Gripe #1: "Wait, this isn't really infinite, is it?"
One of the big draws of cloud computing is the ability to start small and then go big at a moment's notice. But this elasticity should not be mistaken for infinity.
"It seems infinite, but it absolutely is not infinite," says Imad Mouline, CTO of Gomez, the web performance division of Compuware. "In some circumstances, you may not be able to get the instance that you want, the data center or availability zone that you want, or the kind of instance that you want."
You may be exposed to operational risk if your business depends upon being able to provision any level of cloud resources at a moment's notice. "Are you willing to bet your business on it?" asks Mouline. "Or are you taking a chance that on the day that you need to ramp up that you'll have the capacity and that you'll get to it quickly, in hours instead of days?"
If several heavy users of cloud services simultaneously have the same idea to scale up, you may end up in the tech equivalent of a financial panic where everyone tries to withdraw money from a bank that holds inadequate reserves.
Gripe #2: "It's too slow!"
Your computing resources are only as fast as the slowest link of the information supply chain, and if your slowest link is an underpowered cloud computing provider, you may have grounds for a gripe.
"We've won customers that way," says Jonathan Hoppe, president and CTO of Cloud Leverage, a provider of cloud performance solutions.
"Say you've got a website that's going to pull images from cloud storage," Hoppe says. "You want that connection to be very fast, and you also need both to be very fast when delivering to the end users."
Perform some simple performance tests before you start doing business with a cloud provider, and make sure you understand the quality of service and performance guarantees in the service level agreements. "You can tell a lot by looking at the SLAs," Hoppe says. "If they're pretty aggressive, they have a lot of confidence in their infrastructure."
And just because you're using an Amazon- or Google-branded cloud doesn't mean that your website will have the same performance as Amazon or Google. Web performance stems from several factors, including overall web traffic, the location of the data centers to which you've been assigned, and even the behavior of other applications in that same data center. "You can't sandbox everything, and someone else's application may impact the performance of yours," observes Mouline from Gomez. "Performance is all over the place."
You can find Gomez's top-level performance results for major public cloud providers at CloudSleuth.net.
Gripe #3: "I can do this cheaper in-house."
The benefits of cloud computing don't necessarily scale up. "If you have a large enough organization, the subscription model tends to lose some of its clear cost benefit," says Mike Pearl, principal in PricewaterhouseCoopers' Advisory practice and Leader of PwC's digital transformation and cloud computing initiatives. "Turning potentially thousands of employees loose onto the cloud introduces variability into costs [relative to fixed budgets]."
Chris Weitz, director of Deloitte Consulting, also observes diseconomies of scale at the high end. "For some of the larger enterprise clients of ours, who are able to scale relatively high and have good volumes and get good discounts from vendors, they're finding that it's not particularly advantageous from a cost perspective to go to a public cloud infrastructure, particularly as it relates to storage or other services that are relatively commoditized," Weitz says.
Nor is capacity management necessarily a strong selling point, as large enterprises tend to have a good handle on their demand curve for IT services. "They tend to not be exposed too much to the spikes of usage that a smaller company would have," notes Weitz.
Instead, flexibility is the area where the largest enterprises find the greatest benefit in the cloud. "It's the opposite of a startup situation, which has spiky usage patterns but can provision quickly," observes Weitz. "Big companies have smooth usage patterns but are slow to provision new resources."
Gripe #4: "I don't have enough control."
With internally managed and collocated facilities, IT professionals can precisely match the availability and uptime needs of the enterprise using dedicated equipment, selecting the most appropriate power supplies, cooling equipment, and server hardware.
That's not so easy to manage in the cloud. "When someone puts their data and applications in the cloud, it's almost impossible for them to know what specific hardware they're on, where their data resides, where their power is coming from, or if there's adequate cooling," says Charles O'Donnell, VP of AC power engineering for Emerson Network Power.
If you want to maintain maximum control, you may end up doing it in-house. "We have one very large customer that keeps revenue-generating applications on an enterprise farm, Tier 4 facility, and keeps their e-mail and product development at a Tier 2 facility," says O'Donnell. "If e-mail goes out for a little while, it's not a disaster. It costs them time and money but it's nothing like what happens if their enterprise facility were to go down."
"If I had a mission-critical application, where if it goes out I start losing current or future revenue, that's something I want to have complete control over myself," remarks O'Donnell.
Gripe #5: "We've got clouds popping up all over the enterprise."
Allowing unfettered, enterprise-wide access to cloud resources poses significant business risks, observes Philip Lieberman, founder and CEO of privileged identity management provider Lieberman Software.
"Business users see the cloud as a way of saving money without understanding the security, audit, or regulatory implications," he says. "Cloud is being brought in through the back door, and when auditors discover what's been done, they need to make a judgment as to what the exposure is."
Often, the risks aren't worth the ostensible cost savings from the cloud providers. "It's their business to give you compute power at a low cost," Lieberman adds. "They're not in the security business."
