
The 8 Commandments of Cloud Security


Did you know that more than half of American companies have converted to the cloud? No one can deny the benefits of cloud computing, but security issues are still a concern for many. Since the days of PRISM, surveillance controlled by the NSA, Americans have been acutely aware that their data is being tracked. Cyber-crime mimicking “Big Brother” has reached new levels when it comes to the security of your data and communications.

Are You Securing Your Cloud In The Right Manner?

Cloud computing is not just about securing a good cloud service provider; it’s about ensuring that your data and communications are secure. Gaining confidence and trust in your cloud service provider (CSP) is only one aspect of cloud security. Here’s a look at eight commandments every company should follow to ensure the security of its cloud, no matter the region.
  1. In CSPs, we trust: No matter what your company does, it’s important to check the credentials of your CSP. Security issues directly impact businesses when there are immediate losses of data or communications. Service Level Agreements (SLAs) with your CSP are a must, ensuring that you get the service and security that has been promised.
  2. Follow the law: The convenience of the cloud can be utilized across the globe. Narrowing down on any legal issues involved is a vital part of the process. Laws are different across countries; it’s impossible to control the transfer of data across every location.
  3. Ensure confidentiality: Profit margins remain high by ensuring that there is no unintended disclosure of important information. One of the best ways to ensure the integrity of your data or communications is with the help of secure locks and keys. In today’s world, the best way to ensure security of your data is with the help of encrypted data.
  4. Digital signatures: The cloud provides the flexibility of using a common database. In such instances, the use of digital signatures gives unique access to specific users. When the authentication of data and information is under threat, use encryption to secure confidentiality.
  5. Use keys: A secure lock and key system can ensure that one has secured the data from all sides. The use of cryptographic methods can help you gain further control of your cloud.
  6. Split data: An alternative to encryption, which is a common method, is to split the data. This is a much quicker option, as one can easily transfer data on multiple hosts that are not related to each other.
  7. Try multi-cloud data models: As a component of data splitting, multiple clouds have the advantage of preserving confidentiality, availability, and integrity. Reducing the impact received on a single cloud also reduces the impact of security risks.
  8. Don’t share cloud systems: The concept of multiple customer applications is not unique. Apart from cloud storage, other computational resources are also shared in order to reduce costs. Unfortunately, often shared or rented cloud machines are susceptible to hacking and other malicious attacks.
There have been several case studies that have used these various techniques to secure the cloud. No matter which of the eight commandments you use, your business shouldn’t be afraid to reap the benefits of cloud computing.
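
The data splitting described in commandments 6 and 7, as an added example that is not from the original post: an n-of-n XOR split in Python, where `HOSTS` and the sample record are constructed placeholders. Every share is needed to rebuild the data, so this form protects confidentiality against any single host but adds no availability, and the owner keeps a SHA-256 digest locally to detect a tampered share.

```python
"""n-of-n XOR data splitting across unrelated storage hosts (added example)."""
import hashlib
import hmac
import secrets
from functools import reduce
from operator import xor

# Hypothetical, unrelated storage providers (placeholder names).
HOSTS = ["provider-a", "provider-b", "provider-c"]


def _xor_columns(blocks):
    """XOR equal-length byte strings together, position by position."""
    return bytes(reduce(xor, column) for column in zip(*blocks))


def split_for_hosts(data, hosts):
    """Return ({host: share}, digest).

    All shares but the last are uniformly random pads; the last share is
    the data XORed with every pad. Any subset smaller than the full set
    is statistically independent of the data.
    """
    if len(hosts) < 2:
        raise ValueError("splitting needs at least two hosts")
    pads = [secrets.token_bytes(len(data)) for _ in hosts[:-1]]
    final = _xor_columns([data, *pads])
    shares = dict(zip(hosts, [*pads, final]))
    # The digest stays with the data owner, never with a storage host.
    digest = hashlib.sha256(data).hexdigest()
    return shares, digest


def recover(shares, hosts, expected_digest):
    """Rebuild the data from every host's share and check its digest."""
    missing = [h for h in hosts if h not in shares]
    if missing:
        # n-of-n: one unavailable host makes the data unrecoverable.
        raise KeyError("missing shares from: " + ", ".join(missing))
    blocks = [shares[h] for h in hosts]
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("shares have different lengths")
    data = _xor_columns(blocks)
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_digest):
        raise ValueError("digest mismatch: a share was altered or swapped")
    return data


if __name__ == "__main__":
    # Constructed sample record.
    record = b"constructed sample: account=1001;balance=2500"
    shares, digest = split_for_hosts(record, HOSTS)
    for host, share in shares.items():
        print(host, share.hex()[:24] + "...")
    print(recover(shares, HOSTS, digest))
```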

Public Cloud Security: What’s It Worth?


Free storage and sharing are part of the allure of public cloud storage services like Dropbox, Box and Google Drive. When it comes to the security of your data in the Cloud, there’s a substantial difference between “free” and “no value.”

Cloud vendors do a fantastic job of helping people work together by providing easy, fluid storage for the modern, mobile nature of business. Along with the ease of use on free public cloud platforms, you’re assured by the providers of the security of your personal and business files. But does that security really match what you expect and what your business requires?

For their part, public Cloud vendors provide encryption and decryption of data while it’s in their data centers. Cloud vendors talk up this encryption as a central point of security. But what value do encryption and decryption have if they are entirely in the control of the Cloud vendor? It’s like having a locksmith put a new deadbolt on your front door, but then letting the locksmith keep all of the keys. And, to make matters worse, all the houses in the neighbourhood have the same key!

What the security Cloud vendors actually offer is more along the lines of “zero-value encryption” as it’s been dubbed by trusted enterprise data security voice Steve Gibson and others. It’s a level of security for their data centers, but no great protection when it comes to how you sync, share and store files in the Cloud. The data should be safe inside the perimeter of the data center but as we have discovered, this vendor-backed security wavers.

Diving into the functionality of Cloud vendor-controlled security, a few cracks from this “zero-value encryption” have been revealed. In a recent instance, certain Web apps were regularly opened by Dropbox during the regular process of storing and sharing. One Box user found that a “complete stranger” had been allowed to delete all his files. Cloud vendors have been unable to shake security concerns since the start of the big Cloud adoption boom. Every week brings more tales of business data breaches, exposure of unencrypted personal information and revelations on federal snooping into programs. Every year, the cost of a breach goes up, registering nearly $200 per file in the most recent estimates from the Ponemon Institute.

The Cloud providers are even at odds with each other over what value their encryption provides. Recently, Dropbox and Google leaders got into a back-and-forth spat on the legitimacy of at-rest security of data. Digging into the details, cloud providers acknowledge that security-conscious customers would be best to take on their own layer of data protection. As Google Drive product manager Dave Barth summarized in a company blog outlining their in-house encryption and the control they retain over locking and unlocking the data: “Of course, if you prefer to manage your own [encryption] keys then you can still encrypt data yourself prior to writing it to Cloud Storage.”
Barth’s statement here cuts to the core of the matter. If you want true control over cloud security of value, it’ll take a bit more of a “trust no one” approach and some third-party software.

On the software front, there’s an emerging ecosystem of software, platforms and apps to fill in this security gap between business expectations and zero-value encryption on Cloud platforms. You can go the route of “containing” laptops and mobile devices through policies that implement an extra step or portals to share and store in the cloud. New security “as a service” vendors are offering what amounts to APIs for sharing and storage outside of the traditional business firewall. Coming from an encryption perspective with our product stack, including Viivo, we opt for data-centric protection of data where you hold the keys and authentication for data security in transit and at rest. Your data is protected wherever it goes regardless of how it gets there.

Storing data securely in the cloud is an uncomfortable prospect compared with how businesses typically seek security for their critical documents. Understandably, businesses within their own networks and systems aim for full control of data. Protection is expected for all information in transit or in storage. With public cloud storage services, users have opened up an exposure challenge to security norms, many under the perception that the cloud alone gives them full, valuable protection.
Businesses working in the cloud need protection of value, a level of control to go with security that doesn’t sacrifice user experience. With no shortage of risks and threats to business information, it’s worth your while to expect – and obtain – security and control in the cloud.

Two Cloud Computing Security Solutions for the Enterprise Architect



For the enterprise architect steeped in legacy data center and on-premises infrastructures, the learning curve to effective cloud computing security can seem steep. Enterprise architects transitioning to the cloud must add cloud infrastructure expertise to their knowledge base and learn to cut through the hype in the crowded cloud security marketplace. Once you do so, however, you’ll find that you can boil cloud security down to a few solutions that are much simpler than you might expect.

Earlier this year, the National Institute of Standards and Technology (NIST) drew up a security architecture for cloud computing that reduces the enterprise, in its position as “cloud consumer,” to a very small part of the overall architecture. This doesn’t mean that the enterprise must give up control of its data, however. Looking at the NIST architecture, we can identify several areas that are not only key to cloud computing security, but also easily controlled from the enterprise side, with the right solutions. Here are two:

Cloud Auditing

In most cases, cloud computing security boils down to regulatory compliance, and regulatory compliance demands a high level of auditability. To satisfy regulatory requirements, such as the requirement that enterprises keep log data for 10 years, and to provide security analysts with the most comprehensive resources to do their jobs, you need to retain as much of an audit trail as possible.

Unfortunately, many cloud service providers offer only limited logs. If you use multiple cloud services, as is most likely the case, you’ll also have to contend with inconsistent levels of log availability. For the strongest cloud computing security, you need more than what third parties can give. Ideally, your cloud information protection platform should be able to track and capture all interactions across all the cloud services you use. This audit trail will prove invaluable for forensics, accountability, and general monitoring purposes.
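
One way to build the cross-service audit trail described above, as an added example that is not from the original post or any vendor's product: records from two services with different log formats are normalized into one schema, merged in time order and hash-chained so that an edited or removed entry is detectable. Both log formats, the service names and the sample lines are constructed, and the hash chain goes beyond what the post describes.

```python
"""Normalize logs from two cloud services into one hash-chained audit trail."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used for the first entry

# Constructed sample input; both formats are hypothetical.
SERVICE_A_LOG = [
    '{"eventTime": "2013-06-01T10:15:00Z", "user": "alice@example.com", '
    '"action": "file.download", "resource": "/finance/q2.xlsx"}',
    '{"eventTime": "2013-06-01T10:20:00Z", "user": "alice@example.com", '
    '"action": "file.share", "resource": "/finance/q2.xlsx"}',
]
SERVICE_B_LOG = ["1370081760|bob@example.com|DELETE|reports/plan.doc"]


def parse_service_a(line):
    """Service A: JSON lines with an ISO 8601 UTC timestamp."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "ts": ts.replace(tzinfo=timezone.utc).isoformat(),
        "service": "service-a",
        "actor": rec["user"],
        "action": rec["action"],
        "resource": rec["resource"],
    }


def parse_service_b(line):
    """Service B: epoch|actor|VERB|path, pipe-delimited."""
    epoch, actor, verb, path = line.split("|", 3)
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return {
        "ts": ts.isoformat(),
        "service": "service-b",
        "actor": actor,
        "action": verb.lower(),
        "resource": path,
    }


def _entry_hash(prev_hash, event):
    """Hash the previous entry's hash together with a canonical event body."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_trail(events):
    """Merge events in time order and link each one to its predecessor."""
    trail, prev = [], GENESIS
    for event in sorted(events, key=lambda e: (e["ts"], e["service"])):
        digest = _entry_hash(prev, event)
        trail.append({**event, "prev": prev, "hash": digest})
        prev = digest
    return trail


def verify_trail(trail):
    """Return the index of the first broken entry, or -1 if intact."""
    prev = GENESIS
    for index, entry in enumerate(trail):
        event = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, event):
            return index
        prev = entry["hash"]
    return -1


def collect():
    """Parse both constructed logs and return the combined trail."""
    events = [parse_service_a(line) for line in SERVICE_A_LOG]
    events += [parse_service_b(line) for line in SERVICE_B_LOG]
    return build_trail(events)


if __name__ == "__main__":
    for entry in collect():
        print(entry["ts"], entry["service"], entry["actor"],
              entry["action"], entry["resource"], entry["hash"][:12])
```

A chain on its own cannot reveal entries cut from the end of the trail, so record the most recent hash somewhere the log writer cannot modify.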

Cloud Encryption

Depending on what your enterprise does in the cloud, your data may pass through some or all levels of the cloud service level stack. Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) all have different implications when it comes to the level of control customers typically cede. What doesn’t change, however, is that your enterprise is ultimately responsible for its own data, no matter what part of the stack it passes through.

A strong cloud encryption strategy, one in which your enterprise retains exclusive possession of the encryption keys, will ensure that you hold up your end of the cloud computing security bargain. Look for solutions that offer strong symmetric encryption and do not provide the encryption keys to anyone but you.

As you can see, the fact that cloud computing puts the enterprise in a narrow corner of the overall architecture doesn’t have to mean that the enterprise has little say in the privacy and protection of its sensitive data. CipherCloud’s cloud information protection solutions provide advanced and thorough logging and time stamping capabilities, strong symmetric encryption with exclusive enterprise key control, and a variety of other security, monitoring, and DLP measures designed to keep your data safe and your organization secure in complex regulatory environments.

The cloud changes a lot of things, but not the need for security. The Cloud Security Alliance positions security and risk management as fundamental across all levels of the cloud stack.

3 Types of Cloud Brokers That Can Save the Cloud


“I don’t need a hard disk in my computer if I can get to the server faster… carrying around these non-connected computers is byzantine by comparison,” Steve Jobs said about cloud computing. Many people agree that cloud solutions are convenient for business applications, and the practice is becoming more widespread. The number of businesses that are trying to simplify their business processes with information technology is growing. With more and more companies using virtual business processes for varied tasks, systems are more complex and data security is a paramount concern.

A recent study by Gartner has shown that cloud compliance and cloud data residency are slowly gaining prominence. Some businesses utilize a cloud broker to arrange and manage the service, which can be a cloud broker platform or an actual person. With this platform, it is expected that almost 25% of companies will use some kind of cloud broker by 2016 and data losses would be reduced by 30%. According to the experts at Gartner, cloud security can be achieved with a cohesive cloud security broker solution.

Who’s On the Speed Dial for Cloud Emergencies? – The Cloud Security Broker

Cloud infrastructure is one of the most important aspects for any business today, making cloud security more important than ever before. One cannot deny the importance of a cloud access and security broker with the increasing implementation of cloud services to reduce costs for the business and also ensure that the company has secure critical processes.

We have narrowed down three types of cloud brokers who can enhance the security protocol for any cloud service:
  1. Cloud aggregator: Certain brokers in cloud security are involved in adding capabilities and improving some aspect of the service. They are also involved in adding and supporting hosting services.
  2. Cloud customizer: Multiple services from different cloud providers can be brought together and integrated for a company. This is usually offered by what is called a cloud customizer.
  3. Brokers that arbitrage cloud services: These brokers give the ability to consumers to choose several cloud service providers that are dependent on attributes, costs or speed.
Can Brokers Actually Protect The Cloud?

In the event of complex infrastructure, companies feel the need to manage software applications by integrating the local applications and services. As the cloud increases its coverage across business processes, the role of cloud brokers grows as well. As mentioned before, cloud service security is not just about simplifying the data processes that are managed within the business but also securing them. Now it may be expected for the broker to ensure the complete security of the cloud.
Companies have learned from experience to reduce the consumer’s responsibility related to security. Cloud services offer security via brokers to give confidence to customers with the provision of greater security.

Whether companies are involved in ensuring the services of cloud brokers or a particular cloud broker platform, it’s important to consider capabilities and certifications. One should be confident in the certifications and other capabilities of brokers or broker platforms before engaging them in cloud security.

Growing Privacy Concerns When Cloud Computing


Privacy is the main concern holding many cloud computing companies back from prosperity and success. Even the massively influential Google is facing concerns of privacy. Sweden’s Risk Assessment Board has disallowed Swedish public companies from using Google’s cloud-based service, Google Apps, according to Datainspectionen.se. They have determined that the Google contract has given the search giant too much power over data usage, and a lack of concrete knowledge over what subcontractors are storing or using this data. This begs a harrowing question—if Google cannot be trusted for privacy, who can be?

The Big Privacy Hack

Many large companies do not have the capacity to store data in-house. Tablets and laptops have extremely limited internal storage capabilities, enhancing the overall drive for cloud computing. Evernote is a glorified note-taking resource that stores data through multiple devices. A recent security breach of the resource exposed 50 million encrypted passwords, usernames and accompanying email addresses. According to Evernote, this forced them to restart everyone’s accounts with new passwords.

The Value of General Protection

These security concerns are influencing users to seek identity protection through services like LifeLock Identity Guard. Through credit alerts, address monitoring and advanced Internet-monitoring techniques, these types of services bridge the gap between general security and public comfort. Their features help facilitate comfort in dealing almost solely through the Internet, amidst growing concerns of privacy.

Microsoft, the largest computer provider, offers detailed tips for protection. The company advises confirming that any cloud provider has a detailed privacy policy and the means to support it. The policy should not be a direct copy of someone else’s, but a policy that is adjusted and conducive to the company. This confirms that the company has taken the effort to provide something relevant and specific.

Cloud Computing: Hackers’ Great Big Target in the Sky

Hackers target cloud services because they store so much data. Seagate’s smaller cloud storage features offer between 500 gigabytes and 1 terabyte, reports Computer World. The latter is equivalent to about 1,100 movies.

The huge Apple cloud is in North Carolina and spans acres. It is specifically designed for the iCloud service, notes ABC News and consists of an undocumented quantity of data storage. More speculation has the service providing anywhere up to 10,000 terabytes.

Of course, much larger cloud services such as Dropbox and Google Drive are highly regarded. Technet reports that the free Cloud Security Readiness Tool from Microsoft is pushing privacy focus for cloud companies looking to realistically compete. The resource offers insight into very detailed cloud constructs and how to maximize safety. It also allows a firm to determine its readiness for moving to the cloud.

Paving the Road to Enhanced Protection

Microsoft is paving the road for future cloud computing services with 1 billion customers, 20 million major businesses and 76 global markets being serviced through them, Technet further reports. Detailed trust center security documents are available online to maximize cloud privacy and effectiveness. This is relevant for companies considering opening themselves up to cloud computing and for increasing their privacy efforts.

Cloud based security


Interesting and visual Infographic on cloud based security from Symantec

 Infographic: Is Cloud-Based Security Right for Your Company?

“Bulk Encryption” vs. MicroEncryption™ – MicroTokenization™ processes



As all will agree, secure and reliable encryption schemes are essential to secure sensitive information held by individuals, entities, organizations and governments. They are needed to guarantee we are protected against potential cyber threats. There are several schemas to consider. The first piece of the puzzle is the encryption portion. The AES algorithm-based bulk encryption technique is what is used by most today. This typically constitutes a symmetric block cipher with 128-bit, 192-bit and 256-bit cipher keys.

Information security being critical, securing sensitive data as well as our cyber infrastructure has never been more important. Today the continuing trend must be to secure sensitive data throughout all of its uses. This ranges from communications, transactions, personal accessible data, financial, health, marketing and consumable data to archived data storage. Unauthorized access to stored data or to intercepted transmissions can result in sensitive and vital information falling into the wrong hands. Data and security officers around the globe are facing an ongoing challenge: how to store data securely while still being able to access it quickly. Up until now, encryption combined with firewalls was the most effective solution for protecting this valuable data and other informational assets against attacks. Some tokenization is also used for data up to 17 characters, digits, or numbers.

Encryption is the process of transforming information, referred to as plain or accessible text, into an unintelligible scrambling of code referred to as cipher-text. It utilizes a secret key and an algorithm, in a process known as ciphering. The cipher-text (encrypted data) is designed to be decoded, transformed, and restored back into its original readable and understandable form by utilizing the original cipher algorithm and the secret key. The intent of this process is to secure and protect critical information from hackers, thieves, competitors, and others who should not be allowed access for fear of them causing harm. It is and has been quite common to utilize encryption technology in the static archiving of large amounts or blocks of data, and in communication over local area networks (LANs), across Internet gateways, WANs (Wide Area Networks), or VPNs (Virtual Private Networks). The telecommunication industry utilizes these or similar schemes in dealing with its particular data protection challenges as well.

Bulk encryption has been providing what many believed to be a safe and effective method for protecting data from being compromised and/or stolen. It is apparent that today utilizing solely encryption-type protection is quickly becoming obsolete. Bulk encryption technology is a method in which large amounts of data are encrypted all together. The quantity and size of the data being protected simultaneously tends to cause long delays and exceedingly slow response times. It also opens the data to “Total Breach,” since once someone is in, they have access to the “Bulk” of the data. In many cases currently, the processing power for this type of Bulk Encryption is being met by utilizing cryptographic accelerators. The bottom line is that it requires a great deal of hardware and significant bandwidth resources, and even then, is still not a very fast process.

The Advanced Encryption Standard (AES) symmetric-key encryption standard has been approved by NSA for top secret information and has been adopted by the United States government. AES is based on a design principle known as a substitution permutation network. The AES ciphers have been tested extensively and are now used worldwide. AES was selected due to the level of security it offers and its widely accepted implementation and optimization techniques. It utilizes efficient methods in an effort to optimize both time and memory requirements. The AES algorithm is designed to specify both the cipher and its inverse in order to complete the encrypt/decrypt cycle. Today AES “Bulk Encryption” is the primary protection utilized by a vast majority of those needing security. However, as of just recently, there is a new technology that just hit the public and government sector.

MicroEncryption™ – MicroTokenization™ techniques are beginning to take the industry by storm. A new technology and new way of thinking has evolved in the data protection and security arenas. The technology works off an entirely different premise and methodology. It has been repeatedly proven that “Bulk Encryption” does not appear to be safe due to the fact that once intruders are in they have access to the “Bulk” or almost ALL THE DATA/RECORDS! This alternate approach protects the sensitive data individually, even down to the “Byte” level if that is what is desired. The method in doing so is revolutionary in that speed and accessibility are not sacrificed when utilizing MicroEncryption & MicroTokenization™ processes, combined with AES algorithms. By MicroTokenizing™ data and storing it fully encrypted, the data becomes both usable directly from the secure datacenter and simultaneously meets and exceeds industry standards and regulation. In addition, value can be gained from processing the data onsite and avoiding the potential security failure point that arises when data must move to an analysis server. From Personally Identifiable Information (PII) and Health Insurance Portability and Accountability Act (HIPAA)-mandated data restrictions to user password tokenization, the need for usable and secure data has never been so great. Companies of all sizes who store any information about their customers, employees, patients or partners must be conscious of how to protect this information.

Unlike other security solutions, this new technology is lightning fast and currently being scaled to enable billions of ultra-secure transactions per second in test portal environments. “Thanks to this new breakthrough in technology, anyone can have access to the same speed and security as the billion-dollar giants” said Mr. Fioto, Chairperson and CEO of RACE.

Micro-encryption™ - MicroTokenization™ solutions provide flexibility that sets a new standard for data security, adaptability, and accessibility. The elements interact seamlessly and transparently, streamlining protocols and saving both time and money. Micro-encryption™ - MicroTokenization™ has the ability to secure any data type including simple text, x-ray files, and top secret documents up to 2 GB in size. While most data integration requires months of time and up to millions of dollars of investment, this technology can be implemented very rapidly! Agnostic integration methods can have a company MicroEncrypted™- MicroTokenized™ and processing data in a matter of weeks, sometimes days, with minimal cost. These protection schemes are applicable on a global basis across dozens of industries including healthcare, financial services, hospitality, retail, energy/smart grid, supply chain management and governmental services sectors. “The last block for so many companies in moving to the cloud is the question of data security, compliance and control. MicroEncryption along with MicroTokenization removes those blocks with a stick of dynamite! This new and innovative process makes data stored in their cloud or yours fully usable. It just works. This security breakthrough is setting the new standard utilizing MicroEncryption and MicroTokenization. Make no mistake this is the technology that will be most widely utilized going forward.

Take Your Business to Cloud without Compromising Security


As things are unfolding, it seems unavoidable for businesses to move to a cloud environment to survive in competitive business conditions. However, for many businesses the idea of hosting important data, files and business applications on a third-party setup is still intimidating. News stories in the past about security breaches, hacker attacks etc. have only worsened the already dwindling confidence in the cloud. However, the situation has started to take a positive turn, with cloud hosting service providers strengthening the security features of their service model. There is also a new set of companies emerging that offer cloud computing consultation to organizations for a smooth and secure cloud transition.

The reasons to worry

The reasons to worry about moving to cloud are emerging from two different areas:

Relinquishing control over data: When the information is hosted on the cloud, the internal IT team has very little control over it. In the multi-tenant environment of a public cloud, both infrastructure and security are shared between users. This makes monitoring the performance of the hosted information difficult, and it has caused a lot of panic among organizations. Public cloud in particular is something of a soft target for hacker attacks, spear-phishing, rubber hose and malware.

Compliance: Another hurdle arises from government laws regarding data security and physically storing data outside its geographical location. Both the EU cyber security agency ENISA and the American Federal authority (the Internet’s Patriot Act) are exercising stricter compliance standards to ensure data security in the cloud environment.

How to securely migrate data to cloud

Encrypting files: Encrypt your files before transporting them to the cloud, making sure that the decryption keys aren’t stored along with them. Client-side encryption, which protects the files both in transit and when stored on the vendor’s server, is a good way to ensure data security in the cloud. You can opt for either complete data encryption or encrypt only the mission-critical data. This can easily be done using encryption tools like TrueCrypt or BoxCryptor.

Using passphrase: Another way to ensure file security on cloud is by adding passphrases to them. Users will need to insert passwords every time to access the files. You can also allow users to create, change and update their respective passwords and security questions. Password protection can be applied to files that are not encrypted.

Authorizing users: You can categorize users into different groups and set authority levels accordingly. You can also set a trigger that will alert you every time a file is downloaded or uploaded in your virtual environment. You can define access rights such as viewing, editing, modifying, deleting, removing etc. for users.

Security Benefits of Cloud Computing


Security is often listed as one of the challenges to overcome with cloud computing. There can, though, be a number of security benefits, in particular when it comes to public cloud. This article looks at some of the security benefits of the public cloud computing model, covering storing files in the cloud and using cloud based software applications.
There are various benefits of storing files in the cloud, whether storing personal documents, business documents, photographs or video files. Within a business there may be important financial documents or confidential files that need to be stored somewhere, while individuals may have invaluable photographs of their children which they wish to store safely. If losing such files would prove catastrophic (either financially or personally) then there is no better place to store them than in a secure cloud environment. One of the security benefits here is that the loss of one server needn’t be a problem. Cloud hosting involves utilizing multiple servers, meaning that if one encounters problems there are others to take the load. Where clouds draw from multiple data centres, an entire data centre could conceivably be offline without the customer noticing any change to their service. Not only does this mean files will not be lost, but there won’t be a period of time in which they are not accessible either.

Storing files on personal devices carries a potential for disaster that is removed when they are stored in a cloud environment. This goes for files stored on laptops or personal computers, on external hard drives and on other devices such as USB drives. Where this is the case the device used for this storage can get damaged, be misplaced or even stolen. Where important security files are concerned, such as government documents, there is an increasing likelihood of theft, and it can be catastrophic. These possibilities are not an issue when files are stored in the cloud, meaning that as long as the correct security is put in place files will be safe, both from loss and from unauthorised persons gaining access.

Providers of cloud computing services will usually make automatic updates. Therefore, customers of these services, particularly software offerings, will benefit. Security updates will be included here, giving cloud based software a security benefit over off-the-shelf software packages.

One of the major advantages of any type of cloud computing service is scalability. With infinite computing resource available it means that additional resource can be utilised if necessary. If an organisation, for example, finds that they require more resource to support their needs then it is not a problem. The best thing about this is that resource that may not be required does not have to be paid for upfront; it is instead paid for on a usage basis. When more resource is utilised it is paid for at this stage and if it later becomes unrequired again, then it is no longer paid for.

Public cloud services are generally accessible at any time, from anywhere, as long as the user has an internet connection. While this isn’t always seen as a security benefit it is something that can protect organisations in some instances. Should an organisation suddenly need to access something via a cloud service, such as a piece of software or data stored in the cloud, then they can gain access from whichever destination they find themselves in.

There are numerous possible benefits to cloud computing. While sometimes seen as a disadvantage, in many instances security is one of these. Files stored in the cloud can be less at risk than those stored on other devices, while being able to access cloud based software from any computer has its benefits.

Cloud Disaster Recovery: Don’t Operate your Business without Insurance


Insurance provides the comfort of knowing that you will be taken care of in an unexpected situation. From general liability to data breach insurance, you make sure your business is covered. You prepare all aspects of your company for those unforeseen situations, but have you forgotten one of your most important assets? Have you insured your data? Investing in a disaster recovery solution can provide the same insurance for your company’s mission-critical data to ensure your business is always up and running.

After a disruption of IT services, it is critical to get your business back online quickly. Studies have shown that even small outages can have an effect on profits and customer loyalty. Further, every 24-hour outage that a company experiences decreases overall chances of business survival by 50 percent. According to Vicky McKim, Master Business Continuity Professional and member of the Business Continuity Institute, “A three-day outage can close a business permanently.” Don’t be caught unprepared: invest in disaster recovery services and insure your business for the future.

Disaster recovery acts as a mechanism to protect your mission-critical data and involves resumption and restoration of those operations during a failure. A disaster recovery plan defines the resources, actions, tasks and data required to manage the technology recovery effort, helping to simplify and smooth the transition process. McKim suggests that businesses should look into purchasing cloud disaster recovery services as soon as they open their doors or at the end of their current recovery contract commitments.

The gap in disaster planning for many small- to mid-sized businesses and for those looking to reduce the overhead of the corporate data center is their backup strategy and plan documentation. Most of those with contracted recovery services or recovery subscriptions have realized that those services are a gamble at best, and there is still no guarantee you will be allocated what you contracted. Cloud can help eliminate gaps in your disaster recovery plan.

Disaster recovery services in the cloud are simple, manageable and cost effective compared to traditional methods. They can reduce recurring monthly costs by over 80 percent and give you control of the recovery strategy, management, testing and execution at time of disaster. There are several benefits of using cloud disaster recovery services, including:
  • Ability to suspend your recovery servers so you are only charged for the storage of your backup data
  • Accessibility to your cloud disaster recovery system through any device with Internet access
  • Ability to activate the servers when you need to test or recover
  • No recovery contract for data center space that sits unused for most of each year
  • No costs for duplicate hardware
  • No support fees for testing your data backups other than the metered network
  • Server usage fees apply only for the hours the server is running
Statistically, those who have a business continuity management program in place that includes testing and maintaining their disaster recovery plans have increased their ability to survive even a catastrophic event by 90 percent.

Don’t risk losing your data, your customers or your business. A business would never operate without insurance and cloud disaster recovery services are just that, insuring that you can still operate if your primary data access is disrupted. Cloud computing solutions provide just this – a flexible and attainable solution for all businesses.

Cloud security risks


Thanks to the cloud, businesses large and small are taking advantage of cheap, easy-to-access applications to increase their business productivity and reduce the costs associated with purchasing enterprise-grade IT hardware. Virtualization, whilst by no means a new technology, has matured, and is allowing whole internal IT infrastructures of servers, storage and networks to be moved into third-party data centres. All the major IT vendors are building up their cloud offerings alongside a host of small specialist providers, many of whom started out as web hosting firms. The global recession is helping to fuel the drive to the cloud as firms see cloud services as a quick and cheaper way to build out their IT infrastructure. So, for many it’s not a decision of whether to move to the cloud, but what to move to the cloud, when to do it, and what factors need to be considered. As with internal IT systems, one of the biggest factors to consider is security. Here’s a run-down of some of those security risks and what to consider.

Secure systems

Secure systems are fairly obvious, but they are a must. You are putting your trust in a third party to run your applications, store your data and prevent intrusions. That means firewalls, updated OS and application software, network penetration testing and the credentials to prove their competence. The good news is that cloud IT vendors should have greater experience in this than you could ever hope to provide internally as a non-IT vendor. Cloud providers can prove their competence by adhering to rigorous standards such as the ISO27001 Information Security Management System, and show their management competence and desire to constantly evolve their internal protocols through ISO9001 Quality Management Standards.

Physical location

The physical location of cloud data centres has an impact on factors such as local legislation, but at a more basic level the thing to consider is whether the premises are secure. Could the data centre be subject to equipment theft or equipment destruction? Back in 2011 Vodafone experienced a major outage in its services due to a break-in and theft of network equipment and servers at its Basingstoke data centre. In this instance, data centres housed within buildings with 24-hour security guards would have the upper hand over those which did not.

Local Legislation

Does local legislation protect the data you store in keeping with the expectations of your customers, clients and partners? By having your cloud services provided within the confines of the EU a common data protection standard has to be adhered to. This provides greater assurances that you will not become subject to obscure local legislation.

Resilience

How readily can you access your data, and what happens if nature or humans intervene to stop you from accessing it? Having your cloud services distributed over multiple locations is going to help in major outages caused by nature. Recently, in New York, a data centre hub was hit by Hurricane Sandy, knocking out some of its data centres for a number of days due to an explosion at a power sub-station in Manhattan. Could your organisation withstand a couple of days’ downtime when nature decides to destroy major power lines and sub-stations? If not, then the answer is to seek out co-location cloud services that distribute your operations across multiple geographic locations.

Unfortunately, Mother Nature is not the only force affecting cloud services. Denial of Service attacks (DDoS) are constantly occurring, potentially blocking organisations from accessing their own systems. British firm Memset, a cloud service provider, is used to repelling DoS attacks at a rate of 20 per hour. A robust cloud service provider should have the ability to detect and mitigate the effect of such attacks through large bandwidth resources.

Access Controls

How does your potential cloud provider vet and monitor their employees to ensure your data doesn’t walk out the door? Only those that need access to your systems should have access. Background checks should be run on employees to prevent those with criminal records from getting anywhere near your data or systems.

Why Choose Cloud-based Website Security Services



Recent research reviewing SMB website traffic showed that 51% of website traffic is non-human, and that 31% is potentially damaging and includes automated malicious traffic from scrapers, hackers, scanners and spammers.

With these numbers, no one wishes to leave the website’s “front door” wide open. Website owners work hard to attract quality legitimate human traffic, but it’s just as important to identify and filter out the “bad” visitors – bots that can steal customer data, access proprietary business information, hack and disable a site, and worse.

SMB Websites are Attacked with Increasing Frequency

A study by WhiteHat Website Security, published in 2011, found that 64% of websites were attacked in 2010. Of these, the most harmful attacks were DoS (Denial of Service) and network application attacks such as SQL Injection and Cross Site Scripting. Amazingly, the study also found that 40% of the attacks were against small- to medium-sized websites, and that this percentage is growing.
Despite this clear trend, until recently there was no easy-to-setup, efficient and affordable solution for SMB website security. The available solutions were expensive and appliance-based, and required resources that most SMBs didn’t have.

The Solution: Cloud-Based Website Security Service 

Cloud-based security solutions (such as Incapsula) have lately become more and more popular among SMB websites, since they provide easy-to-setup and affordable protection against all existing and new threats, while also providing website acceleration which reduces page-load time and improves the website visitor experience.

How it Works

When joining such a cloud-based service, instructions to change the website’s DNS settings are presented. Once the changes are completed, website traffic is routed through the service’s globally distributed network of data centers. Incoming traffic is intelligently profiled in real-time, blocking all the latest web threats. Meanwhile outgoing traffic is accelerated and optimized with a global CDN for faster load times, keeping welcome visitors speeding through.

What to Look For

When considering a cloud-based website security service, a number of key factors should be taken into account, notably:

Protection against all current and new threats: Cloud-based security services must include sophisticated visitor identification technology which is able to differentiate between legitimate website visitors (humans, search engines, etc.) and automated/malicious bots. Another key feature to look for is a fully-featured Web Application Firewall to protect against sophisticated attacks such as SQL Injection, Cross Site Scripting, Illegal Resource Access, Remote File Inclusion and all other OWASP Top 10 threats.

No hardware or software; Setup in minutes: Joining the service should take no more than a few minutes, and should involve only a DNS settings change. No software or hardware installation should be involved, nor any changes to the website.

Website acceleration: The service should include a global CDN which improves website performance by caching and optimizing its content and delivering it directly from the Internet’s backbone. This results in much faster load times and significantly less bandwidth consumption.

Simple PCI Compliance: Since these kinds of services transmit customer data, eCommerce website owners must ensure that the service is in compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Protection against DDoS attacks: These services should include DDoS protection services that are easily activated in minutes on a monthly subscription with on-demand upgrade options, eliminating the need to purchase any equipment.

Website Analytics: Services should provide access to a dashboard including real-time stats for all website traffic, such as human visitors and bots, performance statistics and detailed threat reports.

Conclusion

Cloud-based website security services allow all websites, from small to large, to protect and accelerate their websites in an easy-to-setup, simple-to-use and affordable way, without requiring the skillset of a website security specialist or allocating expensive resources to maintain the service.

Common Metrics to Have in Your Cloud SLA




The cloud is changing the way companies look at IT, but it has also become a buzzword. An unscrupulous vendor might take advantage of someone who is eager to jump on the cloud bandwagon. Even if you don’t understand exactly how the technology works, there is one way you can protect yourself: with a service level agreement (SLA).

SLAs are essentially a service contract in which you predefine what is acceptable and you agree on what happens when performance falls below these levels. When you use common metrics to define these levels, you can ensure that your vendor’s performance remains in line with your business needs.

Common Metrics

At a minimum, make sure that your SLA addresses these five metrics:
  1. Availability: Your data should always be available in the cloud and it should never go missing. You want availability to be as high as possible.
  2. Turn-Around Time (TAT): Time taken to complete a certain task. You should ensure the average TAT will not disrupt your business operations.
  3. Mean Time to Recover (MTTR): Time taken to recover after an outage of service. The average downtime from a SAN failure is 114 minutes – but you should know how long your business could continue without access to your data.
  4. Uptime: Uptime refers to how long the system has been continuously running. It may include the percentage of network uptime, power uptime and number of scheduled maintenance windows.
  5. Composite Metrics:  These metrics vary – this is where you have the opportunity to define formulas for metrics that directly affect your business, like average response time, transactions per hour and network latency.
Any additional metrics should help measure, monitor and report on your cloud performance as it relates to your end user experience, network performance, and the system’s ability to consume resources.

What should your contract address?
  1. Data Storage/Volume: Address your data exchange rate defining the amount of data coming in and going out, peak transaction rate and usage volumes.
  2. Security Incidents: Address the type of security identification you would like. Most cloud services now provide Active Directory Federation Services that allow you to link your Active Directory to the cloud and set up permissions for your departments. This saves your company the time of manually entering your employees’ information. Alternatively, you can set up two types of account: one for an average user and one for administrators. But these identities need to be addressed prior to deployment.
  3. Maximum Outage Time: This is the time your company has defined to the vendor that your business can operate efficiently without the cloud. Without this defined in the contract, it’s hard for businesses to maintain continuity if an outage occurs.
  4. Checks and Balances: Institute checks and balances between metrics. Consider each service level in the context of the overall SLA framework and outcome you want. Address any potential adverse incentives with a counterbalancing metric.
Cloud computing is still a fairly new technology, and most companies aren’t aware of what they should address in their contracts; they typically sign a standard “black box” cloud model in which customers give up the right to direct how and when most tasks are performed. Before signing up with a vendor, make sure you address your concerns and deliverables, and be meticulous to ensure limited business interruption.
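
The availability, MTTR and maximum outage time discussed above can be recomputed from a provider's incident log instead of being read off its summary report. The following is an added example, not part of the original post: the outage records, maintenance window and contract targets are constructed, and excluding agreed maintenance from the service time is an assumption about how the contract is worded.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data for one 30-day reporting period (not from the post).
PERIOD_START = datetime(2024, 4, 1)
PERIOD_END = datetime(2024, 5, 1)
OUTAGES = [  # (start, end) of each recorded loss of service
    ("2024-04-03 02:00", "2024-04-03 02:45"),
    ("2024-04-03 02:30", "2024-04-03 03:10"),  # overlaps the previous record
    ("2024-04-14 23:00", "2024-04-15 01:00"),  # runs into a maintenance window
    ("2024-04-22 10:00", "2024-04-22 13:30"),
]
MAINTENANCE = [("2024-04-15 00:00", "2024-04-15 02:00")]  # agreed in advance
# Hypothetical contract targets, chosen for illustration only.
SLA = {"availability_pct": 99.5, "mttr_minutes": 120, "max_outage_minutes": 180}


def parse(rows):
    """Turn (start, end) strings into datetime pairs, rejecting inverted records."""
    parsed = []
    for start_s, end_s in rows:
        start, end = datetime.strptime(start_s, FMT), datetime.strptime(end_s, FMT)
        if end <= start:
            raise ValueError(f"record ends before it starts: {start_s} -> {end_s}")
        parsed.append((start, end))
    return parsed


def clip(intervals, lo, hi):
    """Keep only the part of each interval that lies inside the reporting period."""
    return [(max(s, lo), min(e, hi)) for s, e in intervals if s < hi and e > lo]


def merge(intervals):
    """Collapse overlapping or touching intervals so no minute is counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def subtract(intervals, exclusions):
    """Cut the exclusion windows out of the intervals (both merged and sorted)."""
    result = []
    for start, end in intervals:
        cursor = start
        for ex_start, ex_end in exclusions:
            if ex_end <= cursor or ex_start >= end:
                continue
            if ex_start > cursor:
                result.append((cursor, ex_start))
            cursor = max(cursor, ex_end)
        if cursor < end:
            result.append((cursor, end))
    return result


def minutes(intervals):
    return sum((e - s).total_seconds() for s, e in intervals) / 60


def sla_report(outages, maintenance, start, end, sla):
    """Compute the SLA metrics for one period and list the targets that were missed."""
    planned = merge(clip(parse(maintenance), start, end))
    # Unplanned incidents: merged outage records minus agreed maintenance time.
    incidents = subtract(merge(clip(parse(outages), start, end)), planned)
    service_min = (end - start).total_seconds() / 60 - minutes(planned)
    down_min = minutes(incidents)
    report = {
        "incidents": len(incidents),
        "downtime_minutes": down_min,
        "availability_pct": round(100 * (1 - down_min / service_min), 3),
        "mttr_minutes": round(down_min / len(incidents), 1) if incidents else 0.0,
        "longest_outage_minutes": max((minutes([i]) for i in incidents), default=0.0),
    }
    breaches = []
    if report["availability_pct"] < sla["availability_pct"]:
        breaches.append("availability")
    if report["mttr_minutes"] > sla["mttr_minutes"]:
        breaches.append("mttr")
    if report["longest_outage_minutes"] > sla["max_outage_minutes"]:
        breaches.append("max_outage")
    report["breaches"] = breaches
    return report


if __name__ == "__main__":
    for key, value in sla_report(OUTAGES, MAINTENANCE, PERIOD_START, PERIOD_END, SLA).items():
        print(f"{key}: {value}")
```

On the sample data the MTTR target is met while availability and maximum outage time are not, which is the kind of gap a counterbalancing metric is meant to expose.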

4 reasons why businesses might not want to switch to the cloud



Cloud computing is the next big thing. Whilst initial take-up was slow due to a number of concerns expressed by enterprises, there’s now little doubt as to the benefits of cloud. However, cloud takes many forms and there is usually a solution to be found for most businesses.

Faster broadband and fiber optic have opened up a whole new world for businesses, both large and small. Flexibility, scalability, energy saving; all of these are big factors alongside the lack of capital outlay required which have meant that SMEs are proving to be one of the biggest beneficiaries of cloud so far.

But not all companies want to switch to the cloud and below are the four most common reasons why:
  • Security is cited as the top reason why organizations resist moving to the cloud by Gartner Research. Concerns surrounding the security of the actual data center software, whether it can be hacked and data being stored away from the business premises are all cited. However, it’s more likely that data is more secure in a data center, which not only has decent firewalls and suchlike in place, but is often also physically protected by security personnel.
  • Capital outlay is another concern, but only if your company is rebuilding its existing legacy infrastructure and putting in place a private cloud. Often, services such as hosted desktops (SaaS) can be paid for month-by-month and as such can represent significant cost savings, especially for smaller companies who would otherwise have to setup and pay for their own servers and internal infrastructure.
  • Disaster recovery – many businesses worry that a fire, flood or some other disaster such as server failure will mean that all of their data will be lost. However, most data centers have far better disaster recovery plans set out than your average corporation.
  • Deployment – organizations with large infrastructures already in place that work perfectly well will say that there is no need to deploy to the cloud. Further to this, the logistics can give even the biggest IT departments a headache – however, there’s no real reason that deployment can’t be carried out gradually or a hybrid solution put in place.
All in all, there are no good reasons that companies shouldn’t be considering cloud services, whether it be PaaS, IaaS or SaaS. The benefits of the cloud are enormous, especially for small startups as the cloud can offer a way of beginning your business in the right way and free up valuable funding, which can be used for marketing and so forth.

Whilst take-up has been slow, this is something that is changing rapidly and a recent survey by IT industry association CompTIA found that 85% of companies now feel more positive about deployment to the cloud in 2012, as opposed to 72% in 2011.

Currently, 8 out of 10 businesses use cloud services, although the majority of these are based in web email services; about 25% use SaaS and this is growing all the time. Whilst moving to the cloud may seem like a bad idea, it’s the most rapidly growing section of the industry and if you don’t want your business to be left behind, then it’s definitely worth more consideration.

Increased Security in the Cloud with Google

Google Apps for Business cloud users are now enjoying increased security since the suite earned ISO 27001 certification.  When Google announced its new security certification on May 28, it set the technology and the business worlds abuzz.
This new security certification is part of an Information Security Management System and is a big step forward for the Google cloud network.  One of the most internationally accepted independent security standards, ISO 27001 certification is difficult to earn and is a well-respected standard.

To earn this certification, Google had to meet certain ISO standards such as having risk treatment methods in place, a working management system, and appropriate information security controls.  Ernst & Young CertifyPoint conducted a three-step audit in order to make sure that Google met these standards.  During the audit, the body also made special note of any impacts, vulnerabilities, or threats.  The audit process included an informal review, a formal audit that was much deeper in scope, and multiple follow-up examinations.

While successfully passing the audit was great news for Google, the certification was significant for businesses and for techies alike.  While people have always associated the cloud with positives like universal access, people often view security in the cloud as a negative.  Although Google has always worked to make its cloud suites secure, large businesses, especially, held onto their doubts about security in the cloud.  However, the new ISO 27001 certification should help eliminate these doubts and make businesses more comfortable with a Google Apps migration.  Ultimately, this new certification should prove to businesses that they can’t make as large an investment as can Google in areas like security.  Equally as important, this new certification will work to improve the overall image that people have of information security in the cloud.

Although the new ISO 27001 certification is big news from Google, it isn’t the only example of Google’s dedication to security in the cloud.  Google Apps for Government, another cloud suite, is verified in SSAE 16 / ISAE 3402 audits and has FISMA certification.  Put together, the security backing for these two cloud platforms should prove that Google has a strong dedication to security in the cloud.  Eran Feigenbaum, Director of Cloud Security for Google Enterprise, says that Google will continue to highlight this dedication by having its cloud platforms continue to undergo third-party audits.

Not only is Google’s new security certification important because it can provide businesses with the peace of mind they need to store their data in the Google cloud network, but it’s also significant because it will help better the reputation of cloud security.

Cloud Sherpas is a leading cloud service provider and was named the “Google Enterprise 2011 Partner of the Year.” As one of the first Google Enterprise partners, Cloud Sherpas has migrated over one million users across a variety of industries from legacy, on-premise messaging systems to Google Apps, helping organizations adopt cloud computing to innovate and dramatically reduce their IT expenses. A Google Apps Reseller in Atlanta, GA, Cloud Sherpas has regional offices in locations including San Francisco, New York, Chicago, Austin and Sydney, and has more Google Apps Certified Deployment Specialists than any other partner in the world.

Seven Cloud Computing Trends in 2012 (Part 1)


With 2012 well underway, a few new trends in cloud computing have already been identified. At all levels of implementation, cloud hosting continues to dominate the industry. More than mere storage space, these hosted solutions now offer software-as-a-service (SaaS) and even platform-as-a-service (PaaS) functionality for business. As more business is accomplished using cloud computing technology, many companies are developing a higher comfort level with these advanced systems and are willing to entrust more of their operations to professional cloud computing providers. Here are four of seven of the hottest trends in cloud computing for 2012. The remaining three trends are posted in Part 2:

Security

Security is a perennial issue in the cloud computing industry and will continue to receive in-depth scrutiny in 2012. Expect to see new methods for encrypting logins, preventing unauthorized access and increasing the overall level of security for information stored on the cloud. A number of newer companies have begun offering expert consultations and security services directly to cloud hosting providers, allowing them to offer a higher degree of security for their corporate clients.

Super-sizing the cloud

Enterprise resource planning (ERP) systems are one of the fastest growing segments in the cloud computing industry. These all-in-one business solutions provide a full line of services for companies including sales management, inventory tracking, accounting and customer service. By administering these systems in the cloud environment, companies can enjoy unparalleled access to their business infrastructure from anywhere with an Internet connection. This convenient access is one of the strongest selling points for cloud ERP implementations and is expected to lead to further adoptions in 2012.

Programming platforms

Programming platforms are likely to break through to a wider audience in 2012. These advanced integrated systems provide a fully functional environment for programmers in a wide range of software design fields. Rather than simply running applications and providing storage space, these cloud solutions offer programmers a safe and functional sandbox for testing their designs and fine-tuning applications for a wide range of operating systems. The increased availability of cloud virtual private server arrangements will make these solutions even more versatile by providing multiple operating system environments for testing and implementation.

Mobile access

The ability to manage cloud-hosted solutions using tablet computers, smartphones and other mobile devices will continue to attract attention in the coming year. Health care providers were among the first adopters of this new technology, as mobile cloud computing offers unmatched convenience in accessing electronic health record management systems in the hospital setting. Many experts believe that 2012 may be the year that this mobile accessibility goes wide in the industry and becomes an integral and expected part of the cloud computing package.

What Can Chromebooks Do For You?

Chromebooks, the first computers to operate completely within the Google Chrome web browser, were introduced by Google in May 2011 as computers that run entirely in the cloud.  Given that they are the first of their kind, Chromebooks are revolutionizing the computer industry.
Currently, there are two Chromebook models available for purchase – one from Acer and one from Samsung.  The two models have small differences, including price and size, but they work the same way.

Users will notice the difference as soon as they press the power button on a Chromebook, as it only takes eight seconds to start up.  Once the Chromebook is started, it automatically connects to the internet through Wi-Fi; however, users can purchase optional 3G service through the Verizon Wireless 3G Network to ensure that their Chromebook is never without a connection.

Chromebooks run entirely in the cloud, and this means that they come without an internal hard drive.  Rather than storing information on the computer itself, Chromebooks store everything in the secure Google cloud network.  This means that users will be able to access their entire computer, including files, settings, and applications, from any other Chromebook or web-enabled device.

For those who are interested in adding applications to their Google accounts, the Chrome Web Store makes this simple and fast.  The Chrome Web Store gives Chromebook users access to millions of browser-based applications, many of which are usable offline, as well.  This offline feature comes in handy for those who do not purchase the 3G service and want to use their applications when they are out of a Wi-Fi range or on a moving vehicle.

Another major difference between Chromebooks and traditional computers is the way they age.  While traditional computers, like most other technology, become outdated over time, Chromebooks are made to improve with age.  Every time someone turns on a Chromebook, it receives automatic updates for all of its operating systems and applications, which guarantees that the Chromebook doesn’t fall behind on any new technology.

Security is a key feature of Chromebooks, and this includes protection from viruses and other people.
There are multiple layers of defense in play against viruses on the Chromebook.  The first of these features is known as the “sandbox.”  The sandbox means that every tab that a user opens operates in a confined environment so that potential viruses or malware are contained within this sandbox and do not spread to other data on the Chromebook.  The next feature is a Verified Boot, which comes into play if malware somehow works its way out of the sandbox.  The Verified Boot ensures that this malware will be immediately detected and that any damage will be repaired because the Chromebook will automatically detect its presence when it is started up.  The Data Encryption security feature on Chromebooks works to keep all files secure from outside users.  If all of these layers somehow fail to work, Chromebooks come standard with a Recovery Function, through which users can restore their operating system with the push of a button.

Chromebooks also offer protection from other people through their sharing capabilities and unique cloud-based system.  Many people are concerned about sharing their computers with others because they don’t want to compromise the privacy of their information, but Chromebooks eliminate this concern.  If someone wants to use your Chromebook, they can sign in with their Google account to access their own settings, applications, and information, or sign in as a guest to access the general web browser.  At no point during this time will they have access to your personal information.

Chromebooks also protect your data from physical damage and theft.  Since no information is actually stored on the Chromebook itself, but rather in the cloud, nothing will be lost or fall into the wrong hands if your Chromebook happens to break or be stolen.

Chromebooks are moving computers forward with their completely cloud-based operations, universal access, and enhanced security features.  And since they’re guaranteed to improve with age, only time will tell all that Chromebooks can continue to do for you.

Solving security, availability and performance issues in the Cloud

Given its rapid adoption, virtualization can potentially benefit billions—or serve as a vector for calamity. Even as it opens new avenues of productivity, cost-savings, and environmental relief, virtualization alters a company’s infrastructure profoundly, testing its ability to monitor and manage the new environment. Virtualization is enabling the global evolution to Cloud computing, but along with that comes the challenge of securing applications and data in that Cloud.
The outsourced nature of the Cloud means that companies must surrender a large measure of control. Near-infinite elasticity and automated resource maximization also overwhelm previous management approaches. In years past, monitoring and access required physical proximity to the instrumentation layer, with the result that networks and data centers were designed for static, physical devices, not mobile virtual ones. Firewalls and tools were inserted into the aggregation layer, with nearby physical servers in the same security zone.

Now, server virtualization and the mobility of VMs make sending raw traffic to the instrumentation layer more of a problem. A virtualized environment also calls for sophisticated capabilities such as load balancing to make sure that the instrumentation layer performs at peak efficiency. Effective virtual monitoring access must enable:
  • Swift detection and resolution of power and equipment failure
  • Management of complex device implementations
  • Enforcement of security policies
  • Smooth, secure onboarding of new users
  • Efficient rack space utilization
  • Streamlined consolidation
  • Cost-efficient monitoring of distributed sites
  • Quick response to intrusion or attack
  • Securing of performance data for planning and compliance
At Net Optics, we design and manufacture intelligent access and monitoring architecture solutions to protect and manage business-critical traffic in the virtual environment. These provide real-time, end-to-end traffic visibility, monitoring and control to virtualized data centers, cloud computing networks, and remote offices.  The importance of total visibility cannot be overstated. In order to perform vital inspection, analysis and compliance activities, traffic must be visible to network-based security devices such as firewalls and IPSs. Our goal is to surpass physical hardware in security, compliance and performance monitoring.

Complementing the hypervisor-specific Phantom Virtual Tap in the enterprise-grade environment, Phantom HD aggregates virtual traffic of interest from across the cloud infrastructure—moving from server to server, location to location and even from continent to continent. The appliance is architected to overcome barriers to traffic mobility across locations, devices and providers for total inspection anywhere, extending monitoring and access across LAN / WAN / Cloud infrastructures and inter-VM traffic. At 10GB wire speed, Phantom HD enables aggregation of up to 250 Phantom Virtual Taps or other vendor devices.

Phantom HD eliminates the need for a physical, wired connection between the monitoring and access layers and the instrumentation layer. Phantom HD resolves the proximity paradigm, bridging virtual traffic to physical monitoring tools with no need for SPAN ports on the virtual switch or for promiscuous mode.

Along with expanding total visibility into the virtual network, Phantom HD terminates and de-capsulates tunnels transporting traffic of interest out of virtual networks to the instrumentation layer. It encapsulates raw traffic of interest that needs to be transported to a remote location for inspection or storage. The Phantom HD™ high-throughput appliance allows switching layer and instrumentation layer devices such as high-end routers to perform the sophisticated functions they were designed for, rather than being wastefully employed on routine GRE de-capsulation tasks. This helps customers gain the full benefit of their investment in these expensive products. As with all our virtual solutions, Phantom HD is engineered to defer or eliminate investment in costly new virtual tools, holding down CAPEX, training and operations costs.

Virtualization and consolidation demand ever-higher levels of network integrity because in a virtual landscape, applications and administrative functions share common resources. The shock waves of a failed, hacked or mismanaged element can now travel outward to affect countless applications and users. Only with total visibility to monitor both the physical and virtual arenas can a company realize virtualization’s many benefits.

Cloud Security Growing Up

Whenever the subject of cloud computing comes up, there are two facts that seem to dominate the conversation. The first is that enterprises and small businesses would desperately like to make greater use of the explosion in new cloud services and offerings. However, the discussion will usually turn rapidly to the fact that the potential of the cloud remains out of reach for many business uses. The reason? Security.
By Kevin Steinhardt

Concerns over the security of information in cloud infrastructures, especially public cloud infrastructures, continue to stifle adoption of cloud services and shackle many organizations to traditional approaches to providing business IT services.

Fundamentally, the concerns over cloud security fall into two broad buckets: concerns over availability, and concerns over confidentiality.  And it’s not hard to see why businesses are afraid to plunge into the cloud.

In March 2011 a prolonged period of interruption to Amazon’s Elastic Block Storage (part of the AWS offering) caused a large number of websites to go suddenly, and painfully, dark.  While the problem was nothing more sinister than a simple administrator error, it did cause many to rethink the assumption that “cloud” implied “always on.”

While the need to protect against service interruption is worrying, the solution is at least reasonably well understood — not relying on a single service or service provider.  Even during Amazon’s rather infamous March outage, those organizations that had planned ahead for such an eventuality suffered far less than those who had not.

Keeping information in the cloud confidential is a more difficult proposition. In June 2011, cloud storage provider Dropbox also suffered a simple administrative error. But rather than rendering systems unavailable, it had quite the opposite effect. For a period of four hours *everything* was available. Access to Dropbox storage accounts suddenly, and unfortunately, no longer required the correct password. While Dropbox quickly remedied the problem, the fact that it happened at all underscored the concern that businesses already felt about storing information in the cloud. Specifically, who’s watching the security on this stuff and who has access to it?

So are these concerns justified?  Well, probably.  While service providers like Amazon and Dropbox clearly provide great value, and rarely make mistakes that cause problems, such mistakes are inevitable in the long run.  And as more and more data moves out into the cloud, so the impact of mistakes, failed security controls, lax hiring procedures, or disgruntled insiders will continue to affect more and more customers.

Yet none of these are new to businesses, and with good planning, such problems can be overcome or, at least, minimized.  And therein lies the rub, because it is the difficulty of planning for such events that causes such concern.  The integration of cloud and traditional security practices is not a simple one.  Technical, as well as process, hand-offs are often unclear to both provider and customer alike, and this complexity introduces opportunities for both accidental and malicious attack that are new to many organizations.

However, what if, rather than being the source of security concerns, the cloud could also offer a solution? In September the Cloud Security Alliance released their first whitepaper defining Security as a Service, offered through the cloud.

The idea behind the paper is to start to define the various security services that could be offered as cloud-hosted products, including such areas as encryption, security information and event management, email security and so on.

What we are seeing, then, is an emerging and maturing element to cloud security, and it opens up some interesting possibilities.

For example, by creating security services specifically hosted in the cloud, confusion over who has responsibility may be reduced, as new vendors emerge to essentially ‘own’ many of the cloud-specific problems.  This approach of delivering security services through the cloud also offers up the prospect of broadening the types of security technologies available to small and medium businesses who may have been unable to afford them in the past, or to help larger organizations reduce their IT security spend without impacting overall security capabilities.

Finally, it may allow businesses to more clearly and cleanly ensure segregation of duties between the cloud service provider (for example, a storage provider) and the security functions, which could now be delivered through a specialized third party.

It’s now clear that cloud computing is evolving and maturing fast. While the cloud definitely causes IT security and compliance organizations considerable headaches, the possibility exists that cloud-specific security services may actually benefit everyone in the long run. Most importantly, they may enable organizations of all kinds to safely, and securely, move more fully into the cloud.

Regulations a Barrier to Cloud Growth in Europe

Europe needs to become not only cloud-friendly but “cloud-active” to fully realize the benefits of cloud computing. That’s the view of ETNO (the European Telecommunications Network Operators’ Association) in a recently issued paper on cloud computing development in Europe, which emphasized the importance of relieving obstacles surrounding data privacy and security.

Fragmented regulations are a particular problem in Europe, where sometimes restrictive legislation of the EU and individual Member States has stifled the development of cloud computing services. ETNO reiterates that rules governing data transfer should be simplified, especially if the transfer is within the same group of companies. Furthermore, ETNO concludes that there is no need for applying specific regulatory or legislative action on cloud computing in Europe. It should suffice to apply general rules of data protection and consumer protection to cloud computing – as with other sectors of industry.

Unified Standard Needed

What will be most beneficial for cloud computing development in Europe is the creation of an international standard based on a unified and consistent approach to online privacy, enabling companies to compete on the same level as US market leaders, ETNO says. Such a global framework would give providers an equal foundation for offering cloud services and the same level of protection for all cloud users.

Unfortunately for the EU, regulations are currently fragmented between the 27 EU Member States when it comes to consumer contracts – increasing compliance costs significantly for service providers that want to offer cross-border cloud services.

Contractual agreements are imperative

ETNO makes a clear distinction between cloud services for companies/organizations and those for individuals, and points out that service contracts between service providers and companies should always clearly include clauses that specify the applicable law and jurisdiction in the event that any disputes or controversies arise between the parties. This is very important, as the jurisdiction of the service provider often coincides with the location of the end-user, i.e. where the service is provisioned. However, national consumer laws should normally apply when it comes to cloud services for individuals.

Cloud federation addresses interoperability and portability issues

One of the problems intrinsically linked to cloud computing service provisioning may be the complex value-chain of multiple entities or service providers that may be subject to divergent jurisdictions and regulations. These interlinked value-chains must then adhere to certain contractual rules and agreements that are homogeneous and transparent to the end-user.

Also, ETNO acknowledges the potential lock-in situation end-users can experience, not being able to easily transfer their service from one service provider to another. The way to address the portability and interoperability problem is to deploy the “federation model,” where end-users establish a business relationship with a “home” cloud provider or broker and obtain the requested cloud resources they need online – regardless of who the seller might be.

This is similar to well-known models from the travel industry including online services like Expedia and Orbitz that offer a single interface to multiple source service providers (flights, hotels, car rentals, etc.).  At the same time, it’s important to understand that the federation model may not always be feasible due to additional costs incurred.