Posts

Moving to the Cloud: Regulatory Compliance

/in

 

Green_GaugeThis post is the seventh in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Moving to the cloud often entails more than switching to an email service or spinning up a some cloud-based storage and servers.  For many businesses — including Small and Mid-Size Businesses (SMBs) — regulatory requirements place demands on IT systems and security.  And, while these requirements impact in-house and cloud solutions, moving to the cloud requires planning.

The most common regulations for SMBs relate to consumer (customer) privacy:  HIPAA, which protects personal health information, and PCI, which protects personal and credit related information.  Many SMBs, however, must also meet the requirements of Sarbanes/Oxley, FINRA, SEC, and various state regulations.

The solution:  Integrating Solutions.

Fortunately, the tools and systems exist to provide compliance with data security and privacy regulations.  Cloud vendors are creating environments and the management controls necessary for customer regulatory compliance and certification.

The challenge is to make sure that all of the pieces work together.

  • Message Archive/eDisovery:  Manages retention of email as official business records and provides the eDiscovery and audit tools necessary to meet federal subpoena requirements.
  • Message Encryption: Encrypts email at the individual message level based on content and rule sets, requires users to authenticate before accessing the message, and prevents forwarding.
  • Two Factor Authorization / Single Sign-On: Provides identity management services and audit trails beyond core products in order to meet regulatory or policy requirements 
  • Third Party Encryption:  Encrypts data in the browser or client before transmission to the cloud, providing a second level of encryption prior to the encryption provided by the cloud vendor.  In the event of a vendor data breach, the exposed data would be encrypted.

These types of solutions, and others, provide cloud environments with the capabilities to meet regulatory requirements.  Vendor contracts and policies should still be carefully reviewed for any terms and conditions that threaten compliance.

And remember, no vendor can ensure compliance.  Compliance exists when the technology meets the technical standards and is used in accordance with policies and procedures that meet the regulatory intent.

Next Post in the Series:  Internationalization

Previous Post in the Series:  Integration with Legacy Systems

Moving to the Cloud: Integration with Legacy Systems

/in

 

Green_GaugeThis post is the sixth in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Very few businesses go “all-in” when moving into the cloud.  Most businesses start their move into the cloud with specific applications and services.  For small and mid-size businesses, the trend is to go cloud with critical core services, such as email and calendaring, and/or applications, such as CRM.  Over time, businesses add additional applications and services, such as file services, and hosting of legacy applications and servers.

The result:  Most businesses have a hybrid environment of on-premise and cloud solutions.

For many businesses, this creates a new need to integrate existing systems with new cloud-based applications and services.

While this may seem overwhelming, the scope of the integration depends, in large part, how well your in-house systems integrate today.   For most small and mid-size businesses (SMBs), legacy application integration focuses on a few key features:

  • Email / Messaging:  Legacy applications and systems should be able to send notifications, alerts, and other messages.
  • Shared Storage:  Legacy applications may need to use cloud-based storage for data storing and sharing.  Depending on the need, direct access may be preferred to a sync solution.  Also, business applications often need locations in which to deliver reports and other automated output.  Still others may need to be able to link to documents saved in the file service.
  • Contacts:  Legacy applications, particularly those responsible for customer relationship management (CRM) functions (sales, support, service, marketing) will need to synchronize contact information in a way that does not result in duplicate data or data loss.  The same holds true for Enterprise Resource Process (ERP) and Professional Service Automation (PSA) systems.
  • Calendars / Events:  CRM, ERP, and PSA systems may also look to sync or manage calendars and events.  As with contacts, avoiding duplication and lost data is critical.
  • Data Import/Export:  Legacy systems may have the ability to import/export data from/to other systems.  In some instances, the import/export is manual or scripted to occur at specific intervals.  Some systems support automated synchronization or provide an interface for real-time data exchange.

