Survey says that UK PLC needs to embrace benefits of IT

London, 26th August - A joint survey carried out by Computer Weekly and 360°IT - The IT Infrastructure Event has discovered an apparent disconnect that exists between senior management, the IT department and the employees of companies. Although 64% of senior managers see IT as being strategic to the business, alarmingly a fifth view IT as a necessary evil. In addition, researchers found that only 45% of senior managers have a good understanding of the IT function, which perhaps explains why 31% of senior management apparently fail to fully embrace the potential that IT offers them.

Bryan Glick, Editor In Chief, Computer Weekly: “The divide between IT departments and the rest of the business has been a problem for far too long. These days, few businesses can survive and compete without IT and managers who fail to grasp the potential of technology do their employer a gross injustice. But equally, IT managers need to work hard to overcome such barriers and educate their business peers to understand the benefits of a closer working relationship.”

“As a new generation of tech-savvy workers step up into management positions, their expectations of IT will only have a positive effect on IT-business relations. Any senior managers already in place who fail to keep up with technology will find themselves losing out very quickly,” he said.

“The problem is exacerbated,” says Natalie Booth, Event Director for 360°IT - The IT Infrastructure Event, “by the fact that just 20% of senior managers admit to actually involving their IT peers in the decision making process of their businesses and only a third try to understand the role of IT.”

There is, however, a ray of hope from the survey results as 48% of senior managers view the IT department as part of their business and 44% see IT as a contributor to the success of their business.

Booth went on to say that the poll results show that there is an apparent psychological gulf that exists between management, the IT department and the end users of technology in a large number of businesses.

"The survey shows that senior managers can easily give their organisations a significant competitive advantage by embracing new technology as just 11% of senior managers claim to be IT savvy," she said.

"They also need to embrace advice from their IT colleagues as just 31% turn to IT for help and advice, and 29% of IT professionals say their users turn to them only to complain, presumably when things go wrong," she added.

IT managers said that they take a proactive role in their approach to IT users, with 68% stating that they listen and act on their requirements and 55% working closely with them to deliver IT that meets their needs. A fifth thought that users are enthusiastic and keen to learn about IT.

"Overall, the results of our survey show that there is a considerable way to go before UK companies can be said to be taking advantage of new technology. With the current global recession, it’s imperative that businesses should work closely with IT and use the latest technology to gain competitive advantage, especially as 96% of senior managers viewed convergence as an opportunity to rise to the challenge of beating the economic gloom," said Booth. "Visitors to the 360°IT will be able to sample the latest technology and services that IT has to offer and use the education programme to further their knowledge of how IT infrastructure solutions can help to achieve key business objectives such as improving service, reducing cost, managing risk and gaining competitive advantage and growth."

The survey of 417 professionals was carried out during July 2010 for the 360°IT - The IT Infrastructure Event, which takes place on 22-23 September 2010 in Earls Court, London. www.360itevent.com

360°IT is the event dedicated to the IT community addressing the needs of IT professionals responsible for the management and development of a flexible, secure and dynamic IT infrastructure.

With high level strategic content, product demonstrations and technical workshops, 360°IT will provide an essential road map of current and emerging technologies to deliver end to end solutions.

360°IT will facilitate vendor and end user collaboration to create the IT infrastructure necessary to achieve key business objectives - improving service, reducing cost and managing risk whilst gaining competitive advantage and growth.

Source: Eskenzi PR

Open for Business

By Peter Dawes-Huish, CEO LinuxIT

I attended a seminar the other day and I was amazed just how much misinformation there was around the adoption of Open Source based software and the services surrounding it. The reasons, the strategies, the options, the benefits it offers business today.

I’m not sure why. Perhaps it’s because Open Source (OS), by its very nature with such a developer led resource is such a fast moving field, or those within the OS community and providers of Enterprise Open Source, like LinuxIT, just need to work harder at getting across the ability of OS to transform the management and performance of IT environments. Its ability to contribute towards IT innovation, interoperability, return on investment and so on.

