(c)iStock.com/BrianAJackson

Two pieces of research have simultaneously hit the inbox of CloudTech, both with surprising findings in terms of cloud providers. A study from Spiceworks argues Microsoft Azure is more popular than Amazon Web Services (AWS) for IT professionals, while analyst house Cloud Spectator has revealed a surprising name at the top of the best ranked European cloud service providers.

The Cloud Spectator report focuses particularly on performance as well as price factors, measuring vCPU, memory, and block storage performance, and found 1&1 to be the best performer. Using 100% at its benchmark, it finished ahead of UpCloud (95), CityCloud (72) and CloudSigma (68). Of the widely considered major players, Google Compute (50) performed best, well ahead of Azure (27), AWS (27), and IBM SoftLayer (22). Verizon, who confirmed its exit from the majority of the public cloud space earlier this year, scored lowest.

1&1 was also cited in January by Cloud Spectator as the best value infrastructure as a service (IaaS) provider, and again the vendor’s high VM performance and competitive pricing saw it come out on top here. AWS scored highly in the VM – vCPU and memory – performance, but lower relative disk performance and higher monthly costs saw it drop, while CloudSigma came top in storage only for VM performance to see it slip to fourth overall.

“Price performance benchmarks offer important insight into the value of IaaS offerings, and this report compares the value of both large and small EU providers,” said Philbert Shih, managing director of Structure Research, adding: “It’s interesting to see the differences in performance even between different sized VMs, and that some small VMs outperform many large VMs. This type of insight can potentially provide large cost savings.”

Elsewhere, Spiceworks argues that not only is Microsoft more popular than AWS in IaaS public cloud – 16% of respondents compared to 13% – it also has more scope for growth. 21% of the almost 350 people polled said they are considering Azure, compared to 11% for Amazon.

The report also examined the what, why and where of cloud services. The most popular option according to survey respondents was web hosting, cited by more than three quarters (76%) of those polled, followed by email hosting (56%), and storage and file sharing (53%). One in five organisations is adopting infrastructure as a service currently, with an additional 16% considering it.

You can find more about the latest Cloud Spectator report here.

This post provides an update on the ongoing battle between Apple and the U.S. government regarding Syed Rizwan Farook’s iPhone, recovered by police after the horrific massacre in San Bernadino on December 2, 2015.
It is just days before the March 22, 2016 hearing in this long-running, highly publicized dispute between the FBI and Apple, with the FBI’s demands of Apple being variously termed “jailbreak”, put a backdoor into, brute force access, compromise security of, or any number of other descriptors, in the case officially known as In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203. It is a good time, amongst all the massive press coverage and legal wrangling, to get back to some of the basics of the legal proceedings.

read more

(c)iStock.com/baluzek

As businesses look to clouds for faster, more flexible growth, they confront significant challenges from a legacy application base that has varying levels of cloud suitability. It is therefore worth examining how security and compliance requirements can impact choice of cloud or architecture strategies within a cloud. 

Maintaining privacy for data that must be protected for business or regulatory reasons is a substantial concern in cloud migration, public or private. Security and compliance organisations vary in their acceptance of shared environments, even within a single organisation.

Public clouds particularly can highlight weaknesses in data security practices. As firms consider moving applications into a public cloud it is important to be sure basic policies and procedures are in place.  Data classification is a core practice that enables risk-aware protection of data as it moves to the cloud. Having a formal classification system defining what data is public, company confidential, or eyes only is the first step to being able to track compliance in an explicit way. Data life cycle management, decommissioning and disposal in particular, gain increased importance in public cloud.  Encryption and key management have new wrinkles when infrastructure is owned by outside parties.

In addition to basic security concerns, legal regulatory issues for data management must also be considered. Distributing data in any cloud environment, public or private, can trip over legal restrictions in global enterprises. It is important to establish what’s permissible in the jurisdictions an application is operating in, and preventing cross-border flows of data is sometimes required. Similarly, for international applications, it’s important to be aware of any requirements for electronic discovery, integrity, and data custody in the countries where data exists.  Firms considering moving applications into the public cloud should require their providers to detail the legal requests the provider will respond to and the manner in which they will respond.

