Archive for September 2012
Engaging the Hybrid Cloud: Part 1: Security

By Paul Moxon, Senior Director, Product & Solutions Marketing

What is a “hybrid cloud”?

Is it 1) an environment where applications and processes exist both in the public and private cloud and on premise? Or is it 2) a combination public/private cloud without an on-premise component?

For the sake of this discussion, we’ll concede definition 1. Clarifying this concept is important because the vast majority of cloud-adopting organizations — which is to say the vast majority of organizations, period — are about to become hybrid-cloud-adopting organizations, and for good reason: they’re not ready to simply switch off their existing on-premise systems — legacy systems that already have significant business and operational value — and re-invent them in the cloud.

Let’s concretize this hybrid notion with a simple example of a business process nearly all organizations are familiar with: the HR onboarding process.

  1. Onboarding begins. A cloud-based recruiting system like Taleo is used to identify a candidate. When the candidate is hired, the business process moves from the cloud-based recruiting system to the on-premise HR system.
  2. Onboarding continues. The candidate is given systems access, login credentials, and an e-mail account. IT is cued to furnish the candidate with a laptop and other equipment. The office manager assigns the candidate an office space.
  3. Onboarding concludes. HR moves the business process back to the cloud by using a cloud-based performance-management system like SumTotal, where new-hire details are updated.

Cloud. On-premise. Cloud again.

This isn’t some supposed future scenario. This hybridized process is happening now, throughout most organizations, and in many other departments besides HR. To ensure the success of those departments in a hybrid cloud environment, organizations should address three key issues: security, service level agreements (SLAs), and application integration.

Security

The move to the cloud does mean that security and data privacy — something that was previously your IT department’s concern — is now your cloud provider’s concern. Yet it doesn’t mean your organization is absolved from ensuring that the cloud provider is doing its part. You need to demand that the cloud provider is clear about how they secure and protect your customers’, partners’, and employees’ data — both when it’s stored in the cloud and when it’s transferred to and from your on-premise systems.

A cloud-based application in isolation is reason enough for insisting on a clear understanding of how your cloud provider stores your data. Imagine, then, how imperative a clear understanding becomes when that cloud-based application is no longer isolated but integrated into a hybrid cloud environment. It’s now transferring data out into the world — perhaps from an Amazon data center in Europe or the Pacific Northwest to your offices on the other side of the globe. Or perhaps it’s transferring data to your trading partner’s systems, where you have much less control over security and protection.

This spawns several questions you should ask your cloud provider:

  • Is the data encrypted both when it’s in motion and at rest?
  • If cloud-application access is via an application programming interface (API), is the security token secured and encrypted when it’s used in the API core?
  • What’s the security token’s lifetime? Is it per-session or permanent?
  • How easily could this security token be hijacked and reused?
  • Is the security token tied to IP addresses?

Getting solid answers to important questions like these will ensure that the cloud part of your hybrid environment is always serving your business and never compromising the strength of its security profile.

(For Part 2, please click here.)

Thinking Outside the “Box”

By Bill Reeves, Sr. Director, Product & Solution Marketing (MFT), Axway

File-hosting service providers like Dropbox and Box have done an excellent job in the last few years providing prosumers — consumers who use products whose qualities are deemed above consumer-grade standards but below professional-grade standards — with an easy-to-use file-exchange solution that integrates nicely with their personal lives.

But what happens when those same prosumers, so comfortable with using these services to conveniently share gigabytes of home videos with family members across the country, decide to use that same technology to share sensitive data in their professional lives?

They subject the enterprise to a raft of considerations, including “Will these services scale?” and “Will they be able to reliably handle the volume planned for them and offer enterprise-grade functionality and security?”

Dropbox and Box offer premium services that tout “large shared quota, centralized admin and billing” and “scalable and customizable content management with comprehensive security and admin controls,” respectively, so it might come as no surprise that the answer to these questions in many use cases is a considered but unqualified “Yes.”

But will these services integrate seamlessly with the business and maintain the standards the IT organization demands?

In an age of Bring Your Own Device, it’s easy to see how well-meaning employees might arrive at the concept of Bring Your Own Service, especially when that service is easy-to-use, fast, cheap, and reliable.

But enterprise transactions demand more. Despite our users’ fondness for prosumer solutions and eagerness to be productive with them, mandates, regulations, and a host of other security considerations make these solutions a less-than-ideal choice. It’s up to the enterprise to harness the productive energies of its users by providing a solution every bit as robust and pleasant to use as a prosumer solution, yet capable of maintaining a security profile prosumer solutions could never hope to offer.