Is It Time To Float Your Business Up Into The Cloud?

What is the cloud?

There are many different definitions you can find, but for the small business owner it essentially means outsourcing your IT infrastructure (possibly including applications, servers, data storage, etc.) to a remote provider. Why would you move to the cloud? The most commonly cited reasons are a focus on the core business and cost savings, but in reality every company should carefully consider any move to the cloud to ensure it is the correct move for them.

For small to mid-size business owners, migrating some or all of their systems to cloud environments presents the usual IT issues, but the problems are compounded by having data stored and managed remotely, by external organizations, and often in multiple locations. Among these issues are special considerations for privacy, interoperability, data and application portability, data integrity, business continuity, and security.

In this posting I’m going to focus upon the security issues, technical challenges, and best practices associated with a move to the cloud. In a discussion with one of our cloud security gurus, Mike Johnsen, he highlighted some of the key issues that a business owner should be aware of and factor into the decision-making process:

System Complexity. A public cloud computing environment is extremely complex compared with that of a traditional data center.

Shared Multi-tenant Environment. Public cloud services offered by providers have a serious underlying complication—client organizations typically share components and resources with other consumers that are unknown to them.

Internet-facing Services. Public cloud services are delivered over the Internet, exposing the administrative interfaces used to self-service and manage an account, as well as non-administrative interfaces used to access deployed services.

Loss of Control. While security and privacy concerns in cloud computing services are similar to those of traditional non-cloud services, they are amplified by external control over organizational assets and the potential for mismanagement of those assets.

Governance. With the wide availability of cloud computing services, lack of organizational controls over employees engaging such services arbitrarily can be a source of problems. While cloud computing simplifies platform acquisition, it doesn’t alleviate the need for governance; instead, it has the opposite effect, amplifying that need.

Compliance. Achieving industry-specific security compliance becomes more complex due to the different paradigm the “Cloud” brings.

Data Location. When information crosses geographic borders, the governing legal, privacy, and regulatory regimes can be ambiguous and raise a variety of concerns.

Risk of Unintended Data Disclosure. A fundamental underlying vulnerability is the difficulty of collecting meaningful consent for the processing of data available on the cloud.

There are, however, some benefits of a cloud based environment from a security perspective. Some of these benefits would include:

In general, security measures are cheaper when implemented on a larger scale. The cloud provider or third parties can generally offer managed security services which may be cheaper than maintaining an in-house security staff full time.

Standardized interfaces for managed security devices, which create a more open and readily available market for security services.

Rapid and smart scaling of resources. The ability of the cloud provider to dynamically reallocate resources for filtering, traffic shaping, authentication, encryption, etc., to defensive measures (e.g., against DDoS attacks) has obvious advantages for resilience.

Audit and evidence-gathering. Cloud computing can provide dedicated, pay-per-use forensic images of virtual machines, which are accessible without taking infrastructure off-line, leading to less down-time for forensic analysis.

More timely, effective, and efficient updates and defaults. Images and software used by customers can be pre-hardened and updated with the latest patches and security settings according to fine-tuned processes.

Benefits of resource concentration, which provides the advantage of cheaper physical limitation and physical access control and the easier and cheaper application of many security-related processes.

So what can you do as a small business owner to accurately assess your need to move to a cloud environment and execute the move, if required? Here is a thorough, although probably not all-inclusive, list of some of the best practices a business owner should use when looking at a move to the cloud.

Plan. Carefully plan the security and privacy aspects of cloud computing solutions before engaging them (e.g., SLA negotiations).

Ascertain. Understand the cloud computing environment offered by the cloud provider.

Policy. Ensure that a client-side and provider-side cloud computing solution satisfies organizational security and privacy requirements.

Continuity of Operations. If the cost of losing access to an application is severe, it is recommended that subscribers perform the work locally unless a provider is willing to agree to pay for pre-defined damages for specific types of service interruptions.

Compliance. A subscriber should determine: (1) whether the capabilities for defining the necessary controls exist within a particular provider, (2) whether those controls are being implemented properly, and (3) whether the controls are documented.

Administrator Staff. Subscribers should make sure that processes are in place to compartmentalize the job responsibilities of the provider’s administrators from the responsibilities of the subscriber’s administrators.

Legal. Subscribers should investigate whether a provider can support ad hoc legal requests for: (1) e-Discovery, such as litigation freezes, and (2) preservation of data and meta-data.

Operating Policies. Subscribers should ascertain the operating policies of providers for their: (1) willingness to be subjected to external audits and security certifications, (2) incident response and recovery procedures/practices, (3) internal investigation processes with respect to illegal or inappropriate usage of IT resources, and (4) policies for vetting of privileged users such as the provider’s system and network administrators.

