All posts by James

Salesforce customers: Learn from Code Spaces’ swift demise

Picture credit: iStockPhoto

A benchmark report by Adallom into the uptake of software as a service (SaaS) applications has found that Salesforce customers have the highest percentage of privileged access users – and warned about the problems that may cause businesses.

On average 7% of users on Salesforce accounts are privileged or have admin access, compared with 4% for Google Apps, 2% for Box and 1% for Office 365, the other three services analysed.

The report gave a grave warning over the prevalence of “super admin” accounts – ones with complete and unrestricted access to the SaaS. “A compromised “super admin” account represents a much greater threat to an organisation because it has access not only to view and edit privileged data, but also to modify access rights of other privileged users,” the report notes.

Regular readers of CloudTech will remember the unfortunate story of Code Spaces, the cloud provider which had to wave the white flag in June this year due to a DDoS attack. While their service was Amazon Web Services EC2, the hackers got into the admin control panel, before creating backup logins and deleting data, backups and machine configurations.

“Customers, not vendors, are responsible for risk management,” the report notes. “While most enterprise SaaS providers have built-in support for two-factor authentication and IP restrictions that can be used with user accounts, sophisticated attackers can circumvent those controls through session hijacks and targeted malware.”

One customer in the study found over 100 Salesforce users with admin privileges. But that’s not the biggest problem.

11% of SaaS accounts are ‘zombie’ accounts according to the study; accounts which haven’t been touched for three months. There are perfectly good reasons why this could be the case, such as maternity leave. Yet 80% of companies still have at least one account on the system of a suspended or terminated employee.

These dormant accounts are the perfect opening point for hackers, the report argues. “An inactive account does not only represent a security risk, it’s also a financial burden on the company,” it argues. “In many of the organisations we protect, we often see double digit percentages of zombies – these are licenses which the company is paying for even though they aren’t being used.”

Similarly scary is the finding that the average company shares its files with 393 external domains, while 29% of employees share 98 corporate files with their personal email accounts on average. It can happen unintentionally through sync agents, but again it represents a serious security risk.

What’s more, 92% of respondents in a recent Forrester survey indicated their security controls for SaaS applications were effective. “Security professionals with this mindset are rolling the dice with their sensitive data,” said Forrester’s Andras Cser. “Perimeter and endpoint protections provide minimal protection against new, emerging and largely unknown threats.”

Earlier this week a report from Databarracks found that human error was responsible for one in five data loss incidents.

Dropbox and Microsoft partner for Office 365 storage: What does this mean for OneDrive?

Cloudy storage provider Dropbox has announced a strategic partnership with Microsoft whereby the service is being integrated more closely with Microsoft Office 365.

Dropbox customers will be able to access their accounts directly from Office apps, edit Office files from the Dropbox app, as well as sharing Dropbox links from Office.

In a blog post on the Dropbox website, head of product Ilya Fushman wrote: “We know that much of the world relies on a combination of Dropbox and Microsoft Office to get work done. That’s why we’re partnering with Microsoft to help you do more on your phones, tablets, and the web.”

The new features will be rolled out onto iOS and Android users, with Dropbox also confirming plans for a Windows Phone and Windows tablet app.

Satya Nadella, Microsoft CEO, has long been using the term ‘mobile-first’ and ‘cloud-first’ in his missives, almost for continuity now as much as anything else. In this instance, it’s more about enterprise and collaboration. “In our mobile-first and cloud-first world, people need easier ways to create, share and collaborate regardless of their device or platform,” he said.

“Together, Microsoft and Dropbox will provide our shared customers with flexible tools that put them at the centre for the way they live and work today.”

The news has come as a bit of a shock to many commentators, but it’s an interesting partnership from both ends. Dropbox has been looking for more of an enterprise focus, especially as it’s been losing out in that battle to Box, who has gained customer wins in the form of General Electric in recent months.

Similarly, Microsoft would be relishing this partnership as it gives the tech giant assurances it will “play nicely” with competitors. Gartner analyst Jeff Mann told the Guardian: “Both of them decided that they’re not really a threat. If they can work with each other, against the common enemy Google, primarily, or to some extent Box, or the other competitors that are in this market.”

What’s your view?

