Q3 - Cloud Computing (CA Technologies)

CQUILAN wrote:For information, I've just read in a French newspaper that mentioned some rules in the cloud computing that are supposed to limit the risk.

Medical Records cannot be stored outside France for example, and some important info cannot leave the European zone at all.

I guess there are hackers everywhere, but it is a start !

So far this geography localization seems to be one of the only thing we can really do in cloud computing to improve security. Some cloud computing service like Amazone's one do even offer a geographic limit area: that is to say that they ensure your data to be store in this delimited area only. The cloud starts then to be a bit delimited and less of a pervasive system.

For information, I've just read in a French newspaper that mentioned some rules in the cloud computing that are supposed to limit the risk.

Medical Records cannot be stored outside France for example, and some important info cannot leave the European zone at all.

I guess there are hackers everywhere, but it is a start !

Thanks a lot for your contributions especially on comparison between private VS public cloud. For both options you actually rely on a storage player to host your data.

1/ For Private Cloud Services, the company lend fixed and exclusive storage capacity from the storage player.

2/ For Public Cloud, the storage player allocates the capacity in function of demand and no company have any exclusive data space.

In both systems, data are still hosted by a specialized player outside of the company so security levels should be the same. What mainly change is the cost for the company and the flexibility.

Could you discuss a little bit the difference in term of costs of the two options? In terms of data availability? According to you what can of benefits a company could take from switching from private to public cloud?

Cheers

I am not sure whether cloud security is up to par with no cloud solutions yet, but I see no issues in fortune 500 companies using cloud storage when technology is ready. I think a highly specialized company offering secure cloud services will be just as good as any fortune 500 it-department in providing secure it-solutions, as others mention there also risk associated with in-house solutions and any computer connected a network runs the risk of being hacked as other mentions.

If there is a third-party assurance to bridge the gap between customers and cloud providers, I believe it will be more reliable to the users. For the cloud provider, they can increase the trust from the customer because they have the assurance of third-party. Also for the customer, they will be more confident when they store important data on the cloud.

And if so, I'm willing to trust my intellectual property to a cloud computing framework. I think the largest advantage of cloud computing compared to the original storage is the convenience. I can access my data anytime and anywhere through the internet without take a troublesome original storage device. Without worry about missing storage device or being edited by others, using cloud computing could save a lot of resources. But this is on the premise that both the cloud provider and third-party are trustworthy.

I think cloud computing providers should keep investing in security and build a competitive advantage around that. Its the case for example of FireHost, a Dallas based cloud hosting provider that has made security the focus of its offerings and recently invested $10 millions to improve sustainably its security and hosting platform. Moreover, I find interesting the fact that this provider also host a website of a famous hacker that is facing several attacks everyday. The company that host also several fortune 500 companies, does not hesitate to unveil this fact. It could be a good way to promote the company's performance while knowing how to improve the security of the cloud after these attacks.

i think the majority of a company's data could be stored in the cloud, but there is no way i would store really important things in the cloud. just last month, my data was hacked by a banladeshi hacker who somehow got into the every server of my provider, InMotion hosting. if data is out there on the web, i think it is possible for anyone to get to it.

patrick.cato wrote:To conclude, to benefit from the technological advantages of Cloud Storage, a Fortune 500 company needs to use a PRIVATE cloud and they need to know the server locations. If furthermore good encryption is used, I don’t see any risk. However, I do not recommend using any PUBLIC cloud as you do not know where you data are.

Some additional point to what Patick has metioned,
many companies are now trying to move forward to Hybrid Cloud to deal with the security and privacy problems of public cloud,
and combine the advantage of both private and public cloud,
which simplify the work of IT management and lower maintenance costs at the same time,
if I were the CIO, I'll consider to use the Hybrid Cloud for my company.

I completely agree with Patrick on this point, especially regarding the need of a private cloud for a Fortune 500 company. For instance Dropbox faced some criticisms in May because some customers noticed that DB's employees could get access to their files (and not only to the files metadata as DB's website currently states). More than security, the issue was privacy then. If the data shared on the cloud are that important, big companies can't take the risk for a third party to have a look at it (unless this third party is under a really strict privacy contract) and should keep it within their own IT department.

patrick.cato wrote:I think when talking about data security and cloud computing, you really need to distinguish between public and private cloud. I think generally I don’t see a big difference between private cloud and “original storage of information”. A private cloud – meaning you do not share any server resources with any other company – is the same for me as having a server somewhere in a datacenter. However, I think a Fortune 500 company cannot trust a third provider to host any data service of critical data. Thus, the private cloud needs to be hosted by the same company that wants to use it through their IT department.

