use our services is the reliability that we’re able to provide.”

Kinton also noted that Amazon recently launched the Amazon Virtual Private Cloud (VPC), which connects a customer’s existing infrastructure to a set of isolated cloud computing resources with a VPN connection.

“Amazon VPC enables enterprises to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources,” Kinton writes.

The Burton Group did give Amazon high marks for scalability and said it offers adequate performance. EC2’s core strength is the ability to easily provision and load-balance virtual machine images, and compute-intensive applications that have small data sets and are built for parallelism will work well in the service, the analyst firm says.

However, Burton Group also says Amazon’s management tools do not integrate adequately with the management tools used by enterprises today. EC2 is often a good fit when organizations need to defer large capital expenses, but Burton Group says the service is still not suitable for applications that store sensitive information, require identity management, high degrees of availability and high rates of I/O transactions.

In the Burton Group’s opinion, the bottom line is that “Today, EC2 is a good fit for stateless, parallel, transient, scale-out applications. But gaps in EC2’s security and availability, poor enterprise management integration, vendor lock-in potential, and input/output (I/O) costs prevent organizations from using EC2 for applications that process vast numbers of transactions, house highly sensitive data, have low recovery point objectives, and require system failover to save application state.”

Possibly Related Posts:

Ailing data centres to seek relief in cloud computing: IDC

By Tom Noda on November 12, 2009

By MIS Asia staff
MIS Asia
November 12, 2009

SINGAPORE - Hobbled by rising operational costs, below-standard utilisation levels and increasing technological complexities, seven-year old data centres are facing a fuzzy horizon.

Based on the latest research findings on data centres by market intelligence provider IDC, complexities and redundancies will fester in the migration stage.

The current economic recession has neither made things easier for chief information officers (CIOs), who are still at a loss on where to start tackling the problem.

“There is a lot of pent-up demand for revamping and building new data centres that have been postponed due to the ongoing recession,” said Avneesh Saxena, group vice president for domain research at IDC Asia Pacific.

IDC predicted that IT-driven companies are likely to rely heavily on cloud computing services offered by other organisations to preempt paralysis of operations because of more problematic situations.

‘Elastic’ IT framework

The catch, however, is that these companies must not waste time in planning for a responsive IT framework as an essential prerequisite. IDC stressed that this is especially crucial for companies wishing to build their own private or internal clouds.

“Meanwhile, the demand for IT has not gone down and CIOs worry about coping with the turnaround as and when it comes through,” Saxena noted. “This has to lead to the emergence of an adaptive and elastic IT framework, whether inside or outside the organisation.”

In its conference titled ‘Powering the Enterprise Cloud’, IDC Asia Pacific will suggest important points for organisations to take into account as they plan for an enterprise cloud. Hosted by 13 Asia Pacific countries from November to December 2009, the conference in Singapore is scheduled on November 12. Seoul, South Korea became the first venue of the event last November 3. The last conference will be on December 15 in Hanoi, Vietnam.

Possibly Related Posts:

Cloud computing inevitable? Not so fast, educator says

By JM Tuazon on November 6, 2009

By John Fontana
Network World (US)
November 6, 2009

FRAMINGHAM - Is cloud computing inevitable? Maybe, but IT still has a lot of questions to ask before floating away on its promises, according to Melissa Woo, director of cyberinfrastructure and network and operations services at the University of Wisconsin-Milwaukee.

Michael Dieckmann, CIO at the University of West Florida, thinks otherwise and the two spent Wednesday at the annual Educause conference debating the hype vs. the hope around commercial cloud computing that promises to cut IT costs and provide efficiencies.

Woo’s contention isn’t so much that the cloud won’t emerge as an option, but that IT still has a lot of questions to ask before floating away on its promises.

“Why is the conversation always when, why are we not asking why,” she said to a packed Educause session that with a raising of hands showed the audience of higher-ed IT pros are on the fence over cloud computing. “Gartner has cloud computing at the peak of inflated expectations on its hype cycle,” she said.

