OK, so we were digital long before 2002, but it was then that the amount of data stored digitally overtook that which was stored in an analog manner. A recent analysis of ‘all’ storage also showed that we now have enough capacity for 295 exabytes of information… which is about 404 billion CDs.
Of course how much of it is actually used is not presented – and neither is how much of it is repeated, i.e. the amount of unique data is probably just a fraction of that. Finding things you know exist becomes harder each day, and a good friend Adrian Seccombe has written a short post on just this problem… losing things in your digital pocket. For enterprises this particular problem is worse, with thousands of hours of productivity lost each year due to people looking for data they know exists but can’t find – and then trying to reproduce it.
Archiving with full-text indexing is one option – but that is often catching less and less information as more ‘digital pockets’ are used. Furthermore, the loss of an unsecured ‘pocket’ could now result in a £500K fine from the Information Commissioner’s Office (ICO). Data growth is inevitable, but as the legislation evolves to encompass new working practices (the cloud, consumerization of IT, social networking sites, …) so too will the risks. As ever, it is time to revisit policies around security and data management and check that they have moved with the times… and if not, make the change before they become a liability.
ENISA has recently produced a report as part of their cloud computing initiative which looks at Security and resilience in Governmental Clouds (gClouds). The report makes for interesting reading – if you happen to be a government, BUT it is also very useful to other organizations that are considering moving applications to the cloud.
It gives some good examples for carrying out a comparative risk assessment – figuring out which cloud is best for which applications / data. For example, whether to use a private cloud, a public one, or a community cloud (shared with known others). This is an important step for everyone moving to a cloud solution, but it is often overlooked – or rather replaced with the simple ‘Cloud: Yes/No’ decision point. There is also an excellent list of resilience threats – all of which are pertinent to the private sector. Well worth a read…
The news last week was that EMC was closing its Atmos cloud storage service with immediate effect – you can keep using it for developmental purposes but that’s about all.
Why did it close? Industry analysts said that it never took off, and recent surveys show that it is still a way off becoming mainstream.
So… what if you have data in a cloud service provider and it decides to shut down the service? EMC isn’t the first to do this, and it won’t be the last – you do need a contingency plan. In this case, there is a grace period where you can get your data out – but, as a simple task, work out how much data you have and how much bandwidth, and figure out how long it would take to get the information out. This is a simplistic view, as everyone else will also be trying to get their data, so bandwidth is going to be under severe strain (the equivalent of a run on the banks…). Do you have enough local storage to hold it all? And if you have data being processed by an application, will you be able to get your hands on the application as well?
Let’s assume you did manage to get your data out: how long will it then take to get it reloaded onto another service provider’s cloud and get the application back up and running?
Business Continuity / Disaster Recovery needs to take into account outsourced (out-tasked) IT services and have contingency plans for service outages and shutdowns – planning should start now… after all there’s no time like the present.
So, you are using the cloud and all is going well. New upgrades to the software appear at regular intervals providing new functionality… all is going well. But what happens if something goes wrong? Twitter has just had such a problem, and it took down the service for many users. Who cares… it’s just Twitter?!?!? Well, quite a few companies have Twitter as a key part of their communication strategy these days, so when it’s down it does make a difference. However, the real issue here is the risk around upgrading cloud applications.
Obviously, the vendor doesn’t plan to make a mistake – but what if they do? What if it was your CRM system, or your ERP solution? In this particular instance, there were missing, late and/or duplicate entries… what would happen if this were your ERP system – could it handle the problems and, more importantly, would you know about it before the auditors?
Part of any risk analysis for the business needs to include the risks associated with 3rd party suppliers – and IT and data handlers are no exception. Service Level Agreements need to reflect these possibilities and potentially have clauses for reverting (quickly) to earlier versions, rather than bug-fixing on-the-fly to resolve issues. Now is the time to take a look at the contracts you have – and ask your supplier the questions… “What if an upgrade goes wrong?”
