Category Archives: Cloud
Hortonworks announced their plan to acquire XA Secure and open source it. XA Secure claims it is a comprehensive approach to Hadoop security. This made me think of the the various aspects of security in the cloud.
Security in the cloud spans across multiple layers that involve people, compute, network and storage. Security in the cloud requires an integrated strategy of process and tools, to allow end users be able to complete their work in an environment that enforces compliance without getting in their way.
Here is how I think of the top 5 areas of focus for security in the cloud.
Focus Area 1: APPLICATION SECURITY
Application security mainly deals with protecting the application resources. This includes a multi-pronged approach to cover the following:
- Enforcing strong authentication and authorization
- Date encryption on the wire: End-to-end encryption using SSL for all connections, both browser and APIs
- Data encryption for data at rest
- Data encryption for data in memory
- Application white listing
- Role based access to application resources
- Session tracking
- Controls for privileged or elevated access
- Enforce context awareness and notifications
Focus Area 2: DATA SECURITY
According to Forrester’s TechRadar report () on Data security, security is the second largest portion of the IT budget. In 2014, the investment is expected to rise by 45%. Data security is no more an IT issue. It is an important business driver since data is now closely tied to the the financial cost of companies and the business damage that it can cause as a result of data breaches.
Data masking and Data Loss Prevention(DLP) offerings are best suited for addressing data security. To enforce security on the data you would want to know:
- Where the data exists (both structured and unstructured) to secure it
- Continuously monitoring access to the data
- Protecting both production and non-production data
- Regular audits for maintaining compliance
Focus Area 3: NETWORK AND STORAGE
Explosive growth in data and digital assets in the cloud , drives the need for high performance reliable network and storage. This calls for sensitive information flowing through the network and storage to be encrypted both in-motion and at rest.
With customers requiring the need to continue to productively use their prior investments on software, the hybrid cloud is pushing needs for cloud security to operate in a hybrid model. In such hybrid environments there is need to support secure links and encryption across on-premise networks and storage units.
Some of the important features to pay attention around Network and Storage Security are
- Confidentiality and Data level protection
- Certifications for compliance with legislative and regulatory mandates
- Privileged user access and separation of duties
- Centralized key management
- Realtime monitoring of traffic across network
Focus Area 4: DATA PRIVACY
In this digital age especially in the cloud where we end up capturing personal identifiable information or other sensitive information is collected and stored, privacy concerns are highly prominent. The challenge of data privacy is to share data while protecting personally identifiable information. Data privacy has become of a very high priority in certain markets like Healthcare, Criminal Justice, Financial, Life Sciences and more. These days the laws for the protection of privacy have been adopted worldwide , but their definitions and objectives vary from one country to another.
It is important that the cloud vendors make sure that their cloud offerings gets certified under EU, US and other Safe Harbor Programs.
Focus Area 5: DATA CENTERS
Primarily due to cost effectiveness, customers are adopting cloud and hybrid services as their business model in various stages of their business cycle. This is driving data centers to adopt virtualization technologies to rapidly expanding their data center infrastructures reliably and effectively into the cloud.
Some of the common challenges around security in the data center are:
The resources belonging to multiple customers reside on the same physical platforms. Proper security measures must be adopted such that customer data cannot be breached or spilled over, even if the multiple customers are leveraging the same resources and platform in the virtual environment.
2. Compliance and Privacy Restrictions
Even though the infrastructure and resources of the data centers are managed by the cloud vendor, they should be prevented from monitoring and auditing any components or data. This includes preventing them from inspecting the network through which customer data will be passing because of compliance and privacy restrictions. The cloud vendors should think through these privacy and compliance challenges so you can clearly isolate these tasks and provide ownership to the customers to manage, monitor and audit on their own. Providers may need to comply with the ISO17799 based policies and procedures and be regularly reviewed as part of the SAS70 Type II audit process.
In summary, security enforcement in data centers involves
- Data Protection at the application, network and storage through access control and encryption
- Protecting systems through hardening, intrusion detection and prevention
- Monitoring and Auditing through certifications to meet compliance regulations, change control around upgrades and patches, proper role and privileged access management.
For those who have worked and dealt with Middleware software in the past which provided services to software applications beyond the operating system, the term aPaaS should not be a hard to understand concept.
An aPaaS as per Gartner’s definition is as a PaaS (app middleware + cloud characteristics) designed to enable runtime deployment, management and maintenance of cloud business application services. It supports requirements for business application and application projects and is delivered as-a-service..
Middleware has been the commonly used term for on premise software that enabled communication and management of data in distributed applications. Middleware gained popularity in the 1980s as a solution to the problem of how to link newer applications to older legacy systems. The vendors who built and offered Middleware had a strategy of building a complete and integrated suite of middleware to allow our customers to develop, deploy, and manage applications. For customers the middleware software not only offered off the self features around building and hosting application but also the ease around the integration burdens which facilitated the ability to link applications together and provide more consistent access to information.
