All posts by monicabrink

Why it is vital to talk about security with your cloud provider

Cyber security is currently centre stage – no matter where you turn, it is all over the news.

Just this last month we’ve certainly heard a plethora of stories about companies that have been affected by breaches and hacks. A UK telecoms provider experienced a detrimental cyber security attack where customers’ personal data was breached, and in a separate incident at the end of October, three e-tailers all encountered website disruption, with one of the e-tailers confirming this was due to a Bitcoin-based DDoS attack.

With the UK government also doubling funds to support cyber security programmes with plans to fend off more sinister threats, many businesses are realising the very real need to protect the sensitive and confidential data that they hold.

Therefore, focusing on cloud security within your company is not only justified but more important than ever. However, it can be difficult to determine the practical steps that cloud managers, CIOs and architects need to take to ensure cloud security for their enterprises.

Deploying workloads in the cloud does not necessarily present more security risks than deploying in the traditional on-premise data centre – as long as your company has the right security controls in place and you ask the right questions of your cloud services provider.

A partnership with your cloud services provider that is open and transparent about cloud security, combined with ongoing support, is the foundation for establishing, monitoring and maintaining cloud security. Many companies are simply not talking to their cloud service provider about security issues, nor are they demanding the data about their cloud resources that would help them monitor and maintain the required levels of cloud security that are so essential in the current climate.

Security discussions with your cloud services provider need to start with ground-level issues, like segregation of data from other customers, user access control and two-factor authentication, security of networks and firewalls, availability and performance SLAs, as well as data sovereignty issues.

The most pressing issue for many customers is also whether they’re covered for cloud-based disaster recovery in addition to their IaaS requirements. It is also important to not overlook the details, as customers and service providers also need to work together on very practical aspects of maintaining cloud security, including matters such as:

  • Scanning and reporting on network and server vulnerabilities
  • Detection and remediation of virus and malware intrusions
  • Encryption of servers and networks – with options for the customer to hold the keys themselves
  • Monitoring and reporting on firewall events and login histories

The good news is that there are a lot of advancements in cloud security which can negate cloud risks when matched with cloud service providers like iland, who are willing to work closely with customers to match specific security requirements to cloud infrastructure and services.

There is no doubt that cyber-attacks and security breaches will happen again to businesses in every sector – however they can be prevented, and this starts with the infrastructure implemented, and having an open line of communication with your provider. Organisations can move forward with their cloud initiatives and aspirations without getting held back by the security risks. Now more than ever it is really important to ensure that you have the right cloud security in place. 

Bringing DRaaS to the C-suite: The key job roles analysed

A series of large scale cyberattacks have been in the headlines this year and, according to McAfee, the situation will only worsen as hackers use more advanced techniques to infiltrate networks.

Despite this, there is still a large portion of companies that remain vulnerable, mainly due to the lack of executive interest in preparing for worst-case scenarios. The same report states that 79 percent of C-level US and UK executives surveyed say executive level involvement is necessary to achieving an effective incident response to a data breach and 70 percent believe board level oversight is critical.

It is therefore vital that IT leaders effectively communicate the latent threats to the ‘C-suite’ – the top executives at that organisation – to successfully address the weaknesses that may exist and be fully prepared to respond when they happen. Because they do and will happen.

For example, data centres experience total shutdowns an average of more than twice every two years, localised shutdowns nearly six times every two years, and limited outages more than 10 times per year. Therefore organisations must prepare themselves for when this happens. Because disasters create a crisis environment, they increase the need for the immediate return to operation and the ability to test and view the solution. Therefore, DRaaS (Disaster-Recovery-as-a-Service) is not merely an add-on to a cloud service provider’s offerings but must be a focused discipline with appropriate infrastructure and staffing expertise.

So many of our customers tell us that their path to making the decision to adopt Disaster-Recovery-as-a-Service was not as smooth or as fast as they would have liked. One of the common reasons for this is the difficulty of convincing high-level decision makers, often those in the ‘C-Suite’, to prioritise a DR strategy. It’s not that these C-level executives don’t understand the need to protect IT systems from a potential disaster, but that the prospect of such a disaster is sometimes not immediate enough to be the catalyst for a fast decision.