Of course fear, uncertainty and doubt surrounding the adoption of Open Source such as lack of support, lack of security, liability etc has been spread for years but this is now melting away rapidly. This can be evidenced by the nationals and multi-nationals in the finance, telecoms, retail and government embracing both community and enterprise open source platforms as a key element of their mission critical systems.

Whatever the reason for the scepticism towards OS in some quarters it’s a pity as it can generally provide the answer to the relentless demands on IT professionals for more features, functions and applications - for less or the same cost.

Of course most IT environments use OS derived code. Even so, many organisations and IT professionals are missing out on the proven and unique benefits that Open Source can bring through their passive, even casual, rather than proactive, stance.

We all know, IT is no longer a side show in the corporate structure. Today, IT is central to corporate success and profitability. But in my experience the IT manager still faces the same barriers to success as always. A backlog of projects. An inadequate budget. A shortage of planning time. Unrealistic expectations or worse, unknown expectations. In these respects Open Source can be an IT life saver, enabling the IT manager to do more, with fewer resources.

Leaving aside the freedom, choice and power that OS offers, to my mind the business benefits of OS fall into six categories:

  • Value creation: ensuring return reflects IT investment

  • Economic incentives: real savings, from day one

  • Reliability: robust, proven and supported enterprise platforms

  • Ease of deployment: plenty of support at an engineering and user level

  • Compliance: systems that tick all the boxes

A good example of the growing preference for open source can be seen in the financial services market. Driven by the exponential growth of market volumes and profit pressures all sectors of the financial services industry have increasingly been turning to enterprise open source and Intel and AMD standard servers as a way to dramatically improve performance and price benefits for mission critical applications such as risk applications, market data systems, equity options calculators etc.

There are open source solutions being deployed today to improve performance and cost savings in these areas and more in investment banks, retail banks, insurance specialists and others. Many are also migrating from Unix based systems to enterprise open source such as the Red Hat stack to achieve enhanced application performance and lower total cost of ownership at a capital and operational expenditure level.

The investment bank Brewin Dolphin, an OS user for many years, has developed internal expertise but also relies upon regular and occasional support from LinuxIT, the UK's authority in Linux based systems. They find a combination of outsourced business hours support and informed consultancy enables them to maximise the return on their OS investment.

To accelerate and enhance the adoption of Linux and Open Source software, we now provide a free situation review and proposal service. This enables managers to benefit from free, independent and informed advice on how they can embrace open source or extend their utilisation. You can learn more about us at www.linuxit.com or talk to us on stand B65 at the 360IT Show 22-23 September Earls Court, London.

Courtesy: 360IT PR (Eskenzi PR)

BridgeHead Software Reveals: 'Why Disaster Recovery Is Different In Healthcare'

Free whitepaper explains that an effective Healthcare Disaster Recovery strategy is dependent on a solid understanding of a hospital's applications and data

Ashtead, UK and Woburn, MA, USA - August 25, 2010 - BridgeHead Software today released a whitepaper on Healthcare Disaster Recovery that offers an integrated strategy to address the uniquely complex data and storage management issues healthcare providers must consider as they develop hospital-wide backup and recovery policies. Available for download, the whitepaper details why disaster recovery (DR) is different in healthcare and, therefore, requires a different treatment when compared to disaster recovery in other industries.

As the whitepaper explains, the data landscape in the healthcare industry is more complex than it is in the vast majority of other industrial and commercial sectors. This intricate environment results primarily from the varied data types - namely structured, unstructured and semi-structured - which are generated by both clinical and administration systems. The paper goes on to reveal that the type of data being secured and protected is inextricably linked to how that data needs to be recovered. It also outlines how IT professionals can reduce their backup burden by as much as 70 to 80 per cent.

"For many hospitals, the sheer volume of data being generated is preventing them from successfully protecting and securing their patient and administrative information," said Tony Cotterill, Chief Executive of BridgeHead Software. "Understanding the unique characteristics of healthcare data is the first step to implementing an effective backup and disaster recovery strategy that will reliably bring a hospital's information back online within minutes and hours, rather than hours and days, after a disaster, systems outage, corruption or loss."

