Content Cookbook #5: Cloud Security

CIOs love the agility, flexibility and lower prices offered by the cloud. But year after year, security breach after security breach, fear keeps them from moving more sensitive data and applications to off-premise data centers.

If you’re selling cloud security, either as a cloud service or in the form of consulting to help clients assure cloud security, what sort of content do you need to find, score, and nurture prospects?

Based on my recent reporting and a recent global survey of IT executives I helped execute for Oracle, here are some security-related questions you can use to build content for each nervous step along the cloud purchase funnel. Each of these topics can easily be expanded into a blog post, white paper, Webinar, ebook or “Top Ten Questions to Ask” cheat sheet.

Awareness/General Education Stage

  1. What questions should I, as a customer, ask to determine if the cloud is likely to be more or less secure than my in-house environment?
  2. What general questions should I ask my cloud provider about security?
  3. What types of applications and data are my peers trusting to the cloud?
  4. How do I assess my applications and data to determine which are most suitable for the cloud from a security perspective?
  5. How much can I trust security certifications such as PCI? What are the hidden “gotchas” that can make such certifications worth less than they seem?
  6. For cloud-based security as a service:
    1. What is “security as a service?” How does it work?
    2. What forms of security are available as a service (Identity management? Remote monitoring?) What are the pros and cons of each?

Product/Service Consideration Stage

  1. What specific questions should I ask a cloud provider based on my vertical market and its industry/governmental compliance requirements?
  2. What processes, and technologies, should the service provider use to alert me to security issues? How quickly will I be notified, and what are the escalation paths if the problem isn’t solved quickly?
  3. What types of encryption should they provide for data in transit and at rest?
  4. What are the different methods of isolating customer environments in the cloud (such as network traffic isolation vs. database traffic isolation)? How does a customer determine which is best for them?
  5. What security service level agreements (SLAs) should I expect from a cloud provider, or a security as a service provider?

Product/Service Evaluation/Purchase Stage

  1. What specific security-related controls and reports should I insist on from my service provider?
  2. How will the provider give my internal or external auditors the information they need to help prove my compliance with essential security requirements?
  3. Specifically how do they assure my data and applications are isolated from those of other customers?
  4. Do they offer any federated identity or access management capabilities that make it easier for me to integrate my on-site security mechanisms with the cloud?
  5. Specifically, how does each provider assure only proper access to the administrative accounts that are the “keys to the kingdom” for their cloud? Who performs patching, and who on their staff is authorized to log onto each host and guest?
  6. How quickly will they inform me about the existence of a security breach, their progress toward resolving it, and what if any of my data was compromised?

The specific points you address at each point in the sales cycle may differ. The point is, the closer your prospect is to the evaluation/purchase stage, the more specific the questions become. Let me know how this list looks to you, and what content has worked well in selling cloud security.

If you’d like to see a content cookbook for any other product or service, email or call at (508) 725-7258.

Author: Bob Scheier
Visit Bob's Website - Email Bob
I'm a veteran IT trade press reporter and editor with a passion for clear writing that explains how technology can help businesses. To learn more about my content marketing services, email bob@scheierassociates.com or call me at 508 725-7258.

Senior IT buyers want the cloud to make them more agile, not just save them money. But they’re also skeptical about whether such Web-based services can meet traditional IT standards for performance, interoperability and security.

To succeed, cloud marketers need to address in detail both these hopes and fears. Those are my top takeaways from a survey of more than 300 IT executives in midsize to large organizations I helped craft for Oracle.

They are open to “up-scale” pitches for the cloud that include enabling new business models, not just cutting costs. But they need detailed, specific explanations of how these cloud services can meet traditional datacenter requirements like performance, reliability, application lifecycle management and integration.

Cloud Promise

The 87 percent ranking “lower capital expenditures” as important in considering cloud was not a shocker. I was surprised, though, to see equally high (or higher) rankings for modernizing operations and better competing in global markets. A large majority also mentioned greater business agility and more rapid implementation of new business models. That makes such business benefits important to include in marketing collateral, and not just the bits and bytes of cloud implementation.

Application development and testing remains one of the most popular uses of the private cloud (controlled by customers rather than a public provider such as Amazon), predicted to rise from 39 percent of respondents today to 52 percent in two years. That’s because the cloud is well-suited to the sudden, unpredictable nature of app dev and testing needs. It may also reflect the growing popularity of “DevOps” that combines development and operations to speed new applications to market.