More than three quarters of workloads will be through cloud data centres by 2018

Picture credit: iStockPhoto

By 2018, 78% of workloads will be processed by cloud data centres, while annual global cloud IP traffic will reach 6.5 zettabytes (ZB).

These are the two main takeaways from Cisco’s latest Cloud Index study, which aims to show the extent of growth of global data centre and cloud-based IP traffic.

Annual global data centre IP traffic will reach 8.6 ZB by the end of 2018, up significantly from last year’s total of 3.1 ZB. Workload density for cloud data centres will reach 7.5, up from 5.2, whilst global cloud IP traffic will nearly quadruple over the next five years.

By 2018, 69% of global cloud workloads will be in private cloud data centres, with the remaining 31% in public. More than half (59%) will be software as a service workloads, compared to 28% IaaS and 13% PaaS. This represents a downturn for infrastructure as a service, which currently represents 44% of cloud workloads; however, over five years each sector will still see a significant compound annual growth rate (CAGR) – 33% for SaaS, 21% for PaaS and 13% for IaaS.

The report notes that in the private cloud, the majority of deployments were IaaS and PaaS, while the public cloud saw predominantly SaaS deployments.

2 billion people will be using cloud storage in 2018, while the global data created by Internet of Things devices will top 403 ZB each year. These are huge numbers, but the current figures are still extensive – 113.4 ZB of IoT data and 922 million users of cloud storage in 2013.

According to the index, significant promoters of cloud traffic growth include the rapid adoption of cloud architectures, as well as the ability of cloud data centres to handle higher traffic loads.

Elsewhere the research found that IPv6 adoption will fuel cloud growth. Globally, the report shows that nearly a quarter (24%) of Internet users will be IPv6-ready by 2018, with nearly half of all fixed and mobile devices IPv6 capable. As of May this year, more than 96% of Internet traffic worldwide is still carried on the elderly IPv4 protocol.

The public versus private cloud discussion in the report will certainly be of interest to those who wrote Verizon’s yearly offering on the state of enterprise cloud computing, which decried that particular debate as “inadequate to describe the massive variety of cloud services available today.”

You can find the full 41 page report here.

7 reasons why cloud governance is a challenge: Should we eradicate shadow IT?

Picture credit: iStockPhoto

Another day, another report bemoaning shadow IT for cloud computing. SafeNet’s Challenges of Cloud Information Governance study, conducted by the Ponemon Institute, is the latest to put the blame of compromising data at the door of unapproved IT activity.

Shadow IT, which involves employees bypassing company policy on website and technology usage, has meant cloud security is “stormy”, according to the report. More than half (55%) of the 1,864 IT and IT security practitioners surveyed admitted they were “not confident” that IT knows all the cloud computing services in use at their company.

Respondents added that payment information (56%) was the data that presented the greatest security risk, ahead of customer information (50%), consumer data (34%) and email (23%). Payment info, however, was the least likely to be stored in the cloud, probably as a result of this risk.

Part of the problem for IT managers is that conventional security methods are difficult to enforce with cloud apps and products. 71% of respondents agreed with that statement, while around half (48%) believe it’s more difficult to control or restrict end-user access. Similarly, 61% said cloud increases the compliance risk, compared to only 8% who think it goes down.

Another problem, as the survey revealed, was the age old question of who is responsible for cloud data: the end user, or the cloud provider? It’s still not been answered. 33% argued it was the cloud user’s responsibility, 32% said the provider, while 35% said it was a shared responsibility.

Similarly, there is a lack of encryption in software as a service (SaaS) applications. Three quarters of respondents say they use document sharing and online backup tools, but only 28% say their organisation encrypts sensitive data directly within these apps.