BH MediSafe Helps Meet Hospital DR Requirements

BH MediSafe from BridgeHead Software is a flexible, modular approach that solves a pressing healthcare IT issue: that of implementing a DR strategy that can reliably and realistically deal with the massive upsurge in data demands, now and into the future.

When implemented as the foundation to a DR strategy, BH MediSafe uses a combination of traditional backup and archive to fully protect data and improve the recovery process in the event of outage, corruption or loss. BH MediSafe protects healthcare information by first analysing whether the data is "static" (unlikely to be accessed or changed again) or "dynamic" (regularly accessed and likely to change), then protecting it accordingly. Since it selectively moves static data into a fully protected archive, the traditional backup of the dynamic content is optimised and data recovery both at the file and the system level is vastly improved.

BH MediSafe allows healthcare organisations to:

  • Understand their data, which leads to a more effective data protection and DR policy;

  • Reduce backup windows and improve system administration efficiency by identifying static content and moving it to self-protecting repositories;

  • Create a single management system for protecting static and dynamic data;

  • Improve single-item restore coupled with full and efficient protection against "once in a lifetime" disasters;

  • Make protected data available for secondary or research use;

  • Achieve ROI via its multitasking capabilities.

"While healthcare organisations are generating new data at a dizzying pace, a full 80 per cent of hospital information is static data that, after 14 months, may never be accessed again," said Tony Cotterill. "By significantly reducing the amount of data to be replicated and moving static information onto low cost archives, BH MediSafe helps healthcare organisations implement DR strategies that set and meet realistic Recovery Point Objectives (RPOs) and Recovery Time Objectives (RTOs) goals."

BridgeHead Software, the Healthcare Storage Virtualization™ (HSV™) company, offers a scalable, future-proof platform to overcome rising data volumes and increasing storage costs while delivering peace of mind around the access, availability and protection of critical electronic patient data.

Trusted by more than 1,000 hospitals worldwide, BridgeHead Software solves healthcare organizations' backup, recovery and archiving challenges. BridgeHead's HSV solutions are designed to operate with any hospital's chosen software applications and storage hardware, regardless of vendor. This presents healthcare organizations with more choice, flexibility and control over the way data is accessed, protected and managed. The net effect - better utilization of hardware resources and, more importantly, the efficient distribution, availability and use of vital healthcare data.

Healthcare Storage Virtualization is a technology platform that decouples software applications from the allocation and management of the physical storage hardware on which the application data resides. By separating these applications from the storage device/s, healthcare organisations have a lot more choice, flexibility and control over the way data is accessed, protected and managed. The net effect - better utilisation of hardware resources and, more importantly, the efficient access and use of critical electronic patient data.

HSV allows healthcare organisations to take ownership of their data even though it may reside on disparate software and hardware systems. Being vendor-agnostic, BridgeHead HSV has the ability to interface with any storage platform intelligently, creating better and broader availability of content as well as prohibiting unwanted access and providing comprehensive disaster recovery capability.

In addition, BridgeHead HSV technology offers powerful connectivity to all storage media types. As part of its advanced data protection and archiving features, HSV allows files to be transformed (e.g. compressed and de-duplicated) invisibly in the background, irrespective of media type and functionality, vastly reducing the capacity required across the storage real estate and often delaying the need for hardware upgrades.

Finally, BridgeHead's focus on healthcare lies at the heart of HSV. Consequently, all of the common native standards found within healthcare IT are supported e.g. HL7, DICOM XDS style interfaces etc. This support allows speedy integration of the HSV solution resulting in a more rapid return on investment.