In the US, domestic regulatory concerns can also come into play with shared service environments.  They can vary depending on the particular standards being enforced.  Two common U.S. examples are information protected by the Health Insurance Portability and Accountability Act (HIPAA) and data segregation required to maintain credit card privacy: the Payment Card Industry Data Security Standards (PCI-DSS).

HIPAA’s primary focus is preserving administrative security and integrity controls around protected data.  Core areas of concern are access control, audit points, encryption of data at rest and in flight. The implementation of each of these varies based on type of cloud model implemented.  Virtualisation introduces additional control points and risks. Audit logs should be continuously reviewed for unwarranted access in any shared service environment. 

There are vendor solutions that can help: role-based access control ensuring administrators have the least privilege possible for accomplishing their tasks, cloud volume encryption methods that render keys unreadable to public cloud service providers. But planning and awareness are imperative to implementing protection that meets compliance obligations without being operationally burdensome.

While HIPAA emphasises only administrative data access, PCI-DSS adds the burden of technical segregation of protected data.  In virtualised, shared environments, this can lead to difficult tradeoffs and increased diligence around audit readiness.

A virtual machine that contains data that is in scope for PCI-DSS compliance renders the hosting hypervisor in scope as well as any virtual machines hosted by the same hypervisor.  That means all the shared VMs must be treated with the same strict security management as those with PCI-DSS protected data, even if no PCI-DSS protected data exists on the shared VMs. “Compensating controls” and additional proofs may make logical separation compliant, but there is no one-size-fits-all method to meet PCI-DSS requirements.  Specific controls and procedures will depend on how virtualisation is used and implemented.

If, in addition to sharing hardware inside an organisation, you are also sharing that hardware with other organisations in a public cloud, there is additional complexity.  Multi-tenancy, nested service-provider relationships, converged administrative responsibilities, can all expand compliance requirements in undesirable ways. Many public clouds, including Google Compute, Amazon Web Services, and Microsoft Azure, market themselves as PCI-DSS compliant, but it is important to note that the final burden of compliance for an application falls to the client organisation.  Specific responsibilities and proofs for compliance should be carefully spelled out when contracting for cloud services requiring PCI-DSS compliance.

Security and compliance requirements may be met in cloud environments, but special attention and close cooperation with a firm’s risk management organisation is called for.

In summary, while moving applications into a private or public cloud environment may present an opportunity to save costs or improve operations, applications vary in their requirements for data security, privacy and management.  The common concerns presented here can add complexity but are manageable with proper care around planning, design, and execution.  Performing detailed application analysis for cloud security requirements can create evidence-based guidance on migration costs and requirements rather than letting panic-stricken hand-waving dictate decisions around whether and what to migrate.

Why a discussion around Application Performance Analytics? There’s a lot of buzz in this industry around the topic of performance analytics – an informal subset of IT operations analytics (ITOA) – as a solution to the growing mountains of monitoring data and the increasing complexity of application and network architectures.
At the same time, there exist many purpose-built performance analysis solutions. Many are domain-centric – server monitoring and network monitoring, for example – while some exhibit a key ITOA characteristic by incorporating and correlating data from multiple sources. Most perform some level of analysis to expose predefined insights.

read more

ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business.
ITIL has been around for a long time, and has helped large teams (particularly those that are heavily regulated) manage the way services are delivered in a predictable and consistent way, as a way to mitigate risk. DevOps, as we know, has a very similar goal.

What is the relationship between DevOps and ITIL? What can one learn from the other? is it ITIL vs. DevOps, or ITIL and DevOps? Can they co-exist?

read more

Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications.
In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, will describe how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability.
He will address the challenges of scaling document repositories to this level; architectural approaches for coordinating data; search and storage technologies, Solr, and Amazon storage and database technologies; the breadth of use cases that modern content systems need to support; how to support user applications that require subsecond response times.

read more