Recently in Security Category

A recent report by Forrester's Andrew Reichman titled Business Users Are Not Ready For Cloud Storage: Current And Planned Adoption Of Storage-As-A-Service Is Minimal For Now paints a picture for cloud storage adoption, that at first blush, is not encouraging.

He states:

In Forrester's Enterprise And SMB Hardware Survey, North America And Europe, Q3 2009 survey, we asked businesses about their interest in "hosted storage capacity" offerings. Interest was minimal at best. Forty-three percent of all respondents said that they were simply not interested, and another 43% said that they were interested but had no plans to move forward.

While it could be argued that as a cloud storage supplier, I am necessarily bullish about the ultimate prospects, I believe the data is actually quite good and clearly represents what we are experiencing in the marketplace.  Now, Mezeo is engaged with many service providers, as well as the early adopters in the enterprise space as they begin their evaluations.

When I look at enterprise cloud-storage adoption based on Everett Rogers' diffusion curve I see a pretty clear view of the typical market place approach to adoption of disruptive technologies:    

For new, emerging, and potentially disruptive technologies, we should look for what the next practices are, i.e. the practices of the innovators and early adopters. The survey reflects the typical technology adoption cycle and re enforces what we are experiencing in the market place.

11% of companies are taking the plunge - these are the early adopters and innovators.  The early majority (43%) is interested, and watching.  The late majority is not in the game, yet.

So we are on track. And to prove it, let's look at one of these enterprise-level innovators: General Electric.

According to IBM storage expert Tony Pearson, GE has implemented cloud-based backups and archive for GE Corp, NBC Universal and GE Asset Management divisions running at only 32 cents per GB/month, representing a 40-60 percent savings over their previous methods. This includes backups of their external Web sites, archives of their digital and production assets, RMAN backups including development/staging databases. They plan to add out-of-region compliance archive in 2010. They also plan to monetize their intellectual property by offering "CloudStorage Manager" as a software offering for others.

1. Security will continue to be a big issue for the cloud, and, unfortunately, there will be at least one event this next year that is disruptive to Cloud Storage adoption, be it data loss or unauthorized data access.  Security will be an even more important point of evaluation for the use of specific Cloud Storage service offerings. The “trusted service provider“  becomes a requirement when selecting a cloud offering.
   
   
2. Cloud Storage will be characterized by a single word, “more”!  More adoption, more cloud storage offerings by more IT service providers, more variation in cloud capabilities, and more worries and concerns about the cloud.
   
   
3. The intersection of enhanced mobile devices with better wireless bandwidth will be combined with Cloud Storage to create exciting new work/life blended digital life applications. The user experience is of paramount importance.
   
   
4. Cloud Storage will see extraordinary adoption as a solution for backup, archiving and for policy-based georeplication for disaster recovery.

As we enter 2010, I am going to focus on a series of articles to define the cloud storage opportunity and the business issues for the enterprise.  First, there are some "universal truths" that we need to better understand and define. 

The growth in unstructured data will continue, unabated.  We all know and understand that.  The issue is how to manage this phenomenon, while operating with the assumption that the growth will likely accelerate.  Since the growth is driving increased costs, the enterprise is on a continuous search to improve the way they can cost-effectively manage this growing data.  

Data may exist on removable media, on PCs and PDAs, on various servers within the organization, at data centers, at remote facilities, and potentially at various outsourced service providers.  The data may range from employee personal information (and even personal information from the employees associates) that is not associated with the needs of the business to non-confidential and confidential business information, some of which may be highly critical.  Disparate policies will need to be applied to the data ranging from no control to extreme control.   Of course, there will be the existence of  multiple versions of files adding to the total storage and further exacerbating the challenges of management.

There are many potential solutions to the problem as stated above, and most of them involve some sort of additional controls, policies and restrictions that control the proliferation of data and make it more orderly and secure.  These solutions are then combined with additional focus on reducing storage costs by staying aligned with new storage technology (which continues to reduce costs of storage), and the cycle repeats, endlessly.  In each cycle, trade-offs associated with costs, availability, security, access, restrictions occur, and rarely is there a "perfect" solution.

Is cloud storage a possible solution to the issues as surfaced above?  Is it a discontinuity, a departure, from the "business as usual" cycles associated with ongoing, incremental and continuous storage improvements when new technologies are introduced as they can be accommodated?  

Let's start with discussing cloud storage and its various capabilities.  Note that we are talking about a storage cloud that is housed at the enterprise data center, not a storage service provider.