To learn more about BridgeHead Software, visit: http://www.bridgeheadsoftware.com

Follow BridgeHead Software on Twitter at http://www.twitter.com/BridgeHeadHSV

Source: Rose Ross, Omarketing

New FalconStor® NSS SAN Accelerator for VMware View Enhances Performance and Data Protection for Virtual Desktop Environments

Delivers 10x storage performance improvement while providing integrated, multi-tier data protection for virtual desktops

LONDON, UK, August 24, 2010--FalconStor Software, Inc. (NASDAQ: FALC), the provider of TOTALLY Open(tm) data protection solutions, today announced FalconStor® Network Storage Server (NSS) SAN Accelerator for VMware View(tm), an SSD-enhanced storage solution that increases the performance of VMware virtual desktop environments while delivering integrated, multi-tier data protection. FalconStor NSS SAN Accelerator for VMware View performs backup and recovery for the entire virtual desktop environment and for each virtual desktop - and, for the first time, enables integrated self-service file recovery for individual virtual desktop users.

VMware View delivers tremendous efficiencies in the deployment and management of enterprise users' desktop and laptop computers. Virtual desktop operation and management can be enhanced by storage capabilities to maximize performance, availability and efficiency. FalconStor NSS SAN Accelerator for VMware View dramatically enhances the efficiency of virtual desktop management throughout the virtual desktop lifecycle - accelerating virtual desktop booting, login, operation, logoff, patch/update and security management through 10x storage performance improvement.

Virtual desktop deployments also require advanced data protection and storage efficiency features for storing desktop images, user data and settings that need to be backed up and recoverable in the event of a system failure, user error or data center disaster. The FalconStor NSS SAN Accelerator for VMware View employs snapshots, thin clones, replication and file-level protection to enable a three-tier data protection service:

  • Entire VMware View environment - comprehensive, enterprise-class continuous data protection that allows IT managers to recover locally or from a DR site in the event of system-wide failure.
  • All VMware View user data repositories - complete data protection for user data located within the VMware View environment and redirected folders on a separate NAS appliance.
  • Self-service file-level recovery - users can recover their own individual files as needed, saving storage administrators significant time and expense.

"Virtualization in general and virtualization of desktops in particular have amplified I/O unpredictably as read/write I/O storms occur frequently without warning; the only solution to date has been to add more disk drives," said David Vellante, chief research advocate, Wikibon. "Wikibon has been emphasizing the requirement for different architectures to exploit the potential of flash to improve I/O performance. We are very pleased with the innovation that FalconStor has shown with its flash-on-storage-controller implementation, which is much more efficient for VDI than SSDs. The FalconStor NSS SAN Accelerator neatly exploits the VMware I/O separation improvements to offer a solution that combines low-cost SATA with 2 to 3 percent high-performance flash as a cache that can adapt in real-time. Wikibon believes this is a best-of-breed solution for high-performance workloads."

"The rapidly adopted paradigm shift of virtual servers and desktops ushered in by VMware's innovation has created the need for storage environments with integrated data protection designed for the new virtual data center," said Jim McNiel, chief strategy officer for FalconStor. "Virtual environments not only demand flexible, scalable virtual storage environments, but also require backup and DR systems that work with the unique characteristics of virtual machines. We designed the FalconStor NSS SAN Accelerator for VMware View(tm) to deliver the kind of storage environment that virtual desktops require - improving performance and data protection in one elegant solution."

Pricing and Availability
The FalconStor NSS SAN Accelerator for VMware View is available immediately through FalconStor's network of channel partners. The average cost for an implementation of up to 5,000 users is $35 per virtual desktop.

FalconStor at VMworld 2010
FalconStor Software will be exhibiting at VMworld 2010 in San Francisco from August 30 to September 2, 2010, in booth number 1407. In addition to the FalconStor NSS SAN Accelerator for VMware View, FalconStor will be demonstrating its latest failover/failback capabilities for VMware vCenter(tm) Site Recovery Manager and RecoverTrac physical-to-virtual server recovery.

