AT&T’s security breach was cause for serious concern for iPad users and was first reported at Gawker.
Since this story, there have been scores of articles prattling on about the “vulnerability of the Cloud”, “Cloud failures”, etc. Sensational headlines pay bills, granted, and while it’s important that security issues receive attention, I’d much rather look at this from a more holistic angle:
Why is adopting Cloud solutions unavoidable for companies that want to remain competitive?
How can Cloud be introduced into IT environments in a secure and highly available fashion?
Let’s be Swarovski-crystal clear here: This incident was a good thing, friends! At fault in the iPad incident was a poorly-secured back-end on AT&T’s side of the fence. As Gawker’s Ryan Tate accurately points out in his story,
“AT&T exposed a very large and valuable cache of email addresses, VIP and otherwise.”
That said, the pundits do have a point, which is that this incident has implications regarding security – in this particular instance with the underlying AT&T Cloud infrastructure powering the iPad. Responsibility for security with Cloud services is a critical one and falls on all parties involved: the device manufacturers, application developers, and service/infrastructure providers, who must provide and maintain a secure environment as well as immediately resolve all issues when discovered. Same goes for the end users. Thankfully in this case, only one person outside of Goatse Security (who were evidently behind the “attack”) was provided the list of 114,000 email addresses after having leaked the flaw to AT&T where it allegedly went unaddressed for almost a day. That person was Ryan Tate at Gawker, who broke the story. While white hat groups like these are sometimes criticized for their “alternative disclosure process”, they actually do more help than harm. The more ‘holes’ like this found, the more secure Cloud solutions will become available for all of us in the long run. I say “hats off” (sorry couldn’t help that one!) and keep up the good work.
So, should these security issues be taken seriously?
Should you hold off moving any of your company’s IT infrastructure to the Cloud as a result of incidents such as “iPadgate”?
Consumers and small businesses alike have, en masse, placed their trust in Cloud-based solutions, to such a degree that services like Gmail and GoToMeeting, for example, have become core to day-to-day life – both in personal and business settings. At the enterprise level, CIOs and CTOs worldwide are rapidly climbing aboard the Cloud train as well, deploying various solutions within their organizations. These highly scalable, on-demand solutions can help businesses to deploy additional infrastructure quickly with reduced capital costs and refreshed technology – often helping to optimize operating costs as well. The rate of adoption in the business community is increasing rapidly: Gartner forecasts that, by 2012, some one in five businesses will own no IT assets, and that by 2013 businesses will be spending some $150 billion on Cloud services.
Question is, how can businesses take advantage of high-level Cloud solutions right now and still retain some peace of mind relative to availability and security? Fairly easily, and in just a few steps. Whether your organization is a startup or an established enterprise, Cloud solutions can play a key role in your IT organization. Risks related to security, control, and availability with Cloud services are not dissimilar from those in any IT environment, and can be mitigated through careful provider selection and sound planning. Here are a few steps that might be helpful in your adoption of these services:
First: Strategize. Plan. Then plan some more.
Devising a sound strategy and planning effectively is a sure first step to approaching and taking advantage of Cloud solutions for your business. The one thing you can’t afford to do is to get this stuff wrong. This is especially true if your company itself is a service provider of one form or another, as most businesses today are. It would only take one mishap – say, the inability to quickly test and release a patch to your popular online game, or having physicians who are unable to access their patients’ electronic medical records, etc. – to realize the importance of effective planning and smart Cloud provider selection. If you need a hand with strategy, or with vetting the providers and options, don’t be afraid to ‘phone a friend’ – there are many IT consultants and brokerage firms out there fluent in Cloud who are objective and can be helpful from strategy through to implementation, often saving you both time and resources.
Planning for the deployment of Cloud services such as storage or rich content delivery is fairly straightforward, as the related services – Amazon’s S3 storage or EdgeCast’s Content Delivery Network (CDN) services, for example – are more or less plug-and-play and can be segregated from the rest of your infrastructure. Those services that include compute functions however (Cloud-based servers and related infrastructure) will take a bit more time and detail at the planning stage. Most businesses considering Cloud deployments of this type spend the necessary time to analyze existing and future needs around each of their main environments, which typically fall under:
- Quality Assurance (QA)
Evaluating Cloud services by IT discipline is smart, since there are many available options for compute power (CPU), memory, storage, and networking – and the build requirements within each environment will likely be varied. A good strategy should include a thorough understanding of the resources you currently have in place, gained by spending the necessary time to evaluate the needs of each of your IT environments.