(1) First, centralize the storage problem:

Cloud Storage addresses the necessary size and scale of unstructured data growth in the enterprise.  Generally, highly scalable file systems, including newer object based systems, provide the ability to manage incredibly large numbers of objects (objects of all sizes) in an efficient fashion.  This is combined with low cost commodity storage devices and servers.  Then a centralized storage pool is ready for use.  It is generally easy to add additional storage to this pool, and both backup and disaster recovery schemes are in place.  So, the first well known method of problem solving that cloud storage utilizes is "centralization."  Let's get a solution in place that we know can scale to the size of the data needs of the enterprise.
 
(2) Second, make it easy to use:

You can't use it if you can't get it, and this is where the topic of "thin provisioning" emerges.  Thin provisioning just means that it is easy to get a storage account (whether I am an individual user or an application / server) and I can get it quickly, no matter how much I need (in theory).  Further, as my storage needs increase, it is easy to get more - quickly.  There are issues like accounting for storage; managing growth and billing for it that also surround the notion of thin provisioning. 

Access is another big topic that surrounds ease of use. The enterprise has multiple needs here.  Legacy applications, utilizing file access methods like CIFS or NFS, will want to utilize the storage cloud.  New applications, written to REST Web services APIs, will also want to coexist.   Finally, individual users will want access from all their device types, including PCs (Windows and Mac, Linux), the Web, and PDAs.  All of this access manifests itself in interesting ways, including identity management of the credentials associated with using the service, bandwidth requirements for accessing the service from many diverse locations, and geo location of data (i.e., if you have several locations where the cloud data is kept, how do you decide which location to use?).

(3) Third, sync your files to the cloud:

Now that you have cloud storage, you ought to think about backup and sync to the cloud.  These two applications are different but somewhat linked.  Sync to the cloud can be used for both cloud loading (getting the data from the device to the cloud, in a background way so that the latency will not be a problem) as well as keeping a current copy in the cloud, but using the local copy on your device (the best of both worlds).  Since your most current copy is in the cloud, it is your backup copy.  Sync is also a solution for keeping files "sychronized" between devices and the cloud, so you always have an authoritative source of your file stored in the cloud.  Of course, all this is based on having cloud access from any device, anywhere (see number two, above).

(4) Fourth, create new, higher impact applications with programmable storage:

Programmable (using http, SOAP or REST APIs) access to storage is the next big revolution in storage.  Tagging, sharing, collaboration, easy search, easy and secure access and multiple views make creating new, high impact applications easier than before.  Take advantage of new functionality that is easily delivered.  Create applications that rely on your data and data that is external to the enterprise.  Develop these applications quickly and at lower cost.  If all you want is cheaper storage, you may be able to get by without a cloud, but without this capability you are missing the revolution that is upon us.

(5) Fifth, secure your cloud:

In my own survey of the industry, security is the major issue on the minds of the IT department evaluating cloud storage for the enterprise.  Several different aspects of security come into play.  Many of these issues are most often associated with using a multi-tenant storage cloud from a storage service provider. Nevertheless, four major security issues prevail before we even begin to consider the issues of going to the cloud at a service provider.

The four issues are:  physical security, unauthorized access, data loss (disaster or device failure related) and bit rot (a subset of data loss, granted).   All of these issues are no different than what you face with your traditional shared storage solutions and most of the solutions are similar.  Your current IT physical security solutions apply to an enterprise hosted cloud.   The identity management policies and practices associated with creating and maintaining account credentials address unauthorized access, just as they do with your current data management practices. Encryption can provide additional protection from unauthorized access. As a matter of fact, the security issues are already in play with your current storage methodology, so nothing new here, unless you move to a service provider hosted cloud (more on this later).

(6) Sixth, lower the cost of storage:

Cloud storage delivers the benefits as discussed in items one through four above, while requiring similar security to current storage activities.  How does it address costs?  First, cloud storage solutions generally allow for using commodity hardware, very scalable file systems, and highly automated provisioning and management solutions.  So, the hardware price equation of differentiation and premium pricing is disrupted.  True, the software doesn't come cheap, but remember that the public cloud storage services are "making the market" and the combination of commodity hardware, environmentals, and enabling software (file system, management and middleware from one or more suppliers) is meeting the external marketplace pricing.  Here is a simple model you should use (all figures expressed in cents/GB/Mo):

Commodity Hardware depreciation                                      $  .02
Environmentals  (data center, power and cooling)                     .02
Management (primarily people resources)                                .02
Enabling Software                                                                  .03 
Other                                                                                    .01                           

Total costs:                                                                      $  .10 (10 cents/GB/Month)

This represents a significant saving for a solution that provides all the capabilities that cloud storage delivers.  What's the catch?  Well, not every type of application and use case for unstructured data is ideally served by cloud storage.  However, many are, and the exceptions should be dealt with as one offs.  The real catch is not taking advantage of this new technology, and all the opportunities it offers, for lowering cost while delivering improved capabilities to end users and applications around the enterprise.

