Reducing Risk with Encryption for Multi-Tenant Environments

English: Amazon Virtual Private Cloud diagram

One of the biggest hurdles to cloud adoption is undeniably security. In particular, public cloud services are often under scrutiny as to whether a multi-tenant environment is actually secure. Let’s face it, production virtualized environments are a newer trend, which means that until now security was never really treated as an issue.

As more business critical resources become virtualized, there is an increasing need to ensure the right security controls are in place. Until recently, multi-tenant encryption solutions weren’t particularly effective. Key management was one of the main reasons they were avoided, as the portability of VMs across multiple physical servers imposed more demanding encryption key requirements.

AFORE Solutions Inc., a Cloud Security and Solution Provider, recently announced the release of their CloudLink™ 2.0 with Secure Virtual Storage Appliance, the first solution that enables cloud-based DR solutions to meet key regulatory and compliance requirements. This appliance provides a storage repository that can be accessed by VMs hosted in the cloud. Most encryption is currently applied through storage gateway methods, which means data is only encrypted as it is sent to the cloud. CloudLink™ Secure VSA encrypts and protects data at all times, which is particularly important in highly regulated industries. The keys are managed by the enterprise, and encryption keys can be controlled through Active integration.

CloudLink™ Secure VSA has already proven itself in Amazon VPC™ (Virtual Private Cloud), VMware vCloud™ Director environments and CA AppLogic based clouds. The main reason for the success is that organizations want to take advantage of the many benefits of the cloud model. If a provider can offer compliant environments, there is an immediate advantage.

Disk encryption is one of the key security controls used in enterprises to reduce the threat of data loss. The same methodology applies to cloud environments where you need to reduce the risk of unauthorized access as much as possible. Having the ability to encrypt individual VMs means an additional (and significant) layer of security to help protect your business critical resources.

Building a Culture of Innovation Through Cloud

As more organizations start planning for 2013 IT initiatives, a new ambiguous focus has started to emerge from the executive offices. IDC recently surveyed 135 North American CIOs and IT leaders, and found that while there was a huge interest in investing in mobile/wireless, SaaS, Cloud, social media and collaboration, the key driver for these investments was innovation.

Why has innovation suddenly become so important that it increased by a margin of 11% over last year’s results? Additionally, why has the focus on datacenter innovation increased from 52% to 61% from 2011-2012? The main reason is that with cloud, the datacenter has suddenly become the “foundational core” of an innovation strategy, comparing it to the “mainframe of yore but with easier access from a wider variety of devices.” Quite simply, executives see the datacenter and cloud as a way to redesign key systems while spurring new ways of doing business.

Most large organizations, especially those that have existed for over 20 years, are burdened with legacy systems and inefficient workflows. These are the key reasons why many of these organizations cannot make relatively quick decisions or design and launch new products and services in short timeframes. They are tied to large back-office systems that require maintenance simply to continue working, or require a significant investment to replace.

Executives have seen some of the changes that come with adopting new technology, especially through datacenter investments, and believe that by making investments in providing new technology platforms such as SaaS, they can ignite innovation in their organizations to help provide new streams of revenue through service and product innovation, while reducing back-end operating costs.

The problem is that outside these groups, the rest of the organization is not aligned. They do not see how these new investments will help other departments such as operations or marketing innovate. Additionally, many organizations provide an environment that shuns innovation because traditionally it was too cumbersome to listen to new ideas that required change to business workflows. This is a universal problem, not just limited to a specific sector, geographic region or organization size.

By allowing for more open platforms through cloud and virtualization, and leveraging mobile/wireless and business intelligence, organizations can not only empower employees to create new innovative ways to drive more business, but can also help reduce internal operating costs, promote collaboration and innovation, and adapt to market changes faster than through legacy business operation models.

Why Cloud Providers Need to Change Their Approach to Cloud Services

English: Cloud Computing visual diagram

While cloud services aren’t exactly a new idea of service delivery for Canadian organizations, there is still much to be desired.

Right now we are seeing a strong offering of IaaS services, the odd SaaS (as in the case of Big Blue and their Microsoft partnership) and managed (hosted) network services such as WAN optimization, virtual PBX and security.

The great thing about this is that we are seeing some traction among cloud providers in Canada to offer these types of services, but we’re not quite there yet. The reason is that decision makers in the provider space are still trying to figure out the business case for cloud.

