Posts Tagged ‘cloud computing data security’

Considerations for Choosing a Cloud Provider

For many organizations, cloud computing is cost-effective for at least some applications.  Determining which applications are appropriate for the cloud takes careful evaluation.  The following checklist covers some of the factors you need to consider before selecting a cloud computing provider:

  1. Does the cloud you are considering meet your business availability needs?  What information can the provider give about historical and recent cloud availability?  What investment has the provider made in resilience and high availability?
  2. What service level agreements does the provider offer?  What compensation is available if the service is lost?
  3. Do you need the cloud provider to comply with certain regulatory requirements?  Where will your data reside, and is that location acceptable?  Does data archiving meet your regulatory requirements?
  4. o the cloud services meet and exceed your IT and data security policies, or do they fall short?  Will it be in a private or public cloud?  Will it be in a secure data center?
  5. Where is the data actually stored and who has access to the data?  What happens to the data when production tasks are completed?  How are archives accessed?  How is the data finally destroyed?
  6. What will costs be tomorrow?  What are your baseline costs?  Agility, flexibility, and strategy are part of the future costs, but you need a baseline for comparison.  How is the agreement structured?  Can the provider change the cost of the service to you?  If so, how much notice is required?
  7. How viable is the cloud provider?  It is important to select a provider with sufficient resources and services to provide the high levels of availability, resiliency, and security your business requires.  Is cloud computing part of the provider’s core business, or is it a new venture that could fail if it does not attract and retain sufficient customers?  Does the cloud offer multiple, highly resilient data centers with very strong network links between them?

In a business environment where information availability is critical, it makes sense to proceed cautiously, using a deliberate and systematic approach to mitigate risk.  A sensible first step is to testing a cloud provider with a non-critical process.  This lets you gain hands-on experience without risking major problems with day-to-day operations.

Does your organization have a business impact analysis (BIA) that audit all your business processes and defines the availability, resiliency and security each needs?

For more information, visit our Cloud microsite

How Managed Multi-Site Availability Changes the Cloud

As traditional on-premise computing and data storage moves to the cloud, many companies have questions about data outages.  What happens when the cloud experiences an outage?

It is unlikely that an entire cloud data center will go down, but it is not impossible, as Amazon’s recent outage in Dublin showed.  Fortunately, companies can look to managed multisite availability to provide a higher level of service to keep the customer environment up and running, even in the event of an entire site disaster.

The phrase “managed multi-site availability” essentially defined itself.  “Managed” refers to the ability of your vendor to help re-create your information technology in the event of a natural disaster or man-made incident.  A Do-It-Yourself (DIY) service provider offers infrastructure only, while a cloud provider offering managed services has all the capabilities and processes you expect with IT, like change management, security, operations control, and the ability to resolve problems and issues.

Multi-site means your vendor has multiple sites where the cloud is available.  That means you have options and different price points for satisfying back-up and recovery requirements in line with your business requirements, from high availability to highly resilient, failover and recovery, with many nuances in-between.

In effect, multi-site capabilities means the vendor has a “continuum of availability” at your disposal.  “Availability” refers to the how accessible an application must be.  The more important an application is to your business, the higher the availability it requires.

The availability requirements for production applications are much higher than the availability requirements for a development or testing environment.  To accommodate production applications, the cloud environment is built from the ground up for production-level availability.  It is not enough to add change management, security, operations control, etc. on top of a DIY environment.

How many applications in your data center require high availability?

Learn more about SunGard’s Enterprise Cloud Services.

SunGard Availability Services Brings Enterprise-class Availability for SAP to the Cloud

Today we are announcing the availability of cloud-based SAP ERP Services.   You will probably see the formal announcement in the blogs, trade pubs and various news services, but we thought we would be remiss if we did not give you a heads-up here.  Don’t hesitate to contact me for more info.  Thanks,           -CM

For the last 10 years, SunGard has provided SAP production support services (SAP-hosting certified since 2009), so it is only logical that we extend those services to our Enterprise Cloud.  With our Enterprise Cloud as its foundation, our SAP ERP production-ready cloud services leverage the best-in-class Vblock™ platform with the multiple layers of availability, scalable and elastic resources, and cost advantages that make cloud computing attractive.