My next post will discuss hybrid, private and public cloud storage offerings, and where savings and security can drive significant benefits for enterprises who take advantage of the cloud storage offerings of service providers.

CloudStorageStrategy.com welcomes OpSource CEO Treb Ryan for an in-depth interview on cloud computing, from the perspective of the service provider.

NOTE: OpSource is a customer of Mezeo Software, the underwriter of this blog.

What are the opportunities you see in the cloud computing space, both for OpSource and your customers, and what impact has the downturn had on this?

It's interesting, but when people talk about cloud computing, they immediately go to the downturn and pricing - and cost being the big driver.  There's no question that cloud computing is cost effective, and it's accelerating adoption many times over, but what we're really seeing is something much more fundamental - a generation of users who are entering the workforce who've been using cloud computing all along; they've grown up on the Internet, and their interface to technology has always been through the Internet. 

As a result, this "Cloud Generation" has clear expectations of how technology should work:

1) it should be immediately available,
2) you do a search and get going,
3) it should be very flexible,
4) you should have ubiquitous access - anytime, anywhere,
5) sharing and collaboration - the expectation to collaborate and share anything they are working on.

This is not a generation which distinguishes between work data and home data - like my generation did. They've grown up with the concept of APIs and communities that grow around them; for instance, we see programmers who have grown up with Google and Facebook APIs, and now they expect that kind of thing in their work applications as well. So they're coming into the workforce and driving change in the workplace. They see technologies like client-server applications or hard-coded storage arrays pretty much the same way my generation saw green screens, mainframes, and mini-computers - as dated, inflexible, technology - hard to use, without nearly the power of cloud-based systems. So they have the day-to-day experience of the "consumer cloud" which they're now driving into business applications as well. 

To the Cloud Generation of programmers this means anything they can interact with on the Cloud they can program to through APIs. The idea of infrastructure being an item that can be addressed as part of the application, instead of something the application lays on top of, is a radical concept.  It has allowed not only for innovative applications, but also for true elastic computing making the Cloud environment even more flexible.



Great Cloud offerings have great communities around them. This is the aspect of Cloud computing that is so often missed - and even scoffed at - by the IT folks who think it's all about virtualization. One of the biggest gripes about Cloud computing is that support is done by the Community and not the vendor. While most will agree that far more proactive vendor support is necessary for Cloud computing, Community support is just as critical. For questions of configuration and usage tricks, the Community is a far better source of information than some call center employee with limited access. Often the Community devises more innovative solutions than the vendor ever could. And in addition to support, the Community can create third-party add-ins that make the Cloud even more useful.

The downturn has accelerated adoption from the top down as well.

We're seeing executives who have become enamored with this idea of the cloud - because of the ability to turn capital expenditures into operational expenses - and are pushing cloud computing into their organizations.  The CEO of one of our customers went so far as to tell his technical people - "now can you finally start using the cloud so I can get the board off my back?"

So, for different reasons, we have both top-down and grass-roots support for cloud-based applications, which makes this very interesting to say the least.

Which customer segments do you see leading the way in adoption?

Obviously, our traditional focus has been on ISVs and start-ups coming into Software-as-a-Service, business applications in the cloud, and we're seeing continued adoption of cloud infrastructure by those segments, but what has been interesting is that now that we offer the ability for any company to buy and use cloud infrastructure for any type of application, we're seeing a much broader spread of usage and adoption. Beyond the enterprise we also see widespread adoption by systems integrators, consultants, and VARs - upto 40% of our customer base - all without us targeting that segment at all.

How does OpSource differentiate its cloud offerings from other service providers?

We offer the best of the public cloud, combined with enterpise security and compliance, performance guarantees, and enterprise controls.

For instance, we offer:

• easy online sign-up & purchase with infrastructure provisioning in minutes
• pay by the hour and only for what you use, with no commitment (or purchase a monthly plan for a discount)
• a rich online community to share and collaborate with peers; get third party add-ins, images and configurations
• a web interface plus complete set of APIs

On the straight cloud, we provide a lot of the more robust, enterprise tools than you see from more consumer-based providers like Amazon, for example.

We focus on three different areas:

1) Security and Compliance: we provide a much more secure environment, because Opsource provides every customer with a Virtual Private Cloud within the public Cloud, allowing them to determine their own degree of public Internet connectivity. We also provide:

• Unique customizable security for firewalls
• VPN administration of all servers
• Unique username/password for each administrator
• Audit logs of all environmental changes
• SAS 70 audited
• 100% uptime SLA

2) Performance: we offer a multi-tier architecture with guaranteed latency in-between systems, sub-millisecond access time, industry standard technology, like VMware, instead of open-source, because that's where enterprise is comfortable.  Our 24/7 suppot also makes a diffence.