The biggest disconnect I am seeing is the failure to link all these disparate solutions together. Right now most services are offered a la carte, from different corporate divisions (Security, UC, Network), and there is no alignment. I would love to see a provider who is not afraid to start from scratch and realign services to verticals, but don’t expect it from the larger, slower moving providers.

Here is where the little providers have a chance. By realigning services to vertical markets, you can build service portfolios that speak to these groups individually. For example, if you decide that education is a good market, you can build services that address the unique needs of education (BYOD, content filtering, security/privacy) and offer a solution that provides all the components for them to outsource their IT services. After all, what sense does it make to recreate the same thing in-house when you are under-funded, under-staffed and have better things to focus on? As a provider, if you are able to say “We understand your market. We know these privacy and compliance issues are critical, integration between systems (standardization) is a must, and that you struggle to keep up with students thwarting your security controls,” why wouldn’t an education organization at least hear you out? It not only saves them money, but saves them tons of hassle and headaches, and they can offload everything knowing it keeps them compliant with whatever controls they need to be compliant with.

Replicate this across other verticals using the same story and your value proposition has gone from “We sell everything to make you more productive/secure/innovative” to “here is what we do to secure educational organizations like yourself.” Who doesn’t want someone else to deal with vendors, figure out the best solutions, and sell internally to make sure everyone is onboard to fund the project?

Relying on cloud providers to give them the right technology mix, while taking advantage of an OPEX vs CAPEX situation, means these organizations can actually focus on their core business instead of wasting time figuring out what everyone else is doing to stay ahead of technology changes.

Educating the Cloud Industry in Canada

As part of the ongoing evolution of the business landscape in Canada, there is a need for more accessible resources to help share ideas in new technologies. It’s impossible to assume that any organization can keep up with the fast change in technology and IT practices, so we need to start looking to our vendor partners and industry associations as the source for open discussion on best practices and practical examples of “This is what we did, and this is what we learned from it”.

The first place to start is with industry groups that can provide practical information. There are many large, international groups like the Cloud Security Alliance and other neutral, volunteer-sponsored groups. These groups focus on driving research and sharing information to help reduce the learning curve associated with cloud.

But these groups are often too large to provide an open group for discussion. There are tons of LinkedIn groups dedicated to cloud and security, but there are so many that half become vendor product placement forums.

Canada has a huge advantage in that our population is small enough, and one of the most digital-savvy. We just need to start having better resources to help spread these ideas, which means forums dedicated to Canadian businesses, which address the unique compliance laws such as those around Privacy or the unique structure of our health organizations.

Additionally, we need to better engage our vendors and academics to help better share information through events, meetings or even social media. The market is still young when it comes to next-generation business solutions, and Canada has the right service backbone. We need to create a better forum so that our startups can be heard, our vendors can share the latest developments, and our employees can start sharing information more effectively.

Canada’s opportunity in Cloud

KPMG released some news yesterday that Canada has a 14.9% cost competitiveness advantage over the US in the digital industries sector. This is due to the “lowest effective corporate income tax rates”. So I have to ask the question, why aren’t we seeing more tech companies setting up base here in Canada, especially with cloud looming?

It’s not for the lack of qualified employees. There is a huge workforce available for this sector, especially if you look at Burlington or Waterloo Ontario. Additionally, we have pretty relaxed immigration laws that allow for businesses to start up here in Canada and recruit from a global candidate pool.

The climate in Canada is also a boon for cloud. If you look at organizations like Rack Force, they figured out that the cool climate found in Canada is a perfect place to host a data centre. It’s the cornerstone of their “green” advantage. We also are immune to a lot of the natural disasters that unfortunately happen to the rest of the world.

Thirdly, we have a ton of organizations in Canada that can benefit from cloud services. Canada is primarily made up of mid-market customers who are struggling to figure out what to do with cloud and how to transform their business. There is tons of blue sky for the creation of services targeted towards this market.

Additionally, we also have some of the strictest privacy guidelines which makes outsourcing to another country a nightmare for all organizations. What better reason to see Canadian expansion (as we see with some of the bigger cloud enterprises) or new business startups. Your market is already captive, so setting up new services that reflect successful ones from other countries is a great opportunity.

