
Moving to the Cloud: Internationalization

 

This post is the eighth in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

Cloud computing is global and a growing number of cloud solution providers are global as well. Data stored in the cloud can end up in data centers in other countries and jurisdictions with differing laws and levels of privacy protection. In addition, organizations may be subject to laws or regulations that restrict data from being stored across national boundaries or in other jurisdictions.

Some risk exists in national or local laws related to data privacy and ownership.

Learn Before You Leap

Before signing on with a cloud provider, ask where data is stored and how the provider is protecting your data from foreign governments and other interests. Review all contracts, agreements, and vendor policy statements to ensure they are consistent with the message you hear from the sales team.

Look for adherence to privacy standards based on international treaties, such as Safe Harbor and EU Safe Harbor. While these programs cannot eliminate all risk, they do set reliable standards and ensure the vendor has a process for managing any issues that arise.

Explore options with your vendor.  Many cloud vendors allow customers to select specific data centers in which their systems will run and/or data resides.

Seek out some knowledge about the privacy laws and regulations in the countries in which your data may reside (many Canadian firms, for example, see the US Patriot Act as a risk when data resides in the US).

With a small amount of due diligence, organizations can judge the vendor’s competency in managing data privacy and ownership across boundaries, and can ensure the cloud solution meets the organization’s needs above all.

Next Post in the Series:  Coming Monday June 10th

Previous Post in the Series:  Regulatory Compliance

Moving to the Cloud: Security

 

This post is the first in a series addressing concerns organizations may have that prevent them from moving to cloud-based solutions.

At some point in the evaluation and decision process, the issue of security comes to the forefront as organizations look at cloud computing.  Vendors and resellers, like Cumulus Global, often provide two answers — both of which are correct:

  1. Cloud computing providers need their environments to be secure, and they invest time and money on security.  Most cloud providers deliver environments and systems that are significantly more secure than their customers could provide for themselves.
  2. Standard cloud security may not be sufficient to meet specific business needs. Just as they would with in-house systems, cloud computing customers should be prepared to add security services to meet business requirements such as HIPAA, SEC, FINRA, and PCI compliance.

As a first step, organizations moving to the cloud should review the security capabilities of their solution provider.  Beyond the technology, look for certifications such as SSAE-16 Type I and II, ISO 27001, and FISMA.  Make sure that the provider’s security practices are reflected in their terms of service, contracts, and service level agreements.  Finally, verify if and how you can add security capabilities to meet business or industry requirements.

With a reasonable level of due diligence and planning, cloud solutions can overcome any security concerns.

Next Post in the Series: Moving to the Cloud: Cost Savings

Cloud Solutions Drive Rapid Growth for Cumulus Global


Cumulus Global today announced revenue growth exceeding 300% for 2012 as the company’s cloud solutions business continues to expand. Sales for 2012 surpassed $3.3 million compared to $972,000 in 2011. Net income before taxes jumped over 400%, to more than $200,000 for 2012. This growth reflects increasing demand from Cumulus Global’s core small and mid-size business markets, as well as the company’s expansion into new market segments.

“In the last 18 months, we have helped more than 120 school districts migrate to Google Apps for Education, deploy Chromebooks for Education, and protect their networks and in-house data,” noted Allen Falcon, CEO and co-founder. “We see increasing opportunity in the educational market.”

The company also sees increasing demand from local, municipal, and county governments and agencies throughout New England and nationally. Falcon expects revenues from Google Apps for Government and related services to “more than triple over the next twelve to eighteen months.” Falcon attributes this growth to the migration, education, and support services offered, including the company’s participation in the FCC E-Rate program for schools and libraries.

Serving the needs of small and mid-size businesses, those with 1 to 1000 employees, remains a core market for Cumulus Global. According to Falcon, “Our core SMB market grew by more than 30% last year and we see that rate of growth accelerating.” Falcon attributes this growth to the company’s focus on solutions rather than technology.

“We do not sell hype or technology,” stated Falcon. “We work with our customers to identify if and how cloud solutions can improve efficiency, expand services, drive revenue, and lower costs. We bundle products and services that overcome challenges and enable growth.” Partnering with more than a dozen ISVs and solution providers, Cumulus Global can meet customers’ regulatory compliance, security, data management, and IT administration needs.

