A Preposition Makes All the Difference in / of / for / from the Cloud

There is truly a difference in terms of scope, application and business need between security “in” the cloud and security “from” the cloud.
No, this isn’t 7th grade English…I promise.
With all the important decisions IT departments make, what’s the big deal whether cloud security means from the cloud, in the cloud, of the cloud or for the cloud? Well, a lot. Amongst the various media, blogs, professional chatter, webinars, conferences and the like, the concept of cloud security is getting a significant amount of airplay. However, the difference in the application of a simple preposition completely alters the scope and meaning of these conversations to that of a problem or a solution.


Cloud Computing: SOASTA Measures Real Mobile & Web Users in Real-Time

Somebody oughta buy Facebook one of these.
SOASTA, a big cheese in cloud and mobile testing, has come out with mPulse.
It’s supposed to be the first and only Real User Measurement (RUM) data analysis solution to deliver real-time information based on actual mobile user behavior. Naturally it’s cloud-ified and the analytics are patented.
The company has also made its very first acquisition, picking up LogNormal, which, as you might suspect, does real user measurement and monitoring for mobile and web applications.
Anyway, the company says existing tools collect data about the past, not the present, and hence fail to capture the real mobile users’ experience. mPulse, on the other hand, “instantly delivers actionable intelligence to operations and marketing professionals.”


Cloud Expo Silicon Valley: Simplify Enterprise Deployments of OpenStack

OpenStack delivers powerful capabilities for deploying an Infrastructure-as-a-Service cloud, but getting up and running can take time and effort you can’t afford. SUSE Cloud delivers an enterprise-ready OpenStack-based solution that eases your cloud deployment.
In their session at the 11th International Cloud Expo, Peter Linnell, SUSE Linux Technical Specialist for the West Coast at SUSE, and Cameron Seader, a SUSE Sales Engineer, will discuss the dos and don’ts of deploying OpenStack and show how SUSE Cloud speeds your journey to the cloud.


Cloud Computing: Ellison Swears Off Big Acquisitions

Larry Ellison, who spent $50 billion more or less on acquisitions in the last 10 years, is swearing off making any big acquisitions to add to Oracle for a couple of years to focus instead on growing the company organically in an attempt to dominate the cloud, a technology he used to call “complete gibberish” and a “fad.”
Of course Larry can resist anything but temptation and didn’t rule out a big deal “down the road,” when he spoke to CNBC’s Maria Bartiromo in his first interview in years. But he’s especially not going to buy NetApp, the storage concern rumored to be a target. It would cost a lot of money and doesn’t fit Oracle’s current strategy.
“We have all the assets in-house to grow very rapidly on an organic basis,” he said.


Mimecast: Email Regulation Issues Leaving Businesses Confused

Corporate email archiving and retention policies are muddled and unclear, with many businesses leaving themselves exposed to potential litigation or compliance issues, according to new research launched today by Mimecast®, the leading supplier of cloud-based email archiving, security and continuity for Microsoft Exchange and Office 365.

The research, which surveyed IT managers on their organizations’ email policies and archiving practices, found that just 20 percent of businesses (23 percent globally) retain archived email for three years or more, with one in four businesses (25 percent U.S.; 26 percent globally) admitting that they do not have a clear policy on retaining email at all.

Key findings:

  • Email retention policies are often ad hoc or based on guesswork – Just
    one in four IT departments (30 percent U.S.; 26 percent globally) have
    an email retention policy designed to comply with industry regulations:
    • Forty-one percent of businesses surveyed (43 percent globally) say
      their archiving policies are based on ‘internal best practice’
      with no consideration given to industry or country specific
      regulations
    • Six percent of U.S. and global businesses admit to deciding their
      email retention policy around a ‘random future date’ with ‘no
      basis’
  • eDiscovery for email is a major area of concern – Many
    businesses are not confident that they would be able to identify all
    emails relating to a specific customer in a timely manner:

    • On average, it would take a U.S. business 15 working days to
      identify all emails relating to a potential litigation
    • Eighteen percent of U.S. businesses do not think they would be
      able to comply with this kind of email eDiscovery request within a
      month
  • Concern around email compliance – IT departments are concerned
    that they are leaving their businesses exposed:

    • Just one in four (24 percent U.S.; 27 percent globally) IT teams
      are ‘completely confident’ that their email policies comply with
      all relevant regulations
    • Forty-eight percent (46 percent globally) are ‘mostly confident’
      with 34 percent (23 percent globally) ‘minimally confident’ or
      ‘not at all confident’

“Taking fifteen days to identify all relevant emails sent and received by a client is a massive and unnecessary resource drain,” said Jim Darsigny, CIO, Brown Rudnick LLP. “For IT departments, managing and enforcing email policies can no longer be an ad-hoc approach as the risk potential and time wasted is too high to ignore. In our organization, the cloud enables our business to significantly reduce the pain, costs and resources normally dedicated to sourcing archived email data. With a solid email eDiscovery strategy in place, we are not only able to better serve our clients, but we can also more accurately assess their level of risk.”

“IT departments can and should be doing more to protect their organizations by adopting a more rigorous approach to email archiving,” said Eliza Hedegaard, Account Director Legal, Mimecast. “However, the businesses I speak to are not being helped by a regulatory system that is incredibly confusing and difficult to navigate. Regulators should be helping businesses by simplifying the regulatory framework and putting greater emphasis on clearly communicating what organizations need to do in order to comply instead of adopting scare tactics that focus on what will happen if organizations fall foul of the rules.”

