Cloud security still needs a lot more work, say European experts

Security and privacy remain a stumbling block for cloud computing, according to information experts speaking at the Trust in the Digital World conference in Madrid.

Cloud computing is secure in general, agreed a panel of experts, but there are gaps and there is no such thing as 100% security, said Raul Granadino, cyber security excellence programme manager at Spain’s national cyber security institute, Incibe.

“Cloud computing is secure enough for what it is currently being used, such as e-commerce, but a lot more work will be needed to make it secure enough for critical applications and infrastructure,” said European Union Agency for Network and Information Security Agency (Enisa) head of operations Steve Purser.

“Cloud computing for critical infrastructure is a whole new ball game and the industry will have to do a lot more work before that could happen,” he said.

Enisa believes cloud service providers will have to solve some of the risks of cloud computing, but Purser points out that not all of them are security and privacy-related.

Read more about cloud security

“Availability is key to critical infrastructure and applications, yet that is often overlooked as a stumbling block for cloud computing, with the focus tending to be on security and privacy,” he said.

“Cloud computing is also just one element, but providers of critical infrastructure should be looking at the whole set of components in terms of availability, including things like electricity supplies.”

In the context of security, Enisa believes cryptography and key management is the key challenge when it comes to using cloud computing for critical applications and infrastructure.

“There is a need for strong cryptographic controls in the cloud, but key management in the cloud is still very difficult to do and more research has to be done to find a way forward,” said Purser.

In general, the panel said cloud service providers should seek to build trust through being completely open about their security processes and making it easy for customers to run independent assessments.

“There is a need for greater transparency, particularly for things like processes for incident response, log management and security audits,” said Telefonica chief technology officer David Barroso.

However, the panel said not all consumers of cloud services will be able to make meaningful assessments of their service providers.

Cloud security certification scheme

To get around this problem and make it easier for consumers of cloud services to choose providers that meet their particular security requirements, Enisa is proposing to introduce a certification scheme.

Enisa believes certification against a set of generally agreed security requirements for Europe will go a long way to creating trust and giving customers confidence in their cloud service providers.

NIS will help the whole cloud ecosystem and provide an opportunity for cloud service providers to help businesses that have less mature IT strategies

Raul Granandino, Incibe

“Comprehensive certification for cloud service providers that includes things like legal and service level requirements will make it easier for companies of all sizes make confident choices,” said Purser.

The panel said the public and private sector should work together to improve the security and privacy of cloud services and grow trust in cloud service providers through transparency.

“The role of the public sector is to raise issues to ensure public safety, while the private sector should seek to build the solutions to those problems as market differentiators,” said Purser.

Granadino, who co-chairs one of the working groups for the for the EU’s Network Information Security (NIS) platform, said the planned NIS directive will help set a common security baseline for cloud service providers.

“NIS will help the whole cloud ecosystem and provide an opportunity for cloud service providers to help businesses that have less mature IT strategies, which typically includes most small and medium businesses,” he said.

Enisa considers regulation to be good, but “in limited doses,” said Purser. The organisation believes best practice is important and often the best way forward when it comes to fast-moving technologies such as cloud computing, he said.

However, Purser said the good thing about the proposed NIS directive is that it is very abstract, allowing for plenty of opportunity for Enisa to work with the private sector to find the most “business-friendly” way of implementing the directive.

The ideal, he said, would be to ensure that the principles of the NIS directive are implemented in such a way that businesses are able to realise the full potential of cloud computing or any other new technology.

Security concerns often overlooked

Purser expressed concern that businesses may be getting too comfortable with technology and that security and privacy concerns are often overlooked in favour of functionality and cost savings.

However, Barroso said he is seeing a change in enterprise behaviour, with a growing number of businesses including security requirements as part of their procurement processes.

“Security is becoming increasingly important for enterprises and there is greater scope for CIOs to include security in purchasing decisions, but the final say still rests mostly with non-IT executives,” he said.

Security is becoming increasingly important for enterprises and there is greater scope for CIOs to include security in purchasing decisions, but the final say still rests mostly with non-IT executives

David Barroso, Telefonica

Barroso said another indication of this trend is an increasing demand from customers for datacentres in their own countries or regions. “And that is not limited to customers in Europe, we are getting similar requests from customers in other parts of the world too,” he said.

Looking to the future of cloud computing, most members of the panel were optimistic and said that cloud services would continue to evolve and grow.

But Purser said security, privacy and guaranteed availability are key obstacles to the further development of cloud services.

“The winners will be those who can find practical ways of solving these issues, but so far I can see very little progress in this regard,” he said.

Intel Security panel chair and chief technology officer for Europoe Raj Samani said he believes cloud service brokers will play an important role in the future of cloud computing.

Under this proposed model, a cloud broker would manage the use, performance and deliver of cloud services, and negotiate relationships between cloud service providers and consumers.

Advocates of this model believe it has the potential to eliminate many of the concerns businesses have over cloud computing as well as simplying the process of managing multiple cloud service providers.

“It is surprising that cloud brokers are not already a reality because this approach would help avoid the problem of getting locked into particular cloud service providers,” said Samani.

Barroso said companies with the greatest concerns about public cloud are currently focused on setting up private clouds to realise the benefits of cost reduction and scalability.

“Cloud brokers could be the next step in the evolution, but I think that will still take another five to ten years,” he said.

Granadino said that certification of cloud services is likely to be important, and that big data and data generated by the internet of things will be among the best use cases for cloud computing.

“The winners will be those cloud service providers that can create a secure technology stack for delivering services in these two areas,” he said.

Read More »

Cloud security summit comes to Norway

IT directors and security professionals from across the Nordics will gather in Oslo on 15 June for the first Nordic Summit from the Cloud Security Alliance (CSA).

Keynote speakers include Jim Reavis, co-founder and CEO of the Cloud Security Alliance, and Raj Samani, chief technology officer (CTO) at McAfee Europe, Middle-East and Africa.

“I’m going to share the current trends and where I believe the opportunities lie for companies looking to leverage cloud computing,” said Samani. 

“Cloud computing offers a great opportunity to every business. It allows them to be more productive, more innovative and more profitable,” he said. 

According to Samani, cloud computing is moving towards the management of critical data for critical environments, but he is wary of the risks that come with the opportunity. 

“When using external cloud providers, security risks must be fully understood and properly addressed,” he said. 

“This conference is imperative to security professionals and those in the cloud business to understand the future direction of cloud computing and, most importantly, how to maintain the level of trust your customers have in your business,” he added.

Read more about cloud computing in the Nordics

Also on stage will be Thom Langford, director of Sapient’s global security office and award-winning security blogger, while Jim Reavis, Ramsés Gallego of Dell Software and Torgeir Waterhouse of ICT Norway take part in a panel discussion entitled Cloud, Health and the Future.

The event is hosted by the CSA Norway branch, which was established in 2010 and is the most active branch in the region. It was originally planned as a Norway event, but the focus of the conference widened as the other chapters in the region weren’t planning to host their own events.

“There will be sessions suitable for both security practitioners and those working at a strategic level,” said event spokesperson Rolf Frydenberg.

“Many companies are investigating or are already using cloud-based services, but there’s a lot of misinformation about data security, so we want to discuss and promote best practice security standards,” he said. “For example, the CSA publishes a Cloud Controls Matrix, which is a guide that helps IT professionals make sense of the different security standards and understand what is relevant to them.”

After the conference there is an optional day of training for the Certificate of Cloud Security Knowledge (CCSK), a CSA-created certification programme recognised worldwide. Leading the training is Lars Neupart, founder and CEO of Neupart AS, an information security management company based in Copenhagen.

The CSA Nordic Summit will take place at the Vulcan Arena, a short distance from Oslo’s city centre.

The Cloud Security Alliance is a non-profit organisation that promotes the use of best practices for providing security assurance in cloud computing, and provides education on the uses of cloud computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

Read More »

Security fears stop small firms using cloud computing

Although 60% of small businesses are using cloud computing services, the remaining 40% are put off by security fears.

According to research by the Federation of Small Businesses (FSB), data theft or loss is the biggest concern for companies that have not yet taken up cloud computing services.

Their concerns were: data theft or loss (61%), reliable access to online services (55%), concerns over who would have access to the data (53%), liability issues (41%), and over-dependence on cloud services (33%).

Citing its 2012 European Commission report, the FSB said using cloud computing could help 80% of organisations reduce their costs by 10-20%.

