Monday, June 27, 2011

Cloud Computing Security Standards

As Cloud Computing gains traction both among enterprises and consumers, security on the cloud still commands the greatest mind share when talking about reluctance in cloud adoption. While enterprises question security of their data and information, consumers are concerned about privacy related issues. Cloud Computing vendors are under tremendous pressure to demonstrate their commitment to address these hot buttons of their customers. In this context it pays for all stakeholders to be aware of some of the prevalent and widely accepted Security standards, the adoption of which helps alleviate some of the security concerns and push for greater cloud adoption.

SAS 70 - Statement on Auditing Standards No. 70

What is it?

A well-recognized auditing standard put in place by the American Institute of Certified Public Accountants (AICPA).

What does it do?

Modern data centers and hosting providers have to deal with their customers' data being processed or residing on their servers and storage devices. SAS 70 audit checks if the necessary safeguards and controls are in place at the data centers to ensure safety of customers' data.

Who asks for it?

Customers who want to enter into contracts with data centers, website hosting providers or cloud computing infrastructure providers typically enquire about SAS 70 compliance.

More Info @ http://www.sas70.com/

PCI-DSS - Payment Card Industry Data Security Standard

What is it?

A standard defined by the PCI Security Standards Council that specifies the protection to be put in place to keep data safe when dealing with digital card payments and the information provided for them.

What does it do?

The standard framework specifies requirements for security management, policies, procedures, network architecture, software design and other aspects of handling card-related information used for digital payments. It specifies 12 requirements to be put in place. To ensure compliance, a continuous 3-step process has to be established:

  • Assess: Take stock of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could give away cardholder data.
  • Remediate: Fix the revealed vulnerabilities.
  • Report: Generate records as specified by PCI DSS to validate remediation. Also submit compliance reports to the financial enterprises that you do business with.

Who asks for it?

Customers who want to enter into contracts with data centers, website hosting providers or cloud computing infrastructure providers typically enquire about PCI-DSS compliance.

More Info @ https://www.pcisecuritystandards.org/

ISO 27001

What is it?

An Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

What does it do?

The standard attempts to bring structure to information management in enterprises. As information becomes a key asset for enterprises, the need to define standard processes around information management and to keep refining them continually became the driving factors for the establishment of this standard. The standard defines a model that covers legal, physical and technical aspects of information management. It is a top-down, risk-based approach and is technology-neutral. The model is defined in 6 steps:

  • Define a security policy.
  • Define the scope of the ISMS.
  • Conduct a risk assessment.
  • Manage identified risks.
  • Select control objectives and controls to be implemented.
  • Prepare a statement.

Who asks for it?

Customers dealing with cross-border transactions are more comfortable when they can ensure that information passed on to other organizations is safe and does not fall into the wrong hands.

More Info @ http://www.27000.org/

Data Protection Directive (DPD)

What is it?

A set of European Union (EU) regulations that deal with the personal data of individuals and its processing and movement.

What does it do?

With privacy laws among the European nations being some of the most stringent anywhere, the EU has made the DPD a part of its privacy and human rights laws. This directive governs both automated and non-automated processing of data. It assumes significance in the cloud computing scenario as more and more online services require individuals to divulge personal data when subscribing to services.

The EU directive incorporates the seven principles recommended earlier by the OECD (Organization for Economic Cooperation and Development). The seven principles state:

  • Notice: Give the individual notice when data is being collected
  • Purpose: State the purpose for which the data is being collected and data collected should be used only for this purpose
  • Consent: Get the individual's consent before disclosing data
  • Security: Ensure data collected is secure from potential misuse
  • Disclosure: Individuals need to be informed on who is collecting their data
  • Access: Individuals should be allowed access to their data and must be allowed to change erroneous data.
  • Accountability: Individuals should have an ability to hold the data collectors accountable for the above principles

Who asks for it?

The EU directive is addressed to the member nations, which in turn have to enact laws to give it legal binding force.