FalconStor Software, Inc. (NASDAQ: FALC) is the market leader in disk-based data protection. FalconStor delivers proven, comprehensive data protection solutions that facilitate the continuous availability of business-critical data with speed, integrity and simplicity. The Company's TOTALLY Open(tm) technology solutions, built upon the award-winning IPStor® platform, include the industry leading Virtual Tape Library (VTL) with deduplication, Continuous Data Protector (CDP), File-interface Deduplication System (FDS), and Network Storage Server (NSS), each enabled with WAN-optimized replication for disaster recovery and remote office protection, and the HyperFS(TM) file system. FalconStor products are available as OEM or branded solutions from industry leaders, including Acer, Data Direct Networks, Dynamic Solutions International, EMC, Fujitsu, Hitachi Data Systems, Huawei, Pillar Data Systems, SGI, SeaChange and Spectra Logic and are deployed by thousands of customers worldwide, from small businesses to Fortune 1000 enterprises. FalconStor is headquartered in Melville, N.Y., with offices throughout Europe and the Asia Pacific region. FalconStor is an active member of the Storage Networking Industry Association (SNIA). For more information, visit www.falconstor.com.

Source: bbcomms.co.uk

DEF CON survey reveals vast scale of cloud hacking

- and the need to bolster security to counter the problem

London and San Mateo, Calif., August 24, 2010 – An in-depth survey carried out amongst 100 of the elite IT professionals attending this year's DEF CON 2010 Hacker conference in Las Vegas recently has revealed that hackers view the cloud as having a silver lining for them.

And a gold, platinum and diamond one, it seems, as an overwhelming 96 per cent of the respondents to the Fortify Software-sponsored poll said they believed the cloud would open up more hacking opportunities for them.

This is being driven, says Barmak Meftah, chief products officer with the software assurance specialist, by the belief from the hackers that cloud vendors are not doing enough to address the security issues of their services.

"89 per cent of respondents said they believed this was the case and, when you analyze this overwhelming response in the light of the fact that 45 per cent of hackers said they had already tried to exploit vulnerabilities in the cloud, you begin to see the scale of the problem," he said.

"While ‘only’ 12 per cent said they hacked cloud systems for financial gain, that still means a sizeable headache for any IT manager planning to migrate their IT resources into the cloud," he added.

According to Meftah, when you factor in the prediction from numerous analysts that at the start of 2010 20 per cent of businesses would have their IT resources in the cloud within four years (http://bit.ly/7dvygF), you begin to appreciate the potential scale and complexity of the security issues involved.

In the many predictions, he explained, 20 per cent of organizations would own no appreciable IT assets, but would instead rely on cloud computing resources - the same resources that 45 per cent of the DEF CON 2010 attendees in the survey cheerfully admitted to already having tried to hack.

Breaking down the survey responses, 21 per cent believe that Software-as-a-Service (SaaS) cloud systems are viewed as being the most vulnerable, with 33 per cent of the hackers having discovered public DNS vulnerabilities, followed by log files (16 per cent) and communication profiles (12 per cent) in their cloud travels.

Remember, says Meftah, we are talking about hackers having DISCOVERED these types of vulnerabilities in the cloud, rather than merely making an observation.

DEF CON has evolved considerably since the first event was held way back in 1993, and the hackerfest in the last couple of years has attracted 8,500 of the world's top hackers and IT security researchers. "Anecdotal evidence suggests this year's Las Vegas event was even more successful, meaning that our survey results highlight the very real security challenges that lie ahead for cloud vendors and security defense professionals," he said.

"More than anything, this research confirms our ongoing observations that cloud vendors - as well as the IT software industry as a whole - need to redouble their governance and security assurance strategies when developing solutions, whether cloud-based or not, as all IT systems will eventually have to support a cloud resource," he added.

"It is of great concern to us here at Fortify that the message about software assurance has still to get through to everyone in the software development community, and the DEF CON survey results strengthen our resolve to get this message across to as large an audience as possible."

For more on Fortify Software: www.fortify.com 

Source: Eskenzi PR

Employee survey highlights dangers of insider threat

Imperva says employee survey highlights dangers of insider threat

London, 24th August 2010 - Whilst the media seems pre-occupied with the problems of cybercriminals and hackers causing problems for organisations from outside their network, a survey just published shows that 23 per cent of UK employees will take customer lists and other sensitive data when they leave their employer.