We have been certified as a cloud service provider by SAP, and we have optimized our infrastructure for SAP ERP production.  Our services include advanced SAP monitoring and range from configuration support to application administration, patches and updates.  Because the SAP ERP services interconnect with our hosted physical environment, we can provide flexible, hybrid solutions as well.

We meet the needs of SAP ERP environments ranging from  new development environments to full multi-landscape deployments, including:

Available
Availability features range from automated fail-over of virtualized systems to managed multi-site availability with secure data replication and managed SAP recovery options.  Our Service Level Agreement (SLA) covers 99.95% VM uptime in combination with a 99.9% SAP production uptime SLA.

Compliance
As a SAP-certified cloud services provider, we provides ITILv3 framework production application services in hardened data centers audited under SSAE 16 Type II criteria and certified to the ISO 20000-1 standard.

Security
We provides a range of secure network access, performance and security options, from Internet-based virtual private networks and private carrier circuits to geographic load balancing and intrusion detection systems (IDS).

Now, new SAP ERP installations can deploy with no upfront costs, low minimums for cloud resources and predictable, predetermined costs—making this an attractive, cost-effective alternative to in-house deployment.  Likewise, existing installations can leverage the on-demand resources and predictable costs of the cloud to reduce in-house data center costs when equipment upgrades approach.

Moving to the SAP ERP production-ready cloud services lets your in-house IT experts manage their production work, rather than being consumed with the day-to-day execution details.  In short, it frees them to focus more on the company’s IT priorities and initiatives.  We can help you get there.

How much time could your IT department save with an enterprise-class SAP ERP cloud?

See a demo of the SunGard Enterprise Cloud Services here.

Scalability Requires People and Services, Not Just Technology

Scalability is one of the most attractive features of the cloud.  It lets you meet demand-based business requirements, whether those demands are the results of ads, business growth, seasonal activity or economic cycles.

However, scalability is more than just provisioning more technology and/or increasing a data center footprint.  Scaling horizontally to add hardware is the easy part.  Data centers have been doing it for years, first as managed service offerings and now as enterprise caliber cloud offerings. 

However, the ability to scale vertically is one of the most attractive features of an Enterprise Cloud.  As your business grows, it also becomes more complex, and an Enterprise Cloud offers not just the infrastructure but also the service offerings you need, such as advanced data management services, enhanced security services and multi-site integration to support the complexity of your business.

Storage Tiering Services

As your data grows to multiple terabytes, you need storage tiering to deliver the right scaling costs at the right performance levels.  Tiered storage, where different classes of storage are defined and  available depending on the storage tier/data requirement, allows for the matching of performance and costs to the specific data-set and application(s). 

Enhanced Security Services

Similarly, as your technology footprint grows, you need additional security services beyond the standard firewall, VPN and related security access.  Examples include host-based intrusion prevention, log management/analytics and, in many cases, security information event management (SIEM).  Additional monitoring/reporting tools that report on capacity, performance and health are needed to make informed decisions across the application(s) architecture. 

Multi-site Integration

In addition, since everything is not likely to be in the cloud, you need the ability to inter-connect your Cloud environment to collocated or other managed environments as well as SaaS or self-hosted application infrastructure. This version of the hybrid cloud will continue to build in demand and necessity as more enterprises embrace the various delivery mechanisms, including SaaS, Managed Services, Cloud, Colocation, etc.  Finally, the Enterprise Cloud gives you access to the technical specialists and experts that can help you manage the new challenges.