More Info @ http://www.dataprotectiondirective.com/

If you enjoyed reading this post, Subscribe to the feed here ...And never miss a post

Monday, June 13, 2011

Understanding Cloud Computing – 5 – SaaS

In my previous posts on IaaS and PaaS, we covered the building blocks of Cloud Computing. SaaS is the topmost layer in our cloud computing stack; it rides on top of the power unleashed by the Infrastructure and Platform layers to really deliver value to consumers and enterprises.
SaaS, or Software as a Service, is quite a buzzword these days. Why so? Is it a new concept?
Not really. SaaS is about hosting a software application on a server and allowing users to use it via Internet-connected computers from anywhere in the world. The user need not install the application on his or her computer to start using it; it can simply be accessed as a service over the Internet. Web-based email is a basic example of SaaS.
Other more recent examples include the photo editing that certain websites allow, Word document to PDF conversion, Google's word processing and spreadsheet applications, etc., all of which you can access through a simple Internet browser. If SaaS has been around for so long, then why the buzz now?
Several reasons can be attributed to it.
SaaS as a business-centered concept
SaaS as a concept has worked successfully for individual-centered applications but not for business-centered applications. There are both technology-related and business-related reasons for this. While SaaS applications like e-mail, office suites, etc. have taken off quite well, business-related SaaS applications like CRM (Customer Relationship Management) software, sales force automation software, payroll applications, procurement and logistics software have only started gaining traction now.
Why so?
Technology has matured
  • New software design and delivery models allow multiple instances of an application to run at once.
  • Internet bandwidth costs have dropped significantly, allowing companies to buy the connectivity necessary for remotely hosted applications to run smoothly.
  • Media-rich AJAX-based UIs that do not need a full page refresh when you click on a button.
Business customers are realizing the benefits SaaS can offer
  • Delayed deployments and high Total Cost of Ownership are forcing CIOs to look away from the traditional software delivery format.
  • Business customers are frustrated with endless cycles of buying software licenses, paying for maintenance contracts, unresponsive helplines, costly upgrades, etc.
  • Pay-as-you-go benefits
  • Easy add ons
  • Easy ability to switch vendors if current vendor is unresponsive to business problems
  • No software maintenance headaches
Add to this the early successes that the world is seeing from SaaS pioneers like Salesforce.com, WebEx, Digital Insight, etc. The model has proven viable. We need to wait and see how the trends in SaaS unfold.

Sunday, June 12, 2011

Understanding Cloud Computing – 4 – PaaS

Platform as a Service corresponds to the second layer in my analogy of cloud computing to your commonplace desktop at home.
PaaS, Platform as a Service, is akin to an operating system that allows application developers, programmers and the like to install their language support systems, write and test code, package and distribute it, and finally deploy/install it to render the apps usable by end customers.
[Image: Cloud - PaaS]
The difference lies purely in the 'as a Service' aspect. In the cloud computing context the platform is not tied down to an Operating System; rather it is something that is hosted on the cloud and available on demand to developers and programmers via any machine connected to the Internet. The developer requests the environment and it gets provisioned to him over the cloud.
PaaS also follows the 4 tenets of Cloud Computing.
Examples of PaaS platforms include Azure from Microsoft, SalesForce's Force.com and Google's AppEngine.
We will explore SaaS in the next part of this series.

Wednesday, June 8, 2011

Cloud Startups – Asankya

This is the first in a series of posts on Cloud Startups, which will over time cover some of the unique cloud startup companies that are working to resolve the challenges that realizing cloud computing poses.

Asankya, an Atlanta-based cloud startup, is working on the transport layer of the Internet: making it more efficient and fault tolerant, and enabling it to deliver Cloud applications more rapidly and reliably.

The company has patented an Internet transport layer routing technology that hinges on dynamic network characterization and scheduling capabilities to optimize data flow. It calls it the RAPID protocol.