3) Control: today's cloud environment are single user environments, one user name and password, which is fine for individuals, but not so useful for the enterprise. We offer the ability to provision multiple users, do things like cross departmental billing, execute policy based control - which user can do what - and finally link all that back though an API to your existing management systems. So you can control how your users use the cloud same as you do your corporate datacenter.

So do you see any links into these large companies where they need to use ITIL for systems management?

Absolutely. OpSource has always focused on compliance as a major issue for our SaaS customers, eveything from SAS 70, PCI to European Safe Harbor, and even industry-specific ones like HIPAA, or government-specific certification, but in the cloud, we think about sophisticated  management techniques like federated authority and single sign-ons, and things like ITIL - while it's still in its infancy, it's shocking that most providers don't even have the ability to give their customers the critical capability to have more than one person manage the cloud for them - because they have a single user accounts. So while you can institute more sophisticated IT governance regimes like ITIL with the OpSource cloud, we give IT the capability to manage who does what, and track who did what, even if they aren't ready for something like ITIL.

So IT gets to do their own provisioning?   
  
Yes. So you want to know who provisioned what, how much it costs, and we give them that visibility instantly across their entire user community.  That way there are no surprises or charges they aren't aware of. It sort of reminds me of the controls I had to put in to alert me to my daughter's texting costs - so I'm aware of the charges before they get out of hand! I just blogged about this issue.

That's why you say that OpSource is what Amazon wants to be when it grows up... 

Absolutely.

And that's how you respond to cloud critics - the ones that say that the Cloud is not yet ready for the enterprise.

There are large parts of the cloud that are not yet ready for the enterprise. The cloud is still young, and it would be like asking that first 286 PC to run all of your corporate financials. However, a lot of these issues around enterprise adoption like security and compliance have been addressed, and are being taken care of, so as the cloud becomes more robust, we'll see increased adoption. We're seeing enterprise-level capabilities come to market that did not even exist six months ago.

We have just signed a partnership agreement under which OpSource will resell Gomez's Web performance management solution to our enterprise customers as well as use it to validate and monitor our own cloud performance service level agreements (SLAs). Through this partnership, we'll bring powerful performance monitoring to cloud computing, making it easier and more compelling than ever for enterprises to justify bringing their applications to the cloud.

Do you see infrastructure elements like storage growing now?

For true, full use of the cloud, we have to have the ability to access storage, go though the APIs to get to it, and give our customers a range of storage solutions, including cloud storage based on the specific application or need. We're giving our customers the widest range of choices.

What about agile programming? I heard you use agile methods to improve the customer experience.

Agile programming methods have helped us with not only development, but compliance and security as well. We talk to our customers to see how they are using our cloud offerings though our community, and we learn what's important to them.

We also test our offerings by having two programmers work on the same keyboard - literally  - one with the user story - so they can make sure that the customer is getting the exact functionality they need.

It's agile customer service.

Can you tell us a bit about your enthusiasm for composite applications (corporate mashups) and how they help your platform?

Of all the phenomenon in the cloud, we see the need for anytime-anywhere access and the idea that anything I can interact with I should also be able to program to.  So when Facebook enthusiasts start working in the enteprise, they bring their enthusiasm for integration as well.

So we see things in the cloud like direct access to the infrastructure as part of the application, which allows for all sorts of flexibility and robust usage.

We see real-time reporting applications of every kind you can imagine.  I myself am addicted to checking on everything that's coming out of our billing and customer systems tied into our Salesforce tabs.  So I'm always checking on the business in real-time via my iPhone.

I say this a lot, but integrating SaaS is a huge issue for today's enterprise. OpSource Connect can help SaaS companies -- of any size -- overcome integration hurdles and break out of the SaaS-only box. This speeds up adoption of SaaS in larger enterprise environments, opening the door for on-demand companies to cultivate business with large systems integrators. Plus, I'd say we're the only company providing Web operations from the ground up, addressing operational infrastructure, application management, and business operations. Today, integrations are expensive and one-to-one. For instance, while you can currently integrate your application with Google Maps as a composite application, OpSource Connect lets you integrate your app with many others, using just one platform. You can integrate your application with, for example, SAP, salesforce.com, Intuit QuickBooks, NetSuite, and a host of other SaaS and legacy applications. 

Everything is much more dynamic today, and programmers expect that. 