"More than anything, this highlights something we've been saying for some time, namely that with insider threats, IT managers are fighting a less visible, but not less difficult threat in addition to the well publicised external threats. Staff are precisely the people who have access to data that needs to be secured and carefully controlled," said Amichai Shulman, CTO of data security specialist Imperva.

"In addition, the survey shows that the insider threat is not always the potentially rogue employee for whom a background check has been completed - staff also need to be monitored during their employment as the information may not necessarily be ‘maliciously’ downloaded after the termination notice but rather information was rightfully obtained and collected by the employee over time and actually should have been removed upon termination by the IT Team," he added.

According to Shulman, this scenario is similar to the scientist at DuPont who claimed ownership of the formulas he discovered and that they were part of his work portfolio to be presented at his next company, despite the fact they were allegedly worth $400 million (http://bit.ly/ahxeHc). "In general, any documentation that is not explicitly marked as public should be considered sensitive and proprietary by all."

The problem with the insider threat in this case, the Imperva CTO says, is drawing the line between what is company intellectual property and what are your skills that you have established over the years. “There should be a clear distinction between an employee’s claim regarding the ownership of certain knowledge and the ownership of any materialized form of that knowledge. I’ll give two examples. In the DuPont example, I don’t believe that the employee had any true legal claim regarding the knowledge and most certainly should not be allowed to take the documents with him. In the case of a contact list, there is probably much truth in the fact that these relationships are the employee’s “core competence” (much like a programmer’s coding skills obtained during his employment period). However, retrieving the list of contacts from a company database and storing them to a file should be considered illegal.”

Shulman says it is interesting to note that the survey also asked workers what they would do if they were inadvertently granted access to a confidential file - such as one containing salary information, personal data, or plans for a pending merger. The survey revealed that only 57 per cent of UK respondents would look at the file. "This figure is surprising as I would have thought that 99% of people accidentally stumbling into such information in the web would have read the file. The fact that the percentage among employees is lower is an indication of loyalty. However, employers still need to be cautious as this shows how existing employees can be considered a snooping risk," he said, adding that this is a prima facie case for securing access to data within an organisation.

"The moral here is that you must secure all your company data and only allow authenticated plus logged access on a carefully controlled access basis," he said.

For more on the SailPoint survey: http://bit.ly/9bO5Wg

For more on Imperva: www.imperva.com

Source: Eskenzi PR

Capturing the New Frontier: How To Unlock the Power of Cloud Computing

By Mike Armistead, VP Corporate Development, Fortify Software

So here’s a question: Which IT sector accounts for fully 25% of the industry’s year-over-year growth and, if the same growth trajectories continue, will generate about one-third of the IT industry’s net new growth by 2013? The answer is Cloud Services, according to research firm IDC¹. Cloud computing is garnering its fair share of industry buzz as well. Its promise of revolutionary cost savings and agile, just-in-time capacity has driven IT organizations at enterprises of all sizes to build cloud deployment strategies into their plans.

The Benefits of the Cloud

Cloud computing is immensely popular with companies and government agencies in search of revolutionary cost savings and operational flexibility. According to industry research firm IDC, cloud computing’s growth trajectory is, at 27% CAGR, more than five times the growth rate of the traditional, on-premise IT delivery/consumption model.²

Cloud computing practitioners cite numerous benefits, but most often point to two fundamental benefits:

  • Adaptability: An enterprise can get computing resources implemented in record time, for a fraction of the cost of an on-premise solution, and then shut them off just as easily. IT departments are free to scale capacity up and down as usage demands at will, with no up-front network, hardware or storage investment required. Users can access information wherever they are, rather than having to remain at their desks.

  • Cost Reduction: Cloud computing follows a model in which service costs are based on consumption and make use of highly shared infrastructure. Companies pay for only what they use and providers can spread their costs across multiple customers. In addition to deferring additional infrastructure investment, IT can scale its budget spend up and down just as flexibly. This leads to an order of magnitude cost savings that wasn’t possible with 100% proprietary infrastructure.

