AWS Windows Azure and Google Apps Case Studies

Public Clouds Case Studies - AWS, Google App Engine, Windows Azure


Bankinter (Increase in Efficiency)

  • Spanish industrial bank through a joint venture by Banco de Santander and Bank of America
  • 60% of Bankinter transactions are performed through remote channels, and 46% of those through the Internet.
  • Use of Public Cloud

–      As an integral part of their credit-risk simulation application

–      Developing complex algorithms to simulate diverse scenarios in order to evaluate the financial health of their clients.

  • 400,000 simulations to get realistic results

–      Average time-to-solution down from 23 hours to 20 minutes

Razorfish (Increase in Productivity)

  • Razorfish, a digital advertising and marketing firm, segments users and customers based on the collection and analysis of non-personally identifiable data from browsing sessions. Doing so requires applying data mining methods across historical click streams to identify effective segmentation and categorization algorithms and techniques.

–      High-cost SAN equipment for storage, a proprietary distributed log processing cluster of 30 servers, and several high-end SQL servers

–      $500,000 in additional hardware expenses for peak season

–      Procurement time frame of about two months

–      Cloud Benefits

  • No upfront investment in hardware, no hardware procurement delay, and no additional operations staff was hired
  • Total cost of the infrastructure averages around $13,000 per month.
  • 500% increase in their return on ad spend from a similar campaign a year before

Japan Ministry of Economy, Trade and Industry —Consumer Site

  • Need to build an application to support a new government program targeting Japanese consumers in a short time.
  • Must be available to public via the Web and support potentially large and highly volatile transaction volumes

–      Built in only 3 weeks

–      40 million consumers expected to access site at peak times

–      Expected to support more than 20 million transactions …510,000 transactions first month

–      Has helped boost sales of flat panel TVs and refrigerators

Presidio Health (Compliance)

  • Appistry for software; GoGrid for platform
  • Homegrown apps. for physician performance management and point-of-service collections
  • No re-architecting of on-premises apps. facilitated by front-ending apps. with message broker
  • Transient data in cloud; sensitive permanent data in traditional database

–      PCI & HIPAA compliance

–      No unscheduled downtime

–      Flat costs for 50% more capacity

City of Carlsbad, California

  • The City of Carlsbad, California has 1,100 employees across 22 departments who work in 30 different facilities across the city.

–      When the City began the process of standardizing its IT infrastructure, officials decided to review options for migrating from an on-premise e-mail and collaboration system to one hosted in the cloud.

–      The City ended up selecting a cloud-based version of the Microsoft productivity suite, hosted in Microsoft’s data centers outside of Carlsbad. It was able to eliminate the costs of maintaining equipment, paying only monthly user fees for this new environment.

–      25 percent savings over the past year using the new off-site solution

–      Immediate benefits after the migration, including better access to e-mail from mobile devices and new, integrated instant messaging and web collaboration for meetings and video conferences.

JohnsonDiversey Public + Private

  • Legacy on-premise systems were clumsy. Sharing documentation and collaboration was painful.
  • Storage limitations created inefficiencies
  • Adopted Google Apps – Gmail replaced in-house e-mail and Docs augments the Microsoft Office environment
  • Using Google Sites internally for simple team and project collaboration
  • Google App Engine used to build an internal talent review application
  • Oracle CRM On Demand used for remote sales force

–      Rapid rollout and adoption of applications across

  • 3 ½ months for the complete project; Google Docs rollout over a weekend.

–      Bandwidth consumption for messaging and collaboration reduced by 20%

–      Total investment pays back in 14 months. Reduced operating cost of email/collaboration environment by 70%

–      User satisfaction and use up more than 25

Author Solutions — Running the Business in the Cloud

  • Automate self-publishing workflow for authors and publishers
  • Integrate disparate back- and front-office systems into a complete solution
  • Created an end-to-end self-publishing application using Salesforce Sites, Force.com and Amazon services
  • Integrates with existing on-premises systems including Crystal Reports, Microsoft Dynamics, Great Plains

–      Developed application in significantly less time and for lower cost than that estimated for a traditional custom in-house application

–      Lower ongoing operational costs

–      50%-75% reduction in time and cost to modify workflow and add products

Domino’s Pizza finishes last piece of cloud computing move

Domino’s Pizza has completed a major move to cloud computing, aimed at freeing up internal resources. The company is using the hosted RackConnect service from supplier Rackspace for its applications and platforms.

