
The Pros & Cons of Cloud Computing, and is it Secure?


Remember, our simplified definition of cloud computing consists of shared computing resources that are virtualized and accessed as a service through an API.

The Pros

1- Costs/capital expenditures

If cloud computing is right for your company, then major cost savings can be seen in buying and maintaining the needed infrastructure, support equipment, and communication costs. The vendors and/or service provider, who charge the users a utility or user type fee, own these costs.

2- Scalability

One of IT's biggest problems is the constant need to add more equipment to keep up with the growing demand of accessing, storing and analyzing information by both internal and external users. One example is in the data center where adding servers is a major cost issue (actually power for the data center is the number one issue, but it is related to the growing need for items like servers). Since cloud computing is virtual, one can expand or contract equipment/infrastructure as demands change.

3- Start-up

Since the cloud (theoretically) contains the infrastructure and applications, all one needs to do is "dial" in to the cloud. One can start using applications immediately versus a customary installation, testing and then providing access to the appropriate user community. (Training is assumed to be a constant.)

4- Business Applications

Again, the cloud (actually the vendors and/or service providers) through contracts (Service Level Agreements -SLAs) provides numerous business applications for any user who is their client. Again like scale, enterprises only need to know which applications they need to run their business and understand what is actually provided to have access to various business applications. (Training is assumed to be a constant.)

5- Flexibility

Since cloud computing is a virtual offering, a user has the flexibility to choose, on a regular basis, the applications, amount of bandwidth or the number of users by basically modifying his user contract and increasing or decreasing costs at a known rate or factor.

The Cons

1-SLA Agreements

This is the tricky and most important one. SLAs can be very involved and it really leaves the onus on the user to understand and define all requirements in specific detail, and more importantly understand what one is getting in the terms of support, performance, security, etc. A good example is quality of service; one should understand what is offered and what the recourses are if the specified quality is not maintained.

2-Performance

Performance guarantees are usually part of the SLA document, but I have singled this one out because it is critical to maintain the performance (uptime) one needs both for internal AND external users. Understand if the performance guarantee is defined as an average or just during peak times versus a "uniform" performance. If performance is compromised, it can impact many things including revenue and your company's goodwill.

3-Vendors

Not all vendors are created equally! Many vendors are claiming to provide cloud computing, but in reality, they are just providing a specific service, or a specific application, or worse, they are a middleman and provide no value-add at all. As I stated in my previous posting, one needs to understand the difference between cloud computing and hosted services or managed services or seemingly some form of virtualization. My best advice is to definitely get with reference customers and see if they model what you would like from the cloud.

4-Security

We all know that the internet has some security issues and since the cloud utilizes the internet coupled with applications infrastructure and support, users should be aware of the potential for new threats and increased risk exposure. It is important to include your firm's risk tolerance in any decision to move to cloud computing, as not all the security issues are understood, and new ones will arise.

5-IT Staffing

If one does utilize the cloud, then make sure one understands the vendor staffing that is available to support your needs and hundreds of others using their cloud. A number of vendors out-source staffing and some of the personnel may not be as good as your own internal organization. Ask the potential service provider if they have trained personnel to support the applications you request.

As I have always stated, know your strategy for your IT organization and your lines of business and weigh whether the "pros" outweigh the "cons" for going with cloud computing. Note that there are a number of advantages and disadvantages; do not be swayed by looking at cloud computing from only a cost-saving point of view.

In all probability the answer will be something in the "middle", i.e. some hybrid form of cloud computing.

As for security and cloud computing

In Forrester's article titled "A Close Look At Cloud Computing Security", Chenxi Wang, Ph.D., states: "While cloud computing is able to deliver many benefits, organizations should not jump on the "cloud" wagon without a compelling business driver and a clear understanding of the security, privacy, compliance, and legal consequences. An effective assessment strategy covering these items will help you reach the ultimate goal: Make the cloud service work like your own IT security department and find ways to secure and optimize your investments in the cloud."