Enterprise IT departments are advised to reclaim the relationship between business units and external providers. "As you begin to look at cloud computing at the enterprise level, you need to first go throughout the business units to clean out the early adopters," says PwC's Pearl. "Bring those that jumped out in front into your overall enterprise strategy."
Gripe #6: "Without standards, I'm locked into my cloud vendor."
Portability has become the biggest gripe in cloud computing at the enterprise level, according to Edward Newman, global practice director of private cloud services at EMC. "It's not as if you can burst a workload out to Amazon today and then burst it out to Rackspace or Terremark tomorrow," he says. "The standards haven't yet been adopted that allow for easy movement of workloads and data to multiple cloud vendors."
Portability in the cloud would have to encompass a complicated set of policies and business requirements with regard to IT policies, regulatory compliance, and information security practices, which makes for a particularly challenging set of standards.
"You need the ability to migrate data from one cloud service provider to another, and there are cloud interoperability scenarios that need to be addressed as well," notes Matt Edwards, director of the cloud services initiative at TM Forum, a communications industry association. "There are multiple things that need to be addressed to avoid vendor lock-in and to remove the barriers for the adoption of cloud services."
Although the issues are widely recognized, consensus on the best solution is harder to reach. "New standards organizations for cloud crop up every day," says Edwards.
For its part, TM Forum has formed the Enterprise Cloud Leadership Council, with members from the banking, pharmaceutical, energy, healthcare, manufacturing, automotive, aerospace, government, and communications sectors. "While there are specific business requirements in each industry, there's no need to reinvent the wheel for every vertical," says Edwards. "The key is to have a coordinated approach, and to make sure that the actual business requirements of enterprise consumers are being addressed."
Gripe #7: "My cloud's in the way of my M&A."
Before entering into an outsourcing arrangement, consider the likelihood that your organization will be involved in an acquisition or divestiture, suggests Daren Orzechowski, New York-based partner in White & Case's intellectual property practice. "One of the most important provisions in outsourcing for cloud is to have certain divestiture and acquisition support provisions," Orzechowski says.
Essentially, it's a matter of ensuring that you can scale up or down no matter the direction your business takes you. If you acquire a company, you'll want to support it with the same or better terms for enterprise cloud resources. Similarly, if you sell off a part of your company, ensure that both buyer and seller won't be held hostage by rate hikes after the deal closes.
"Make sure you'll get the assistance you need from your vendor, and that the terms of how that will work are fixed at the beginning of the relationship, when you have more leverage," says Orzechowski. "Like any commercial relationship, if you've signed the original big contract and you're in, and then you need help down the road, your leverage isn't as good."
Gripe #8: "I'm relying on reputation as a security policy."
High-profile technology providers face enormous scrutiny from customers and investors, with reputational risk involved with even the smallest lapses in availability and security. Accordingly, cloud providers have the incentive and wherewithal to retain teams of dedicated security experts capable of coping with a wide range of fast-moving threats. All things considered, public cloud providers may be better than you at information security.
Smaller, non-IT-focused enterprises find it harder to locate, hire, and retain top information security talent, and it's not uncommon in business to see small, overworked IT departments where the responsibility for security is diffused and even a few steps behind.
But just because the largest cloud vendors employ the smartest guys in the room doesn't automatically mean that they should have oversight of your enterprise data.
Before entrusting enterprise data to a cloud provider, do your homework. "Go to their website and read the discussion boards and blogs. Go to the analysts. Go to the regulations in your industry," advises Mohammad Zaman, head of global solutions at Logicworks, a low-latency hosting provider in New York. "There are many different ways to find the right cloud service provider from a security perspective."
Or, simply follow the herd. "Everybody publishes customer references on their website," Zaman says. "How do you match up against them?"
Unfortunately, it's all too common that these reputation-based approaches to due diligence represent the extent of information that's available from cloud vendors for purchasing decisions.
It's a "buyer beware," remarks Zaman.
Gripe #9: "Good enough for government work? Nope."
You won't find more security-conscious users than in government, and it may take a while before they go into the cloud. "Until someone says that they can meet the NIST criteria for cloud security, I don't see many government customers trusting their applications and data to the cloud infrastructure," says Jim Sweeney, principal solutions consultant for GTSI, a government solutions provider.
Security concerns include the integrity of data, protections in a multi-tenant environment, management of loading and offloading of data, and the trustworthiness of vendor employees, along with questions about the financial stability of vendors.
But it's not just information security that's holding up adoption. "People are using security as an excuse to not move to the cloud in order to protect their jobs," Sweeney says. The typical game plan: "I'm going to have my own internal cloud for my customers."
That's not much of an improvement over existing infrastructure, Sweeney counters. "Why move to a cloud at all?" he asks.