The threat of using a public cloud is higher, although I think other users are not the main threat. Personally I think if you encrypt your data, mere technically as a computer science student I know it is impossible to hack the data. Mere legally spoken, it is tricky. For instance if the cloud server would be hosted in the USA, the US authorities have a legal right to access the data. So the main problem with public cloud is that you do not know where you critical data are.

To conclude, to benefit from the technological advantages of Cloud Storage, a Fortune 500 company needs to use a PRIVATE cloud and they need to know the server locations. If furthermore good encryption is used, I don’t see any risk. However, I do not recommend using any PUBLIC cloud as you do not know where you data are.

I think when talking about data security and cloud computing, you really need to distinguish between public and private cloud. I think generally I don’t see a big difference between private cloud and “original storage of information”. A private cloud – meaning you do not share any server resources with any other company – is the same for me as having a server somewhere in a datacenter. However, I think a Fortune 500 company cannot trust a third provider to host any data service of critical data. Thus, the private cloud needs to be hosted by the same company that wants to use it through their IT department.

The threat of using a public cloud is higher, although I think other users are not the main threat. Personally I think if you encrypt your data, mere technically as a computer science student I know it is impossible to hack the data. Mere legally spoken, it is tricky. For instance if the cloud server would be hosted in the USA, the US authorities have a legal right to access the data. So the main problem with public cloud is that you do not know where you critical data are.

To conclude, to benefit from the technological advantages of Cloud Storage, a Fortune 500 company needs to use a PRIVATE cloud and they need to know the server locations. If furthermore good encryption is used, I don’t see any risk. However, I do not recommend using any PUBLIC cloud as you do not know where you data are.

As far as i am concerned , I think that it could be better to trust the secure of cloud than our own company security. As our frien charles gras said, you will always have a strong contract when the security of your data is the most important point. No company is secured from hacking if their information system is not realy strong.
So i think that if ou can't give better security to your data, it is better to trust "some" of this companies.

charles.gras wrote:Guys,

I just would like to come back on two aspects.

1/ When you have a contract with a Cloud Storage player, the security of your data is of course at the main concern of the deal. All the scenario are taken into account and several layers of data saving are used. For special scenarios like bankruptcy or hacking or data leaks, compensation or exit strategies are put into practice. Companies can also hedge the risk using different Storage players for vital data.

2/ Keeping your data with a classic mainframe model also implies great risks. Phising, haking attack, data leaks and thefts happen really often (which explains why the security software market has been thriving http://www.gartner.com/it/page.jsp?id=1714714 and big companies and government are still being hacked with the best mainframe infrastructures)

Do you really think a company with inhouse data storage is not exposed to attacks and has better security systems than a specialized players?
For you are the advantages of cloud computing just in term of saving and not in term of performance and above all better security?

Isn't there an illusion of physical location of the server whereas the threat is virtual?
Comments, short-peeches?

Let me just add this extract to inspire your thoughts
"The guarantees that providers offers ensures that they support their claims with guarantees. For instance, the infrastructure is 100% guaranteed, the Cloud Server hardware is 100% guaranteed, and also the network uptime is 100% guaranteed. It comes with a full line of computing solutions, giving each consumer the flexibility in addition to control to perform their business the way that they will need to."

http://isimplifytech.com/2011/05/internet/cloud-computing-a-revolutionary-technical-invention/

Ps. Sorry for quoting myself...

Guys,

I just would like to come back on two aspects.

1/ When you have a contract with a Cloud Storage player, the security of your data is of course at the main concern of the deal. All the scenario are taken into account and several layers of data saving are used. For special scenarios like bankruptcy or hacking or data leaks, compensation or exit strategies are put into practice. Companies can also hedge the risk using different Storage players for vital data.

2/ Keeping your data with a classic mainframe model also implies great risks. Phising, haking attack, data leaks and thefts happen really often (which explains why the security software market has been thriving http://www.gartner.com/it/page.jsp?id=1714714 and big companies and government are still being hacked with the best mainframe infrastructures)

Do you really think a company with inhouse data storage is not exposed to attacks and has better security systems than a specialized players?
For you are the advantages of cloud computing just in term of saving and not in term of performance and above all better security?