Understanding your existing financial exposure and budget for Cloud solutions during this stage is also important. Some questions to consider:
- Hardware: What is the current value of existing hardware per environment, and how close are you to needing a hardware refresh? What are the capital costs associated with such a refresh?
- Network: What are the current monthly costs for networking/IP bandwidth, per environment?
- Labor: What are the current human resource costs associated with operating each environment (operations, monitoring, support, etc.)?
- Roadmap: What are the hardware, infrastructure, performance, and human resource requirements, per environment, over the next 18-24 months needed to support growth demands?
From these and similar questions, you should be able to arrive at total monthly operating costs – both for your current environment and at scale. (Consultants can be helpful here as well, many times providing that second set of objective “eyes”.) With your Cloud approach now defined, you’ll likely see immediate capital and operating cost reductions, the ability to quickly scale infrastructure commensurate with usage and growth, and the ability to reallocate human resources to support more business-critical IT functions. Still with me? Alrighty then…on to finding and selecting the right providers.
Next: Thou shalt do thy homework.
There might be as many shops hawking Cloud services today as there were candy and toy shops selling Beanie Babies many years back…craziness! As you step through your due diligence with potential providers, beware the Cloud pricing that sounds too good to be true…because, as the adage dictates, it probably is. When you dig below that wow-this-provider-is-30%-cheaper-than-the-others! pricing, don’t be too surprised at what you’ll likely find. The provider in question might indeed have some of the shiny bells and whistles you’re after, but perhaps only one datacenter…so if the ground opens up during an earthquake and swallows it whole, or a tornado carries it away Dorothy-and-Toto-style, well…don’t say I didn’t warn you. Other low-cost leaders tend to lure you in with great pricing, but have limited resources on hand (meaning they’ll need to go out and buy those Bugatti Veyron-grade servers you’re after and will charge huge setup fees accordingly). Also, ensure your provider-to-be is well-certified and maintains full regulatory compliance (typically SAS-70 Type II at a minimum) with your organization. So, let’s move those “life on the B/C/D-list” providers right into the rubbish bin, shall we? Right. So now we’re left with the few real players – names you’ll likely recognize: Amazon, Google, Joyent, Microsoft, Rackspace, RightScale, Terremark. (These are but a few of the many A-list providers available.) Spend time with each prospective provider; ask tough questions, ensuring the selected provider has ridiculously good support, lots of IP bandwidth options, and security features that exceed your own requirements. Take a good, hard look at the providers’ pricing, negotiating wherever possible and comparing to your existing cost structure. When it comes to final selection time, take a well-organized approach to this as well.
My colleague Matt Carmen recently broke down in detail the process of selecting the right outsourced IT provider, which I would recommend checking out.
Finally: A phased approach.
Now that you’ve got a good head for the Cloud services and options that will best suit your business, it’s time to get tactical. A best practice when approaching any Cloud solution is to pilot, evaluate, then implement in phases. Select which of your IT environments will work best for a pilot. The pilot should be brief, but long enough to provide a thorough evaluation…30-45 days is usually enough time. We’re still on the leading edge of what Cloud can provide, and solutions are constantly evolving. Providing feedback during a pilot period is key – try to break the solution and be as granular as possible with your providers as to how their service can be improved. The good providers will work with you and incorporate your feedback into their services…and everyone wins.
Post a successful pilot, make the move into a full launch window with the same, sure-footed project management aplomb as you might with releasing a new product to your customers. You’ll find here again that the provider(s) you’ve selected will work hand-in-hand with your team, ensuring a smooth transition and quickly addressing any issues.
Now that wasn’t so bad, was it? Your organization is now among a rapidly growing number of businesses who have embraced Cloud solutions and whose IT organizations have realized increased availability, efficiency, and productivity as a result. Once you’ve got one environment successfully ported and humming right along, you’ll likely see the benefits of deploying the rest of your environments in similar fashion.
Stir. Repeat. Enjoy.