Woo noted recent reports of outages by large providers should grab attention. This week, cloud provider Rackspace reported its third outage since June. Last month, Microsoft reported it lost the data stored by users of T-Mobile’s Sidekick service before eventually recovering most of the data. And Google, which provides e-mail services for students, faculty and staff on Dieckmann’s campus, has had numerous outages that have frustrated users so much that Google developed a Google Apps Status Dashboard and pumps updates to users via RSS.

“And what about the privacy risks, security risks? Where is that data being stored? Where is research data being stored? How do you handle identity and access management, what happens if the cloud service falls out from under you?” Woo said.

Dieckmann countered that the cloud question is most relevant for commodity services, but the tricky part is that the definition of commodity services is constantly changing.

“To many people e-mail is e-mail,” he said. “Storage is becoming more of a commodity. When that service can come externally just are reliably and with the same service levels we can provide why do we need to spend significant resources to run it in-house?”

But on the cost issue, Woo’s contention is that most universities don’t have a true handle on costs and therefore can’t determine if the cloud is saving money.

“Another thing to think about is are we just cost shifting. Are we throwing things over the wall for others to worry about,” said Woo, who wonders about the burden put on legal and purchasing departments. “We are not just looking at saving IT costs but costs across the institution.”

Dieckmann, in part, conceded Woo’s point, saying he spends more time now with UWF’s general counsel than he did before venturing out into the cloud.

But Dieckmann compared the cloud with what has been happening internally in IT over the past few years in terms of centralizing servers into data centers and adding virtualization for added efficiencies and benefits. He said many of the same arguments IT made for centralization are now being turned against them via the cloud debate.

“Part of what is uncomfortable here is that it is our apple cart that is now being upset,” he said. “But we need not approach this as a poison pill. There are many advantages and we should be leading here rather than following.”

Woo contends the transfer to centralized IT has been based on trust, but questioned whether that same trust exists in the cloud.

“Can we negotiate good service-level agreements (SLA). We don’t have the maturity to negotiate those. What if the cloud provider breaks the SLA, do we know how to measure harm if our storage disappears,” she said.

“We need to come to grips with the inevitability of the cloud,” Dieckmann says. The massive economy of scale involved in cloud computing can make it the most cost effective way to provide services for higher education, he contends. “Cost is not a minor concern today.”

When evaluating cloud services, he says users must focus on how the cloud alters the parameters on the old notion of outsourcing, an idea that was hot nearly a decade years ago but lost its sizzle for technological and other reasons.

The cloud has benefits that can’t be ignored, Dieckmann says, such as delivering infrastructure as a service, support for massive sharing, flexibility and a pay-as-you-go model.

He concedes the debate has many layers, but he points out that end-users have their own cloud choices now and that could eventually mean less IT control.

“Our clients are voting with their feet,” he said, in reference to students and faculty who go out on their own to online services. “Our challenge will be to combat the choices users make and to keep coherent IT enforcement,” he said.

“The next evolution of this is academic departments deciding to using the cloud and they are not doing that with IT or general counsel input. In some cases we have no control. We need to show some leadership.”

Possibly Related Posts:

Amazon downplays report highlighting vulnerabilities in its cloud service

By Melba Bernad on October 29, 2009

By Jaikumar Vijayan
Computerworld (US)
October 29, 2009

FRAMINGHAM - Amazon said today that it has taken steps to mitigate a security issue in its cloud computing infrastructure that was identified recently by researchers from MIT and the University of California at San Diego.

The report described how attackers could search for, locate and attack specific targets in Amazon’s Elastic Computer Cloud (EC2) because of certain underlying vulnerabilities in the infrastructure.

Though the attack described in the report was conducted against Amazons infrastructure, the researchers concluded that similar targeted attacks could be carried out in other cloud services as well because the vulnerabilities were generic.

In response, Amazon spokeswoman Kay Kinton said today that the report describes cloud cartography methods that could increase at attacker’s probability of launching a rogue virtual machine (VM) on the same physical server as another specific target VM.

What remains unclear, however, is how exactly attackers would be able to use that presence on the same physical server to then attack the target VM, Kinton told Computerworld via e-mail.

