Moving to the Cloud: Privacy

 

This post is the fourth in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

Few topics related to cloud computing create more passion than privacy.  Knowing how well your organization’s information will be safe-guarded is key to trusting a service provider and the decision to go to the cloud in the first place.

Privacy, while closely related to security, differs in that security addresses access to and protection of information, while privacy addresses who can access data and how it may be used.

When considering privacy, organizations should start with three documents from the service provider:

  1. Terms of Service / Contract:  Most cloud providers provide clear terms and conditions related to privacy in their terms of service.  These include statements about content ownership and access rights; clauses covering confidential information; statements regarding the provider’s access to customer data and content; and terms related to how the service provider will respond to subpoenas and other third-party demands for data.
  2. Service Level Agreement:  Many cloud providers include terms related to privacy in their service level agreement.   In some cases, the SLA stipulates time frames for addressing privacy issues.
  3. Privacy Policy:  Most cloud providers now have one or more privacy policies.  These policies may be universal to the provider’s service, or may cover specific aspects of the services (such as use of the web site/portal).

When looking to choose a cloud solutions provider, look at all three documents.  Verify that they are comprehensive and clear.  Understand how they address any particular regulatory requirements for your organization.  Validate that they are consistent — that no conflicts or gaps exist that could lead to confusion or misunderstandings down the road.

Make sure the review of privacy policies looks at the specific customer agreements and policies.  Many cloud providers offer “free” or “consumer” services with different terms and conditions than their paid (or free) solutions for business, government, education, and non-profits.   Many organizations spin their wheels and raise unwarranted concerns by not focusing on the specific, applicable agreements and policies.

Finally, review the privacy performance of the service provider.  If they have had any sort of breach, or a privacy dispute, understand the nature, scope, and response.  Understand if the breach was provider-related or due to the actions or inaction of the customer.  Assess the appropriateness of the provider’s response given the nature of the issue.

Again, due diligence is key.  A small amount of research, a few questions, and an accurate understanding of how a service provider plans and manages privacy will help organizations determine if the provider meets the organization’s privacy needs and priorities.

Next Post in the Series:  Lock-In

 

Previous Post in the Series:  Provider Reliability

Moving to the Cloud: Provider Reliability

 

This post is the third in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

One of the challenges in planning a move to the cloud remains the relative youth of the current industry.  While the concept of cloud computing is not new (tip your hat to Control Data in the 1980’s and their mainframe time-sharing service), most cloud computing services are relatively new.  Even services from long-standing, reliable vendors — like IBM and Dell — are relatively new ventures for these firms and have yet to be proven in a long-term market.

Organizations looking at any cloud service, be it SaaS, PaaS, or IaaS, must consider the reliability of the provider.  In doing so, it is the customer that must also understand the benchmarks being used by vendors when reporting their statistics.  Considerations include:

  • What is the availability of the service?  How well does the service provider meet their Service Level Agreement (SLA) benchmarks in terms of total downtime and/or service disruptions?
  • What is the reliability of the service?  How often does the service experience issues?  While most organizations tout availability, 6 disruptions lasting 10 minutes may have more impact on your operations than a single hour-long disruption.
  • Does the provider have performance benchmarks?  If so, how well does the provider meet the benchmarks?  In moving to the service provider, what expectations/needs will you have with respect to WiFi capacity, fixed network performance, and Internet capacity?   In many cases, the limiting factor on end-user performance is not the service provider or the Internet speed — it is the organization’s internal wired and wireless capacity.
  • What level of support do you expect?  Understanding how the provider delivers support — directly or through resellers/partners — is key to an organization’s long-term satisfaction with the service.
  • Does the vendor have the financial stability for the long-term?  With the number of start-ups in the cloud space, this factor may be the most difficult to ascertain.  Looking at the company’s financials, funding levels, and profitability can provide some insight.  Assessing whether the provider would be a good buy-out or merger target can also instill confidence that your provider will not go away unexpectedly.

With a modicum of due diligence, organizations can assess the reliability of cloud solution providers before making a commitment.  Reputable vendors will openly share their data and will not hesitate to discuss failures and how similar events will be prevented going forward.  And while this type of discussion feels new, it is the same process CIOs and IT decision makers have been using for decades as they evaluate new technologies and vendors.  The players are new, but the process remains the same.

Next Post in the Series:  Privacy

Previous Post in the Series:  Moving to the Cloud: Cost Savings

 

Moving to the Cloud: Cost Savings

 

This post is the second in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

Will moving to the cloud save money?

The answer is a definite, absolute … maybe!

Whether or not a move to the cloud saves money depends on the in-house services being replaced and the cloud-based services taking their place, as well as the impact the change will have on related IT services and your business.

In our experience, most companies see savings over 3-year and 5-year periods of 30% or more.  Some companies see total cost of ownership (TCO) savings of up to 70%.

When looking at 5-year TCO, organizations must make honest projections on IT spending to maintain the status quo and/or upgrading systems.  Beyond projected hardware and software replacements and upgrades, the analysis should include the cost of services and supporting systems (backup, anti-virus, security, etc.).  The analysis should also assess soft costs for administration, support, and estimated down time.

The challenge remains making the comparison equivalent.  For example, moving from a single in-house Exchange server to Google Apps for Business is a move from a system with several single points of failure to a highly redundant and highly available service.  If improving availability is an objective of the move to the cloud, the comparison should include the cost of upgrading the Exchange environment for redundancy.

A final consideration should include any business enablement that comes from the move into the cloud.  Will the cloud service enable the business to operate more efficiently and/or in new, more productive ways?  Improved collaboration, real-time communications, and access to information are all examples of how Google Apps for Business enables businesses over traditional email services.

In straight dollars and cents, not every company will see savings when moving to cloud-based solutions.  With better availability and expanded capabilities, cloud computing solutions can deliver better value, even when the price tag is higher.

Next Post in the Series:  Provider Reliability

Previous Post in the Series:  Moving to the Cloud: Security

 

Moving to the Cloud: Security

 

This post is the first in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

At some point in the evaluation and decision process, the issue of security comes to the forefront as organizations look at cloud computing.  Vendors and resellers, like Cumulus Global, often provide two answers — both of which are correct:

  1. Cloud computing providers need their environments to be secure, and they invest time and money on security.  Most cloud providers deliver environments and systems that are significantly more secure than their customers could provide for themselves.
  2. Standard cloud security may not be sufficient to meet specific business needs.  Just as they would with in-house systems, cloud computing customers should be prepared to add additional security services to meet business requirements such as HIPAA, SEC, FINRA, and PCI compliance.

As a first step, organizations moving to the cloud should review the security capabilities of their solution provider.  Beyond the technology, look for certifications such as SSAE-16 Type I and II, ISO 27001, and FISMA.  Make sure that the provider’s security practices are reflected in their terms of service, contracts, and service level agreements.  Finally, verify if and how you can add security capabilities to meet business or industry requirements.

With a reasonable level of due diligence and planning, cloud solutions can overcome any security concerns.

Next Post in the Series: Moving to the Cloud: Cost Savings

Microsoft to iOS and Android Users: “Never Mind.”

 

Are we really surprised?  In the flurry of Microsoft’s marketing blitz for Office 2013, Microsoft promised that the “new office” would be available across every platform.  That Mac, iOS, and Android users would not be left behind.

Fast forward a few months and Microsoft is delaying MS Office for the iOS and Android platforms by a year.  Already facing erosion from Google Apps as companies are moving into the cloud, Microsoft is neglecting one of the fastest growing user markets in the “post-pc” era.

Meanwhile, Google is offering Quickoffice to Google Apps customers at no charge and Quickoffice PRO is available to iOS and Android users for $19.99.  MS Office users can now more easily integrate their legacy applications with mobility using Google products than using those from Microsoft.

As noted in ZDnet, iOS and Android users — and Google — have the most to gain.

Quickoffice: More Than Office for Mobile Users

 

 

With this week’s release of Quickoffice for iPhone and Android platforms, Google Apps for Business mobile users can now access and edit MS Office files on any iOS or current Android device.  Word, Excel, and Powerpoint files are no longer captive to heavy and more expensive Windows laptops, netbooks, and tablets.

Overdrive … 

The Quickoffice app also expands access to all files in Google Drive.  In addition to users’ My Drive content, Quickoffice provides folder views for Shared with Me, Starred, Recent, and any subfolders.

Web Weary? Malware May Be the Reason

 

This blog post is the third in a series on Data Protection issues and practical solutions.

By some estimates, as many as 60% of search results are tainted with malware, attracting users to infected sites and putting your systems and data at risk.  While not every infection poses a threat, the industry consensus remains that web-resident malware is on the rise.

The problem is large enough that Google Chrome users now receive warning screens, letting users know when legitimate sites have been compromised.  Google has also launched a service to help hacked web sites recover, and regain users’ trust.

While web site owners struggle to keep web sites free of malware, visitors remain vulnerable.

Fortunately, businesses can protect themselves.

Web monitoring and filtering services offer protection from malicious code embedded in web sites and allow businesses to track web activity across their networks.  Advanced web filtering services also help businesses manage the use of web-based applications and can monitor other web activity.

Incorporating web monitoring and filtering into your computing environment adds an additional layer of data protection.  In addition to protection from malware, web monitoring and filtering gives businesses additional control over web usage and provides a mechanism for enforcing policies and procedures.  And, for most businesses, the value of this protection should outweigh the additional cost.

 

 

Incompetence 16; Microsoft 0

 

Last week, Microsoft’s new Outlook.com service suffered its second major outage since its launch earlier this year.  The most recent outage, a 16-hour fiasco impacting Outlook.com, Hotmail, and SkyDrive users, was due to a botched firmware update resulting in overheating servers in one of its data centers.  As reported in PC World, the switch-over to alternate servers also failed.

This outage follows a 9 1/2 hour Outlook.com outage in February that Microsoft acknowledged on Twitter but neglected to note on its status dashboard.  February also saw a major Azure outage, caused when Microsoft failed to renew and install new SSL security certificates (a mistake they also made one year earlier).  In November, the Office 365 service was down for most of a day when Microsoft was unable to allocate adequate resources.

These strings of outages, all due to operational errors and architectural limitations, raise serious questions about Microsoft’s ability to manage a multi-tenant data center.

They also raise questions about Microsoft’s integrity with respect to marketing and customer expectations.  While Microsoft promotes Office 365 and its other services as redundant, these outages demonstrate that service reliability is facility-dependent.

 

Viral Spread of Cloud Creates New Challenges


This blog post is the second in a series on Data Protection issues and practical solutions.

As discussed in a recent TechRepublic Blog Post, cloud computing vendors are enabling the spread of on-demand software outside the control of the IT Department.

It is easy to see how it happens.  Somebody signs up for a service in order to complete a task that they cannot (or do not know they can) do with their current system.  They share the solution with co-workers, and, before you can say monthly recurring fee, the company must decide if this new tool is a de facto standard and should be included in the formal IT ecosystem.

Aside: On the one hand, shame on the users for not asking first.  On the other hand, shame on IT for not understanding the users’ needs and providing solutions with either current or new technologies.

The challenge becomes managing these services and making sure they are secure.  Beyond deciding who, why, and when services may be used, these services may create real security risks.

In the Google Apps environment, users can install any one of hundreds of third-party applications, many of which request and require access to user data.  While most applications only request and use the access they need, many request permissions that can inadvertently expose critical data such as sensitive documents and contact information.

Solutions

To mitigate these risks, it is important for the IT team to review and evaluate all new applications, and companies should have policies through which they can enforce this rule.  In return, the IT team must be held accountable for responsiveness.

In addition, it is wise to monitor your environment for new software.  For your in-house systems, free tools like Spiceworks will update you with scheduled scans of all systems.

Within your Google Apps ecosystem, Cloudlock App Firewall provides you with the ability to both monitor and manage which applications are running in your environment.  The App Firewall reports the level of data exposure by application and reports applications added by user as well as by application.  You can mark applications as approved, blocked or not trusted.  You can revoke permissions, effectively disabling applications as well.  The system also provides guidance, letting you know how other companies have rated applications.
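An added example, not part of the original post and not Cloudlock's code or API: the kind of per-application and per-user exposure report described above, run over a constructed list of grants. The app names, risk tiers, and policy statuses are assumptions for illustration; the scope URLs are real Google OAuth scopes.

```python
from collections import defaultdict

# Real Google OAuth scope URLs; the 0-3 risk tiers are this example's assumption.
SCOPE_RISK = {
    "https://mail.google.com/": 3,                        # full mailbox access
    "https://www.googleapis.com/auth/drive": 3,           # every Drive file
    "https://www.googleapis.com/auth/contacts": 2,        # read/write contacts
    "https://www.googleapis.com/auth/drive.file": 1,      # only files the app created or opened
    "https://www.googleapis.com/auth/userinfo.email": 0,  # sign-in identity only
}
UNKNOWN_SCOPE_RISK = 2  # an unrecognised scope is never assumed to be harmless

# Constructed sample inventory of grants: (user, application, scopes).
GRANTS = [
    ("ann@example.com", "MailMergePro", ["https://mail.google.com/",
                                         "https://www.googleapis.com/auth/contacts"]),
    ("bob@example.com", "MailMergePro", ["https://mail.google.com/"]),
    ("bob@example.com", "DiagramTool", ["https://www.googleapis.com/auth/drive.file"]),
    ("cat@example.com", "PdfConverter", ["https://www.googleapis.com/auth/drive"]),
    ("cat@example.com", "SignInOnly", ["https://www.googleapis.com/auth/userinfo.email"]),
]
# Decisions IT has recorded so far; an app missing here is "unreviewed".
POLICY = {"DiagramTool": "approved", "PdfConverter": "blocked"}

def exposure_by_app(grants):
    """Per application: who installed it, which scopes it holds, worst risk tier."""
    apps = defaultdict(lambda: {"users": set(), "scopes": set(), "risk": 0})
    for user, app, scopes in grants:
        entry = apps[app]
        entry["users"].add(user)
        entry["scopes"].update(scopes)
        worst = max((SCOPE_RISK.get(s, UNKNOWN_SCOPE_RISK) for s in scopes), default=0)
        entry["risk"] = max(entry["risk"], worst)
    return dict(apps)

def apps_by_user(grants):
    """Per user: the applications they have authorised."""
    users = defaultdict(set)
    for user, app, _ in grants:
        users[user].add(app)
    return {u: sorted(a) for u, a in users.items()}

def review_queue(grants, policy, min_risk=2):
    """Work list, highest exposure first: blocked apps that still hold grants
    are revoked; unreviewed apps at or above min_risk go to IT for review."""
    queue = []
    for app, e in exposure_by_app(grants).items():
        status = policy.get(app, "unreviewed")
        if status == "blocked":
            queue.append((app, "revoke", e["risk"], sorted(e["users"])))
        elif status == "unreviewed" and e["risk"] >= min_risk:
            queue.append((app, "review", e["risk"], sorted(e["users"])))
    return sorted(queue, key=lambda q: (-q[2], -len(q[3]), q[0]))
```

Approved apps and low-risk unreviewed apps stay out of the queue, which keeps the IT team's list short enough to act on quickly.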

Conclusion

While users will continue to look for apps, the IT team can and should be ahead of the curve.  Additional tools, however, can help monitor and manage applications, which will mitigate risk, enforce company policies, and meet regulatory requirements for data protection.

 

For more information about Cloudlock App Firewall, please contact us.

Microsoft Azure Fail! Will Customers Bail?

 

Once again, a flagship Microsoft cloud service blows through the Service Level Agreement like a blizzard through the Midwest.  The February 22nd outage, impacting all Azure users worldwide, lasted more than 12 hours.

The culprit:  Microsoft failed to purchase and replace expiring SSL certificates.  In other words, Microsoft neglected to renew one of the most basic components that secure the Azure service.

As noted on RedmondMag.com:

“Furious customers wanted to know how something as simple as renewing a SSL cert could fall through the cracks. Even worse, how could that become a single point of failure capable of bringing down the entire service throughout the world?”

Once again, an operational error puts thousands of customers  in the dark.  And this outage is one in a string of major service outages, including:

Microsoft described the issue as “A breakdown in our procedures”.  If not for the disruption and financial impact for thousands of companies, this statement might be considered almost comical.  Ironically, a different certificate error was behind a major Azure outage in February 2012.

To put this in perspective, how would you respond if your internal IT department had Microsoft’s track record of catastrophic failure?

 

It is difficult to trust that Microsoft has the operational maturity and rigor to design and manage multi-tenant, hosted services.  The Azure outage, and others like it, demonstrate immaturity, negligence, or incompetence.  Do the reasons matter given the frequency and impact?  With certificate outages on two subsequent annual renewal terms, it is hard to believe that Microsoft is learning from its mistakes.
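An added example (not from the original post, and not a description of Microsoft's tooling): a renewal check that ranks certificates by days remaining and counts the services depending on each, so a shared certificate nearing expiry stands out. The inventory, names, and thresholds are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

CERT_HAS_EXPIRED = 10  # OpenSSL verify code X509_V_ERR_CERT_HAS_EXPIRED

def days_left(not_after, now):
    """Whole days until notAfter (string format used by ssl getpeercert())."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days  # negative once the certificate has expired

def classify(not_after, now, warn_days=30, critical_days=7):
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining < critical_days:
        return "critical"
    return "warning" if remaining < warn_days else "ok"

def live_status(host, now, port=443, timeout=5):
    """Check a live endpoint. An expired certificate fails verification during
    the handshake, so that error is reported as a status instead of crashing."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"], now)
    except ssl.SSLCertVerificationError as err:
        if err.verify_code == CERT_HAS_EXPIRED:
            return "expired"
        raise  # other failures (wrong host, untrusted CA) need a human

# Constructed inventory: certificate name, notAfter, services that depend on it.
INVENTORY = [
    ("docs", "Dec  1 00:00:00 2025 GMT", ["docs-site"]),
    ("api-gateway", "Jun  3 18:00:00 2025 GMT", ["storage", "compute", "portal"]),
    ("portal", "Jun 20 00:00:00 2025 GMT", ["portal"]),
    ("legacy-ftp", "May 25 12:00:00 2025 GMT", ["partner-upload"]),
]

def renewal_report(inventory, now):
    """Rows of (name, status, days_left, dependent_count), most urgent first."""
    rows = [(name, classify(na, now), days_left(na, now), len(deps))
            for name, na, deps in inventory]
    return sorted(rows, key=lambda r: (r[2], -r[3]))

if __name__ == "__main__":
    for row in renewal_report(INVENTORY, datetime(2025, 6, 1, tzinfo=timezone.utc)):
        print(row)
```

Run on a schedule with alerts on "warning" and "critical", a report like this turns an annual renewal into a tracked task with lead time.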