Are you a risk to your customers?

In the past weeks I have been talking to a number of small software providers. Most software these days is no longer shipped (CD-ROMs are really oldskool, aren’t they?), but is delivered as a service over the internet.

These software providers are starting to realize that this means they are a SaaS provider. This also means that they have to do risk management like a cloud provider.

Among the companies I work with are an email/shopping cart provider and an e-learning provider.

With these companies I started by going through the CSA “Treacherous Twelve” list of top cloud risks. It does not matter much whether you are a provider or a consumer; all risks can be relevant to both sides. The consumers have to protect themselves, and the providers have to enable them to do that.

In working with them I came across a number of interesting observations.

One guy stated: “only after reading through the Treacherous Twelve did I gain a more solid understanding of risks”.

Another guy said that he now started to understand how his security was essential to his customer’s security. In fact, being more explicit on what he did on risk management and security could actually be a selling point towards his customers.

He also said that the investors in his company would probably worry about this.

These companies start to realize that their customers are actually outsourcing some IT to them, and that these customers require some governance and risk management support. A simple case of that is that there is often some personal data of the customer’s employees or clients involved. If the provider messes up in managing that sensitive data, the customer gets burned.

At the same time, these software providers are often cloud consumers themselves, as they outsource their hosting and other services to other cloud providers. So the risk analysis cuts both ways.

Does some of this apply to your company? In that case you might want to look at the Treacherous Twelve study yourself. To dive deeper into that or if you need help, you might consider my cloud security training, which can also earn you the Certificate of Cloud Security Knowledge.

4 Key Differences Between a Virtual Private Server & a Private Cloud

Here is another post from one of our guest editors.

Some companies think virtual private servers and private clouds are the same thing, but these terms are not interchangeable. While the differences between virtual server hosting and private clouds might seem slim at first glance, they could mean all the difference in the world for businesses. Forbes predicts private clouds are going to end up being the next area of cloud computing focused on by businesses. Take a look at these key differences between VPS and private clouds, and for more info.

Server Setup

A virtual private server is a single physical server, split up between a limited number of users. It is a similar hosting set-up to a shared server, where many user accounts are located on the same server. The main difference between these two server setups is that VPS accounts have fewer users per box, and the users get more control over their section of the server. Virtualization software divides the users from each other, although you’re not entirely isolated from being affected by other people on your server.

A private cloud uses distributed resources across multiple physical servers. The redundancy allows for a seamless transition to the other servers in a network in the event of a hardware failure or other issue. It’s similar to a RAID 5 hard drive setup. You see the resource as one server, but multiple systems are behind it.


A major difference between a VPS and a private cloud is the location of the hardware. A virtual private server is generally hosted at an off-site, third-party web hosting provider. A private cloud is situated on site or at a data center you own. There are exceptions to this rule, however, as some cloud providers are offering hosted private clouds for users. These clouds use hardware that is solely for the use of that particular cloud and is not shared with other users.


Cloud control panels are built with quick provisioning and deployment in mind. The process to get a new virtual server, database or other resource up and running typically takes only a few clicks through the administrative panel. A VPS requires you to upgrade your service manually, send in a support ticket to the provider, or call to get tech support to provide you with the resource needed, making a private cloud more convenient in this regard.


A private cloud is rather expensive in terms of hardware, as you have to shoulder the cost of the hardware, installation, set-up, and maintenance. This is lowered somewhat if you go with a hosted private cloud, but you don’t have the same level of control on a hosted cloud as you do with your own, on-site option. A virtual private server is vastly less expensive and even cheaper than dedicated server hosting. If cost is an issue, the VPS wins out every time.


VMware lends credibility to Cloud Essentials training

Even though VMware has a big educational program itself, it has aligned with the Cloud Credential Council on a number of vendor-neutral cloud courses. The independent certification of skill sets is cited as a distinct advantage.

Certified cloud courses currently include Cloud Essentials and Virtualization Essentials, which are also marketed together as Cloud Technology Associate.

Read more about the announcements:

VMware, CCC Team to Expand Courses, Extend Certifications to New Geos


If only your own data warehouse was this secure

Dr. Werner Vogels, CTO of Amazon (not just Amazon Web Services), unveils some interesting information on RedShift, Amazon’s service for data warehouses on demand. Its petabyte performance envelope and on-demand pricing are awesome enough, but here I would like to point out some of the security features of the service.

These range from physical controls to staff monitoring to multiple firewalls to hardware encryption. The blog post contains quite a bit more information. The controls are also audited. Unfortunately, these lists are not publicly available, though I have seen similar extensive statements from other providers.

If you think you can do better, you should consider starting your own cloud provider!

Cloud vendors’ fixation on price is costing them business

Cloud computing is cheap, right?

No, not really. Obviously it can be if you are a small user, and your capital outlay will of course be lower. But in a lot of cases I see, the total run cost is comparable to on-premises solutions.

Yet even though cloud vendors still play the price card, cloud buyers see things differently, a small survey conducted at Cloud Connect recently suggests. Here is a summary slide of the findings.