The research paper itself described how potential attackers could use so-called “side-channel” attacks to try and try and steal information from a target VM. The researchers had argued that a VM sitting on the same physical server as a target VM, could monitor shared resources on the server to make highly educated inferences about the target VM.

By monitoring CPU and memory cache utilization on the shared server, an attacker could determine periods of high-activity on the target servers, estimate high-traffic rates and even launch keystroke timing attacks to gather passwords and other data from the target server, the researchers had noted.

Such side-channel attacks have proved highly successful in non-cloud contexts, so there’s no reason why they shouldn’t work in a cloud environment, the researchers postulated.

However, Kinton characterized the attack described in the report as “hypothetical,” and one that would be “significantly more difficult in practice.”

“The side channel techniques presented are based on testing results from a carefully controlled lab environment with configurations that do not match the actual Amazon EC2 environment,” Kinton said.

“As the researchers point out, there are a number of factors that would make such an attack significantly more difficult in practice,” she said.

At the same time, Amazon takes all reports of vulnerabilities in its cloud infrastructure very seriously, she said. The company will continue to investigate potential exploits thoroughly and continue to develop features bolster security for users of its cloud service, she said.

Amazon Web Services has already rolled out safeguards that prevent potential attackers from using the cartography techniques described in the paper, Kinton said without offering any details.

She also pointed to the recently launched Amazon Web Service Multi-Factor Authentication (AWS MFA) as another example of the company’s continuing effort to bolster cloud security. AWS MFA is designed to provide an extra layer access control to a customer’s Web services account, Kinton said.

The research report that highlighted the security issues in cloud computing infrastructures is scheduled to be presented at the ACM Conference on Computer and Communications Security next month.

Possibly Related Posts:

Gartner on cloud security: ‘Our nightmare scenario is here now’

By Melba Bernad on October 22, 2009

By Ellen Messmer
Network World (US)
October 22, 2009

FRAMINGHAM - At the Gartner Symposium IT/Expo this week, thousands of IT managers packed into sessions on the topic of virtualization of enterprise computers, along with the prospect of adopting public cloud-based services or building private ones. Some say the revolution is underway, and security managers are caught in the middle, losing their earlier controls.

Gartner analysts, including David Cearley and Gene Phifer, trotted out user case studies involving FedEx, Presidio Health, Johnson Diversey and others extolling the public or private cloud, while in a separate session Michael Lock, head of enterprise sales at Google, found himself looking like a budding rock star in front of an huge audience of high-tech execs eager to hear about Google Apps. With new ways of conducting enterprise computing and application development shaking up established IT practices, the darker mood about it all was mainly heard from Gartner’s security analysts, recognizing the revolution underway is ripping away the security controls of today.

“Our nightmare scenario is here now,” said Gartner analyst John Pescatore. Botnet-driven cybercrime is clearly accelerating as online predators involved in “cybercrime as a service” plunder corporate and consumer data for financial gain. In addition, corporate employees are now using handheld smartphones the company didn’t even issue and spending substantial time on networks not owned by the enterprise.

Now comes cloud computing as service offerings and “obviously attacks will come after this,” Pescatore said. In many instances, the fact is the “IT organization is being driven to have less control over software and hardware.”

The implication of this, Pescatore said, is they can sit and dream of something pleasant, like the return of the mainframe, or they will have to make a shift to using or developing “security as a service” to adapt to new threat scenarios in both public cloud computing and virtualization of their IT infrastructure.

With the cloud taking shape nebulously as many types of public, private and hybrid services, an important technology to turn to will likely be encryption services. “In the next few years, you’ll see encryption services out there,” Pescatore said.

Gartner analyst Neil MacDonald also minced no words in describing the implications for security in the virtualization and cloud-computing revolution.

“We’re at a critical point,” MacDonald said. Adoption of consumer technologies and the transformation of the technical infrastructure in the enterprise means that there’s “frustration of the business units with us,” MacDonald said.

