Friday, April 1, 2011

Choosing a CSP: Confidence in Risk

Maybe it’s just me, but I had this assumption that Cloud computing would be one of the most popular search terms. So when I found the list of top ten most searched items, it was slightly surprising to find that celebrities who a) I had never heard of and b) turned out to have no involvement with the phenomenon that is cloud computing made the top of the list.

Okay, so perhaps I need a wider circle of friends, and to watch more television. However, within the technology industry there is no doubt that the Cloud is the number one buzzword. The fundamental question, though, is whether the benefits will indeed be realized or whether, like many of the previously heralded technologies, it falls by the wayside.

A 2010 survey by Information Systems Audit and Control Association (ISACA) found that half of U.S. IT professionals who responded to the survey stated that the risks of cloud computing outweigh the benefits. Moreover, a bigger concern for many organizations will be the physical location of their data which of course may well be regulated.

Although such concerns are entirely valid, I would probably add that these concerns should be no different to hosting internal services; indeed such risks could even be managed more easily with a third party such as a CSP. By ensuring that all requirements are clearly defined and included within contracts, the customer should be in a position to ensure that risks are mitigated. Even new threats which may have not been initially considered should be fairly straightforward to mitigate, and this will invariably require an increase in the cost of the service. Compare this with the challenge of recruiting specialists and getting them to go through the ‘Plan, Do, Check and Act’ cycle for the mitigating controls, which could prove not only time consuming but very costly.

So where to from here? Well, there are many concerns that are completely valid, such as the question of where data will be physically stored. Likewise, although we ASSUME that the CSP will implement the controls they are contractually obliged to, will they actually do it? The fundamental point to remember is that although you can transfer the work, you can never transfer the risk (certainly not in your customers’ eyes, if not in the eyes of the law). Whether your data is with a CSP or internally hosted, a data breach will still impact you and your business.

This is probably the biggest concern, whereby you are placing your customer confidence into the hands of a third party. The Cloud Security Alliance put forward their ‘quick method for evaluating your tolerance for moving an asset to various cloud computing models’, with the fourth point critical: Evaluate potential cloud service models and providers.

Here the role of certifications plays a major part. Whilst cost becomes a crucial factor, it should not remain the sole requirement for determining the CSP. Indeed, for the evaluation of potential providers cost should not even be in the equation. If you are unable to find a CSP that can satisfy your risk appetite for the budget you have allocated, then either increase your budget or host internally. Both options are more attractive than using your media skills to answer difficult questions about why your customer details were made public.

-Raj Samani

Wednesday, March 30, 2011

Traveling Back to the Year 2000

“I’ll just use the Internet. It’s brilliant.” That’s what a good friend of mine said in the winter of 2000 when he was explaining how he was going to revolutionize the business of accounting. It was his brainchild – to provide restaurants with a service that would allow operators to transmit their financials securely over the Internet. “My business will offer interactive online services including payroll, accounts receivable and a virtual filing cabinet – using a Web-based platform that would eliminate the need for multiple accounting and tracking systems.” Hmmmm…Does any of this sound vaguely familiar?

Honestly, at the time, I was intrigued. This seemed like a radical idea. While I was having a little trouble grasping the concept – remember, it was over a decade ago – I could sense that it was the way of the future. “Count me in,” I said. And with that, I was on board – given the job of creating the corporate brand, messaging, and marketing. (Really, I had no choice. We were good friends, he was broke, and I was the only marketing consultant he knew who would actually work for restaurant gift cards.)

Today, as I look back on the iterations of Web copy, messaging, advertising, training materials, and press releases, I realize that the language of technology has changed but the actual technology has remained relatively the same.

I first wrote about the accounting solution as a Web-based service – transmitting data via point of sale over the Internet to the company’s accountants for analysis. When managed services became the industry buzz word for this type of service, I began writing with this terminology.

It happened again, only a few years ago, when the industry was using the term software-as-a-service (SaaS). The core process being used to support the company’s 600 restaurant clients with their financials had not changed, but the way we were pitching it continued to morph. We modified our messaging with every new term that was adopted by the industry to essentially describe computing in which services and storage are provided over the Internet.

I guess you know where I’m going with this by now. “Computing in which services and storage are provided over the Internet.” Sounds a lot like the new definition of cloud computing doesn’t it? Of course, things have evolved since the first restaurant signed up in 2001 – with the introduction and adoption of technologies and concepts like elastic computing, virtualization and multi-tenancy. Semantics aside, I’m pretty sure this Internet-Managed Service-Cloud Computing-thing is more than just a fad with a somewhat ambiguous name.

