Wednesday, October 26, 2011

What are Enterprises Really Doing in the Cloud?


by James Staten on October 25, 2011
You know there are developers in your company using public cloud platforms, but do you really know what they are doing? You suspect it’s just test and development work, but are you sure? And if it is production workloads, are they taking the steps necessary to protect the company? We have the answers to these questions, and you may be surprised by how far they are going.
It’s tough being an infrastructure & operations professional these days. According to our ForrSight surveys, for every cloud project you know about there could be 3 to 6 others you don’t know about. Business unit leaders, marketing and sales professionals, and Empowered developers are leading the charge. They aren’t circumventing I&O as a sign of rebellion – they are simply trying to move quickly to drive revenue and increase productivity. While every I&O professional should be concerned about this pattern of shadow IT and its implications for the role of I&O in the future, the more immediate concern is whether these shadow efforts are putting the company at risk.
The bottom line: Cloud use isn’t just test and development. In fact, according to our ForrSight research, there’s more production use of IaaS cloud platforms than test and development, and broader use is coming (see Figure 1 below). The prominent uses are for training, product demonstration and other marketing purposes. Our research also shows that test and development projects in the cloud are just as likely to go to production in the cloud as they are to come back to your data center.
So how much should you be concerned about this trend? Well, first off, you can probably forget about trying to stop it. Your focus should be on determining how much risk there is in this pattern, and this may take a leap of faith on your part because, as of right now, your developers know more about how to use public cloud platforms than you do. This means they are more knowledgeable than you about what it takes to make them highly available and secure. This experience deficit is a much more problematic issue than anything else, because when you start asking your developers what they are doing to ensure the availability of their applications on IaaS, you don’t really even know what to ask.
Sure, you can ask what they are doing to ensure availability, but do you even know what the availability options are on the leading clouds and how best to leverage them? Do you know what data replication takes place by default and what options they could turn on?
At the same time, you can’t just trust the developers to care as much about data integrity, BCDR and availability as you do because, normally, they entrust this to you. So rather than engage in a frustrating back and forth that risks misunderstanding by both parties, let’s see if we can accelerate your learning and bring these cloud efforts out of the shadows, so you can learn exactly what is going on and how much you really should be worried.

Friday, October 21, 2011

Dynamic Cloud Security: Test Driving the Benefits


Cloud security represents a spectrum of capabilities that you can tailor to your needs

Many IT organizations assume that security risks increase with a shift to cloud computing. The reality, however, is not so clear-cut. In fact, many of these same organizations will be surprised to learn that adopting cloud operating models with appropriate governance and security controls can actually reduce the level of risk relative to their current IT environments. Here's why:
IT professionals frequently develop unwarranted security concerns regarding cloud computing primarily because cloud environments are dynamic and enable new levels of workload portability that are very different from what they're familiar with. In cloud environments, application workloads can be moved to totally different physical infrastructure or service providers from one deployment to the next. The underlying application data can move even more frequently, depending on the type of instance and persistent storage options you've selected.
This means your security boundaries have to be dynamic too. They have to move with the workload and the data, and configure themselves in new environments in a consistent and automated manner.
Taking Cloud Security for a Spin
A simple analogy can be made between securing cloud workloads and securing a car. When you park your car in your home garage, typically you just close the garage door and that's it. You assume your car is safe inside your garage along with your other belongings, so you typically don't worry about locking your car doors or taking other precautions.
However, when you park your car somewhere else, you typically lock the doors to secure it. There are several ways you can do this. The door locks could be activated by a remote, a keypad on the door, or the proximity of an RFID tag in the key fob. You may decide to upgrade your security by adding a factory alarm system, steering wheel lock, LOJACK tracking system, or other security system depending on the car's value. Finally, you can also decide where to park your car depending upon your risk tolerance. For example, you may accept your favorite restaurant's offer of valet parking in a monitored lot instead of parking down a secluded street.
The point is that you can create a portable security boundary around your car that can be equal to or even more secure than your garage. Cloud security is similar in concept: portable cloud workloads offer a wide range of options to establish a very effective portable security boundary. In fact, cloud workload security has an additional important benefit over the car analogy, which is that security configurations can be completely automated and policy-driven. Using the car analogy, this means you no longer have to worry about forgetting to lock your door or arm your alarm system in the parking lot, because the car will automatically do it for you.
Under the Hood: Cloud Security Options
This new approach to securing a moving workload is a big departure for many IT groups that are used to working in more static and controlled environments (similar to the home garage). These IT groups are used to working with physical data center infrastructure, traditional firewalls, mostly static networks, and familiar resources that they own and control. The idea of moving workloads in and out of new environments they don't control is a big concern, especially knowing they've expended tremendous time and attention manually configuring their own environment.
However, today a broad range of proven technologies can deliver consistent, automated security for portable cloud workloads. They include virtual private networks, encrypted data storage, host intrusion detection systems, hypervisor-based firewalls, and federated identity management systems. These systems can complement each other to provide an end-to-end security solution that encompasses instances, data, network, and role-based access as desired.