Domino’s Pizza UK is moving its e-commerce site, online payment gateway, corporate e-mail and back-office systems into the cloud, with the aim of increasing scalability and saving money.

RackConnect will enable Domino’s to select which applications are placed where in the managed hosting infrastructure. For example, applications that require a high level of security, such as an internal e-mail system, can be hosted on dedicated physical hardware.

Domino’s will also be able to take advantage of the on-demand scalability the Rackspace cloud offers, for instance, developing new smartphone or tablet applications, or handling the demands of a digital marketing campaign.

Domino’s new hosted architecture is expected to go live this September.

Virtualization Security in Cloud Computing Part-I

Recent years have seen great advancements in both cloud computing and virtualization. On one hand there is the ability to pool various resources to provide software-as-a-service, infrastructure-as-a-service and platform-as-a-service. At its most basic, this is what describes cloud computing. On the other hand, we have virtual machines that provide agility, flexibility, and scalability to the cloud resources by allowing the vendors to copy, move, and manipulate their VMs at will. The term virtual machine essentially describes dividing the resources of a single physical computer among several computers within it. VMware and VirtualBox are very commonly used virtualization systems on desktops. Cloud computing effectively stands for many computers pretending to be one computing environment. Obviously, cloud computing would have many virtualized systems to maximize resources.


Keeping this information in mind, we can now look into the security issues that arise within a cloud-computing scenario. As more and more organizations follow the “Into the Cloud” concept, malicious hackers keep finding ways to get their hands on valuable information by manipulating safeguards and breaching the security layers (if any) of cloud environments. One issue is that the cloud-computing scenario is not as transparent as it claims to be. The service user has no clue about how his information is processed and stored. In addition, the service user cannot directly control the flow of data/information storage and processing. The service provider usually is not aware of the details of the service running on his or her environment. Thus, possible attacks on the cloud-computing environment can be classified into:

  1. Resource attacks: These kinds of attacks include manipulating the available resources into mounting a large-scale botnet attack. These kinds of attacks target either cloud providers or service providers.
  2. Data attacks: These kinds of attacks include unauthorized modification of sensitive data at nodes, or performing configuration changes to enable a sniffing attack via a specific device etc. These attacks are focused on cloud providers, service providers, and also on service users.
  3. Denial of Service attacks: The creation of a new virtual machine is not a difficult task, and thus, creating rogue VMs and allocating huge spaces for them can lead to a Denial of Service attack for service providers when they opt to create a new VM on the cloud. This kind of attack is generally called virtual machine sprawling.
  4. Backdoor: Another threat on a virtual environment empowered by cloud computing is the use of backdoor VMs that leak sensitive information and can destroy data privacy.
  5. Virtual machines also indirectly allow anyone with access to the VM’s disk files on the host to take a snapshot or illegal copy of the whole system. This can lead to corporate espionage and piracy of legitimate products.

Virtualization Security in Cloud Computing Part-II

Virtualization Security in Cloud Computing Part-III

[Guest Blog]

Shathabheesha is a security researcher for InfoSec Institute. InfoSec Institute is an IT security certification company that offers popular VMware boot camp training.


SAS 70 and Cloud Computing

The Statement on Auditing Standards No. 70 (SAS 70) has become the ubiquitous auditing report by which all cloud computing service providers are judged.  So how did this financial auditing report become the standard by which we examine cloud service providers?  How much can we trust this report as a true representation of the security controls in place?


SAS 70 was originally titled “Reports on the Processing of Transactions by Service Organizations” but was changed by Statement on Auditing Standards No. 88 to “Service Organizations”. The guidance contained in SAS 70 is effective for all service auditors’ reports dated after March 31, 1993.

There are two types of service auditor reports.