"Many small businesses are recognising the advantages of cloud computing services, but there remains a great deal of concern that sensitive data may not be secure or the service not reliable,” said FSB national chairman John Allan. “Businesses don't want to transition to cloud-based systems without knowing who will be liable if something goes wrong.

"Clearly, there is more for the industry and regulators to do to reassure businesses that their data is safe and secure. But equally apparent is the message from small businesses that pricing and terms and conditions need to be much more transparent."

Read more about SMEs and the cloud

The FSB survey revealed that 45% of small businesses are already greatly or fairly reliant on cloud computing services.

The most common services were storing files online (74%), web-based email and calendars (67%), file-sharing services (64%), web-based office software (38%) and accounting and invoicing services (37%).

About half of respondents (48%) said plain English terms and conditions would help persuade them to use cloud computing services, and 46% wanted more transparent pricing.

"The fact that so many businesses are already heavily reliant on web-based services raises some pointed questions over the resilience of the wider UK economy if we can't find answers to questions like global data security and legal jurisdiction over data held in other countries," Allan added.

In a recent survey conducted by the European Commission’s Eurostat statistics service, public cloud computing was reportedly used by 24% of large enterprises and 12% of small and medium-sized enterprises (SMEs) in the EU.

However, the survey noted that the risk of a security breach scored highest both for large enterprises and SMEs, at 57% and 38% respectively.

Read More »

Singapore hosts Aliyun's new Asean-based cloud data center

Aliyun is set to open its latest cloud data center in Singapore next month.

The Singapore facility will be the seventh globally for the cloud computing arm of Alibaba Group. Aliyun said its headquarters for overseas business will be based in Singapore to drive its overseas expansion plan.

Aliyun is confident that with direct connections to its data center network via Beijing, Hangzhou, Qingdao, Hong Kong, Shenzhen and Silicon Valley, the Singapore cloud data center will cater to the cloud computing needs of businesses investing in south-east Asia.

"Singapore is a natural destination to be our headquarters for overseas expansion," said Sicheng (Ethan) Yu, vice-president of Aliyun. "We are seeing healthy demand for cloud-related data management services in Singapore because of the ease of doing business, comprehensive transport and telecommunications connections, and robust intellectual property regime. The stable geo-political climate and abundance of highly skilled talent are advantages, too."

Danni Xu, data center and cloud computing analyst at Frost & Sullivan in Asia Pacific, said Aliyun’s expansion into Singapore is good news for Asean businesses that are opting for more cost-effective cloud and data center solutions in the local market, while adding the potential to tap into the China market.

“On the other hand, many Chinese enterprises are also looking to expand into the Asean market by leveraging on Aliyun’s platform, which will definitely pose as competition to the local Asean businesses across all sectors,” she said.

Xu said the cloud computing landscape in the Asean region is maturing rapidly, with different countries at various stages of cloud development.

Read more about enterprise IT in the Asean region

“Singapore is the most developed cloud market in the region, accounting for the largest portion of total cloud spending, owing to the strong government support and the aggregation of multinational companies.”

Xu added that Malaysia is the second largest cloud market in the region, with major enterprises beginning to move their services into the cloud.

Indonesia, Thailand and the Philippines are nascent cloud computing markets, taking a wait-and-see approach, while Vietnam is beginning to see initial uptake of cloud services, she said.

The major challenges Xu sees for cloud adoption in the Asean region include: lack of awareness and understanding of the cloud services model and the economic benefit of cloud adoption in certain Asean countries; lack of business cases to migrate from legacy systems; concerns around security, data integrity and privacy, as well as hosting locations; and poor bandwidth and broadband infrastructure in the rural areas of some Asean countries.

Read More »

Scottish government denies "cloud-washing" mobile device procurement framework

The Scottish government has been accused of using “cloud-washing” to generate interest from IT suppliers in a recently announced £20m mobile device procurement framework.

Ministers are currently seeking a single supplier to provide a range of Scottish public sector organisations – including councils, further education institutions and NHS trusts – with a mix of fixed and mobile computing devices.

According to the accompanying framework advisory documents, obtained by Computer Weekly, the government is looking specifically for two types of mobile devices that are “optimised for cloud computing” that feature either a maximum screen size of 11.6 inches or 14 inches.

It’s also looking to procure a “range of fixed and mobile computers” featuring a proprietary operating system.

Suppliers raise cloud concerns

However, suppliers have expressed disappointment to Computer Weekly about the fact it’s being presented as a cloud computing framework, when it’s truly geared towards the procurement of hardware.

Particularly as the latter point isn’t overtly stated in the introductory and full text of the publicly accessible contract notice, it is claimed, which says the framework will be used for the “provision of cloud computing and proprietary devices and associated services”.

This was a view backed by TechMarketView principal analyst Michael Larner, who agreed the framework’s name risks creating confusion among suppliers who – at first look – might assume it’ll be used by government departments to procure cloud services.

“If it’s not clearly stated that it’s a hardware-orientated procurement, there is a risk suppliers will waste time, money and effort engaging in the process before they realise it’s really about procuring a Chromebook, a Microsoft Surface or an iPad, for example,” he said.

Read more about government cloud procurement

“The opportunity really for the cloud software providers will be at a later stage once the hardware is sorted out, and the datacentre consolidation process the Scottish government has embarked on is completed.”

Jessica Figueras, research director at fellow market watcher Kable, said shoehorning “cloud” into the title could be considered opportunistic, given that it will be used to procure low-cost and specification laptops.

“This is just an opportunity to spend a little less on hardware, as the idea is if you have a group of workers who are mainly going to be using cloud services, opposed to traditional fat clients, then they don’t need as high a spec laptop so you can get it cheaper,” she said.

Public sector IT suppliers are used to framework owners employing these kinds of marketing tactics to drum up interest in their procurement opportunities, added Figueras.  

“Part of a framework owner’s job is to market their frameworks and obviously they want to get the widest range of suppliers bidding for them to make things as competitive as possible,” she said.

“You can see how, in some cases, there would always be the temptation to big things up a bit more and give them slightly sexier titles, but suppliers are all pretty grown up and understand what the deal is.”

Hardware type 'clearly specified'

What suppliers should be wary of though, added Figueras, is putting too much stock in the projected amount of money the government claims the framework could generate.

“This, again, is absolutely nothing new for suppliers as all frameworks are legendary for delivering a fraction of the value they say they’re going to,” she said.

In a statement to Computer Weekly, the Scottish government defended the framework’s presentation, as the details about the type of hardware it’s looking for are “clearly specified” in its invite to tender documentation.

“The generic title of 'cloud computing' was selected to differentiate between the lower specification of the devices required predominantly in the education sector to access cloud or internet-based services. These devices differ in specification from the traditional corporate mobile device category of laptops,” the government statement reads.

It also went on to say that it had taken steps to make suppliers aware this was a hardware-orientated framework, rather than a cloud procurement one.

“The requirement is clearly defined as hardware in the tender documentation and the main common procurement vocabulary code used to advertise the opportunity. Any reference to services [made in the tender documents] are the services required to deploy the devices,” the statement continued.

Read More »

IT services procurement: Could G-Cloud be the answer Europe is looking for?

Anyone reading the British press would be left with the impression the UK is, at best, a half-hearted member of the European community and, at worst, positively at odds with its continental neighbours.

While it’s true to say there are some areas of disagreement, there are commercial areas where the UK is not only fully engaged, but actively leading the field.

Cloud computing is one area where British expertise is really showing the way. Take the UK government’s G-Cloud project, which is currently attracting a good deal of interest across Europe, as an example of how public sector procurement can be done differently and more efficiently.

Public sector procurement is a key component of the European Cloud Computing Strategy, launched by former European Union (EU) commissioner Neelie Kroes in 2012.

Speaking at the time of the launch, she said: “Public IT procurement is about 20% of the market, but today it is fragmented with limited impact.

“We can harness this buying power through more harmonisation and integration and through joint public procurement across borders. It is a true win-win: The cloud market will grow, bringing opportunities for existing suppliers and new entrants; and cloud buyers, including the public sector, will buy more with less and become more efficient,” she added.

Lack of enthusiasm for cross-border cloud strategy

It’s fair to say there hasn’t been much movement in establishing a common procurement policy across Europe to date.

There’s been no effort to establish a continent-wide cloud-first approach, for example, as the US and UK governments have done, and there’s still much resistance to the idea of European cloud services crossing borders. Some countries, notably Germany, maintain the attitude that IT services should be acquired nationally – and that philosophy remains a barrier.