When looking at cloud solutions, take a moment to research your current environment and needs:

  • What integration exists today?  Does it help or hinder?
  • What integration capabilities do legacy applications support that are not currently in use?  Would these be useful/helpful/meaningful?
  • What integration do you need, or want, to make your business more efficient?
  • What capabilities does the proposed cloud solution have for integration?  Can you leverage these to your advantage?  Is the cost of integration worth the potential benefits?

With a short assessment, organizations can determine if, when, and how to best integrate new, cloud-based solutions with legacy applications and systems.  As with any IT project, the focus should be on resulting business value.

Next Post in the Series:  Regulatory Compliance

Previous Post in the Series:  Lock-In

Moving to the Cloud: Lock-In

/in

 

Green_GaugeThis post is the fifth in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

When looking at cloud solutions, most organizations spend a great deal of time, appropriately so, investigating how they will move data and processes into the cloud.  At the same time, organizations should understand how they will get data out of the cloud should they decide to switch solutions in the future.

While this seems like a new issue or concern, the reality remains that organizations switch systems and data migration and integration issues exist — cloud or not.  The same analysis and decision making process that organizations follow for in-house systems should be followed for cloud solutions.

Platform as a Service (PaaS) solutions provide environments that, in general, enable data and application movement.  Moving to a Windows Server image in the cloud is not much different from moving to an in-house Windows server.  Key considerations focus on the amount of data and the time/efficiency of moving the data on or off the cloud server.

Software as a Service (SaaS) solutions can prove more challenging.  Migrating to or from a cloud-based application provides the same challenges as migrating data to a new in-house application.  Record matching, data scrubbing, and data translation are all issues to be considered.  In addition to the strength of the import utilities, understand the strength and cost of the export utilities.  Some SaaS applications only provide comprehensive export capabilities at their most expensive licensing options.

Fear of “Lock-In” should not prevent organizations from moving into cloud solutions.  Rather, a small amount of due diligence will ensure that the “how” and “how much” of a future migration is understood.

Next Post in the Series:  Integration with Legacy Systems

Previous Post in the Series:  Privacy

Moving to the Cloud: Provider Reliability

/in

 

Green_GaugeThis post is the third in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

One of the challenges in planning a move to the cloud remains the relative youth of the current industry.  While the concept of cloud computing is not new (tip your hat to Control Data in the 1980’s and their mainframe time-sharing service), most cloud computing services are relatively new.  Even services from long-standing, reliable vendors — like IBM and Dell — are relatively new ventures for these firms and have yet to be proven in a long-term market.

Organizations looking at any cloud service, be it SaaS, PaaS, or IaaS, must consider the reliability of the provider.  In doing so, it is the customer that must also understand the benchmarks being used by vendors when reporting their statistics.  Considerations include:

  • What is the availability of the service?  How well does the service provider meet their Service Level Agreement (SLA) benchmarks in terms of total downtime and/or service disruptions?
  • What is the reliability of the service?  How often does the service experience issues?  While most organizations tout availability, 6 disruptions lasting 10 minutes may have more impact on your operations than a single hour-long disruption.
  • Does the provider have performance benchmarks?  If so, how well does the provider meet the benchmarks?  In moving to the service provider, what expectations/needs will you have with respect to WiFi capacity, fixed network performance, and Internet capacity?   In many cases, the limiting factor on end-user performance is not the service provider or the Internet speed — it is the organization’s internal wired and wireless capacity.
  • What level of support do you expect?  Understanding how the provider delivers support — directly or through resellers/partners — is key to an organization’s long-term satisfaction with the service.
  • Does the vendor have the financial stability for the long-term?  With the number of start-ups in the cloud space, this factor may be the most difficult to ascertain.  Looking at the company’s financials, funding levels, and profitability can provide some insight.  Assessing whether the provider would be a good buy-out or merger target can also instill confidence that your provider will not go away unexpectedly.

