Understanding the Cloud: Technology, Privacy, Security, Collaboration and Cost Savings

Introduction

The Cloud simply represents the next generation of services through online computer clustering and resource sharing, and yes, it really is more of a buzzword than anything else, as Cloud solutions existed before the term did. But the term is a bit misleading, as many use it at different levels. One may say “it’s on the cloud,” another may say “it’s a cloud solution,” and yet another may say “create your own private cloud!” So many different representations cause confusion among businesses and individuals alike.

The Cloud is a fad term. I want to make that clear. It doesn’t really mean anything other than “an online clustered service”. But this is so generic in nature it could apply to most anything; and it does. Cloud Services have been with us for a long time (e.g. Salesforce). The tech buzz terminology is simply applying a catchphrase that informs people “this is a multi-clustered online redundant system of sharing with an interface.”

To simplify things, let’s look at presenting the Cloud as it relates to a specific company or product. In most cases, it represents a service (or services) through clustered groups of computers which operate together in a bound and shared capacity, often with a custom framework and infrastructure including prebuilt software solutions which are accessible through specialized interfaces while touting security, privacy, speed, storage and cost savings. It’s a living breathing infrastructure and it’s nothing new. What’s new is how it’s being packaged and offered to businesses and individuals as an accessible “platform” one can use and access with just a few clicks.

Let’s take a look at three well known and publicized Cloud systems.

Amazon’s Web Services (AWS) is a combined set of Cloud services and a platform, where the company has a living, breathing infrastructure of servers offering a number of services through their custom-built framework. This includes hosting, data storage, e-commerce solutions and much more. There are so many services that Amazon technically has Clouds within Clouds. However, all services are offered through the same core entry point of AWS encapsulation.

Microsoft Azure is a Cloud platform used by developers to create, publish and host custom solutions. For example, there is no S3 equivalent for Azure by Microsoft, nor does Microsoft offer e-commerce solutions through Azure because it is a framework, not a set of Services. A company has to build their own products and then use the Azure infrastructure to host and deliver the solution. It’s really not that different from a company hosting their website with GoDaddy. As with most new infrastructures, it probably won’t be long before a leading-edge e-commerce company happens to build the next generation e-commerce solution (similar to AWS e-commerce solutions) which just happens to operate on the Azure Cloud Infrastructure.

Google has been operating Cloud services for some time in the form of Google Docs & Calendar, and they recently launched the Google Cloud Connect system (which is covered below). However unlike AWS and Azure, to my knowledge they have not yet produced a viable infrastructure allowing true Cloud customization for their services, but don’t worry – they will, especially as they work to refine their Chromium Operating System.

All major companies are embracing “The Cloud”

The upcoming Windows 8 release is “designed with the cloud in mind” and the Windows 8 Server will feature built-in cloud support which will allow people to set up their own “personal clouds” at home on their own hardware if they desire. Google already offers Cloud solutions and has many more planned. Amazon is connecting all of their major services within the AWS Cloud. Microsoft has launched Azure. And Apple is launching iCloud this fall, which they claim “stores your music, photos, apps, calendars, documents, and more. And wirelessly pushes them to all your devices – automatically. It’s the easiest way to manage your content. Because now you don’t have to.”

This means every major company that is leading the technology revolution is embracing the Cloud. Beyond that, future operating systems are all slated to be Cloud enabled, which means that just a few years from now, everyone will be hooked into the Cloud in one capacity or another, perhaps without even realizing it.

Understanding the Basics of the Cloud

An easy way to understand any Cloud system is that it has two layers. The first is the Hardware layer and the second is the Software layer. The Hardware layer provides computation power, hardline network access and storage. The Software layer provides interface, execution and data access. It’s that simple. Within this infrastructure most companies utilize virtual machines as well, encapsulating a set of resources (CPU/RAM/Storage) with software to better manage load.

Hosting companies like GoDaddy have been doing this for years; taking a set of hardware and breaking it into a number of smaller “virtual representations” of the hardware, allowing for common practices such as shared hosting. This is what allows a customer to host their website on a shared server with others while not having any awareness or connection with the other virtual machines. It’s all about delegating hard resources.

Cloud infrastructures are pretty simple to understand, as are Virtual Machines. While the two layer approach is the most basic breakdown, the more standard presentation of the Cloud is that of Application, Platform and Infrastructure. Applications are software, as is the Platform – but the Platform is designed to interface with the specific hardware infrastructure, so it operates as the “middle tier” that bridges the software and hardware layers together.

What makes Cloud solutions complex is the deployment, resource use, management and overall integration of the platforms and solutions while guaranteeing access, processing power, redundant storage, security, privacy and uptime. For example, while Azure has a great deployment infrastructure, developing an enterprise solution to be deployed via Azure, along with full database replication and bug-free functionality is a monumental task for any company, especially as it relates to managing live solutions catering services to millions of users.

Privacy

This is one of the most controversial and important aspects of any Cloud service. First, one must understand the fundamentals of exactly what privacy issues exist and secondly whether or not the company / infrastructure can be “trusted”.

Whenever you manage your data on or through another company’s infrastructure, you open yourself to risk. Good questions to consider are:

  1. What risks are you already taking (and not realizing);
  2. What would happen if someone did intercept your data or hack your account, thus acquiring and/or destroying your data; and
  3. How confidential is your data?

If you use any outside web mail client you’re already running and hosting your Email on another company’s system. Using Google Documents? They have copies of everything. And make no mistake, they can access and use the documents any way they want – all without you even knowing. Do they and will they? Not really and probably not. These are the fundamental checks and balances of reality. Don’t be paranoid, be smart. Google is in the business of providing services, not stealing people’s data.

Let’s consider a different scenario. What if you are a high profile individual working on state of the art technology to be competitive with Google, do you use their services to store your documentation? Of course not. Why? Because such a situation may be one of the few occasions somebody who works for Google just might decide to access your files. Anyone who thinks Google or any other company will never engage in any form of abuse is simply naive. Remember, it’s not the companies themselves who engage in abuse, but individuals within the company, and every major company has its bad people.

Rule of thumb! If your private data is so sensitive that you cannot risk it being stolen for any reason at all, don’t put it on the internet or in the hands of another. Ever.

Security & Compliance

Security is one of the biggest issues when it comes to using any outside system for personal or business purposes, and for large companies, Compliance standards can be critically important, especially if the data must meet specific criteria as defined by the law. Many cloud service providers obtain specific compliance types in order to act as a certified provider to their clients. Below are three of the common compliance standards everyone should be aware of.

SAS 70

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor’s examination performed in accordance with SAS No. 70 (also commonly referred to as a “SAS 70 Audit”) is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. In today’s global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

Many sites have the little “SAS70 type II certified” stamp on their site, like www.attask.com.

ISO/IEC 27001

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

Safe Harbor

In response to the European Commission Directive on Data Protection that could interrupt transfers of personal information from Europe to countries whose privacy practices are not deemed “adequate,” the U.S. Department of Commerce and the European Commission have developed a “safe harbor” framework that will allow U.S. organizations to satisfy the European Directive’s requirements and ensure that personal data flows to the United States are not interrupted. On July 27, 2000, the European Commission issued its decision in accordance with Article 25.6 of the Directive that the Safe Harbor Privacy Principles provide adequate protection. The safe harbor framework bridges the differences between the EU and U.S. approaches to privacy protection and ensures adequate protection for EU citizens’ personal information.

Amazon discusses their security features here.

Microsoft Azure presents their security features here.

Google hasn’t really released any security standards related to Google Docs (i.e. they don’t define compliance, and follow standard SSL mechanisms), but one company has stepped up and created a Google Docs security infrastructure called CloudLock, which may be of interest to businesses which want to use Google Docs as a living file and vault repository: http://www.cloudlock.com/

Hardware and Transport

Hardware for Cloud services is generally hosted inside data centers which have multiple layers of physical security, including 24/7 video monitoring and biometric access. This is a level of security above and beyond what most small and medium sized companies are capable of installing to protect their own systems. In other words, the security risk to the physical servers is minimal.

The real security risk generally lies with the transport and access points on the client’s end. This is why it’s critical for any company utilizing any off-site cloud, storage or hosting solutions to have a proper security audit conducted by a professional in the field.

Want to learn more? Leah Gabriel Nurik wrote a nice slide overview on ChannelInsider regarding Security Concerns over the Public Cloud.

Encryption

Those who are familiar with encryption can use it to protect their sensitive data and still utilize cloud storage systems without much concern that the hosting company could do anything negative with the files. However, it is one thing for a private individual with a single key to encrypt their files prior to using an off-site storage system (like Amazon S3); it is quite another for a multi-million dollar company utilizing dozens or even hundreds of keys related to hosting credit card information, confidential documents, and even Top Secret or government-related materials which require a specific level of protection by law.

For Personal Use

The Windows 7 Encrypting File System (EFS) works just fine for personal use. Note this is tied to a single user key (which must be protected at all times) and should only be used for backing up and restoring data. Once this data is secured, you can copy it to most any cloud-based storage mechanism. If you want to read up on the EFS, here’s a good starting point.

For Business Use

Above and beyond the previously covered compliance, one key thing to remember with public cloud solutions is that service providers generally have multiple data centers spread across regions worldwide. This means data may be moved without the customer’s knowledge. This is where more customized solutions come into play, and one must look at policy-oriented key management paired with regional server authentication while conforming to identity-based validation for business solutions.

Ashvin Kamaraju at TechNewsWorld wrote a good article on Cloud Encryption that’s worth reading.

There are also cloud-based encryption solutions which companies can look into, such as Trend Micro’s SecureCloud and Deep Security.

Obviously any business looking to embrace encryption within a Cloud solution should have an expert in this area to make the proper decisions as encryption for medium and large companies can quickly become a complex and critical issue.
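To make the single-key versus many-keys distinction above concrete, here is an added example (not from the original article) that encrypts the file bytes themselves before they go off-site, so what the storage provider holds is ciphertext regardless of the local file system. It uses envelope encryption, one common way to keep many per-file keys manageable under a single locally held master key; the pattern is this example's choice, not something the article prescribes. It assumes the third-party Python `cryptography` package and AES-256-GCM, and the function names `seal`, `open_sealed`, `rewrap`, `rejected` and `demo` are hypothetical.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size AES-GCM is designed around


def seal(master_key: bytes, name: str, plaintext: bytes) -> dict:
    """Encrypt one file under a fresh data key, then wrap that key."""
    data_key = AESGCM.generate_key(bit_length=256)
    file_nonce, wrap_nonce = os.urandom(NONCE_LEN), os.urandom(NONCE_LEN)
    aad = name.encode()  # binds both ciphertexts to the object name
    return {
        "name": name,
        "file_nonce": file_nonce,
        "ciphertext": AESGCM(data_key).encrypt(file_nonce, plaintext, aad),
        "wrap_nonce": wrap_nonce,
        "wrapped_key": AESGCM(master_key).encrypt(wrap_nonce, data_key, aad),
    }


def open_sealed(master_key: bytes, blob: dict) -> bytes:
    """Unwrap the data key, then decrypt; InvalidTag on any mismatch."""
    aad = blob["name"].encode()
    data_key = AESGCM(master_key).decrypt(blob["wrap_nonce"], blob["wrapped_key"], aad)
    return AESGCM(data_key).decrypt(blob["file_nonce"], blob["ciphertext"], aad)


def rewrap(old_master: bytes, new_master: bytes, blob: dict) -> dict:
    """Rotate the master key by re-wrapping only the small data key."""
    aad = blob["name"].encode()
    data_key = AESGCM(old_master).decrypt(blob["wrap_nonce"], blob["wrapped_key"], aad)
    wrap_nonce = os.urandom(NONCE_LEN)
    wrapped = AESGCM(new_master).encrypt(wrap_nonce, data_key, aad)
    return dict(blob, wrap_nonce=wrap_nonce, wrapped_key=wrapped)


def rejected(master_key: bytes, blob: dict) -> bool:  # True if authentication fails
    try:
        open_sealed(master_key, blob)
        return False
    except InvalidTag:
        return True


def demo() -> dict:
    master = AESGCM.generate_key(bit_length=256)  # stays with the data owner
    secret = b"constructed sample: unreleased product plan"
    stored = seal(master, "plan.txt", secret)  # all the provider ever holds
    flipped = bytes([stored["ciphertext"][0] ^ 1]) + stored["ciphertext"][1:]
    new_master = AESGCM.generate_key(bit_length=256)
    rotated = rewrap(master, new_master, stored)
    return {
        "plaintext_in_stored_object": secret in stored["ciphertext"],
        "round_trip": open_sealed(master, stored) == secret,
        "tamper_rejected": rejected(master, dict(stored, ciphertext=flipped)),
        "old_key_rejected": rejected(master, rotated),
        "file_ciphertext_unchanged": rotated["ciphertext"] == stored["ciphertext"],
        "new_key_opens": open_sealed(new_master, rotated) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

Rotating the master key touches only the wrapped data key, so the file stored off-site is never re-uploaded or re-encrypted; losing the master key, however, makes every stored object unrecoverable.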

IP, Trade Secrets & Control

When you use an off-site provider to store your data, you lose control. It’s that simple. This is why encryption is critical even for an individual home user, because when you encrypt and protect your data, anyone who “acquires” your files outside of your secured interface will find it nearly impossible to do anything with them.

One must take very special consideration when it comes to Intellectual Property (IP) and Trade Secrets. As mentioned above, does one really think placing a non-encrypted file which documents how a company is going to make Google Docs obsolete on Google’s Doc platform is a smart idea?

People do this all the time – fail to apply common sense management to their ideas and property. Your property belongs to you. Use your head when placing your property in the hands of another. Protect yourself. This doesn’t mean be paranoid regarding storing your files off-site or in a cloud solution – simply be smart.

Collaboration

Online Collaboration is a huge focus right now. One can see this with Google’s Cloud Connect service, which I think they should have named Google Collaboration. This shows even Google is jumping on the buzz word bandwagon when in a few short years the term Cloud will be as generic as Internet. It won’t mean anything other than “online” as most online solutions will be cloud-based in one fashion or another.

Many companies have built numerous collaborative solutions which are presented as Cloud Solutions. Below is a list of some of them which I recommend readers check out:

  1. AtTask – Total workspace management (projects, reports, resources)
  2. Central Desktop – Manage workspaces, people, projects, documents and processes
  3. Atlassian Confluence – Enterprise collaboration with the tagline “less email. Fewer meetings. Better results.”
  4. Cisco WebEx Connect – Online collaboration via video, audio, IM, etc.
  5. Zoho – A large number of solutions categorized into collaboration, business and productivity. Chat, docs, meetings, people, CRM, invoices, planners, calendars and more.
  6. HyperOffice – Another company workspace which includes Email, calendar, task manager, online document & contact management.
  7. Salesforce Chatter – General office collaboration (profiles, groups, file sharing, analytics, feeds, notifications, security, etc)
  8. SocialText – Social networking, blogging, wiki workspaces, mobile, integration, etc.
  9. Microsoft SharePoint – Another enterprise collaboration solution, very common among Microsoft companies.
  10. Basecamp – Project management with file storage, events, messages, etc.

As you can see, Cloud-based collaboration services are very popular.

Cost Savings

One big question remains: are Cloud Services even a money-saving solution for large-scale businesses? Microsoft has done a great job of creating Pricing and TCO (Total Cost of Ownership) Calculators. With these tools you can price out the costs involved in hosting via Azure and also run a cost analysis on using Azure vs. owning your own hardware, paying for your own bandwidth, etc.

In reviewing online data, it seems the agreed standard for Cloud use and cost savings is right around the 60% mark and the most common barrier in embracing Cloud services is simple resistance to change.

Another consideration is figuring in cost savings related to existing technology (porting) and new technology (designed from scratch to be on the Cloud). I don’t think there is any question new products specifically designed for Cloud deployment will entice large-scale savings in a much broader capacity than their legacy counterparts, especially for small and medium sized companies.

Final Thoughts

While the Cloud is just another step in the evolution of online computing, it’s a very important one to understand, as there are both great benefits and risks involved. This is common for each step associated with the growth of technology. But one thing is certain: those who understand with clarity exactly what the technology is and how to use it wisely will be in a much better position to benefit from it.

There are so many exceptional Cloud solutions already available (and many more planned) for individuals that it can be overwhelming. If you use Microsoft, Apple or Google products, you (and your business) will end up in the Cloud one way or another as the infrastructure will become the next technical standard as both individuals and companies embrace both current and future leading-edge services.

But remember, there is wisdom in using a combination of different solutions for both hosting and protecting your important data. For individuals, this could be in the form of a local encrypted backup on a fire-safe locked drive in addition to your S3 backup, and for businesses, this could be hosting customer credit card data on one company’s infrastructure and products data with another company.

I personally recommend embracing the Cloud services which are already available. Use the trials to try them out, look at the platforms for development (e.g. Microsoft Azure) and the services for handling your business needs – but always do your homework. Find out what security and compliance systems the services use, and determine (with common sense) what should be part of the Cloud and what should be kept strictly under your or your company’s control. If you do have a company and don’t have an expert in IT who can help with these decisions, get one as soon as possible. Do not engage in any actions which could jeopardize your company or its valuable assets unless you have somebody who can help make the decisions and solve problems when they come up.

The future of what is being presented today as The Cloud is exciting. More and more online connected services and systems will become available, empowering those who embrace them to operate more efficiently and with less cost and overhead. And the greatest thing about Cloud services is they are perpetually evolving. You will see updates on a regular basis as the services feel more like a living product, taking us further and further away from deployed builds which require hoops to be jumped through in order to update.

The future of what we know as the Cloud today is an always available living breathing set of services and even operating systems which are always at our fingertips and allow us to work more efficiently and productively. Soon, we will forget what it was like to be without them.