What if the auditor is scared?

With so many of my course takers working in the financial industry, I decided to dive a bit deeper into the secure cloud adoption process.

I want to figure out what the drivers of that process are, and where organizations run into obstacles in that process.

In the end, I want to produce an e-booklet or report or something. Right now I am just documenting what I discover in the process.

I have already outlined the report. It includes chapters on topics such as:

  • What drives cloud adoption, and what are common cloud based applications?
  • Case studies in the financial industry.
  • Complications in the process.
  • Impact of the complications.
  • How companies are or can be addressing the complications.

After sketching the outline of the ebook, I reached out to former course attendees.

Scared auditors

One of them was an IT auditor at an insurance company. He gave me an explanation of the board level support that cloud adoption has, and an example of an external application that helps speed up car insurance claims processing.

As an important obstacle, he mentioned auditors (internal in this case) who are afraid of the cloud. And to add substance to that, he said “I am an auditor myself, and it is scary to see how much power I have…”

So maybe, we should figure out a way to help focus the auditors on the right risks. If not, they are going to stop all things cloud.

This matches with what another guy I talked to (who had been involved in an Office 365 adoption project) told me: “a big hurdle is to understand the real problems, instead of the imagined ones.”

These insights all go into the e-book I am writing. It is on the drivers and barriers to cloud adoption in the financial industry. Go to this page to learn more about it and about some of the other posts on this topic.

The Bionic Cloud Website

Make your website bionic: better, stronger, faster

Now thanks to cloud computing, you don’t have to spend 6 million dollars to make your web application better, stronger, faster than it was. In fact you can do all that and make it cheaper too!

In my new e-book/course/programme/teleseminar I will expose techniques and tools for modern web application hosting that you can use in your business.
[explanation of the ways in which your current hosting can be bad. here is where we qualify the audience]

[examples of approaches people have taken, and other hints at how this can be done]

[some common misconceptions about cloud computing: myth debunking]

etcetera, etcetera.

 

Eating an elephant, piece by piece

How to move an app to the cloud?

 

hybrid,

one on one.

replace.

Are you a risk to your customers?

In the past weeks I have been talking to a number of small software providers. Most software these days is no longer shipped (CD-ROMs are really oldskool, aren’t they?), but is delivered as a service over the internet.

These software providers are starting to realize that this means they are a SaaS provider. This also means that they have to do risk management like a cloud provider.

Among the companies I work with are an email/shopping cart provider and an e-learning provider.

With these companies I started by going through the CSA “Treacherous Twelve” list of top cloud risks. It does not matter much if you are a provider or a consumer; all risks can be relevant to both sides. The consumers have to protect themselves, and the providers have to enable them to do that.

In working with them I came across a number of interesting observations.

One guy stated: “only after reading through the Treacherous Twelve did I gain a more solid understanding of risks”.

Another guy said that he now started to understand how his security was essential to his customer’s security. In fact, being more explicit on what he did on risk management and security could actually be a selling point towards his customers.

He also said that the investors in his company would probably worry about this.

These companies start to realize that their customers are actually outsourcing some IT to them, and that these customers require some governance and risk management support. A simple case of that is that there is often some personal data of the customer’s employees or clients involved. If the provider messes up in managing that sensitive data, the customer gets burned.

At the same time, these software providers are often cloud consumers themselves, as they outsource their hosting and other services to other cloud providers. So the risk analysis cuts both ways.

Does some of this apply to your company? In that case you might want to look at the Treacherous Twelve study yourself. To dive deeper into that or if you need help, you might consider my cloud security training, which can also earn you the Certificate of Cloud Security Knowledge.

4 Key Differences Between a Virtual Private Server & a Private Cloud

Here is another post from one of our guest editors.

Some companies think virtual private servers and private clouds are the same thing, but these terms are not interchangeable. While the differences between virtual server hosting and private clouds might seem slim at first glance, it could mean all the difference in the world for businesses. Forbes predicts private clouds are going to end up being the next area of cloud computing focused on by businesses. Take a look at these key differences between VPS and private clouds, and for more info.

Cloud computing is actually about creating an IT supply chain. This is more fundamental than just an outsourced server.

Server Setup

A virtual private server is a single physical server, split up between a limited number of users. It is a similar hosting set-up to a shared server, where many user accounts are located on the same server. The main difference between these two server setups is that VPS accounts have fewer users per box, and the users get more control over their section of the server. Virtualization software divides the users from each other, although you’re not entirely isolated from being affected by other people on your server.

A private cloud uses distributed resources across multiple physical servers. The redundancy allows for a seamless transition to the other servers in a network in the event of a hardware failure or other issue. It’s similar to a RAID 5 hard drive setup. You see the resource as one server, but multiple systems are behind it.

Location

A major difference between a VPS and a private cloud is the location of the hardware. A virtual private server is generally hosted at an off-site, third-party web hosting provider. A private cloud is situated on site or at a data center you own. There are exceptions to this rule, however, as some cloud providers are offering hosted private clouds for users. These clouds use hardware that is solely for the use of that particular cloud and is not shared with other users.

Scalability

Cloud control panels are built with quick provisioning and deployment in mind. The process to get a new virtual server, database or other resource up and running typically takes only a few clicks through the administrative panel. A VPS requires you to upgrade your service manually, send in a support ticket to the provider, or call to get tech support to provide you with the resource needed, making a private cloud more convenient in this regard.