When you think about scaling your business, recognize that three components—technology, services and people—are needed to scale it.  The Enterprise Cloud makes all those components available as you need them.

Will your data grow beyond your current data center practices  in 2012?

Learn more about SunGard’s Enterprise Cloud Services.

What does an Enterprise-Class Cloud Really Mean?

One of the most critical decisions a CTO can make is selecting the cloud environment for his or her company.  It is intimidating, complicated and crucially important.  When making that decision, it helps to know the attributes of the enterprise-class cloud, the “gold standard” for cloud computing.  Here are just a few.

Fully managed and Highly Consultative

By partnering with a leading vendor, you can leverage their IT expertise to architect the high-quality operations, recovery and business continuity processes your organization needs.  Their consultative approach helps to protect you from the many vulnerabilities experienced by companies acting without expert guidance.

An enterprise-class cloud is service-rich and supports fully managed operations for both cloud-ready and non-cloud-ready applications (which require dedicated solutions).  It comes with a holistic Service Level Agreements (SLA) that covers the complete environment—from performance levels for each component to 24/7/365 support, security, production processes, problem resolution steps and required staff certifications, along with ITIL, ISO9001 and governance procedures.

Resiliency

While the vBlock that underpins most enterprise-class clouds is highly resilient and redundant, it cannot prevent a server from crashing or a power outage from occurring.  Consequently, individual vendors are responsible for overall resiliency, whether that means automating failover capabilities or establishing integrated, multi-site, disaster recovery locations.  Similarly, vendors must specifically build into their offerings the security to monitor the access, use, disclosure, disruption, modification and destruction of data by users and programs.  It will serve you well to question potential vendors diligently about their resiliency capabilities.

Different Expectations for Different Use Cases
Different use cases require different levels of quality (reliability, up time, security, etc).  Once you define the requirements for your application, you can determine the price-performance trade offs your company can afford to make.  For example, a commodity cloud (like Amazon) offers:

  • Unlimited capacity,
  • Quick provisioning (turns on fast; shuts off fast.  Swipe your credit care and run your job),
  • Low cost and lots of control (e.g., root access and API-level access) and self-service.

However, the trade-offs include:

  • A weaker security infrastructure,
  • Little, if any, technical support (i.e.,  no consultation on set-up or phone support), and
  • No backup or disaster recovery plan except the one you devise and request.

Use cases for Amazon might include a test site or support for a start-up company that needs a cheap development environment with a high degree of control.

By contrast, an enterprise-class cloud (like SunGard’s) offers:

  • Consulting to assess and deploy applications wisely,
  • High-quality security, uptime and compliance,
  • High levels of customer support,
  • A service-rich environment,
  • Fully managed operating system and VMware for  provisioning, and
  • Architecture with built-in resiliency.

The trade-off for the enterprise cloud is that more time is required to move to the cloud.  Use cases include production environments that need security and compliance capabilities.

Not all clouds are created equal.  It pays to ask questions about every aspect of the cloud environment, carefully identify your company’s needs and match them to the capabilities of the vendor and make sure your SLA spells out the service levels you expect.

Does your company have service level requirements for your data center?

Download SunGard’s white paper,All clouds are not created equal.”


PaaS: The cost saving “middleware” for cloud infrastructures

Today we hear from  Sarabjeet Chugh on  – PaaS: The cost saving “middleware” for cloud infrastructures

Not long ago, a survey of Fortune 100 companies showed that 77% of IT budgets go to maintaining the status quo.  Only 23% of the budget actually drives new revenue.  In recent years, a few dents have been made in IT costs by better development tools and clouds.   Development frameworks like Spring, Ruby on Rails, PHP, Python, Django framework, etc., let programmers code websites, web applications and web services more quickly, and clouds spread the cost of infrastructure components across multiple companies.