Other benefits of the cloud include collaboration, scaling and availability, but revolutionary cost savings and the almost “instant gratification” offered by the agility of the cloud will be the key contributors to adoption of the cloud.

What is the Cloud?

So much has been written, advertised and discussed about cloud computing, it is appropriate to define the term for common understanding. Cloud computing generally describes a method to supplement, consume and deliver IT services over the Internet. Web-based network resources, software and data services are shared under multi-tenancy and provided on-demand to customers. It is this central tenet of sharing - and the standardization it implies - that is the enabler of cloud computing’s core benefits. Cloud computing providers can amortize their costs across many clients and pass these savings on to them. This paradigm shift in computing infrastructure was a logical byproduct and consequence of the ease-of-access to remote and virtual computing sites provided by the Internet.

The U.S. National Institute of Standards & Technology (NIST) defines four cloud deployment models:

  1. Private Cloud, wherein the cloud infrastructure is owned or leased by a single organization and is operated solely for that organization

  2. Community Cloud, wherein the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns, including security requirements

  3. Public Cloud, wherein the cloud infrastructure is owned by an organization selling cloud services to the general public or to a large industry group

  4. Hybrid Cloud, wherein the cloud infrastructure is a composition of two or more cloud models that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

NIST’s definition of cloud computing not only defines HOW infrastructure is shared, but also outlines WHAT will be shared. These service models shift the burden of security accordingly between provider and user:

Software-as-a-Service, or “SaaS”, is the most mature of the cloud services. SaaS offers a “soup to nuts” environment for consumption of a common application on demand via a browser. Typically, the customer controls little or nothing about the application, or anything else for that matter, and is only allowed to configure user settings. Security is completely controlled by the vendor. Examples of providers include Salesforce.com, Workday, Mint.com and hundreds of other vendors.

Platform-as-a-Service, or “PaaS”, is an emerging cloud service model. The customer is able to develop applications and deploy them onto the cloud infrastructure using programming languages and tools supported by the cloud service provider. The customer is not able to control the actual infrastructure, such as network, OS, servers or storage, that makes up the platform itself. Because the customer controls application hosting configurations as well as development, responsibility for software security shifts largely to their hands. Examples include Google App Engine and Amazon Web Services.

Infrastructure-as-a-Service, or “IaaS”, is where even more of the infrastructure is exposed to multi-tenant users. The cloud service provider provisions processing, storage, networks and other fundamental computing resources. The customer is able to deploy and run arbitrary software, which can include operating systems and deployed applications. Software security in this deployment model is completely in the customer’s hands, including such components as firewalls. Examples include Amazon Elastic Compute Cloud and Rackspace Cloud.

While SaaS gained popularity as an alternative to on-premise software licensing, the models that are driving much of the current interest in cloud computing are the PaaS and IaaS models. Enterprises are especially drawn to the alternative development infrastructure and data center strategies that PaaS and IaaS offer. At this point in time, smaller enterprises seem to have more traction with PaaS, enabling them to rapidly bring websites to market; whereas larger enterprises are more comfortable beginning their cloud deployments with an existing application moved to an IaaS cloud service.

How do we fully realize the benefits of the Cloud?

Realizing the cloud’s benefits is greatly determined by the trustworthiness of the cloud infrastructure – in particular the software applications that control private data and automate critical processes. Cyber-threats increasingly target these applications, leaving IT organizations forced to sub-optimize the cloud deployments containing this software, limiting flexibility and cost savings. Assuring the inherent security of software, therefore, is a key factor to unlock the power of cloud computing and realize its ultimate flexibility and cost benefits.

