Cloud Security Is In Decline – What Are Your Options?

Cloud Encryption is in decline

Have you ever felt that awful feeling that the ship you’re on is slowly and steadily sinking, and no one’s telling you a thing about it? If you are in the cloud, then you should know the feeling, because while your captain is reassuring you that everything is A-OK, new holes start appearing in every new version of the product every day, allowing more water to seep in above the keel.

Cloud security has been in a steady decline ever since the cloud existed. It’s just too juicy a target not to try to hack. Imagine yourself as a hacker. You’re a 30-something-year-old geek who’s trying to get a name for himself. One of the quickest ways to do that is to exploit some vulnerability found in an enterprise. You see, hacking individuals is fun and all, but it’s not going to get you kudos among other hackers. Take down an entire enterprise, and you’ve earned yourself a badge. You hear about this “cloud thing” and it piques your interest, not because it’s one of the coolest booms of innovation to ever hit the internet, but because lots of enterprises park their sensitive stuff right there.

This kind of mentality has led to a constant struggle between cloud providers and hackers, and guess who’s losing? It’s not those college kids or basement dwellers living with their moms. It’s the company that’s giving you the services you depend upon, and I guarantee that you’ll experience the wrath of a compromise one day if you’re not careful.

What makes this security problem worse is what is known as the identity and access management (IAM) gap. Basically, as the Cloud Security Alliance puts it, your employees have as much access to the cloud as you do, and activities happen without the knowledge of your IT staff. This creates a snowball effect where little pieces of information about your enterprise fall bit-by-bit into the hands of companies you don’t know you can trust. Essentially, you’re exposing yourself to a vulnerability without even being equipped to know about such vulnerabilities. Added to this, managers are prone to making mistakes in their adjustments of access management, which in most businesses is currently based on the honor system as opposed to being based on something more concrete, such as a database of users and access groups that can be transparently managed.

This, and your inability to take action quickly, spells an embarrassing future for you!

When the cloud first came into existence, some very smart people were warning everyone about possible security vulnerabilities that might exist in some applications. Now, enterprises on average run about one-third of all their mission critical applications on the cloud. There seems to be no turning back for these businesses, and if you are running one, it’s time you learned what you have to do in order to prevent yourself from getting into a mess that’s difficult to climb out of.

The Road to Iron-Tight Cloud Security

It’s very difficult to give up on a product that’s making you more revenue and producing fewer headaches. But you can’t ignore the fact that migrating over to the cloud, coupled with the bring-your-own-device (BYOD) phenomenon, can present new challenges for IT departments that have little to no knowledge of what goes on outside their spheres of influence within the enterprise. For this very reason, you need to do a few things:

1) Adopt a BYOD policy and enforce it!

If you’re going to have BYOD, don’t just let people do what they want on their devices. Be serious about the threats that come with BYOD and address them. Have employees use your applications to bring their work onto their mobile devices. Use a security solution that allows you to track said devices and wipe them if they’re lost.

There’s another way around BYOD, though. Simply forbid employees to use their devices for work, but offer them company devices that are either partially or fully subsidized by you. This way, they will be able to compartmentalize life and work while still being able to maintain a high level of privacy and comfort on their own personal devices.

2) Doing backups? Rely on yourself!

It is immensely difficult to set up a backup solution that will be able to store files in a central repository and synchronize folders efficiently. That’s why you don’t have to do it. No, we’re not talking about sticking to the cloud. Instead, you can move the cloud to you. Just use a private cloud backup solution with end-to-end encryption. Make sure it doesn’t “phone home” in any transaction. In other words, as long as you have a private cloud server that doesn’t communicate with the outside world, but backs up via intranet, you could end up with a secure backup method that won’t put your company at risk. Of course, you have to set it up correctly, too.

3) Use a transparent, concrete, and highly-secure identity management solution.

If you’re not taking care of your identity infrastructure, anything else you do for security is worthless. The biggest problem in identity and access management is making sure that your employees are not using cloud apps all willy-nilly without any supervision, right? What if you could have an environment that shows you detailed audits of application access and stores all of the identities in your infrastructure in a safe location? What if that environment allowed everyone to keep the encryption keys in their hands rather than storing them on the server?

These are not the only options you have but take them as a starting point to make sure you’ve less to worry about. As they say, get back to the basics and look at the fundamentals.

Have any more options to add to this list? Let me know in the comments and I might update the article.


This article was first published on PerfectCloud Blog. Visit the blog to read more about cloud computing, security and privacy.

Why Cloud Security Should Focus on Identity Management

Identity and Access Management system diagram


Despite the woes of many that the cloud may not be secure enough for real business to take place on it, many people are hopping on the gravy train. The growth of the cloud has become immense, an inevitable result of the large piles of money corporations and small businesses throw at it. Whether you like it or not, the cloud has become today’s chief business infrastructure and there’s no sign that it will go anywhere.

History’s Lessons

Historically, a correlation can be made between the popularity of a product and its likelihood to become a target for wrongdoers. Technology products are no exceptions. As Microsoft Windows grew more popular, hackers became more interested in swindling unprotected users of their money and computing resources.

Alas, the same thing shall happen in the cloud if we’re not careful enough. Some services are already starting to feel the pressure to become more robust against these threats. However, one service doing the right thing just isn’t enough. We need a tough policy on security, and we need it soon. Otherwise, the hordes will show up at the gates and we might as well have just thrown them the key and run away.

The Chaotic Cloud

In the corporate world, IT management is in chaos. Cloud services are services that fall outside of the company’s scope of control. Therefore, they have to enforce strict policies and assign roles to users that are subject to change at any time. They need a way to get new people on board and people who leave the company off the system.

For each employee, this might mean adding and/or deleting several accounts at once. What a nightmare! Some companies may even get lazy and put the same password on all the accounts for that particular user. Once a company goes down that road, it will one day crash and burn like every ordinary fellow does when he sets the same password for everything. (Learn How To Create Strong Passwords Without Forgetting Them)

To add insult to injury, many solutions that are meant to help with this issue tend to turn it into an even greater problem. Each cloud product developer has a different way of making their login system. Because of all the different conventions, security software providers find it difficult to provide a definitive way to secure every identity. As a consequence, companies continue to create identity silos that become increasingly difficult to manage as they grow.

Today, security providers are trying (mostly unsuccessfully) to catch up with the variety of cloud services out there, making sure that they can remain ahead of the curve. But these cloud services have now become a vital part of our infrastructures and we simply cannot renounce them so easily. How do you make sure that your presences on the cloud are iron-clad?

The Solution

The overall cloud infrastructure is in desperate need of a knight in shining armor. Who will that be? Cloud security isn’t exactly the most developed part of the IT sector, but it holds a lot of promise. One of these promising solutions is identity and access management (IAM), which solves virtually every issue mentioned above.

The market for IAM is growing, with Gartner predicting its 2017 numbers to be somewhere around $4 billion. This means the technology is evolving and will continue to face the challenges that lie ahead. The road to a completely secure cloud won’t be easy, but tech innovation inevitably trumps all of the things standing in its way just in the nick of time. We expect that IAM will become one of the principal solutions for cloud security, chiefly because of the way it accounts for basically everything a company needs to manage its IT infrastructure with peace of mind.

IAM seems to hold the key to the future of IT security, as companies migrate more into the cloud and create more accounts for their employees. It makes IT management processes a breeze and allows companies to enforce policies more easily with virtually no chances for making mistakes. It not only lowers the costs involved in paying for wasted time managing tons of accounts, but it also raises the bar significantly in the reliability of your security.

Before you pop out the champagne and celebrate the fact that such an awesome solution exists, however, you ought to know that there’s more to your security than simply signing up for the first IAM your eyes land on.

How “Good” IAMs Manage Data

One question we must ask ourselves is: Who is watching the watchers? Well, IAM watches after your accounts and provides role-based security in a firm. But who makes sure that IAM providers aren’t peeking into your data? Businesses entrust a lot of information to their providers without questions. Perhaps it’s time they asked what exactly is being done to make sure that the company providing the services has no access to the data.

Maybe, just maybe, it’s time to ask how encryption is managed on the server side and on the client side. Do you have any control over the cryptographic functions of anything you use? It would be kind of scary to put all your passwords into a service that offers only promises but no concrete evidence that they’re actually storing your data behind lock and key.

Just imagine for a second what kind of nightmare it would be if a hacker managed to tap into an IAM service’s database and decrypt all of its data. That would mean that the hacker has every one of the provider’s client accounts, and the accounts of each employee. The damage that this person can do is extensive and ultimately fatal to even the most big-budget firms. How do you determine whether this will ever happen?

With our solution at SmartSignin, at least, you’ll be able to create your own encryption key, which means that we delegate control of half of the encryption process to you. In this manner, any breach would only succeed in gathering a bunch of gibberish. Your key is safely tucked inside your brain and the hacker won’t know how to crack your safe open.

The next time you look for a proper security provider, don’t forget to ask yourself this question: How much control do they give me over my data? You’ll find yourself surprised at how much you were willing to trust to someone else without any concrete assurance that your data is safe!

Privacy Matters and Procurement best practices: Edmonton and Google Cloud services

Case studies are the building blocks of solid best practices, especially in the Cloud computing field, where they share knowledge and assets that others can use to repeat these practices.

For example, not only is the City of Edmonton’s move to Google Apps a flagship example of a Canadian user of Cloud services, but the City also shares critical insights and resources on how it questioned and addressed the privacy aspects of hosting such sensitive information from schools on the Google Cloud service.

The CIO is a leading champion of Cloud adoption, discussing issues like the Patriot Act in this IT World Canada interview. On the Schools site they share detailed documentation of how they ensured it met the requirements of their privacy laws, including resources for others to support their own Privacy Impact Assessments.

The Business Case for Cloud

Very importantly the City of Edmonton also had a very clear and well documented business case for the migration.

As described by David Eaves, Edmonton was the first city to move to Google Apps. He also includes a link to the business case proposal for making the move.

Edmonton described how their implementation of Google Apps will enable them to achieve their ‘Workspace Edmonton’ program goals.

As described in their announcement:

“An agreement recently signed with Google opens the door for all City employees to access their online resources from any place, location and with any device.

For the first time, those City employees who do not have an email account will have one as well as access to other office technology tools called Google Apps, such as docs, spreadsheets and presentations. Currently, about 3,000 employees who work throughout the City and not in an office setting do not have email accounts.

Google Apps will enhance productivity, efficiency and collaboration between departments while maintaining strong security and privacy standards.

“This move supports our City Vision, The Way Ahead, to use the most innovative technologies available,”

said city manager Simon Farbrother.”

Is Your IDaaS Vendor Really Securing Your Identity?

One major problem with Identity as a Service

With no huge capital investment, and almost equal operational expenditure, organizations all across the globe are rapidly moving to a cloud based infrastructure.

The benefits of moving to cloud may be plenty, but where sensitive corporate data is involved, adopting cloud leaves the enterprise in a fix. The reason is that almost all cloud based applications are in a public domain, and the maximum level of security offered by all of the cloud application providers is a secure channel of communication between the SAAS vendor and the consumer.

In older days, enterprises used to manage security by putting big bad firewalls to keep the data within the premises. If the data was to move outside the firewall, there were VPNs. With cloud, all the data residing with the vendor is in clear text and god forbid if the notorious hacker is to get hold of it.

This inherent problem with cloud SAAS has followed organizations in the identity domain as well. But identity is a different beast altogether and the security aspect must not be overlooked when adopting IAAS (identity as a service).

SAML, the protocol to establish trust between two different identity systems, will be the answer provided by many cloud identity providers, but is SAML really the answer? Not so much! SAML just takes care of establishing a secure channel for transporting identity, but the actual data residing with identity providers may not be secure. This is the question that really needs to be answered before adopting a cloud based identity provider. Why? Well, digital persona theft exposes the organization to plenty of hazards, both monetary and reputation wise.

In older days, the organizations used to get rid of the incompetency in the data breach by making a change in the organizational structure of the team responsible for managing security. With cloud, in case of security risk, moving to a different cloud IAAS vendor is harder to do because the digital personas reside with the provider, and replicating those records along with roles and policies would be a nightmare, both in terms of time and cost.

So what to look for in a cloud IAAS vendor if not SAML? Yes, you got it right! The answer is: what is the IAAS vendor doing to protect sensitive data?

1. Are they putting firewalls?

2. Are they getting security audits done for their infrastructure?

3. Or are they doing real-time encryption?

1 & 2 are the norm and come by default with IAAS vendors. However, encryption is the trickiest part, because simple encryption is nothing without a carefully crafted key management system. For IAAS providers that offer SSO in a non-collaborative way, key management is usually poor. Either the keys reside with the data they protect, or the keys are generated through an algorithm, leaving the encrypted data exposed to rainbow tables.

The Smart-Key Algorithm developed by SmartSignin and its inferred system architecture make possible a new class of security and trust for cloud based identity and access management. One can think of this as perfect trust because it is based on the principle of mutual distrust of all elements in the system.

By using key splitting, mutual authentication of client and server, and ensuring that an actual encryption key used for entity/password protection is never stored or used on a server (encrypted or otherwise), it gives absolute assurance that even if an attacker was to penetrate that said server they would never have enough information (even if actively stealing data out of memory) to ever reconstitute a key or steal an online identity. By ensuring decryption and use of credentials exclusively on the client it renders cloud servers (which are the single point of security failure and highest risk element in any system) immune to any attacks associated with account compromise.
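A minimal sketch of the key-splitting idea described above, added here as an illustration: it is not the Smart-Key Algorithm (whose details this article does not give) and not SmartSignin code. It assumes a two-share XOR split with a PBKDF2-derived client share; every function name and sample passphrase is constructed for this example.

```python
import hashlib
import secrets

KEY_LEN = 32                 # 256-bit data key
PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_client_share(passphrase: str, salt: bytes) -> bytes:
    """Client side only: stretch the passphrase with a per-user salt.
    The result is never sent to or stored on the server."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def enroll(passphrase: str):
    """Runs on the client. Returns (data_key, server_record).
    The server record holds the salt and one share, never the key."""
    data_key = secrets.token_bytes(KEY_LEN)   # random key that protects credentials
    salt = secrets.token_bytes(16)
    server_share = xor_bytes(data_key, derive_client_share(passphrase, salt))
    return data_key, {"salt": salt, "server_share": server_share}


def reconstitute(passphrase: str, server_record: dict) -> bytes:
    """Runs on the client: fetch the server record, combine it with the
    locally derived share. A wrong passphrase yields a different key, which
    authenticated decryption of the stored credentials would then reject."""
    client_share = derive_client_share(passphrase, server_record["salt"])
    return xor_bytes(client_share, server_record["server_share"])


def change_passphrase(old: str, new: str, server_record: dict) -> dict:
    """Re-split the same data key under a new passphrase, so stored data
    does not have to be re-encrypted."""
    data_key = reconstitute(old, server_record)
    new_salt = secrets.token_bytes(16)
    new_share = xor_bytes(data_key, derive_client_share(new, new_salt))
    return {"salt": new_salt, "server_share": new_share}


def unsalted_key(passphrase: str) -> bytes:
    """The weak pattern the article warns about: the key is a fixed function
    of the passphrase alone, so one precomputed table covers every user."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


if __name__ == "__main__":
    # Constructed sample passphrases.
    key, record = enroll("correct horse battery staple")
    print("server stores:", {k: v.hex() for k, v in record.items()})
    print("client recovers key:",
          reconstitute("correct horse battery staple", record) == key)
    print("wrong passphrase recovers key:",
          reconstitute("wrong guess", record) == key)
    print("unsalted keys identical for two users:",
          unsalted_key("Summer2024!") == unsalted_key("Summer2024!"))
```

Because the data key is random, the server share on its own says nothing about the key or the passphrase. Once ciphertext encrypted under that key is stored beside it, a stolen database can be used to test passphrase guesses, so passphrase strength and the work factor still matter.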

In summary beyond the Smart-Key Algorithm offering a high level of security with the right implementation, it also offers cloud based security and identity management a significant forward evolution that is very compelling and worthy of broad use and deeper integration (i.e. direct use of the algorithm rather than just encryption of regular passwords) into various web services.

SmartSignin takes security very seriously. With its patent pending Smart-key algorithm & carefully crafted key generation and management architecture, it leads the way and stands apart from all the players in the cloud.

Cloud Service Brokerage – The Missing Link for Government Cloud Adoption

By Ilyas Iyoob, PhD, Gravitant

Dr. Iyoob is presenting at our upcoming workshop: Building the Canadian G-Cloud.

This week’s top story in FEDConnects says that “General Dynamics Information Technology (GDIT) and NJVC are leading the way when it comes to helping agencies meet the Cloud First mandates” in the US.  Wait a minute…  didn’t the CATAAlliance just launch the G-Cloud First for Canada campaign a few days ago as well?

What if we leverage the success of GDIT and NJVC for successful G-Cloud First adoption in Canada?

Why Cloud Services Brokerage?

GDIT and NJVC are large Service Integrators for the US government.  Their experience with IT for the military as well as the intelligence community led them to believe that the agencies would have a tough time with Cloud First…  unless…  there’s a way for them to quickly and securely test cloud solutions in a controlled environment.

However, the agencies face a number of issues.  Here’s a short list of them:

  • There are so many certified providers out there.  How do we know which of them will truly satisfy our IT needs?
  • There is no standardization of terminology.  How do we know what to order from the provider?
  • Each provider has a different pricing model.  How do we compare offerings and providers side-by-side?
  • Each provider has a different process for provisioning.  How do we quickly provision resources?
  • The on-demand pricing model is very unpredictable.  How do we know what the actual bill would be?
  • There are many people in the organization with access to the resources.  How do we control this access?

As a result, Gartner identified this as the critical piece in making the cloud consumable and coined the term Cloud Service Brokerage (CSB).  It is the job of the CSB to answer these questions, and well established CSBs even have self service portals for their customers.

How will it work?

Consumers access the CSB portal and begin designing their architecture using virtual resources on a canvas.  Then, they compare the cost of this architecture across providers and select one or more providers.  A sample bill of materials is shown to the consumer, and once the consumer approves it, a push of a button is all it takes to automatically provision all the virtual resources across all the providers simultaneously.

Once the resources are provisioned, consumers have the ability to customize access to each resource.  Based on monitored utilization data, consumers are also given recommendations to reduce cost and continually operate in an optimal manner.

Has it been done before?

Gravitant’s CloudMatrix technology currently powers the Texas Cloud Services Portal for the Texas government.  Seeing this success, NJVC established a branded cloud portal using CloudMatrix as the underlying technology and GDIT followed soon after.  And within a year, both NJVC and GDIT have been branded as leaders in helping agencies meet the Cloud First mandate.

How does this apply to Canada?

Seeing as Canada is in the initial stages of G-Cloud First, it only makes sense to adopt cloud brokerage from the very beginning and propel Canada into the forefront of cloud adoption.

Let us assume that we have the following constraints:

  • all data and infrastructure should be housed within Canadian borders,
  • only Canadian cloud providers should be available to consumers, and
  • access to the brokerage portal should be controlled.

CSB technology such as CloudMatrix should integrate with Canadian cloud providers, aggregate managed services from 3rd party Canadian providers, and customize to Canadian cloud requirements.

In other words, Cloud Services Brokerage is the key to operationalizing G-Cloud First in Canada.

Here’s an example of a CSB portal for the government of Ontario.


For a more concrete discussion on CSB for Canada with lessons learned from the state of Texas, please join us on June 20th at the Toronto Business Development Center.  Register here

Is now the time to put backup data to the cloud?

All cloud requirements are not created equal

Today, cloud technologies mean a lot of different things to a lot of different people. One thing is for sure, the way one organization leverages a cloud technology is unique from others. As long as we’ve had a robust portfolio of cloud storage technologies, the natural decision exists to identify what data would be good for a storage cloud.

Public cloud storage is a great technology, in fact, it’s long overdue and we may be surprised that it has taken this long to arrive. Finding the use cases can be a challenge today and into the future. But cloud storage may have an option that seems too good to be true: offsite storage of backup data.

There are many indicators that cloud storage can be an excellent resource for backup data, the first of which is cost. Like storage solutions on-premise, there can always be a storage solution of lesser cost. The same goes for cloud storage, it seems there is a virtual race to free going on right now. Another indicator that cloud technologies are a good candidate for backup data is the simple fact that they are offsite. It sounds simple enough, but there are a lot of hurdles to moving data offsite for some organizations. The steadfast example here is tape, which oddly isn’t well revered yet is still widely used. One last indicator that backup data is a good candidate for a storage cloud is the fundamental unlimited amount of storage available. It’s very difficult to predict storage needs; so the growth capabilities of a public storage cloud can work in favor of uncertainty.

With any cloud decision (and storage decision for that matter), there need to be solid controls in place. The fundamental unit of control for cloud storage specific to backup data is encryption. Encryption can take on multiple forms for cloud storage. Transfers are usually encrypted via SSL or similar technologies, much like logging into a secure web site over the web; and for some situations that is where it stops. The sophisticated cloud storage solution will encrypt backup data before it leaves for the cloud (and the transfer itself is encrypted as well). That way, backup data landing on a public storage cloud can be encrypted in a process that is managed and controlled by the owner of that backup data.

Cloud Storage Conceptual View

No two clouds are the same; and the same goes for backup data profiles. Will cloud storage be a viable option for backup data? Will it serve the exclusive need for some, and for others possibly work in addition to other backup data techniques? Share your comments below.

Editor’s note: Rick Vanover works for Veeam Software, a client of Canada Cloud

The Evolution of Single Sign-on

Replacing mainframes with 21st century identity

By Paul Madsen, senior technical architect

The concept of single sign-on (SSO) is not a new one, and over the years it has successfully bridged the gap between security and productivity for organizations all over the globe.

Allowing users to authenticate once to gain access to enterprise applications improves access security and user productivity by reducing the need for passwords.

In the days of mainframes, SSO was used to help maintain productivity and security from inside the protection of firewalls. As organizations moved to custom-built authentication systems in the 1990’s, it became recognized as enterprise SSO (ESSO) and later evolved into browser-based plugin or web-proxy methods known as web access management (WAM). IT’s focus was on integrating applications exclusively within the network perimeter.

However, as enterprises shifted toward cloud-based services at the turn of the century and software-as-a-service (SaaS) applications became more prevalent, the domain-based SSO mechanisms began breaking. This shift created a new need for a secure connection to multiple applications outside of the enterprise perimeter and transformed the perception on SSO.

Large-scale Internet providers like Facebook and Google also created a need for consumer-facing SSO, which did not previously exist.

Prior to these social networks, SSO was used only within the enterprise and new technology was created to meet the demands of businesses as well as securely authenticate billions of Internet users.

There are many SSO options available today that fit all types of use cases for the enterprise, business and consumer, and they have been divided into three tiers, with Tier 1 SSO being the strongest and most advanced of the trio. Tier 1 SSO offers maximum security when moving to the cloud, the highest convenience to all parties, the highest reliability as browser and web applications go through revisions, and generally has the lowest total cost of ownership. Tier 2 SSO is the mid-level offering meant for enterprises with a cloud-second strategy. Tier 3 SSO offers the least amount of security and is generally used by small businesses moving to the cloud outside of high-security environments.

The defining aspect of Tier 1 SSO is that authentication is driven by standards-based token exchange while the user directories remain in place within the centrally administered domain as opposed to synchronized externally. Standards such as SAML (Security Assertion Markup Language), OpenID Connect and OAuth have allowed for this new class of SSO to emerge for the cloud generation. Standards are important because they provide a framework that promotes consistent authentication of identity by government agencies to ensure security.

These standards have become such a staple in the authentication industry that government agencies like the United States Federal CIO Council, NIST (National Institute of Standards and Technology) and Industry Canada have created programs to ensure these standards are viable, robust, reliable, sustainable and interoperable as documented.

The Federal CIO Council has created the Identity, Credential, and Access Management (ICAM) committee to define a process where the government profiles identity management standards to incorporate the government’s security and privacy requirements, to ensure secure and reliable processes.

The committee created the Federal Identity, Credential, and Access Management (FICAM) roadmap to provide agencies with architecture and implementation guidance that addresses security problems, concerns and best practices. Industry Canada’s Authentication Principles Working Group created the Principles for Electronic Authentication which was designed to function as benchmarks for the development, provision and use of authentication services in Canada.

As enterprises continue to adopt cloud-based technologies outside of their network perimeter, the need for reliable SSO solutions becomes more vital. Vendors that support these government-issued guidelines offer the strongest and most secure access management available today. Since the establishment of SSO, the technological capabilities have greatly advanced and SSO has been forced to evolve over the past few decades. First generation SSO solutions were not faced with Internet scale or exterior network access, whereas today’s SSO is up against many more obstacles.

As IT technology progresses in the future, SSO will have to grow with it and strengthen its security. For instance, while SSO is the expectation for web browser applications, the emergence of native applications (downloaded and installed onto mobile devices) has highlighted the necessity of a similar SSO experience for this class of applications. To address these new use cases, new standards (or profiles of existing standards) are emerging and initiatives like the Principles for Electronic Authentication will have to adapt accordingly in order to offer the best guidance possible.

Top 10 Cloud apps useful for SMB’s

As a small business owner, I adore using the Cloud. I’m constantly searching for the latest online widgets and SaaS apps that will help me manage and grow my business. “SaaS” or Software as a Service includes any application that is delivered as a service via a Web browser, from a public or a private cloud.

What are the benefits of SaaS? SaaS or Cloud apps are about cutting cost, easy deployment, improving business productivity and increasing revenue. Cloud apps can be accessed from anywhere using any device that can connect to the internet, including smartphones, and tablets.  Some other advantages include pay-as-you-go subscriptions, which typically include the app itself, tech support, and access to all upgrades.

Popular app categories with SMBs are e-mail, CRM, collaboration & project management, customer support, accounting/billing, and marketing automation. I personally get most of my app information from http://www.smallbiztechnology.com and Getapp.com. These great sites recommend SaaS applications specifically for SMB’s.

Allow me to share some of the free and paid SaaS webapps that I use in my business

1. E-mail service – email is the life-blood of a business. Without efficient and timely communication internally and externally, a business cannot function properly.

My choice is Google Apps Gmail. It is simple to integrate with all devices and is easy on the wallet at $5/user a month. Google Apps also allows you to access all other Google services including Google Drive, Google Analytics, YouTube, and Google+.

2. Online Document Storing, Managing and Sharing – Collaboration plays an important role in every business. This is especially true with telecommuting employees and globally distributed teams, suppliers, and customers needing to communicate and share notes, designs, and documents from different locations.

Google Docs & Mavenlink – Google Apps is the cheapest choice but it is very limited in function and I’ve noticed formatting is often lost in the conversion to/from MS Office. Mavenlink, on the other hand, is a very intuitive, easy-to-use app and it can be integrated with Google Apps if desired. Mavenlink not only includes project management and collaboration tools, but it also provides time and expense tracking. The only downside is that it costs $39/month for the basic package, and it can be expensive for some small businesses.

3. Payment gateway – A payment gateway is a crucial part of enabling Internet-based businesses to accept e-payments. Paypal is a good option for SMB’s as it is universally accepted around the world. But all client payment data & history reside with Paypal. I personally prefer Stripe. I highly recommend that SMB’s (that need to accept online credit card payments) utilize Stripe as it is very easy to use and very cost effective. The charges include a flat fee of 2.9 per cent, plus 30 cents per transaction.

4. VOIP and Video conferencing/Chat – Although Skype is one of the popular cloud-based companies offering free and paid Internet calling, I find that most of the time the video and sound quality is lacking. I recently came across Zoom.us and I found it offered a much better user experience than Skype. Zoom is very simple to use, offers high quality video conferencing, screen sharing through both PC browsers & iOS devices and allows up to 15 people to meet online for free.

5. Customer Feedback & Support – Customer feedback and support is necessary for a business as it provides insights into what your customers need and how best to improve your business.

We decided on UserVoice as it was easy to implement, very user friendly, and had great functionality. With UserVoice all you need to do is embed a widget on your website and then you can create a forum for your customers to submit their feedback and ideas. Customers can also vote on the best feedback/ideas submitted. They can create comment threads where they can discuss problems, develop ideas, and even share them. The prices range from free to $125/month.

6. Web Analytics – Today every business requires a company website to attract new customers and serve existing ones. Any business with an online presence should employ website analytics to track the numerous ways people use its website. Web analytics can help SMBs increase marketing efficiency by monitoring and analyzing the web traffic (where it’s coming from and why?) and the visitors’ behavior on the site (what users like and dislike about your site). The statistics help determine what aspects of the website are engaging and what changes need to be made to increase traffic flow and develop new customers.

Google Analytics is free and by far the most comprehensive and easy to use app to analyze website traffic and behavior. You can find data on visitors coming to your website, their location, the sites that referred them to your website, the search keyword they used, the pages on your website that have high traffic and low traffic, the bounce rate (percentage of visitors that leave your site without signing up) and the average time spent by the visitors on your site.

7.  Inbound marketing and automation – Inbound Marketing is a way to increase traffic through SEO and Social media vehicles by providing high quality and engaging content for your audience. The idea is that instead of looking for customers, your content and social media efforts should attract potential customers to your website.

Optify is an online suite that has helped us improve our inbound marketing by helping us choose the best keywords for SEO, which in turn has increased traffic and leads from organic search and social media. The app also helps manage, track and measure a company’s marketing efforts. Optify is very easy to use, and SMBs, with no dedicated staff for inbound marketing, can use Optify to track their SEO performance and leads. The customer support is excellent and the staff went out of their way to assist our team in getting a better handle on the Optify tools.

8. Email marketing – e-mail is one of the most important means of communication SMB’s can have with prospective clients, current customers and business partners. It is as important as social media marketing and is much more affordable than off-line marketing.

We decided to go with Mailchimp. The company offers a very user-friendly and easy to use application, with affordable plans, prices ranging from $9 to $250 per month. The best feature is that Mailchimp not only has ready-made email templates available but also allows the user to design email templates from scratch and integrate email marketing campaigns with social media. There are also very good tracking tools to manage email campaigns and monitor how many subscribers actually opened the email message.

9. Accounting  – We use Expensify (Google Apps) to track our expenses and we use Freshbooks to manage our invoicing.  We use Expensify because it is very easy to use and we can sync everything with Freshbooks. As an international company with clients all over the world we found Freshbooks had the best coverage.  Freshbooks is super simple to use and supports multiple currencies and geographical locales.  Freshbooks also has easy and secure back-up that encrypts the data.

10. CRM – There are now a good number of Salesforce alternatives out there from which to choose a solution to manage your relationship with your customers. We found it difficult to single out CRM solutions as there are so many. Because we use Google Apps Gmail for our email solution, we find Insight.ly (also Google Apps) irreplaceable for our CRM purposes as it can instantly provide us with a complete history of our communication with a customer, company or individual. Insight.ly is fully integrated with Google Apps’ full range of solutions, including Contacts, Google Docs, and Calendar. Insight.ly is a no-brainer if your company uses Google Apps.

That said, Insight.ly doesn’t provide all of the CRM features we desired (i.e., campaigns & progress reporting). As a result, we chose Campaigner CRM (formerly Landslide) to fill those gaps and more (e.g., Campaigner has iPhone, iPad, and Android support …Insight.ly does not). Campaigner provides all the CRM features we need at a significantly lower cost than Zoho.  Campaigner is incredibly easy to use, integrates with Google Apps and MS Outlook, and syncs with Quickbooks.  Using Campaigner CRM we were able to tie our entire workflow together in a cost-effective manner.

With so many useful Cloud apps there is of course the difficulty of remembering numerous ID’s and Passwords. For that there is SmartSignin, a simple and secure Single Sign-on app for your personal and business web accounts, ID’s and passwords! SmartSignin is a cloud-based Identity and Access Management (IAM) solution with Single Sign-On for browser-based and cloud applications. SmartSignin enables both businesses and professionals to manage their identities and access privileges in the cloud in a simple and secure manner. SmartSignin’s patented security was developed in conjunction with Ganita Labs, a cryptography lab at the University of Toronto, and it ensures there is no single point of failure in the application and only you have the keys to your online identity.

Reducing Risk with Encryption for Multi-Tenant Environments

Amazon Virtual Private Cloud diagram

One of the biggest hurdles to cloud adoption is undeniably security. In particular, public cloud services are often under scrutiny as to whether a multi-tenant environment is actually secure. Let’s face it, production virtualized environments are a newer trend, which means that security was never really an issue.

As more business critical resources become virtualized, there is an increasing need to ensure the right security controls are in place. Until recently, multi-tenant encryption solutions weren’t particularly effective. Key management was one of the main reasons for the avoidance, as the portability of VMs across multiple physical servers meant advanced encryption key requirements.

AFORE Solutions Inc., a Cloud Security and Solution Provider, recently announced the release of their CloudLink™ 2.0 with Secure Virtual Storage Appliance, the first solution that enables cloud-based DR solutions to meet key regulatory and compliance requirements. This appliance provides a storage repository that can be accessed by VMs hosted in the cloud. Most encryption is currently applied through storage gateway methods which means it is only encrypted as it is sent to the cloud. CloudLink™ Secure VSA encrypts and protects data at all times, which is particularly important in highly regulated industries. The keys are managed by the enterprise and encryption keys can be controlled through Active integration.

CloudLink™ Secure VSA has already proven itself in Amazon VPC™ (Virtual Private Cloud), VMware vCloud™ Director environments and CA AppLogic based clouds. The main reason for the success is that organizations want to take advantage of the many benefits of the cloud model. If a provider can offer compliant environments, there is an immediate advantage.

Disk encryption is one of the key security controls used in enterprises to reduce the threat of data loss. The same methodology applies to cloud environments where you need to reduce the risk of unauthorized access as much as possible. Having the ability to encrypt individual VMs means an additional (and significant) layer of security to help protect your business critical resources.

Why Cloud Providers Need to Change Their Approach to Cloud Services

Cloud Computing visual diagram (Photo credit: Wikipedia)

While cloud services aren’t exactly a new idea of service delivery for Canadian organizations, there is still much to be desired.

Right now we are seeing a strong offering of IaaS services, the odd SaaS (as in the case of big Blue and their Microsoft partnership) and managed (hosted) network services such as WAN optimization, virtual PBX and security.

The great thing about this is that we are seeing some traction in cloud providers in Canada to offer these types of services, but we’re not quite there yet.  The reason is that decision makers in the provider space are still trying to figure out the business case for cloud.

The biggest disconnect I am seeing is the failure to link all these disparate solutions together.  Right now most services are offered a la carte, from different corporate divisions (Security, UC, Network) and there is no alignment.  I would love to see a provider who is not afraid to start from scratch and realign services to vertical, but don’t expect it from the larger, slower moving providers.

Here is where the little providers have a chance.  By realigning services to vertical markets, you can build service portfolios that speak to these groups individually.  For example, if you decide that education is a good market, you can build services that address the unique needs of education (BYOD, content filtering, security/privacy) and offer a solution that provides all the components for them to outsource their IT services.  After all, what sense does it make to recreate the same thing in-house when you are under-funded, under-staffed and have better things to focus on?  As a provider, if you are able to say “We understand your market.  We know these privacy and compliance issues are critical, integration between systems (standardization) is a must and that you struggle to keep up with students thwarting your security controls.”  Why wouldn’t an education organization at least hear you out?  It not only saves them money, but saves them tons of hassle and headaches and they can offload everything knowing it makes them compliant to whatever controls they need to be compliant with.

Replicate this across other verticals using the same story and your value proposition has gone from “We sell everything to make you more productive/secure/innovative” to “here is what we do to secure educational organizations like yourself.” Who doesn’t want someone else to deal with vendors, figuring out the best solutions, and selling internally to make sure everyone is onboard to fund the project?

Relying on cloud providers to give them the right technology mix while taking advantage of an OPEX vs CAPEX situation means these organizations can actually focus on their core business instead of wasting time figuring out what everyone else is doing to stay ahead of technology changes.