Cloud Connect Enterprise Cloud Adoption Survey

To me this suggests that cloud vendors could use some education and training in articulating the business value of their propositions to their customers. This will allow them to close more deals at higher values.


IT consolidation is just another word for private SaaS

When a well-known bottler of soft drinks in Europe looked at its IT portfolio, it noticed that it had separate ERP systems installed in each of the countries where it had operations. That was a major step ahead at the time. Now it had turned into a drag. Upgrading all those systems to the next version was a real pain in the neck. The upgrade project had to be repeated multiple times across the entire continent.

This was when they realized that there could be a business case in consolidating those systems. Instead of doing twenty separate upgrade projects, it was cheaper to spend all that money on one upgrade project and a better international network infrastructure.

In other words, they had to turn that ERP system into an internal cloud, a private SaaS cloud so to say.

Let’s review the essential cloud characteristics to see to what extent this is a cloud. NIST lists these as: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, and Measured Service.

The obvious characteristic is ‘broad network access’, which permits the entire ERP system to be accessed by all group companies. Resource pooling is an important cost driver in the business case, based on a reduced number of servers and support groups, and maybe software licenses. Rapid elasticity is a characteristic relevant to the operating companies, each of which can now grow and shrink its ERP usage much more flexibly than when it had its own system. From the perspective of the group, however, the ERP system is not very elastic. Measured service, finally, could apply to operating companies if they are cross-charged for their usage. This can be done in a number of ways, each with different implications.

This brings us to more business benefits. Depending on the cross-charging model, this might make it a lot more viable to start a new operating company, as it would have IT costs that grow with its business rather than being an initial investment. Broad network access and resource pooling might bring additional business benefits if this allows logistics to be optimized across the entire operating region.

Finally, the risks. Obviously the international connectivity becomes an important new source of hazard, whether a dedicated network or the internet is used. For the central IT, servers, application and support, the stakes are raised a lot higher. A failure of the application affects not just one company but the entire group. On the application management level, the structure and quality of the data now has to be coordinated over a lot more companies. Individual bespoke adaptations will be a lot harder. Even corporate structure may need adapting, as there will be a much more formal relation between group IT and the operating companies. Formal service level agreements probably need to be in place.

So, when you are consolidating IT, it might make sense to apply the lessons that are being learned in cloud computing.

If you want to learn more, visit my list of cloud computing courses and other resources.

Is CompTIA Cloud Essentials the right course for you?

Is Cloud Essentials the right course for you?

Many people ask me this question, so I have compiled a brief list of questions to help you in answering it.

Here is a list of the questions that you should be able to answer after the Cloud Essentials course. If you think you know the answer already, this course may be too basic for you. See further down for an overview of the knowledge that the course assumes you already have.

You will learn to answer the following questions:

  1. Which are characteristics of cloud computing?
  2. How does cloud computing lead to business value?
  3. What is the difference between cloud computing and virtualization?
  4. What is the effect of cloud computing on the balance sheet?
  5. Which type of business will probably not benefit from cloud computing?
  6. What information is essential to know before starting a virtual machine?
  7. What do we call the amount of data that can be transferred across a network link in a given time?
  8. What is the main criterion for selecting applications for a cloud pilot?
  9. Which assets are at risk if a cloud provider goes out of business?
  10. Why does traditional IT cost accounting not fit very well with cloud computing?
  11. The EU data protection directive requires data on EU citizens to be stored in Europe. True or false?

Here is some basic knowledge that is a prerequisite for successfully following the Cloud Essentials course. If this sounds trivial, you are good to proceed.

  1. You can give examples of computer hardware
  2. You know that E-mail, word processing, ERM and CRM are computer applications
  3. You can name some different web browsers
  4. You know that Windows and Linux are operating systems
  5. You know the difference between a website and a server
  6. You can describe what a software developer does
  7. You have some experience in using the internet
  8. You understand the basic difference between a processor, hard-disk storage and the network
  9. You have used computers in your work
  10. You can describe some of the tasks of an IT department

Remove barriers to the adoption of virtualization

Virtualization technology holds great promise for IT applications to run better, faster, cheaper, and more flexibly. But that won’t happen by just buying the latest and greatest product.

Today’s digital infrastructures consist of dozens or even hundreds of servers, terabytes if not petabytes of storage spread over multiple storage arrays, and potentially thousands of desktops, laptops, tablets and other devices. These infrastructures serve thousands of users with hundreds of different applications. They are supported by operational teams that are typically grouped by technical ‘silo’: server, network, storage, etc.

Managing these digital infrastructures properly while keeping agility up and costs down is a major challenge for IT departments.

This challenge leads to high cost, inflexible service, long lead times for projects and overworked support departments.

Who is going to help you get out of that mess? Vendors? Consultants?

Sure, vendors understand technology, but mostly their own technology. And there are probably no vendors that have a full suite of software that is a good fit for your situation. And how would you know? Infrastructure solutions are notorious for solving problems only partly. Look at how many versions Microsoft Windows had to go through before it was good enough for production use. Even today, an efficient Windows-based IT platform needs a lot of add-on software to make it manageable. While all of that technology may be a smart solution in the space it was designed for, chances are high that it either falls short of what your organization needs, or is too expensive or cumbersome to manage.

