2010 in review

The stats helper monkeys at WordPress.com mulled over how this blog did in 2010, and here’s a high level summary of its overall blog health:

Healthy blog!

The Blog-Health-o-Meter™ reads This blog is doing awesome!.

Crunchy numbers

Featured image

A Boeing 747-400 passenger jet can hold 416 passengers. This blog was viewed about 4,400 times in 2010. That’s about 11 full 747s.

In 2010, there were 4 new posts, growing the total archive of this blog to 60 posts. There were 2 pictures uploaded, taking up a total of 175kb.

The busiest day of the year was March 24th with 68 views. The most popular post that day was Private Cloud Computing Reference Architecture .

Where did they come from?

The top referring sites in 2010 were twitter.com, lmodules.com, linkedin.com, cloud-computing.learningtree.com, and cloudenterprise.info.

Some visitors came searching, mostly for iaas, iaas paas saas, paas, cloud computing architecture, and hardware as a service.

Attractions in 2010

These are the posts and pages that got the most views in 2010.

1

Private Cloud Computing Reference Architecture March 2010

2

(Cloud Computing contd..): IaaS, PaaS & SaaS April 2009
1 comment

3

Cloud Computing Reference Architecture January 2010
1 comment

4

Security, Risk & Compliance for Cloud Computing Model December 2009

5

Flirting with Cisco UCS (Unified Computing System) January 2010

Private Cloud Computing Reference Architecture

this post is a follow-up to my post on Jan 28th 2010 on cloud computing ref arch.

the change is around the compute part. in a private cloud, there may exist scenarios when virtualization may not be an option. for example – some legacy applications can only scale up and not scale out or require a dedicated hardware to run etc, or a particular OEM may not support a business critical environment in a virtualized environment (yes i know that you know which OEM am i talking about 😉 )in those cases, one needs physical server instances instead of virtual instances that are typically associated in a cloud environment.

however, these physical instances will still need the orchestration, metering and billing that one does for virtual instance. this architecture is modified to reflect such a requirement.

Private Cloud Reference Architecture

comments/criticism/feedback welcome!

Security Control Attestation for Cloud Computing Providers

While working on one of the  initiatives in the cloudsecurityalliance.org working groups, we had an interesting exchange of ideas on relevance of SAS 70 and similar certifications for cloud service providers. There were viewpoints that such certifications may not be sufficient & their usefulness debatable when it comes to cloud environment & various flavours it has to offer.

In this post, I preset my views on the subject

To understand how such certifications can help the Cloud service providers, we can look at the strategies various IT sourcing providers with global delivery models adopted when it came to providing assurance to their customers on Information Security & regulatory compliance.

In the early years of outsourcing, (around 2000 – 2004) there were lot of apprehensions expressed by potential customers around the state of Information Security, Risk Management & Regulatory Compliance when outsourcing to IT service providers, be it HP, IBM, CSC, EDS, HCL etc. The IT service providers knew that to get customers business, they need to provide a reasonable assurance on the state of Information Security to their customers.  In any outsourcing discussion that took place around that time, there used to be a huge focus on such topics.

What these providers then did was,  they adopted industry best practices and standards like ITIL and BS7799 (now ISO27001). Then they got an external body to audit and certify the state of these controls in their delivery centers (certifications like SAS 70 Type I&II to demonstrate the presence and effectiveness of the implemented controls). On top of that, some of these providers also allowed their customers to audit the security controls implemented at the provider’s delivery centers at random either by customer’s internal auditors or by customer external auditors.

Over time, the adoption of the industry standards combined with SAS reports and yes ‘right to audit’ did provide a reasonable assurance to the customers. Many of these providers have been successfully able to demonstrate the state of information security at their delivery centers to the existing and new customers and the business has been good.

Now, is it guaranteed that just because these providers have SAS 70 certifications, all is well at their centers? I don’t think anyone can guarantee a 100% secure environment.

I think the cloud computing market will evolve in a similar manner. It would require cloud computing providers to implement necessary controls, adopt standards, furnish recognized certifications as a proof of effectiveness of the controls. Without these certifications, these providers will find it tough (just like the IT outsource providers) to demonstrate effectiveness of the controls implemented by them.

Having said that, I also think that cloud computing service providers will also be required to let  customers the ‘right to audit’ on top of these certifications.Especially enterprise with enough business potential will be able to muscle their way with the providers.

I recently met a cloud computing provider and asked them about the right to audit and they said – they wont let customers audit their facilities and even refuse to divulge the location of their DC’s. I don’t see them winning too many favors with auditors with such an approach, especially those who are very particular about data sensitivity and regulatory compliance. These providers may continue to get the non-critical portion of the enterprise  IT environment. Unless reasonable and acceptable assurance around Information Security & regulatory compliance  is provided, the critical, sensitive corp apps are likely to stay within the enterprise DC probably in a private cloud kind of setup.