However, the UK G-Cloud approach remains a model that demonstrates how public cloud procurement could be enabled in the future, and some organisations are already looking to it for inspiration.

Bob Jones is head of Helix Nebula – the European Science Cloud initiative which aims to establish a Europe-wide cloud infrastructure – and is grateful for guidance from G-Cloud about how the organisation should approach procurement.

“The G-Cloud has helped. We were keen to learn from G-Cloud as it’s difficult to find something that’s so well developed in other EU member states,” says Jones.

The EU has also set up the Procurement Innovation for Cloud Services in Europe (PICSE) to advise public sector bodies. According to Strategic Blue CEO James Mitchell, a PICSE consultant, the organisation is also looking to advise small to medium-sized enterprises (SMEs).

Jones says PICSE was set up to look at how cloud is procured, particularly by public bodies and research organisations, as there is an issue with the procurement processes organisations are legally obliged to go through.

“Research institutes have to go through request for proposal [RFP] processes, which are not designed for buying utility services,” he says.

He points out some problems faced by procurement bodies: “Contracts will have items such as computing services, so instead of writing ‘computing services’, you’re going to write ‘cloud’ – that doesn’t work very well.”

There are accounting issues too. “A server is an asset, with the cost spread over the lifetime of that server – pay as you go doesn’t fit well into this model,” he adds.

Looking ahead

Procurement managers have to look beyond these difficulties and explore new areas. The three partners of PICSE – Cern; the Cloud Security Alliance and Trust-IT Services – want to build on the work carried out by Helix Nebula to help the process along.

Sara Garavelli, project lifecycle strategist and project manager at Trust-IT Services, describes how Helix Nebula demonstrated the suitability of cloud services for public sector organisations, but there were stark differences according to size.

“We observed two different trends. The big EU research organisations are quite aware of what procuring cloud means, but when it comes to small to mid-sized research organisations, many of them have no clue about cloud. They are attracted by the cloud benefits, but they don’t know how to approach the procurement,” she says.

There are many reasons for this reluctance to adopt cloud. “They are put off by interoperability issues with existing systems and by lock-in issues. They don’t have any idea how to run a cloud business case and they don’t know what legal and financial implications cloud brings,” she says.

To aid the procurement process, PICSE has introduced a self-assessment tool, called the Wizard, to help public research organisations better understand the issues with their procurement processes.

According to Garavelli, the Wizard should help research institutes procure services, even if it does have limitations. “Of course, it cannot replace the legal and procurement advice provided by experts, but it could give them with warnings and suggestions on how to deal with the full cloud procurement cycle,” she says.

The tool is designed for IT managers from public research organisations willing to procure significant amounts of cloud services.

Garavelli says there are considerable difficulties faced by these bodies. “Writing cloud tenders is quite a challenging and expensive task for public sector organisations. Cloud skills – technical, legal and financial – must be there to run successful cloud procurement,” she says.

However, organisations can get some financial assistance with this, thanks to two instruments launched by the European Commission (EC): The pre-commercial procurement (PCP) and the public procurement of innovation (PPI) instruments.

“Buyers can receive some funds from the EC to procure innovative cloud services. This is quite clever as the EC is not allowed to fund any commercial procurement, so in this case it’s a good opportunity for these public sector organisations,” says Garavelli, explaining that these financial initiatives are not widely known.

The challenge ahead

There are serious challenges in trying to procure services across Europe, as the multiplicity of different rules and regulations hinder the take-up of cloud. As Garavelli says: “Different EU countries have different regulations and laws. Managing a procurement of this type is really challenging and expensive.”

The UK’s G-Cloud initiative, with its ease of use, offers a good model, but PICSE’s Mitchell admits it has its limitations.

“If you want to deploy infrastructure as a service [IaaS], platform as a service [PaaS] and Salesforce, and try to do that on one RFP, you’ll need someone to put it all together – it’s going to be expensive,” he says.

Nevertheless, there’s a new awareness across Europe that things have to change and cloud services are on the agenda. The EU has put plenty of initiatives in place to help the process along, recognising the barriers in place.

As yet, the UK’s G-Cloud initiative is in a class of its own, but there’s plenty of time for the rest of the continent to catch up.

Read more about public cloud procurement

Read More »

Alibaba makes data protection pledge to Aliyun cloud users

Aliyun, the cloud computing arm of Chinese internet firm Alibaba, has issued a three-point data protection pact to allay user fears about entrusting their information to the company.

The statement aims to assure potential users of the Aliyun platform that they will retain the right to “freely and safely” access, share, transfer and delete any data they decide to store in its cloud.

Furthermore, the company said customers have the right to stipulate how their data is processed, and that Aliyun has no right to alter or transfer it in anyway.

The final point of the pact sets out Aliyun’s obligations when it comes to keeping the data stored in its cloud safe, which centres on the delivery of threat protection and disaster recovery tools.

“It is the responsibility and duty of Alibaba Cloud Computing [Aliyun] to establish a set of strict management, control and internal audit systems, as well as strive to continuously improve our threat protection, disaster recovery and other capabilities to strengthen the protection we offer to customers regarding data privacy, integrity and accessibility,” the company said in a statement.

While 1.4 million people in China reportedly already use Alibaba’s cloud services, the company has been making a concerted effort to court overseas users by announcing plans to open datacentres in the US and Europe.

The pact appears to have been announced as a follow on to the plans and as a means of building trust in a cloud platform most users are unlikely to have heard of outside of China.

Simon Hu, president of Aliyun, announced the pledge at the company’s inaugural Data Technology Day in Beijing on 22 July 2015, where he said it was proof of its commitment to honouring the data privacy of its customers.

“We aim to make cloud computing the engine of the data technology economy, and big data a driving force of economic development,” he said.

“Aliyun will continuously be committed to building a cloud computing ecosystem to efficiently and securely serve global clients,” he added.

Speaking to Computer Weekly, Bob Tarzey, analyst and director at IT market watcher Quocirca, said it will take more than Aliyun’s three-point pledge and some far-off plans to open local datacentres to convince users to adopt its cloud.

“The issue here is control. When it comes to corporate data storage, Amazon Web Services [AWS] has infrastructure in Europe, which means European businesses can reasonably overcome concerns they may have about using AWS to store data,” said Tarzey.

“However, it is going to take a lot for European businesses to be confident about using a China-based cloud storage service, given the reputation Chinese organisations have for stealing intellectual property,” he said.

Read More »

Building a cloud of clouds to balance flexibility and control

Do you remember the Real Madrid team of the early 2000s? “Los Galacticos” was made up of superstar players from around the world, such as Zidane, Beckham and Ronaldo, with no expense spared. But as a winning strategy, it backfired. Lots of star players don’t necessarily make a great team.

For some CIOs, that’s not so very different from the situation they face as cloud services flow into the organisation through the back door. Of course, it’s great so many business people are doing IT for themselves. Cloud services work really well and provide a terrific platform for innovation. But you can end up with duplication, non-compliance and conflict, which, as Real Madrid found out the hard way, can really hamper your overall performance.

What’s the CIO to do? Research firm Ovum says European enterprises are “torn between a strong theoretical desire to be strategic in their use of cloud computing, and a stronger pragmatic drive to be cautious”. It needs to be easier for organisations to embrace the cloud in all its diversity and use it to deliver long-term success for the business.

A balancing act

From the earliest days of business computing, IT management has always been a balancing act between control and flexibility. Too much control strangles innovation and handicaps your ability to move fast. Too much flexibility and the risks rise, from non-compliance with data protection legislation to a deterioration in your network performance because someone’s new cloud-based videoconferencing is slowing down email for everyone else.

The good news is the cloud itself holds the key to balancing flexibility with control. One approach is a “cloud of clouds” strategy that lets you bring together all those distinct, disconnected cloud services under central management. By using a single network to connect every datacentre where your cloud applications and data are hosted, you effectively create a “cloud of clouds”. 

Such an avenue gives you the ability to manage everything from the centre and enforce good governance, while continuing to provide flexibility and choice to the rest of the organisation. An integrated cloud of clouds strategy will also prepare your organisation to meet all the challenges of big data, the internet of things and the increasingly digital world.

Weaving it all together

With a cloud of clouds approach, you can choose from any cloud service provider, hosting applications in your datacentre or an external provider’s datacentre. Using a trusted network provider as an “honest broker”, you can let your cloud services share even business-critical data securely so whatever your users are doing, you can be confident they are doing it in full compliance with your corporate security policies or regulatory environment. 

