
ENTERPRISE TECHNOLOGY

ISSUE 9

Everyone's talking Cloud, but who keeps you from getting entangled?

PLUS: Why consumer cloud computing is a ticking time bomb

A CRITICAL GUIDE ON CLOUD COMPUTING IN EAST AFRICA
> Services and products > Leading vendors > Security challenges > Legal issues > Risk assessment

CD SALES: Kenya KES 200 | Rwanda RWF 3,000 | Tanzania TZS 5,200 | Uganda UGX 5,000


ISSUE 9 | 2012

DAVID FRATTURA, ALCATEL-LUCENT, ON ADDRESSING CHALLENGES OF CLOUD COMPUTING IN EAST AFRICA

Q&A: CLOUD COMPUTING FREQUENTLY ASKED QUESTIONS

GETTING STARTED: CLOUD ROI MODELER IN EXCEL

VENDOR CLOUDSPHERE

INSIGHT

5-STEP PROCESS TO CLOUD COMPUTING

RISK MITIGATION ON THE CLOUD


ENTERPRISE SOLUTIONS

SMOKESCREENS IN THE CLOUD: SECURITY CHALLENGES

CLOUD POLICIES SCRUTINIZED

CONSUMER CLOUD COMPUTING: KILLER ToS

ENTERPRISE TECHNOLOGY
Managing Editor: Joyce Kyeyune Tonda
Publisher: ICT Creatives Ltd
www.ictcreatives.com

Copyright 2012 ICT Creatives. All Rights Reserved. No part of this publication may be reprinted or otherwise reproduced without permission from the editor. ICT CREATIVES EXPRESSLY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED. IN NO EVENT SHALL ICT CREATIVES BE LIABLE FOR ANY DAMAGES OF ANY KIND ARISING FROM THE USE OF OR RELIANCE ON ANY INFORMATION PROVIDED IN THIS PUBLICATION.

All correspondence to ICT Creatives, P. O. Box 30532, Kampala, Uganda. Tel: +256 414 266 423. Plot 4667, Ggaba Road, Kampala.

Enterprise Technology offers technology services through its network of leading IT Consultants.

Mob: +256 773 092 290 | +256 701 100 516 | +256 701 769 606
Advertising inquiries: sales@ictcreatives.com
Subscriptions: subscribe@ictcreatives.com
Editorial: jtonda@ictcreatives.com

Social media
Twitter: http://twitter.com/technologyEa
Facebook: www.facebook.com/Enterprisetechnology
LinkedIn: Enterprise Technology magazine

knowledge experts
Thomas Bbosa, CISSP, is an Information Systems Security Consultant and Managing Partner with BitWork Consult Ltd (http://www.bitworkconsult.com), a leading East African IT security consulting firm based in Kampala, Uganda. He is a Certified Information Systems Security Professional (CISSP), with over 12 years' experience in the IT industry. He has been involved in various roles in IT infrastructure management and support, information systems security management and solutions deployment.
tbbosa@bitworktech.com

Gijs Opbroek is the Managing Director of Canopy IT Solutions (U) Limited, a young, dynamic IT service provider. The company focuses on A-Z IT installation projects, service and maintenance of IT equipment, and (cloud) hosting services for enterprises and non-governmental organizations. Gijs Opbroek studied Technology and Culture at Maastricht University in the Netherlands and specialized in the effects of the digital divide between the North and the South. His practical technology knowledge is derived from years of hands-on experience in both hardware and software development. In his spare time, Gijs Opbroek likes to play MMO games, read up on technology developments, go sailing and play squash.
gijs@canopy.ug

Douglas Onyango is an IT Systems and Projects Consultant who has been designing and implementing systems and network infrastructure solutions for over 8 years. He is an Internet Governance expert who has participated and spoken at various events and debates including I-Network events, Ug-IGF, EAIGF, and AfriNIC. He is also involved in Critical Internet Resource Policy Development and authors the Softlanding Policy at AfriNIC. Douglas is currently Chief Technical Officer at Lake Victoria IT & Bio-tech Park (LAVIT).
ondouglas@yahoo.com

Cover model: Jackie Mukisa. OP Models and Talent, Kampala, Uganda

cloud computing east africa

LEXICON

Cloud: A metaphor for the internet. Cloud computing or cloudsourcing refers to the practice of accessing computing resources like data storage and software applications directly from the internet instead of the traditional onsite access where computing resources are on the company's physical location.

Cloud portability: The ability to port or move a company's cloud created data from one vendor to another.

Private cloud: A company owned cloud where the company owns the servers and applications and it is solely for company usage.

Cloudware: Software used to manage cloud applications.

Public cloud: Hosted computing resources are shared by different companies and individuals.

Hybrid cloud: In this case companies access some resources from a public cloud while other resources, perhaps sensitive data or critical processes, are hosted on the privately owned cloud.

Vertical cloud: A cloud service customized to serve a particular vertical industry, for example telecommunications or transport.

Cloud broker: A middleman who links cloud service users to appropriate cloud service providers.

CLOUD SERVICES PRICING MODELS

Consumption based: A user is charged based on the amount consumed, for example amount of bandwidth used.