The announcement that Salesforce is integrating directly with cloud-storage Box.net is the tip of the iceberg when it comes to the future of the cloud:

Techcrunch explains what Box.net is thinking:

CEO Aaron Levie says that this is the first step in Box.net's plan to give businesses a secure way to share their files across multiple services on the web. He says that many of the cloud services geared toward the enterprise don't work well together -- oftentimes you'll have to reupload the same content to multiple sites to share or edit it. Box.net wants to help unify these services by serving as the central hub for your uploaded files, which you can then access from these other web-based services. Levie hints that we'll be seeing more integrations with other services in the near future.

What we are witnessing is the future of enterprise IT infrastructure. We have been talking about programmatic access through RESTful APIs for some time now.  This move by Saleforce is an evolutionary step in how enterprise IT will manage its IT infrastructure - it will be a cross-cloud platform, with applications and open access to the storage cloud of your choice.

Security is not an issue, and the future is about cross-cloud collaboration.

Phil Wainewright says that Box.net wants to be the "Switzerland of Data" - he's right and wrong.  Cloud Storage, provided by the various service providers are going to be the "switzerland of data storage."  Vendor lock-in is going by the wayside.

ReadWrite is spot on when they say that "you can start to see how platforms will evolve into service networks - where enterprise users may subscribe and get access to applications that they pay for on a per use basis."

The biggest threat then, is to traditional software vendors, and applications like Sharepoint.  We will see heated debates on this very topic in the days and weeks ahead.

A recent paper from Deloitte titled CFO Insights: Heading for the Clouds raises some very good points from the perspective of the CFO. It's worth a quick read.

In essence, the case is made that Cloud computing presents a significant opportunity because it allow companies to reduce the capital costs of information technology. It allows companies to convert the cost of computing from capital expenditures to primarily an operating expense. The author emphasizes that since the IT budget is often one of the largest expenses a company incurs, CFOs should ask their CIOs how they plan to leverage cloud computing to reduce costs and increase service responsiveness. In my view this is clearly a critical issue for CFOs looking to improve their financial results in a down economy.

Here are a few questions CFOs should ask:

• Is there a strategy to use cloud computing as part of the IT services mix? Companies need to take a "business service management" approach - only in reverse.  That is to say, they map out their "mission critical business processes" and leave them alone! Instead, they look to outsource non-critical IT tasks to cloud computing service providers who are better equipped to execute them, which frees up the internal IT organization to focus on business critical processes.

• What areas create the greatest opportunities for savings now? Today, cloud services for data storage and occasional high performance computing capabilities may be a good starting point. Clearly, data storage is one such area, especially storage of non-critical data - email, office aps, images, videos, etc.

• What applications will be migrated to the cloud? For small and medium-sized companies, enterprise applications such as customer relationship management (Salesforce) and accounting (Netsuite) are already moving to the cloud.

What about security, reliability, and lock-in?  These are the three issues most of us worry about with cloud deployments.  The article says that the level of computer security, data privacy practices and the expertise of major cloud service providers are likely to be greater than those provided by an in-house IT staff and systems.

And of course, you've got to check your service providers' SLAs, their backup and recovery policies. Here are SLAs from Amazon S3 and Softlayer, for example.

Bottom line? CFOs must embrace the Cloud if they are looking to improve performance.

We've discussed ITIL and Cloud Computing and the role of trust as a differentiator for service providers. Yes, we see the evidence that IT Hosting companies and managed service providers are closer to their customers and we see that their differentiation is their commitment to serving the customer.

But Amazon, Google, and Microsoft aren't going away. As they pressure customers to make the switch to the cloud, traditional service providers must find new ways to compete. Step one, of course, is providing alternatives - cloud services, like storage for example.  Step two is to highlight their customer commitment - the relationships they already have and defend this "advantage" by becoming even more responsive. 

So how do you build trust? According to Stephen Covey Jr. trust is built through behavior. His work has identified 13 behaviors which build trust:

1. Talk Straight
2. Demonstrate Respect
3. Create Transparency
4. Right Wrongs
5. Show Loyalty
6. Deliver Results
7. Get Better
8. Confront Reality
9. Clarify Expectations
10. Practice Accountability
11. Listen First
12. Keep Commitments
13. Extend Trust

But how do these behaviors translate to a cloud service delivery model? 

To answer this question, I dug up an old model for assessing service quality - SERVQUAL -  which was introduced to the world of service and retail back in 1988 (those were the days before ITIL).  SERVQUAL has its share of detractors, but even recent research reminds us that it is still a useful model.  In particular, I'm interested in how it can be used to help service providers improve and extend their intangible advantages over the more impersonal big shops.