With virtualization, the key concept of “locking down a physical device” is disappearing in favor of virtual machine-oriented security, such as virtual security appliances as software instead of physical appliances, he said. In addition, the enabling of quick deployment of virtualized applications and databases to facilitate business partnerships will need to be done, though “security becomes very difficult in this environment.”

Cloud computing and virtualization “break one of the foundational principles of security architecture: Us and them,” MacDonald said.

Known technologies such as signature-based antivirus are now insufficient, increasingly useless and he added, way overpriced. Antivirus must be buttressed with whitelisting to control application use, and the newer software-based virtual appliances for security have to be examined for use in a virtual-machine environment.

About the physical security appliances out on the market today, MacDonald said “these boxes are expensive,” and he disparaged Cisco, Juniper and TippingPoint as “not having much going on now because they like to sell boxes.”

When it comes to cloud computing services, the security professional is being pressured to “get out of the way” and figure out something that’s “secure enough,” said MacDonald, though the impulse will be to say no to the cloud.

Though the public cloud “makes sense for less-sensitive data,” there are limits, such as “PCI stuff, no way,” MacDonald said, referring to the data falling under the Payment Card Industry security requirements.

But there are going to be “trade-offs” as new cloud service offerings, and the stance the security professional should take is to clearly explain the risks to the business owners of the data and make sure they accept it, not push it back onto the security and IT department.

“They get all the accolades and you take all the risk, who wants that job?” he pointed out.

Speaking on a panel at the Gartner conference, a number of CIOs acknowledged their prime concerns are about security in cloud computing.

June Hartley, CIO at the National Business Center of the U.S. Department of the Interior, said security requirements known as FISMA that the U.S. government uses for security compliance will likely be changed to meet the new world of private and public cloud computing.

Casey Coleman, CIO at the General Services Administration and co-chair of what’s known as the Federal Cloud Council, agreed, but both indicated there was no apparent barrier to that.

Sometimes there are some unexpected risks.

Sal Allavarpu, senior director, product marketing at Citrix Systems, a player in the virtualization market which has created virtual appliance versions of its Access Gateway, Branch Repeater and NetScaler security, network and application control appliances, says there are new security issues that arise in virtualization and cloud computing.

For one thing, it’s not advised to run applications with different levels of trust controls on virtual machines located on the same physical server, he says. “It’s best to keep them separate, virtual machines with the same trust controls on the same physical server,” he said, noting auditors prefer this.

Without sharing detail, he said he knows of a recent occurrence in a cloud-computing arrangement where law enforcement going after someone seized the data for the entire physical server even though the suspect had data on just one virtual machine on that server. This caused a lot of consternation among other companies whose data happened to be on that same physical server in separate virtual machines. He noted that virtualization and cloud computing is new to law enforcement in some instances and this kind of issue is still being hammered out.

Mark Hurd, chairman and CEO at HP, who gave the keynote at Gartner yesterday, evoked a knowing chuckle from the audience when he said he has visited with many CEOs and frankly, they didn’t like the term “cloud” because they would prefer to think they’re operating in “clear skies.”

But without tipping his hand, he hinted that HP could be active in this arena itself with cloud-oriented services over time, probably the more private cloud varieties.

Possibly Related Posts:

Top 10 IT management trends for the next five years

By Fei Lumbania on October 20, 2009

By Patrick Thibodeau
Computerworld (US)
October 20, 2009

FRAMINGHAM - ORLANDO — The top trends affecting technology infrastructure over the next five years can be summed up as largely a list representing where IT and users are battling for control over technology.

The ability for users to be mavericks and bypass IT systems via social networks, application development with mashups, and conduct business on their mobile devices, is rapidly increasing, according to industry research firm Gartner Inc.’s forecast.

However, conversely, IT is poised to strike back, with technologies such as client virtualization. Centrally managed virtualized clients bring a new approach of “let’s give them what they actually need, not what they want,” said David Cappuccio, chief of research for the Infrastructure teams at Gartner.

“That’s a cultural change as much as it is technology,” said Ted Meisky, assistant director of IT infrastructure, Ohio Public Employees Retirement System, of the push to client virtualization.