The computing experience you give your cloud users will be hugely dependent on the performance of your network. In a cloud environment, there is only one way to guarantee performance – with a single, end-to-end global network that can prioritise applications, manage access to data and optimise traffic. For more than perhaps a handful of CIOs in the world, this is quite a tall order.

Consequently, CIOs are increasingly looking for partners who can help weave together their cloud services, as well as manage the migration from legacy infrastructure. They want cloud service integrators to provide them with choice, experience and skills, along with network and infrastructure assets that deliver economies of scale and flexibility – and all available globally.

Do you have what it takes?

Finally, just like getting the most from a football team packed with star players, much will depend on the CIO’s qualities as a manager. Managing a cloud of clouds will require a different set of skills and talents from running a traditional internal IT department. 

You’ll need to be good at managing relationships and connecting with colleagues in all sorts of roles, as well as understanding the wider needs of the business. Above all, you’ll be creative and visionary and ambitious for your organisation, and ready to use the cloud of clouds to bring about breakthroughs in business performance.

---

Ashish Gupta is CIO at BT Global Services.

Read more about cloud services

Read More »

Symantec bets on simplicity, cloud and mobile

Symantec is betting on making life simpler for information security professionals and embracing mobile and cloud in the company’s post-storage era.

Nine months after announcing plans to spin off its storage business that came with the acquisition of Veritas in 2005, Symantec is putting finishing touches to a strategy for its security products.

The strategy is based on a review of Symantec’s technology in light of the fact that attackers are becoming increasingly sophisticated, a proliferation of security tools is overwhelming information security professionals, and most companies are embracing mobile and cloud computing.

“Attackers are overtaking the capacity and ability of the average private and public sector security teams to keep up,” said Amit Jasuja, senior vice-president of products and enterprise security at Symantec.

At the same time, the average chief information security officer (CISO) is being overwhelmed by the number of technologies they have, he told Computer Weekly.

A recent survey of CISOs by The Research Board revealed the average number of security tools used by medium-sized and large companies is 70, with the largest companies reporting 100 tools or more.

“A lot of our customers are looking to simplify their lives. They do not want any more tools because they do not have the capacity to look at the alerts it would generate,” said Jasuja.

The third major trend affecting information security, he said, is that most organisations are already using mobile computing devices and cloud computing services.

“Traditional security technologies such as virtual private networks (VPNs), firewalls and other perimeter-based defences do not apply very much any more, as companies move their servers and software applications into the cloud,” said Jasuja.  

Simple yet sophisticated security

Symantec is gearing to address these three major trends by grouping its products to focus on threat protection, information protection and security analytics, over-arched by its cyber security services.

The threat protection products are aimed at addressing the increased sophistication of threats driven by state sponsors and organised crime groups.

Symantec hopes to reduce the complexity of multiple dashboards and multiple agents on servers and mobile devices by using a single agent across the whole IT estate, which is managed using a single console.

“We have opted for a cloud-based management console and a single agent configurable to do what the organisation requires and is easily updated and managed from the cloud,” said Jasuja.

With a single agent across its servers, point of sales systems, mobile computing devices and smartphones that has been extended to do more, he said Symantec aims to provide comprehensive threat protection and enable organisations to get a view of everything that is happening.

“The same agent that has been doing anti-virus, intrusion prevention and intrusion detection on more than 175 million endpoints around the world is being extended to do things like detection and response,” said Jasuja.

This means organisations will be able to query their entire network to find out if particular threats exist anywhere on that network and take the appropriate actions to remove any instances that are found.

“We want to deliver the power for organisations to see alerts and the evolution of a threat and carry out remedial actions – all from a single screen on a single console,” said Jasuja. This means organisations could consolidate from five or six tools down to one.

Securing mobile and cloud environments

Symantec’s information protection products are aimed at enabling organisations to use mobile and cloud computing securely by using biometrics to stop the abuse of credentials and by protecting data directly. This is done through encryption and data loss prevention (DLP) working together to prevent exfiltration.

“DLP and encryption are fairly well established in the enterprise, but we are looking to extend that to mobile and cloud computing environments, with the latest version of our DLP product enabling scanning and DLP policy enforcement for all data in Microsoft Office 365 and Box,” said Jasuja.

Intelligent Security

The security analytics group of products are supported by telemetry and threat data received from the 175 million endpoints worldwide under Symantec’s protection.

“The huge amount of data we have about what is happening around the world and the database we have built of more than four trillion threats enables us to find problems faster and make our products more effective by building analytic and heuristic capabilities on top,” said Jasuja.

“In our strategy we are exposing that security analytics platform, which can deliver a verdict on suspected malware in minutes, directly to customers. This means it is no longer necessary to have a Symantec product to be able to make use of that intelligence network,” he said.

Symantec claims its global intelligence network (GIN) is the largest civilian intelligence network, surpassed only by five government intelligence networks.

“By getting direct access to our GIN, organisations will be able to answer questions such as what malware they are most likely to encounter, how they compare with their peers in terms of cyber hygiene and what level of hygiene exists among their customers,” said Jasuja.

Security expertise on tap

The fourth component of Symantec’s new strategy is its cyber security services (CSS), which are designed to enable organisations to tap into security specialists as and when they are needed.

“We can go and work with organisations to provide security expertise, including responding to incidents, providing security training and even conducting attack simulations and red team exercises,” said Jasuja

As part of Symantec’s strategy to simplify security and help organisations cope better with demands on their security teams, he said that regardless of an organisation’s security technologies, CSS will monitor, repond and provide forensics and insight as required.

In terms of achieving this strategy, Jasuja said biometric authentication, data protection in Microsoft Office and Box, the cyber security services and the security analytics platform are already in place.

Still under development, he said, is the ability to deliver results instantaneously on telemetry data, the multi-control point detection and forensics capability, and cloud-based encryption and DLP.

In the meantime, Jasuja said Symantec is helping existing customers to get their tools to work together, working with third-party suppliers where necessary, as Symantec products are all brought under a single console and a single set of policies.

“The advantage for exiting customers is that there is a path forward for all of the products. As new capabilities are added, they will just have to update the existing client without having to deploy new software,” he said.

According to Jasuja, although fees will be payable for new capabilities, Symantec expects customers to see a return on investment through no longer needing five other tools from five other suppliers with associated licensing fees and integration costs.

All the products and services underpinning the strategy are scheduled for completion by the end of 2016, but most will be done within 12 months, said Jasuja.

“A good chunk of it will become available in the last three months of 2015, with more coming in the early part of 2016,” he added.

In the new era, Jasuja said Symantec is not trying to be all things to all people, but instead is focusing on threats and protecting information in the mobile and cloud environments.

“We also want to be the people organisations call when they have a problem because we have a tremendous amount of research and research capabilities to be able to dissect threats and provide insights into the actors behind the threats,” he said.

Read more about threat intelligence

Read More »

Cloud Native Computing Foundation forms to drive open-source cloud standards

Google has joined forces with the Linux Foundation in a combined industry effort to develop the future of container-based computing.

Organisations supporting the initiative include Docker, IBM, VMware, Intel, Cisco, Joyent, CoreOS, Mesosphere, Univa and Red Hat.

Google said the industry partners will collaborate on developing the Cloud Native Computing Foundation (CNCF), which will work with the open-source community to manage the future development of Kubernetes and build software that makes tools for containers more robust.

This latest expansion of Kubernetes follows swiftly on from Google becoming a sponsor of OpenStack. The combination of OpenStack with developments arising from the Cloud Native Computing Foundation could offer businesses a way to run cloud-based applications across public and private cloud infrastructures using open-source technology.

"The Cloud Native Computing Foundation will help facilitate collaboration among developers and operators on common technologies for deploying cloud native applications and services," said Jim Zemlin, executive director at The Linux Foundation.

"By bringing together the open-source community’s very best talent and code in a neutral and collaborative forum, the Cloud Native Computing Foundation aims to advance the state of the art of application development at internet scale."

According to Intel, cloud native application development offers the promise of workload portability across stacks. "Standardisation helps drive full portability," said Jonathan Donaldson, vice-president of software-defined infrastructure at Intel.

Read more about container technology

Ying Xiong, chief architect of PaaS at Huawei, said: "We believe the foundation will drive standards and integrate common technologies, such as container and container orchestration, into an advanced, end-to-end, open-source solution that promotes business adoption."

Lars Herrmann, general manager of the integrated solutions business unit and container strategy at Red Hat, said: "The rapid ascent of Linux containers and complementary technologies like Kubernetes shows that the future of enterprise application is not based in proprietary code; rather, these applications are born in the cloud and driven by open innovation."