Over the years, the SERVQUAL instrument has been a popular methodology used to measure consumers' perceptions of service quality. Its five generic dimensions or factors are still valid:

(1) Tangibles: physical facilities, equipment and appearance of personnel.
(2) Reliability: the ability to perform the promised service dependably and accurately.
(3) Responsiveness: willingness to help customers and provide prompt service.
(4) Assurance: includes competence, courtesy, credibility and security; the knowledge and courtesy of employees and their ability to inspire trust and confidence.
(5) Empathy: includes access, communication, understanding the customer; caring and
individualized attention that the firm provides to its customers.

None of these dimensions will change in the cloud, with the exception that some of these dimensions are now virtual and must be proven online (customer support, for example) or through superior automation of work processes.

Let's also analyze the SERVQUAL "gap model," as it was called, and see how it applies to service delivery in the cloud:

Let's look at the meaning of each "gap" - the possible breakdown areas in service delivery:

Gap 1: Customers' expectations versus management perceptions: caused by the lack of a marketing research orientation, inadequate upward communication and too many layers of management.

Gap 2: Management perceptions versus service specifications: caused by an inadequate commitment to service quality, a perception of unfeasibility, inadequate task standardization and an absence of goal setting.

Gap 3: Service specifications versus service delivery: caused by role ambiguity and conflict, poor employee-job fit and poor technology-job fit, inappropriate supervisory control systems, lack of perceived control and lack of teamwork.

Gap 4: Service delivery versus external communication: caused by inadequate horizontal communications and propensity to over-promise.

Gap 5: The discrepancy between customer expectations and their perceptions of the service delivered: caused by the influences exerted from the customer side and the shortfalls (gaps) on the part of the service provider. In this case, customer expectations are influenced by the extent of personal needs, word of mouth recommendation and past service experiences.

Gap 6: The discrepancy between customer expectations and employees' perceptions: caused by the differences in the understanding of customer expectations by front-line service providers.

Gap 7: The discrepancy between employee's perceptions and management perceptions: caused by the differences in the understanding of customer expectations between managers and service providers.

Three of these gaps are directly connected external customers: Gap 1, Gap 5 and Gap 6.  Service providers will find their optimal "trust-building" opportunities here.  Apply Covey's 13 behaviors to each one of these gaps to build on your commitment to your customers.

Amazon, Google, and Microsoft aren't building a high-touch responsive model for their cloud services. But you, the service-provider, already have a high-touch relationship. Your cloud-based SLAs must reflect this advantage. The security issue is just a small part of this reality.

Service providers who dedicate themselves to closing the gaps will succeed in this new world.

The quest for quality service didn't start yesterday. I highly recommend that service providers give Delivering quality service: balancing customer perceptions and expectations by Valarie A. Zeithaml, A. Parasuraman, Leonard L. Berry, a second look.

Articles and blog posts associated with security and cloud computing are a daily occurrence, unless some well-publicized breach occurs in the cloud.  At that point the number of commentaries and discussions will increase exponentially, and then, over the following week, return to normal frequency.  I decided to focus on security as it relates to cloud storage, to see if something really new and different is occurring, and if overall changes need to be contemplated, as it comes to classic data security activities.  When I focused in this way, I quickly discovered that not much has changed, and security of data in the cloud is highly dependent on the same precautions and understandings as security of your data in a private data center.

In this recent article, it was suggested that files of one owner residing on a physical device with the files of others could somehow result in unauthorized access. It could, and the answer to this and a myriad of concerns fits within traditional approaches and understandings of security.   For example, Mezeo encrypts all files prior to storage.  So, even if you somehow got access to another's file, it would do you no good.  My point is that the cloud introduces a few additional complications, but it is not a problem that the current level of speculation seems to portray it as.  An extension to typical security practices, diligence, effective execution and audit of your current practices is what is required.

With this underlying theme, we look at how best we can ensure the security of the data in the cloud. Let's look at five areas that you should consider in regards to storing data in the cloud.

1. Physical Security: First, understand some things about the data center that is hosting the cloud where your data is stored:

• Is the data center physically secure? 
  
• What about it's ability to withstand power outages? 
  
• For how long? 
  
• Are there multiple, independent (on different grids) electrical power paths? 
  
• How are communications facilities enabled and where does the fiber enter the facility?
  
• How many communications providers have a POP (point of presence) at the facility? 
  
• How is the data center certified (SAS 70 Type II)?  

World class data centers are expensive, and they are also well understood.  What is the tier rating of the data center? (Tier IV is best). Make sure you do business with a cloud storage service provider who makes use of such facilities.