It’s also in contrast to what Meisky and Cappuccio both agreed was another problem, and that is the rise of dead servers in data centers, a growing problem for virtualized environments where servers can be rapidly created but gradually fall in disuse. “We really don’t have a lifecycle view of this,” said Meisky.

The second major theme in Gartner’s list is energy and, even here, users are more aware today of the problem and raising questions about usage as well.

Client virtualization was first on the list. Gartner’s other trends are ranked from those that are well under way to the more emerging ones further down. Here are the others:

No. 2: The amount of enterprise data will grow about 650% over the next five years, the vast majority of it unstructured, or not included in any database. This growth “is going to cost us dearly if we dont pay attention,” said Cappuccio. Cutting that growth will mean adopting methodologies such as data deduplication and automated tiering of storage, which involves moving underutilized data to less costly storage systems based on risk and need.

No. 3: Green IT is about efficiency and that is prompting the business to ask “how IT runs its shop and what they’re spending” on energy. In most cases, IT managers aren’t able to say because energy cost are paid out of a separate facilities budget, said Cappuccio,

No. 4: A closely related trend to Green IT is what’s called complex resource tracking, which gives you the tools to monitor energy consumption as well as automate energy usage to optimal levels. “Instead of monitoring systems performance, let’s monitor consumption as well,” Cappuccio said.

No. 5: Companies are beginning to realize that if you don’t allow workplace use of Wikis, Twitter, or Facebook, to communicate for business “people are going to use it anyways, they ll find a way around it,” said Cappuccio, who recommends establishing rules around it, monitoring, participating, as well as bringing a “social dimension” to external Web sites.

No. 6: Companies are trying to unify as much of their communications as possible, tying in Web communications, social networking and other platforms “so we have some control with what’s going on,” Cappuccio said.

No. 7: More and more people are utilizing applications for mobile and wireless applications that are either free or modestly priced. “As people get more and more handhelds, they are saying they want these apps and they want them now,” said Cappuccio, and those users aren’t interested in seeing what IT can produce in six months.

No. 8: The energy cost of supporting a server will exceed the cost of the server in three years. It is helping to usher a “build what you need” approach in the data center. Blades are leading a move to componentized servers: plug-and-play the resources as needed, storage, processors, I/O , etc. “Think about that concept across an entire data center,” Cappuccio said.

No. 9: Mashups created by users are also something that IT has to manage. “If we aren’t careful, these things are going to take off like crazy,” Cappuccio warned.

No. 10: Cloud computing, particularly a private cloud, separates users from the technology decision because it turns IT into a set of services. “If you do that, it frees up IT to make decisions on what technology to buy, when to buy to buy … suddenly the constraints all go away,” Cappuccio said. The public cloud will grow slower than the private cloud, he said.

Possibly Related Posts:

Google takes enterprise promotion campaign global

By Melba Bernad on October 19, 2009

By Juan Carlos Perez
IDG News Service (Miami Bureau)
October 19, 2009

MIAMI - Google, not known for using conventional marketing to promote its wares, has nonetheless found that such an approach is effective for its enterprise products and will roll out internationally a campaign it launched in the U.S. in August.

The “Gone Google” campaign is aimed at IT and business executives who influence IT purchasing decisions, and is designed to sell them on the benefits of using products like Google Apps and the Search Appliance enterprise search device.

The campaign, which is also being extended in the U.S., will involve billboards and signs in airports and train stations, as well as ads in major online and print publications in the U.K., France, Canada, Japan, Australia and Singapore.

The campaign focuses mainly on Google Apps, the company’s Web-hosted suite of collaboration and communication applications, whose “cloud” software-as-a-service (SaaS) architecture Google maintains is a superior alternative to managing on-premises software.

The company is intent on convincing businesses of all sizes, but in particular large enterprises, that Google Apps is less costly, easier to implement and maintain, and makes possible better workplace collaboration than on-premise options such as those sold by Microsoft and IBM’s Lotus division.

“The idea behind ‘Going Google’ is that companies switch to Google Apps and it’s a real transformational change,” said Tom Oliveri, Google’s enterprise marketing director.