Isn't there an illusion of physical location of the server whereas the threat is virtual?
Comments, short-peeches?

Until now I still can't totally trust the secure of cloud. Of course it's very low cost and low maintain if using cloud computing, but if comes to some secrets of enterprise, some detail of operation, it's hard to decide to store in the third party.
Cloud is not so clear and most of the users don;t need to understand what cloud really do, this is good to customers that they don't need to learn new things, but also they can't control it.
Security is the main issue in cloud computing, and if I'm a CEO/CIO of fortune 500, I won't be such a risk taker that for cutting cost then transform our information to cloud.

I do agree with you guys, it is safer to keep sensitive information internally: you wouldn’t like your supplier to have access to your strategy or your accounting sheets.
Besides, I am wondering, has any Cloud-Computing provider gone bankrupt? What happened to the documents online? How would the customers deal with that?

I think the main issue is that the cloud infrastructure is much more accessible than for example a stand-alone server platform. as a consequence one can currently never be sure whether or not the data will be entirely secure. Furthermore I think a third party involved will only complicate the process and leave more room for errors and therefore result in less reliability. In the end even these party's cannot guarantee the safety of my data.

Many cloud providers have invested heavily to develop highly secure and available environments. Yet every cloud provider is different. The technologies and processes used to deliver cloud computing are evolving, and there are no established standards. To choose a provider you can trust, you need transparency into how providers' environments protect you from risk.

I think that one solution could be the use of third party assurance to bridge the gap between customers and cloud providers.
What is your opinion on that? In doing so which kind of benefits customers and/or cloud providers will gain?

Part of the "technical" cloud security concerns are Internet security issues, which aren't really new things, and public provider might even be more reliable due to its economics of scale. So for simplicity, we can leave them out of this discussion.

"New" security concerns of cloud can generally be traced back to trust issues. For Fortune 500 companies, data and software are not the only asset worth protecting, activity patterns also need to be protected. But sharing resources in the public clouds means that other cloud users residing on the same resource may be able to reverse-engineer to estimiate customer base, revenue size, and etc. The management system of the cloud need to provide mutual auditability to resolve the conflict, because the cloud environment essentially includes stakeholders with potentially conflicting interests, such as competitive business operate within the same environment. However, this kind of regulation and monitoring procedures aren't mature enough yet.

The reputation fate-sharing reality between the cloud provider and users is also worth noting. Suppose the cloud provider was truly trustworthy, there's still not guarantee that other users of the cloud won't engage in misconduct that cause the cloud service being shutdown for federal investigation. The user's business reputation can be severely damaged even though it was no fault on his own.

Therefore, I think it's highly impossible for companies to put sensitive data on the public cloud. Important data will still be better off when hosted internally. Of course, this doesn't mean big companies can't leverage the public cloud, it only means they need to carefully consider what kind of workload is viable (ex.software development, testing, public websites hosting....).

I strongly agree with joern; I think that security is the main issue in cloud computing and if I would be a CEO of fortune 500, I will be reluctant about leaving critical information somewhere on the internet. As a result, a cloud computing provider should be transparent concerning the security used and allow the client to track the data he gave to the service provider.
For example In a law firm context, the use of cloud computing raises ethics issues around storing confidential client data on a system the attorney may not own or otherwise control.

On the other hand, cloud computing present several advantages: it eliminate server costs (also fixed electricity costs) including the reduction of consulting and installation fees, you can access at your files anywhere, it is easy to use and compatible with most of operating software.

I would say, it is very difficult to assess the privacy and security situation for data within cloud storage. You do not know where exactly your data is, often, there is no specific data center. Through that arise issues by governmental laws which allow the government to access data, which is stored within their borders. An example is the Patriot Act of the USA. Individual users and also enterprises which use cloud services from American companies ( Microsoft, Amazon, Google, CA Technologies, ...). So enterprises, if they are really paranoid, cannot really know if their data is save or is secretly extracted and compromised.

A recent debate over this in Germany was about the Patriot Act, allowing the USA to even extract data stored in European data centers of American companies. As they argue, the companies are liable to American law.

Question #3 CA Technologies: Bringing the Cloud to Earth

Imagine that you are the CEO/CIO of a prominent Fortune 500 company.
In this case the security of your software, resources and information is highly important and defects or violations are highly undesirable.

Would you trust your intellectual property to a cloud computing framework?
- If yes, what are the advantages of cloud computing compared to the original storage of your intellectual property?

Thanks!