2. Data encryption: Encryption is a key technology for data security.  Understand data in motion and data at rest encryption.  Remember, security can range from simple (easy to manage, low cost and quite frankly, not very secure) all the way to highly secure (very complex, expensive to manage, and quite limiting in terms of access).  You and the provider of your Cloud Storage solution have many decisions and options to consider.  For example, do the Web services APIs that you use to access the cloud, either programmatically, or with clients written to those APIs, provide SSL encryption for access, this is generally considered to be a standard.  Once the object arrives at the cloud, it is decrypted, and stored.  Is there an option to encrypt it prior to storing?  Do you want to worry about encryption before you upload the file for cloud storage or do you prefer that the cloud storage service  automatically do it for you? These are options, understand your cloud storage solution and make your decisions based on desired levels of security.

3. Access Controls: Authentication and identity management is more important than ever.  And, it is not really all that different.  What level of enforcement of password strength and change frequency does the service provider invoke? What is the recovery methodology for password and account name?  How are passwords delivered to users upon a change?  What about logs and the ability to audit access?  This is not all that different from how you secure your internal systems and data, and it works the same way, if you use strong passwords, changed frequently, with typical IT security processes, you will protect that element of access.

4. Service Level Agreements (SLA): What kind of service commitment is your provider willing to offer you? Are they going to be up 99.9% of the time or 99.99% of the time? And how does that difference impact your ability to conduct your business? What is the backup strategy that your cloud provider uses, and does it include alternative site replication?  Do they use one at all, or is backup something you have to provide for?  Is there any SLA associated with backup, archive, or preservation of data.  If your account becomes inactive (say you don't pay your bill), do they keep your data?  For how long?  Once again, realize that there are different services, with different features, at different costs, and you get what you pay for.

5. Trusted Service Provider: The trusted service provider is a critical link.  Unlike your in-house IT department, you are now putting your trust in a 3rd party.  You must feel confident that they will do what they say they will do.  Can they demonstrate that the safeguards they claim are indeed delivered?  What is their record?  Do you have a successful business relationship with them already, and if not, do you know of others who do?  Remember, are they in business to serve business, or is it simply another service that they offer, focused first on cost per gigabyte, versus service and support.  This is where many IT service providers have made their living, providing world class service and support, along with effective, efficient, low cost infrastructure.

So what has really changed? More than anything it is a heightened awareness of the need for security.  Security is delivered on a sliding scale, and the result you achieve is based on well understood principles.

Of equal interest are the legal implications associated with hosting your data at service providers.  You can extend the notion of security to access by various government entities, depending on where your data is hosted.  While the focus of this post has been associated with preventing unauthorized access, this is yet another consideration associated with where your data is stored. 

Sure, cloud storage requires that you add some additional and/or different considerations to your evaluation and monitoring process, like understanding your service provider versus your own IT department.  The IT Service Providers know and understand the importance of this. Most will step up and ensure that they deliver excellent service to you and become your long term Trusted Partners. Those that don't will fall by the wayside.

One of the interesting side effects of the rapid adoption of Cloud Computing by the enterprise is the impact this adoption will have on the design and delivery of IT service processes.

In his article Assessing cloud providers, Frank Ohlhorst reminds us that "moving to the cloud is primarily a business decision" dependent on the metrics of ROI (Return On Investment), performance, sustainability and suitability to task.

Managers, writes Ohlhorst, must be prepared to do the following:

- audit the target applications and business processes impacted to create a cost-benefit-risk analysis that compares a traditional client/server solution to a cloud-based solution.
- audit the cloud services provider, including an assessment of geographic redundancy, packet transport performance, latency and service guarantees.
- audit the business's own ISPs, including performance at connecting points, failover capabilities and guaranteed throughput rates to and from the cloud services provider.
- monitor and frequently evaluate service and performance elements.

Thus, Ohlhorst tells us, "one of the first steps for choosing a cloud service provider is to evaluate the level of service offered and the guarantees behind that service." His view is that the Service Level Agreements (SLAs) must be scrutinized under three specific lenses: data protection, continuity and costs.

While this is a traditional IT view, and seems quite logical, we disagree with his suggestion that IT Managers can turn to the Keynote Internet Testing Environment (KITE) and Internet Health Report to measure performance.

Why? Because these are uptime measures, not measures of service performance.

If you're familiar with ITIL V.3, you'll recognize this service model overview:



In the ITIL world, service management can be broken into the following components:

- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement

Traditional IT systems management thinking leads us to associate systems availability with service availability, so that if a network component is running normally, we assume that the services running across that network component are also running normally.

This is largely the view being taken by the traditional systems management companies. It is what we are seeing in announcements like this one from BMC Software and Amazon.com.