Forrester includes data protection, disaster recovery, and identity management as some of the areas under security and suggests an audit of the potential cloud provider to see what level of security is actually provided.

As for compliance, the user should analyze how the cloud may or may not impact one's compliance requirements.

For legal and contractual issues, Forrester advises that one understands who owns/is responsible for what, between the user and the provider (the data, the infrastructure, etc.)

In another article, titled "Gartner: Seven Cloud-Computing Security Risks", Network World's Jon Brodkin talks about seven security risk areas.

1. Privileged user access, sensitive data processed outside the enterprise.

2. Regulatory compliance, how does the cloud provider match your guidelines?

3. Data location, where exactly is your data housed?

4. Data segregation, understand that your data is "sitting" next to others' data

5. Disaster Recovery, what happens when there is an outage?

6. Investigating inappropriate or illegal activity may be impossible in cloud computing.

7. Long-term viability, what happens if your provider "goes away"?

Another article in Network World reported on the RSA conference and stated that the former technical director of NSA, Brian Snow, is very concerned about vendors offering cloud computing from a security point of view. He is concerned about vendors not addressing current security issues and about new issues that cloud computing will create. Ironically, another panelist was concerned about "Big Brother" listening in on cloud computing and how this might impact enterprises' privacy and compliance issues.

So to wrap up, the internet has security issues, and since cloud computing is in the internet, cloud computing will have those security issues, ones listed above, and ones yet to be discovered. It comes down to the risk profile for your corporation; what level of risk is right for your company relative to investing in cloud computing? Obviously part of the risk assessment depends on your type of company. If you are a financial advisor or in stock management where your intellectual property is basically the company, then cloud computing as we currently know it is not right for you at any cost savings. If you resell ping-pong balls (no offense to ping-pong ball resellers) then the risk is relatively low and the savings from cloud computing outweigh the security and other considerations.

Have you conducted an adequate risk assessment before deciding to move to cloud computing?




Dick Lush http://www.firealarmmarketing.com or dick.lush@firealarmmarketing.com or phone 508-643-0411

Fire Alarm Marketing is a marketing and business development consulting team that focuses on product introductions, revenue generations, building partnerships and creating new opportunities and markets. We are a New England based company with more than 40 years of collective experience.




Security Challenges for Cloud Computing - How Prepared Are You?


Cloud computing is here, and has been embraced by many an organization. Cloud computing as defined by the US National Institute of Standards and Technology (NIST) is "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." [1]. Cloud computing is basically about outsourcing IT resources just like you would outsource utilities like electricity or water off a shared public grid. The cloud services options include:

Software as a Service (SaaS): Whereby the consumer uses the cloud provider's applications running on a cloud infrastructure and the applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email).

Platform as a Service (PaaS): Here the consumer deploys their own applications on the provider's infrastructure. This option allows the customer to build business applications and bring them online quickly; they include services like email campaign management, sales force automation, employee management, vendor management, etc.

Infrastructure as a Service (IaaS): The consumer has access to processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of selected networking components (e.g., host firewalls).

Cloud computing has become popular because enterprises are constantly looking to cut costs by outsourcing storage and software (as a service) from third parties, allowing them to concentrate on their core business activities. With cloud computing, enterprises save on setting up their own IT infrastructure, which would otherwise be costly in terms of initial investment on hardware and software, as well as continued maintenance and human resource costs.

According to the Gartner report on cloud security [2], enterprises require a new skill set to handle the challenges of cloud security. Enterprises need to see to it that their cloud service provider has most of "the boxes ticked" and that they have their security concerns addressed. With cloud computing being a somewhat new field of IT with no specific standards for security or data privacy, cloud security continues to present managers with several challenges. There is a need for your provider to be able to address some of the issues that come up, including the following:

Access control / user authentication: How is the access control managed by your cloud service provider? To be more specific, do you have options for role-based access to resources in the cloud? How is the process of password management handled? How does that compare to your organization's information security policy on access control?