As enterprise cloud usage will inevitably increase in the coming years, the 30 page full report (pdf here) paints a fairly bleak picture. SafeNet goes through seven reasons why cloud governance is a challenge:

  • Uncertainty about who is accountable for safeguarding confidential or sensitive information stored in the cloud
  • IT is out of the loop when companies make decisions on the usage of cloud resources
  • IT functions are not confident they know all the cloud resources being used
  • Companies say encryption is important, but aren’t walking the walk on protecting apps
  • An inability to control how employees and third parties handle sensitive data makes compliance more difficult
  • More employees are using cloud apps without appropriate security training
  • Third parties are allowed to access sensitive data without security reinforcement, such as multi-factor authentication

Shadow IT is often blamed for this lapse in security. Can you be certain as a CIO or senior manager that your workforce isn’t using Dropbox to ping over collaborative documents, for instance? A blog from MobileIron back in March pondered the question: “If an auditor had full access to your Dropbox account right now, would they find a single bit of corporate data that shouldn’t be there?”

In almost all of the cases, it’s difficult to say no. So what’s the solution? Blacklisting apps is a brute force method, although innovative employees can find many ways to break the system, whether it’s for malicious purposes or just an honest attempt to be more productive. As a CloudTech article mused yesterday, your employees are a bigger risk to data loss than cybercriminals.

Education, and increased visibility into cloud app usage is key to mitigating the risk of shadow IT, the report concludes – and it’s a good starting point. If you keep your head in the sand and pretend there isn’t a problem, your data could be seriously at risk.

Beware the fat finger when it comes to cloudy data loss

Picture credit: iStockPhoto

Human error is responsible for one in five data loss errors, according to the latest study from cloud provider Databarracks.

The study, the fifth annual Data Health Check report, found that employee idiocy was the third most popular reason for data going missing with 18% of the vote, behind software failure (19%) and hardware failure (21%). Interestingly, corruption and theft were responsible for 15% and 7% of the poll respectively.

Yet it’s the larger companies who continue to foul up. 22% of large organisations listed human error as the main cause of data loss over the last 12 months, compared to 6% of small organisations.

The report examines the cost of backup and disaster recovery. While a third (32%) of respondents spend less than half an hour on backup, a similar number (33%) take more than two hours or employ dedicated staff.

Worryingly, 41% of small organisations don’t have a business continuity plan and don’t intend to implement one in the next year. A third (35%) of respondents don’t test their disaster systems due to lack of time, compared with 18% for cost and 18% for lack of relevant skills.

“This isn’t a case of security becoming less important as you adopt more cloud services – data security is always going to be a priority for both the organisation and the provider,” said Peter Groucutt, managing director of Databarracks. “What we’re actually seeing is organisations moving past the ‘fear of the unknown’, as they experience cloud services first-hand.”

A fat finger can still have the power to bring down the cloud, at least temporarily. Back in May Joyent’s entire US-East-1 data centre hit the skids because of a typo. The command may have been mistyped, yet there was no override or verification: a reboot command to every server in the US-East-1 zone was sent, to the chagrin of commentators.

“There are broader systemic issues that allowed a fat finger to take down a data centre,” Joyent CTO Bryan Cantrill wrote.

This case wasn’t so much data loss as data inconvenience, but plenty of cases in recent memory have proved employees are a serious risk to your corporate data, by accident or design. British supermarket chain Morrisons had data of employee salaries breached by an employee, while a study from EE in March found that employees were more of a threat to businesses than cyber criminals.

Databarracks released a complete disaster recovery kit tool last month in a bid to help smaller businesses get themselves organised in the case of a data breach.

You can take a look at the full set of survey results here.

Report slams Oracle’s relationship with customers for software licensing

Picture credit: iStockPhoto

A report from the Campaign for Clear Licensing (CCL) has found that the majority of Oracle licensees have an “arms length, impoverished relationship” with the software giant.

The report found an alarming number of complaints, the majority of which resulted from poor communication between seller and client. 92% of those polled argued Oracle does not clearly communicate licensing changes, while 88% disagreed that Oracle audit requests were clear and easy to manage.

“Whilst every organisation entering into contracts must be accountable for the agreements they purchase, a disproportionate amount of risk and management overhead appears to be placed on the customer by Oracle,” the report notes. “Similarly, many customers have not invested, or are not capable of investing, sufficient resource to manage their Oracle estate, or are aware of the investment in management overhead that they will require prior to engaging with Oracle.”

Naturally the researchers gave Oracle right of reply, and it was the expected rebuttals. The charge of unknown compliance got the reply “Oracle LMS state they are there to help customers.” With the charge of poor contract terms, Oracle argued some customers didn’t have time to read their contracts.