Of course, Google isn’t alone in the SaaS market for collaboration and communication software, where Zoho and Yahoo’s Zimbra also compete. Meanwhile, IBM and Microsoft are busy re-tooling their on-premise software to work on the cloud as well.

Google, like other SaaS vendors, also faces skepticism over the security, privacy and reliability of Web-hosted applications, which reside, along with their data, at external data centers beyond the control of an enterprise’s IT managers.

Still, Google maintains that it is making steady progress at winning over large corporations. Some recent large deployments of Google Apps Premier, which costs US$50 per user per year, include 20,000 users at Motorola, 35,000 users at Rentokil Initial and 7,000 users at Konica Minolta.

On Sunday, Google will announce its latest Apps enterprise win — MeadWestVaco, a global packaging company based in Virginia that has signed up for 17,000 users.

Currently, Google Apps is in use at more than 2 million businesses by more than 20 million end users, although the company doesn’t break out how many of those deployments are of Premier, the paid version of the suite.

Over the past year, Google’s enterprise team has doubled in size to about 1,000 employees and the company is actively recruiting to continue beefing up the staff, Google spokesman Andrew Kovacs said.

Possibly Related Posts:

How data security can vaporize in the cloud

By JM Tuazon on October 16, 2009

By Lucas Mearian
Computerworld (US)
October 16, 2009

FRAMINGHAM - While hosted cloud computing may be all the rage for reducing cost of ownership and management, IT managers say hosted storage services present dramatic security challenges and legal implications that need to be considered.

Arthur Lessard, chief information security officer at toy manufacturer Mattel Inc., in El Segundo, Calif., said during a presentation at Storage Networking World on Wednesday that cloud computing is appealing, even if many end users don’t know what the word “cloud” means. For example, many confuse cloud computing with pure server and storage virtualization or simply backing up data to a remote site.

True cloud services should be characterized by grid-architected hosts with central management, applications that can be ported seamlessly from system to system, capacity that is easily provisioned and significant data redundancy, he said.

“We’re talking software as a service,” Lessard said.

When storage is hosted offsite in a virtualized server and disk array environment, cloud computing presents real limitations around authentication, and auditing - especially auditing of logging. The lack of auditing capabilities may affect the ability to record user logins, administrative actions and data writes, Lessard said.

“What I can’t find out is who has been reading the data files, and … depending on what business you’re in, that might be important,” he said.

There is also not usually any indication of login anomalies, such as repetitive attempts to log into your site under an incorrect name and password. That information is kept by the vendor and is usually part of a contract negotiation process. With respect to authentication, or who sets up the accounts and what control you have over accounts and how they’re provisioned, most vendors offer self-registration into your applications, “and that can have holes,” Lessard said.

“Most authentication in a cloud environment is done through user name and password only, so if I had a nifty two-factor authentication set up or biometrics, it’s no longer offered,” he said.

Most service provider also have restrictions against penetration testing of the cloud by their customers.

“To be honest, I can’t blame the vendor because by doing penetration testing against their environment for your applications, it could impact someone else’s applications,” he said. “Remember, it’s a cloud, and you don’t have a lot of control over where my stuff is running or where it sits.”

Hackers can also exploit security holds associated with hardware and software cloning in virtual server environments. Most operating systems have unique or personalized components when they’re installed on hardware, and the OSes rely on the hardware to generate random numbers for public and private encryption key pairs and user IDs, even when they’re being cloned onto new systems.

When operating systems are cloned in virtual environments, where new servers and software are stamped out to meet user demand, service providers may use pseudo-random number generators, which will pass back values that look random and for the most part are spread out over a range, but they aren’t random and can be predictable, Lessard said.

At the last Black Hat hackers convention, there was an attack proposed that would exploit resources in the cloud based on pseudo-random number generation.

“If you have multiple systems, and they’re all cloned and you have some idea of when a particular instance was cloned and created, you can start making some pretty good guesses about the pseudo-random number generator in that operating system, and that means you can start making some pretty good guesses about public and private key pairs that got generated when an operating system got cloned.”