The interesting part of this 'hyper-mesh technology' is the ability of the patented algorithms to break up a file into 10 parts, each of which is transmitted along a pre-scanned path on the Internet to the destination. The pre-scan helps establish the reliability of the path's performance. The end result is a transmission rate that is 40 times the current speeds offered by normal routers.

You might be wondering where the cloud and Asankya's ideas cross paths. Think of a private cloud that an enterprise wants to have. Having it in house guarantees LAN speeds. However, having a third-party data center create a private cloud for your enterprise means that all data between the enterprise and the private cloud has to negotiate the bottleneck in the middle: the Internet. Asankya's technology leaps to the rescue. Having special routers deployed at the gateways of your enterprise and the remote private cloud ensures that the bottleneck problem is solved or minimized.

Monday, June 6, 2011

US Fed extracting the juice out of the cloud

If ever there was a generic case study sought by enterprises seeking to leverage cloud computing, there can't be a better one than the US Federal Government with its "Cloud First" policy.

[Image: US Govt cloud]

Two key lessons come out crystal clear from the US government's experiments with cloud computing:

1. Move the essentials but non-core items to the cloud. Focus on the low hanging fruit first.

Case in Point 1: The US government has saved $40 million a year by moving e-mail services for the General Services Administration (GSA) and the Dept. of Agriculture to the cloud.

Case in Point 2: The Recovery Accountability and Transparency Board has saved $750,000 by moving to Amazon Web Services' cloud-computing infrastructure, a move started in May 2010. About 100 data centers nationwide are being closed this year. The government has an ultimate goal of shuttering 800 data centers by 2015.

2. Move those apps to the cloud that can take advantage of at least 2-3 basic tenets that cloud computing promises.

Case in Point 1: GSA moved its website to the cloud, ensuring that website content could be updated in hours instead of days and weeks. This allows the staff to turn to other tasks rather than site maintenance. This move alone is supposed to save $1.7 billion for the US taxpayer. The website application took advantage of the cloud's on-demand ability to scale up/down and also lent itself to a pay-go model for GSA to pay for the support and maintenance of the website.

Friday, June 3, 2011

Virtualization and Cloud Computing – Is there a difference?

One common question I keep getting asked is the difference between Virtualization and Cloud Computing. I even have colleagues and friends who swear that Cloud Computing is glorified Virtualization.

Let's explore this subject.

Virtualization in its simplest form is all about enabling virtual access to a physical computing resource. Why do you need this? A single physical resource can be accessed in multiple ways or by multiple users simultaneously. Each user uses their own OS or access mechanism to interact with the underlying physical resource. A technology known as the 'hypervisor', which abstracts the physical resource from the users/systems accessing it, is the core of virtualization technology.

[Image: Virtualization]

Cloud computing is about allowing users to access computing resources on a need basis (basically as a service) and do away with the concept of ownership. This also implies self service, paying for what you use and inherently unlimited computing power. Cloud Computing is not a technology; it is a business paradigm. Virtualization is an important technology that enables cloud computing by optimizing physical resource sharing. Cloud computing can also be enabled without virtualization, but it would be an inefficient way of doing it.

Simply put, as one website succinctly captures the differences in the following statement:

“Virtualization is basically one physical computer pretending to be many computing environments; cloud computing is many different computers pretending to be the one computing environment, hence allowing easier scaling”

Do share your thoughts on where else the differences lie.

Thursday, June 2, 2011

Gang of Four on the Cloud

Eric Schmidt, the former CEO of Google, has described his company as belonging to a Gang of Four that is revolutionizing consumer activity on the Internet and the Cloud today.

  • Google with its Search
  • Facebook with its Social Site
  • Amazon with its E-Commerce site
  • Apple with its Devices

This has led TechCrunch to compare them with the former Gang of Four, viz. Microsoft, Intel, Cisco and Dell.

If I were to take a swing at extending the Gang of Four into a Gang of Six, here are my choices:

  • Microsoft with its Enterprise Offerings
  • VMware with its Infrastructure Offerings

Do you have anything to extend this list?