But the cloud service model is different, and - while it's great to see BMC extending its enterprise systems management platforms to incorporate Cloud infrastructure - Cloud computing brings about a different measure for service performance, best exemplified by a new breed of cloud computing management vendors like Nimsoft. Their view is as follows:

The "pay-as-you-go" nature of cloud computing breaks the link between component and service performance: typically, organizations pay for capacity or throughput, rather than specific components. Plus, the highly dynamic nature of the computing infrastructure that exists in the cloud makes traditional CMDB (or simple list) based systems management virtually impossible to implement. All the traditional server and network reporting that shows 99.999 up-time will become secondary and probably irrelevant for future service level management and reporting. What this means is that synthetic transaction monitoring--that is, generating, monitoring, and reporting on simulated service requests--will be of paramount importance.

This perspective puts an interesting twist on ITIL's IT Service Management model. Since there is no way to predict which cloud computing infrastructure components are accessible at any point in time, service delivery processes in the enterprise - and SLAs from cloud computing service providers - need to be all about service reliability rather than component reliability.  This is a paradigm shift. 

As we have written previously, cloud computing is unleashing the potential of SOA (Service Oriented Architecture) applications.  In a world of SOA applications running on Cloud infrastructure, the concepts of IT service delivery in the enterprise and SLAs from service providers will rest upon services and processes that can run on any infrastructure components within the cloud.  The notion of using discrete infrastructure components as the basis for measuring service quality goes away.  This is the philosophy of the new breed of cloud systems management providers: the focus of availability and performance measurement moves toward measuring the user experience.

And, as this transition comes about, what happens to CMDB-based systems management? How do we think about the CMDB when the management of these infrastructure parts is abstracted even further away from application peformance?  Does anyone see a new "cloud edition" of ITIL service delivery on the horizon?

Once again, there is an opportunity here for service providers to seize the initiative.

The current issue of InfoStor contains an article by Jeff Boles, "Use Cases Make the Case for Cloud Storage," in which he provides some key examples illustrating why we at CloudStorageStrategy.com believe certain key principles will shape the future of the cloud storage industry and cloud computing more generally.

Specifically, the article highlights three things:

• Cloud storage will bring disruptive change to several large market niches.
• Cloud storage adoption will be evolutionary, starting with archival and long-term storage.
• Relationships, account management and custom solutions are still important in selling solutions to the business market.
  

Disruptive change. As we have discussed before, cloud storage brings game-changing pricing and service capabilities that will disrupt entire industries. Specific industries such as disaster recovery, data protection and recovery, records management, and other data services will be changed, as pricing and service delivery models are completely overturned. For the most part, customers and service providers will find the new pricing models liberating, as services that have been affordable to a few businesses will become relevant to a much larger segment of the market. Jeff provides examples of new services being launched by Iron Mountain. Whether or not Iron Mountain is successful in navigating the disruption that cloud storage will surely bring to its records management, data protection and recovery business, these moves by Iron Mountain are at least reflective of a corporate recognition that disruptive change is underway. Many new entrants are pursuing this market with innovative solutions and aggressive business models. The future of this market segment, and many other segments such as disaster recovery, will be interesting to observe.

Evolutionary change. Cloud storage will change the storage market, but it will change different segments of the storage market on different timescales. Jeff has it right in saying that file archiving and other forms of long-term storage will be the use cases that drive adoption of cloud storage solutions in the early going. At the other end of the spectrum, database storage will be among the last types of storage to move to the cloud. In setting expectations about the adoption rate of cloud storage, we need to keep in mind that use cases will drive the adoption rate. Legacy storage systems will remain in use, and will continue to be upgraded, for a long time for many use cases. Success for cloud storage solutions isn't so much about displacing all legacy storage systems; it is more about improving price/performance of certain existing use cases, as well as creating new use cases.

Solution selling. The "cloud" moniker tends to be associated with Web-based and credit card sales models. "Cloud" is independent of sales model. In the case of storage, cloud storage implies Web services API access and Web-scale multi-tenant architecture. While there are consumer-oriented solutions for cloud storage, the commercial market will embrace cloud storage. As Jeff points out, business customers demand security, portability, performance, availability and access - all within the context of their business applications and their IT governance policies. One-size-fits-all cloud storage solutions, such as Amazon S3, will certainly continue to have their place in the world, but cloud storage proponents need to recognize that an equally large market opportunity exists for those who can integrate high-impact business solutions on a cloud storage platform. Ultimately we will see a large number of mature service provider solutions that are customizable for mid-tier and enterprise customers, and configurable for the small business market. These service providers will spearhead the disruptive and evolutionary change as they drive adoption of cloud storage solutions.