One of the stickier legal ramifications of storing data with a cloud service provider falls under the government’s right to search and seize that information during the course of a criminal investigation.

According to Lessard, the U.S. government has also asserted that it has a right to serve a warrant to a third party service provider in order to see your data on their systems and not notify that provider’s customers that it has served the warrant prior to the search.

Because one company’s data may be kept on the same disk as another’s by a service provider, a criminal investigation could expose your data to authorities or simply limit your ability to access data through that cloud service provider, Lessard added.

“Essentially, you’re losing your right to answer warrants served by the government,” he said. “To use a technical term, cloud computing is probably going to give your legal department the heebie jeebies.”

Other IT managers also had security concerns about cloud services, some of whom overcame them after becoming SaaS customers and others who weren’t convinced the security around such services is sufficiently mature.

Gordon Peterson, director of information technology for the city of Carlsbad, Calif., recently began using Microsoft’s Live Mesh cloud computing service to host collaborative applications, such as Exchange, Office Communicator and Live Meeting in order to spend less time on maintaining back office systems and more time on technology innovation.

Peterson, who has a staff of 25, said he definitely had security concerns, mainly around Microsoft employees who would be able to see internal e-mail traffic.

“We do have justice system traffic, after all,” he said. “But I think what helped was realizing somebody else can probably do security better than I can.”

Peterson said his main concern was Microsoft’s hiring and firing procedures and whether employee background checks were thorough. A trip to Microsoft’s hosting facilities helped alleviate those concerns.

“Their procedures are very similar to ours,” he said. “They told me that if they mess up, the online community is unforgiving.”

Norton Healthcare Inc., a private, nonprofit hospital system based in Louisville, Ky., is in the middle of rolling out virtualized servers, desktops and storage to serve four acute care hospitals and other health care facilities in Kentucky and southern Indiana.

Brian Comp, associate vice president of technology at Norton Healthcare, said cloud computing, with its ease of use is definitely in the hospital’s future, just not the near future. Comp said over the next five years, as cloud computing providers and the technology mature, it will become more reliable and secure, allowing him to put non-clinical systems on a distributed architecture.

“I wouldn’t say I’m uneasy about security in the cloud, but I do have reservations about it. It’s about having data offsite. I just want certain assurances. Nobody wants to be on the front page of a newspaper because of security problems,” he said. “But I do think cloud vendors will work that out over time.”

Possibly Related Posts:

Next Entries »

Posts Tagged ‘ cloud computing ’

Google opens Google Apps Marketplace

Cloud security, cyberwar dominate RSA Conference

Microsoft’s Ballmer: ‘For the cloud, we’re all in’

More RP companies reach for cloud computing, study says

Oracle ramps up private cloud offering

Salesforce lets enterprises ‘automate any business process’

Cloud Computing Will Cause Three IT Revolutions

Microsoft, NSF form cloud computing collaboration

Security Vendors: Set for Online Battle

Cloud Security: Ten Questions to Ask Before You Jump In

Cloud storage hype: Customers not buying it

Microsoft calls for cloud computing transparency

Is Google hack an attack on cloud computing?

Wipro brings cloud computing to retail industry

Microsoft, HP announce ‘infrastructure-to-app’ partnership

IT service providers will reach for the cloud in 2010

Cloud Security Alliance issues new guidelines

Cloud control and sprawl

Microsoft talks cloud computing security, plans to offer private cloud software

Frankly Speaking: ID management woes in the cloud

Cloud computing awareness in Asia remains low

Cloud computing top tech of choice for RP CIOs

Amazon called out over cloud security, secrecy

Ailing data centres to seek relief in cloud computing: IDC

Cloud computing inevitable? Not so fast, educator says

Amazon downplays report highlighting vulnerabilities in its cloud service

Gartner on cloud security: ‘Our nightmare scenario is here now’

Top 10 IT management trends for the next five years

Google takes enterprise promotion campaign global

How data security can vaporize in the cloud

MENU

KNOWLEDGE CENTER

MARCH 2010 EDITION

QUICK POLL

Web Stats

POPULAR TAGS