Let’s face it. The basic technology that IT runs on these days is based on PCs. Single-user, single-box devices, running a few applications only. Only gradually has technology been added to manage thousands of these as a flexible set of resources that can be adapted quickly to changing requirements.

Most of this technology is grouped under the name of ‘virtualization technology’. But we now have server virtualization, storage virtualization, desktop virtualization, network virtualization, application virtualization and more. All of these were introduced to compensate for some characteristic of PC technology and make it more usable for large-scale IT deployment.

Now what about bringing in some expensive consultants to shed some light on your IT? Let’s assume, for the sake of argument, that they are good, knowledgeable, and vendor independent. That still does not solve the problem that the internal IT department is often siloed in traditional IT disciplines. Virtualization is about new ways of consolidating IT to make it more flexible and resilient. For example, using a combination of server virtualization and storage virtualization, the risk of server crashes can largely be eliminated. Getting that to work requires IT teams to work together across silos. Getting them to work together requires that they have a common understanding of virtualization’s potential as well as the new risks.

This is the challenge that the Virtualization Essentials course was designed for. It enables senior IT specialists, architects and service managers (to name just the core jobs) to work together on the successful and profitable adoption of virtualization.

The Virtualization Essentials course is a 2-day, interactive, classroom-based learning experience. The course provides a balanced curriculum and addresses the business perspective, the technical organization, and operating and governing virtualization. The course enables participants to successfully complete the associated Foundation exam.

For more information on the contents of the course, visit

You can rely on me to deliver this learning experience. I am one of the most experienced vendor-neutral cloud trainers in the world, and I have trained over 100 individuals, and more than 40 candidate cloud trainers. Visit my LinkedIn page for independent proof.


Cloud in the Gulf region

What a ride it has been over the past weeks! I delivered a cloud training almost every week, cloud security as well as cloud essentials. I was out of the office a lot: locations in the Netherlands, France and Dubai. And as I write this I am at the Vienna airport after an interesting EuroCMG meeting, where I got to present on cloud costing.

In Dubai I was at the Gitex conference, the largest IT exhibition and trade show in the region, which welcomed 145.000 visitors last year. After the cloud conference that was part of it I got to do a one-day Cloud Security (CCSK) workshop. The organizers sold out the 50-seat room. It was the largest class I ever did.

The questions these people had were generally about how to get into the cloud, though for some getting into the cloud was equivalent to putting their servers in somebody else’s data centers. Apparently there is little experience here with outsourcing in general, even if only for housing.

In comparison to other regions I find the concern about network connectivity relatively high. That makes sense, as the Gulf region is fairly far away from most of the important data center locations in the world (think Amazon), and the world’s biggest internet pipes radiate out of North America, spanning the big oceans, opposite of this region.

The people who now come to my courses and presentations have a basic understanding of cloud computing. This makes part of my job easier. Nevertheless, people do not always interpret the basic cloud definitions correctly.

Advancing cloud awareness means I will be doing some planning on the next line of courses and workshops. Topics include: how do I figure out what applications my company is running in the cloud, and have these conform to whatever policies I might have. Another cry for help I hear at times is: “My CEO has defined a ‘cloud first’ strategy, it is now my job to implement that policy and I am clueless as to where to start.”

The current status of cloud knowledge is also such that I have decided to re-target my mailing list. Rather than catering for people who want a basic introduction to cloud computing, I will focus on people who want to apply that basic knowledge to their own business. For people that have passed cloud certifications I have other plans. Stay tuned.

Three steps to a private cloud

So you want to run a private cloud? Here are a few steps to take for you to make this a success.

The first step is to answer the question: why? Which business benefits of cloud computing are you after and why can’t you use public cloud solutions to fulfill them?

If you want to set up a private cloud to keep your existing system admins busy, you need to think again. Private cloud is a lot harder than it seems, especially if you want to do it right. You will need to invest in your IT staff.

The two main reasons for operating a private cloud infrastructure solely for your organization are capacity guarantees and security/compliance.

On top of that you are likely to want the business advantages that stem from public clouds’ essential characteristics: broad network access, rapid elasticity, measured service, on-demand self-service and resource pooling. Even though you won’t pool resources with other organizations, if you don’t share resources over business units and projects, there will be little benefit.

Once you know these expected benefits and characteristics you can move to phase two. You translate these into the features of your private cloud, and you need to figure out what processes and tooling you need.

You probably want metering and chargeback, automated configuration and self-service provisioning. These do not come with your basic VMware license. They require separate software, and processes to run them across projects and applications. Next, think of the skilled staff necessary for its set up and operation.

None of this is trivial to do. Take for example security. Traditional security measures based on segmented networks and fixed firewalls no longer apply. And you are creating a new and very sensitive role: the private cloud administrator with top-level root access.

Then in the third phase, you can start to move your applications to your private cloud. This is where your benefits are going to be. But expect a bumpy ride: not all applications move easily to the cloud.

If you need more detailed insight into private cloud, you can consider my Virtualization Essentials course, which covers server, storage and application virtualization and more.