Video Tutor: David Vellante
Video tutor David Vellante is an advocate for IT professionals, and a practitioner actively using social networks to foster collaboration and a sharing of free advisory knowledge. Mr. Vellante is also a former CEO, founder of three startups including The Wikibon Project, and is a former SVP of IDC's largest business.
Since cloud security is so complicated, how long do you think it will take before we really see a move to mission-critical cloud apps? Two years more? Three? Five?
First, here are my definitions of application classes.
Class 1: Development; file and print; small data marts, small-scale applications; database servers
Class 2: Medium-scale applications and database servers; data marts; small customer relationship management (CRM); small data warehouses; messaging (Exchange, etc.)
Class 3: Mission-critical applications; enterprise CRM; enterprise resource planning (ERP); large-scale online transaction processing (OLTP); large-scale database servers; large-scale messaging
Class 4: Large-scale applications requiring highest levels of availability, security, and recoverability
Click here to see the attributes of those classes.
Classes 1 and 2 are going to the cloud today. Class 3 is very limited today -- I would say three to five years or more. Class 4 is 10 years away or more.
David, you say that the cloud, in effect, expands the boundaries of the data center, with multi-tenant arrangements within the cloud more vulnerable to external threats. How will specific, "sensitive" verticals -- banking, healthcare, and others -- be persuaded to take advantage of the purported benefits of cloud security if the threatscape is in fact larger than something more partitioned and locked-down?
Thanks for the question, Amy. The answer is very carefully and slowly.
It will start with use cases where information risk is low; e.g., certain file shares, maybe test and dev work, or backup for non-sensitive data and perhaps some overflow capacity in limited cases. But I believe there's some "invention required" before such organizations are comfortable putting sensitive data in the cloud.
In Q10, you seem to be making the "Wal-Mart" argument in favor of clouds. But can all companies benefit from the security of the cloud and just drop all internal security products and personnel?
Should we assume that the cloud will only augment and assist the measures we have in place? Or should I be polishing my resume and preparing to relocate?
I see cloud computing as including the so-called private cloud, i.e., internal data center infrastructure. In my view, this infrastructure will evolve using cloud technologies that bring on-demand, pay-as-you-go models to the internal data center. I believe that internal security products and personnel will play a critical role in delivering cloud security -- particularly with respect to moving workloads off site and (importantly) bringing them back in-house.
So the answer to your (excellent) question is most definitely augmentation, with the understanding that the internal measures will evolve to leverage cloud-like security models for internal infrastructure. Examples include security templates being deployed in a virtualized shop (internal cloud) and the more rapid distribution of patches to virtual machines.
Your points cover the possibility of corrupted or deleted data being restored to a previously known, good point in time that does not jeopardize data that has been changed legitimately since that time. But what about the "real worst case scenario," in which hardware is lost, the program that generated the data in question is gone along with all the registry settings, and external links and DLLs that made it function are lost?
Most backup solutions make one full backup and never look back at those keys again. The data is still safe and sound. But without that, the application might as well be on the moon. I'm not suggesting that cloud security overlooks this event, but all backup solutions seem to ignore it. Or did I miss something?
It’s a question of RPO: recovery point objective.
Organizations with very stringent RPO requirements would make a full, synchronous replication of their data center, including the application. Further, organizations may even take the step of creating a third, asynchronous infrastructure in an effort to create a zero- or near-zero data loss environment.