Regulatory compliance: How do you reconcile the regulatory compliance issues regarding data in a totally different country or location? How about data logs, events and monitoring options for your data; does the provider allow for audit trails which could be a regulatory requirement for your organization?

Legal issues: Who is liable in case of a data breach? How is the legal framework in the country where your cloud provider is based, vis-à-vis your own country? What contracts have you signed and what issues have you covered/discussed with the provider in case of legal disputes? How about local laws and jurisdiction where data is held? Do you know exactly where your data is stored? Are you aware of the conflicting regulations on data and privacy? Have you asked your provider all the right questions?

Data safety: Is your data safe in the cloud? How about the problems of man-in-the-middle attacks and Trojans, for data moving to and from the cloud? What are the encryption options offered by the provider? Another important question to ask is: who is responsible for the encryption/decryption keys? [3]. Also you will find that cloud providers work with several other third parties, who might have access to your data. Have you had all these concerns addressed by your provider?

Data separation / segregation: Your provider could be hosting your data along with several other clients' (multi-tenancy). Have you been given verifiable assurance that this data is segregated and separated from the data of the provider's other clients? According to the Gartner report, it's a good practice to find out "what is done to segregate data at rest" [2].

Business continuity: What is the acceptable cloud service downtime that you have agreed with your provider? Do these downtimes compare well with your organization's acceptable downtime policy? Are there any penalties/compensations for downtime, which could lead to business loss? What measures are in place by your provider to ensure business continuity and availability of your data/services that are hosted on their cloud infrastructure in case of disaster? Does your provider have options for data replication across multiple sites? How easy is restoring data in case a need arises?

Cloud services providers have increased their efforts in addressing some of the most pressing issues with cloud security. In response to cloud security challenges, an umbrella non-profit organization called the Cloud Security Alliance was formed. Its members include Microsoft, Google, Verizon, Intel, McAfee, Amazon, Dell, and HP, among others. Its mission is "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing" [4].

As more and more organizations move to the cloud for web-based applications, storage, and communications services for mission-critical processes, there is need to ensure that cloud security issues are addressed.

References

1. National Institute of Standards and Technology, N., Cloud Computing definition, I.T. Laboratory, Editor. 2009.

2. Gartner (2008) Assessing the Security Risks of Cloud Computing

3. Rittinghouse, J.W. and J.F. Ransome, Cloud Computing: Implementation, Management, and Security. 2009., New York: Auerbach Publications.

4. Alliance, C.S. Cloud Security Alliance. 2011; Available from: https://cloudsecurityalliance.org/.




About the Author

Mr. Thomas Bbosa, CISSP, is an Information Systems security Consultant and Managing Partner with BitWork Consult Ltd - ( http://www.bitworkconsult.com ) a leading East African IT security consulting firm, based in Kampala, Uganda. He is a certified Information Systems Security Professional (CISSP), with over 12 years Experience in the IT industry. He has been involved in various roles of IT infrastructure management and support, Information systems Security management & solutions deployment.




Get Your Head Into the Cloud: What Is Cloud Computing?


Everyone from the government, to large corporations, to small businesses and university programs are talking about Cloud Computing (the Cloud) these days, but just what is cloud computing anyway?

The National Institute of Standards and Technology, Information Technology Laboratory, an agency of the U.S. Department of Commerce, founded in 1901 as the nation's first federal physical science research laboratory, also known as NIST, is the government's authority on all matters pertaining to securing our nation's information systems. According to NIST, cloud computing "is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This computing model promotes availability and is composed of five essential characteristics, three service models, and four deployment models."

Basically, cloud computing is a developing word that defines the expansion of many current technologies and computing methodologies into something new and different. The cloud divides application and information resources from the basic infrastructure, and the tools used to distribute them.

For organizations adopting this methodology, using the cloud improves cooperation, agility, scaling, and availability, and by improved and efficient computing practices, provide the possibility of cost reduction for the organization.