An alternative model places the most technologically savvy agencies as operators of cloud-based services and infrastructures on behalf of other agencies. Leading the way in this regard is the Defense Information Systems Agency (DISA), an arm of the Department of Defense that provides computing infrastructure and services to the military.
At the InformationWeek Government IT Leadership Forum in June, DISA's CIO Henry Sienkiewicz announced plans to deliver storage and office productivity applications through DISA's private cloud, which could potentially be extended elsewhere within government.
Gripe #10: "Cloud computing is going to put me out of a job."
For the people responsible for maintaining enterprise hardware, the cloud can appear to have the guise of a deadly fog. Should IT professionals fear the cloud?
"If your dream is to build servers and to be on call 24x7 when routers or servers go down, maybe you should be afraid," says Stephen J. Roux, founder and president of Farmington, Conn.-based solution architect Innovative Computer Systems. "But if your goal is to see your company grow and become more agile, they still need someone to show them how to make the whole thing work.
"Rather than turning a wrench, sit down and have strategic conversations with the business," adds Roux. "Instead of provisioning servers and data centers, help the business get the most out of their applications."
As reported by Ivan Schneider, Information Week
Trend Micro™ HouseCall is an application for checking whether your computer has been infected by viruses, spyware, or other malware. HouseCall performs additional security checks to identify and fix vulnerabilities to prevent reinfection.
To download this free application, go to:
http://housecall.trendmicro.com/ and download the application yourself to check your PC for viruses.
Too busy or don't know how? Contact email@example.com and we can perform the scan for you.
Computerworld - Microsoft today said it will issue an emergency patch for the critical Windows shortcut bug on Monday, Aug. 2.
The company said that it is satisfied with the quality of the "out-of-band" update -- Microsoft's term for a patch that falls outside the usual monthly delivery schedule -- but also acknowledged that it has tracked an upswing in attacks.
"In the past few days, we've seen an increase in attempts to exploit the vulnerability," Christopher Budd, a spokesman for the Microsoft Security Response Center, said in an entry on the team's blog. "We firmly believe that releasing the update out of band is the best thing to do to help protect our customers."
Budd said that Microsoft would release the patch on Monday at approximately 1 p.m. Eastern.
Two weeks ago, Microsoft confirmed a flaw in how Windows parses shortcut files, the small files displayed by icons on the desktop, on the toolbar and in the Start menu that launch applications and documents when clicked. By crafting malicious shortcuts, hackers could automatically execute malware whenever a user viewed the shortcut or the contents of a folder containing the malevolent shortcut.
The bug was first described in mid-June by VirusBlokAda, a little-known security firm based in Belarus, but attracted widespread attention only after security blogger Brian Krebs reported on it July 15. A day later, Microsoft admitted that attackers were already exploiting the flaw using the "Stuxnet" worm, which targets Windows PCs that manage large-scale industrial-control systems in manufacturing and utility firms.
Exploit code has been widely distributed on the Internet, and Microsoft and others have spotted several attack campaigns based on the bug.
One of those campaigns apparently tipped the scales toward an early patch.
The Microsoft group responsible for crafting malware signatures to defend customers using the company's antivirus products, including the free Security Essentials software, said that an especially nasty malware family had added exploits of the unpatched shortcut flaw to its arsenal.
"Sality is a highly virulent strain ... known to infect other files, making full removal after infection challenging, copy itself to removable media, disable security, and then download other malware," wrote Holly Stewart of the Microsoft Malware Protection Center, on the group's blog Friday. "It is also a very large family -- one of the most prevalent families this year."
Sality's inclusion of the shortcut exploit quickly drove up the number of PCs that have faced attack. "After the inclusion of the [shortcut] vector, the numbers of machines seeing attack attempts combining malicious [shortcuts] and Sality.AT soon surpassed the numbers we saw with Stuxnet," said Stewart.
"We know that it is only a matter of time before more families pick up the technique," she added.
Other security researchers had spotted Sality exploiting the shortcut bug earlier this week. On Tuesday, Trend Micro reported that the shortcut vector was being used not only by Sality, but also by other malware clans, such as the Zeus botnet-building Trojan.
Last week, security researchers had argued over Microsoft's ability to quickly patch the vulnerability, with HD Moore, chief security officer of Rapid7 and the creator of the well-known Metasploit hacking tool kit, betting that Microsoft would fix the flaw within two weeks. Moore's prediction was nearly on the dot.
All versions of Windows contain the shortcut vulnerability, including the preview of Windows 7 Service Pack 1 and the recently retired-from-support Windows XP SP2 and Windows 2000.
Fantastic white paper from InformationWeek Analytics for every small to medium sized business.
Learn how to lay out a plan to help companies protect their assets without spending a fortune.
It's a nightmare scenario every business fears.
Your tech department has spotted suspicious activity on the company network. Your customers and employees are getting hit with credit-card fraud and identity theft. MasterCard Inc. is on line one.
The panic sets in: Your company has been hacked!
So, what do you do?
Read the full story here.