<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>IT Info Magazine &#187; service providers</title>
	<atom:link href="http://www.itinfomag.com/tag/service-providers/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.itinfomag.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 07:41:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Private Clouds – Part 1: HP CloudStart</title>
		<link>http://www.itinfomag.com/virtualization/private-clouds-%e2%80%93-part-1-hp-cloudstart/</link>
		<comments>http://www.itinfomag.com/virtualization/private-clouds-%e2%80%93-part-1-hp-cloudstart/#comments</comments>
		<pubDate>Sat, 04 Dec 2010 08:21:57 +0000</pubDate>
		<dc:creator>George</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cloud services]]></category>
		<category><![CDATA[CloudStart]]></category>
		<category><![CDATA[Converged Infrastructure]]></category>
		<category><![CDATA[HP]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[Private Cloud]]></category>
		<category><![CDATA[service providers]]></category>

		<guid isPermaLink="false">http://www.backupmyhost.com/blog/?p=734</guid>
		<description><![CDATA[Many organizations are still undecided whether to venture into cloud computing! A few weeks ago, moving to the cloud meant the outsourcing of the IT infrastructure to third parties, as the main players were the online or managed service providers. If an organization is bound by regulatory compliance or is concerned about security and no provider can provide an assurance, then what other solutions do these organizations have? Today, organizations can build their own private cloud infrastructure. Private clouds give an organization the flexibility and economics of cloud while retaining the security, transparency and control of internal IT. Some months ago, Amazon started offering an extended solution where organizations can host some of their services in house and others on Amazon’s EC2. Also, in the early days of cloud computing technically savvy organizations had an option to try the technology using an open source project called Eucalyptus that delivers private cloud software. This is infrastructure software that enables enterprises to establish their own cloud computing environments. Today, Eucalyptus Systems has made major developments and is considered a big contender. If some organizations are reluctant to trust online service providers, others are wary of open source solutions such as Eucalyptus. But now we have the [...]]]></description>
			<content:encoded><![CDATA[<p>Many organizations are still undecided whether to venture into cloud computing! A few weeks ago, moving to the cloud meant the outsourcing of the IT infrastructure to third parties, as the main players were the online or managed service providers. If an organization is bound by regulatory compliance or is concerned about security and no provider can provide an assurance, then what other solutions do these organizations have?</p>
<p>Today, organizations can build their own private cloud infrastructure. Private clouds give an organization the flexibility and economics of cloud while retaining the security, transparency and control of internal IT. Some months ago, Amazon started offering an extended solution where organizations can host some of their services in house and others on Amazon’s EC2. Also, in the early days of cloud computing technically savvy organizations had an option to try the technology using an open source project called Eucalyptus that delivers private cloud software. This is infrastructure software that enables enterprises to establish their own cloud computing environments. Today, Eucalyptus Systems has made major developments and is considered a big contender.</p>
<p>If some organizations are reluctant to trust online service providers, others are wary of open source solutions such as Eucalyptus. But now we have the major IT hardware vendors in cloud computing! Organizations that have relied on HP products and services for many years would definitely give HP&#8217;s CloudStart consideration.</p>
<p><span id="more-734"></span><strong>HP CloudStart</strong></p>
<p>On Aug. 30, 2010 &#8211; HP announced &#8220;<em><a href="http://h20219.www2.hp.com/services/us/en/consolidated/cloud-overview.html?jumpid=ex_R61_us/en/large/tsg/go_smbcat20" target="_blank">HP CloudStart, the industry’s first all-in-one solution for deploying an open and flexible private cloud environment within 30 days</a></em>&#8221;.</p>
<p>HP claims that their solution can be set up within a 30-day time frame. While this is a fast-track private cloud solution, one has to have the required hardware platform in place. Although HP states that CloudStart can be integrated with legacy applications, the solution is tightly integrated with HP proprietary hardware. The architecture allows organizations to integrate their own setup with third-party enterprise portals and public cloud services.</p>
<p>According to HP, CloudStart has the same administrative features as public cloud solutions, and the provisioning of services is simplified and fast. Therefore, one expects to find features such as pay-per-use models, automatic scaling up or down of services, real-time reporting, services based on consumption, and chargeback reports. All of the above functions need to be managed from a central portal, as we are accustomed to doing with public cloud solutions. HP CloudStart is built on the HP Converged Infrastructure.</p>
<p><strong>HP Converged Infrastructure</strong></p>
<p><a href="http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-785656&amp;pageTitle=" target="_blank"><img class="alignleft size-full wp-image-735" style="margin-left: 5px; margin-right: 5px; border-width: 0px;" title="info-converged-infrastructure-01_tcm147-790850_tcm245-790850" src="http://www.itinfomag.com/wp-content/uploads/2010/12/info-converged-infrastructure-01_tcm147-790850_tcm245-790850.jpg" alt="" width="380" height="206" /></a></p>
<p>HP Converged Infrastructure is a collection of tools that connect all IT assets into an interoperable pool of shared resources such as servers, storage and network devices. It&#8217;s the platform that manages and automates operations of all applications and infrastructure components. While it provides all the features that are found in public clouds, HP experts state that you can scale a service securely without worrying about management or upgrade issues.</p>
<p>The main components of the infrastructure are HP&#8217;s BladeSystem Matrix, Cloud Service Automation (HP CSA) and StorageWorks. Combining HP components into one whole system gives, apart from the fast (one-touch) provisioning of applications and services, a number of added benefits. These include reduction in compliance and governance efforts, improved response times to changing business requirements, added DR functionality, expert support on workload analysis, legacy integration and service management.</p>
<p>The HP BladeSystem Matrix is the foundation of all shared resources, while Cloud Service Automation (HP CSA) is the engine that automates processes based on knowledge and best practices. The network storage system is the data repository component, where HP has a varied choice of storage devices that connect with the infrastructure seamlessly.</p>
<p>HP’s solution is proprietary: apparently you cannot mix and match hardware from different vendors, but it can be extended to the public cloud. The solution reduces the total cost of ownership (TCO) drastically, and provisioning of complex setups and applications can be done very fast. Where organizations have already made their IT investments with adequate resources such as well-developed data centers, or they are bound by strict regulations, HP&#8217;s CloudStart is a prime candidate. From the business point of view, cloud computing promised abstraction from legacy or proprietary systems. Will that truly happen for organizations implementing private clouds? Is the private cloud trend moving back to the mainframe concept?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itinfomag.com/virtualization/private-clouds-%e2%80%93-part-1-hp-cloudstart/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online service providers and Data Centers</title>
		<link>http://www.itinfomag.com/it-governance/online-service-providers-and-data-centers/</link>
		<comments>http://www.itinfomag.com/it-governance/online-service-providers-and-data-centers/#comments</comments>
		<pubDate>Sat, 27 Nov 2010 08:40:13 +0000</pubDate>
		<dc:creator>George</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[IT Governance]]></category>
		<category><![CDATA[Availability]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[Data center]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[platform]]></category>
		<category><![CDATA[redundant]]></category>
		<category><![CDATA[service providers]]></category>
		<category><![CDATA[Tier]]></category>
		<category><![CDATA[Tier 1]]></category>
		<category><![CDATA[Tier 4]]></category>
		<category><![CDATA[Tier Levels]]></category>

		<guid isPermaLink="false">http://www.backupmyhost.com/blog/?p=726</guid>
		<description><![CDATA[Do your research carefully before outsourcing your internal IT services. Many companies function more efficiently and profitably by outsourcing certain business tasks or functions to other organizations that have the required personnel, expertise, equipment, or technology to accomplish these tasks. Whether it’s an IaaS, SaaS or PaaS implementation, the service provider&#8217;s underlying platform will play a major role in a successful long-term deal. An underlying platform may include compute services and management, network services and management, data storage, security and connectivity. Each service needs to be reliable and secure. Business continuity relies heavily on Internet connectivity: the link between your offices and the service provider&#8217;s data center is critical, both in terms of availability and speed of access. Network services need to have the required basic capabilities plus advanced features such as load balancing and scaling, and they need to monitor traffic and secure all data transmissions. Compute services are very critical for application performance, and if not enough resources are available your business will suffer. Scalability is one feature that gives some service providers a competitive advantage over others; however, with advanced features come more security concerns, as the data may be dispersed across multiple data centers. At the end of the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-727" style="margin: 0px 5px; border-width: 0px;" title="images" src="http://www.itinfomag.com/wp-content/uploads/2010/11/images.jpg" alt="" width="273" height="185" />Do your research carefully before outsourcing your internal IT services. Many companies function more efficiently and profitably by outsourcing certain business tasks or functions to other organizations that have the required personnel, expertise, equipment, or technology to accomplish these tasks. Whether it’s an IaaS, SaaS or PaaS implementation, the service provider&#8217;s underlying platform will play a major role in a successful long-term deal. An underlying platform may include compute services and management, network services and management, data storage, security and connectivity. Each service needs to be reliable and secure.</p>
<p><strong><em>Business continuity relies heavily on</em></strong></p>
<p>Internet connectivity between your offices and the service provider&#8217;s data center is critical, both in terms of availability and speed of access. Network services need to have the required basic capabilities plus advanced features such as load balancing and scaling, and they need to monitor traffic and secure all data transmissions. Compute services are very critical for application performance, and if not enough resources are available your business will suffer. Scalability is one feature that gives some service providers a competitive advantage over others; however, with advanced features come more security concerns, as the data may be dispersed across multiple data centers. At the end of the day, it is a compromise between security and availability. Storage services provide the repository location of your data, hence backups or redundancy are a must.</p>
<p><strong><em>What makes the underlying infrastructure so solid? </em></strong></p>
<p><span id="more-726"></span>Online service providers or cloud computing providers rely on their data centers in order to be able to provide all of the above services. When deciding to move your business to the cloud, you should ask the short-listed providers to supply you with information related to their internal infrastructure and any quality or security certifications they may possess.</p>
<p><strong><em>Data centers classification</em></strong></p>
<p>Data centers are classified by tier levels. Tier levels are the standardized methods that we use to define performance and uptime of data centers. Every tier reaches different uptime/availability thresholds. The <a href="http://www.uptimeinstitute.org" target="_blank">Uptime Institute</a>, a global data center authority states:</p>
<p><em>Tier Standard: Operational Sustainability was released by Uptime Institute on 1 July 2010. It provides data center owners and operators with means to unify the uptime potential of the infrastructure with its management. When these two aspects are aligned, owners can achieve optimal, sustainable data center performance. The Operational Sustainability Standard works in tandem with the Institute’s international Tier Classification System.</em></p>
<p>At the top of the list, we find data centers that are classified as Tier 4. These data centers are considered to be the most reliable and the least susceptible to failures. They are designed to host mission-critical systems with no single points of failure. Redundancy is provided not only in the computer hardware but also in cooling, power, network, storage and technical &amp; operational staff. Best practices and control procedures are adhered to, while security policies and access controls are in place and monitored. The full list of all Tiers is found below:</p>
<p>• <strong>Tier 1</strong> &#8211; Non-redundant systems, servers and few or one down/uplink<br />
• <strong>Tier 2</strong> &#8211; Tier 1 + redundant equipment.<br />
• <strong>Tier 3</strong> &#8211; Tier 1 + Tier 2 + redundant power and multiple down/uplinks.<br />
• <strong>Tier 4</strong> &#8211; Tier 1 + Tier 2 + Tier 3 + all components are fully fault-tolerant including uplinks, storage, air conditioning, HVAC systems, servers etc. Everything is dual-powered.</p>
<p>Many cloud providers promote images of large facilities on their main web sites, call their data centers Internet data centers, and state that they can handle large-scale operations, but it all boils down to which tier level they are classified at.</p>
<p>In addition to the hardware and physical specs of data centers, operational processes, procedures and best practices must be maintained to high levels. Check for audit certifications such as SAS 70 and ISO 27001. Certifications and awards are required to prove that a data center is up to its name, and some organizations can assist you in determining such factors. For example, the Service Organization Control reports (formerly SAS 70 reports) &#8211; Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization. SOC reports provide valuable information users need to assess and address the risks associated with an outsourced service.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itinfomag.com/it-governance/online-service-providers-and-data-centers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Choosing a Managed Services Provider (MSP)</title>
		<link>http://www.itinfomag.com/it-governance/choosing-a-managed-services-provider-msp/</link>
		<comments>http://www.itinfomag.com/it-governance/choosing-a-managed-services-provider-msp/#comments</comments>
		<pubDate>Sun, 21 Nov 2010 11:54:26 +0000</pubDate>
		<dc:creator>George</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[IT Governance]]></category>
		<category><![CDATA[bandwidth]]></category>
		<category><![CDATA[data centers]]></category>
		<category><![CDATA[managed]]></category>
		<category><![CDATA[MSP]]></category>
		<category><![CDATA[platform]]></category>
		<category><![CDATA[service providers]]></category>
		<category><![CDATA[SLA]]></category>

		<guid isPermaLink="false">http://www.backupmyhost.com/blog/?p=721</guid>
		<description><![CDATA[Given that all software or service requirements are met by an MSP, organizations need to consider other important aspects of outsourcing managed services before actually taking a decision. Bandwidth is one factor that plays an important role when choosing a service provider, while other factors include data center geographic location(s), inter-data-center bandwidth, the management tools available and the MSP&#8217;s underlying platform. MSP Underlying Platform Some MSPs deploy their applications on top of other major MSPs or cloud computing providers. Although this is transparent to the end customers in terms of functionality, as it is fully abstracted from them, customers still need to be aware whether the SLA with the MSP covers the underlying platform in full and does not exclude the underlying cloud provider. There may be situations where a problem cannot be resolved in a reasonable time, or enhancements in performance cannot be obtained, due to the limitations of the underlying provider, over which your MSP has no control or access. On the other hand, there are many benefits gained with MSPs that use major cloud providers as their backend. Major cloud providers may have more data centers geographically dispersed around the globe which means [...]]]></description>
			<content:encoded><![CDATA[<p>Given that all software or service requirements are met by an MSP, organizations need to consider other important aspects of outsourcing managed services before actually taking a decision. Bandwidth is one factor that plays an important role when choosing a service provider, while other factors include data center geographic location(s), inter-data-center bandwidth, the management tools available and the MSP&#8217;s underlying platform.</p>
<p><strong>MSP Underlying Platform</strong></p>
<p>Some MSPs deploy their applications on top of other major MSPs or cloud computing providers. Although this is transparent to the end customers in terms of functionality, as it is fully abstracted from them, customers still need to be aware whether the SLA with the MSP covers the underlying platform in full and does not exclude the underlying cloud provider. There may be situations where a problem cannot be resolved in a reasonable time, or enhancements in performance cannot be obtained, due to the limitations of the underlying provider, over which your MSP has no control or access.</p>
<p><span id="more-721"></span>On the other hand, there are many benefits gained with MSPs that use major cloud providers as their backend. Major cloud providers may have more data centers geographically dispersed around the globe, which means faster connections for organizations with multiple branch offices. Having services running across different data centers has one major implication, though: the internal bandwidth between the cloud provider&#8217;s data centers. It is recommended to test the provider&#8217;s internal network by performing some process that requests internal services, such as data synchronization between resources. Organizations that operate from a single office would be better off choosing a service provider that is closer to them in terms of logical proximity. Other benefits of major cloud providers include the expertise they possess in managing large-scale infrastructures, which smaller MSPs may lack!</p>
<p>Therefore, organizations need to plan ahead before selecting a service provider. They need to consider whether the traffic/load created by their requests is constant or may include occasional high spikes. Such traffic/load spikes are managed using the scaling up/down and in/out mechanisms that the provider may be able to offer. In other words, is the provider capable of providing and sustaining such changes in the overall load? In fact, the available computing resources of a startup service provider are limited and depend on how many customers are on board, whereas with major cloud providers there is always the possibility of scaling up to meet an immediate need, obviously for a cost, but better than losing business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itinfomag.com/it-governance/choosing-a-managed-services-provider-msp/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The organization internal threats</title>
		<link>http://www.itinfomag.com/security-governance/the-organization-internal-threats/</link>
		<comments>http://www.itinfomag.com/security-governance/the-organization-internal-threats/#comments</comments>
		<pubDate>Sun, 07 Nov 2010 06:39:08 +0000</pubDate>
		<dc:creator>George</dc:creator>
				<category><![CDATA[Security Governance]]></category>
		<category><![CDATA[data leakage]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[internal employees]]></category>
		<category><![CDATA[malicious activity]]></category>
		<category><![CDATA[service providers]]></category>
		<category><![CDATA[SLA]]></category>
		<category><![CDATA[theft]]></category>

		<guid isPermaLink="false">http://www.backupmyhost.com/blog/?p=703</guid>
		<description><![CDATA[In last week&#8217;s article &#8211; a world of threats-information warfare, we have seen a couple of data theft incidents from internal employees, with the major case being an employee&#8217;s reaction to the dismissal from his duties and job. This article expands further the discussion about the risks organizations face from external entities (which count as insiders) and internal employees. Data Leakage The largest incidents of data theft are reported to have taken place from activities performed by the organization&#8217;s internal staff. Data leakage is not only the result of malicious activities such as theft; it can also occur accidentally. Employees&#8217; lack of data security awareness may cause information disclosure. For example, employee mishandling of information, errors due to lack of technical/operational training and the avoidance of security procedures may all lead to data leakage. The major problem with bad routines is that they may go on unnoticed forever, until a real theft takes place. Theft of intellectual property and other proprietary information, and exposure of private or sensitive information, are classified as the top targets. The main motive is the associated potential payoff, and the job does not require special skills since internal employees have access to internal data. [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-704" style="margin-left: 5px; margin-right: 5px; border-width: 0px;" title="spongebob plankton" src="http://www.itinfomag.com/wp-content/uploads/2010/11/spongebob-plankton.jpg" alt="" width="181" height="218" />In last week&#8217;s article &#8211; <a href="http://www.backupmyhost.com/blog/security-2/a-world-of-threats-information-warfare/" target="_blank">a world of threats-information warfare</a>, we have seen a couple of data theft incidents from internal employees, with the major case being an employee&#8217;s reaction to the dismissal from his duties and job. This article expands further the discussion about the risks organizations face from external entities (which count as insiders) and internal employees.</p>
<p><em><strong>Data Leakage</strong></em></p>
<p>The largest incidents of data theft are reported to have taken place from activities performed by the organization&#8217;s internal staff. Data leakage is not only the result of malicious activities such as theft; it can also occur accidentally. Employees&#8217; lack of data security awareness may cause information disclosure. For example, employee mishandling of information, errors due to lack of technical/operational training and the avoidance of security procedures may all lead to data leakage. The major problem with bad routines is that they may go on unnoticed forever, until a real theft takes place. Theft of intellectual property and other proprietary information, and exposure of private or sensitive information, are classified as the top targets. The main motive is the associated potential payoff, and the job does not require special skills since internal employees have access to internal data. Some may have full access to all data while others have limited or read-only access!</p>
<p><span id="more-703"></span><em><strong>Are internal employees the only insiders?</strong></em></p>
<p>At face value, one would start the risk list with departing employees, especially the disgruntled ones; however, as data theft has become financially motivated, I would include other parties within the insider&#8217;s domain. Is not an Internet service provider somehow connected with the business activity? They can monitor and collect all of the business data, and what if they are discontented providers? They may be experiencing difficulties due to late payments or have someone on board with a hidden agenda. This holds true for any displeased third-party contractor that may have limited or full access to the business assets (confidential data). Is it not possible for an offsite tape backup service provider to try their luck in restoring data from tapes in case IT staff forgot to lock a tape with a strong password? You may also find dissatisfied business customers that have enough technical knowledge and some knowledge of the business and may use their limited access (Intranets, insecure customer accounts) to cause disruption or steal confidential information. Are these considerations trivial?</p>
<p>One way or another, all of the above-mentioned entities can shock the business by modifying or removing sensitive data, introducing malicious code or disclosing information to third parties &#8211; the business competitors! All third-party entities need to be considered when assessing risks and establishing security controls. I have personally experienced environments where the internal IT staff was adequately controlled and had access only to the relevant areas (which is correct) while a third-party security firm engineer had access to all areas without any limitations or control!</p>
<p><strong><em>How do things happen?</em></strong></p>
<p>It starts with a good or optimal relationship. The company has a good turnover and treats the employees well, pays service providers on time, the internal staff feels part of the business and works very hard, IT staff manage a service uptime of over 99% of all resources, etc. Briefly, a two-way trust is established and the IT staff has the key to the house. Then SLAs and security measures may slack a bit, and so on and so forth. The business is doing well and the overall perspective is that all entities are functioning well&#8230; But what if the trusted employee turns entrepreneur, or is offered a good deal by a competitor, or becomes discontented when extra benefits are revoked? During difficult times senior management tend to take bad decisions and most often release their stress onto employees, and the hard work and long time spent building a wonderful work environment can be destroyed in a couple of days. The one-time employee of the month, a good programmer or system administrator, may become discontented and act wrongly. These people have leverage, as they know the business strengths and weaknesses, can go undercover very easily, can be overlooked, can be hard to detect and know when you&#8217;re not at home!</p>
<p><strong><em>Counter measures</em></strong></p>
<p>As a first step it is always suggested to perform a risk assessment exercise where all critical assets are identified. Focus all your efforts on the most sensitive data. Make sure that a good classification methodology is used. Review the security procedures surrounding these sensitive assets, or create them if they do not exist &#8211; these include access controls, logical, storage, processing, etc. Identify data storage locations, data transmission paths, departments managing such data and data change management approval/rejection methods. Consider using data leakage prevention software that can help you detect such incidents. Do a good Internet search for such software companies. Audit all procedures and controls and test such mechanisms as if you were the hacker, disgruntled employee or thief. While conducting all of the above drills, remember to focus on those areas that are most prone to internal threats.</p>
<p>Many reviews and surveys agree that most threats originate from technical departments such as IT and customer support departments. The main tools used in data leakage incidents are reported to be webmail, social networking sites and removable media, so make sure that these are monitored continuously and appropriately. Mobile devices are a good medium for such activities as they are easy to hide, can connect to the corporate network and can be transported without any problems. Some surveys identify Friday afternoons as the most popular time of action for most criminals. This may be due to the fact that control procedures are lax at such times and there may be less personnel onsite.</p>
<p><em><strong>Conclusion</strong></em></p>
<p>Trust is good, but blindfolded trust may lead to a lack of security. The biggest data leakage incidents were carried out by internal employees, whether they were seeking revenge, hoping to make money or acting for any other reason; you must think like a thief when implementing security controls. Make sure that you have identified all sensitive data and its movement.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itinfomag.com/security-governance/the-organization-internal-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Credit Card Processing &amp; PCI</title>
		<link>http://www.itinfomag.com/audit/credit-card-processing-pci/</link>
		<comments>http://www.itinfomag.com/audit/credit-card-processing-pci/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 02:38:19 +0000</pubDate>
		<dc:creator>George</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[acquirer]]></category>
		<category><![CDATA[card association]]></category>
		<category><![CDATA[cardholder]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[DSS]]></category>
		<category><![CDATA[issuer]]></category>
		<category><![CDATA[Mastercard]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[service providers]]></category>
		<category><![CDATA[VISA]]></category>

		<guid isPermaLink="false">http://www.backupmyhost.com/blog/?p=592</guid>
		<description><![CDATA[Nowadays, we participate in ecommerce activities on regular basis without appreciating what goes on in the background and how these services are monitored for security. In the following article, you will find brief overview of the main steps involved when performing online payments and how these services are regulated by the authorities. A customer (Cardholder) is purchasing a product from a merchant who accepts credit card on-line payments. The merchant uses a third-party organization (called the acquirer) that provides card processing services. Customers obtain their credit cards from an organization (called issuer) such as, banks or financial institutions. There are various brands (card associations) of credit card networks such as, VISA, MasterCard, etc. These networks act as a gateway between the third-party company (acquirer) servicing the merchants on-line payment and the bank or financial institution (issuer) for authorizing and funding transactions. The payment process goes through the following steps: The customer pays for a purchase from the merchant on-line store The acquirer verifies with the bank that the card number &#38; transaction amount are both valid and then processes the transaction &#8211; transaction authorized Transaction is stored in a batch for later processing by the acquirer Transactions batch is sent [...]]]></description>
			<content:encoded><![CDATA[<p>Nowadays we take part in e-commerce on a regular basis without appreciating what goes on in the background or how these services are monitored for security. This article gives a brief overview of the main steps involved in an online payment and of how these services are governed.</p>
<p>A customer (the cardholder) buys a product from a merchant who accepts credit card payments online. The merchant uses a third-party organization (the acquirer) that provides card processing services. Customers obtain their credit cards from an organization (the issuer) such as a bank or other financial institution. There are various brands (card associations) of credit card networks, such as VISA and MasterCard. These networks act as the gateway between the acquirer servicing the merchant&#8217;s online payments and the issuer, for authorizing and funding transactions.</p>
<p><span id="more-592"></span></p>
<p>The payment process goes through the following steps:</p>
<ol>
<li>The customer pays for a purchase from the merchant on-line store</li>
<li>The acquirer sends an authorization request through the card association network to the issuer, which checks that the card number is valid and that the amount is within the cardholder&#8217;s available credit; if so, the transaction is authorized</li>
<li>Transaction is stored in a batch for later processing by the acquirer</li>
<li>The acquirer sends the batch to the issuers over the respective card association network, which debits the cardholders&#8217; accounts and credits the acquirer: the acquirer has now been paid for all transactions</li>
<li>The acquirer pays the merchant, less the processing fee</li>
</ol>
<p>Credit card companies and banks can be trusted, hopefully! But what security controls are in place for the merchants&#8217; and acquirers&#8217; setups? We need a secure process, in other words a mechanism that ensures the cardholder&#8217;s data is stored, processed and transmitted securely all the way from the merchant&#8217;s website to the bank.</p>
<p>The Payment Card Industry (PCI) Data Security Standard (DSS) defines the security requirements that every entity handling cardholder data must meet. It began with each major card association running its own security program and progressed into a combined effort, the PCI Security Standards Council, which maintains the standard. Besides merchants, acquirers and issuers, the standard applies to service providers: companies that store, process or transmit cardholder data on behalf of acquirers, issuers or merchants.</p>
<p>PCI compliance is organized into levels that relate to the volume of card transactions an entity handles annually. For example, merchants with more than 6 million transactions a year fall under level 1, and major payment gateways are at level 1 in the service provider category. A small merchant with few transactions but a history of data breaches can also be moved to level 1. All levels carry the same security requirements; the top levels have more stringent validation requirements. Level 1 merchants and service providers must meet the DSS requirements, pass quarterly network scans by an approved scanning vendor and pass a yearly on-site assessment by an external qualified security assessor; annual penetration testing is a requirement of the standard itself. Lower levels validate with a self-assessment questionnaire alongside the quarterly scans.</p>
<p>By security requirements we mean that entities must install and maintain a firewall configuration to protect cardholder data, use strong passwords and never vendor-supplied defaults, restrict logical and physical access to data, run up-to-date anti-virus software, develop and maintain secure systems and applications, protect stored cardholder data and encrypt it in transit over public networks, and so on. The list applies not only to the internal environment but to the whole cardholder data environment, which can include a networked system connected to a public network or an off-site data storage service. Most assessments fail because merchants or service providers do not protect stored data as these requirements demand, typically full card numbers sitting in clear text in databases, exports or application logs.<br />
<!-- ddpostsbyauthor --></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itinfomag.com/audit/credit-card-processing-pci/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Cloud computing getting safer?</title>
		<link>http://www.itinfomag.com/security-governance/is-cloud-computing-getting-safer/</link>
		<comments>http://www.itinfomag.com/security-governance/is-cloud-computing-getting-safer/#comments</comments>
		<pubDate>Tue, 13 Jul 2010 03:23:09 +0000</pubDate>
		<dc:creator>George</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Security Governance]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[SAS 70]]></category>
		<category><![CDATA[service providers]]></category>
		<category><![CDATA[Type II]]></category>

		<guid isPermaLink="false">http://www.backupmyhost.com/blog/?p=568</guid>
		<description><![CDATA[One of the major players in cloud computing &#8211; Amazon, are SAS 70 compliant. A small step forward towards safer environments as many commented but I see it as an important move &#8211; well done Amazon! As I stated in previous articles, cloud computing has to prove that it is getting safer and safer. Ernst &#38; Young carried out Amazon&#8217;s SAS 70 Type II audit, quite an assurance that the job was done to high standards. This means that remote online backup providers that use Amazon as their backend have one important layer SAS 70 certified, however, the backup service provider remains responsible and should implement the necessary security measure to protect their customers&#8217; data.   So what is SAS 70 (Statement on Auditing Standard 70) Audit? &#8211; The AICPA (American Institute of Certified Public Accountants) responsible body defines it as &#8220;Report on the Processing of Transactions by Service Organizations&#8221; where professional standards are set up for a service auditor that audits and assesses internal controls of a service organization. At the end of the audit, the service auditor issues an important report called the &#8220;Service Auditor&#8217;s Report&#8221; Now there two types of SAS 70 audits, Type I and [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-569" style="border: 0px;" title="sas-70 stamp" src="http://www.itinfomag.com/wp-content/uploads/2010/07/sas-70.gif" alt="" width="140" height="138" />One of the major players in cloud computing, Amazon, is now SAS 70 compliant. Many commented that this is only a small step towards safer environments, but I see it as an important move: well done Amazon! As I stated in previous articles, cloud computing has to prove that it is getting safer. Ernst &amp; Young carried out Amazon&#8217;s SAS 70 Type II audit, which gives reasonable assurance that the job was done to a high standard. This means that remote online backup providers that use Amazon as their back end have one important layer covered by a SAS 70 report; however, the backup service provider remains responsible and must implement the necessary security measures to protect its customers&#8217; data.</p>
<p><span id="more-568"></span> <br />
So what is a SAS 70 (Statement on Auditing Standards No. 70) audit? The AICPA (American Institute of Certified Public Accountants), the responsible body, titles it &#8220;Report on the Processing of Transactions by Service Organizations&#8221;; it sets professional standards for a service auditor who examines and assesses the internal controls of a service organization. At the end of the audit, the service auditor issues the &#8220;Service Auditor&#8217;s Report&#8221;.</p>
<p>There are two types of SAS 70 audit, Type I and Type II. A Type I report covers whether the controls are suitably designed and placed in operation as of a specific date, according to the stated control objectives; a Type II report adds tests of whether those controls actually operated effectively over a review period, normally at least six months.</p>
<p>In other words, a SAS 70 audit is an in-depth examination of a service provider&#8217;s control objectives and control activities, including IT controls. Briefly, a service provider must have adequate controls and safeguards over its customers&#8217; data in order to obtain a clean report. Note that SAS 70 produces a report rather than a certificate, and it is somewhat flexible and dependent on the service provider and the auditor: the provider chooses its own control objectives, so some customers may agree with Amazon&#8217;s control objectives and operational standards while others may not.</p>
<p>SAS 70 Type II may be seen as the basis for future, more rigid certifications. It may lack some important aspects of security, but it certainly examines operational performance and the service&#8217;s ability to safeguard customer data, and many hosting organizations are obtaining it.</p>
<p>I have read many expert articles stating that SAS 70 is limited to policies and procedures inside data centers and does not cover major security weaknesses such as unintentional errors by personnel. That is actually an argument in favor of cloud computing. Why? Would an organization with an in-house solution take an individual member of its IT staff to court in the event of data mishandling? It might, and if it did, would it recover the lost revenue or damages from an individual? An organization that is the customer of a service provider, on the other hand, can take that provider to court if its data is mishandled. With cloud computing providers you have a higher chance of recovering something when a serious incident happens.<br />
<!-- ddpostsbyauthor --></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itinfomag.com/security-governance/is-cloud-computing-getting-safer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Can we trust cloud computing?</title>
		<link>http://www.itinfomag.com/security-governance/can-we-trust-cloud-computing/</link>
		<comments>http://www.itinfomag.com/security-governance/can-we-trust-cloud-computing/#comments</comments>
		<pubDate>Sun, 23 May 2010 15:11:08 +0000</pubDate>
		<dc:creator>George</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Security Governance]]></category>
		<category><![CDATA[Amazon]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cloud services]]></category>
		<category><![CDATA[EC2]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[S3]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[service providers]]></category>

		<guid isPermaLink="false">http://www.backupmyhost.com/blog/?p=509</guid>
		<description><![CDATA[Every solution has its two sides of the coin. We come across various marketing techniques that somehow define cloud computing in relation to the services they provide! In order to jump on to the cloud bandwagon and attract customers, some companies advertise their services as cloud services when in fact these are not! Therefore, what is cloud computing? &#8211; We define cloud computing as anything that involves delivering hosted services over the Internet. Cloud services are categorized as, Infrastructure as a Service, Platform as a Service or Software as a Service (IaaS, PaaS, SaaS). While, the name cloud, is the symbol used to represent the Internet in various technical and non-technical drawings. The cloud is not just a cool technology model but it is also a business model. It is a well-known fact that Amazon at the outset, designed the infrastructure for their own use but it evolved into a product or better a service offered as &#8211; Amazon&#8217;s Web, EC2, S3, or Amazon&#8217;s cloud. It is quite evident that now they are trying to increase their revenue by pushing their infrastructure to the limits through new offers such as, &#8211; Spot Instances enable you to bid for unused Amazon [...]]]></description>
			<content:encoded><![CDATA[<p>Every solution has two sides to the coin. We come across various marketing techniques that somehow define cloud computing in terms of whatever services a vendor happens to provide! In order to jump on the cloud bandwagon and attract customers, some companies advertise their services as cloud services when in fact they are not. So what is cloud computing? We define it as anything that involves delivering hosted services over the Internet. Cloud services are categorized as Infrastructure as a Service, Platform as a Service or Software as a Service (IaaS, PaaS, SaaS). The name comes from the cloud symbol used to represent the Internet in technical and non-technical drawings.</p>
<p><span id="more-509"></span></p>
<p>The cloud is not just a cool technology model; it is also a business model. It is well known that Amazon originally designed the infrastructure for its own use, and that it evolved into a product, or rather a service, offered as Amazon Web Services: EC2, S3, or simply Amazon&#8217;s cloud. It is quite evident that they are now trying to increase revenue by pushing their infrastructure to the limit through new offers such as <em>Spot Instances enable you to bid for unused Amazon EC2 capacity</em>. We have all heard of power outages, resources that disappear and slower response times, which may be a consequence of an overloaded setup. However, from personal experience I can say that these incidents are very rare with big providers such as Amazon. Remember that downtime is also possible with in-house solutions!</p>
<p>One common SaaS is email: if cost is the main criterion, then outsourcing email is your best option. Although big corporations can negotiate favorable agreements with email providers such as Google, remember that small and medium businesses may not get the same favor! A word about Google&#8217;s email and application services: it is very hard to get reasonable support, and you may need to rely on third-party tools for basic tasks such as backing up mailboxes. In addition, there is no guarantee that user data is secured and backed up.</p>
<p>All cloud services share the available resources, so you are competing for computing resources with other customers. A good alternative would be to place your assets with two different providers, or to use the cloud only to scale up your systems when demand rises. Even if you implement all the security measures offered by the cloud provider and by the systems themselves, there is still the risk of intrusion or destruction from neighboring hosts. Neighboring hosts are virtual machines running on the same server or in the same data center. One university claims to have a prototype that can identify the exact location of a target virtual machine and then launch a neighboring VM (virtual machine) with high utilization that interferes with the shared underlying platform! When using the cloud as a storage provider, encrypting the data before it leaves your own systems would adequately harden security; read <a href="http://www.backupmyhost.com/blog/enterprise/securing-your-online-backup-archives/" target="_blank">Securing your online backup archives</a></p>
<p>No cloud standards exist yet! If you are using the cloud as an infrastructure service, you generally cannot move your assets to another cloud provider without rebuilding your systems from scratch and migrating all your data, because virtual machine setups are not compatible from one provider to another. If you are using software as a service, you need to find another provider that offers the same service together with data migration capabilities. Apart from all this, one of the major setbacks remains your Internet connection, so before contemplating cloud services make sure to invest in a good and reliable connection; otherwise you will be disappointed!<br />
<!-- ddpostsbyauthor --></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itinfomag.com/security-governance/can-we-trust-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Remote online backup providers</title>
		<link>http://www.itinfomag.com/data-backup-recovery/remote-online-backup-providers/</link>
		<comments>http://www.itinfomag.com/data-backup-recovery/remote-online-backup-providers/#comments</comments>
		<pubDate>Mon, 10 May 2010 10:35:00 +0000</pubDate>
		<dc:creator>George</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data Backup & Recovery]]></category>
		<category><![CDATA[Curtis Preston]]></category>
		<category><![CDATA[online backups]]></category>
		<category><![CDATA[remote backup]]></category>
		<category><![CDATA[SearchDataBackup]]></category>
		<category><![CDATA[service providers]]></category>

		<guid isPermaLink="false">http://www.backupmyhost.com/blog/?p=489</guid>
		<description><![CDATA[Very recently, I read an article by W. Curtis Preston (at SearchDataBackup.com) about remote online backup services. As this blog, deals with data backups I would like to comment about some points. W. Curtis Preston is an executive editor at TechTarget and independent backup expert.  Preston starts his article by pointing out the major setback of remote online backups that is the first full backup execution time and mentions the seeding option. The seeding option is when a service provider offers the customer to shift a complete set of all data through a physical means such as, removable drives. In addition, he mentions the long backup time that the initial full backup job would take and the bandwidth limitations associated with large uploads of data. This is true and I would consider these factors as the only limitations of remote online backups. In fact, we both agree that home users and SMBs are the ideal customers of these services. In my opinion Curtis missed one important benefit here, the off-site functionality these services provide! One should not forget the time taken to transfer a backup set off-site using the conventional services! Using tapes to backup all data takes time, having a service [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-490" title="remote online backup setup" src="http://www.itinfomag.com/wp-content/uploads/2010/05/remote-online-backup-setup.jpg" alt="" width="227" height="163" />Very recently I read an article by W. Curtis Preston (<a href="http://searchdatabackup.techtarget.com/generic/0,295582,sid187_gci1510545,00.html?track=NL-1058&amp;ad=763471&amp;asrc=EM_USC_11417785&amp;uid=788342" target="_blank">at SearchDataBackup.com</a>) about remote online backup services. As this blog deals with data backups, I would like to comment on some of his points. <em>W. Curtis Preston</em> is an executive editor at TechTarget and an independent backup expert. </p>
<p>Preston starts his article by pointing out the major drawback of remote online backups, the execution time of the first full backup, and mentions the seeding option. Seeding is when the service provider lets the customer ship the complete initial data set by physical means, such as removable drives. He also mentions the long time the initial full backup job takes and the bandwidth limitations associated with large uploads of data. This is true, and I would consider these factors the only limitations of remote online backups. In fact, we both agree that home users and SMBs are the ideal customers for these services.</p>
<p><span id="more-489"></span></p>
<p>In my opinion Curtis missed one important benefit here: the off-site functionality these services provide! One should not forget the time taken to move a backup set off-site using conventional services. Backing up all data to tape takes time, and having a service provider collect tapes from different locations means that your backup tapes spend a good deal of time in a vehicle before they reach their destination. Then what about the retrieval arrangement? If you want to recover some data from the off-site tapes, how fast can you get them back?</p>
<p>Furthermore, Curtis covers the backup requirements and mentions SLAs but leaves out one important requirement. I would definitely include security requirements in the SLA: what type of security mechanism is the provider willing to offer, are they going to provide me with a security key, how will they transfer that key to me, and so on. In my opinion these are the main concerns and deserve more attention than backup frequency and restore times. Connection speeds are hard to pin down in black and white in an SLA, as they depend on the full network path from your host to the provider&#8217;s location. Here the best approach is to trial the selected provider for a period and compare its overall connection with that of other providers.</p>
<p>One of the major pitfalls, as Curtis correctly points out, is the restore test run. If you do not verify that the backed-up data can actually be recovered, you are as good as having no backup at all. I came across some providers that allow optional direct access to the backup location. That is, the provider manages your account, logs all activity and provides a fast backup mechanism, but with the added ability to restore directly from the backup location. This added functionality allows you to download or restore your data when the provider is partially or, in some cases, completely down. Such a case exists where a service provider uses a third-party storage provider (for example Amazon&#8217;s cloud) and acts as the middleware between you and the storage location; however, you need to negotiate direct access prior to signing any agreement! In the articles to follow I will write more about remote online backups :)<br />
<!-- ddpostsbyauthor --></p>
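<p>The restore test run described above, as an added example that is not part of the original article: a Python script that records a manifest of the source data (relative path, size and SHA-256) before the backup and checks a test restore against it, reporting files that are missing, altered or unexpected. The sample tree, the simulated restore and its deliberate truncation and omission are constructed in a temporary directory so the script runs offline; the manifest layout is an assumption, not any provider&#8217;s format.</p>

```python
"""Verify that a backup actually restores.

Added example, not from the article. Before trusting a remote backup, record
a manifest of the source data (path, size, SHA-256). After a test restore,
check every entry against the restored copy: a restore that "succeeds" but
returns different bytes, or fewer files, is exactly the failure the article
warns about. The sample data is constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> (size, sha256) for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (p.stat().st_size, sha256_file(p))
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest; return lists of problems."""
    restored = build_manifest(restored_root)
    problems = {"missing": [], "changed": [], "extra": []}
    for rel, (size, digest) in manifest.items():
        if rel not in restored:
            problems["missing"].append(rel)
        elif restored[rel] != (size, digest):
            problems["changed"].append(rel)
    problems["extra"] = [rel for rel in restored if rel not in manifest]
    return problems


def restore_ok(problems):
    """True only when nothing is missing, changed or unexpected."""
    return not any(problems.values())


def demo():
    """Constructed scenario: one file restored intact, one truncated, one never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        (src / "db").mkdir(parents=True)
        dst.mkdir()
        (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n" * 100)
        (src / "config.ini").write_text("[backup]\nschedule=nightly\n")
        (src / "notes.txt").write_text("keep me\n")
        manifest = build_manifest(src)          # taken before the backup is sent off-site

        # Simulated restore: config.ini intact, orders.sql one row short, notes.txt absent
        (dst / "db").mkdir()
        (dst / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n" * 99)
        (dst / "config.ini").write_text("[backup]\nschedule=nightly\n")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    result = demo()
    print("restore verified" if restore_ok(result) else f"restore FAILED: {result}")
```

<p>Keep the manifest somewhere other than the backup itself (otherwise a corrupted backup can silently carry a matching corrupted manifest), and run the check on a schedule rather than once at sign-up, since the provider&#8217;s software, and your own data, change over time.</p>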
]]></content:encoded>
			<wfw:commentRss>http://www.itinfomag.com/data-backup-recovery/remote-online-backup-providers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