More precisely, cloud computing defines the use of a collection of services, applications, information, and infrastructure containing pools of compute, network, information, and storage resources. These mechanisms can be swiftly arranged, provisioned, implemented and decommissioned, and scaled up or down. This in turn provides for an on-demand utility-like model of allocation and consumption that is very beneficial to organizations.

From an information architecture viewpoint; there is much misunderstanding about how cloud computing is both like and different from existing models of computing; and how these likenesses and differences impact the organizational, operational, and technological methods to network and information security practices.

The solution to appreciating how this computing architecture influences security architecture is a common and concise lexicon, joined with a static arrangement of selections that can analyze cloud services and architecture, plotting them to a model of compensating security and operational controls, risk assessment and management frameworks, and ultimately to compliance standards that can be adopted by organizations choosing to utilize all the cloud has to offer.




Derek A. Smith is IT Security Manager, Consultant and Associate at a large Fortune 500 company. He is an expert at Information, Cyber, and Physical security with 30 years' experience in the security and law enforcement industry. To learn more visit Derek's website at http://www.Cybersecuritysamurai.com




Security and Cloud Computing


Cloud computing and its potential to offer powerful computing and data storage options to even bootstrapped small businesses at highly competitive prices have generated plenty of excitement in the industry. So much so, however, that critical questions regarding the security of the data stored "in the cloud" are often overlooked by its most enthusiastic adopters. It's understandable, given the heavyweight names behind some of the biggest cloud computing projects in the world. (Google Apps, anyone?) If companies like Cisco and Oracle are betting their futures and fortunes on cloud computing, surely that must mean that all the kinks have been worked out already, right? Or at the very least, security must be a top priority for them as well, given their zealous approach to network security in general, and we can all enjoy the trickle-down effect of their tireless efforts to firewall our data from any and all security breaches.

Right?

Well, yes and no. Cisco CEO John Chambers admitted as much in a speech he delivered in 2009, saying that while cloud computing presents innumerable opportunities, it's also a "security nightmare." And with good reason. Some of the security issues that cloud computing providers must address in order to allay customer fears include:


Multi-tenancy issues. Cloud computing, by definition, involves shared data storage among a number of users spread across multiple companies and locations. Providers must be able to reassure corporate clients that users from another company will not be able to gain access to - accidentally or otherwise - their account and information.
Data loss and recovery. What happens in the event of a catastrophe that results in data loss? Does the provider have a rigorously and regularly tested backup solution to ensure data recovery? If a problem occurs in one client's account that results in data loss, does the provider have fail-safe systems in place to ensure that a devastating cascading effect doesn't occur that will lead to data loss among their other clients? What if the cloud computing provider goes out of business, is bought or taken over by another company, or declares bankruptcy? How will its clients be assured that their sensitive corporate data won't be lost in the transition or closure?
Storage and hosting information. Where is the data itself physically stored? Are the servers somewhere in Silicon Valley, Chicago, or Bangalore, India? Who provides the actual hosting services? If the host provider is a third-party, has the cloud computing provider properly vetted its credentials to ensure that they adhere to industry standards for data security?
Security tests and updates. How often is the software or platform updated? How often is it tested? During and after testing, does the provider have systems in place to ensure that any updates or tweaks do not result in security breaches? You'll want to make sure that unauthorized users - from your company, your provider or a third-party - don't inadvertently gain access to your information.
Compatibility of different security policies. If your company has an established security policy regarding sensitive client and corporate information, does it differ from the policy offered by the provider? Is the provider willing to meet your internal standards of security? What about third-party companies with whom the provider does business and who may be involved in some way with the service? Will they adhere to your corporate standards as well?
Collaboration issues. One of the most appealing benefits of cloud computing is its ability to promote collaboration among its users, either with internal staff or external parties. Does the software or platform provider have systems in place to ensure that collaboration doesn't compromise security?
Human resource issues. Who within the provider will have access to your company information? Who is in charge of data security? Are they made available to you to discuss any concerns you may have? Can they adequately address your questions to your full satisfaction? What is their experience and background in corporate data and network security?
Downtime reports and frequency. How often do the company's servers experience downtime? Will they make their downtime reports available to you so that you can investigate the reliability of their network? Do they have systems in place to ensure that your data is secure and that no unauthorized users will have access to your account both during and after the downtime periods?
Cyberattack defense. It's inevitable that cloud computing is the next great frontier for cyberattackers salivating over the vast amounts of sensitive information concentrated in a relative handful of services, all available on the web. How does the provider plan to address potential cyberattacks, because it's only a matter of when, not if, they'll experience a hacking attempt on their network?

