Our substance is short yet to the point, and intended to challenge you to live in and nurture with IT technologies. @http://thecorlissreviewgroup.com

Friday, March 28, 2014

The Corliss Review Group: IT Leaders' Forum

The risks and rewards of cloud. According to Alan Priestley, director of strategic marketing EMEA at Intel, there is one very big barrier to adoption of cloud marketing: risk aversion.

That risk aversion is no doubt born of fear, if not of the unknown, then certainly of the sheer work required before organizations are able to benefit from the flexibility and, potentially, cost savings of moving applications to the cloud.

It isn’t just about the fact that they have built far-reaching IT infrastructures in-house over the course of many years. It’s also about the changes required in how the IT department is run and in the skills of the people who work in it.

Intel, though, has already shifted some of its IT to the cloud, as appropriate. “Intel uses cloud, both private and public, but we also have a lot of IT that we cannot and will not put into the cloud,” Priestley told attendees at this week’s Computing IT Leaders’ Forum, which focused on the management of hybrid clouds.

Feel the fear

However, when an organisation is already facing acute IT problems, the fear factor comes from not facing up to them. UCAS, the universities’ clearing service, has always faced a particular challenge: for a few days every year in August, demand for its services goes through the roof as students rush to secure a university place.

By 2011, the website through which everything had been automated was struggling to cope: a new approach that could handle the August spike in traffic was needed.

The solution proposed by James Munson, head of IT at UCAS, was radical: it would shift much of its computing services to the cloud. Not only that, but it insisted on a contract that would enable it to ramp up its compute capacity in August when it was all-action, and reduce it (and the price) for the rest of the year when the service is quieter.

“In 2011 and 2012, UCAS had problems being able to deliver the scale that was required for that intense period in the morning when everyone was getting their results at the same time,” said Munson.

“It was all hosted on-premise where we’re based in Cheltenham. We had created quite a complex infrastructure environment – some Microsoft .NET, some database, some Unix, different storage area networks all hosted there, and quite a lot of bandwidth that all needed to go in to that location on that one day, so it was not surprising that we were having ‘issues’.”

Furthermore, the architecture around which UCAS’s services had been built was monolithic, which meant changes required far-reaching testing and the systems lacked comprehensive monitoring. “So when things started to go wrong, we didn’t have great insight into what was going wrong and what was causing the problems. Something had to change.”

In late 2012, that change was decided: a transition to a public cloud infrastructure, with services shifting to a combination of Microsoft Azure, which made sense given UCAS’s existing .NET application investments, Amazon Web Services to host the organisation’s Oracle databases, and Rackspace, with whom UCAS already had a relationship.

The key services for finding and tracking courses were rebuilt in Microsoft Azure, with in-house Oracle databases upgraded, re-engineered and ported across to Amazon. These are load-balanced across two zones and the website is hosted by Rackspace.

Skills challenge

Munson found that the new skills required of an IT department in the era of cloud are very different from those required to run IT in-house – a skills gap also found by Rocco Labellarte, CIO at the Royal Borough of Windsor and Maidenhead.

“We are looking at a whole new set of skills,” he said. “There are lots of kids out there with the right qualifications in terms of understanding the environments. But actually getting people with the practical skills who have ‘been there and done that’ is another matter.”

He continued: “We have broken down our skill sets into three areas: one is to move to a monitoring team, which is effectively just sitting there, watching the large screens all the time and being able to react very quickly because we are maintaining the service integration element internally.

“The second is having commissioned technical architects that understand exactly how everything is put together, both from a hardware perspective, and from a networking, security and applications perspective.”

Finally, although the organisation may be outsourcing to cloud providers, there is still a need for technical architects that can inform the organisation how it should be done, on the one hand, while challenging providers and their recommendations on the other.

Going the extra mile to get appropriately skilled staff in-house can save a fortune, he added. “Having internal skills, if they are significant, provides a cost benefit. We have avoided about £500m in spend by having the right skills from the start,” said Labellarte.

Wednesday, March 26, 2014

The Corliss Review Group: Five Myths About Cloud Privacy

Last week a new set of privacy principles regarding the handling of personal information came into effect. The changes relate to how businesses handle, use and store personal information. While there are significant changes with a number of benefits for individuals, there have been some misconceptions in the industry with regards to privacy in the cloud that I’d like to address. Here are the top 5 myths that I’ve seen about privacy in the cloud.

1. Use of cloud computing is the biggest privacy risk factor

The notion that the use of cloud computing is the biggest privacy risk factor that Australian businesses need to worry about is simply untrue. Ponemon Institute’s Survey on Data Security Breaches revealed that 69 per cent of serious data leaks were due to employee activities or errors.

So a lack of internal policies and controls, direct marketing activities, poorly trained staff, stolen laptops and offshore call centres are all bigger risks than cloud computing.

While Australian companies need to be wary of the new legislation and how it affects their IT infrastructure, the direct business benefits of cloud far outweigh these alleged risks.

2. It is unclear which jurisdiction my data is held in

This is a common misunderstanding among businesses. The word “cloud” suggests to some that your data is floating around in some unknown location, implying transborder data risks under the Privacy Act. The reality is your data is still yours, and it’s still on a server in a data centre. The data centre just happens to be owned by someone else. Cloud providers are overwhelmingly transparent about where your data is stored and would never move it across regions without your permission. If you’re unsure, a simple call to your provider will quickly clarify any concerns.

3. I can’t control third party access to my data in the cloud

The suggestion that you can’t control third party access to your data in the cloud is another myth. In most cases, the security services and accreditations that cloud providers offer are significantly better than internal IT can deliver. With the use of data encryption and support from your cloud partner, the technology risks are easily mitigated. And of course, technology and human risks exist whether you are hosting your data internally or externally.

4. Australian privacy law is tougher than elsewhere

Understandably, there are lots of businesses that are concerned about just how tough the new privacy laws are. In particular, they are worried about the cost of compliance and potential for significant fines (up to $1.7 million).

It’s important to remember that most developed economies have had strong privacy laws for some time. The EU established one of the more comprehensive with the 1995 Privacy Directive covering 27 countries, with Spain and Germany having issued many stiff fines. Many South American countries, including Peru, Uruguay, Argentina, Costa Rica and Mexico have issued privacy laws to open trade with the EU. In Asia, Singapore passed a privacy law last year that protects personal data for ten years after a person’s death, while South Korea’s privacy law even covers a person’s image or voice.

5. I don’t need to worry about it

Despite my other comments, complacency remains the most dangerous myth! Businesses that think they don’t need to worry about security and privacy in their cloud are dead wrong. The risks may be similar to hosting data internally, but they still exist. Larger organizations may struggle to effectively audit their own use of cloud services, particularly when they have been adopted within departments, rather than corporate IT. On the other hand, small companies may struggle to understand the risks or establish privacy statements and policies. That said, simple steps can ensure that a company’s use of cloud is not a high risk factor in terms of its overall privacy compliance, when compared to the alternatives available.

Monday, March 24, 2014

The Corliss Review Group: What are the top security concerns when moving to the cloud?

Cloud computing brings a myriad of benefits for any enterprise, but it is also a cause for concern in a world where, according to InformationWeek, cyber criminals are now targeting "any company where they can find data to resell, disrupt or exploit."

Moving your company's sensitive data into the hands of third party cloud providers expands and complicates the risk landscape in which you operate every day.

In order to understand what concerns should be given emphasis in your cloud security strategy, you need to understand what you can't afford to lose and what can protect you.

Understanding what you can't afford to lose

Data breaches, according to the Cloud Security Alliance, are the top cloud computing security threat for 2013 and beyond. Sensitive data can be of enormous value to a hacker, so you need to consider what sensitive data you are storing in the cloud.

This might be anything a criminal can use to determine or steal someone's identity, such as personally identifiable information (PII) like full names, addresses, birth dates, some IP addresses, and online logins and passwords; and financial information such as bank account numbers and PINs. Furthermore, you should consider any confidential corporate information you might share in the cloud.

Essentially, ask yourself "What do I have that others might want?" and "What do I have that I can't afford to lose?" Data privacy regulations often demand public breach notifications in the event of a malicious data breach or inadvertent data loss – particularly if the information is in the clear.

If your security strategy fails to protect sensitive data, your enterprise could face severe consequences in terms of business and reputation loss as the result of disclosure.

Understand what can protect you if you do lose your data

Businesses migrating to the cloud should lock down any sensitive data before it leaves the premises. As the Snowden leaks indicate, third party cloud surveillance is ubiquitous, so the more open your data and access policies are for harvesting, the greater the risks to your cloud security strategy.

Deploy an encryption scheme that provides limited, controlled, enterprise-exclusive encryption key access. When you retain exclusive control of your encryption keys, you eliminate the concern of a data breach regardless of where your data resides or how many copies of it exist.

In many jurisdictions, a breach of strongly encrypted data to which the enterprise holds the key does not require public notification.

Even the systems you and your CSPs may have in place to prevent accidental erasure of your data can pose dangers to your enterprise's data privacy.

While backups, redundancy and other failover strategies protect against data loss due to deletion or system failures, they also create extra opportunities for the theft of this data that you consider important.

Keep in mind that, if you terminate your services with a particular CSP, you can never be certain the data has been digitally destroyed.

Moving to the cloud need not be complicated. An important element is for businesses to decide what data to put in the cloud – and then to encrypt it and retain the keys.
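
The advice above to encrypt data before it leaves the premises and to retain the keys can be shown with envelope encryption. This is an added example, not part of the original article, written against Ruby's standard OpenSSL binding; the function names, the object name `crm/42` and the sample record are assumptions made for illustration.

```ruby
require 'openssl'

# Added example (constructed). AES-256-GCM; blob layout is iv(12) || tag(16) || ciphertext.
# The object name is bound as associated data, so a blob cannot be replayed under another name.
def seal(key, plaintext, name)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = name
  ciphertext = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError on a wrong key, a modified blob or a different name.
def unseal(key, blob, name)
  raise ArgumentError, 'truncated blob' if blob.bytesize <= 28
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.auth_data = name
  cipher.update(blob.byteslice(28..-1)) + cipher.final
end

# Runs on-premises. A fresh data key encrypts the record; the master key wraps the data key.
# Only the returned hash is uploaded, so every provider-side copy and backup is ciphertext.
def encrypt_for_cloud(master_key, record, name)
  data_key = OpenSSL::Random.random_bytes(32)
  { wrapped_key: seal(master_key, data_key, name), body: seal(data_key, record, name) }
end

# Needs the master key, which never left the enterprise.
def decrypt_from_cloud(master_key, object, name)
  data_key = unseal(master_key, object[:wrapped_key], name)
  unseal(data_key, object[:body], name)
end

# True when a party holding the stored object but not the right key or name cannot read it.
def unreadable_without_key?(object, name, guessed_key)
  decrypt_from_cloud(guessed_key, object, name)
  false
rescue OpenSSL::Cipher::CipherError
  true
end

master = OpenSSL::Random.random_bytes(32)            # constructed; keep real keys on-premises
record = 'name=Jane Doe;dob=1990-01-01'              # constructed sample PII
stored = encrypt_for_cloud(master, record, 'crm/42') # hypothetical object name
puts decrypt_from_cloud(master, stored, 'crm/42') == record.b
puts unreadable_without_key?(stored, 'crm/42', OpenSSL::Random.random_bytes(32))
```

Because the provider only ever holds `stored`, its backups and any copies left behind after a contract ends are unreadable without the master key held by the enterprise.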