Type I

  • Reports on controls placed in operation (as of a point in time)
  • Looks at the design of controls, not operating effectiveness
  • Considered for information purposes only
  • Not considered a significant use for purposes of reliance by user auditors/organizations
  • Most often performed only in the first year a client has a SAS 70

Type II

  • Reports on controls placed in operation and tests of operating effectiveness (for a period of time, generally not less than 6 months)
  • Differentiating factor: includes tests of operating effectiveness
  • More comprehensive
  • Requires more internal and external effort
  • Identifies instances of non-compliance
  • More emphasis on evidential matter

The rise of cloud computing pushed companies to search for a method to validate these new types of services. Publicly traded companies that had to be compliant with SOX were already familiar with the SAS 70. It was a natural evolution to adapt the report to auditing cloud computing service providers even though it was not originally intended for this purpose.

Amazon Web Services & SAS70 Type II audit procedures

Amazon Web Services’ controls are evaluated every six months by an independent auditor in accordance with Statement on Auditing Standards No. 70 (SAS70) Type II audit procedures. The report includes the firm’s opinion and results of their evaluation of the design and operational effectiveness of our most important internal control areas, which are operational performance and security to safeguard customer data. The SAS70 Type II report as well as the processes explained in this document, applies to all geographic regions within the AWS infrastructure.

AWS’ SAS70 Type II Control Objectives

  • Security Organization: Controls provide reasonable assurance that there is a clear information security policy that is communicated throughout the organization to users.
  • Amazon Employee Lifecycle: Controls provide reasonable assurance that procedures have been established so that Amazon employee user accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis to reduce the risk of unauthorized / inappropriate access.
  • Logical Security: Controls provide reasonable assurance that unauthorized internal and external access to data is appropriately restricted and access to customer data is appropriately segregated from other customers.
  • Secure Data Handling: Controls provide reasonable assurance that data handling between the customer’s point of initiation to an AWS storage location is secured and mapped accurately.
  • Physical Security: Controls provide reasonable assurance that physical access to Amazon’s operations building and the data centers is restricted to authorized personnel.
  • Environmental Safeguards: Controls provide reasonable assurance that procedures exist to minimize the effect of a malfunction or physical disaster to the computer and data center facilities.
  • Change Management: Controls provide reasonable assurance that changes (including emergency / non-routine and configuration) to existing IT resources are logged, authorized, tested, approved and documented.
  • Data Integrity, Availability and Redundancy: Controls provide reasonable assurance that data integrity is maintained through all phases including transmission, storage and processing.
  • Incident Handling: Controls provide reasonable assurance that system incidents are recorded, analyzed, and resolved in a timely manner.

Limitations of SAS 70

  • It is not as robust as other security frameworks, such as ISO 27000 or the NIST 800 series.
  • ISO 27000 or the NIST 800 series take a broader approach to information security by reviewing the entire program from a risk management perspective. In contrast, the SAS 70 is focused primarily on security controls and procedures surrounding the data center and financial implications.
  • The SAS 70 report can be misleading to the casual observer as it only focuses on controls and procedures that are agreed upon before the audit by the auditor and the company being audited.

Cloud & SAS 70

The Type I report only requires the auditor to make an opinion on the effectiveness of the controls in place at the time of the audit. The Type II report takes this a step further by requiring the auditor to test the controls as well as document his opinion on their effectiveness.

The SAS 70 report is focused on accurate financial reporting so the auditors involved are typically from CPA firms. A CPA firm possesses the education, training and experience to audit financial controls and may even have insight into other types of controls. However, the question becomes: should a CPA be validating information security controls? If the auditor does not possess expertise in information security, it will be very difficult to provide much insight into the effectiveness of the controls. There will be technical areas that will get overlooked just as a CISSP would not recognize inaccuracies in a financial audit.

Of the many regulations touching upon information technology with which organizations must comply, few were written with Cloud Computing in mind. Auditors and assessors may not be familiar with Cloud Computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to recognize:

  • Regulatory applicability for the use of a given cloud service
  • Division of compliance responsibilities between cloud provider and cloud customer
  • Cloud provider’s ability to produce evidence needed for compliance
  • Cloud customer’s role in bridging the gap between cloud provider and auditor/assessor

Should an organization interested in purchasing cloud related services even bother requesting this report from a prospective provider? The SAS 70 can still be useful if the provider has tested more than the minimum number of controls; however, a vendor that provides a SAS 70 will most likely only be focused on areas of strength. A vendor that does not provide a SAS 70 may or may not be serious about information security and protecting your data.