Acceptable Use Policies. Subscribers should ensure that all subscriber personnel read and understand the provider’s acceptable use policy, and negotiate an agreement for resolution of agreed-upon policy violations in advance with the provider.

Licensing. Subscribers should ensure that both the provider and subscriber properly license any proprietary software installed into a cloud.

Patch Management. Subscribers and providers should agree on a set of procedures a subscriber needs to perform to take an application offline (whether a software patch is going to be installed by the provider or subscriber), the testing that must be performed to ensure the application continues to perform as intended, and the procedures needed to bring the application back online. Plans for system maintenance should be expressed in the SLA.

Subscriber-Side Vulnerabilities. Subscribers should minimize the potential for web browsers or other client devices to be attacked by employing best practices for web browser security and patching, and seek to minimize browser exposure to possibly malicious web sites.

Data-at-Rest and Data-in-Transit Encryption.

Physical. Subscribers should consider physical plant security practices and plans at provider sites as part of the overall risk considerations when selecting a provider.

Authentication. Subscribers should consider the use of authentication tokens, which some providers offer, to mitigate the risk of account hijacking.

Identity and Access Management. Subscribers should have visibility into the following capabilities of a provider: (1) the authentication and access control mechanisms that the provider infrastructure supports, (2) the tools that are available for subscribers to provision authentication information, and (3) the tools to input and maintain authorizations for subscriber users without the intervention of the provider.

Performance Requirements. Subscribers should benchmark current performance scores for an application, and then establish key performance score requirements before deploying that application to a provider’s site.

Visibility. Subscribers should request that a provider allow visibility into the operating services that affect a specific subscriber’s data or operations on that data.

Although this list of best practices may seem daunting, the more of these best practices a business owner can use, the less risky and more secure their eventual cloud implementation may be.


Cloud vs. Data Center: What’s the difference?

Is a cloud a data center? Is a data center a cloud? Or are they two completely different things?

The terms “cloud” and “data center” may sound like interchangeable technical jargon or trendy buzzwords referring to the same infrastructure, but the two computing systems have little in common beyond the fact that they both store data.

The Basics

The main difference between a cloud and a data center is that a cloud is an off-premise form of computing that stores data on the Internet, whereas a data center refers to on-premise hardware that stores data within an organization’s local network. While cloud services are outsourced to third-party cloud providers who perform all updates and ongoing maintenance, data centers are typically run by an in-house IT department.

Although both types of computing systems can store data, as a physical unit, only a data center can store servers and other equipment. As such, cloud service providers use data centers to house cloud services and cloud-based resources. For cloud-hosting purposes, vendors also often own multiple data centers in several geographic locations to safeguard data availability during outages and other data center failures.

For companies considering whether or not to use cloud computing versus staying with or building their own data center, there are three primary factors affecting their decision: their business needs, data security and system costs.

Does your business need a cloud or a data center?

A data center is ideal for companies that need a customized, dedicated system that gives them full control over their data and equipment. Since only the company will be using the infrastructure’s power, a data center is also more suitable for organizations that run many different types of applications and complex workloads. A data center, however, has limited capacity — once you build a data center, you will not be able to change the amount of storage and workload it can withstand without purchasing and installing more equipment.

On the other hand, a cloud system is scalable to your business needs. It has potentially unlimited capacity, based on your vendor’s offerings and service plans. One disadvantage of the cloud is that you will not have as much control as you would with a data center, since a third party is managing the system. Furthermore, unless you have a private cloud within the company network, you will be sharing resources with other cloud users in your provider’s public cloud.

Cloud security vs. data center security

Because the cloud is an external form of computing, it may be less secure or take more work to secure than a data center. Unlike data centers, where you are responsible for your own security, you will be entrusting your data to a third-party provider that may or may not have the most up-to-date security certifications. If your cloud resides on several data centers in different locations, each location will also need the proper security measures.

A data center is also physically connected to a local network, which makes it easier to ensure that only those with company-approved credentials and equipment can access stored apps and information. The cloud, however, is accessible by anyone with the proper credentials anywhere that there is an Internet connection. This opens a wide array of entry and exit points, all of which need to be protected to make sure that data transmitted to and from these points are secure.

Cloud vs. data center costs

For most small businesses, the cloud is a more cost-effective option than a data center. Because you will be building an infrastructure from the ground up and will be responsible for your own maintenance and administration, a data center takes much longer to get started and can cost businesses $10 million to $25 million per year to operate.