The keynotes and education program are looking as strong as ever and mobile seems to be the top topic. Since moving to Earls Court last year the space for the exhibitors is much improved – and with 300+ companies there, there will be plenty to think about. Security is as old as the hills, but there are new ways to approach old problems and as businesses turn to ‘the cloud’ and mobile devices proliferate (I wonder how many iPads will be stand draw prizes?) so new solutions need to be found.
See you there.
Yesterday at the European Cyber Security Awareness Day event in Brussels the Business Software Alliance (BSA) released some interesting research. They found that people in Germany, France, Poland, Spain, and the UK are confused over where their online data is stored.
About one in five citizens admitted to being unaware of whether their personal data is being held ‘in the cloud’, and 60% said they didn’t know what ‘in the cloud’ means.
When it comes to who should take responsibility for protecting online data, respondents were confused, with more than a quarter expressing a belief that a combination of stakeholders including government, businesses, technology companies, and consumers should be responsible for securing data held ‘in the cloud.’ The BSA says that this suggests that there may be a need for better coordination between government, businesses, and users and better education on cyber risks and best practices.
Coordination between government and business can go a long way in fighting cybercrime and protecting online data. Sound cyber security policies and technologies that protect the online environment are crucial but education can’t be overlooked. Users need to be made aware of online risks and know how to spot and protect themselves against malicious activity. I believe that better education is key to good cyber security.
The 5th International Cloud Expo is happening at the Jacob Javits Convention Center, New York (April 19-21) and as a reader of this blog you can get a discounted ticket!
The procedure is:
1. Go to the special registration page for this offer: https://www3.sys-con.com/cloud0410/registernew.cfm?a1=gold
2. Enter the coupon code VIPBloggerGuest [case sensitive]
3. The price will reset from $1950 to $300 and you can then complete the brief registration process for full access to all sessions, all days, all tracks (Luncheon is NOT included.)
So, there you go – a bargain, especially if you happen to be in New York! Please note, lunch isn’t included in the offer… but there look to be lots of great sessions to get your teeth into.
The Jericho Forum has just released its Self-Assessment Scheme (SAS) which will help both vendors and customers check the effectiveness of an IT security product – and that it will be properly installed and deployed.
The way this is done is relatively simple – with eleven thought-provoking questions based on the downloadable template which will help match requirements to product (or service) offered. The template describes best practice as well as what is acceptable.
The Jericho Forum, part of The Open Group, is made up of experts from all areas: customers, vendors and independent consultants all working together. It has led the way in creating a practical approach to securing the new ways in which business is done, with the de-perimeterization of business models being the focal point back in 2004. Cloud computing has been the focus of the group for the past 18+ months and the SAS template is the latest deliverable. Take a look – it doesn’t take long to read, and it will give you some thoughts on what you should be asking in this new cloudy world.
The weather may still be cold in London, but San Francisco has been hot this week, especially for the security industry. The USA RSA Conference is one of the premier security events, educating and connecting security professionals from around the world.
Symantec’s CEO Enrique Salem took the stage earlier in the week as one of the keynote speakers.
He discussed the information economy, and how this decade will change the way we think about it. The two major trends Enrique thinks will change the information economy significantly are the adoption of cloud computing and the explosion of digital devices. Along with the rise of social media, these trends make a trio that are linked and will accelerate the need for an information-centric approach to security.
All three rely on trust, and that trust requires security, privacy and compliance measures in place so that information can be accessible by the right people, on any device and from any place in order for the information economy to reach its full potential.
I found this really interesting. Enrique said that security is not only about putting up higher walls around information or locking down devices, it is about delivering solutions that provide trust and confidence. And he also spoke about how it is an opportunity for the security industry to enable, nurture and navigate through this future of the information economy.
It would be great to know what you are doing in your organisation to securely allow information to flow freely between the right people. What has changed over the past five years and what predictions do you have for the next five?
An interesting report was published this week by Information Age concerning IT strategies in 2009 (a hard year for most!). The report found the most effective IT strategies of the year to be:
1. Support mobile working
2. Server virtualisation
3. Unified IP network architectures
Certainly good news for the hypervisors…
The least effective strategies were deemed to be:
1. Reduce IT staff costs
2. Outsourcing the IT organisation
3. Offshore development
That should raise a few eyebrows!