This list is just the beginning. The best cloud computing providers spend the majority of their waking hours - and I'd be willing to bet some of their dreaming hours, too - thinking about security issues and how they can be proactive in the face of increasing threats that can potentially compromise their clients' business and destroy the trust and faith that they've built with their audience. It's an ongoing conversation that we at Mothernode are excited to be a part of, and one that will be consuming our industry for the foreseeable future.




Ken Pearson
President
Mothernode, LLC
(800) 928-6055 x300
ken.pearson@mothernode.com
http://www.mothernode.com

Mothernode is a Software-as-a-Service (SaaS) business system that offers Small and Medium Business (SMB) a suite of powerful on-demand applications, components and expansion packs designed to streamline all aspects of operations. The software suite includes Salesforce Automation, Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), Order Fulfillment, Quoting and Proposals, Inventory Control Systems (ICS), Vendor Access, Invoicing, Performance Indicators and so much more.




Will Cloud Computing Crush Viruses from Catastrophic Calamity on Your Computer?


Will Americans be any safer from the coming cyber storm as Internet Technology evaporates into the clouds? Will users be safe from hackers with cloud computing? Will their data, identity, money, etc, be safe in the clouds? I wonder, I am very skeptical, but let's talk.

There was an interesting article recently in Homeland Security news which discussed the inherent safety of cloud computing running devices with no executable files, or ways for computer viruses to get in and load themselves onto the computer. The article was titled "Is Google's Chromebook impervious to viruses?" which was published 16 May 2011. Have you heard about the new laptops Google is planning? They will run completely on the cloud, and without the need for anti-virus software - what about the computer anti-virus software industry, the article asks? Good point indeed.

Now then, I have a question about all this; what about an internal challenge at the data center, or elimination of the data center due to a terrorist attack? What if a disgruntled employee puts a virus into that data center? The article also states I am not alone in my worries, "but, not all analysts are convinced that Google's Chromebook is as secure as they claim; this move to a cloud based computer could signal a broader shift that could hamper the antivirus industry's future prospects."

They Promise to Save Us from Cyber Pearl Harbor Attacks - But Can We Trust Them?

The US Government is also working on Cyber Security. Yes, there was a very interesting article in Physorg [dot] com recently titled "White House unveils global cyberspace strategy" by Chris Lefkow, posted on May 16, 2011, which states in the first sentence that the administration "unveiled a set of policy proposals Monday for international cooperation in ensuring an open and secure Internet," and in the article it stated that "To date, the international community has lacked the collective willingness to engage in a meaningful conversation on the need for a global approach," he said. "US leadership is critical to reaching a consensus solution."

Can we really trust this Administration to protect the American People from Cyber Attack? No, absolutely not, say I, but let me explain my points of contention why. First, if the government attempts to move to all devices being on the cloud, and it can control everything (for reasons of security) then in essence they will create another "Great Wall of China" type scenario, basically eliminating any and all privacy - forever. As an American, well, you can understand I have a problem with all of this.




Lance Winslow is the Founder of the Online Think Tank, a diverse group of achievers, experts, innovators, entrepreneurs, thinkers, futurists, academics, dreamers, leaders, and general all around brilliant minds. Lance Winslow hopes you've enjoyed today's discussion and topic. http://www.WorldThinkTank.net - Have an important subject to discuss, contact Lance Winslow.