Unlike a data center, cloud computing does not require time or capital to get up and running. Instead, most cloud providers offer a range of affordable subscription plans to meet your budget and scale the service to your performance needs. Whereas data centers take time to build, depending on your provider, cloud services are available for use almost immediately after registration.

Cloud Computing: Effectively Changing The Business Operation Model

Cloud computing technologies are ubiquitous. While not exactly new technologies, the speed with which they’re transforming business models and efficiencies seems to have accelerated over the past few years. The reason for the transformation depends on how the business operates and its specific needs, but there are some major trends that have emerged.

It All Started with Employees

Employees are one of the main driving forces behind many changes related to cloud computing within the business environment. Employees have families, want to work from home or even use devices with which they are most comfortable. Cloud computing has made it easier for remote employees to enjoy all of the benefits of working in an office (collaboration, Hosted Exchange email, access to documents, etc.) while they are working from home or even on the road.

While Yahoo’s Marissa Mayer may have made the directive for employees to come into the office, most businesses, on the other hand, are seeing the benefits of allowing their employees to work remotely, namely that those employees are more productive. They’re more efficient and willing to work longer hours because they have the privilege and flexibility of working remotely.

For employees that do decide to come into the office, many want to bring their own devices because they prefer or are more familiar with them. Cloud computing is also accelerating the Bring Your Own Device (BYOD) trend, allowing employees to virtually “dial into” their corporate systems with their own computers or tablets. Cloud computing gives employees these freedoms without IT having to worry about these different machines or the remote access overloading and crashing their on-site infrastructure.

Shaking Up Your Standard Business/IT Model

Speaking of IT, cloud computing has unburdened businesses from the traditional IT business model, giving them more options when it comes to their IT infrastructure. In the past, the business/IT model was very straightforward: Businesses hired IT professionals to run their computer hardware and software. The IT staff had to forecast business needs as far out as 5 or 10 years, and make purchases accordingly.

The problem with this business/IT model was that oftentimes the forecasts were wrong. We’ve all heard horror stories of IT forecasting. For example, IT may forecast that a business will only need a certain amount of data storage for the next five years and only purchase the forecasted amount, without considering growth, more personnel or even just more demand on the system. Then after only a year, IT realizes that they’re on the verge of running out of storage and need to purchase more.

With cloud computing, you never have to worry about running out of storage or server capacity, resulting in major cost savings. While you still need to forecast the amount of storage or server capacity that you may need, you no longer have to be overly concerned about the capital expense of scaling up your needs if you do require more space or capacity. It’s far less expensive and less of a hassle to increase cloud storage and cloud server needs than on-site infrastructure. You still need IT for many functions, but cloud computing may actually result in less of a need for a full-blown IT staff. You’ll be outsourcing most of your activity to a cloud vendor. While your IT staff may not be as robust as in the past, they’re still necessary for business innovation. With standard maintenance and upgrades off of their plate, IT professionals can find time to create new technologies and products for your company. Take the Toyota example.

Toyota Has Seen the Impact of Using Cloud Applications

In a recent Business Insider article, “To Understand Just How Much the Cloud Will Change the World, Look at Toyota,” Julie Bort profiled Zack Hicks, Toyota’s CIO, North America. Hicks has been leading the efforts at Toyota to embrace cloud computing, including moving his entire team to Microsoft Office 365, which includes Hosted Exchange Email and Microsoft Office, and a number of other cloud applications to improve productivity. The real advantage of using this type of software is that the team no longer has to worry about day-to-day maintenance of software, including verifying that everyone is using the same version of email.

These cloud applications have allowed Toyota to streamline their business, providing their IT teams with more flexibility to actually create new technologies for their cars. Hicks sees cars as the next type of connected platform with a whole range of technologies to help people in their day-to-day lives, including:
Semi-autonomous vehicles that can help the elderly get around
Steering wheels that “can measure your heartbeat, respiration, blood-sugar levels, and send it to a doctor”
Cars that can send an alert if a driver’s health condition has become unsafe and needs medical help

Your Customers Demand that You Change

Another way that cloud computing has changed business models is in the way that you interact with customers. It gives you the flexibility to immediately react to customer needs as soon as the customer wants you to. Customers no longer wait for business hours to shop for products or get the services that they need. They expect it 24/7. Plus, they want a more robust experience that often means websites with videos, tools and interactive presentations. Most medium to small businesses don’t have the internal bandwidth to host these interactive files.

Outsourcing your interactive data to a cloud vendor ensures that you have enough capacity not only to store these files, but also to guarantee that customers can download or view the files at higher speeds from a secure cloud computing platform.