There were also positives, however, including plenty of public information available on Oracle.com, and the fact that Oracle verifies third party tools.

In all, there were three positive points and 11 negatives, with seven calls to action. Oracle needs to ensure there is only one corporate voice, to invest in a well organised knowledge base, and to provide better business communications among others.

“Based on our research and conversations over the last six months, we have found that customers’ relationships with Oracle are hostile and filled with deep-rooted mistrust,” said report author Martin Thompson in a canned quote. “So entrenched is this feeling of mistrust that some organisations were fearful of speaking to us in case of any audit repercussions.”

It’s strong stuff, but it’s worth noting this isn’t just a hatchet job from CCL. Back in February, Oracle became the first software publisher to meet with the group, with the aim “to build a mutually beneficial feedback mechanism with constructive dialogue over the longer term.”

According to a source: “Oracle was first in the firing line as they are notorious for their licensing practices and were willing and open to cooperating with the campaign.”

The CCL confirmed to CloudTech it was looking at engaging with other software vendors in due course. Microsoft, SAP and IBM were mentioned, but nothing concrete has been announced. A seminar has been organised on November 21 to go through some of the report’s pain points.

In a few years’ time, of course, Oracle will want this to be ancient history. After being slow movers in the cloud space, the company is making a swift about turn and slowly culling its legacy software revenue. It’s a long term strategy but it hits the short term bottom line, as the company’s most recent financial results proved. Net income stood still while total revenues were up only 3% – lower than Wall Street was expecting.

Despite that, the company’s aggressive push to cloud is evident. The company hired former Google App Engine chief Peter Magnusson and ex-SAP head of cloud Shawn Price in recent weeks.

You can read the full report here.

Postscript: The report also catalogued the various pieces of anecdotal evidence from survey respondents. One of the most damning, when asked what they liked about Oracle licensing, was: “Nothing. Such practices should be considered illegal.”

Salesforce opens first UK data centre, more European expansion planned

Picture credit: Salesforce

It was first announced at the Salesforce1 World Tour back in May, but now Salesforce has finally launched its first UK data centre, with France and Germany on the hit list for the future.

“It sends a signal to the market about the seriousness and the strategic nature of this market to us,” commented Salesforce chief operating officer George Hu at the time. The announcement also sends out a signal about Salesforce’s strategy; the UK data centre will be fully powered by renewable energy, as well as the proposed French and German centres, supporting the firm’s sustainability goals.

“The opening of Salesforce’s first European data centre underscores our commitment to customers and partners in the UK,” said Andrew Lawson, Salesforce SVP for UK and Ireland.

“The new data centre will support the unprecedented growth we’ve seen in the region and further accelerates the adoption of cloud, social and mobile technologies, empowering UK companies to connect with their customers in a whole new way.”

The big cloud vendors are moving towards European expansion. It’s the same path being taken by IBM. Back in July Big Blue announced a UK data centre from SoftLayer, with France and Germany also in the firm’s sights. Amazon Web Services also announced a new region in Germany last week.

Salesforce is going one step further to woo UK based customers, opening up an entire London base at the Heron Tower, near Liverpool Street.

The cloudy firm had aimed to call it the Salesforce Tower, but the proposal was nixed for now by the City of London Corporation. As Salesforce only rents six of the Tower’s 46 floors, opponents argue this isn’t a sufficient investment to warrant a whole name change.

IBM inks partnership deal with Tencent for Chinese cloud opportunities

Picture credit: iStockPhoto

It’s official: IBM is going partnership mad. A couple of months after announcing a huge mobility collaboration with Apple, and only a week after inking a deal with Twitter for enterprise social analytics, Big Blue has announced a deal with Chinese Internet provider Tencent for cloud software.

The goal is to enable Chinese industries to provide public cloud with software as a service (SaaS), to utilise mobile, cloud computing and big data tools. It also gives IBM an interesting business angle in China.

“The industry dimension makes this especially appealing for businesses,” said Nancy Thomas, managing partner with IBM business consulting services in China. “IBM and Tencent’s shared vision is not only to bring the scale and cost benefits of cloud computing to enterprises in China, but to add differentiating value by serving the particular needs of specific industries.