So, if you are looking to address the topic with your executives, below are some of the key aspects to consider depending on their job title:

  • CEO/COO – Components of a DRaaS offering that would appeal most to CEO/COOs are the time to business resumption (e.g. near-zero RTO), the ability to pay as-you-go without a large capital investment, the ability to prioritise data and workloads for restoration and the flexibility to test to ensure proper operation in case a disaster is declared.
  • CIO – CIOs have a tough balancing act; they must balance costs with the need to limit exposure. They may have to meet compliance requirements imposed by regulation or standards bodies. CIOs need to satisfy the needs of different stakeholders and business imperatives with DR – and this is a huge challenge.
  • CFO – As their primary responsibility is financial, they must be approached from a fiscal angle. They look for an unbiased, independent perspective. Often perceived as being risk averse, they will invest in sound decisions, especially when they see a value proposition backed by financials and metrics.
  • CMO – While traditionally associated with branding, advertising, and public relations, more often the CMO has key objectives tied to customer loyalty as well. An obvious concern of CMOs is how the negative press around disasters affects brand image and customer loyalty. The CMO will not be interested in the details of the services chosen but can be a strong supporter of the need for DR to protect brand image as well as maintain excellent customer support.

It is important to build each individual case based on the key elements of your company’s DR requirements, and focus on the aspects that the target executive needs the most and that will be highly impacted by unplanned outages. These will be the biggest factors that can positively influence the C-suite towards prioritising DRaaS come budget time.

Read more: Selling Disaster Recovery as a Service (DRaaS) to the C-suite

Addressing the hurdles of cloud security: Why you may be setting yourself up for failure

Security is trumpeted as a top concern for organisations, especially with increased investment in new technologies like mobile, cloud, and the Internet of Things. As new technologies are introduced and adversaries become more sophisticated, the threat landscape and the attack surface within organisations continue to grow. This means that not only do organisations need protection from threats, they need to protect their data and they also need to protect their reputation and brand. However, not all companies are taking the threat as seriously as perhaps they should.

Just last week, two new industry reports on this subject caught my attention. The first report indicates that UK companies are still failing to protect their sensitive information against cyber-attacks. According to PwC, there has been a 38% increase in detected information security incidents this year, with these incidents now costing an average of £1.7m. PwC’s report found that businesses are failing to take cyber security seriously, despite noting a 24% rise in security budgets this year.

Corero Network Security also recently launched its mid-year report on the current state of DDoS attacks based on the experience of its global customers. In the report Corero stated that attackers are leveraging sub-saturating DDoS attacks with growing frequency and the attackers are using shorter attack durations to evade defences. DDoS scrubbing solutions can cause disruption in a network and are often used to distract victims while other malware penetrates networks and steals customer information and company data.

With DDoS attacks on the up (the report by Corero showed that customers experienced about 4.5 DDoS attacks per day in Q2 2015, a 32 percent increase on Q1) and malware continuing to increase (it has doubled in the first half of 2015), now more than ever companies need a safe and secure place to store sensitive data. This also means that as companies continue to try and combat the increasing onslaught of cyber-attacks, including DDoS, they are turning more and more to their service providers to help them achieve this.

Just a couple of weeks ago we released our latest Enterprise Cloud Services – Advanced Security Solution (ECS-AS) combining our existing VMware vCloud platform and our management console with advanced security features including vulnerability scanning, whole disk encryption, event and log analysis, antivirus and malware and intrusion detection. We did this because both our customers – and the market – were telling us they needed more sophisticated security solutions to help them achieve cloud security and compliance. The Corero report substantiates the need for more sophisticated security solutions and in particular highlights customer demand for higher levels of security from service providers.

We find that today cloud initiatives are increasingly stalling or getting cancelled altogether because the security risks are deemed to be too high. This results in an uncomfortable situation for IT leaders as lines of business in their organisations are still demanding the agility, scalability and cost savings that cloud computing can deliver. IT leaders know they can’t abandon cloud altogether, as the benefits are too high – and yet they also know whose head will be on the line if an outage, data loss or hacking incident were traced to a cloud workload. So what can they do?

One ECS-AS feature that our customers are particularly excited about is on-demand security reporting. At the click of a button, our customers can get a report showing the security of their cloud resources, data and applications across all of their security parameters. This report can be used to show executives the security status of the organisation’s cloud workloads (thereby quelling any residual fears they have about cloud security) as well as show compliance to auditors as required.

To provide further assistance to the mid-market we have also released a compliance services offering which helps companies meet compliance requirements for industry regulations such as SOC2 and PCI-DSS. Additionally our certified compliance team helps customers interpret reports, provide supporting documentation, answer auditors’ questions, align to ITIL frameworks and so on. Achieving compliance can be a game changer for customers in the mid-market and pave the way for growth acceleration. As a result, this is opening up a whole new level of cloud usage to the mid-market – especially in industries that require stringent security and compliance like Healthcare, Insurance and Finance.