For companies, non-profits, government agencies, and schools interested in learning more, Cumulus Global conducts regular webcasts and Q&A sessions.

 

Cloud Security Focus Shifts to Data Protection


This blog post is the first in a series on Data Protection issues and practical solutions.

When companies began moving to cloud computing solutions, a great deal of time and anxiety was spent on security. For most considering the move, the questions were basic: Will my vendor access my data? Will my vendor prevent unauthorized access to my data? How secure is my connection to my data?

With the maturing of security standards (SSAE-16, ISO 27001, FISMA, and others), these fundamental questions are less of a concern to most businesses. Top tier providers not only create secure infrastructures, but build commitments to customer data security and integrity into their contracts, Terms of Service, and Service Level Agreements, or SLAs.

That said, security in the cloud requires thought and planning. In addition to basic access concerns, organizations need to be as vigilant with cloud-based data as they are with in-house data when it comes to data integrity, exposure, and loss prevention. Holistically, the focus should be “Data Protection”.

As we look at Data Protection in this blog series, we will focus on the areas of greatest risk to your data:

  • User Identity and Account Security
  • User Actions — accidental and malicious
  • Data Leaks / Permission Errors
  • Malware
  • Rogue Applications

For each of these issues, we will look at how the risks change (or not) when data is in a public cloud service, as well as practical solutions for mitigating the risks.

Case Study: Google Apps Supports Strategic Growth at Merrimack Mortgage Company

 

The Company

Founded in 1983, Merrimack Mortgage Company (MMC) continues to be a leader in residential mortgage lending throughout the Northeast and is one of the region’s largest independent mortgage bankers.

MMC prides itself for being the company that delivers the same products as the big lenders but with the high quality service levels inherent in a small lender. This winning combination of finesse and strength has led Merrimack Mortgage Company to its exceptional growth during the past three decades. The company’s success is attributed to its core strategy of providing a high level of customer satisfaction at a competitive price.

The Challenge

Merrimack Mortgage Company relies on extending its operations by expanding the size of the company’s geographic market area with new satellite branches. The IT department is challenged with bringing these loan officers located in satellite branches into the company’s processes effectively and quickly to allow them to be up and running as fast as possible.

The Solution

With integrated communications and file services, the transition to Google Apps was part of a strategic initiative to put the company in a competitive position to enable it to expand its operations effectively, from a primarily New England-based operation to cover their expansion outside of New England. This expansion included enabling a homogeneous environment for all of the company’s loan officers while still complying with SOX, GLBA, ISO and other internal governance and audit requirements.

“The business side of me saw Google Apps as a slam dunk from a ROI and TCO perspective, and the technologist in me also couldn’t argue against introducing variable costs, scalability, availability, and OS and hardware independence. Cumulus Global recommended and helped us deploy CloudLock and Backupify for compliance, policy enforcement, risk mitigation, and data protection. This allowed us to fully embrace Google Apps and made both my Chief Compliance Officer and CFO very happy.”
— Matthew Seaton, CIO Merrimack Mortgage Company

Integrating Google Apps and CloudLock, Merrimack Mortgage Company extends its security perimeter to the cloud. MMC ensures its use of email, calendars, contacts, and files stored and shared via Google Drive complies with regulations like SOX, GLBA, ISO and other internal Acceptable Use Policies. Backupify protects data across Google Apps accounts against data damage or deletion due to user error.

“I am not sure if I would have felt confident with my decision to move our company’s communication and collaboration needs to Google Apps for Business without the solutions and assistance from Cumulus Global. The integrated solution has relieved my anxiety over having our company data hosted by a third party,” said Seaton.  “Our management team was relieved by the value proposition.  We pay as we grow rather than making large up-front capital investments.”

Since MMC’s initial Google Apps for Business implementation in June of 2011, MMC has increased sales staff by 15% and the number of physical locations by 26%. Operations staff increases have been minimal in comparison. The greatest benefit, in regards to increased sales staffing and locations, is the ability to turn up new team members literally in minutes. In more recent months, MMC has seen back-to-back monthly company record-breaking sales numbers.