The key roadblock that seems to come up with this type of conversation is that Canada is lagging behind in technology adoption. It’s true, us Canadians are pretty conservative when it comes to trying something new. However, we are also the country that spawned huge innovative organizations such as RIM and Nortel (think Patents). So there is a great opportunity for Canada to become a cloud leader, we just need the right ecosystem, and that will come from tech corporations investing in local talent.

The opportunities for Cloud Desktops

Recently the US Navy announced that they would start a 7,500 seat virtual desktop deployment next month as a way to lower IT and maintenance costs.

The implementation leverages zero client laptops connected to desktop images streamed from regional data centres. The advantage of this type of deployment is not just the savings from lower priced hardware, but administrative costs and extra staffing required to maintain them. But there is a bigger advantage for governments who want to follow in these footsteps.

The enhanced security benefits, on top of the ease of administering these types of systems, are a critical driving force behind the adoption of virtual desktop deployments in government. Firstly, because the new laptops have no operating system, the need to update, upgrade and manage content is practically eliminated. Additionally, without USB ports or CD drives, the risk of data loss is reduced significantly, and because the operating systems are hosted centrally, in the event of theft the risk of personal data loss is less than with traditional devices.

On the administration side, since images can be standardized depending on job functions, the complexity of managing applications is reduced. The images can be deployed across multiple platforms including smartphones and tablets, or more notably on home computers using secured authentication controls. IT and Security departments also control the applications that are available to end users, making systems more efficient and eliminating the risk of unsupported and potentially harmful applications being installed by end users.

From a content management perspective, government adoption of virtual desktop models would provide more stringent controls over data usage as data would only be accessible during the remote session, not on the systems themselves. This is key since the number one risk of sensitive data leakage is caused by theft of computer systems. By keeping data centrally located, there is no risk of files being copied locally for offline editing or viewing, and the need for large hard drive storage is no longer required. For industries such as the government, where data must be controlled under strict regulations, the ability to eliminate the risk of data leakage is a key benefit of implementing this type of cloud-based model.

While virtual desktop models are still in early phases of adoption, and there are still barriers to full implementation, it’s promising to see government agencies recognize the benefits that these types of models provide. Not just from a cost savings perspective, but as a way to introduce new security models and flexibility in end user experiences.

GovCloud – Community Cloud service models

As cloud models start to become more mature, a new subset of models has started to create niche markets. One of these models is community clouds, which are aimed at simplifying cloud services for specific industries such as finance, healthcare or government.

The benefit is that these environments are tailored to meet the unique requirements of these industries such as regulatory requirements or security controls.

The benefit for customers is that they get a standardized offering that is tailored to their specific vertical. Instead of buying a generic service and customizing it with the right applications and data controls, they can leverage a pre-built infrastructure with these considerations already included. It really moves the discussion from buying an IT service to buying a business enablement service.

But there is hesitation when it comes to creating community clouds. Many customers aren’t thrilled with the idea of sharing the same infrastructure with their competitors. But the benefits that a tailored environment provides should take precedence over these fears. In any public cloud offering, there will always be a risk of sharing infrastructure services with competition, but the service provider should have the proper controls in place to make this a non-issue.

In fact, vendors are seeing the idea of community clouds as a way to create industry specific solutions such as incorporating identity access solutions to maintain HIPAA compliance or assigning different levels of security depending on the types of email communication (doctor to doctor or doctor to patient). A financial vertical solution might include WAN optimization to handle the large amount of traffic generated by transactional data. By specializing in key industry areas, solutions can be offered as part of a whole cloud package, driving down costs for the vendor and customers, while providing the solutions that best meet the needs of that industry.

Cloud is still emerging as a mainstream business practice. The ability for service providers to differentiate themselves from traditional IT shops through services designed to meet the needs of specific industries is a way to help simplify cloud adoption for customers while making it easier to manage them on the provider side.

Legal considerations for Canadian Cloud hosting

Last week SunGard announced the opening of a Canadian data centre to host Canadian cloud environments.

This simple announcement spread like wildfire through social media for one major reason: the Patriot Act. It seems like there are 2 sides when it comes to discussions around the Patriot Act; those who use it as an excuse to not undertake IT projects (“Sorry, we’d love to outsource our IT, but you don’t have a Canadian-based data centre, and you know we have to comply with the Patriot Act.”) and those who see it as a way to innovate.