Nevertheless, infrastructure maintenance—at 42% of the budget—remains the single biggest component of the maintenance burden.  One thing that could make another dent in maintenance costs is an easy way to on-ramp an application into production in a cloud.  Getting applications to the cloud more quickly and deploying them with less programming to link the application to the infrastructure resources would decrease both development and maintenance costs.

New Middleware for New Architectures 

To do that, new middleware that works with the new hardware architecture of the cloud is needed. Existing middleware is antiquated.  Programmers spend nearly 50% of their time coding non-application functions, such as database caching, billing, metering, messaging and authorization. Different framework and database combinations need different versions of the middleware, and every version has to be maintained as databases and servers move within  enterprise data centers, public clouds or both.   

The new middleware should be a PaaS element that is open and supports multiple programming frameworks, from Java-based spring to PHP-based micro frameworks and Microsoft .Net, among others.  It also needs to be independent of the infrastructure, so it can support environments from public clouds built using different hypervisor technology to local laptops.  Similarly, it should be independent of the application business logic, so the application is not muddies with the logic for addressing databases and constructing messages and, thus, is more portable.  Finally, it needs to include a reusable library of services that can be easily assimilated into new and existing application code to simplify the programming of 3-tier applications. 

Accelerate Time-to-Market

The major benefit of PaaS is improved developer productivity and, therefore, an accelerated time-to-market. Organizations using PaaS techniques typically report operational savings of 30% or higher. 2011 is being termed as the year of the PaaS and for good reasons. Enterprise-grade IaaS has gained mindshare and acceptance in small-medium enterprises.  By leveraging PaaS, developers avoid the many hassles of updating machines and configuring middleware and can focus their attention on delivering applications. Reducing these obstacles means faster delivery of applications and making cloud portability a reality for enterprise applications.

 How much time does your staff spend maintaining applications for infrastructure changes?

An Enabling Architecture for Cloud Services

Today’s post is from Rahul Bakshi, vice president, managed services strategy & solution design 

While many different types of architectures can support cloud computing, architecture can limit a cloud’s capabilities and the therefore the use cases for cloud. Cloud architecture should not be proprietary in its technology so that it limits the applications that can be deployed.  The more agnostic the architecture is to the applications, the better.  For example, some databases, are not designed to be virtualized so dedicated computer resources, at a minimum, are required for this type of application. 

 Open and Secure

Architecture should be designed to offer as much flexibility as possible without sacrificing quality.  It not only has to be accessible to end users via various network connectivity requirements, many solutions require the need to support hybrid connectivity. A closed architecture would prevent one application from communicating with another application. For example, an e-commerce application in a closed system might not be able to communicate with a manufacturing application on dedicated infrastructure required for order fulfillment.

With Cloud computing, the increased dependency on security solutions has risen significantly.  Companies are looking to understand the layers of security the cloud solution offers as well as how that security pertains to their specific environment.  Depending on the business or application requirements, general-use “consumer clouds” will not support the appropriate level of security controls or compliance.  Most lack the ability to identify, prevent and track access, attempted access, and actual intrusions and may not include controls for authorized access.  If the infrastructure lacks the controls to detect, log and perform forensics against an intrusion, it limits the types of use cases.

Redundant and Agnostic

In addition to security, true enterprise-grade for cloud offerings means high performance, scalability, and reliability.  Enterprise cloud solutions must provide appropriate layers of redundancy to support true high availability for the application layer.  Redundancy must be built-in across the infrastructure and associated tools ensuring there are no single points of failure as well as seamless failover for the application(s).  This requires automation and appropriate tooling to prevent any requirement for human interaction.  Further, capacity management and process automation are required to maintain the right levels of availability.    Special automation should move the workload wherever needed to maintain availability. 

Performance transparency and automation

Cloud solutions require tools around monitoring, reporting, and managing now more than ever due to how clouds are architected, shared, and made available for applications.  Organizations need to understand how the resources are being used so they can manage and plan for capacity and growth while having confidence in the current performance and health. 