Read More »

Build in resilience to simplify workloads with hybrid cloud

Hybrid cloud offers benefits of hosted applications and offloading manual tasks but beware latency and outages in mission-critical functions.

Hybrid cloud storage has evolved in recent years to become a deployment methodology that blends on-premises storage infrastructure with public and hosted cloud services.

The road to hybrid cloud will not be short or easy for many organisations, and many will have to make detours along the way to fully exploit the rapid innovation of hyperscale cloud storage environments.

The workload and data mobility of hybrid cloud storage strategies will allow infrastructure and operations (I&O) professionals to hedge their cloud bets and switch providers when terms or capabilities no longer meet expectations, or when cloud storage providers offer a new "can’t miss" service.

Enterprises have treated cloud storage resources as complementary storage silos to support next-generation analytics and systems of engagement cloud applications, and offload menial unstructured storage burdens.

Three tips to stay on top of hybrid storage

1. Facilitate cloud mobility. The cloud computing market is evolving rapidly, with innovative services and price wars ramping up competition. Any supporting hybrid cloud storage strategy should use resources such as AWS Direct Connect, Azure ExpressRoute, NetApp Private Storage for Cloud, and Zadara Storage to make data available to multiple cloud services.


2. Prioritise resilience. Cloud services outages do happen, and you should not expect them to end any time soon. As mission-critical and business-critical workloads make their way into the cloud, your teams should use multiple availability zones and colocation sites to ensure that workloads can continue to function in the event of a failure.


3. Be mindful of bandwidth costs. Premium network charges for DirectConnect and ExpressRoute will save money in the long run if large datasets must be moved to or between clouds. Migrations should be cost-justified and planned accordingly, because these operations could take days or weeks to complete.

But cloud storage has much more to offer. Next-generation hybrid cloud storage technologies are already available and ready to bridge the gap between your on-premises applications and resources and cloud storage services by simplifying workload mobility and cloud federation between service providers.

Drawbacks to mass cloud storage migration

The rapidly falling price of cloud storage services is pushing organisations to migrate away from expensive conventional storage systems, toward cloud storage services. While cloud storage should absolutely be a part of your future storage infrastructure, there are a few limitations that should be kept in mind.

The untimely collapse of Nirvanix forced its clients to hastily move away from its cloud storage services, shocked early adopters and highlighted the need for cloud federation and data migration services. Long-distance data migration is still a struggle for enterprises, particularly those with large workloads on the scale of hundreds of terabytes to petabytes.

The inconsistent network connectivity commonly found in remote sites exacerbates this. Data transfer across internet protocol (IP) networks can take a significant amount of time when data payloads go beyond 100 terabytes. The cost of outbound bandwidth and time associated with migrations make cloud migrations difficult and effectively lock in clients.

Cloud security is still the top impediment to full-scale cloud service adoption, although the steady stream of improvements cloud providers are making go some way in addressing this objection. Enterprise storage teams may be hesitant in handing over control of their data to cloud providers, using security and compliance concerns to slow down cloud deployments.

Strategies to mitigate data latency

While the physics limitations of rapid data movement cannot change, progressive enterprises and service providers have come up with clever strategies to put computing and storage resources closer together. A handful of colocation and datacentre providers – such as Equinix, CoreSite, and TelecityGroup – have facilities either physically close to a cloud service provider or house an instance in their datacentre.

This proximity allows customers to bypass the internet and connect directly to their cloud service providers, (often for a flat monthly rate, via fibre-cross-connections at port speeds of 1Gb/s to 10Gb/s), which can provide sub-millisecond latency.

Amazon’s Direct Connect emerged in 2011 as a means of accelerating data movement, and its partner Equinix claims that Direct Connect can transfer files to Amazon 138% faster than public internet connections.

Clouds, and the workloads they house, are getting larger and more business-critical on a daily basis. Beyond raw scale, you must leverage new strategies and technologies and super charge your hybrid cloud storage strategy to keep pace with innovation.

Henry Baltazar is a senior analyst at Forrester Research.

This was first published in March 2015

Read More »

Cut IT team by a third, says VMware cloud chief

Cloud computing is here and IT leaders need to rethink their cloud IT plans, says Bill Fathers, executive vice-president and general manager of VMware’s cloud services business.

Rather than migrate applications to the cloud, he says CIOs should restructure their IT department and the applications they support, for a cloud-first way of working.

In an interview with Computer Weekly, Bill Fathers says he has seen a massive shift in people's perception of cloud computing. "It is certainly very dynamic," he says. 

According to Fathers’ estimates, 6% of workloads now run in the public cloud. While there will, inevitably, be issues of privacy and data protection that preclude all applications from being migrated, Fathers says that behind the scenes there are billions of dollars worth of infrastructure going into the cloud.

In his experience, while IT leaders may express concerns about hosting data in the cloud, the same cannot be said for developers: "The developers will put 40,000 VMs [virtual machines] in the public cloud."

Speaking of the business drivers for migrating systems to the cloud, Fathers points out that lowering IT expenditure is still a major one. 

"We see top-down mandates – a pragmatic view that 'I don't have enough money to spend on my existing infrastructure'," he says.

Complexities of cloud adoption

But Fathers warns cloud migration for the sake of cost-cutting raises integration and compatibility issues. This is particularly apparent when IT teams attempt to bridge their on-premise environment and the cloud. 

"Invest in people who understand what the next version of your business is going to look like"

Bill Fathers, VMware

In such an environment, the challenge, says Fathers, is how customers connect their existing IT environment with the cloud. One common problem area Fathers has encountered is the MAC address (media access control address) that is used to identify networked resources uniquely.

"VMware has worked with the top 5% of its customers to enable networking across the cloud and on-premise applications. The problems become apparent when organisations attempt to put hundreds of virtual LANs in the cloud. Mirroring multiple LAN environments that straddle on-premise and cloud [environments] is extremely complex," he says.

Fathers admits that most of VMware's NSX research has been poured into solving this problem. "If you move an application to the cloud and you want to move it back, the original MAC address may be used by some other application," he says.

Another example is IP addresses. "If you have an IP address on-premise, Amazon gives you an IP address too, so you need intelligent ways in the network to enable IP address translation to happen."

Few businesses push cloud agility

While many organisations have moved infrastructure to the cloud, Fathers says few have taken the next step to looking at how the cloud can help the business run more dynamically. 

Fathers cites disaster recovery (DR) as being one of the biggest triggers for cloud adoption. "It’s a no-brainer," he says.

DR in the cloud has been a great business for VMware, according to Fathers. But he says once a CIO has migrated the first three or four applications to the cloud, and has demonstrated agility and cost savings using the same application portfolio as was previously run on-premise, they have to start thinking about how they can really push this great new cloud infrastructure.

As an example, he points out that some of the most strategic cloud transformations have been when VMware has worked with Pivotal Labs to use Cloud Foundry to rewrite existing applications.

Re-skilling IT for the cloud era

As cloud skills mature, Fathers warns that CIOs will need to understand both applications and infrastructure.

"Just being cloud-savvy and being able to run IaaS [infrastructure as a service] and your own cloud portfolio will last about three years," he says. "You used to be an application or infrastructure specialist, but [with new ways to deliver IT in the cloud] you will have to understand both because software-defined [IT] is all software. You'll effectively get out of appliances. As you get into software-defined mode, you will have to understand the applications."

Read more about cloud transformation

Fathers' advice to storage, network and IT infrastructure experts is to embrace the change. "If you are deeply worried about the scale and magnitude of the change that you’ll be going through, it's a good thing. Live with it and ask yourself how you transition your business to the cloud over the next five years," he says. 

Fathers believes this five-year transition plan will be how the tenure of a CIO will ultimately be measured.

He urges CIOs to look at the make-up of their IT teams and be prepared to make dramatic cuts. "Invest forward," he says. "Chances are, 95% of your team understands your existing infrastructure technology platforms extremely well. You’ll be getting rid of a third of them to invest in people who understand what the next version of your business is going to look like."

Dump bi-modal thinking

IT advisory firms recommend CIOs bifurcate IT – as in "mode one" and "mode two" – to use Gartner’s terminology. 

It is not a strategy Fathers would recommend. "Just don’t do that," he says. "The systems of record tend to be less glamorous. The people who get left with legacy IT or bad IT will undermine new IT. Who wants to be there?" 

There needs to be a tight link between the front-office IT – the so-called systems of engagement – and the back-office systems of record, according to Fathers.