The Patriot Act was a reflex answer to 9/11, a way to give the US Government power over all data held on US soil. This led to the creation of companies such as IBM Canada and Microsoft Canada (since US companies can’t hold our data either) as a way to comply with Canadian legislation. In fact, in Alberta and more so in British Columbia, the data privacy requirements are even more strict. So what does this mean for the future of Cloud in Canada? Does this mean we have to forego the unique benefits that cloud offers and just accept services from Canadian corporations without due diligence? Not necessarily.

Cloud computing has a large amount of benefits due to infinite storage potential and elasticity. But the accumulation of data containing personal information in these environments increases the risks exponentially and the impact of a breach. If this happens outside Canada where foreign laws apply, it becomes even more problematic. This is why it is so critical to perform due diligence with your cloud provider before signing an agreement where your data (especially data subject to the Patriot Act) resides in their cloud environments. But what does this entail?

First, ask your cloud provider to provide specific information on the circumstances under which the provider can use your data. It should only be used with your consent, and remain solely your property. If the provider is required to disclose information about your data, it should only be done without your consent in specific situations, and if you can, consider including a liquidated damages provision for any disclosure without consent. This is because if there is damage caused by the disclosure, the provider may make it hard for you to claim a specific amount, as quantifying damage is very subjective.

Second, find out if your service provider is under a requirement to resist (as much as the law allows) the disclosure of information without your consent, or whether they are under an obligation to cooperate with your organization in any audit and to not deal with any regulators without your consent or participation. What kind of security provisions are in place, such as regulation compliant environments? How often are they audited, and who does the work? Is it a Canadian firm, or a foreign one?

The third key area you want to focus on when it comes to selecting a service provider that meets the regulations of Canadian legislation is around data classification. Make sure that your personal data is protected by the right safeguards and that it is excluded from the general limit of liability (if not completely excluded). If sensitive or business critical data is breached, it should carry a higher liability penalty than regular non-critical data. This is to ensure that the provider focuses on this data primarily, not just on the environment as a whole. Ask your provider if there are different data classifications and security controls, and most importantly where the data resides physically. What happens to the data if you move to another service provider or terminate the service? You want a specific deletion schedule that explains timelines for deletion, and controls to ensure the data is eliminated along with the destruction of backup or duplicate sources of the data. How can data be moved to a new provider, and is there a migration path?

While most of these controls focus on personal information, it is important to note that you need to ensure your service provider agreement includes the same provisions for information that falls outside the legislation. While business critical information such as financial data, business plans and patents is not classified as personal data under PIPEDA, it is just as important as your customer information and needs to be considered in the same context.

As more Canadian-based cloud service providers become available, it is important to remember that many of these providers are subsidiaries of US firms. This means that although they have a Canadian data centre, the data may be moved to other global locations for maintenance or load balancing. It is your responsibility to ensure that you include in your contract provisions that restrict this movement, and the requirement for your provider to comply with Canadian legislation.

How can we include Cloud in the Economic Action Plan?

It’s quite curious to see the large amount of cloud innovation events that seem to be constantly ongoing across the US and globally, from VMworld to Cloud Expo.

How can 2 countries that are so close geographically have such different views on Cloud? Most would argue it is because as a country, Canada puts heavy emphasis on regulation to protect data services. Others might argue it is because we don’t have the same ambition for creating new cloud services as the US or Europe does.

Regardless of the reasons, if Canada wants to increase adoption of cloud services in Canada, we need to take a note from the work of the US government.

There are a few things that we can look to the US for inspiration on as it relates to driving innovation; for example, their government’s commitment to supporting the development of cloud services through the existence of 125 separate awards to cloud computing projects and big data initiatives. The National Science Foundation released its “Report on Support for Cloud Computing” a few weeks ago, which is a response to the America Competes Reauthorization Act of 2010. The document highlights the initiatives of the Computer and Information Science and Engineering (CISE) Directorate of NSF.

The CISE is increasingly funding awards in 6 areas including computer systems, networks, security and privacy, algorithms and data management, applications and software engineering and computer science education. Of the 125 separate awards, there are 76 active awards managed by the Computer and Network Systems (CNS) Division, 40 awards managed by the Computing and Communications Foundations (CCF), and 9 managed by the Information and Intelligent Systems (IIS) Division.