Automation is also a key component of cloud architectures as automation delivers on the value proposition of services needed with high degree of quality.  Operational automation to provision the services businesses need drives costs down while improving time to market.  Integrating this automation into the overall performance management delivers capacity on demand.

Can Cloud Computing Improve Your Security?

Cloud Security continues to dominiate the cloud conversation.  I asked Nik Weidenbacher, director of product engineering for cloud computing to give us his thoughts on cloud improving security.  Nik and his team are responsible for designing, building and testing the infrastructure for SunGard’s Cloud Computing Service…CM

Can Cloud Computing Improve Your Security?

Obviously, the answer is “it depends.”  How good is your security now?  A number of factors play into that question.

Security in a Data Center

If your technology runs in a traditional data center and you move to a cloud where the same technology is used, security is quite similar.  Essentially, you’ve been using virtual local area networks (VLANs) to separate your departments, and now your cloud provider use that same technology to separate your departments and to separate other tenants from you. 

Security in a cloud

If your company doesn’t use a technology like VMware to run multiple operating systems within VLANs, than the security landscape changes significantly.  A physical switch connecting the network to one machine in your data center is now replaced by software switches connected to multiple machines and managed by a “hypervisor.” 

Just as you secured that physical switch in your data center, the cloud technician must secure the software switches and the hypervisor to control who can/cannot access it, and they also need to adding invasion protection software to thwart unauthorized outside access. 

Then they have to consider security maintenance.  Are patches being received, evaluated and placed operation on a timely basis?   Clouds have lots of moving parts and, since it is the weakest link that is most vulnerable, you have to think about security everywhere all the time. 

Security gains

Ultimately, the most important security question is “who’s running your cloud.”  Many companies can’t afford all the software and technical skill it takes to manage a highly-secured data center, so they aren’t doing it.  A cloud provider can share that cost among many companies to not only provide a more secure environment but also to pay constant attention to it.  Similarly, where PCI-DSS certification for credit card transaction may be an on-going project in a company, the cloud provider may already have that security in place. 

What additional security measures could your organization gain with the right cloud provider?

Is the Cloud Security Risk Overstated?

Gregory L. Smith, Senior Product Architect for Cloud Computing, is a liaison to clients for defining and shaping the security components of SunGard’s Cloud Computing Services.

Is the Cloud Security Risk Overstated?

Is the cloud security risk overstated?  If you work with a trusted partner and already have good security practices in place before you move to a cloud, I think the security risk in the cloud is slightly overstated.  It is not cloud computing itself that is the risk.

The Security Risk Realization

Unfortunately, it is not uncommon for a company to be planning a move to a cloud and suddenly see risks everywhere, including places that they had naively overlooked in their existing environment.  However, in you are moving to a trusted cloud computing provider, that provider probably offers more security capabilities than most managed service or infrastructure providers. 

The Key to Reducing Security Risk

The key to reducing the security risk within a cloud is to know how your provider approached the security requirements. Did the cloud computing provider retrofit security or design it in from scratch?

Retro-fitting security capabilities to handle, say, PCI-DSS, HIPAA, ISO 27001/2 regulatory requirements means extracting whatever information is available from low-level system logs after the fact.  This approach offers limited information, and testing security is difficult.

Designing security into a cloud means you can embed audit trails with needed data across all layers of the environment.  From a due diligence perspective, you can produce reports that provide transparency and prove that security is in place, not only for the auditors, but for the client and their customers as well. 

Large enterprises, especially, need built-in security.  The existing security information provided by a vendor may meet the needs of low-level use cases but not that of more closely regulated organizations.  Adding those capabilities could be difficult.

Enable the Client

The goal is not just to put a check mark by each security item on the list.  Rather, the goal is to enable the customer.  With embedded security, applications can ride on top of the infrastructure and transparently hand-off data that your organization needs for its applications.

Download SunGard’s white paper, “All clouds are not created equal.”