You can now relate the same middleware software capabilities to an aPaaS in the cloud that offers the following services
- Platform services
- Identity Services
- Integration services
- Business Process Management Services
- Development Tools
- Deployment Tools
- Management Tools
Why would anyone need an aPaaS?
These days cloud services is picking up lot of traction when it comes to SaaS, PaaS or IaaS. Refer to my earlier blog post ” Why Software-as-a-Service (SaaS) model matters for both customers as well as vendors” as to the reasons why oth customers and vendors are investing in the rapidly evolving application platform.
Gartner recently published their first Magic Quadrant (MQ) for aPaaS with their focuses on public cloud enterprise aPaaS offerings. – See more at: https://www.gartner.com/doc/2645317?pcp=itg. It’s interesting to see how quickly the aPaaS market has evolved in a period of less than 9 months, now that Gartner now has a MQ for this space. Quite a few Platform as a Service (PaaS) vendors whose primary focus in 2013 was providing Platform Services are now posiioing and evolving their services to address the aPaaS space. This is a clear indication that PaaS market has matured and the revenue opportunities are shrinking. The PaaS vendors clearly see that the growth opportunity is to move into the application space and they need to innovate quickly to become market leaders.
An aPaaS infrastructure is a self contained environment that will offer the following
1. Build applications
The application platform provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project
2. Deploy apps in minutes, with tools you love.
Reduces development and deployment time. They offer a way to rollout new application features into production has never been easier. Set up staging and test environments that match production so you can deliver functionality without fear, and continuously make improvements.
3. Scale the application to millions of users.
Tools and features that will help to scale your application at the same time ability to upgrade your database software in a few simple steps.The growth could happen over a year or overnight, but aPaaS will facilitate you to grow on demand to capture opportunity.
4. Integrate with various other applications
Provides additional software services like operating system, database, security and vulnerability management, API and integration infrastructure and more
Stay tuned, in my next log topic that I would like to explore is “What’s next after aPaaS for both vendors and customers?.”
When times are hard, winning a business or selling smart is important for both customers and vendors who are competing head-to-head which can be cut throat especially when markets are flat or growing slowly.
These days the idea of IT installing and maintaining software onPremise at customer sites is completely winding down. Customers are looking to transition more to make their IT as a service. Meanwhile, software vendors are offering increasing amount of software via direct download or as a cloud hosted service known as Software as a Service (SaaS). The SaaS model is growing popular for personal, business and mobile applications and the market is only expected to get bigger in the coming years. This is why the Software-as-a-Service (SaaS) matters as a very scalable and an economical model for both a software vendor as well as for the customer, who are looking for a easy and a cost effective way to address their immediate software needs.
Take a look at how a SaaS model can address the functional areas for both a vendor and a customer:
|Market Problems||The vendor understands the market problems and has a close working relationship with its existing customers and knows what the future potential customers wants. This helps vendors to bring in rapid innovations to market thereby mapping a solid innovation strategy to creating a new market space for their products and solutions||Customers look for a solution with minimal initial investment but with a greater return and value that is easy to onboard, solves their problem and can be accessed from anywhere.|
|Technology||Vendors provides, maintains and manages the hardware and software components of their product and/or solution. The vendor has more control over which hardware/software configurations to support.Vendors need to address scalability and multi tenancy requirements at the software level to allow multiple customers to share hardware and software services.On a long term this becomes a very cost-effective model to support infinite scalability.||Customers don’t care much about the back-end system as long as it works when they want it, fast, securely, and reliably.Each customer will have specific requirements around performance, scalability, and security requirements that vendors to meet so their personal data and information is secure and do not get breached at any point in time.|
|Product/Solution Support||Quality issues might impact everyone in customer base at same time. Hence greater attention will have to be taken by the vendor to provide and maintain controlled quality of serviceNew releases of the product or solution, application of patches and service packs can be released more timely and quickly to the customers, but requires more rigorous quality control.||Customer have a greater need for the Service level agreements(SLAs) to be met by the Vendor specifically around production requirements for system performance and capacity for multiple tenants will have to be addressed.Customers often have higher usability expectations as well.Customers experience a painless software upgrades.|
|Initial & Operational Cost||The initial cost to set up the service (hardware and services) are incurred by the vendor. Also, all the ongoing operational costs of running the service are incurred by the vendor, not the customer.||Customers have overall reduced operations costs and Zero infrastructure cost.|
|Product Performance||Customers will have to monitor and analyze how well the product is performing including product profitability, actual to planned revenue, customer satisfaction, and market share.Areas to focus to monitor performance are:
||Customers as buyers want proof of uptime and performance level.Customers want predictability and efficiency with more automation of services.|
|Revenue & Pricing||Revenue is recurring for the vendor but is recognized as the service is rendered, not in a lump sum up front like on-premise product/solution.||Pricing for the customer is typically subscription-based with a “pay as you go” model based on the value received for the vendor’s services. This provides better cash flow for the customer.Up-front implementation services cost might be charged to the customer.|
|Sales Process||Sales cycles are typically shorter.||Customers will have greater flexibility to shift to competitive product if they do not see value with an existing vendor offering and services.|