Systems of record are often run on the VMware hypervisor, and the systems of engagement use cloud infrastructure. “I spend a lot of my life helping clients connect the two. It is harder than they think,” warns Fathers.

Read More »

HP Cloud 28+ enters beta and introduces self-certification scheme for providers

Hewlett-Packard's’s bid to create a Europe-wide one-stop cloud shop has moved up a gear, with the introduction of a self-certification system for providers that want to sell their services through it.

Dubbed Cloud 28+, the initiative was formally unveiled by HP in March 2015 after a year of preparation, and is geared towards driving adoption of off-premise technologies across Europe by providing users with a centralised catalogue of cloud services.

HP claims this will help make it easier for commercial and public sector organisations to adopt cloud – as they can consult the catalogue before embarking on a deployment, to find a provider and service that fits the bill.

Speaking at the Cloud 28+ in Action event on 30 September 2015 in Brussels, Xavier Poisson, Emea vice-president of HP Converged Cloud, marked the beta launch of the project by talking up the attention it has garnered in other parts of the world looking to replicate what HP is trying to achieve.

Similarly, the cloud provider community has also thrown its weight behind it, he continued, helping the firm exceed its target of having 200 services listed through it by September 2015.

“We had a dream in March that the catalogue would be live in September and we would have 200 cloud services in the catalogue for this meeting,” he said.

“Not only is Cloud 28+ live, but it is hosted by one of the members and we have 320 cloud services.”

In light of this, Poisson said the aim now is to have 600 services listed on the catalogue by the time of its official go-live date in early December.

Turning his attention back to the problems providers face when trying to do business with users in other countries, he claimed it can cost up to €9,000 to ensure a service does not infringe on local laws.

And it’s those kinds of financial and legislative barriers to doing business across borders, Cloud 28+ is looking to eradicate, he said.

“I’m hoping to generate what all of us are working for everyday. That’s employment and to generate growth. That’s the ‘why’ of everything we’re doing today with Cloud 28+.” 

Cloud 28+ self-certification scheme

Every cloud provider, reseller or independent software vendor (ISV) that secures a listing on the portal can now have their offerings rated via Eurocloud’s Star Audit system – a move HP claims will make it easier for users to pit one firm’s offerings against another.

Eurocloud board member Tobias Höllwarth told attendees the rating system should streamline the procurement process by providing users with certified assurances about the quality of the services they provide.

Otherwise, providers can find themselves repeatedly fielding the same questions about security and uptime, from users trying to work out whether or not to trust those suppliers with their data.

This results in slower and more expensive cloud procurements, driving up the costs of doing business.

“Answering the same questions again is boring and is not generating business,” he said.

Read more about HP's Cloud 28+

For smaller firms – that don’t have access to dedicated IT, legal or procurement teams to guide them through the process – knowing which provider to go with can be fraught with challenges.

“They need to buy cloud services as they may have a big competitive disadvantage if they don’t,” he said, adding that the rating system should accelerate the buying process for them too.

The EC Digital Single Market

Cloud 28+ initiative has drawn parallels in the past with the UK government’s G-Cloud scheme, and – in the light of that programme's success – on the continent, attention has focused on recreating a similar cloud services procurement portal for European public-sector users.

Similarly, what HP is trying to achieve with Cloud 28+ fits in quite well with the European Commission’s Digital Single Market initiative, which seeks to create a single marketplace for digital services within the European Union (EU).

Speaking at the event, Francisco Medeiros, deputy head of the software and services and cloud computing unit at the EC, said that – while the organisation could not directly endorse the work HP is doing with Cloud 28+ – such initiatives had an important role to play in supporting the EC’s cloud goals.

“This is indeed a promising and enriching initiative that has the potential to substantially contribute to the development of the European cloud services market and will provide opportunities for small and large cloud service providers,” Medeiros said.

"Of course, we – as the commission – are not in a position to endorse specific market initiatives but, in general terms, I can tell you initiatives like Cloud 28+ and others are key, in our view, for the establishment of a competitive market for cloud services.”

Read More »

John Swainson, president of Dell Software, argues the case for rethinking datacentres

Technology has the potential to change humanity, at least according to John Swainson, president of Dell Software.

During the 2015 Dell Innovation Summit in Copenhagen, Swainson discussed the opportunities IT can offer business and humanity, saying in his keynote presentation that “technology is the catalyst fuelling the evolution of our planet and unlocking the potential of billions of people”.

In the 1970s, IT was used to automate business processes. Swainson said the advent of the PC made IT available to everyone, and IT can hook the fabric of business together, giving “the ability to rethink business models”. 

Referring to the booking service Uber, which is often cited as an example of a new business model, Swainson said: “Uber is, in fact, online scheduling of just-in-time logistics.”

In an interview with Computer Weekly, Swainson called for businesses to revamp their datacentres to support these new business models.

He joined Dell in 2012 to create a software division, having previously worked at management software supplier CA Technologies as the CEO, and at IBM, where he headed up WebSphere. 

“I had the opportunity to build a software business [at Dell] to look for areas representing unmet needs on the part of customers,” he says.

These areas needed to fit in with the rest of Dell’s business and would potentially support disruptive change. This has led the company to focus on systems management, information management and security. 

“CA and IBM were constrained in some ways by their prior business successes, but at Dell we didn't have that,” Swainson says.

Speaking on systems management, he says: “The integration between hardware and software is becoming more important in the enterprise. We are moving to a server-defined world where the boundaries between what the hardware does and what the software does disappears. This has profound implications on the software you build and how you manage and secure it.”

According to Swainson, Dell is well placed to support customers’ technology strategies as the world moves from physical hardware, such as storage area networks, to software-defined devices.

Windows server migration

As with many server makers, Dell is seeing a lot of interest among its customers who need to move from Microsoft Windows Server 2003 before support ends on 14 July. It is a major migration because Windows 2003, Exchange and Active Directory have to be moved in parallel, Swainson says.

Some organisations will use the migration to rethink their datacentre strategy, but Swainson has seen a number of organisations simply migrate to Windows Server 2008, as it is still a supported operating system and does not require the major application reworking associated with shifting the whole Windows Server infrastructure onto Windows Server 2012.

“Moving to Windows 2012 requires changing applications, and this a far more expensive upgrade from Windows Server 2003,” says Swainson.

Private cloud is ready for the mass market

Dell is a major provider of hyperscale infrastructure used by small and large cloud service providers, but it is also providing hardware and software infrastructure for private clouds. 

Dell works with Microsoft, VMware and Red Hat (for Openstack) and provides appliances to support private cloud deployments. Cloud computing is starting to gain a greater level of acceptance in the enterprise, says Swainson. 

“The cloud has involved a lot of pilots and experimentation, but this is changing very quickly to become a viable part of the server marketplace,” he adds.

According to Swainson, traditional monolithic applications cannot simply be re-hosted on the cloud to achieve the benefits of scalability and agility promised by cloud computing. 

“You can’t just take an application running on a big Unix server or a mainframe and put it into the cloud and expect to get the advantages of cloud economics. The transformation of datacentres is fundamentally about re-architecting the applications so they work differently,” he says. 

He believes the economics of the cloud are only achieved if the infrastructure can be scaled up and down as required by the business, meaning applications have to be engineered for cloud computing.

For Swainson, such a change cannot be achieved overnight because it requires a fundamental rethink of how to approach a datacentre design.

So far, Dell has primarily focused on providing hardware to the public cloud providers and building blocks to the private clouds in major enterprises.

“Mass adoption of private clouds is just around the corner, and we see a much bigger role for Dell as the provider of integrated appliances,” says Swainson. 

Read More »

Cloud computing in schools: privacy under threat

Schools are increasingly adopting cloud computing to take advantage of the associated flexibility and cost savings. 

From a budgetary standpoint, schools can achieve better value for money and improved functionality through the cloud. New pedagogical models such as the flipped classroom, which have been largely associated with massive open online courses (Moocs), are improving both teaching and learning processes.

However, this new scenario also implies substantial risks to privacy, which should be addressed to ease the transition to a digital environment. For this reason, the Spanish Data Protection Agency (AEPD) has introduced Europe's first inspection of cloud computing services in education.

According to the Spanish National Institute of Statistics, more than eight million primary and secondary school students are using these new technologies in Spain. Most of their personal data is rarely stored in private clouds, with storage in hybrid clouds from infrastructure as a service (IaaS) providers more common.

The AEPD report distinguishes between school management platforms and learning platforms, both of them under a software as a service (SaaS) model.