Next up for private cloud adoption are core business applications (rising from 41 percent to 50 percent); high-performance computing, such as analytics (rising from 38 percent to 47 percent); and data storage and retrieval (rising from 46 percent to 54 percent).

With the explosive growth of mobile apps, it’s no surprise more companies are using the cloud to develop them. One reason is that development code, while sensitive, isn’t as life or death as customer credit card numbers or the molecular structure of your breakthrough cancer medication.

But in a sign of caution, deployment of online transaction processing applications—long considered some of the most sensitive and business-critical—is expected to remain steady in the public cloud, at 36 percent of respondents, while rising in the private cloud from 38 percent of respondents to 44 percent.

Still Scared

In fact, doubts about whether the cloud is ready for prime time were a surprisingly constant theme.

Moving existing applications with very high requirements for performance, availability and security to even private clouds concerns 78 percent of respondents. Their doubts included whether the cloud is ready to support mission-critical applications, can integrate well with applications, data and services still housed in internal datacenters, and can be easily managed with existing tools.

Just over two-thirds mentioned legal or regulatory requirements as their top public cloud challenges. (Note: If you can track and prove whether a customer’s data is in Bergen, N.J. or in Berlin to meet European security regulations, flaunt it!)

Enterprises also favor private clouds dedicated to their own apps and data, rather than multitenant public clouds shared with other customers. In two years respondents expect to have 47 percent of their workloads running in a private cloud, compared to only 15 percent expecting to run them in a pure public cloud.

Public? Private? Huh?

Vendors make a big deal out of the differences between public and private clouds. I was surprised at how many respondents showed similar levels of concern for both in areas including:

  •  Migrating applications with very high performance, availability and security requirements.
  •  Inability to easily migrate existing application data.
  •  Lack of ability to manage/monitor or modify existing applications in the cloud, and
  •  Inability to integrate with non-cloud applications.

For marketers, this means customers might need more education about the real differences between public and private clouds and how these differences meet specific business needs. Each of these is an area where, if you have a good story to tell, you should flesh it out with specific explanations, proof points and explanations of how you’re better than your competitors.

Déjà vu All Over Again

After about 25 years covering each “new” shift in the IT industry, from minicomputers to client-server to cloud/mobile/social/Big Data, some things never change. The latest razzle-dazzle technology may be great, but the old stuff never goes away and there’s always a market for the dull, but essential, job of making sure it all works right.

As marketers, our challenge is to explain clearly and concisely how the new stuff works and how it helps the customers.

(The survey was conducted by Computerworld Strategic Marketing Services and Triangle Publishing Services Co. Inc. on behalf of Oracle. Read the full results, check out a sample content marketing sequence for cloud services here and tips for using “how-to” stories to sell the cloud.)

Anything as a Cloud Service

Startups are vacuuming up every conceivable IT function and service and putting them in the cloud, all in the service of lower cost and simplicity. Since those are prime requirements for small to medium businesses, it’s no accident the startup lineup at the recent SpiceWorld was full of new cloud-based services. Among them:

Authentic8: Web-based apps have an inherent security problem: The browser(s), running on a variety of devices and networks, are “inherently insecure, and IT can’t do anything about it,” says CEO Scott Petry. His answer: “Run the browser(s) in the cloud, in a secure sandbox,” converting the browser session into a secure remote display protocol that displays only the interface on the mobile device.

Think of Authentic8’s SILO like VDI (virtual desktop infrastructure used to display application interfaces on PCs) but for browsers. While not designed for streaming video applications like Hulu or YouTube, its built-in compression can deliver up to twice the performance of traditional HTTP for text- and form-based content, says Petry.

This approach also eliminates the need to “containerize” corporate apps or data on the devices employees bring from home, he says, as the mobile device is not receiving HTTP data and stores no data, cookies or other “state” information.

There’s even an ease-of-use play. Once an administrator has set up the proper user profiles, an organization can create a single-sign-on portal that lets employees, customers or partners provide or revoke access to all their authorized applications and data. There’s even provision for multi-factor authentication and policies to control functionality such as device access or file download.

Target markets include finance departments that delegate sensitive financial transactions to outside accounts or business process outsourcers, or organizations that maintain distributed DevOps teams, says co-founder Ramesh Rajagopal.

Authentic8’s downloadable client now works only with iPads and traditional computing platforms, but not Android, and pricing starts at $15/user/month.

Exablox: For years, vendors have been trying to hide the complexity of storage from users and applications, making it easier to grow, shrink or change the storage infrastructure without having to reconfigure servers or rewrite applications.

Exablox, founded in 2010 and backed by $22.5 million in VC funding, claims to radically simplify storage with cloud-based management of on-premise disks with an object-based file system. Its 2U appliance comes with four Gbit Ethernet connections and eight drive bays, which the customer fills with any capacity SATA/SAS drives purchased at retail for as little as four cents a Gbyte. Its cloud-based management service automatically configures the drives with enterprise features such as inline deduplication, continuous data protection, real time drag and drop replication and encryption. It eliminates the entire concept of RAID and LUNs, says Senior Director, Products, Sean Derrington. The object-based file system “lets you place information anywhere you want, without being tied to any particular volume or RAID group. If there’s a site failure, the users see the same global name space but can be redirected to a different IP address.”

Keeping all the storage on site eases security concerns about the cloud, and eliminates the expense of transporting data to and from the cloud. Exablox is focused now on the unstructured, file-based market, presenting its storage as SMB (server message block) or its CIFS (Common Internet File System) dialect. It is currently scalable to about 200Tbytes of raw storage in a single file system with near-linear performance scalability. Pricing starts at $9,995.

Pertino: VPNs (virtual private networks) are one way to securely “tunnel” information over the Internet. However, expensive hardware and complex IT and licensing management make VPNs a poor fit for many SMBs. Pertino aims to solve this problem with cloud-based networks that run on infrastructure-as-a-service cloud platforms such as Amazon Web Services and Rackspace. Its Cloud Network Engine service and downloadable client software allows customers to create networks in minutes “as easily as setting up a Dropbox account,” says Vice President of Marketing Todd Krautkremer. There’s no need to enter IP addresses, configure firewall rules or manage security certificates. Removing users (such as departing employees) and devices and managing network access can be done with a single click, without the need to change access control lists, he says.

The Cloud Network Engine automatically re-provisions a customer’s network on another virtual machine or even another data center if a failure is detected, he says, and because the IaaS vendors are located on or near the Internet backbone, performance is better than with a conventional VPN.

Pertino, which relied on extensive feedback from the Spiceworks community when shaping the product, is focused on organizations of up to 500 employees. It recently announced a new management console that makes it easier to monitor and manage users, devices and policies, unveiled an app store and plans support for Android devices early next year. Pricing starts at $29 a month for ten devices.

Quorum: Testing backups is like flossing: Not enough people do it, and even fewer do it right. Quorum’s cloud-based backup service not only captures incremental, deduplicated backups in the cloud, but automatically tests them every day, said President and CEO Larry Lang. Each snapshot is a “recovery node, which is a virtual clone of every machine we’re protecting,” he said. Quorum allows users to do file- and message-level restores, and goes up against mainstream products such as Symantec Backup Exec, he says. The typical deployment cost for several hundred servers is $20-30,000. (Quorum just announced $10 million in Series C funding, and that Walter Angerer will step in as interim CEO.)

Killer App for SaaS: Clear Security Rules

In the cloud, as in so many other areas of IT, customers want results they can quantify and measure. Vendors that can provide “industrialized” services that are not only lower-cost, but more measurable, will have a significant leg up over their competitors.

The latest evidence comes from recent research from Gartner, which reports that software as a service contracts “often have ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident. This leads to dissatisfaction among cloud services users.” It also, the analyst firm says, “makes it harder for service providers to manage risk and defend their risk position to auditors and regulators.”

This lack of clarity around security is particularly dangerous for cloud vendors, since (whether justified or not) security continues to be one of the – if not the – main reasons some organizations avoid the cloud. But that also makes clarity around cloud security a competitive differentiator, if the SaaS provider can deliver it and marketers can explain it.

Needed: Audits and Penalties

For starters, Gartner said customers “need to ensure that SaaS contracts allow for an annual security audit and certification by a third party, with an option to terminate the agreement in the event of a security breach if the provider fails on any material measure. In addition, it is reasonable for cloud service buyers to ask a provider to respond to the findings of assessment tools.”

Gartner also recommended customers get very specific in their contracts about what constitutes adequate service levels for security and recovery of data in case of an attack. “We recommend they also include recovery time and recovery point objectives and data integrity measures in the SLAs, with meaningful penalties if these are missed,” wrote Alexa Bona, vice president and distinguished analyst at Gartner.

In short, maybe it’s time we all – cloud providers especially – start treating security as a measurable, verifiable deliverable subject to rewards and punishments, much like uptime or performance. That assumes, of course, that the providers themselves have strong enough internal processes to deliver what they promise and measure what they’re delivering.

Next: Explain Clearly

And it requires cloud marketers to explain, in equally clear terms, the benefits of this measurable, accountable approach to security, and how it’s a differentiator from the sloppier practices of their competitors.

You may be tempted, as Gartner did, to use the “T” word – transparency – to describe this new approach. Don’t. “Transparency” is exactly the kind of vague buzzword that gets SaaS (and other) vendors in trouble. Transparency can mean either “visibility” into how strong a vendor’s security is, or “accountability” in which the vendor pays a penalty if they mess up. (Gartner has also noted that transformation is a vague buzzword that can mess up outsourcing contracts.)

Instead, describe in your marketing material exactly what you’re providing (such as visibility through reports or portals) or accountability (through penalties or refunds) to show you understand and are avoiding the perils of ambiguity. If customers are demanding more clarity and specifics in security contracts, why not show them you get it by being clear and specific in your marketing material?

Let me know how you’re clarifying cloud and SaaS security, and whether muddied security rules – or muddied marketing – are doing more harm.

Easy Cloud Security: The Next Killer App?

Conventional wisdom has it that security fears keep the largest customers and their most critical applications away from clouds (at least public, multitenant providers such as Amazon.com).

But security isn’t the bugaboo it used to be. In fact, “security as a service” that matches the agility and ease of use of the cloud is a huge potential market current security vendors aren’t reaching. And therein lies potential opportunity for security vendors.

That was the message from customers, analysts and cloud providers at a dinner discussion hosted by security software and services provider StillSecure the other night in Boston. Customer surveys show security dropping as a barrier to cloud adoption by customers, said Carl Brooks, an analyst at Tier1 Research. Compliance, however, is holding steady as a major concern.

Security vs. Compliance

That rang a bell with many around my table, who lamented that security is a “nice to have” that companies are reluctant to spend on until they’ve been breached, while compliance is forced on them by outsiders such as regulators. They also pointed out that the security provided by cloud players such as Amazon is at least as strong as that most organizations can provide themselves, at least at the infrastructure level of servers and networks.

Application-level security is another story, though, and is where cloud security (while achievable) is often too expensive and cumbersome. While businesses do want more “visibility” into security through dashboards and reports, the last thing they need is endless reams of log file data that don’t mean anything to them, said Brooks. Nor, said StillSecure Chairman and CEO Rajat Bhargava, do they want to manage security themselves.

Wanted: “Click and Go” Security

What they do want was described to me by David Greenstein, co-founder and CTO of startup Kibits, a mobile micro social-networking and information sharing platform. He wants “click and go” cloud security that allows him to instantly apply security policies to new servers as he spins them up in the cloud, without the need for manual configuration. As for reports, he only wants to receive alerts for an attack or vulnerability he needs to do something about. Trying to grow a company on a limited budget, he doesn’t want to spend any more time, money or effort than absolutely necessary for functions such as security that aren’t his core competence.

While there are “frameworks” for cloud development and deployment (a topic of an upcoming story I’m doing for Computerworld), no one around my table knew of a comparable framework for security. Larger security and systems management vendors, it seems, are either too busy solving security problems in current customer environments or not sufficiently clued in to the needs of the new, cloud-based corporate infrastructures.

Hurdles and Opportunities

Some of the hurdles to this “security as a service” include educating customers (especially small to mid-size businesses) about basics such as firewalls and the dangers of giving users root (or administrator) access to systems. Assuring compliance is even trickier given the vague requirements of regulations such as HIPAA (governing patient care) and Sarbanes-Oxley (protecting corporate financial information). But given customers’ desire to cut costs, services that could boost both compliance and security could be a huge win.

But there does seem to be a market out there for automatic, policy-based, server and application layer security services that can be applied and monitored as easily as spinning up a server in the public cloud. What companies out there are offering such services we at the dinner haven’t heard about?

Advanced cloud computing customers, and providers, are moving beyond the first conversations around security and cost to more sophisticated models of virtual compute, storage and network resources delivered over the Web. These include tested and reliable “productized” cloud services, detailed conversations about how much security is “enough” for specific cloud services in specific industries, and even new models for sharing liability.

But reaching this next level of cloud value will require new thinking from both cloud providers and customers. That was the subject of a Q&A I did recently with backup vendor eVault’s “Expert’s Corner,” based on recent stories I’ve done defining a cloud security checklist and exploring whether and where there’s a cloud silver lining for outsourcing firms. (Editor’s note: Please disregard the “BS” before each of my answers. Ouch!)

i365: In your blog, you note that customers are demanding “more ‘productized’ cloud services that can be rolled out in a predictable, consistent way” and that providers are increasingly delivering commoditized services. There are obvious advantages to this trend from both the customer and provider’s standpoint, but do you foresee any drawbacks to the growth of this “pre-tested, pre-integrated, and pre-priced” service model? What will the better service providers do to ensure quality is not compromised?

BS: The key success factor here is how well both the cloud vendor and the customer can identify which services are actual “commodities” and can be delivered (and purchased) as a “black box” without customization or configuration. Vendors need to do the right amount of market research to understand which services are common enough that a critical mass of customers will buy them, and that can be cost-effectively packaged to run on the most common hardware and software platforms. It is also, of course, up to customers to look “under the hood” enough to assure they are getting the services they need (including reliability, performance and up-time). Even in “commodities” such as notebook computers, cleaning services and payroll services, not all providers are created equal. The best service providers will base their services on industry standard “best practices” such as those from ITIL, and will test them under real world loads. This may raise costs, but you get what you pay for, even in commodity services.

i365: Your “Cloud Security Checklist” in Computerworld reflects the need for dialogue between cloud customer and service providers. To what extent do you think these dialogues take place?

BS: My guess is that it happens fairly often, and around fairly specific metrics, with the larger customers who already have security standards and processes. Smaller firms who themselves lack strong security policies or skills are more likely to trust either the service provider to ensure “good enough” security, or trust the provider’s larger customers to demand a level of security that will protect smaller customers also. This is risky – every customer should understand their individual “must haves” in security protection (especially around areas such as protecting customer data, or assuring critical regulatory compliance) rather than trust either the vendor or its larger customers.

i365: You note that security “remains the big bug-a-boo supposedly scaring the biggest enterprises from the cloud.” Do you foresee data security as remaining one of the biggest challenges in cloud computing? How will the issue of data security change over time?

BS: From my reporting, the biggest challenge is for cloud providers to explain that adequate levels of security are as possible in the cloud as within the enterprise, as long as the provider uses the proper technology AND processes. Customers, for their part, need to understand how much risk they are running by providing their own security, and that the issue isn’t public cloud vs. private cloud, but understanding and addressing the most critical risks.

Over time I see the focus shifting to the specifics of how security is implemented, and how it relates to business needs, rather than whether it is implemented in a public, private or hybrid environment.

i365: You also comment that there is “a lot of opportunity for differentiation and innovation as the cloud matures.” What key trends do you think cloud providers will continue to innovate and differentiate around?

BS: They include:

1) Specialized offerings for vertical markets, built with an understanding of the specific needs of say, retail vs. financial services vs. industrial customers.

2) Innovative models for handling liability, which in many cases service providers now push back to the customer. For example, a group of large customers in financial services may pool their business and steer it to a large (even semi-captive) public provider who can, by also pooling the risk, assume the liability for security breaches at an affordable level.

3) A move to provide not only IT services (such as servers) or applications (such as CRM) but also full-fledged business services, such as accounts payable or invoice management. This is a way for business process outsourcers to move into the cloud market and, potentially, into higher value-add services.

4) More real-time reports and analysis for the customer of where their data is being processed and stored, especially for those (such as in the EU) who face geographic limits on where they may store their data.

5) And, finally, a greater variety of offerings, ranging from “black box” services for customers who only need a given level of performance and uptime, to more configurable services for customers who need to, for example, control server or storage configuration for compliance or security reasons.

i365: Thanks Bob.

If you’d like to discuss how to communicate your thought leadership on cloud to the market, email me or call at 781 599-3262.
