Category Archives: Cloud Technology

MSI Strategy & Tactics Talk Ep. 25: An Introduction to Cloud Computing – What to Choose and Why

Posted on by
3

Cloud computing has become a buzzword over the past few years. Some organizations wonder if it would benefit them or not. What are some of the questions an organization should be asking?  In this episode of MSI Strategy & Tactics, Adam Hostetler and Phil Grimes discuss the various aspects of “the cloud” and how it can affect an organization.  If you are considering transitioning your data to the cloud, you’ll want to listen! Discussion questions include:

  • How can you determine which cloud computing model is right for you?
  • What are some of the security issues with cloud deployment?
  • How can moving data to the cloud help an organization’s overall efficiency? 
Resources:
 
Panelists:
Adam Hostetler, Network Engineer, Security Analyst
Phil Grimes, Security Analyst
Mary Rose Maguire, Marketing Communication Specialist and moderator
 

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

7 Security Areas of Concern With Cloud Computing

Posted on by
1

One of the government’s major initiatives is to promote the efficient use of information technology, including the federal use of cloud computing. So good, bad or indifferent, the government is now moving into the wild, world of cloud computing – despite the fact that it is a new way of doing business that still has many unaddressed problems with security and the general form that it is going to take.

At the Cloud Computing Summit in April 29 2009, it was announced that the government is going to use cloud for email, portals, remote hosting and other apps that will grow in complexity as they learn about security in the cloud. They are going to use a tiered approach to cloud computing.

All businesses, both large and small, are now investing resources in cloud computing. Here are seven problematic areas for which solutions need to be found:

  1. Vendor lock-in – Most service providers use proprietary software, so an app built for one cloud cannot be ported to another. Once people are locked into the infrastructure, what is to keep providers from upping the price?
  2. Lack of standards – National Institute of Standards and Technology (NIST) is getting involved and is still in development. This feeds the vendor lock-in problem since every provider uses a proprietary set of access protocols and programming interfaces for their cloud services. Think of the effect on security!
  3. Security and compliance – Limited security offerings for data at rest and in motion have not agreed on compliance methods for provider certification. (i.e., FISMA) or common criteria. Data must be protected while at rest, while in motion, while being processed and while awaiting or during disposal.
  4. Trust – Cloud providers offer limited visibility of their methods, which limits the opportunity to build trust. Complete transparency is needed, especially for government.
  5. Service Level Agreements – Enterprise class SLAs will be needed (99.99% availability). How is the data encrypted? What level of account access is present and how is access controlled?
  6. Personnel – Many of these companies span the globe – how can we trust sensitive data to those in other countries? There are legal concerns such as a limited ability to audit or prosecute.
  7. Integration – Much work is needed on integrating the cloud provider’s services with enterprise services and make them work together.

Opportunities abound for those who desire to guide cloud computing. Those concerned with keeping cloud computing an open system drafted an Open Cloud Manifesto, asking that a straightforward conversation needs to occur in order to avoid potential pitfalls. Keep alert as the standards develop and contribute, if possible.

3 Things To Do About Consumer Cloud Technology

Posted on by
2

We hear a lot of questions about how organizations should handle the increasing consumer use of IT services based on the cloud. Services like Dropbox, Google Apps, Github and many others offer unique and powerful tools for users that they have come to depend on in their personal lives, and thus, some of those tools “leak” into their work lives as well. Often this means that data that was once considered corporate in nature is increasingly in play in these largely consumer-focused services. In fact, with the coming iCloud integration from Apple on the horizon into all iOS devices, some organizations are in a down right panic about how to manage these new services in their user populations.

We want to offer up three suggestions for organizations facing these issues (most of us):

  1. Accept that these changes are coming and that they are impactful. If your security focus is still on the “perimeter”, this should be the last of the warning bells. That ship is sinking and FAST. Today, organizations need data-centric controls that allow for flexibility in data usage and protection. Users are in a rapidly dynamic set of locations and using data in a very dynamic set of ways. Your IT architectures and controls need to allow for those changes or face increasing levels of danger and obsolesce. You can not stop consumer cloud services from leaking into your enterprise. Accept it and figure out how to adapt or you will be left behind by competition and brain power.
  2. Create a dialog between users and technology teams to discuss how consumer cloud services are being used today and how they could be leveraged tomorrow. The greater the dialog, the better the insight your team will have into exactly how data is REALLY flowing in and out of your enterprise and how users are getting their work done in the real world. These discussions require trust and ongoing relationships, so begin to foster them in your organization.
  3. Understand your threats and controls. In this new cloud-focused world, especially when consumer-grade tools are all the rage, organizations MUST begin to switch their thinking away from “do the minimum” attitudes and tunnel vision on compliance. Instead, they must create effective security initiatives that focus on the specific data they must protect, the controls they have in place that they have to manage and monitor and the threats that data face when in play. If they build proper security programs around these ideas, not only will their risk decrease, but their compliance problems will likely be automatically ensured as well. At the very least, they will find that the resources needed to comply with regulation x or guideline y has been largely reduced to academic exercises, since they will have data properly mapped, segmented and controlled.

We know these three suggestions have a “soft skills” feel. Maybe you expected a suggestion for more firewalls, detection tools or crypto? But, the real story here is, we need not only better tactical approaches and toolkits to solve the coming security issues we face, but we need a holistic strategy to do it effectively as well. That said, before you invest in another round of cloud-based detection thingees or a new quantum cryptography system with geo-spacial locations for keys, how about we all take a moment, sit down, discuss how users are really working now and what they want for the future? Maybe if we think this next huge step forward through a bit more and take a more strategic approach, we can figure out how to make users happy AND secure their data. Hey, I can dream, can’t I? 🙂