Cost

A private cloud is rather expensive in terms of hardware, as you have to shoulder the cost of the hardware, installation, set-up, and maintenance. This is lowered somewhat if you go with a hosted private cloud, but you don’t have the same level of control on a hosted cloud as you do with your own, on-site option. A virtual private server is vastly less expensive and even cheaper than dedicated server hosting. If cost is an issue, the VPS wins out every time.

Need to know more? Click here on which cloud is right for you?

VMware lends credibility to Cloud Essentials training

Even though VMware has a big educational program itself, it has aligned with the Cloud Credential Council on a number of vendor neutral cloud courses. The independent certification of skills sets is cited as a distinct advantage.

Certified cloud courses currently include Cloud Essentials and Virtualization Essentials, which are also marketed together as Cloud Technology Associate.

Read more about the announcements: http://www.marketwatch.com/story/vmware-expands-availability-of-cloud-credential-council-certification-course-offerings-to-australia-and-new-zealand-2013-05-28

VMware, CCC Team to Expand Courses, Extend Certifications to New Geos

 

If only your own data warehouse was this secure

Dr. Werner Vogels, CTO of Amazon (not just Amazon Web Services), unveils some interesting information on RedShift, Amazon’s service for data-warehouses on demand. Its petabyte performance envelope and on-demand pricing are awesome enough, but here I would like to point out some of the security features of the service.

These range from physical controls to staff monitoring to multiple firewalls to hardware encryption. The blog post contains quite a bit more information. The controls are also audited. Unfortunately, these lists are not publicly available, though I have seen similar extensive statements from other providers.

If you think you can do better, you should consider starting your own cloud provider!

6 signs of cloudwashing

I only refer to other blogs occasionally, in particular if they have a commercial goal.

But this one is interesting enough: an infographic showing you 6 signs of cloudwashing.

See http://blog.workbooks.com/blog/bid/286046/watch-out-for-fake-cloud-infographic (at the end there is a request for sign-up, none is required).

More and more companies are blatantly recycling old IT solutions as cloud solutions. While such evolution may be genuine (we actually have a course on the steps you need to take in this), more often than not the marketing is the only innovation.

An example sign is: ‘“Cloud CRM software” is installed on your server or laptops’. 

You would not believe this actually happens, but apparently it does. Go Google.

If you are a cloud provider (or aspire to be), you can take this as an example for your own marketing.

If you want to learn more on how to position yourself as a good cloud provider you might want to check out my Cloud Essentials course.

Cloud vendors’ fixation on price is costing them business

Cloud computing is cheap, right?

No, not really. Obviously it can be if you are a small user, and your capital outlay will of course be lower. But in a lot of cases I see, the total run cost is comparable to on-premises solutions.

Yet even though cloud vendors still play the price card, cloud buyers see things differently, a small survey conducted at Cloud Connect recently suggests. Here is a summary slide of the findings.

Cloud Connect Enterprise Cloud Adoption Survey

To me this suggests that cloud vendors could use some education and training in articulating the business value of their propositions to their customers. This will allow them to close more deals at higher values.

 

IT consolidation is just another word for private SaaS

When a well known bottler of soft drinks in Europe looked at its IT portfolio it noticed that it had separate ERP systems installed in each of the countries where it had operations. That was a major step ahead at the time. Now it turned into a drag. Upgrading all those systems to the next version was a real pain in the neck. The upgrade project had to be repeated multiple times across the entire continent.

This was when they realized that there could be a business case in consolidating those systems. Instead of doing twenty separate upgrade projects, it was cheaper to spend all that money on one upgrade project and a better international network infrastructure.

In other words, they had to turn that ERP system into an internal cloud, a private SaaS cloud so to say.

Let’s review the essential cloud characteristics to see to what extent this is a cloud. NIST lists these as: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, and Measured Service.

The obvious characteristic is ‘broad network access’, which permits the entire ERP system to be accessed by all group companies. Resource pooling is an important cost driver in the business case, based on a reduced number of servers and support groups, and maybe software licenses. Rapid elasticity is a characteristic relevant to the operating companies, each of which can grow and shrink its ERP usage now much more flexibly than when it had its own system. From the perspective of the group however, the ERP system is not very elastic. Measured service, finally, could apply to operating companies if they are cross-charged for their usage. This can be done in a number of ways, each with different implications.

This brings us to more business benefits. Depending on the cross charging model, this might make it a lot more viable to start a new operating company, as it would have IT costs that grow with its business rather than being an initial investment. Broad network access and resource pooling might bring additional business benefits if this allows logistics to be optimized across the entire operating region.

Finally, the risks. Obviously the international connectivity becomes an important new source of hazard, whether a dedicated network or the internet is used. For the central IT, servers, application and support, the stakes are raised a lot higher. A failure of the application affects not just one company but the entire group. On the application management level, the structure and quality of the data now has to be coordinated over a lot more companies. Individual bespoke adaptations will be a lot harder. Even corporate structure may need adapting, as there will be a much more formal relation between group IT and the operating companies. Formal service level agreements probably need to be in place.

So, when you are consolidating IT, it might make sense to apply the lessons that are being learned in cloud computing.

If you want to learn more, visit my list of cloud computing courses and other resources.