That said, the threat landscape and attack surface are only set to get worse and unfortunately, despite the scale of threats, many businesses are still not doing enough to protect themselves from what could be a financially crippling attack. My advice is to make sure that you are working with a cloud service provider that can help you address security and protect your cloud workload, otherwise you could be setting your cloud projects up for failure.

You may be right to be worried about DRaaS – but help is at hand

Latest figures from the Cloud Industry Forum (CIF) indicate that cloud adoption is at its highest figure to date, with 78 per cent of organisations now having formally adopted at least one type of cloud-based service. TechNavio echoes this surge and in particular the surge in growth of disaster recovery as a service, forecasting a compound annual growth rate of 54.64 per cent between 2014 and 2018. However, despite the striking numbers and growth expectations there are still many IT professionals out there who have fears about adopting disaster recovery as a service.

Today, most companies are beginning to realise that they are not well prepared to face adversities. Right now business and IT executives want guarantees that disaster recovery processes actually work and they owe it to themselves, their employees, customers and investors to make sure this is the case.

That said, we constantly hear that most IT executives cannot satisfactorily answer a simple question: “If your systems went down, would your company be able to get them up and running again within a timeframe that meets your business requirements and are you able to recover critical business data?”

A recent example that highlights how easily this can happen is the lightning strike that hit one of Google’s data centres four times and resulted in some people losing their data forever. Losing data is never a good thing, but losing data forever, as a business, is unthinkable. Apparently a number of the disks in the Belgian data centre were completely wiped, meaning some people have permanently lost files. This event illustrates that even providers like Google can find themselves subject to acts of nature that can disrupt or destroy critical business data.

This underlines the need for all businesses to adopt geographic and even multi-vendor redundancy to ensure proper measures for disaster recovery. The good news is that the industry has evolved to the point that there are disaster recovery solutions for any budget – as long as we can convince those that are worried about DRaaS.

IT folks who have fears around DRaaS tend to become the ‘worriers’ or ‘blockers’ in their organisations and resist attempts from IT management and the C-suite to implement a cloud-based disaster recovery solution. That’s not good for either them or the organisation as the potential for data centre outages is only increasing and DRaaS is a proven, reliable and cost-effective way to maintain business continuity when faced with a disaster.

So, what specifically is IT afraid of when it comes to DRaaS? We’ve found it falls into three main areas:

– Losing control and visibility – you don’t want your applications and data sent into the abyss. You want to know exactly where everything is at all times, how it is performing and define exactly what needs to be failed over and when.

– Trusting cloud infrastructure – trusting your data and applications to a cloud service provider and being able to rely on that in a disaster is a challenge for many, particularly for those in highly regulated industries such as healthcare and finance.

– Uncontrollable costs – one of the reassuring things about a physical disaster recovery solution is that costs are predictable – you may want to avoid complex DRaaS pricing algorithms that make budgeting a nightmare. IT should be wary about hidden costs in any disaster recovery or backup solution.

These fears are all valid and yet all of these can be overcome with the right DRaaS solution.

In terms of maintaining control and visibility, the cloud portal that iland offers delivers granular management of cloud resources and costs. Customers can view performance, capacity and usage metrics, initiate failover and failback, re-allocate workloads and much more. With that kind of control, the IT ‘worriers’ should have no need to fear the unknown – they have full visibility into their resources and costs and can proactively manage them, along with backup should they need it.

Security of cloud infrastructure should absolutely be at the top of your DRaaS shopping list. Additionally, our US, UK and APAC data centres are designed to meet advanced security and compliance standards with vulnerability scanning, intrusion detection and whole disk encryption being just some of the security features. iland data centers hold SSAE 16 and ISO 9001/27001 certifications and cloud to cloud replication is available if our customers need a secondary failover site.

Our DRaaS offering enables a near-zero Recovery Time Objective (RTO) and self-service testing so you get the peace of mind that comes with knowing that business continuity is assured. Mind you, we get the need for straight-forward pricing. Disaster Recovery is too important to be spending hours trying to figure out what it’s going to cost to protect your business.

So I hope you can see that if you’re a DRaaS worrier, there are now a lot fewer reasons to be afraid of DRaaS and resist implementing it in your organisation. In fact, you may want to jump on board with the DRaaS optimists.

Businesses, driven by customer expectations and auditors, will begin to care about more than just data restoration; they will care about business service restoration. As a result, there is and will continue to be a greater need to verify the ability of an organisation to bring virtual and cloud-based business applications back into service within strict and very fast service level agreements.