Wednesday, March 2, 2011

EXPANDING CLOUD FOOTPRINT AT McAFEE

It’s not uncommon for my wife to stare at me blankly while I try to explain something exciting at work. I had this experience again over the weekend when I explained, “Hey honey, on Monday we’re announcing that we’ve grown our global Cloud footprint 500 percent over the past year and we just earned our ISO 27001 certification too. Pretty cool, huh?”

Nothing. Just a blank stare.

Nevertheless, today’s announcement is – at least to me and my colleagues – pretty big news for a couple of reasons. First, I think both the new data centers and ISO 27001 Certification demonstrate McAfee’s commitment to becoming the world’s leading provider of Cloud-based security solutions. I mean, let’s face it. Opening a major data center is no small task, let alone opening five around the world. And ISO certification is no cake walk either. Second, and perhaps more importantly, the expansion allows us to continue serving our SaaS security customers even better, providing unparalleled reliability, scalability and security.

Moreover, I think the announcement offers an opportunity to start having better dialogues with customers about how Cloud-based services are delivered on a global level, and what sets McAfee apart. Too often, I hear or read about vendors boasting about the number of data centers they have around the world. Little detail is shared as to whether those are Tier 1 or Tier 3 or 4 data centers. And how they’re interconnected also matters, particularly when you’re dealing with critical infrastructure. Yet, for all we know, these so-called data centers plotted on a fancy-looking map could be housed in the back room of some strip-mall office. I’m sure they’re not, but the point is it’s important to ask.

So the next time you’re talking with a Cloud provider, and they boast about the number of data centers they have around the world, pause for a moment and ask them to provide some more details. You’ll sleep easier at night.

Tuesday, March 1, 2011

Now Entering Cloud City

Once considered a trend, cloud computing continues to grow. And we’re not just talking about growth in thought leadership circles, but growth in actual physical size. Yes, the cloud is going urban. Within two years, China’s proposed cloud city will be physical proof that this computing model truly has a stronghold on our technological life. Partnering with IBM and based in China, Range Technology is putting its money where its mouth is – betting on the cloud by erecting a 6.2 million square foot facility located in a province near Beijing.

The sprawling campus, about the size of the Pentagon, will include offices, call centers, restaurants, and living spaces, as well as at least seven enormous data centers. The move is a sign that organizations and countries are starting to step up efforts to grow the IT infrastructure to meet the surging demand for cloud computing and other data services. Funded by the government, China’s cloud city will be mainly utilized for government departments but also opened to private industries upon its estimated completion in 2016.

Is this a sign that data cities will become the newest feature of the urban oasis – powering a world that lives and breathes on the Internet?

Sure it Saves Money, but is SaaS Security Better?

Stop me if you’ve heard this before: The Cloud can save you money! If you’re anything like me, you’re pretty much exhausted hearing about how much money and time that cloud-based services can save you. We get it already.

While cost savings are important, what you, I and every other IT person on the planet really want to know is whether Cloud-based solutions are any better. Is Email or Web SaaS security better than using an appliance and doing it myself? No amount of cost savings would justify moving to a “less secure” solution.

Of course, the term “better” is a relative term. It’s also quite subjective, particularly when it comes to comparing apples and oranges. The simple – albeit un-gratifying – answer I’ve come up with so far when asked whether SaaS security is better is, “In some cases, yes. In other cases, no.”

The fact of the matter is that SaaS security solutions – or any Cloud-based solutions for that matter – have their proper place and usage. This is particularly true when it comes to security for organizations. No two businesses are alike, and no two security infrastructures are alike. So trying to make a blanket statement that SaaS or on-premises solutions are best, well, is silly.

That said, there is data supporting that some SaaS-based solutions can be more effective than traditional hardware or software solutions. For example, in 2010 Aberdeen published a series of reports comparing email and web SaaS security solutions against on-premises solutions. In the case of email, they found that the users of the SaaS email security solution reported 47 percent fewer cases of spam and malware. For web, users of SaaS reported more than 50 percent fewer cases of malware outbreaks.

Why the difference? According to Aberdeen, the answer isn’t entirely clear. Aberdeen surmises that the 24x7 managed nature of SaaS security solutions ultimately makes the difference in effectiveness, not to mention that the SaaS solutions are managed and optimized daily by the engineers who designed them.

Still, this information alone doesn’t necessarily mean SaaS email security is “better”. An IT organization with the resources and expertise to manage its on-premises solution full time is just as capable of doing a great job managing an on-premises solution.

The question is, would their time and expertise be better spent elsewhere?