To learn more about Merrimack Mortgage Company, visit: www.merrimackmortgage.com.

 

 

Friday Thought: Building a Cloud File Service

For many of the companies, non-profits, school systems, and local governments we work with, the desire to use the cloud is expanding beyond email and calendar.  These organizations are looking to move some or all of their file services into the cloud as well.

Motivation:

While the initial motivation is often to improve access to and sharing of information on projects, or in general, the planning process often reveals a greater value proposition. These secondary benefits derive from giving users direct access to data, and include, but are not limited to:

  • Reduced need for SSL VPN services and/or remote access, desktop, or virtual desktop solutions, resulting in lower hardware, software, networking, and support costs.
  • Reduced need for site-to-site links, enabling organizations to replace expensive point-to-point WAN links and MPLS networks with much less costly direct Internet access links.
  • Improved access to information from tablets and smart phones.
  • Reduced backup/restore costs, as physical infrastructure and in-house administration is replaced by cloud-to-cloud data protection services.

In short, cloud file services provide better user access to information, a simpler IT infrastructure, and lower costs.

Ecosystem

Many services exist to provide cloud-based file services, and organizations are best off if they review their needs before making a selection. Beyond methods of accessing the service, be sure to compare your permissions/security requirements with the features and functions of the service.

Building a file service also means having the necessary components to ensure a robust ecosystem.

  • Affordable storage purchased as used or in flexible blocks
  • Drive letter access (DLA) or Network Place access from Windows desktops
  • Drive type access from Mac desktops, if needed
  • Access from mobile devices, including smart phones and tablets
  • Ability to integrate user identity with your LDAP, Active Directory, or SSO service
  • Availability of cloud-to-cloud backup/restore services
  • Encryption of data at rest and in transit
  • Ability to set permissions in accordance with your business needs, policies, and procedures

Execution

Moving to a cloud file service starts with understanding your requirements and the impact of the change on your computing environment and your end users. Which aspects of the ecosystem do you need/want? How will the change affect the user experience? How will a new file service fit in with your other cloud solutions? With an understanding of requirements, you can better match your needs to the available solutions and map out a migration that minimizes risk and enhances the benefits of the move.

 

Google Apps and Google’s New Privacy Policy

The cloud world is buzzing as Google announced that effective March 1, 2012, it would consolidate more than 60 privacy policies for different services into a single, simplified policy covering all Google services.  Not surprisingly, we are already fielding calls from our Google Apps for Business / Education / Government customers with questions about the impact of the change.

Rest easy.  Here are the answers.

Not Much is Changing

The consolidated privacy policy is not changing how Google collects or uses information with individual services or across services.  The policy is providing a simpler, easier to understand document that is consistent across all services.  Google has also removed components of its existing privacy policies that are redundant with content in the Terms of Service policy for each service, which are also being updated and consolidated into a single, consistent policy.

Note that the Privacy Policy addresses how Google collects and uses information about individual users, but that the Terms of Service dictate how Google treats content you place or store using Google services. To understand how your information is protected, you must review both documents.

Public and Free Services versus Business / Education / Government Services

The new Terms of Service and Privacy Policy provide a baseline for all services. The Terms of Service clearly state:

“Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services.”

Google Apps for Business, for Education, and for Government all have these additional terms and settings.

Confidentiality in Google Apps for Business / Education / Government

The Terms of Service for Google Apps for Business, for Education, and for Government each define Confidential Information as follows:

Confidential Information means information disclosed by a party to the other party under this Agreement that is marked as confidential or would normally be considered confidential under the circumstances. Customer Data is Customer’s Confidential Information.

Very simply, the agreement defines all user/customer content in these services as confidential.

The Terms of Service prevent Google from accessing or disclosing customer information without permission and guarantee a standard of care related to the security, availability, and privacy of customer information.

Exceptions

There are exceptions when Google may disclose or publicly display the information of Google Apps for Business / Education / Government customers.