Recommendations are:

  • Right to Audit clause
  • Involvement of Legal Personnel and Cloud Aware Auditors
  • Compliance to ISO/IEC 27001/27002, SAS 70 Type II
  • Evidence of Compliance
  • Identification of impact of Regulations on Infrastructure, Policy & Procedures, Information Security

Reference:

http://en.wikipedia.org/wiki/Statement_on_Auditing_Standards_No._70:_Service_Organizations

http://searchcloudsecurity.techtarget.com/tip/The-SAS-70-report-and-cloud-service-providers

http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf

Cloud Governance


Governance

  • Governance is about deciding and prioritizing what things to do, while Management is about how to do them in an optimal manner.
  • Corporate governance: set of processes, customs, policies, laws, and institutions affecting the way a corporation is directed, administered or controlled.
  • IT Governance: Subset discipline of Corporate Governance focused on information technology
  • Cloud governance: Subset discipline of IT Governance which involves applying policies to the use of cloud services.

IT Governance of Cloud Computing

  • For Cloud Computing to be effectively used by enterprises, Convergence, Governance and Standardization are required in the following areas and for the reasons described below:

–      Security

–      Interoperability: DMTF – Interoperable Clouds

–      Portability

–      Metering and Billing

–      Provisioning, Performance and Scalability

Use Cases & Cloud Governance

Hosted HR module in ERP capability to Support Expanded Sales and Marketing Efforts PaaS to Build Custom Business Application / Service Utilization of Datacenter Resources and Server Consolidation Basic IT Infrastructure to drive Business Model Scaling a Custom-built Application for universal use by the Industry To Integrate Internal Private Cloud With Public CSPs / Private Data Cloud Supported by a Public Cloud Resources Distributed Data Model for a Real-time, Event-driven Architecture Business Model Integrate Business Offices to Enable Sharing and Collaboration

Tutorial- Application Development on Force.com from 30 day Free Trial

Application Development on Force.com

Force.com is a cloud computing platform as a service offering from Salesforce, the first of its kind allowing developers to build multi-tenant applications that are hosted on their servers as a service.


Features of force.com

The multitenant architecture of Force.com consists of the following features:

•Shared infrastructure. Every customer (or tenant) of Force.com shares the same infrastructure. You are assigned a logical environment within the Force.com infrastructure.

•Single version. There is only one version of the Force.com platform in production. The same platform is used to deliver applications of all sizes and shapes, used by 1 to 100,000 users.

•Continuous, zero-cost improvements. When Force.com is upgraded to include new features or bug fixes, the upgrade is enabled in every customer’s logical environment with zero to minimal effort required.

•Infrastructure exposure. Force.com is targeted toward corporate application developers and independent software vendors. Unlike the other PaaS offerings, it does not expose developers directly to its own infrastructure.

•Integration with other technologies. Force.com integrates with other technologies using open standards such as SOAP and REST, but the programming languages and metadata representations used to build applications are proprietary to Force.com.

•Relational Database
–To store and manage the business data. Data is stored in objects.
•Application Services
–Logging, transaction processing, validation
•Declarative Meta-Data
–Customized, configured simple XML and documented schemas
•Programming Languages
–Apex

[Figure: force.com - Infrastructure, Application and Operational Services]

The layers of technologies and services make up the platform.

[Figure: force.com - Application Architecture]

[Figure: force.com - How it works?]

Note:
The 30-day free trial doesn’t provide Workflow support; otherwise we can create a full-featured application. In the trial, we can create a Visualforce page but cannot enable Sites for our organization, nor register our Force.com domain name and expose the Visualforce page we created as a public product catalog on the Web.

Workflow support is available in Force.com One App: start with one custom app, for your organization only.

force.com - 30 day Free Trial