These awards illustrate that cloud computing is a key part of the US government’s commitment to innovation and that they recognize it as an area vital to the economic growth and competitiveness of the nation. Companies are responding with a slew of initiatives to drive global cloud adoption, not created specifically to obtain funding, but driven by a recognized need for these solutions. The only gaps outlined in the NSF’s document are the same gaps noted by NIST as barriers to cloud adoption; these are part of the CISE/CNS Division Core program Solicitation for FY 2012, which included Cloud Computing as a “Highlighted Area” for its Computer Systems Research (CSR) program.

Canada should take a note of the success this program has created in the US, and perhaps include it as part of our Economic Plan as a way to drive innovation and create a Cloud Computing environment which could potentially spur the next generation of global market leaders that we have seen in the past with organizations such as RIM and Nortel. But we also have to be careful to make it easy for these organizations to thrive in the Canadian marketplace so that we don’t lose them to foreign investors as we have seen with the recent acquisitions of Kobo and Radian6.

We need to realize that cloud isn’t a trend, it’s an evolution of the way companies need to do business to increase efficiency and innovation. We need to stop being the last ones at the party, and use this opportunity to be the ones sending the invite cards.

Cloud Security best practices – Skills overview

The first two months of the year are always filled with whitepapers and analyst reports talking about what the key trends in security and technology are expected to be.

Sometimes they have lofty goals; we’ve all seen these reports in which they expect full adoption of new technologies where most companies are simply testing the water. Canada tends to be a very slow adopter of new technology, much slower than those of our European and American counterparts.

This is partly due to the heavy regulations that surround the flow of information (Patriot Act) and security in general, but also because as a culture we like to see what everyone else is doing, let them make the early adopter mistakes, and then adopt the process once it’s been figured out for the most part. So while I don’t expect to see mass adoption of cloud anytime soon, I think there are some key trends that we really need to start paying attention to, and dare I say, start adopting.

Some of the key trends that analysts are expecting to see throughout 2012 are the increased importance placed on visibility and compliance as it relates to both internal and cloud services. As systems are moved to cloud environments, managing user access privileges is critical to reduce the risk of insider threats. Because these types of threats are caused by internal users, the technologies in place to protect the network from external threats simply won’t work.

It is much easier to use employee credentials to gain access to the network than to try to hack in from an outside source; this is exactly what happened in some of the largest breaches of 2011. We need to make sure that all employees, contractors and partners are aware of security policies and that these policies are enforced to reduce the threat of insider attacks. Companies should have already invested in these technologies and perhaps start looking towards next generation solutions, including cloud authentication solutions and advanced identity management tools.

In keeping with the importance of monitoring policies, reporting must adapt to show a full, 360 degree view of the environment. Virtualization has already made this more complicated because it allows for data to be located in dispersed locations, duplicated and even in a state of constant motion.

As these virtual environments get pushed into cloud data centres, the need for accurate reporting that can show the state of all network and data sources is critical to reduce risk and to give valuable information should forensics be required. Cloud is a great abstraction technology in that it allows for tons of different resources to be interconnected in ways that have never been possible, with lots of intermediaries in the form of cloud providers. We need to start to incorporate all layers of reporting, from those provided by the cloud service providers to the data monitoring tools used locally to ensure we have a holistic view of all segments.

If our visibility stops at the provider’s network, we are opening up the risk of missing early detection warnings that might signal an ongoing vulnerability such as an unprotected port or unauthorized user access. But it isn’t just the quality of the reporting that will be increasingly important; the ability to streamline reporting so that it can be automated and run consistently for auditing purposes, instead of relying on periodic audit requirements, matters just as much.

The third stage of visibility will extend to incident response and forensics. The need for skilled resources who can identify vulnerabilities and act as a full time incident responder, security threat analyst (think reverse engineering malware) and forensic investigator will be crucial for organizations. This doesn’t mean that the requirement for MSSPs will necessarily decrease, but larger organizations will start to adopt their own in-house specialist team to deal with the increased complexity of threats from hacktivist groups and organized crime.

There is a significant need for security specialists who can help transform the security departments of organizations and merge the traditional technology with new cloud and virtualization security solutions. It’s not surprising that the hottest IT career paths are all in line with cloud and virtualization, and a new generation of certifications including the Cloud Computing Security Knowledge (CCSK) certification from the Cloud Security Alliance is helping to educate the security community on how to transition to meet these new demands.

Canada is fortunate that we have such a large IT specialist community, so transitioning them to be equally effective in traditional environments and cloud/virtual environments is where we need to start making the investment to ensure we have the right skillsets in place when cloud adoption hits critical mass.