  1. A User Marks Content as Public: If a user marks content as “public” or as “publish on the web”, the user is giving permission to Google and instructing Google to index the content in the Google search engine and to make the content available to everyone publicly. Google Apps administrators can limit user permissions to prevent them from marking content as public.
  2. Required Disclosure:  Per the Terms of Service, Google may “… disclose the other party’s Confidential Information when required by law but only after it, if legally permissible: (a) uses commercially reasonable efforts to notify the other party; and (b) gives the other party the chance to challenge the disclosure.”

Summary

While Google’s consolidation of privacy policies makes for great, sensational headlines, the reality is that there is no material change in how Google addresses information privacy. For Google Apps for Business, for Education, and for Government customers, there is no change whatsoever.

Tuesday Take-Away: New Security Standards for Cloud Computing

Cloud computing vendors often promote their security credentials, and doing so gives prospective customers valuable information about the vendors’ security operations and capabilities.

If your vendor is still promoting their SAS 70 Type II certifications, however, they are a little bit out of date.

As of June 15, 2011, the American Institute of CPAs replaced SAS 70 with SSAE 16, a much more rigorous standard for service provider security audits and attestations.  SSAE 16 is also in line with a separate, international security audit and attestation standard, ISAE 3402.

If you use Google Apps, Google Postini Services, Google App Engine, and/or Google Apps Script, you are in good shape.  Google is one of the first cloud computing vendors to move to the new, more rigorous, standards.

Google has attained SSAE 16 Type II and ISAE 3402 Type II certifications for these services.  SAS 70 Type II certifications are still valid for audits conducted before June 15, 2011.

While third party audits are part of the security and compliance benefits of Google Apps and Google App Engine products, Google’s security efforts go well beyond audit requirements. You can learn more about Google’s security by reviewing the current security white paper and watching this data center video tour.

Want to know more?  Contact us.  We would be happy to discuss your needs.

Friday Thought: 3 More Reasons Google Apps is Secure

In addition to SAS 70 Type II Certification, here are 3 more reasons Google Apps is secure.

  1. Custom Operating System. Google Apps runs on a custom version of the Linux operating system (OS). Services and ports that are not needed, a common entry point for hackers, are not simply disabled, they have been removed. Just as important, hackers cannot buy a copy of Google’s custom OS and use it to find vulnerabilities.
  2. Data is Unreadable, at least by humans.  When you save data in Google Apps, it is broken into little pieces that are each saved in different servers across multiple data centers.  Each piece is then obfuscated using encryption and other methods.  Even if somebody was able to break in, or a Google employee gained access to your data, they would first need to find all of the pieces and then figure out how to decrypt each piece. In comparison, your MS Exchange administrator can read every email in the system.
  3. Google is the second largest target for Hackers. Only the US Department of Defense has more attacks by hackers.  Google, therefore, has built an extremely robust defense against hackers.  With a security team of thousands on the job, led by some of the foremost security experts in the world, Google has built protection from hackers that greatly exceeds what most businesses can technically do, or even afford to do.

Does this mean your data is perfectly secure? No! Security can never be perfect. It does mean that your chances of losing data in Google Apps are negligible when compared to most businesses’ network security and the actions of their employees (sharing passwords, stolen laptops, lost USB drives, and so on).

Friday Thought: What does SAS 70 really mean?

When talking about security of cloud solutions, we often mention that Google Apps is SAS 70 Type II certified. While it sounds impressive, what does it really mean?

SAS 70 is an accounting audit standard for operational policies and procedures.  To achieve certification, you …

  1. Must have best-practice policies and procedures in place
  2. Must be able to prove that you follow policies and procedures
  3. Must have an independent 3rd party audit your operations on a regular basis to validate the policies and procedures and verify that they are followed.

SAS 70 Type II reflects a level of certification for data center and IT operations that includes:

  • Physical security of buildings and data centers
  • Logical security (network, systems, data, etc.)
  • Privacy
  • Incident management and availability
  • Change management
  • Organization (roles and responsibilities)
  • Administration (personnel, documentation, funding, etc.)

So while it sounds impressive, SAS 70 Type II certification really is impressive!

Most businesses cannot or choose not to incur the cost and effort to achieve SAS 70 Type II certification for their internal systems.  With the certification, Google is confirming the security and safety of your data continuously at a level that likely exceeds the security of your in-house networks and systems.