“That is the key to unlocking the transformative power of cloud computing.”

China remains a very interesting market for cloud vendors to penetrate. CenturyLink, best known as a telco but weighing its options in the cloud space, offers a managed hosting facility in China, launched last month.

Similar to IBM, CenturyLink is partnering up, this time going with Neusoft. Amazon Web Services launched a Chinese region in December last year, partnering with various local providers including ChinaNetCenter and SINNET.

A report released last year on the state of cloud computing in China found that “systematic” weaknesses in Chinese infrastructure were key to the region not fulfilling its potential as a cloud IT power. Amazon, CenturyLink and IBM among others have started partnering up and moving over – which can only be good news for Chinese IT.

Is your CFO hot under the collar? It might be due to missed cloud revenue

Picture credit: iStockPhoto

Even though ensuring the company is iterating and innovating is more the CIO’s bag, the CIO and the CFO both have a keen interest in the bottom line. New research from Canopy has found that 81% of CIOs and CFOs worry their business will become uncompetitive if they miss out on cloud revenues.

The research, of 950 CIOs and CFOs in mid market and enterprise firms in the US and Europe, further noted that three quarters of CFOs think their business is missing out on revenue opportunities if they don’t have the optimum cloud applications and infrastructure in place.

It’s been a fine balancing act between CIOs and CFOs in terms of keeping the company on track. CIOs in particular worry about the issues their company will face if IT doesn’t move towards a cloud-based approach:

  • 38% globally believe lack of cloud would lead to reduced staff productivity
  • 34% argue it would result in increased time to market
  • 35% reported a potential risk of data theft

Similarly, nearly half (44%) said their IT department was not able to develop applications fast enough without adequate cloud technologies.

From the CFO’s perspective, 94% recognised the need to embrace cloud based applications, and more than two thirds (68%) admitted a lack of cloud investment was holding back digital projects.

“Digital must be in the DNA of every department to help the business maximise market share and revenue,” said Canopy CEO Jacques Pommeraud. “Right now digital transformation is only happening in pockets. One key to unlocking digital transformation is cloud computing.”

When it comes to profit margins, CIOs and CFOs are often singing from the same page. One issue which hasn’t been completely solved is downtime, which can cause both financial and temporal pain for businesses. Last week Databarracks unveiled its complete disaster recovery toolkit, featuring a cost of downtime calculator, and a roadmap for each department to get back on its feet. While downtimes can sometimes be unavoidable, they can now be comfortably mitigated.

This Polish startup aims to “do to open source what DigitalOcean did to SaaS”

Picture credit: Damian Nowak/YouTube

Say hello to VirtKick. This startup, based out of Gdansk, Poland, has a simple goal: to make virtualisation easier.

The company has launched an Indiegogo campaign to raise an ambitious $57,000 to add a series of new features, with the aim of making the complexity of spinning up virtual machines a thing of the past.

“Virtualisation technology is tough,” VirtKick trumpets in a press release. “DigitalOcean did their job and revolutionised the cloud/VPS business. But it doesn’t look that great in [the] open source world.

“Existing open source cloud panels are hard to set up and use – they focus on technological aspects, not users’ needs. VirtKick solves it – it’s an open source cloud panel allowing anyone to become their [own] VPS provider and regain full control over cloud.”

With almost 80,000 followers on Twitter and series A funding of $37.2 million in the bank, cloud hosting firm DigitalOcean is a suitable company to look up to for VirtKick.

As it’s all open source, naturally every line of code the company writes will be available on GitHub. Currently you can spin up a VM in three clicks, as you can see in a demo here, but VirtKick aims in future to be able to do it in one.

“The project is revolutionary,” said VirtKick co-founder Damian Nowak in an email. “There’s no open source project that would simply let users manage their virtualisation without having to dig into configuration files, system internals, networks and such.”

VirtKick is offering ‘bundles’ – tasks to be ticked off as soon as a certain amount of money is raised. $7,000 will enable the one-click install of VMs, $17,000 will enable the implementation of credit card payments and invoices, while later deals hint at partnerships between Amazon, SoftLayer, and MIT among others.

You can take a look at the hosted alpha here and have a play around, and the company’s video below: