Archives for: September 2012

Privacy and Data Security In The Cloud (Statistics)

Microsoft recently commissioned the Ponemon  Institute to study the use of Cloud computing by American, German and Scandinavian IT professionals, and the data privacy and security issues associated with Cloud computing.  The Ponemon Institute surveyed 1,771 individuals in positions within IT, compliance, data security, risk management, and privacy in the United States, Germany, and the Nordic countries (Denmark, Finland, Norway, and Sweden), and created three separate reports.  This report focuses primarily on the analysis of American respondents.

The Ponemon Institute queried 24,051 American IT professionals and received 769 responses (3% response rate). American respondents were generally at or above supervisory level (65%), had an average of 11 years of business experience, and reported to either the Chief Information Officer (48%) or Chief Information Security Officer (10%). Respondents were distributed over a wide range of industries, with the largest proportions coming from financial services (17%), health and pharmaceutical services (11%) and the public sector/government (10%).

Three major topics were addressed:

  • Current or projected future utilization of cloud computing in small and medium-sized businesses;
  • Perceptions of the security and privacy of data stored and/or analyzed in the Cloud; and
  • Differences in attitudes toward data security in the Cloud among U.S., German and Scandinavian IT professionals.

Prevalence and Nature of Cloud Computing in U.S. Businesses

Cloud computing is an integral and growing part of IT in the U.S., with 73% of respondents characterizing their company’s utilization of Cloud computing as “heavy” (vs. 17% as “light”), and 69% making use of public Cloud services (vs. 12% private).  The following figure plots the perceived importance of Cloud computing over five qualitative categories (essential, very important, important, not important and irrelevant) now and two years in the future.  Currently 65% of American IT professionals consider the Cloud to be somewhere in the range from essential to important, and this percentage increased to 81% for operations projected two years into the future.  It is also significant that only 35% of U.S. respondents considered the Cloud to be unimportant or irrelevant now, a percentage that dropped to 19% when projected two years into the future.

Proportion of U.S. respondents who rated the importance of Cloud computing as “essential”, “very important”, “important”, “not important” or “irrelevant”.

 

The growing importance of Cloud computing to U.S. businesses is further illustrated by the chart below, which plots current and projected proportions of survey respondents who accomplish various proportions of their data management and IT needs by making use of the Cloud.  As estimated by the sum of the product of the percent of respondents and their percent of Cloud usage, 35% of all IT needs are met with Cloud resources at the present time.   When Cloud reliance is projected two years into the future, the percent rises to 44%.

Proportion of survey respondents who accomplish various proportions of their data management and IT needs by making use of the Cloud.

The survey revealed that cloud technology is used in roughly seven different ways, with 50% of the usage falling into the first three categories of business apps (especially customer relationship management), IT infrastructure (on-line backup security) and social media.  Peer-to-peer services, storage, miscellaneous services and solutions stack comprise the remaining categories.  Only 3% of U.S. respondents said their company did not use any Cloud services.

Attitudes and Practices Specifically Related to Data Security in the Cloud

The study shows that there is a large difference in the perception of the importance of security associated with Cloud computing.  While 59% of U.S. respondents said a prospective Cloud provider’s privacy policies and practices had “some to a very significant” impact on their choice of provider, a total of 41% either did not care about a Cloud provider’s privacy practices or were unsure whether privacy practices made a difference.

When asked which measures they thought were most important to protecting the privacy of data used or stored in the Cloud, U.S. IT professionals identified three measures: knowing the physical location of data storage (62%), having effective provisions for segregating data among users (54%) and agreeing not to mine data for advertising (44%).  (Note that multiple responses were allowed to this question.)

Attitudes and actions relating to data security in Cloud computing were, however, inconsistent.  While 60% of U.S. respondents claimed their organizations were committed to protecting sensitive or confidential information, only half said they were “extremely careful” about sharing confidential information with third parties, and less than 40% had determined which data were too sensitive for the Cloud or had explicitly assessed the impact of Cloud computing on privacy commitments and obligations.

We also see that there is a marked indifference toward security issues associated with Cloud computing that is definitely inconsistent with a “commitment to protecting sensitive or confidential information”.  Eighty-six percent of American IT professionals thought that the use of Cloud resources either had no effect on or actually decreased their company’s responsibility to protect the confidentiality of their clients’ information.  Put another way, only 14 percent of respondents said the use of cloud resources increases an organization’s responsibility to safeguard customer, employee, consumer, and other personal information.

The survey also looked into the percentage of respondents who considered various kinds of information to be too sensitive to be analyzed with Cloud resources (multiple choices were allowed).  Not surprisingly, intellectual property (source code, architectural renderings, etc.), health records, various kinds of corporate financial records and research data were most frequently considered to be too sensitive for the Cloud, being identified by ~40-50% of the respondents.  However, in another indication of inconsistency toward security and the Cloud, 46% of the respondents did not think any kind of information was too sensitive for the Cloud.

 

Specific measures taken by U.S. IT professionals to ensure data privacy in Cloud computing.

Percent of U.S. IT professionals who think the use of Cloud resources increases, has no effect on or decreases their responsibility to protect their clients’ confidential information.

Kinds of information considered to be too sensitive for the Cloud by U.S. respondents (multiple choices allowed).

Adequate Security Assurances

Specific assurances from Cloud vendors and/or their track record in providing security were important to U.S. respondents.  As mentioned, 59 percent of respondents say that the privacy policies and practices of their cloud providers would impact cloud purchasing decisions.  63 percent of respondents would be much less likely or less likely to purchase cloud services if the cloud vendor reported a material data breach involving the loss or theft of sensitive or confidential personal information.  On the other hand, 34% would not discriminate among Cloud vendors on the basis of their security lapses, and 4% were not sure.

Assurances from Cloud providers did not affect purchasing decisions of respondents as much as evaluations by credible third parties.  51% of respondents would be much more likely or more likely to purchase from Cloud vendors that had been evaluated positively by credible third parties in terms of their ability to meet all privacy and data protection requirements, including regulations and laws in various countries.  Only 34% of respondents would be equally persuaded by vendors who simply promised to meet all security requirements.  It is perhaps indicative of a measure of indifference to Cloud security issues that nearly half (49%) of the respondents would not be swayed or were unsure of the impact of positive third party evaluations of vendor security measures.

The top three steps U.S. respondents indicated their organizations took to vet cloud providers did not explicitly focus on the technical aspects of data privacy.  The most common vetting procedure was contractual negotiation and legal review (59%), followed by an audit report or other type of proof of compliance (51%), and a self-assessment checklist or questionnaire completed by the provider (43%).  When Cloud providers were vetted specifically from the standpoint of information security, 63% relied on assurances from the Cloud provider and 58% relied on contractual agreements with the cloud provider.  Only 37 percent of U.S. IT professionals said they would use conventional data security tools such as encryption to protect information in the cloud.

Finally, 46% of American respondents said they regarded certification standards like the SAS-70 and the SSAE 16 as the most important certifications for evaluating cloud providers, while 38 percent regarded the ISO 27001 certification as most important.

International Comparison

The internal inconsistency in U.S. attitudes toward data security in the Cloud was once more apparent when the attitudes of American IT professionals were compared to their German and Scandinavian counterparts.  The percent of U.S., German and Scandinavian respondents who were either confident or very confident in the general level of security provided by Cloud servicers was 39%, 56% and 46%, respectively.  On the other hand, even though U.S. IT professionals were significantly less confident of Cloud security, they were also less likely than their European counterparts to select Cloud providers on the basis of their security measures.  Only 30% of U.S. respondents said that the privacy policies and practices of Cloud providers would have a significant or very significant impact on their Cloud purchasing decisions.   Comparable figures for Germans and Scandinavians were 45% and 49%, respectively.

On the other hand, there was a fair degree of similarity among the issues considered important in assessing a Cloud provider’s commitment to privacy across countries.  Respondents from all three regions considered disclosure of the physical location of data storage, vendor agreement not to mine data and provisions for segregating data from different customers as the most important indicators of a vendor’s commitment to security. It could be expected that German and Scandinavian IT professionals would consider European Union Model Clauses in contracting to be more important than Americans would.

Conclusions and Recommendations

The Ponemon Institute recommended that organizations assess specific, proactive steps to protect sensitive information in the cloud, including:

  • Creating policies and procedures that clearly state the importance of protecting sensitive information stored in the cloud, including which kinds of information are considered sensitive and proprietary;
  • Evaluating the security posture of third parties before sharing confidential or sensitive information;
  • Utilizing corporate IT or IT security for thorough reviews and audits of the vendor’s security qualification;
  • Training employees to mitigate the security risks specific to cloud technology to ensure that sensitive and confidential information is not threatened;
  • Establishing an organizational structure that allows the CIO, CISO, or other security or privacy leaders to participate actively in the vetting, purchasing, and implementing processes to ensure that they are handled appropriately;
  • Establishing a functional role dedicated to information governance oversight to better protect the business;
  • Defining a policy that governs the protection of sensitive and confidential data and applications that organizations are willing to put in the Cloud; and
  • The provision of greater transparency by Cloud providers into their security infrastructure to help ensure customer confidence that information stored in the cloud is secure.

You can go here to download the full study.

Merced College Avoids Costly Disk-Backup Investment With Zetta.net 3-IN-1 Online Server Backup Solution

College Uses Zetta.net Integrated Backup, Disaster Recovery and Archiving to Protect Critical Server Data and Enable Data Access in Minutes vs. Days 

SUNNYVALE, Calif. – August 29, 2012 – Zetta.net, a provider of 3-in-1 online server backup solutions, today announced that Merced College has selected Zetta.net for critical server backup and disaster recovery. The community college has deployed Zetta.net DataProtect to speed data recovery when required while reducing the cost of campus-wide data protection.

California’s Merced College serves more than 17,000 students with 500 faculty and adjunct professors, and another 200 staff members. The college’s data center had rapidly grown to the point where its traditional tape-based system was no longer a viable option. With 65 virtual servers, another 30 physical servers and 24TB in SAN storage, a more reliable and economical backup and disaster recovery solution was needed.

“We were dealing with the highly manual and time consuming process of storing tapes and tapes that were aging out,” said Don Peterson, director of information technology, Merced College. “The system wasn’t meeting our needs, and traditional disk-to-disk systems required a large, outright investment that was simply beyond our budget. We soon began to evaluate our options for online backup.”

Peterson’s IT staff initiated its evaluations with the goal of finding a secure, reliable and economical solution that would eliminate performance bottlenecks of working with tape. They also wanted the ability to go back at any point in time to recover files or restore machines that might go down.

Today, Merced College is using Zetta.net to achieve complete backup and disaster recovery for 80 percent of its live server data, including virtual machines, SQL and files. The college has eliminated having to purchase costly backup hardware and software, while eliminating the need to manage backup tapes. When restores are required, the college has confidence in knowing files can be recovered with ease.

“We’re saving an enormous amount of time compared to our old system which required many hours to manage, and restoring data could take days,” said Arlis Brotner, network manager, Merced College. “With Zetta.net, there’s very little to maintain and not only can we recover at any point in time, we have almost immediate access to files when needed. We’re definitely getting a lot more value for much less cost.”

“Our customers have found that integrated 3-in-1 backup that includes online backup, disaster recovery and archiving is ideal for replacing tape-based systems or the heavy investment of disk-to-disk,” said Gary Sevounts, vice president of marketing, Zetta.net. “With Zetta.net they get the full functionality of backup, disaster recovery and archiving, all in one solution – an unparalleled value in today’s market.”

 

About Zetta.net: Zetta.net is an award-winning provider of enterprise-grade online backup and disaster recovery solutions for small and mid-size enterprises. Zetta enables companies to simplify and automate backups and instantly recover data using just a web browser. Advanced security, high redundancy and a high-performance architecture deliver true enterprise-grade data protection that scales to meet customers’ business requirements.

Tips while negotiating SLAs with Cloud Computing Providers

As the IT needs of a company expand in order to stay competitive, so too, it seems, does the number of companies offering cloud computing services. A quick search online for “hosted Microsoft Exchange” will yield well over 7 million results! With the exponential growth of “service providers,” it seems even more difficult to sift through potential candidates for a provider to whom you can entrust your mission critical system.  Once you have settled on a couple of good choices, the next step is to decode the SLAs of the cloud computing providers. You need to understand and negotiate the SLA to get the most out of the cloud computing services.

As you would agree, cloud services are usually flexible and predictable (in terms of costs). Hosted providers assure their customers of flawless service with 99.9% uptime. But do they deliver on all their promises? What if they don’t?  What is the difference between promises and reality?  This is where the SLA, or service level agreement, becomes an important document to study and understand carefully.  In the case of cloud services it is more than a document because, unlike other services, cloud services are actually an extension of the organisation.

The SLA, usually drawn up in favor of the provider, carries all the negotiated terms of the contract and the compensation to be provided in case of faulty service. This agreement, signed between the cloud provider and the party availing the service, is the key constituent in concluding the deal.  Although everybody is aware of the benefits of the cloud, the priorities of the cloud consumer and the cloud provider can differ. A cloud provider may be proud of the IT cost reduction it offers the client, while the client’s major priority may actually be less downtime. Many businesses pay their employees on a per-hour basis, so it is crucial for them to get zero downtime; otherwise they lose productivity. As per a recent cloud survey, 77% of SMBs would be deploying mobile technologies at the workplace by 2015 to enable their employees to work anywhere and from any mobile device. The expectations of the client and the focus of the vendor clearly differ. It is important that they be synchronized, and hence you should understand and negotiate the SLA properly.

Crucial points to consider in a SLA

The business manager or IT manager responsible for signing the deal should be very specific on certain terms and conditions to avoid fretting later.

Security: Hiring a cloud service provider means the client is entrusting all the core activities related to its email or data to a third party. Security is the major cause of concern in this case. The client should make sure that the SLA has specific details about the people handling its core data, their authenticity and the various measures taken to shield its valuable data. This part can be overlooked in many SLAs, but it is important to frame clauses that name the ultimate authority handling the client’s data and the measures for settling any security infringement. The SLA must encompass the security levels (as per the criticality and sensitivity of your data) and the responsibilities of the vendor in case a security breach happens.

Stable performance: All online hosted services promise permanent uptime, and of course this should be their goal. But sometimes situations are truly out of control, like a natural disaster or other unavoidable circumstance. You need to know how prepared your vendor is and what the SLA says about the vendor’s role in supporting your business operations if any such situation occurs. You should have an idea of how your service requests are going to be handled and what the response or resolution timeframe is.

The next thing related to performance is downtime. Of course the ideal situation is zero downtime, and this is probably a metric you want to be 100% sure of. So what is an outage according to the cloud provider? This might seem funny. The SLA should define anything interrupting the process of serving the customers as an outage. It is up to the client to stress this point carefully. The most basic of these metrics is the uptime guarantee. Most service providers offer more than 99% uptime, which sounds quite good, but there are some key variations that must be examined.

 

  • 99% uptime = approximately 7.5 hours of downtime per month
  • 99.5% uptime = approximately 3.5 hours of downtime per month
  • 99.9% uptime = less than 45 minutes of downtime per month

 

For the most part, guarantees of this nature exclude certain conditions, such as weekly maintenance periods, for instance. As a general rule, any SLA that makes provisions for more than 1 hour of scheduled maintenance time per week should be viewed carefully to ensure that this time is scheduled at a time that is most convenient to your users.
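The effect of such exclusions can be checked against an outage record. The following is an added example, not part of the original post: it goes slightly beyond the three tiers above by computing the downtime budget for any uptime percentage, subtracting excluded maintenance windows from observed outages, and flagging weeks with more than 1 hour of scheduled maintenance. The 30-day month, the outage times and the maintenance windows are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data for a 30-day billing month (not from the post).
PERIOD = timedelta(days=30)

# (start, end) of observed service interruptions.
OUTAGES = [
    (datetime(2012, 9, 3, 2, 0), datetime(2012, 9, 3, 3, 0)),       # inside a window
    (datetime(2012, 9, 12, 14, 0), datetime(2012, 9, 12, 14, 30)),  # unplanned
    (datetime(2012, 9, 20, 1, 30), datetime(2012, 9, 20, 2, 30)),   # began before window
]
# Scheduled maintenance windows the SLA excludes (assumed not to overlap each other).
MAINTENANCE = [
    (datetime(2012, 9, 3, 2, 0), datetime(2012, 9, 3, 4, 0)),
    (datetime(2012, 9, 20, 2, 0), datetime(2012, 9, 20, 3, 0)),
]


def allowed_downtime(uptime_pct, period=PERIOD):
    """Downtime budget implied by an uptime guarantee over the period."""
    return period * ((100 - uptime_pct) / 100)


def overlap(a, b):
    """Length of the intersection of two (start, end) intervals."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(end - start, timedelta(0))


def downtime(outages, excluded=()):
    """Total outage time, minus any part that falls inside excluded windows."""
    total = timedelta(0)
    for outage in outages:
        length = outage[1] - outage[0]
        length -= sum((overlap(outage, w) for w in excluded), timedelta(0))
        total += length
    return total


def weeks_over_limit(windows, limit=timedelta(hours=1)):
    """ISO (year, week) pairs whose scheduled maintenance exceeds the limit."""
    per_week = {}
    for start, end in windows:
        key = tuple(start.isocalendar())[:2]
        per_week[key] = per_week.get(key, timedelta(0)) + (end - start)
    return sorted(k for k, v in per_week.items() if v > limit)


def report(uptime_pct):
    """Compare what users experienced with what the SLA counts as downtime."""
    raw = downtime(OUTAGES)
    counted = downtime(OUTAGES, MAINTENANCE)
    budget = allowed_downtime(uptime_pct)
    minute = timedelta(minutes=1)
    return {
        "raw_minutes": raw / minute,
        "counted_minutes": counted / minute,
        "budget_minutes": budget / minute,
        "experienced_uptime_pct": 100 * (1 - raw / PERIOD),
        "sla_uptime_pct": 100 * (1 - counted / PERIOD),
        "breach": counted > budget,
    }


if __name__ == "__main__":
    for pct in (99.0, 99.5, 99.9):
        print(pct, report(pct))
    print("weeks over 1h of maintenance:", weeks_over_limit(MAINTENANCE))
```

With this sample, users saw 150 minutes of interruption but only 60 minutes count against the SLA, which is still over the 99.9% budget and well inside the 99.5% one.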

 

The SLA should also address these questions.

  1. What measures will the cloud computing providers take in case of interruption?
  2. Do they have a division in a geographically different area, from where they can keep the process running uninterruptedly?
  3. What is the worst case scenario or the maximum number of hours a SMB can be affected? Is the compensation provided the same for worst case scenario and the minor repairs?

Obviously a clever customer should not select a cloud computing service simply because it offers better compensation. Instead, they should go for services which have a strong backup plan to keep the service running continuously. Companies which offer the following should be preferred:

  • Regular services through scheduled downtimes for maintenance and prior communication
  • Companies which have alternate data access plans
  • Redundant staff with relevant tools to clear the outage immediately
  • Companies with proper incident reporting systems

Cost: When it comes to cost, the SLA usually defines the basic fee structure. What you need to explore is:

  1. Hidden costs usually termed as external fees
  2. Taxes
  3. License cost and upgrading cost if any
  4. Costs for exceeding storage limits
  5. Charges for using high level customer support extensively

The only way to know about these charges is to have a detailed look at the SLA and get the slightest doubts cleared immediately.

Negotiation: Any unacceptable clause or fee in the SLA can be negotiated, and a genuine provider would understand that one size cannot fit all. For example, if you are a medical or financial organization, keeping your data private is a legal requirement, so you need to tell your provider that data privacy and security are critical for you and that there should be extra terms of data protection. Similarly, you need to know what happens to the data created in the process, or simply metadata. Of course you are the owner of your business data, but software creates additional metadata like user feedback, traffic statistics, usage trends, failed login attempts and much more. You need to know what happens to, and who owns, this metadata created while adopting SaaS.

To summarize, cloud computing is continuously changing the traditional IT landscape.  The appeal of IT is no longer about installing and managing complex infrastructure on premise. Cloud computing, where companies lease their IT infrastructure and operations, has the power to affect the most important things you are concerned about – productivity, scalability, costs and business growth.  Because of this the cloud may seem quite attractive, but it is extremely important to find a reliable service provider as well as a client-centric and effective SLA.

About The Author: This post is contributed by Richa Pokhriyal, Digital Media Specialist @ Egocentrix. Egocentrix is a Canada-based, reliable cloud computing provider offering Hosted Exchange 2010, Hosted Sharepoint, VPS, online backup, Hosted Blackberry and other related cloud services.

About The Author: This post is contributed by Richa Pokhriyal , Digital Media Specialist @ Egocentrix. Egocentrix is Canada based reliable cloud computing provider offering Hosted Exchange 2010, Hosted Sharepoint, VPS, online backup, Hosted Blackberry and other related cloud services.

Linux Web Hosting versus Windows Web Hosting

The market for web hosting has changed dramatically in the past few years.  Ten to fifteen years ago the best way to ensure a stable web application deployment was to build your own server and do all of your own administration and coding. By the twenty first century, web hosting providers were much more numerous, stable and cost efficient. It was possible to host several kinds of web applications from Microsoft based to UNIX based applications through a hosted provider who could do your administration for you. By 2010, we saw Cloud based web hosting take a strong foot hold in the web application hosting market. Companies like Google, Rackspace and Amazon were able to provide everything from the hardware to the web application programming platform, based on the user’s needs and proficiency level.

In today’s world, cloud hosting fits many needs, but it is not always the right solution for web applications. If you are looking to develop your own custom web applications and feel more confident knowing that you have a dedicated environment instead of a shared cloud environment, dedicated managed hosting is a good option. Also, if you plan to develop your application in a programming environment not supported by a cloud host, dedicated web hosting may be your only option.

The next consideration is which hosting platform is the best for your particular situation. In the past, UNIX based environments were very popular. However, due to cheaper hardware costs for Windows and Linux environments, along with new technologies, UNIX is pretty much confined to large enterprise implementations or small hobby applications.

Windows is a good environment for developing code that is based on the Microsoft development and BackOffice suite of tools. Development tools such as Microsoft SQL Server, the .Net programming environment, Access and Excel are offered almost exclusively on the Windows platform. While solutions such as Mono do allow you to run .Net on Linux, reliability is shaky and support for these solutions is often very costly.

Many people assume that the use of a Linux environment means that they will not have good access tools into their web server since they currently use a Windows operating system on their desktop computers. This is not the case, however, as server access is usually done through FTP file transfer tools, a command line interface or a custom GUI app. Your access to your server will consist almost exclusively of loading files – scripts, images, html – onto your main server file directories. Administrative duties that would require specific knowledge of Linux or Windows server administration would be performed by your hosting provider’s administrative staff.

From a security perspective, Microsoft has gotten a bad reputation for being a target of several malicious hacking attacks. The main reason for this however, is not because the Microsoft environment is any less secure than the Linux environment, but due to the fact that Windows servers have traditionally been easy to set up, and therefore often set up by inexperienced users, making them an easy attack vector for hackers. The reality of the situation, however, is that either operating system, Linux or Windows, can be locked down and secured equally well with the help of competent administrators.

Finally, many people have assumed that Linux solutions are less expensive because they are based on a free open source operating system. The mantra of the open source software community, however, is “free as in free speech, not free beer.”  What this means is that open source software comes at a price that is different from, but often monetarily equal to, that of proprietary systems such as Windows. While Windows based solutions require a licensing fee for the OS, the administrative staff often comes at a lower price.  The complexity of running a Linux server can often be much higher than that of a Windows environment, and administrative staff are less plentiful in the market and therefore demand a somewhat higher pay grade.  Either way, monetarily it ends up being about the same price for the consumer of the hosted service in the end.

 

Author Bio: Jason Phillips is a fun loving person. He is passionate about latest gadgets. Apart from that he is a writer and blogger and has a great pool of knowledge about web hosting and hosted Microsoft dynamics. He is very enthusiastic about writing.