Security and IT from the Cloud
IT management and security personnel are likely to be among the last set of converts to cloud computing. IT is not likely to jump on the cloud early. It may be too close to home, or it may be that IT spends all of its time managing the cloud migration efforts for the rest of their company rather than investing time in its own cloud tools. IT should turn this around and lead the way to the cloud by using the latest cloud tools to learn the ins and outs while at the same time driving cloud vendors to make robust, secure tools that take full advantage of the cloud.
IT people know computers the best and they are the most qualified to drive the cloud forward. The same is true for security people in IT. If they drive cloud vendors to be secure and demand that they offer the features needed such as account control, strong passwords, data control, and other items, only then the necessary tools will become available.
Cloud applications in the IT-managed space require the use of local servers, making them only partial solutions as much of the "ease of use" promised by the cloud is not yet achieved. Other companies require local software, but they run it seamlessly, much like Adobe Flash runs local code, but the end user is not required to do any setup work, making these solutions true cloud applications. Most cloud-based management systems are more hybrid in nature. In the future, cloud-based applications will completely leverage the cloud, from ease of setup through full use of collective intelligence. While we're not there yet, the following are some vendors who are blazing the trail:
Qualys (www.qualys.com/) provides IT security and compliance delivered as a service. Qualys is an early innovator in the management space using the cloud. They require on-site hardware and store security assessment results in the cloud. Qualys does not leverage the use of collective intelligence and is therefore considered a partial cloud solution.
Immunet (www.immunet.com) provides a light-weight AV on-machine presence with full cloud-based look up for AV scans. Immunet is changing the AV paradigm. Large AV signature files are not copied to each computer; rather, the cloud is used to store the signatures and the computers go to the cloud for the data files. Given the rapid nature of AV file distribution, this is a good use of the cloud. Immunet also leverages the community nature of the cloud to provide real-time virus detections. Both the AV data file in the cloud and the leveraging of the community are indications of where the cloud is heading in the area of security management.
IT.Shavlik.Com (https://it.shavlik.com) is a site designed to do security and operations management from the cloud, including automated security problem remediation.
Spiceworks (www.spiceworks.com) scans and monitors networks for IT assets. It requires a local agent but its installation is seamless and has limited support for collective intelligence. It uses a hosted database, but beyond this, there is not a lot of cloud advancement with Spiceworks. Spiceworks and companies like them will innovate in the cloud, creating a new generation of security and management tools.
GoToManage (www.paglo.com) is a computer log-focused IT management system in the cloud. It requires on-premise software and does not make use of collective intelligence. It is similar to Spiceworks in that it does not advance any features unique to the cloud beyond data hosting. Similar to Spiceworks, GoToManage will evolve to use more cloud features.
BlueLock (www.bluelock.com) is an on-demand, pay-as-you-go virtual machine hosting service. It is a good example of a boutique firm designed to enable anyone to easily create a managed server in the cloud. There will be a large rise in the number of providers like BlueLock as VMware and other vendors enable a mass market of cloud providers with various initiates such as VMware's vCloud. (www.vmware.com/products/vcloud/).
LogMeIn (https://secure.logmein.com/US/home.aspx) manages computers from the cloud via remote access and troubleshooting.
There are also companies such as Right Scale (www.rightscale.com) designed to enable application deployment to the cloud. Such providers may or may not be cloud applications themselves, but they are key to hosting applications in the cloud and are likely to be very useful in private cloud creation. Use of solutions like this will increase as the cloud grows.
Other Widely used Cloud Applications
According to a survey by Pacific Crest, HR applications were the most popular cloud-based applications in 2009, with CRM cloud applications coming in second (www.pacificcrest-news.com/dspitz/Research/SaaS_Overview(BJB)_021610.pdf). The survey shows that in 2010, CRM is making a move to overtake the number one position. The survey also shows that 10 percent of CIOs are using the cloud for compliance/risk management. From a security perspective, this means that customer information is leaving the building and will continue to do so. From this, we can extrapolate the following: (1) IT needs to make sure that everything is secure and (2) if this information is allowed to go to the cloud, all other information will likely follow.
The following list shows some of the more popular cloud-based applications currently available. Most are focused on providing the convenience of Web-based software and use that as their main selling point over the traditional on-premise software with which they compete. These are the types of applications that can be expected to be in use at most companies, and all can be put into operation without any input or control from IT.
SuccessFactors (www.successfactors.com) Human Resources Management.
NetSuite (www.netsuite.com/portal/home.shtml) Business Software.
Concur (www.concur.com) Travel and Expense Management.
Amazon Web Services (http://aws.amazon.com) enables anyone with a credit card to create servers of all kinds in a matter of minutes. The servers are not managed by Amazon and by default there are no patch management capabilities. It is a bare-bones solution that is aimed at companies that want easy access to computers without add-on services. Amazon is leveraging its large server network to enable this service and it is a strong market leader. This is an example of the large back-end providers, and they will also grow in the future as demand for well-known brands increases for companies that have to justify where there data is residing. In the future, Amazon must provide management for its servers if it is to remain a leading cloud provider. Can a Web retailer make this transition? And if an organizational department stages a server on Amazon and there is a security breach, who owns the problem, the department or IT? This is a serious issue that IT must take control of in the future because the business requires it.