Cloud Computing Reference Architecture

my first attempt at defining a reference architecture for cloud computing. will appreciate any feedback…good/bad/ugly :-). based on the feedback and the discussions i am hoping it will evolve positively.

i will also make an attempt to map offerings from the likes of AWS, Microsoft on the architecture going forward. will also try to map offerings under VCE intiative into the same for private cloud implementations.

Cloud Computing Ref Arch V1

Flirting with Cisco UCS (Unified Computing System)

i recently got an opportunity to work for a customer’s DC consolidation requirement where we Cisco’s UCS was explored as an option.

this is a tagholder for the post 🙂 – i will post my analysis along with some numbers to present my experience with Cisco UCS soon.

Cloud Security Alliance Guidance Document v2

CSA has released the version 2 of cloud security guidance document. it is available at –  http://www.cloudsecurityalliance.org/csaguide.pdf

it was privilege working with so many of my peers located in different parts of the world. it is actually amazing that so many of us could collaborate and work collectively on this initiative.

Security, Risk & Compliance for Cloud Computing Model

IT has long struggled with the issue of securing the information and the underlying assets in tradition IT environments. There have been debates around how much security is enough. Over a period of time, various models have evolved to enable an enterprise get a grip over the information security issue. Most approaches encourage taking a risk based approach to measure adequacy of existing controls & identify areas of improvement to bring the risk to an optimum risk level.

Now, with the evolution & popularity of Cloud computing model in the recent time, it has added new dimensions to the concept of information security. There is a lot of discussion is taking place within the IT industry but there is still a haze around the security, risk & compliance issues. I believe that with time, a clearer picture is likely to emerge as Cloud service providers realize the importance to address concerns around information security and emergence & adoption of standards.

In my opinion, key issues around security, risk & compliance in Cloud computing model are:-

Governance – one of the concerns customers have expressed is the loss of governance over the service that is now provided in the Cloud. The control now resides with the Cloud service provider on issues like location of data, implementation of security controls and their functioning etc. This lack of overall control and hence over some of the topics that can potentially impact security, risk & compliance issues is a serious concern for the organizations exploring the use of Cloud based services.

Access Control – how do you control the access to the information residing in the Cloud? While models are emerging to control the end user access like OpenID etc, one of the key issues is around control access for the privileged users like administrators.

Data location within Cloud – this is another important concern since it has lot of regulatory & compliance issues. The location of data residing in Cloud also has implications on legal jurisdiction and implications of regional/country specific data privacy requirements.

For example – some of my customers especially in non-US geography have specifically expressed concerns around the implication of US patriot act on the Cloud computing services.

Securing Data at Rest – how secure is the information residing on the Cloud in a shared environment? Information segregation and encryption are key topics that are being discussed to address concerns around information assets in the Cloud.

Regulatory compliance – Organization do need to understand that while the responsibility of security the underlying assets may rest with the Cloud services providers, the responsibility & accountability to secure the information still rests with the enterprise. Traditional IT organizations are faced with lot of audit (internal & external) & security certifications like ISO27001/SAS 70 etc to demonstrate an acceptable level of presence & effectiveness of security controls. Similarly there will be a need for the Cloud service providers to accommodate their customers internal & external audit requirements along with an acceptable demonstration of presence of security controls within the Cloud services offered by them.

Incident Response & Forensics – another important point of concern is around support during incident response and forensics. Due to the shared nature of the Cloud based services and the fact that the service provider can host the data in any of the data centres, establishing log/audit trails to enable Incident Response and to support forensics can be a challenging task.

Organizations are realizing that when using a Cloud computing services, there is a limit to the security controls that can be implemented and enforced. One needs to rely on the controls that are implemented by the Cloud service provider and trust these controls are adequate and working the way they Ire designed. Similarly, there is also a limitation on how much audit information can be generated, collected in a tamper-proof format, retained and if that is adequate to satisfy an organizations audit requirements.

I believe that while enterprise will continue to use public Clouds, the IT spend on setting up private Clouds will increase over a period of time. Public Cloud services will be used to host non-critical services by the organizations while they will use the Cloud computing model within their organizational boundaries to benefit from the concept of Cloud computing while ensuring security, risk & compliance issues are within their control. I are most likely to see emergence of industry standards and also some guidance movement by government bodies on the topics of security, risk and compliance for Cloud services.

references:- http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport; twitter feeds on cloud