School management platforms not only store economic and administrative data, but also the identities of everyone involved in the school as well as other personal information, including medical histories.  

“All the school management platforms reviewed collect and store data specially protected, such as health information (data on allergies, supplied medicines, medical examinations and diseases reported by parents), along with data from the Guidance Department (psychological data),” said an AEPD spokesperson.

As regards learning platforms, the report points out that they are aimed at creating an environment for collaborative work between teachers and students to facilitate the management of online courses. These platforms, which are managed by teachers and students, enable the monitoring of pupils' progress across the virtual learning environments (VLEs).

A VLE allows the creation of a bespoke system, saving thousands of euros in licensing costs and creating flexibility benefits. VLEs are usually based on the open-source learning management system Moodle and contain real-time academic information, such as test scores and the number of attempts at tests.  

Access to this information should be limited to authorised staff of the education centre and students, who have access only to their own information.

Shared responsibility

The AEPD report warns that one of the most common problems is the division of responsibilities between the different actors in the protection of personal data. “While IaaS providers argue that they do not have the 360 insight and ignore the nature of the stored data, schools say they are not security experts and that is not their business,” said the AEPD spokesperson.

However, the responsibility is clearly shared. While the physical security aspects are the responsibility of the infrastructure providers, all the aspects related to the users’ management depends on the SaaS providers and the schools. In this regard, the SaaS providers are used to deliver to schools a user with administrator privileges for managing users, delegating that responsibility to the school.

The AEPD spokesperson added: “The contracts should clearly specify the responsibilities of all those involved in the delivery of cloud services, both customers and entities.” These include responsibilities for the security measures to be implemented.

Read more about cloud computing services

The report also warned about the legal issues related to data location. Where in the world that a cloud service provider keeps students’ data is very important, and the AEPD recommends that schools gather information on the location of data. 

If data is located in the EU, Iceland, Liechtenstein or Norway, there is no problem because there will be no international transfer of data. But if the datacentre is located in another country, the national data protection agency must be notified.

Responsibility for backup and recovery of data should be included in contracts with cloud service providers to ensure backups are carried out with appropriate frequency and that backed-up data is stored in a different location from the original databases.

Recommendations

The report also recommends that user consent policies signed by parents on behalf of their children should comply with requests from EU data protection authorities.

The research highlighted that schools have largely adopted the use of learning apps from third parties. The AEPD spokesperson said that because the apps that assist the teacher to develop lessons contain students’ personal data, schools should establish rules of procedure for using these tools, which could include in-service training for teachers.

The use of personal devices, such as tablets and smartphones, must comply with the privacy policy defined by the school and the guarantees established in EU data protection legislation, the AEPD spokesperson said. This means that no identification or authentication information should be stored on the mobile devices. 

As an additional security measure, it would be a good practice to link the access to a single device, so that if a user logs into the platform through another device, additional authentication will be required.

Another sticking point for data privacy could come from publishing houses. While many schools are adopting e-books instead of traditional paper books, they are also giving students access to publishing houses’ platforms, which implies a transfer of personal data.

The AEPD says: “The publishing houses are not entitled to treat any personal data that can be obtained from these learning platforms without consent from the user, such as the results of the exercises done by students or the profiles that could be obtained from them.”

The AEPD recommends that schools should not surrender control of student information when using cloud services and should specify the purpose for disclosure of student information in any agreement, restricting the sale or marketing of student information by third-party suppliers.

Read More »

Asean financial services firms more cautious on cloud

Global financial institutions are putting personally identifiable data, such as names, addresses and phone numbers, in the cloud, according a global study – but companies in the Asean region are treading with more caution.

While CipherCloud’s recent Global Cloud Data Security revealed that banks across the world are putting customer data in the cloud, Asean finance firms are using the cloud for specific business lines and functions, say regional analysts.

The CipherCloud report surveyed more than 50 global banking and financial services firms, including some in the Asia-Pacific region. One-third of those surveyed use the cloud to store highly sensitive personally identifiable information, such as social security numbers, birth dates and tax IDs. The survey showed 47% use the cloud to process personal finance data and 53% have business confidential data in the cloud.

But Asean firms prefer to focus on internal functions. For instance, Thailand’s TMB Bank allows its staff to use Microsoft Office 365 as a cloud-based productivity system for communications and collaboration, Philippines Business Bank (PBB) has implemented a private cloud strategy for datacentre and virtual disaster recovery, and Hong Leong Bank in Malaysia has decided to deploy a private cloud strategy.

The CipherCloud findings debunk the notion that financial institutions shy away from the cloud and show that these firms are increasingly mature in their cloud data protection practices.

But Ho Sui-Jon, market analyst at IDC Financial Insights Asia/Pacific, says these figures may not apply to the Asean region. Ho says the maturity of cloud technology adoption among financial institutions in the region varies by country and by sector.

“Financial services is one of the leading industries that continues to champion the cloud agenda, surpassed only by the communications and media sector for most of the Asia-Pacific region,” he said.

As regards financial services' use of cloud, the issue has never been about security, as is often cited as holding back adoption, said Ho. “It is likely that the fragmentation of policies and regulation have done more to hold back forays into the cloud than actual breaches,” he added.

Read more about enterprise IT in the Asean region

Although financial institutions are venturing into the cloud arena, it will be a while before an Asean bank embraces the cloud as fully as Australia's ING Direct, one of the first banks in the Apac region to fully migrate its core systems onto a (private) cloud, said Ho.

“Financial institutions [in Asean] are likely to continue pursuing their cloud agenda in specific business lines or functions – social analytics, prospect management, data management and internal shared services, and will continue to do so opportunistically until market-wide structural reforms are seen,” he said.

Structural reforms that could encourage cloud adoption include regulatory requirements and major infrastructure investments, such as a national high-speed broadband initiative.

The CipherCloud report pointed to security challenges as the main reason why organisations might miss early opportunities in the cloud. “Today, organisations struggle to extend their on-premises data protection practices into the cloud,” the report said. 

“The result is inconsistent security practices, data protection gaps and security blind spots. This may slow down firms’ cloud migration journey and impede the business from fully capturing the potential of cloud computing.”

Read More »

How Deutsche Telekom plans to challenge AWS and Google in the cloud

Deutsche Telekom has made no bones about its ambitions to become a market leader in Europe’s cloud services market. The German company recently proclaimed its goal of doubling current annual revenue of €1bn from business customers by the end of 2018, as it extends its focus from the private cloud to the public cloud.

“At Deutsche Telekom, we want to grow by more than 20% each year in the field of cloud platforms, and to become the leading provider for businesses in Europe,” said Ferri Abolhassan, head of the IT division at Deutsche Telekom’s enterprise-focused unit, T-Systems.

Last year, revenue from cloud services, in particular in the highly secure private cloud, increased by double-figure percentage points at T-Systems alone, the company added.

To achieve its goals, the Bonn-based company intends to intensify its collaborations with technology partners “who are, in turn, market leaders”, including Microsoft, Airbnb and Huawei. Abolhassan firmly emphasised that such partnerships are essential to support Deutsche Telekom’s over-arching cloud business strategy.

Indeed, China-based Huawei, which is in turn is placing an increased focus on IT services, is already collaborating with Deutsche Telekom in both the private and public cloud, with the intention of helping the German operator to develop services in both these areas in future.

“After we agreed on our co-operation regarding IT infrastructure and private cloud services during CeBit [2015], we are now taking the next step and combining our know-how and cutting-edge technology in the public cloud area to ensure that companies of all sizes are provided with the cloud of their choice,” said Haibo Zhang, president of Huawei Deutsche Telekom key account department.

Speaking at Huawei’s Innovation Day in Munich in June, Abolhassan went further still. Not only does he want to see Deutsche Telekom become a leading provider of cloud services in Europe, he also wants to see Europe produce a competitor to the cloud-based companies that have so far emerged from the US.

Read more about cloud services

“There must also be in Europe a force that is an answer to all the initiatives coming from the US,” he said. Together with Huawei and its other partners, Deutsche Telekom plans to pit itself more strongly against Google and Amazon Web Services (AWS) in future.

Competitive advantages in the cloud market

The German company certainly has its work cut out if it intends to be part of the European answer to such cloud heavyweights.

AWS, for example, “is a $5bn business and still growing fast – in fact it’s accelerating”, said Amazon founder Jeff Bezos during the company’s first-quarter results presentation. “Born a decade ago, AWS is a good example of how we approach ideas and risk-taking at Amazon.”