 


LogRhythm Partners with VMware to Automate Regulatory Compliance in Virtualized Environments

LogRhythm today announced that it has partnered with VMware to contribute to its newly introduced VMware Compliance Reference Architectures, a set of resources including solution guides and design architectures intended to simplify compliance for business-critical applications in the cloud era. As part of this initiative, LogRhythm has published the LogRhythm Solution Guide for Payment Card Industry (PCI), an addendum to the VMware Solution Guide for PCI. The LogRhythm solution addendum is a QSA-reviewed guide that outlines how the company’s SIEM 2.0 platform complements existing VMware security capabilities to help customers assure PCI compliance when virtualizing mission-critical business applications with VMware vSphere®.

“Security and compliance are top concerns for organizations seeking to virtualize critical business systems such as PCI payment processing,” said Parag Patel, vice president, Global Strategic Alliances, VMware. “We’re committed to helping customers address these concerns on their journey to the cloud, and partners like LogRhythm extend our native security capabilities to make this possible. Through our solution guides, VMware and LogRhythm are delivering a validated roadmap that details how organizations can achieve PCI compliance in virtualized environments.”

LogRhythm’s SIEM 2.0 platform delivers the visibility and insight needed to detect, defend against and respond to increasingly sophisticated cyber threats, efficiently meet compliance requirements, and proactively respond to operational challenges. The company provides out-of-the-box compliance solutions that enable organizations to meet their requirements for log data collection, review, archive, reporting, and alerting under mandates such as PCI, HIPAA, NERC-CIP, GLBA, Sarbanes-Oxley, GPG 13, and other regulatory regimes. LogRhythm’s PCI compliance package features specific investigations, alarms and reports designed to meet PCI reporting requirements, and directly addresses or augments at least 80 individual PCI controls. With fully integrated file integrity monitoring, advanced multi-tenant support, robust reporting, and rapid search and drill-down capabilities, LogRhythm is an ideal solution for addressing PCI compliance requirements in virtual environments. LogRhythm can ensure that sensitive data, such as credit card account information, is not inappropriately accessed by shared virtual resources or unauthorized individuals. LogRhythm is field-proven in numerous deployments where the solution is being used to automate and assure regulatory compliance in virtual environments.

“We’re very pleased to have been selected by VMware to help address the compliance requirements of customers moving their critical systems to virtual and private cloud environments,” said Matt Winter, vice president corporate and business development at LogRhythm. “LogRhythm has a significant track record helping customers meet their regulatory compliance obligations in virtual, physical and hybrid environments. Our compliance capabilities dovetail well with VMware’s native security offerings to create a robust and comprehensive solution. With the VMware Solution Guide for PCI and LogRhythm’s addendum solution guide, organizations can have confidence that there is a detailed, validated path to maintaining PCI compliance in virtualized environments.”

The LogRhythm Solution Guide for PCI has been reviewed by Coalfire, an independent Qualified Security Assessor specializing in IT audit, risk assessment and compliance management, and is available for download on the LogRhythm website and VMware Solution Exchange.


It is All About Repeatability and Consistency

Not that I need to tell you, but there are several things in your network that you could have better control of. Whether it is consistent application of security policy or consistent configuration of servers, or even the setup of network devices, they’re in there, being non-standard.
And they’re costing you resources in the long run. Sure, the staff today knows exactly how to tweak settings on each box to make things perform better, and knows how to improve security on this given device for this given use, but eventually, it won’t be your current staff responsible for these things, and that new staff will have one heck of a learning curve unless you’re far better at documentation of exceptions than most organizations.
Sometimes, exceptions are inevitable. This device has a specific use that requires specific settings you would not want to apply across the data center. That’s one of the reasons IT exists: to figure that stuff out so the business runs smoothly, no?


How Government Early-Adopters Use Cloud Services

What are the best practices for deploying managed cloud services? Case studies have now confirmed that cloud services can be a better, faster, less expensive and less risky way to source Information and Communications Technology (ICT) solutions, according to the latest market study by Ovum.
Results from recent research conducted by Ovum detail the experiences of five public sector organizations that have successfully deployed cloud services — either with Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS) or Platform-as-a-Service (PaaS).
Highlighting the known benefits and the catalysts that empower organizations to embrace the cloud service delivery model, Ovum says they have developed a framework to assist government agencies in understanding the organizational factors associated with early adoption of managed cloud services.


A Cloud That Cares? Or About Eating Your Cloud and Having It Too

Although self-service – together with elasticity, pooling/sharing, etc. – is a defining attribute of cloud computing, many of the companies expressing an interest in cloud computing do not seem to be aware of that.
In fact, when asked “Who do you expect to provision your services to the cloud?”, “Who will monitor your services’ performance and availability?” and “Who do you expect to take action if something goes wrong?”, a majority of the companies asked look to be somewhat surprised by the question, as they simply assumed that their service provider would do so.
This is a bit like going to a supermarket (a typical self-service facility), pointing to the ingredients you like and expecting the cashier to clean, cook and serve them for you. The name we generally use for such a service, however, is “restaurant”, and it comes with significantly different expectations and pricing, as demonstrated by the price of a bottle of wine in a restaurant versus that same bottle at a supermarket (which is one reason restaurants prefer to buy from exclusive wine merchants and not to put bottles on their wine list that are available in retail).


The growth of Chinese cloud computing

China is the latest country to realise the full potential of cloud computing, as it is now pushing a huge amount of money into it.

Chinese cloud computing now accounts for 3% of the global cloud computing market share, which in monetary terms equates to an awful lot – especially if you consider the fact that the market was said to be worth around $90bn US dollars back in 2011 and it has continued to grow exponentially since.

Growth Plans

It is expected that the Chinese cloud computing market will grow to around 117.4 billion CNY, which is equal to $18.6bn US dollars, or £11.5bn, by 2013.

Furthermore, it has been reported that the Internet Society of China predicts that the country will have reached 1 trillion CNY by 2015 – a simply staggering amount of money!

The Chinese government is said to be encouraging the growth of …