With a modicum of due diligence, organizations can assess the reliability of cloud solution providers before making a commitment.  Reputable vendors will openly share their data and will not hesitate to discuss failures and how similar events will be prevented going forward.  And while, this type of discussion feels new, it is the same process CIOs and IT decision makers have been using for decades as they evaluate new technologies and vendors.  The players are new, but the process remains the same.

Next Post in the Series:  Privacy

Previous Post in the Series:  Moving to the Cloud: Cost Savings

 

Moving to the Cloud: Cost Savings

/in

 

Green_GaugeThis post is the second in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

Will moving to the cloud save money?

The answer is a definite, absolute … maybe!

Whether or not a move to the cloud saves money depends on the in-house services being replaced and the cloud-based services taking their place, as well as the impact the change will have on related IT services and your business.

In our experience, most companies see savings over 3-year and 5-year periods of 30% or more.  Some companies see total cost of ownership (TCO) savings of up to 70%

When looking at 5-year TCO, organizations must make honest projections on IT spending to maintain the status quo and/or upgrading systems.  Beyond projected hardware and software replacements and upgrades, the analysis should include the cost of services and supporting systems (backup, anti-virus, security, etc.).  The analysis should also assess soft costs for administration, support, and estimated down time.

The challenge remains making the comparison equivalent.  For example, moving from a single in-house Exchange server to Google Apps for Business is a move from a system with several single points of failure to a highly redundant and highly available service.  If improving availability is an objective of the move to the cloud, the comparison should include the cost of upgrading the Exchange environment for redundancy.

A final consideration should include any business enablement that comes from the move into the cloud.  Will the cloud service enable the business to operate more efficiently and/or in new, more productive ways?  Improved collaboration, real-time communications, and access to information are all examples of how Google Apps for Business enables businesses over traditional email services.

In straight dollars and cents, not every company will see savings when moving to cloud-based solutions.  With better availability and expanded capabilities, cloud computing solutions can deliver better value, even when the price tag is higher.

Next Post in the Series:  Provider Reliability

Previous Post in the Series:  Moving to the Cloud: Security

 

Moving to the Cloud: Security

/in

 

Green_GaugeThis post is the first in a series addressing concerns organizations may have that prevent them from moving the cloud-based solutions.

At some point in the evaluation and decision process, the issue of security comes to the forefront as organizations look at cloud computing.  Vendors and resellers, like Cumulus Global, often provide two answers — both of which are correct:

  1. Cloud computing providers need their environments to be secure, and they invest time and money on security.  Most cloud providers deliver environments and systems that are significantly more secure than their customers could provide for themselves.
  2. Standard cloud security may not be sufficient to meet specific business needs.  Just as they would with in-house systems, cloud computing customers should be prepared to add additional security services to meet business requirements such as HIPAA, SEC, FINRA, and PCI compliance.

As a first step, organizations moving to the cloud should review the security capabilities of their solution provider.  Beyond the technology, look for certifications such as SSAE-16 Type I and II, ISO 27001, and FISMA.  Make sure that the provider’s security practices are reflected in their terms of service, contracts, and service level agreements.  Finally, verify if and how you can add security capabilities to meet business or industry requirements.

With a reasonable level of due diligence and planning, cloud solutions can overcome any security concerns.

Next Post in the Series: Moving to the Cloud: Cost Savings

Guest Post: Why Half of Our Company is Using Chromebooks Full-Time

/in

Originally posted by David Politis, CEO of BetterCloud.  BetterCloud offers FlashPanel, an integrated management and administrative tools for organizations using Google Apps. Cumulus Global recommends and includes Flash Panel with most Google Apps implementations.

Being a Gmail and Google Apps fanatic, I’ve always been intrigued by the concept of Chromebooks and Chrome OS in general. And with every 3 minute reboot of my aging Windows laptop this past spring, I became more tempted to take the plunge and go 100% web with a Chromebook, at least for the large portion of my day when I’m working in Google Apps and not installable software programs. So when the new Samsung 550 Chromebooks came out this past June, I made my case to the bossman that we should order a few of these devices. They’re cheap, and if we’re true Google Apps experts developing for the Google Apps ecosystem, we need at least a basic understanding of how Chromebooks function and are managed in a business environment.