To meet such challenges head-on, Deutsche Telekom is stepping up cloud activities across the group and establishing a strategy for services in the public cloud, including infrastructure, platforms and applications.

What’s more, Abolhassan noted that the company has a major advantage up its sleeve: security. Since cloud services for Europe are provided from datacentres in Germany, this means they are subject to strict German data protection guidelines.

“In cloud computing, datacentre location brings the valuable advantage of security. Our customers and partners place their full trust in Deutsche Telekom in this regard,” said Abolhassan.

Indeed, the Experton group, which produces the annual Cloud Vendor Benchmark for the German and Swiss markets, noted that the cloud offerings from Deutsche Telekom and T-Systems gained a positive rating overall in 2015 for their high data security and data protection standards, noted as “an advantage in the cloud market, which is set to reach a volume of more than €12bn in Germany in 2016”.

According to Experton, “there is still a preference for offerings with high data protection compliance”, and this is supposedly “so attractive that more and more US IT service providers are choosing to slip under this cloak of security”.

Building a cloud strategy

In essence, cloud services form a core part of the German company’s new strategy, which embraces other new areas such as the digitisation of industry, machine-to-machine applications, security and big data. 

This all forms part of a fundamental overhaul of the T-Systems group, which is emerging from a major transformation programme. This process saw the company sell off less profitable activities such as hardware reselling, as well as businesses such as T-Systems Italia and the systems integration unit in France.

Abolhassan said the company plans to take a step-by-step approach to the development of its future cloud strategy. “I want to make cloud more tangible,” he said, noting that most people now have digital content in one form or another but often don’t know where it actually is. What they need is someone who will take care of their content, he added. 

Devices, networks and content all need to be connected together. The challenge is also to achieve connectivity without disruption.

Virtual platforms

An example of a virtualised end-to-end service developed by Deutsche Telekom is Mall2Go. Introduced at CeBit in 2014, Mall2Go is a shopping app that enables employees of large companies to do their daily shopping by mobile phone and receive deliveries to their office on the same day.

The virtual platform is designed to enable regional supermarkets and smaller businesses to reach larger groups of customers than they can via their physical locations, while same-day delivery is an added value for customers. 

Now available as a service, employees can order what they need via the Mall2Go app. With the app, they can browse a store’s products and add items to their shopping cart using barcode or QR-code scan. Via a sharing function, they can also allow friends and family to check the shopping list and add items.

Meeting future challenges

The company already appears to be making an impression with its cloud strategy. In Experton’s Cloud Vendor Benchmark for 2015, Deutsche Telekom and T-Systems achieved top scores among Germany’s leading cloud providers in more than 10 disciplines.

The Experton analysts also drew attention to the change in strategy at Deutsche Telekom’s corporate customer arm in their benchmark study: “Thanks to its own internal transformation, T-Systems has also made the permanent leap to the ranks of the top IT players and is strategically aligning its portfolio with the challenges of the future.”

Read More »

Cloud users speak out about day-to-day SaaS frustrations

The day-to-day frustrations of cloud users have been laid bare in a new survey, which suggests high levels of discontent exist among adopters of off-premise tools and technologies.

Cloud services firm StratoGen conducted a survey featuring responses from 1,000 UK senior business decision makers. The survey found nearly three quarters of cloud adopters (73.84%) experienced frustrations on a day-to-day basis while using off-premise apps.

The biggest frustration – cited by 21.41% of respondents – was the cost of hosting applications in the cloud, followed by availability issues, which was flagged by 16.95%. Meanwhile, 16.45% flagged the lack of IT support as their biggest bugbear when using cloud.

Planned and unplanned downtime was a gripe reported by 10.5% of cloud users, while scalability issues were noted as an issue by 6.4%.

The research’s aim was to uncover the reasons why companies move their apps and data to the cloud, while looking at the concerns they have about doing so and any frustrations they encounter along the way.

From a cloud concern point of view, nearly 80% said they had cause to worry about using cloud services, with the greatest source of their anxiety being a lack of knowledge about using them.

The effect cloud downtime could have on their company’s productivity was another cause for concern for 13.5% of respondents, along with the inability to migrate legacy apps off-premise (10.7%) and fear of network performance issues (9.71%).

Karl Robinson, chief commercial officer of StratoGen, said many of these challenges can be easily avoided if users take the time to find a cloud platform right for them.

“The perceived high cost of cloud hosting is a direct result of the unexpected metered costs businesses are all too often hit with. Migration challenges and the time invested in integrating cloud technology with legacy applications can further increase the cost of cloud computing,” he said.

“This doesn’t have to be the case. A cloud platform should always be fit for a business’s individual needs, with in-built scalability to allow for growth, without surprising cost hikes.”

The reason why the research concentrated on the downsides of using cloud was to find out what might prompt a company to backtrack on their cloud strategies and move their IT back on-premise.

On the back of the frustrations and concerns aired by respondents, more than a third (33.5%) said the problems they encountered would be sufficient enough for them to move their applications back in-house.

Robinson said the research shows the UK has some way to go until cloud users are in a position to unleash the full business benefits of using the technology.

“The research highlights a major problem for cloud technology, but in reality the actual ‘pain’ point lies in companies not having the right cloud solution in place from the outset,” said Robinson.

“It is clear UK businesses today have a distinct lack of confidence in the cloud’s ability to deliver the benefits it is capable of. To truly instil trust, cloud solutions must prove the business value being provided. Until then, business benefits of mass cloud adoption will not be realised,” he added.

Read more about cloud adoption trends

Read More »

Cloud maturity still rare in Nordic organisations

Nordic countries are leading Europe in cloud service take-up, but lag behind in terms of strategic use. Only one in 10 Finnish, Norwegian and Swedish organisations can be regarded as cloud mature, according to a new study.

More than two-thirds of organisations in these countries are still at an immature (18%) or basic (51%) level in terms of cloud usage, according to the Cloud Maturity Index (CMI) study published by Finnish IT services provider Tieto and research company Radar. This means they are lacking a clear definition of and strategy for cloud services.

“The survey indicates that many organisations still use cloud services ineffectively to a large degree. Quite often, the actual use is not anchored to the joint business strategy but is rather driven by a short-term need to cut costs,” said Niraj Sood, head of business development for managed services at Tieto.

“Paradoxically, these [non-mature] organisations seem to be less successful with cutting costs than cloud-mature organisations, where focus instead lies on innovation and business development.”

According to the study, on average, mature organisations invest twice the proportion – almost 10% – of their IT budget on cloud services compared with those that are not mature. But this pays off – on average, cloud mature organisations have 34% lower IT operations costs compared with competitors and more than twice the budget for innovation.

The Nordic split

Finland leads its neighbours in operational cloud maturity with a higher proportion of cloud-based IT services than Sweden and Norway. Finnish organisations also use more types of cloud services in a greater number of sectors. But in Sweden, strategic cloud use – having an established strategy for cloud services – is slightly more mature.

“IT outsourcing has been adopted from very early on in Finland and, in general, outsourcing is more common,” Sood said. “In Sweden out-tasking and resource procurement are used more often. For example, [Swedish] banks buy lots of resources and consultancy from outside but don’t really do large scale outsourcing contracts like in Finland.”

Read more about cloud computing in the Nordics

In addition, penetration of software as a service (SaaS) is high in both countries. Sood said that because IT outsourcing has traditionally been driven by cost efficiency, the incentives for it have been lower in Norway’s prosperous economy. According to the study, operational cloud maturity is 43% lower in Norway than Finland.

Where Norway bucks the trend is in growth speed. It had the highest growth in cloud services usage in the past year. Currently, the report states, 69% of Finnish organisations use cloud in some form compared with 60% and 46% in Sweden and Norway respectively.

Barriers are disappearing

Gartner Finland’s Leena Mäntysaari pointed out that while growth in cloud service adoption has been fast, cloud maturity is unlikely to ever reach 100%.

“When talking about maturity [of any technology] it’s good to remember only a small percentage of companies will ever reach the highest level – it’s natural,” she said.

Furthermore, barriers for cloud adoption still exist. According to Tieto’s CMI study, security and regulatory requirements were seen as the most common barriers to implementing cloud services, yet only 10% of cloud-mature organisations saw them as an issue, which implies the perceived barriers are addressable.

“Data security is a good example,” Mäntysaari said. “A few years ago it was a major worry for companies, but based on [Gartner's] studies companies have had good experiences [with cloud services] and this is reflected on how they now perceive their safety.”

Read More »