Cloud computing is here to stay.
According to the latest CIF survey,
some 78 per cent of UK
organisations are now using at least one form
of cloud service and, perhaps more
remarkably, 11 per cent of British businesses
are now using four or more services. That’s
definitely a sign that it’s no longer a few test
sites that are being deployed.
The trend is ever upwards: this is the fifth
year of the survey and, since the first one in
2010, the growth has been 61.5 per cent: a
healthy growth indeed. That’s not to say that
cloud is taking over these organisations: the
CIF survey found that 85 per cent of
organisations still operate on-premise
datacentres, so most firms are looking for a
way for the systems to co-exist – the hybrid
model of IT.
There’s a structure to CIOs’ choice with
certain services becoming an obvious fit for
cloud: web hosting, email, CRM, data
back-up and disaster recovery are prime
choices. Anything that involves any
confidential client data tends to be kept well
away.
That reflects a seeming paradox among
companies. Yes, there is greater acceptance
of the cloud and more businesses want to use
it, but such attitude goes hand-in-hand with
How to get the most out of
different cloud models
Public, private and hybrid cloud all have their own security challenges. What are
the options for the CIO?
If you want total data security,
you can put all your data on a drive,
lock it in a safe and drop it at the bottom
of the sea.
CLOUD SECURITY
www.cloudindustryforum.org
About the Cloud Industry Forum
The Cloud Industry Forum (CIF) was established in
2009 to provide transparency through certification
to a Code of Practice for credible online service
providers and to assist end users in determining
core information necessary to enable them to adopt
these services.
CIF’s Goals:
• Help end users make informed business
decisions about the adoption of cloud services
and the governance of hybrid IT environments
• Provide vendor independent market research
and outlook of cloud adoption trends,
opportunities and inhibitors to offer qualitative
guidance to businesses
• Raise industry standards and bring greater
transparency and trust to doing business in the
cloud with its Code of Practice for Cloud Service
Providers
• Champion and advocate the adoption of cloud
services by businesses and individuals
• For more information, visit: http://www.cloudindustryforum.org
CONTENTS
Introduction 4
A foreword by Maxwell Cooter, founding and contributing editor,
Cloud Pro
Cloud and data governance 5
Is data governance a legal or technical problem? What should cloud
customers be thinking about when they make the move?
Hybrid, private or public: Which way to go? 12
There’s plenty of choice when bringing cloud on board, but which is
the best option for you?
Cloud in regulated industries 19
Certain companies have a real problem with cloud when trying to
keep up with regulatory demands. Are there ways around this?
Drawing up a security policy 27
Moving to the cloud should mean a brand new security policy as the
old one won’t do. What should be included and removed?
Keeping customer data safe 29
Customer data has become gold dust to organisations. How can
these assets be protected?
Mobile and flexible working 31
BYOD is the name of the game, but what challenges does this route
bring to a company?
Current legal situation state of play 36
We speak to Conor Ward, consultant with international law firm
Hogan Lovells and CIF Legal Forum chair, about the issues as they
stand now.
The European legal framework 38
A new EU Regulation is set to change the way data is protected: what
does this mean for companies and their customers?
There used to be a clear split between
your technology at home and your
technology at work. In the office,
you had access to a powerful desktop,
wide-reaching business software and fast
connections while, at home, you had some
simple programs running on a cheap PC
using a dial-up modem.
That’s the way that things were because
there was no need for it to be otherwise. The
notion that home technology was more
powerful than commercial offerings would
have been deemed nonsense. In the last
decade, however, all that has changed. There
wasn’t a single revolution that changed this
but many smaller steps: the provision of
broadband to homes (especially when
accompanied by an upgrade to fibre); the
development of the smartphone market and,
connected to this, the decision by Apple to
see mobile phones as a means of
disseminating applications. Put that all
together and you have the perfect storm for a
revolution in how devices are viewed and
used.
There’s been an about-turn though as the
sexy devices are now in employees’ pockets
and not on their desktops. What has this
meant for the CIO? The former gatekeeper
for company technology is now relegated to a
bit-part role as companies look to adopt
bring your own device (BYOD) strategies.
This change has massive implications for
the way that a business operates, with CIOs
having to completely rethink all aspects of
their IT infrastructure.
BYOD vs cloud
One of the first things to look at is whether a
move to BYOD means a move to cloud. In
some ways, says Richard Archdeacon from
HP Enterprise Services’ CTO office and IS
strategy, there are similarities. “Look at the drivers for the move to cloud,” he says. “It’s driven by a need for greater flexibility and better management.” He says that BYOD has brought a similar level of flexibility to the part.
The 451 Group security analyst Javvad
Malik also sees advantages of moving to the
cloud. “Cloud providers are often in ideal
positions to offer BYOD-specific features,
and many have. Though a large market exists
as ‘middlemen’ to provide BYOD features
in what I like to call ‘missing feature’
Does BYOD mean
bring your own disaster?
BYOD could be a recipe for disaster as the IT department relaxes control, but it
doesn’t need to be a big problem…
CLOUD SECURITY www.cloudindustryforum.org
WINTER 2014
CLOUD FOR BUSINESS
Where are we now with cloud data governance and where are we headed?
WHY SECURITY IS NO LONGER A DIRTY WORD
HP is on a multi-year
journey to turn HP around,
and has put in place a plan to
restore the company to
growth. It knows where it
needs to go, and is making
progress. It continues to drive
product innovation in its core
markets, with a focus on cloud,
security, and big data.
HP sees big opportunities
ahead, and is well positioned
to take advantage of these
opportunities with its
remarkable set of assets and
strengths. It has the people,
the plan, and the foundation
in place to help it succeed on
the next phase of the journey.
HP Helion Cloud helps
you transform your
enterprise with the most
comprehensive cloud
computing solutions in the
industry.
Cloud is not a destination,
it is part of the journey to the
New Style of IT. For more
information, visit: www.hp.com/uk/helion
About our sponsors
Concorde’s breadth and depth
of industry knowledge is
recognised by top software
vendors such as Adobe, IBM,
Microsoft, Oracle, and
Symantec. Its knowledge
extends from the desktop and
datacentre to complex
multi-vendor environments. It
has experience and references
across a variety of market
sectors and industries, and
clients include members of the
Global Fortune 1,000 as well as
investment banks, mid-
market companies, public
sector organisations and
charities.
Concorde’s specialists
bring with them many years
of licensing and software
expertise, from their
experience within end-user
organisations, the software
industry, or from running
SAM teams themselves.
With the emphasis on
creating sustainable solutions
rather than one-off
engagements, Concorde has
helped customers save and
mitigate over £50 million in
the last four years by
providing the tools, processes
and knowledge to better
manage their software.
Concorde does not re-sell
software or licensing, and its
reputation is one of complete
vendor-independence. It can
therefore offer impartial advice
and support and truly
represent the best interests of
clients. Concorde’s practices
are aligned with the IT
Infrastructure Library (ITIL)
SAM best practice and ISO
Standard 19770-1 for SAM.
At the heart of its solution is
Core Control, a platform for
presenting critical business
intelligence from across your
entire (global) software estate,
enabling powerful analytics, scenario modeling and decision-making support. For more information, visit: www.concordeuk.com
Databarracks provides the
most secure and supported
cloud services in the UK.
In 2003, it launched one
of the world’s first true
managed backup services to
bring indestructible resilience
to mission-critical data.
Since then, it has
developed a suite of services
built with superior
technology, support and
security at their core.
Today, it delivers
Infrastructure as a Service,
Disaster Recovery as a
Service and Backup as a
Service from some of the
most secure datacentres in
the world, 30 metres below
ground in ex-military
nuclear bunkers.
The company backs this
up with unbeatable support
from a team of handpicked
experts. There’s no such
thing as ‘above and beyond’
for the firm’s engineers
because they only work to
one standard: to keep your
systems running perfectly.
Databarracks is certified
by the Cloud Industry
Forum, ISO 27001 certified
for Information Security and
has been selected as a
provider for the G-Cloud
framework.
For more information, visit:
www.databarracks.com
Ingram Micro Cloud is a
master cloud service
provider (mCSP), offering
channel partners and
professionals access to a
global marketplace,
expertise, solutions and
enablement programs that
empower organisations to
configure, provision and
manage cloud
technologies with
confidence and ease.
Ingram Micro Cloud is
part of Ingram Micro,
which helps businesses
Realise the Promise of
Technology. It delivers a
full spectrum of global
technology and supply
chain services to
businesses around the
world.
Deep expertise in
technology solutions,
mobility, cloud, and
supply chain solutions
enables its business
partners to operate
efficiently and successfully
in the markets they serve.
Unrivaled agility,
deep market insights and
the trust and dependability
that come from decades
of proven relationships
set Ingram Micro Cloud
apart and ahead.
Discover how Ingram
Micro Cloud can help you
Realise the Promise of
Technology.
For more information
on Ingram Micro Cloud,
please visit: www.ingrammicrocloud.com
Security is often held up as one of
the main concerns for not going
down the cloud route: it seems to set
off all manner of nervous reactions in even
the most sensible of organisations.
In some ways this is a natural reaction.
After all, by definition, cloud means
losing some sort of control. But security is
too much of a catch-all term: what does it
actually mean? Do we mean perimeter security (something that becomes harder in an era of flexible and remote working)? Do we mean device security (something that’s harder in the age of BYOD)? Do we mean data governance (a serious issue, but are we talking legal concerns or technical ones)?
In the midst of all this confusion, there’s
also a greater drive towards letting lines of
business choose software and run services
themselves. But can we really trust non-IT
people with data security?
There are so many questions to ask and
that’s before we decide whether we’re
talking about threats from cyber criminals
or the rather more commonplace array of
spam or bloatware.
This special report, produced by the
experts at Cloud Pro in association with
The Cloud Industry Forum (CIF), aims to
explore the key issues. We will examine the
techniques that some CIOs can employ to
ensure cloud implementations are running
smoothly and with little risk. We believe
that cloud in itself can be a secure option
and that if you choose the right provider,
it can be even more secure than what’s
possible on-premise.
The interesting challenge for CIOs is to
make their systems more secure at a time of
greater openness. The prevailing philosophy
is towards more sharing and greater
collaboration, but the demand for cloud
security could make actioning that more
difficult. However, there are ways to ensure
that the modern company can be more open
and accessible while still ensuring secure
access – the ideal approach for all
organisations.
Cloud is here to stay and more businesses
are going down that route. The key, then, is
to try to stay secure while doing so.
We hope this report provides plenty
of food for thought.
Introduction
Welcome!
Editor, Cloud Pro
For further information please visit www.cloudpro.co.uk
The arrival of cloud has shaken up
many IT departments and long-held
ways of doing business have been
shoved aside. For example, the idea that
business expansion could only occur by
provisioning new servers has all but
disappeared. Even more radically, the notion
that IT departments are solely in charge of
buying software has also stepped to one side.
Indeed, business departments are assessing and
even purchasing applications, and that’s a
situation that is not going away any time soon.
Cloud touches every aspect of a business.
This can be demonstrated by the way that it
impacts on data governance. The arrival of a
cloud provider changes everything. If you
look at the definition of data governance
from the Data Governance Institute (DGI),
you can see where some of the sticking
points are: “Data Governance is a system of
decision rights and accountabilities for
information-related processes, executed
according to agreed-upon models which
describe who can take what actions with
what information, and when, under what
circumstances, using what methods.”
There are some obvious hot points here:
“accountabilities” and “who can take what
actions” are areas where meanings can be
interpreted very differently.
Data governance in the cloud
Moving to the cloud has plenty of implications for the way that data governance is
handled within organisations. How should firms approach this?
Business issue
According to HP fellow Mateen Greenway,
there’s a more fundamental problem. It’s one
that’s to do with the way that CIOs operate.
“Data governance is a big problem for CIOs,
particularly people who have been a long
time in the industry, ones who started off as
more akin to CTOs looking after hardware
and wires. They don’t really understand the
business issues,” he says.
In this world where lines of business have
a big impact on the way that software is
chosen, this can really matter. CIO thinking
has to change, according to Greenway.
“They’re still thinking in bits. They need to
start thinking at the opposite end. ‘Who are
the people who want this information and
who gets value from it?’. Data governance
becomes how to meet that need too,” he
adds. “CIOs are used to worrying about the
storage of data, now it needs to be about
getting that data to the right people.”
There’s also the concern about what else
happens to that data. Individuals have been
considerably more agitated about threats to
data security and privacy since the
revelations by Edward Snowden that NSA
agents were looking into Europeans’ data.
The news made many businesses extremely
jumpy about putting their data (or customer
data) in multi-tenanted cloud providers.
According to Clive Longbottom, founder
of analyst firm Quocirca, companies are
certainly questioning who’s looking at their
data – whether that be the NSA, GCHQ or
whoever – but he says that much of this is
overstated. “For the average company, there’s
going to be little interest from the security
forces. It’s only in industries like defence,
petrochemical or aerospace that they’re going
to be interested,” he says. “Your main worry
is going to be the black hats, who certainly
will be interested in things of financial value
that you have.”
Trust
Trust is at the heart of the problem when it
comes to moving to cloud. Do you trust your
provider? It’s a problem that’s particularly
acute for small businesses, as they may not
have security resources on hand in-house.
According to a recent survey from the
University of Bournemouth, just over half
(54.6 per cent) of small businesses cited data
protection and privacy as the main reasons
for shying away from cloud services. The
ironic thing is that it is precisely these
companies who would most benefit from the
cloud – it’s a way to bring enterprise-class
security to SMBs.
Some SMBs are worried that cloud
service providers will not bring industry best
practice to the table. There are also concerns
that companies will not know where their
data is being held. Any company that has
dealings internationally or sends data across
borders has such worries. All cloud users
need to have an idea of national laws and
regulations from the outset.
CIOs should start off by asking cloud
providers some basic questions, advises
Longbottom. “For a start, you should ask
whether their datacentres are ISO 27001
compliant and then you should be asking
them how they deal with data sovereignty:
you want them to say where the data is,”
he says.
Some of the low-cost providers may try to
blur the issue of where data is being held by
using content delivery networks (CDNs) or
wide area data accelerators but, as
Longbottom explains, this is little comfort
to customers. “The best service providers
don’t do this – the low cost do and will shift
everything to Akamai or Limelight. You
have to understand that you’ll have to pay to
get the best solution,” he adds.
HP’s Greenway concurs, saying: “Cloud
covers a multitude of sins and you have to
realise that not all cloud providers are the
same: some clouds have high SLAs, some
have none. You can only select the right tool
if you understand the needs. For example,
you wouldn’t treat a Porsche and a truck the same. The Porsche has a lot going for it, but you can’t deliver a piano with a Porsche.”
If a company has a data governance professional, it’s key that they are involved in the decision to move to the cloud from the outset.
Only a data governance professional can
address all the regulatory concerns: CIOs
don’t have that expertise or that level of
experience.
So, what should a CIO be doing? They
need to make sure they address all these
concerns up front, then work out what data
could be stored in the cloud. Active customer
data must be treated very differently from
archived data, for example. Policies should
be defined and then also strictly adhered to.
Longbottom advises a slightly different order to proceedings, adding: “The first thing a CIO should be doing is taking a look at the existing internal infrastructure, as it’s probably pretty bad. You can’t look to external suppliers if your internal structure is a mess.”
There’s an old adage that one shouldn’t outsource chaos because the end result will be chaos. It’s a similar story with
data governance. Cloud won’t solve a
problem if you haven’t got the principles
right in the first place.
DATA GOVERNANCE INSTITUTE GOALS FOR A DATA GOVERNANCE PROGRAMME
• Enable much more effective decision-making within firms
• Reduce operational friction
• Protect needs of data stakeholders
• Train management and staff to adopt common approaches to data issues
• Build standard, repeatable processes
• Reduce costs and increase effectiveness through coordination of efforts
• Ensure transparent processes
www.concordesolutions.com
Software Clarity and Control
in a changing world
Core Control simplifying
software asset management
• Using data from any source
• Automated Vendor Logic and
Licensing rules for all major Vendors
• Easy to use - complete SAM
functionality
• What-if Scenario Modeling
• Trend analysis and variance alerting
Concorde’s flexible service and
support empowers organisations to
embrace new technology and drive
value from their IT investment.
Call today to see how Concorde can
help you deliver clarity and control
to your Hybrid IT Environment.
Enabling complex
global organisations to:
• Control Contracts
• Reduce Cost
• Plan for the future based
on fact
• Measure vendor
performance
Our services provide:
• Independent knowledge
and expertise
• On demand or as a
service support
• Pre-audit assessment support
• Compliance reporting
+44 (0)1491 870 250
Concorde delivers best practice
SAM platform and services for
complex hybrid IT environments
Concorde QA
How is cloud computing changing
software asset management?
The difference with cloud
computing when it comes to license
management is that your software
is now being delivered as a service.
Updates and security patches are
instant and can happen undetected,
with your software estate
constantly changing.
This is presenting a visibility
challenge for businesses, especially
in enterprises that often deal with
the management of much bigger
and much more complex
infrastructure.
Trends like BYOD are also further
complicating this; with employers
also having to take licences
employees have downloaded onto
mobile devices into consideration.
How have vendors changed their
approach to software licensing in
light of the emergence of cloud?
In many cases, vendors are taking
the perceived weakness of end-
users, which is their lack of
software licensing visibility, and
turning it into their strength, by
treating it as a revenue generating
opportunity.
While the typical vendor audit
selection process was usually at
random and every few years, audits
are becoming more frequent and
many high profile vendors now
have special software compliance
teams in place to specifically target
organisations that may be under-
licensed.
Vendors have a lot to gain from
this process. Take, for example, the
recent situation with CommVault
where it revealed that it had only
met its revenue growth target
because of its recognition of deferred
licensing revenue.
In some cases, vendors are
making strides to cut down the
complexity of licensing brought on
by cloud by changing the licensing
structure. One example is Microsoft,
who recently implemented Server
and Cloud Enrolment (SCE), a
licensing model that enables
customers to standardise on several
Microsoft Server and Cloud
technologies.
Martin Prendergast,
CEO and co-founder,
Concorde
We speak to Martin Prendergast, CEO and co-founder of Concorde, about the
changing nature of software asset management and the role cloud plays here
Profile
Martin brings 10 years-plus of domain and industry
experience to Concorde. He has held senior management
roles at Unitrans and Morse and a number of operational
roles at Peregrine Systems. Martin has worked with a large
number of companies around the world and has helped
architect, sell and deliver solutions for market leaders such
as Computacenter, CSC, EDS and HP. He also sits on the
Governance Board of the Cloud Industry Forum and, prior
to moving into business, served as an army officer.
How should end-users now be
handling their software licensing?
Many enterprises are changing the
way they look at software asset
management to adapt to the
changes happening in the industry,
and this is through the
consideration of software value
management (SVM). It’s not about
simply counting licences anymore.
Instead, the focus should be on
obtaining and maintaining
visibility of your entire software
estate at all times.
Governance is an ongoing
effort rather than a tick box
exercise and many organisations
are seeing the benefits of using
real-time business intelligence to
help facilitate this. Scenario
modelling and comparing historic
estate software values is a good way
to keep track of software licensing
as it continues to change.
Furthermore, keeping track of
software on mobile devices and
having usage policies in place
will help provide a clearer picture
to help avoid compliance risk.
What should end-users
specifically pay attention to in
their cloud contracts to keep on
top of SVM?
Audit and maintenance clauses
are the main ones here. If you have
an in-house IT team, you may be
paying for a service that isn’t
needed, so it’s a good idea to check
in order to skim off additional
(unnecessary) costs.
When it comes to audit clauses,
make sure that you understand
your contractual obligations and
have a clear understanding of what
information you will need
to provide in the event of a
licence audit.
The majority (94 per cent) of
vendors have audit clauses in their
contracts, and the notice period for
an audit can range from a few
weeks to a few days, so it’s important
to be aware of exactly what
information needs to be provided
before it happens.
What changes should we expect for
the IT department in the coming
months?
The role of the IT department has
changed dramatically with the
emergence of cloud computing.
We’ll soon see more organisations
take action to get to grips with the
complexity in order to gain
complete visibility of their estate.
Some companies have already
taken steps by using business
intelligence tools to achieve this
and we’re likely to see more IT
departments making use of these
to be in a better position to
negotiate pricing with vendors
and avoid being fined for non-
compliance.
Transparency, compliance and
governance will be key
considerations for software asset
managers especially, as the risk of
audits and, equally, paying over the
odds for software licensing
continues to grow.
Concorde
Contact us today on
+44 (0)1491 870 250
or assist@concordesoftware.com
www.concordesolutions.com
Understanding
what software a
business is using
has never been a
straightforward task.
Concorde delivers intelligent solutions
for managing software assets across
the hybrid IT infrastructure, enabling
end-users across a range of sectors to
take control of their software estates,
by optimising IT investment through
measuring, planning, and implementing
change. For one enterprise client in the
manufacturing sector, the increased need
for license and software transparency
was becoming a key priority that could no
longer be ignored.
Working alongside the client’s software
asset management team, Concorde’s
licencing and technology experts gathered
data from across the IT landscape,
hardware information, software usage
data, contracts and entitlement. By
increasing the range and type of data
– ADDM, SCCM, LANDesk and existing
discovery tools – the team could start
to identify how the organisation’s IT
functioned.
Using Concorde’s Core Control Software
Asset Management (SAM) solution, the
client’s team mapped the IT environment
and identified those programmes,
applications and systems that were
used for business, easily identifying the
common software types using the Core
Control Definitive Software Library (DSL).
This enabled the client to visualise the
relationship between users and their
specific software requirements. In addition
to identifying what software was used
for business, Core Control also identified
those consumer applications that were
installed but not approved or relevant to
the organisation. With this detailed and
transparent intelligence, the
client was able to initiate
their IT governance policy.
With the client driving
the SAM programme across the global
IT estate, Core Control had links to data
from every device connected to the
network, enabling accurate measurement
of software usage, where it was located
and at any given time. This real-time
data enabled the client to rationalise its
IT strategy, to identify if and where cloud
applications were relevant and make
informed decisions on the contract types
that best suited their needs.
This programme has brought considerable
benefits to the client, driving governance
alongside flexibility and increasing data
security throughout the business.
Defining a strategy
for governance
Figures from the latest Cloud
Industry Forum (CIF) white paper
‘The Normalisation of Cloud in a Hybrid
IT market’ tell us that despite the fact
that most UK organisations have adopted
some sort of cloud solution, 92 per cent
of UK businesses don’t intend on placing
everything in the cloud just yet. Many
resellers have largely adapted to this
model, and are now in a more confident
position to be able to offer this. However,
while some businesses are finding the best
models that work for them and resellers
are becoming more accustomed to
delivering this, many end-users are leaving
themselves vulnerable to exploitation
by vendors.
The CIF results
also revealed that
private enterprises
had the highest rate
of cloud adoption in the last year at just
over 80 per cent. Considering that larger
companies have the hardest job keeping
track of licenses due to the sheer volume
of users, visibility of an entire software
estate is progressively becoming an issue.
The tables are turning from the world of
traditional IT with its limited choice and
risk of vendor audit. Now the challenge is
to make sure you know what you’re being
billed for and whether your vendor is
meeting their SLAs.
Without proper governance policies and
a system for identifying non-approved
applications on business devices, it is
difficult for an organisation to accurately
identify the risks. This leaves them open to
hidden costs and obscure licensing rules
or tricky exit clauses and undefined data
ownership. Cloud contracts are a whole
new breed of agreement, and it is evolving
very quickly.
Concorde delivers accurate insight into
software usage, the ability to drive
governance and maintain security of data
across an entire IT landscape, whether it
is cloud-based, on-premises or a hybrid
model, providing visibility of software
and service usage down to the device
level. Concorde has built performance
measures into vendor contracts, and can
track usage or utilisation against plan,
and above all, it has established global
enterprise governance.
See how you can use SAM to help your business
adapt to the changing IT Environment
SAM Best Practice – the driving force behind governance
Using accurate software
business intelligence,
the client is now driving
governance alongside
flexibility and increasing
data security throughout
the business.
Cloud, whether software, infrastructure or platform-as-a-service, has radically changed the traditional roles of software procurement, software asset management and vendor management.
With cloud adoption rates growing, the issues of
cloud governance and vendor performance are
becoming a real concern for businesses. Those
adopting hybrid infrastructures and using cloud
applications need to consider their overall IT
strategy in order to manage the services they
access in the cloud and to ensure that they are
both compliant and getting value for money.
It is understandable that cloud brings with it a host of new concerns for managing the needs of end users and, in particular, controlling the applications they use for business. The ease with which individuals can find, download and access applications that satisfy their immediate need is astounding, and there is a host of 'quick apps' available that offer a wide range of productivity benefits: all you need is internet access and a credit card.
The complexity of having both cloud
and on-premises solutions as part of
an IT infrastructure means that it can become even harder to
have visibility of exactly how software is licensed across an
organisation. This issue is further aggravated by the emergence
of consumerisation of IT trends like BYOA (Bring Your Own Apps)
which is increasingly becoming a compliance problem, especially
when employees begin to download unlicensed software onto
company devices.
Achieving a strong governance position is a real challenge as
organisations become reliant on an increasing number of suppliers
and service providers, each with their own SLAs and license
agreements. As a result, it is critical for businesses to maintain
a clear picture of what software they have, where they have it
and how they are using it in order to demonstrate good cloud
governance, maintain compliance and ensure their providers are
maintaining similar due diligence for their end of the bargain.
For example, one of Concorde’s clients recently considered
replacing their CRM system. They had a number of options –
an entirely new cloud-based solution or a traditional on-premises
platform. Cloud offers many advantages around new ways of working, including greater flexibility of business and reduced costs through user-based charging rather than capital expenditure. The client considered that the risk to data security increased, as users could access data and systems on any device and download data to any device.
However, opting for a traditional on-premises platform brought its own risks: strict ways of working, poor access to information and tightly controlled security would push users to source their own solutions in order to increase their productivity. With a tranche of quick apps available to download, both data security and governance would be completely bypassed, as users could download the application of their choice and input client data within minutes.
Success or failure
in the ‘as a service’
environment brings
new challenges, difficult
decisions for finance
and greater complexity
for procurement and
contract negotiation.
The biggest single risk
to governance and
data security is the
host of ‘apps’ that offer
business applications and
productivity tools – all
your users need is internet
access and a credit card.
Call today to see how Concorde can help you deliver
clarity and control to your Hybrid IT Environment.
+44 (0) 1491 870 250
Building Governance into the 'as-a-service' Environment
Contact us today on
+44 (0)1491 870 250
or assist@concordesoftware.com
www.concordesolutions.com
How to get the most out of different cloud models

Public, private and hybrid cloud all have their own security challenges. What are the options for the CIO?

Cloud computing is here to stay. According to the latest CIF survey, some 78 per cent of UK organisations are now using at least one form of cloud service and, perhaps more remarkably, 11 per cent of British businesses are now using four or more services. That's definitely a sign that it's no longer a few test sites that are being deployed.

The trend is ever upwards: this is the fifth year of the survey and, since the first one in 2010, the growth has been 61.5 per cent: a healthy growth indeed. That's not to say that cloud is taking over these organisations: the CIF survey found that 85 per cent of organisations still operate on-premise datacentres, so most firms are looking for a way for the systems to co-exist – the hybrid model of IT.

There's a structure to CIOs' choice, with certain services becoming an obvious fit for cloud: web hosting, email, CRM, data back-up and disaster recovery are prime choices. Anything that involves any confidential client data tends to be kept well away.

"If you want total data security, you can put all your data on a drive, lock it in a safe and drop it at the bottom of the sea."

That reflects a seeming paradox among companies. Yes, there is greater acceptance of the cloud and more businesses want to use it, but such an attitude goes hand-in-hand
with a distrust of cloud providers. According
to research published in September 2014, 70
per cent of businesses accused cloud
providers of failing to comply with laws and
regulations on data protection and privacy.
The survey, which was commissioned by
Netskope and The Ponemon Institute, also
found that businesses thought a data breach
was more likely when data was stored in the
cloud – 53 per cent of respondents said the
likelihood of a data breach increases due to
the cloud. But that’s not the worst of it.
The study also found that data breaches were
likely to be more expensive when
they involved the cloud.
This does seem to be unnecessary paranoia, though. There are certain items that shouldn't be placed in the cloud, and there are some regulated industries that do have restrictions on what can and can't be done in the cloud (more on this in another article).
Mixing things up
In fact, there’s a rather unholy mix
dominating IT departments. On the one
hand, there is this heightened security but,
on the other, there’s been a change in
business culture. The CIO has to think like
a service provider and deliver services –
whether they are from public cloud or
private datacentres, according to HP
fellow Mateen Greenway.
Unfortunately, too often the CIO comes
from a culture where he or she has tried to
control what’s being offered, rather than
thinking about what the business wants,
Greenway adds. “The CIO has the reputation
of being the person who says no, but the
business is there to get the job done,” he says.
“That’s why we’re seeing the emergence of
shadow IT, because it’s the quickest way
to get the job done.”
Greenway sees a contrast between the
way that start-ups operate and the way that
enterprises work. “New companies behave
differently. They take the shadow IT route
and explore the public cloud option,” he says.
“It’s when they get bigger, they look to take
things more private because, for some
organisations, public cloud is not enough
even if you encrypt the data.”
The current thought seems to be that
information such as confidential customer
data can’t be put in the public cloud and
private cloud is the answer, but this is a little
bit too simplistic. One of the problems faced
by organisations is that many of them aren’t
aware of what they actually have. So the
tendency has been to treat everything as
highly secure and, instead, the starting
point should be to assess what data a
company holds.
DOS AND DON'TS OF SECURING DATA IN THE CLOUD

Do:
✓ Organise your data in a taxonomy according to its confidentiality
✓ Ensure you use 256-bit encryption at rest and on the move (and remember that the algorithm, mode and key management matter as much as the key length)
✓ Ensure that your organisation has a clear security policy
✓ Ask the right questions of your cloud service provider – is it ISO 27001-compliant? Who has access to your data?

Don't:
✗ Assume that if it's not in the public cloud it will be safe
✗ Go for the cheapest cloud provider – look at the levels of security
✗ Shut end users out. There has to be a mix of openness and security
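The advice above (classify data by confidentiality, keep the more sensitive classes out of the public cloud, insist on strong encryption at rest and in transit, and ask whether the provider is ISO 27001-compliant) can be turned into a repeatable check rather than a checklist. The following is an added example, not code from the CIF article or from any vendor it names: a small placement-policy audit over a software/data inventory. The four-tier classification scheme, the mapping of classes to deployment models, the 256-bit minimum and the CSV inventory lines are all assumptions constructed for this example. It also applies the rule the Databarracks interview later makes explicit, that a mixed dataset has to be managed at its highest classification.

```python
"""
Added example (not code from the CIF article or any vendor named in it): a
small data-placement policy check that encodes the advice above.  The
classification scheme, the cloud-model mapping and the inventory lines are
assumptions constructed for this example.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Confidentiality taxonomy, lowest to highest (assumed four-tier scheme).
LEVELS = ["public", "internal", "confidential", "regulated"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Highest classification each deployment model may hold (assumed policy).
MAX_LEVEL_FOR_MODEL = {
    "public-cloud": "internal",
    "community-cloud": "confidential",
    "private-cloud": "regulated",
    "on-premise": "regulated",
}

MIN_KEY_BITS = 256  # the article's "256-bit encryption at rest and on the move"


@dataclass
class Asset:
    name: str
    labels: list[str]        # one dataset may carry several labels
    model: str               # where it is (or would be) hosted
    provider_iso27001: bool  # does the provider hold ISO 27001 certification?
    rest_key_bits: int       # symmetric key size used for storage encryption
    transit_key_bits: int    # symmetric key size negotiated for transport

    @property
    def effective_level(self) -> str:
        # A mixed dataset is handled at its HIGHEST classification; this is
        # why data that cannot be separated ends up managed at the top level.
        return max(self.labels, key=lambda label: RANK[label])


def check_asset(asset: Asset) -> list[str]:
    """Return policy findings for one asset; an empty list means compliant."""
    findings: list[str] = []
    level = asset.effective_level

    if RANK[level] > RANK[MAX_LEVEL_FOR_MODEL[asset.model]]:
        findings.append(f"{level} data is not permitted in {asset.model}")

    # Encryption is required for anything above public data, in the private
    # cloud and on-premise too: "not in the public cloud" is not "safe".
    if RANK[level] > RANK["public"]:
        if asset.rest_key_bits < MIN_KEY_BITS:
            findings.append(f"at-rest key is {asset.rest_key_bits} bits, need {MIN_KEY_BITS}")
        if asset.transit_key_bits < MIN_KEY_BITS:
            findings.append(f"in-transit key is {asset.transit_key_bits} bits, need {MIN_KEY_BITS}")

    # Any third-party host must answer the "is it ISO 27001-compliant?" question.
    if asset.model != "on-premise" and not asset.provider_iso27001:
        findings.append("provider is not ISO 27001-certified")

    return findings


def load_inventory(text: str) -> list[Asset]:
    """Parse a CSV inventory: name,labels,model,provider_iso27001,rest_key_bits,transit_key_bits."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        labels = [lab.strip() for lab in row["labels"].split("|")]
        unknown = [lab for lab in labels if lab not in RANK]
        if unknown:
            raise ValueError(f"{row['name']}: unknown classification {unknown}")
        if row["model"] not in MAX_LEVEL_FOR_MODEL:
            raise ValueError(f"{row['name']}: unknown deployment model {row['model']}")
        assets.append(Asset(
            name=row["name"],
            labels=labels,
            model=row["model"],
            provider_iso27001=row["provider_iso27001"].strip().lower() == "yes",
            rest_key_bits=int(row["rest_key_bits"]),
            transit_key_bits=int(row["transit_key_bits"]),
        ))
    return assets


def audit(text: str) -> dict[str, list[str]]:
    """Map each asset name to its list of findings."""
    return {a.name: check_asset(a) for a in load_inventory(text)}


# Constructed sample inventory (not real systems or providers).
SAMPLE_INVENTORY = """\
name,labels,model,provider_iso27001,rest_key_bits,transit_key_bits
web-assets,public,public-cloud,yes,0,128
crm-export,internal|confidential,public-cloud,yes,256,256
hr-records,regulated,private-cloud,no,128,256
dr-backups,confidential,community-cloud,yes,256,256
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run against the sample, the CRM export is flagged because its most sensitive label (confidential) exceeds what the assumed policy allows in the public cloud, and the HR records are flagged twice: a 128-bit at-rest key and an uncertified provider, even though they sit in a private cloud. The static assets and the backups pass. Swapping the assumed `MAX_LEVEL_FOR_MODEL` table for your own classification-to-hosting rules is the only change needed to apply it to a real inventory.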
HP Q&A
What reassurances can you
provide CIOs who want to move
to the cloud?
Assurances on the use of HP Helion
OpenStack components for
enterprise use include the
portability of workloads. In addition,
there is the integration between
different cloud services using HP’s
CloudSystem Automation software
and strong solutions to meet
regulatory, security and privacy
requirements.
Within a hybrid environment,
is there a difference between the
way you look after data on-
premise and data in a cloud?
Yes. On-premise, the legal and
regulatory frameworks are clear.
For cloud services, the geographical boundaries of the cloud and, in some cases, support services need to be taken into account for government and regulated businesses.
Peter Schofield, HP's cloud and mobility director of advisory services

We speak to Peter Schofield, cloud and mobility director of advisory services at HP, about how cloud is changing the nature of business

Profile

Peter is the global portfolio lead for HP's applications transformation, cloud and integration. In this role Peter is responsible for HP's investments in cloud applications and for the global and EMEA cloud applications portfolio and sales enablement teams. Peter is currently also leading HP's Helion Professional Services initiative for application transformation to cloud, launched at HP Discover in Las Vegas. Peter has experience in implementing major applications modernisation programmes in the UK Government and financial services in the private sector. He has also worked with HP's strategic clients and carried out financial services and government strategy work, in addition to his role as EMEA consulting CTO during his 12 years with HP.

Who should have responsibility for data governance?

The business owner of the data is a core part of the business. In my opinion, this should never be delegated. But, it can be assisted and enabled by the supporting functions listed.
What particular reassurances
can you offer to CIOs within
highly regulated industries?
HP has a range of hardened
enterprise-grade cloud services
tailored to meet regulatory needs
with military-spec security built-in,
while HP Enterprise Security
Services provides independent
validation and assurance for HP
and any other cloud offerings.
The rise of big data has meant
that data needs to be more
readily accessible from a variety
of different endpoints. How can
you marry accessibility with
security?
Big data can be aggregated for
consumption so that the
core data remains highly secure
on-premise or in a private cloud.
Where data needs to be made more
accessible, existing
trusted authentication processes
and technologies should be used
to ensure the correct level of
security on the full range from
public through to private cloud.
Following on from that,
what preparations should
a CIO be making to prepare
for a culture where mobile
communication is the norm?
In many countries, mobile
communication is already the
norm.
Some government departments are
already switching to mobile as the
primary channel and
many enterprises are already
finding that ‘digital natives’ are
spurning traditional channels.
In addition to the well-trailed
technology enablement for
mobile communications and
managing the apps ecosystems
springing up, there are two key
areas that CIOs need to grasp
with the support of their
marketing colleagues.
These are focused on the
whole area of digital customer
experience and bringing service-
design thinking to the fore. Both of
these disciplines are aimed at
making digital services infinitely more attractive
and consumable by today’s
consumers, customers and citizens
whose expectations have been
fundamentally changed by
the new generation of business.
Do you see a difference in the
way that the public sector and
private sector handle data?
Interestingly, I see a huge
convergence between
commercial and public sector
organisations in the care needed
for data whether it be patient
healthcare records, the delivery of
digital content for a cinema chain
or the integration of risk and
regulatory data for a bank.
The issues and solutions are
increasingly the same.
Is there a difference in the way
that HP tackles security and
cloud security?
HP Enterprise Security
Services provides an integrated
set of security consulting and
management services.
These services are
underpinned by a network of
eight security operations
centres to effectively cover all
aspects of information security,
including issues related to cloud
computing.
HP case study
At-a-glance
Secure protection in a world
of complex threats
HP Vulnerability Management
Identify vulnerabilities and learn from gathered intelligence.
Get current state knowledge from constant assessment of
your IT systems’ vulnerabilities.
See your vulnerabilities
IT vulnerabilities can be tremendously
expensive to companies in terms of brand
and reputation damage, lost IP, fines, and
remediation costs.
In a large environment, it is always challenging to validate that the proper patches or correct configuration settings have been applied. You need regular vulnerability assessments of computer systems, networks and applications for weaknesses, along with criticality prioritization and remediation advice.
On the other hand, applying patches to avoid
vulnerabilities also can be tremendously
expensive due to the system downtime, testing,
and disruption inherent to the patching process.
Since many vulnerabilities may pose minimal
or no risk to your particular IT environment, it
is important to judge carefully the relevance
and seriousness of vulnerabilities versus the
cost of patching.
Know the value
HP Vulnerability Management Services
provides capabilities for proactive and periodic
scanning of the corporate IT infrastructure
to discover vulnerabilities. It also provides
threat intelligence information correlated and
focused on your critical technologies.
This enables you to stay a step ahead of hackers
and make sure your critical infrastructure is
patched and protected. At the same time, you
avoid the effort and cost of emergency
remediation for vulnerabilities that are less
important or even irrelevant to your specific
IT environment.
Realize the benefits
• Risk-prioritized approach to managing
vulnerabilities
• Threat intelligence and insight focused on
your corporate IT infrastructure
• Cost-effective approach to meet regulatory
compliance requirements
• On-demand access to service without capital
expenditures
Insights
• You need to protect and
defend your IT systems.
• An integrated approach
is necessary.
• HP Vulnerability Management
Services can help.
Regulated industries can benefit from cloud computing

The idea that cloud can't be used by regulated industries doesn't stand up to scrutiny. Indeed, there are many ways in which the technology can be deployed...

While there have been huge advances in the take-up of cloud thus far, certain industries have been reluctant to commit. Organisations in the finance, insurance and pharmaceutical sectors, or in any industry subject to a degree of regulatory control, have been loath to put too many assets into the cloud.

Compliance regulators have laid down a lot of demands on enterprises, who are forced to jump through multiple regulatory hoops. Although there have been some exceptions to this – a couple of banks in Australia, for example, have been moving sections of their infrastructure (and, in one case, the entire IT set-up) to Amazon – it's fair to say that highly regulated industries have historically been suspicious of the cloud.

It has been very difficult for these industries to embrace cloud, as not every service provider is very transparent as to how data is protected, according to Mark Thomas, solutions architect at Databarracks. "That's not to say it can't be done. Regulatory bodies can set guidelines to follow and the credit card regulatory body, the PCI, does this well," he says.

"The PCI has been doing this a lot. And you can meet PCI, as long as you follow best practice," he adds.
PCI is just one example of a guideline
that can be followed by a company going
down the cloud route. Not all regulatory
bodies are so open-minded, however. But
this should not be a barrier; thousands of
companies are moving to some form of cloud
computing and there are advantages for
financial institutions to move to the cloud
too.
That includes all the usual benefits (greater flexibility, cheaper software, easier disaster recovery and so on) but also the ability to modernise their infrastructure. Legacy IT is a particular problem for banks, many of which are still built on it.
Old-fashioned and out of date?
Quocirca analyst Clive Longbottom says
that the main issue with regulatory bodies is
that they’re based on old-fashioned
technologies. “Compliance standards are
based on physical paper,” he says. “BASEL
and DCA, for example, are still very much
based on paper and are yet to take on board
electronic delivery.”
Politicians have been slow to react to
global changes, which has exacerbated the
problem, according to Longbottom. “The
laws are lagging behind what’s happening in
the industry,” he says. “Politicians are not
very good at keeping up to date. They don’t
realise that the world doesn’t pay attention to
lines drawn on a map.”
According to Longbottom, there’s one
exception to this. “The only regulatory body
that I’ve seen that really takes cloud on board
is the Capital Requirement Directive with its
external reporting markup language,” he
says, stressing it stands alone amidst a herd
of paper-based dinosaurs.
But this idea of slow-moving regulatory
bodies is not a fair one, according to Marc
Vael, chairman of the cloud computing task
force with IT auditing body ISACA.
“Maybe it’s true [of some], but I don’t think
it’s true of other bodies,” he says. “Yes, the
financial regulators are a little behind, but
they’re aware of digital and are investing in
digitisation.”
So, if the regulatory bodies are doing
their best to catch up with the 21st century
how should CIOs work with them? Vael
says that the first thing that CIOs should be
doing is asking the same questions of
providers as they would of their own
company. But, most of all, he says, CIOs
should not treat all cloud providers as the
same. “There’s a huge difference between the
global players, then the marketing people
who changed everything to the cloud and
small and niche players,” he says.
Vael points out that much of the
discussion on cloud focuses on the major
providers, but it doesn’t have to be that way.
“Everyone’s staring at the big ones, but
they’re not the only ones,” he says, pointing
out that where he is based, in Belgium, he
has other choices. "There are four big domestic providers in Belgium who say that data is going to stay in Belgium and is not going to go anywhere else," he adds.

That provides a choice, one that is replicated in other countries, according to Vael. Customers should look to domestic models, ones which provide an outlet that may have more of a focus on privacy, he suggests.

THE COMMUNITY CLOUD OPTION

One of the ways in which regulated industries can explore cloud safely is the community cloud option: a multi-tenant cloud infrastructure providing cloud services to organisations with similar requirements and shared objectives. For example, it may be the best fit for utility companies, for public sector groups with shared interests or among banks. By combining resources, the members of the community cloud benefit from sharing compute power, software and storage, using economies of scale to drive costs down.

There will be some data held in private datacentres, as companies will be unwilling to share everything with close competitors, but not all data is that confidential and the community cloud could provide a way forward.

There are difficulties with the concept though: security, obviously, but also software licences, allocation of costs and data governance (among others). That said, the concept of the community cloud is clearly an option for some. In time, we can expect to see certain service providers specialising in particular sectors, offering a customised service.

We're some way from community clouds becoming mainstream, but they do offer a further option to regulated sectors.
There certainly seems to be a clash
between service providers, national
regulators and, in Europe, the EU. At
present, governments are lagging behind,
according to Longbottom. “National and
regional laws are trailing what’s happening
in technology. For example, Germany says
information on German citizens can’t be
held outside German borders – I’m not sure
that it’s enforceable,” he says.
“That’s before we mention the question of
where the data’s being distributed. It’s no
longer subject just to national regulation, but
could be held on a variety of different
appliances around the world.”
Private: Do not enter
There are also other forces at play. While a
company has to follow guidelines laid down
by an industry regulator, there are other
bodies involved, namely privacy bodies.
“Privacy is important too. Personal
identification information (PII) is regulated
by industry regulators and privacy
regulators,” Vael adds. This is yet another
issue to throw into the mix.
There’s also the ever-shifting pattern of
regulation. Rules that were once sacrosanct
are now being reworked. “Healthcare data
used to be held within the hospital, now it’s
within the borders of the country,” adds
Vael, who calls for an approach towards
privacy that would be immediately effective
in all countries in the EU. He points out
some of the drawbacks: “It won’t help
companies who are global and companies
outside the EU see that as a trade barrier,” he
says, adding he believes such challenges can
be overcome.
It’s not just about national or EU
regulation though, according to Vael. Firms
should be asking cloud service providers
whether they follow ISAE 3472, he suggests.
“This is an international standard of audit –
replacing SAS79,” Vael says. “It’s a mark to a
customer that I’m guaranteed to follow all
the rules and saves them having to check
everything – otherwise it’s a big task to get
that done.”
But details about the standard are not
easily found. And, as Vael points out: “Other
people - the bad guys - would really like
that information.”
There’s nothing wrong with any industry
– even a regulated one – exploring the
potential of cloud. There are the usual
questions to ask, ones you would ask any
provider, but there are also other areas to
explore. These are based on auditing
standards and ensuring you know where your
data is at all times. It’s important not to treat
all cloud providers the same – some will
provide detailed information about where
data is being held, some won’t.
It’s also important not to treat all data the
same: sensitive customer information cannot
be treated in the same way as system data.
And there shouldn’t be too much pressure
placed on the service provider. “Not all the
emphasis should be on the service provider,”
Thomas says.
“The customer has to do as much digging
and analyse what it has in its environment.”
Disaster Recovery
as a Service
ULTRA SECURE PEACE OF MIND
Databarracks has been providing
the most secure cloud services in
the UK for 10 years.
Since launching one of the
world’s first managed backup
services in 2003, we’ve been
bringing unbeatable
performance and resilience to
mission critical data with our
disaster recovery and
infrastructure services.
Housed 30 metres below ground
in ex-military nuclear bunkers,
our DRaaS platform was recently
benchmarked as running 1,702%
faster than a leading competitor.
That means faster recoveries,
better testing and guaranteed
availability when you need it
most.
This is all backed up by
unparalleled support. Our
hand-picked engineers are
dedicated to keeping your public
and private clouds running in
perfect harmony, 24/7/365.
Consistent performance,
constantly supported.
To find out more visit us online at www.databarracks.com or call 0800 033 66 33
Databarracks Q&A
What reassurances can you provide
CIOs who want to move to the cloud
and are concerned about the
regulatory environment?
They are not on their own. This is a very
common concern. I would suggest that
they engage with their regulators. If
there is not any specific guidance
published on the use of cloud services,
ask why.
There are different types of regulators
with different approaches to how they
govern. Payment card regulations for
instance are very prescriptive – you
know exactly what needs to be done to be
compliant. Industry-specific regulations
are often less specific and more like
guidelines for the use of cloud computing. It
is that sort of regulatory environment
that can cause the most difficulties,
because there is a lack of clarity.
If you have a good understanding of
your regulatory environment, there is a
lot that can be transferred from on-
premise computing to cloud services.
Access, encryption and data retention
are all issues that can be tackled in
similar ways. If regulators are not clear
about how to address cloud-specific
issues like location of datacentres and
multi-tenancy then push them for
clarification.
Peter Groucutt, managing director, Databarracks

We discuss cloud security concerns and why businesses needn't worry so much with Peter Groucutt, managing director of Databarracks
How aware are CIOs of where their
data is stored?
Very aware... mostly. Major IT decisions
and infrastructure moves will be very
well scrutinised. If a business wants to
move all of their systems to an IaaS
provider, those projects will involve not
just the CIO, but the IT team, legal and
compliance departments and probably
the board.
The problem for CIOs is what we are
now calling ‘Shadow IT.’ These are the
smaller projects that aren’t authorised
and approved by the IT department.
As more technology products target
‘line-of-business’ owners rather than the
IT department, it is a trend that is likely
to continue. Often the first time that IT
will hear about these projects is after the
purchase when someone wants to
integrate the service with another
system and needs some help.
This issue is fixed by communication
and by making sure that departments
actually engage with the IT team rather
than work around them.
The better CIOs are the ones who are
thought of as enablers by the rest of the
business, not just compliance-fiends
who are defending their empires.
Within a hybrid environment, is there
a difference between the way you look
after data on-premise and data in a
cloud?
There can be. For some people that is
the point of having a hybrid cloud,
keeping sensitive systems on premise
and pushing less sensitive data out into
the cloud.
On the other hand, one of the other key reasons businesses use hybrid cloud is that they can use it for 'cloud bursting.' This can be sensible if you usually have very stable resource consumption, then periods when you need to scale up.

For those use cases, you actually want exactly the same data management for your on premise systems as in the cloud. The best platforms in those instances are the ones that allow for good integration to keep the process simple.

Profile

Peter has a history in understanding and mitigating risk, having spent many years working in risk management roles within the banking sector – particularly developing applications to monitor value-at-risk across the banks' treasury and hedged products. In 2000, Peter combined his skills in application development with his love of sailing to set up his own company building ship monitoring and harbour management software, integrating search and rescue using GPS and Radar. Peter has been the managing director of Databarracks for the past 12 years, growing it from one of the first online backup companies in 2002 to one of the UK's leading cloud service providers.
Who should have responsibility
for data governance?
A combination of people. This is really
about responsibility and accountability.
In organisations large enough to have a
CIO or a CSO then, yes, this obviously
becomes something they would have
overall accountability for. However, they
won’t have the direct interaction
with systems to make plans a reality, so a
lot of responsibility is pushed down to
the systems teams to make sure it is
enacted.
This also depends on the type of
organisation and the regulations you
need to comply with. Individual
departments will have responsibility for
certain regulations. The Data Protection
Act is concerned with personal data so
there needs to be an element of
ownership from marketing departments
and the accounts department will
primarily be responsible for HMRC
compliance.
What particular reassurances can you
offer CIOs within highly regulated
industries?
The most highly regulated industries like
finance, healthcare and legal actually
tend to be very well informed.
Often we find that regulation isn’t
actually preventing uptake of cloud
services. In some cases, it is just a case of
not wanting to be the first to stick their
neck out and use a service no-one else is.
It is a case of waiting and watching
the early adopters. Once these first
companies have taken the risk - and
then reported the benefits - it is easy for
others to start using cloud services.
Vendors can provide assurances about
data security in the form of accreditations.
Vendors can also be transparent about
their infrastructure and processes.
Again, it tends to show potential
customers the service providers invest
far more in security than customers can.
The lesson we have learned taking
‘online’ or ‘cloud’ backup to market over
the last 12 years is that, ultimately, the
best reassurance won’t come from the
service providers. Such reassurance will
come from other businesses in the same
industry with similar compliance
challenges who are willing to share their
success stories.
Do you see a difference in the way that
the public sector and private sector
handle data?
Yes. Public sector data management is
changing. They are moving from seven
classifications in the ‘Business Impact
Level’ system of data down to just three.
Data would be classified IL0, IL1, up to
IL6. Now it is just ‘Official’, ‘Secret’ and
‘Top Secret’.
It is a slight oversimplification but, in
the private sector, businesses often have
just two broad categories of data. Their
‘compliance data’ and ‘everything else’.
They manage the ‘everything else’
according to their own principles but
keep it separate from ‘compliance data’
because they know they have to follow
specific rules for that data.
The problem for the public sector is
that firms often have a mix of different
classifications of data all together. This
means they have to manage all the data
at the highest level of security. The
changes in public sector data
classification mean that now the
majority of that data is at the lower level.
This makes it far easier to manage that
data and to use cloud services through
G-Cloud.
In terms of procuring cloud services,
this actually makes the public sector
more like the private sector. When
G-Cloud started, public sector buyers
could just pick a supplier based on a
security level, for example an IL2 backup
service.
G-Cloud buyers now have far more
freedom of choice, but they also have the
responsibility for choosing a service
suitable for their needs.
Is there a difference in the way that
Databarracks tackles security and
cloud security?
No. We have technically always been a
cloud service provider, even before we all
used the term ‘cloud’. Since we began in
2003, we have always provided multi-tenant
services over the internet. For us
‘cloud security’ is ‘security’.
Do you think legal requirements
and regulatory issues are a barrier
to cloud adoption?
They can be. How regulation
impacts the adoption of cloud
depends on the specifics of the
regulator. If the responsibility is
pushed onto users of those services,
like for instance how the Solicitors
Regulation Authority (SRA) governs,
then users are free to make their own
decisions.
I think most organisations prefer
this method of governance to overly
specific and prescriptive guidance.
Databarracks Q&A
CLOUD FOR BUSINESS www.cloudindustryforum.org
Data Health Check
The Databarracks annual Data Health Check surveys hundreds of IT professionals across 19 different fields to capture a snapshot of the way businesses use and think about IT. Here are the highlights from 2014.

Survey results

1. Backup and data retention
Key findings
• 49% of organisations do not distinguish between old and new data
• 48% of organisations have not tested their disaster recovery plan in the last 12 months
• 18%: “human error” was the 3rd largest cause of data loss

How did small and large organisations compare in this survey? Large organisations vs small organisations:
• 22% of large organisations listed ‘human error’ as the main cause of data loss over the last 12 months, compared to just 6% of small organisations listing human error as the main cause of data loss
• 10% of larger organisations lost data as a direct consequence of an external security breach, compared to just 1% of small organisations and 7% of mid-size organisations
• Only 3% of large organisations have no data retention policy, compared to 23% of small organisations
9% of Consumer, Retail and
Leisure businesses experienced
data loss because of human error,
compared to 23% in Technology and
29% in Finance.
On the other hand, as one of the
most tightly regulated industries,
none of the financial organisations
surveyed reported experiencing
data loss as a consequence of an
internal security breach (such as
employee theft).
Chart: What is your data retention policy? Answer options: I don’t know; We don’t have one; We have an internally set policy; We keep all data forever; We keep data for a period specified for regulatory compliance.

2. The state of cloud computing
Chart: Which factors do you consider to be most important when selecting a cloud provider? Options: Security; Functionality of service; Reputation; Standard of SLA (service level agreement); Hardware; Datacentres; Size of company; Location of cloud service provider HQ; Other; Hypervisor; Location of hosting.
The majority of respondents
from every industry rated security
as the most important quality when
selecting a cloud provider.
However, those who had adopted
fewer cloud services tended to rate
security more highly, indicating a
disparity between expectation and
reality.
Chart: percentage of respondents who rate security highly, by organisation size (small, medium, large) and by cloud adoption (respondents who’ve adopted 1 or 0 cloud services versus respondents who’ve adopted 2+ cloud services).
3. Compliance and data security
Of the 106 respondents who
reported they had not reviewed
their security policies in the last
year, an astounding 21 chose not to
despite having experienced
significant cyber-attacks in the last
12 months. CryptoLocker,
Heartbleed and Keyloggers were the
most common cyber threats
experienced.
Chart: respondents that have been affected by cyber threats in the last 12 months, by organisation size (small, medium, large) and by industry (Industrial; Consumer, Retail, Leisure; Finance; Public Services; Technology; Professional Services).

Chart: Have you reviewed your security policies in the last 12 months in response to a cyber-threat? Answer options: yes, we have reviewed our security policies and made no changes; yes, we have reviewed our security policies and have made changes; no, we have not reviewed our security policies; I don’t know.

Want to know more?
Download the full report at info.databarracks.com/DataHealthCheck2014.html or take a look at the interactive infographic at datahealthcheck.databarracks.com
How to draw up a comprehensive cloud security policy
What should your first steps be when formulating a security policy for cloud use? Davey Winder has been talking to the experts about this very subject. Read on to find out more...

A formal information security policy is not an optional item for your business. Yet, when your company migrates to the cloud, in any capacity from data storage through to application delivery, it’s often mistakenly accepted that the existing policy will cover this new ground. Many say that data is data wherever it is stored and the same security policies should apply. While there is some logic to this, it’s rather flawed and has the potential to leave your enterprise exposed to unnecessary risk. An information security policy needs to be a dynamic thing that changes to meet the security demands of the enterprise, and the data it deals with, as new technologies become part of the business landscape.
When it comes to the cloud, the single biggest benefit of having a relevant policy is that the process of creating it requires in-depth thought about what security in the cloud really means to your business and to your data. This necessity to think out loud, to determine a structured response to your needs from top to bottom, is often an eye-opener for the entire team working on it.

Making the commitment to your data
Writing such a document for the cloud is actually little different from any other security policy. It’s just a formal commitment to protect all the data your business uses, which then necessitates a strategy to determine the levels of required protection and the process needed to both achieve and maintain that.
Delegating this policy building process to a third party such as, for example, your cloud service provider is security suicide. Your cloud security policy, like your broader data security policy, must be your responsibility. To be sustainable and effective it has to be written from the ground up, and contain input from the top down.
Whether that means the director of a small business working with an external consultant or the board working with the IT, legal and HR departments will depend entirely upon the size and structure (and to some degree the market sector) of your organisation. However, there are some constants which remain no matter how big or small the business, or what sector you are working in.

No policy document is an island
Your cloud security policy should form a coherent part of your organisation’s Written Information Security Programme (WISP). So, while it has to be able to stand tall in addressing the specific needs of data security within the cloud environment, it cannot be totally separate from - and at odds with - the data security policies that are in place elsewhere. A WISP should be seen as a collection of policy documents that provide the steps needed to enforce the security measures they demand. Be aware of this need to co-exist from the get-go.

Don’t reinvent the wheel
Although your existing data security policy isn’t going to be a shoo-in to a cloud-based document, parts of it will fit without too much adaptation. Don’t be afraid to re-use them if they are fit for purpose. Existing policies are there for a reason, and if they can apply to cloudy data then apply them. Equally, look to what others have done and draw from that; ask affiliates or peers within your market sector who have migrated to the cloud for their thoughts, and draw on their experience when it comes to considering your own policy.
Understand your needs before
you start writing policies to
address them
This might sound obvious, but putting the
cart before the horse is not as uncommon as
you might imagine.
You need to determine how you will be
using the cloud; will it be for data or
applications, or maybe a combination of the
two? This determination will then allow
you to focus on which criteria are required
in terms of security policy. It’s that
‘thinking out loud’ process mentioned
earlier in action.
For example, when looking at data
handling in the cloud from a policy
perspective, you will first need to think
about how you classify data and how that
determines which data is considered
‘cloudable’ by your policy. If you don’t
already have a data classification policy then
you will need to create one, and the processes
required to put that into place.
Your cloud security policy
should be readily accessible
Your policy must be both available to and
understood by all your employees. No
exceptions. You should also bear this in mind
when writing the policy in the first place.
What’s more, if you want to keep training
costs down, it’s best to avoid over-complication and
technical complexity. The best security policy will be
one that is clear and concise. Don’t be
afraid to state the obvious, as that way
nobody can claim to have missed the point.
Every cloud security policy should start
with a definition of intent, which clearly
outlines the whole point of the policy. For
most organisations, this is likely to be ‘to
mitigate the risk to data when using
cloud-based services’.
Include worst case scenarios
as well as rose-tinted best
practice specs
Your policy should not just be about
protection, but also about reaction too.
Consider how any cloud data breach would
be dealt with, including logging and
reporting processes, forensic functions and
cloud provider cooperation.
There are also disaster recovery issues to be
considered. You must ensure continuity of
operations and not forget ‘end of life’
procedures relating to data transfer and
secure wiping if you wish to change cloud
providers at any point.
Finally, always involve
your legal department
If you don’t have an in-house legal team
you should instruct a suitably qualified
lawyer. A policy which has no legal
standing is as good as useless.
This point is particularly pertinent when
it comes to the cloud, not least as subjects
such as physical location of data storage and
transit can have legal implications upon
privacy and security compliance issues.
DEVELOPING A BYOD-FRIENDLY SECURITY POLICY
One policy should take pride of place: make it mandatory that non-supported devices cannot be used to access or store corporate data. And that means being wary about consumer (i.e. non-business) devices.
Your security policy should also address the fact that, if the device has access to corporate information, then company policy applies. If it can access the corporate network via VPN, then it’s part of the same network and subject to the same rules.
Use a real-time approach to malware detection to ensure that any threats are detected in the shortest possible time.
Access to non-business cloud services should be carefully monitored and controlled. Why are employees doing this? Ascertain what they’re using it for and offer secure alternatives.
Ensure that devices and cloud-based applications adhere to any appropriate regulatory compliance schemes.
Concerns over customer data still holding businesses back
Businesses are beginning to make the most of their data, but they need to ensure security issues are sorted out first...

In the past couple of years, companies have been waking up to the idea that the data they hold can bring commercial success. We’re now seeing companies looking to assess social media feeds and video in an attempt to become better informed about their customers.
It’s here that cloud comes into being. It provides businesses with faster analytics, which leads to greater agility. In a competitive market, having such flexibility could lead to real business advantage.
However, there’s still some resistance to this. A US survey from analyst firm Forrester Research, published earlier this year, found that about a third of companies had no plans to move BI systems to the cloud at any point. It’s true though that this means about two-thirds have either done so already or are about to move. Because cloud offers fantastic advantages for companies wanting advanced analytics, it was only to be expected that such large numbers would opt for the benefits that it could bring.
The European ethos is somewhat different. The need for privacy is more deeply ingrained and this goes hand-in-hand with concerns. The Forrester survey was a stark reminder of the difference: so concerned are Europeans about cloud security, there would have been far fewer companies if Forrester had carried out a similar piece of research over this side of the pond.
This is because there is much more concern about the perceived lack of security about cloud. Service providers can talk up their credentials as secure providers but it’s often to little avail.
Couple this with an almost philosophical belief that all data should be held securely, regardless of its importance and level of confidentiality, and you can see some of the difficulties in using cloud within Europe.
And there lies the problem for companies. To make best use of the data, there needs to be a degree of openness and an ability to share, but many businesses are reluctant to make the move – often the barriers are cultural rather than technical.
Some companies do get it though. According to Radek Dymacz, Databarracks’ head of R&D, there are two different approaches to openness and sharing: modern IT and old-school enterprises. “The old-school enterprises have struggled because they have data management baggage,” he says. “They tend to keep more data private than is actually necessary. Their challenge is to rethink what they classify as private to just not shareable information,” he says.
Modern enterprises don’t have the same problem, according to Dymacz. “That’s because they exist in the era of data sharing,” he adds. “I would say that these organisations have a much smaller proportion of their data overall that they consider to be private, but they also have a good grasp of the distinction over what can be shared,” he adds.
“They also tend to have a better grasp over the methods to share data effectively. These are the organisations who understand how important speed of access to data is.”
Private vs public
Many companies do not have a sufficiently
granular taxonomy for dealing with
information and are inclined to treat all data
as private. This has led to companies
spending more on security than they need to
and also leads to the idea that the cloud is
the only place to put confidential data.
That’s not necessarily true but is widely
accepted as the case.
It’s time to think again. What’s needed,
suggests Dymacz, is to re-evaluate what private
data actually means.
“By old standards, contracts are private
information, but if your company pricing is
transparent and you have nothing to hide is the
contract really private information?” he says.
“The only way to manage the sharing vs
privacy issue is to be able to understand your
data so you can make informed decisions. For
instance, if you know exactly what your private
data is, you can do things to secure it like
encryption-at-rest, which is something we
don’t see enough organisations doing.”
Companies have a very traditional
approach to data management, according to
Dymacz. “Businesses usually have a good
grasp on their structured data systems. They
will have security policies in place for their
finance and their CRM systems,” he says.
“There is usually good management of a
small set of other documents like HR records and
internal company reports. The big challenge is
everything else. Businesses have masses of file
data that they don’t know how to classify.”
There are other issues too. Richard
Archdeacon from the HP Enterprise Service
CTO Office says that just storing data in the
cloud is not enough. “You then have to look
at the whole lifecycle. How will it be stored?
Will it have encrypted links? What’s the
recovery method? What happens if we move
provider – will it be destroyed?” he says.
“[And what about] auditing? Are they
open to audit? It’s not just technical, it’s
physical security too.”
Dymacz says that the traditional set-up
does cause difficulties. “The problem most
businesses have is that their data sits in silos.
The ability to delete a specific customer’s
data or to provide all of the data on a customer
back to them depends on their ability to get the
data from several sources,” he states.
“From our conversations we know that
businesses aren’t confident that they can
remove all customer data if they get that
request. They can do it very easily for some
systems but they can’t be sure they have
removed it from everywhere.”
Need to know?
There’s a good deal of debate at the moment
about what’s meant by personal privacy and
what companies can know about their
customers. Google has built its business on
knowing as much as possible about its users
but, as the company found out lately,
Europeans take privacy very seriously –
hence the right to be forgotten ruling.
Can there be a fair balance between
personal privacy and a company’s right to
know about its customers? Databarracks’
Dymacz isn’t sure. “I would say ‘yes’ and ‘no’.
For there to be a fair balance, there needs to
be a good understanding about what data a
company holds about you and how you can
actually manage and influence that,” he says.
Databarracks itself has developed a new
product to help manage unstructured data.
Dymacz describes the thinking behind it:
“Kazoup (see boxout) was created firstly to
solve data storage issues. When we spoke to
businesses about their backups, it was clear that
very few had a good understanding of their
unstructured data.
“Services like backup and disaster recovery
are charged based upon volumes of data. We
would ask a company how much data they had
to give them a quote and they often wouldn’t
know. They would know how much email data
they had or how large their databases were
because structured data is easier to manage, but
not the unstructured, file data.”
More companies will explore ways to look
at both structured and unstructured data and
cloud is going to play a big part in this. There
are many steps to take first, both in terms of
improving the infrastructure and handling
the data, but the rewards will be massive.
ALL ABOUT KAZOUP
Radek Dymacz describes the technology: “Companies would have X TBs of data, but would usually tell us most of it is rubbish. Kazoup scans a business’ file data so you can see what you have and then put policies in place to manage it better.
It uses metadata to set up policies to archive or delete older data and sort it into categories.
We created the product because businesses were constantly asking for a tool to help understand their data.
We found larger organisations would have some of the enterprise (expensive) tools for file analysis or search and the smaller organisations were just using some simple freeware that didn’t have enough functionality.
We think these issues are going to increase in importance as data continues to grow and as businesses have more regulations to comply with like the Data Protection Directive.”
Does BYOD mean bring your own disaster?
BYOD could be a recipe for disaster as the IT department relaxes control, but it doesn’t need to be a big problem…

There used to be a clear split between the technology you used at home and your technology at work. In the office, you had access to a powerful desktop, wide-reaching business software and fast connections, while at home, you had some simple programs running on a cheap PC using a dial-up modem.
That’s the way that things were because there was no need for it to be otherwise. The notion that home technology was more powerful than commercial offerings would have been deemed nonsense. In the last decade, however, all that has changed. There wasn’t a single revolution that changed this but many smaller steps: the provision of broadband to homes (especially when accompanied by an upgrade to fibre); the development of the smartphone market and, connected to this, the decision by Apple to see mobile phones as a means of disseminating applications. Put that all together and you have the perfect storm for a revolution in how devices are viewed and used.
There’s been an about-turn though as the sexy devices are now in employees’ pockets and not on their desktops. What has this meant for the CIO? The former gatekeeper for company technology is now relegated to a bit-part role as companies look to adopt bring your own device (BYOD) strategies. This change has massive implications for the way that a business operates, with CIOs having to completely rethink all aspects of their IT infrastructure.

BYOD vs cloud
One of the first things to look at is whether a move to BYOD means a move to cloud. In some ways, says Richard Archdeacon from the HP Enterprise Service CTO office, there are similarities. “Look at the drivers for the move to cloud,” he says. “It’s driven by a need for greater flexibility and better management.” He adds that BYOD has brought a similar level of flexibility to the part.
The 451 Group security analyst Javvad Malik also sees advantages of moving to the cloud. “Cloud providers are often in ideal positions to offer BYOD-specific features, and many have. Though a large market exists as ‘middlemen’ to provide BYOD features in what I like to call ‘missing feature’