What I didn’t expect, however, is that I’d be using a Chromebook nearly 100% of the time in the months to follow – we’ve even converted the office’s Controller, an Excel power user, to a Chromebook and Google Spreadsheets. So with about 4 months of Chromebook experience under my belt, I thought it would be a good time to share some of the top reasons why a few of my coworkers and I find Chromebooks indispensable.

Speed

You’ve heard the stats, “8 second boot, instant wake from sleep” etc. etc. I can tell you this: you won’t fully appreciate this kind of speed until you use it. I used to come into the office, turn my laptop on, go get a cup of coffee and chat with a couple coworkers, then come back to a laptop that was still rolling out of bed. The Chromebook is ready to go when you are, and over the course of days, weeks and months, saving a few minutes here and there really adds up. You can get similar speeds with any computer using a solid-state drive, but if you don’t have $1,000 to spend on a new MacBook Air, you can get the same speed with the new $249 Chromebook.

Simplicity

While the simplicity of Chrome OS is certainly a big reason for its speed, the simplicity in and of itself actually makes working in Chrome OS a very nice experience. The tools you need to access consistently throughout the day, like Gmail and Google Drive, are always at your fingertips in the launch bar. Obviously you can do this on a “real” laptop with hot keys, browser shortcuts, etc. but with a Chromebook it’s just so easy. And I find that the stripped-down nature of Chrome OS creates far less distractions.

Security and Standardization

There’s definitely a security benefit for personal Chromebook users, as the device doesn’t truly store local files (more security by limitation) and the OS only boots from a read-only version, but the security benefits are even greater for an organization deploying Chromebooks. As an IT administrator, not only can you implement security settings like restricting sign-in to accounts on your domain only or wiping local files after every log out, but you can also standardize certain aspects of the Chromebook experience by proactively pushing out useful Chrome extensions, or even pre-configuring WiFi network logins for every Chromebook on your domain, or particular Org. Units (useful if you use geography to group your OUs).

Using Chromebooks has been a great experience for our team. Not only do we get lightning-fast, affordable laptops, we also have seen Chrome OS evolve significantly over the past 4 months alone. The user experience has improved pretty significantly every few weeks, while the Chrome OS team continues to add more “traditional” PC features like extended desktop and better multimedia support. It’s certainly a Google-centric solution so we wouldn’t recommend it for everyone, but if you’re a Google Apps customer and are already spending the majority of your day in a web browser, it’s worth checking out a Chromebook.

Editor’s note:  Click Here if you are interested in learning more about Chromebooks, or taking one for a test drive.

Data Loss and Recovery Are Still a Growing Concern

/in

 

With all of the industry focus on data loss and disaster recovery, you may be surprised at the state of affairs.

  • 53% of businesses experienced data loss within the past 12 months; up from 31% in the prior year (EVault 2012 Survey)
    • 24% of IT Managers admit to not telling their CIOs that some data is not backed up, including data on mobile devices
    • 38% of IT managers worry about the security and effectiveness of their backup solutions
  • 58% of downtime and data loss was caused by storage problems or failures (Continuity Risk Benchmark)
  • 86% of companies experienced unplanned downtime last year (Acronis Disaster Recovery Index Survey)
  • 60% of companies identify human error as the most common cause of downtime and data loss (Acronis Disaster Recovery Index Survey)

What does this mean?

Whether  running systems in-house or in the cloud, businesses MUST understand the risks to their data and system, and have reasonable protections and responses in place.  Solutions that focus on addressing hardware and software errors may not protect you from user mistakes and missteps.