Recommended approaches to Cloud software Security

According to the Cloud Security Alliance, a not-for-profit organization promoting security assurance best practices in cloud computing, the ultimate approach to software security in this unique environment must be both tactical and strategic. Some of their detailed recommendations include the following:

  • Pay attention to application security architecture, tracking dynamic dependencies to the level of discrete third party service providers and making modifications as necessary

  • Use a software development life cycle (SDLC) model that integrates the particular challenges of a cloud computing deployment environment throughout its processes

  • Understand the ownership of tools and services such as software testing, including the ramifications of who provides, owns, operates, and assumes responsibility

  • Track new and emerging vulnerabilities, both in web applications and in machine-to-machine Service Oriented Architecture (SOA), which is increasingly cloud-based

The key to achieving the benefits of the cloud and to putting the above recommendations into practice is Software Security Assurance, or “SSA”. Recognized by leading authorities such as CERT and NIST, SSA is a risk-managed approach to improving the inherent security of software, from the inside. There are three steps to a successful SSA program:

  1. Find and fix vulnerabilities in existing applications before they are moved into a cloud environment

  2. Audit new code/applications for resiliency in the target cloud environment

  3. Establish a remediation / feedback loop with software developers and outside vendors to deal with on-going issues and remediation.

To realize the full benefits of cloud computing, organizations must assess and mitigate the risk posed by application vulnerabilities deployed in the cloud with the same vigor as those within their own data center. It is only then that they will be able to take full advantage of cloud computing to save cost and increase the efficiency of their business.

Resources:

IDC on IT Cloud Services

NIST definition of Cloud Computing

Cloud Security Alliance “Security Guidance for Critical Areas of Focus in Cloud Computing v2.1”

1 Worldwide IT Cloud Services Spending, 2008-2012, IDC, October 2008

2 Worldwide IT Cloud Services Spending, 2008-2012, IDC, October 2008

500 million users. Where to from here?

by Michael Smith (Veshengro)

In mid-July 2010 the number of people using Facebook reached the 500 million mark. This is more members than many a country has citizens.

What this means is that one in every 14 people on the planet has now signed up to the online social-networking service. But where does it go from here?

Facebook founder Mark Zuckerberg said, "Our mission at Facebook is to help make the world more open and connected. I could have never imagined all of the ways people would use Facebook when we were getting started 6 years ago."

The problem is that Facebook is often trying to make it too open in that it keeps changing the privacy settings of users – across the board – thus making some people very uneasy about its aims.

A study released in July 2010 in the United States indicates that while people may be addicted to Facebook they do not rate it highly in terms of customer satisfaction.

In the study, Facebook was grouped alongside airlines and cable television companies in the lowest 5% of private companies ranked in the 2010 American Customer Satisfaction Index (E-Business Report) produced in partnership with ForeSee Results. Perhaps this explains why a recent PARN (Professional Associations Research Network) study presented at the Association Congress reported that only 14% use the social networking giant for "business" - which includes fundraising and membership communications.

ForeSee chief executive Larry Freed summarized his feelings: "Our research shows that privacy concerns, frequent changes to the website, and commercialization and advertising adversely affect the consumer experience," he said in a press release.

Facebook was designed for the Intranet of a University College and it would seem that Mark Zuckerberg has not understood as yet that the big wide open Internet needs different and more secure settings.

The dissatisfaction of users could easily lead to a wholesale exodus, especially if someone else would come along with a platform and concept that does the same but has better security.

A website that is being changed all the time, whether intranet or world-wide web, does not make for a good “customer experience”, as Larry Freed rightly states, and makes people turn off, in more than one sense.

It is not just Facebook that makes those mistakes about the constant changes to the website and such. Many a commercial and government website undergoes those almost constant changes and it makes the use of those a pain in the posterior.

I always advise people to design a website on the KISS principle and also to use as few graphics as possible and, if they use graphics then make them low in bytes so that the page loads fast enough.

No one wants to sit for minutes waiting for a page to load, and considering that the greatest part of the USA, for instance, is still on dial-up, that is something that must be taken into account.

While we know that advertising is often needed to keep things running – and that is definitely the case with media – it should, in my opinion, not be something that jumps out at you and that is always in your face.

© 2010