False Sense of Security in the Cloud

When moving to the cloud, businesses must remember that while good cloud infrastructures provide protection from hardware/software type failures, your data is still susceptible to user error.  Backup/recovery services offer protection for cloud-based data that rivals services available for in-house solutions.

Want More Info?

Please contact us if you would like to discuss your needs and available options.

 

Cloud Security Focus Shifts to Data Protection

/in


This blog post is the first in a series on Data Protection issues and practical solutions.

When companies began moving to cloud computing solution, a great deal of time and anxiety was spent on security.  For most considering the move, the questions were basic: Will my vendor access my data?  Will my vendor prevent unauthorized access to my data? How secure is my connection to my data? With the maturing of security standards (SSAE-16, ISO 27001, FISMA, and others), these fundamental questions are less of a concern to most businesses.  Top tier providers not only create secure infrastructures, but build commitments to customer data security and integrity into their contracts, Terms of Service, and Service Level Agreements, or SLAs. That said, security in the cloud requires thought and planning.  In addition to basic access concerns, organizations need to be as vigilant with cloud-based data as they are with in-house data when it comes to data integrity, exposure, and loss prevention.  Holistically, the focus should be “Data Protection”. As we look at Data Protection in this blog series, we will focus on the areas of greatest risk to your data:

  • User Identity and Account Security
  • User Actions — accidental and malicious
  • Data Leaks /Permission Errors
  • Mal-ware
  • Rogue Applications

For each of these issues, we will look at how the risks change (or not) when data is in a public cloud service, as well as practical solutions for mitigating the risks.

Microsoft’s Apology Says Volumes about Office 365 Outages

/in

 

It should be no secret that Microsoft’s Office 365 service continues to experience the types and frequency of outages that plagued its predecessor cloud service, BPOS.  While the outages receive little press coverage (they are frequent enough that they are not newsworthy?) , customers feel the impact.

In response to outages on Nov 8 and Nov 13, Microsoft sent customers a formal letter of apology (read it here).

Most disturbing to Office 365 customers is what Microsoft’s apology says about the quality and capabilities of Microsoft and the Office 365 platform.

With respect to the Nov 8th outage, Microsoft states the following:

“Office 365 utilizes multiple anti-virus engines to identify and clean virus messages from our customers’ inboxes. Going forward, we have built and implemented better recovery tools that allow us to remediate these situations much faster, and we are also adding some additional architectural safeguards that automatically remediate issues of this general nature.”

What this says is that, at times, significant virus traffic makes it to the email servers, and Microsoft has technology to remediate this problem by scanning servers and removing these messages from inboxes.  This is troublesome for a few reasons:

  • Best practice is to prevent viruses from reaching email servers, as any inbox remediation system allows the possibility that a virus is activated by a user before being cleaned.
  • Remediation of this problem has been manually driven and that automating the process is still in development
  • Remediation of virus infections dramatically impacts performance, up to the level of an outage.
  • Microsoft has not yet built an infrastructure that is capable of preventing virus infections, and continues to be focused on remediation.

With respect to the Nov 13th outage, Microsoft states:

“This service incident resulted from a combination of issues related to maintenance, network element failures, and increased load on the service.”

Microsoft acknowledges that they perform maintenance that can interrupt customer services outside of maintenance windows and that the Office 365 architecture lacks sufficient redundancy.  Microsoft is also admitting that the Office 365 infrastructure does not have sufficient capacity to handle peak demand loads and does not allow for automatic activation and allocation of resources based on demand.

In response to these outages, Microsoft promises the following:

“Significant capacity increases are already underway and we are also adding automated handling on these type of failures to speed recovery time.”

In essence, Microsoft cannot  predict or manage capacity, so they are throwing resources at the problem.   More importantly, Microsoft is not fixing the architecture in order to prevent load-based failures — they are automating how they respond to failures.

In other words:  Microsoft expects future Office 365 outages;  So, too, should Office 365 customers.