Time based: Companies may be charged by the hour, for example.

Pay per use: Vendors also allow users to pay when they log in on the cloud, per session.

Subscription based: Users pay a monthly or annual fee and subscribe to use the cloud services.

Freemium: Free usage is provided but the customer pays for advanced features on the cloud.

ZUBEDI THE CTO

"Abasalom, I don't have good news today..."
"We're going on the cloud to reduce costs."
"Which is goood...."
"But I fear flying..."

RECOMMENDED READING

>> The Four Myths of Cloud Computing
>> Cloud Sourcing the Corporation
>> Tailoring the cloud to suit business and application needs
>> Public cloud vs Private cloud: Why not both?
>> A Three-step Guide to Help SMBs Migrate to the Cloud

Thinking out cloud....be prepared for anything during implementation

Quoted

"Cloud solutions will be so entrenched by 2012 that 20 percent of businesses worldwide will own no IT assets."
Gartner, technology research firm


NUMBERS*
57
Percentage of LinkedIn respondents who feel that the cloud offers more security for their data than they could provide using traditional methods of onsite data protection

60
Percentage of 3000 global CIOs who were interviewed who showed readiness to adopt cloud computing over the next 5 years

250
IT decision makers who said their major reason for going on the cloud was the need to respond quickly to business needs

88.77
Cloud value in dollars per person out of the global internet population

5
The number of times by which Software as a Service (SaaS) revenue will grow through to 2014 in comparison to traditional on-site packaged software.

While the adoption of cloud computing in the region is still slow due to concerns about vendor maturity and security risks, our study indicates that most companies plan to deploy some software-as-a-service applications in 2011-2012.
Deloitte 2011 East Africa Security Study

*Statistics are compiled from various online resources

TESTED AND PROVEN VENDOR CLOUDSPHERE

PLATFORM AS A SERVICE (PaaS)

Platform as a service: PaaS vendors provide tools and facilities to develop, test and deploy web applications without incurring hosting and hardware costs.

Microsoft Azure, Google App Engine, Red Hat OpenShift, Engine Yard, Amazon Beanstalk, CloudFoundry

INFRASTRUCTURE AS A SERVICE (IaaS)

Infrastructure as a service: In this instance you own your software but you don't invest in infrastructure like storage and climate controlled rooms. The IaaS vendor will provide all the hardware needed to get you going.

Amazon Web Services, AT&T, CA Technologies, BlueLock, Enomaly, Eucalyptus Systems, Rackspace, HP, GoGrid, NetApp

SOFTWARE AS A SERVICE (SaaS)

Software as a service: The service provider caters to the end users. They provide and maintain the resource requirement, infrastructure and software. The end user accesses the software by logging in via their browser.

(Accounting, CRM, Project Management, Sales, ecommerce, email) NetSuite, Rackspace, Google Apps, Salesforce, SoftLayer, WEBECS, Microsoft

insight

Does every cloud have a silver lining?

Re-hashing efficiency, scalability, and reduced infrastructure costs is a great beginning on the benefits of Cloud Computing, but it probably isn't enough to convince CTOs and other C-level executives that they need to offload the entire corporation's laundry onto an internet server owned by an obscure business whose only motivation is profit.

The most important question being asked regarding Cloud Computing is whether it is safe, or at the very least carries a minimum level of risk. What if the company's data is leaked or sold to competitors? A worst case scenario may include a coordinated hacker attack on one single cloud services provider, which would compromise all companies being hosted on that cloud. In 2011, for example, a massive data breach of 100 million Sony customers was executed via a server rented by hackers from major Cloud Computing service Amazon Web Services, raising fresh concerns about the security of internet based data and file storage. In the same year Amazon Web Services itself suffered downtime twice, bringing to a standstill the operations of several businesses. Do all cloud service providers offer encryption to protect data (in an age where data/information is every company's key asset) and if so, who manages the keys? Who is liable in the event of data breaches? What are the legal implications?

In this 9th issue of Enterprise Technology we're not going to gloss over the pertinent issues surrounding Cloud Computing. Instead we are going to make a huge attempt to help companies assess the risks and plan exhaustively for Cloud Computing, because in the near future computing really is going to become less about who has the biggest physical IT assets and more about who can offer the best service and products and execute tasks more efficiently. Companies will ultimately be forced to offload the excess, financially demanding non-core trophies and focus on leveraging the benefits of having the dorky stuff managed by gurus and getting back to good old customer service and huggable products. Indeed, as Artificial Intelligence virtuoso John McCarthy suggested in the early 60s, the era of computing served as a utility (like electricity or water) has clearly descended. All we need to discover now is the silver lining on each cloud.

JOYCE KYEYUNE TONDA
MANAGING EDITOR
jtonda@ictcreatives.com


ENTERPRISE TECHNOLOGY DIGITAL MAGAZINE ADVERTISING RATES

SIZE: PRICE ($US)
Full page (20.5 cm w x 26 cm h): 350
2/3 page (13 cm w x 26 cm h portrait; 20.5 cm w x 17 cm h landscape): 300
1/2 page (10.25 cm w x 26 cm h portrait; 20.5 cm w x 13 cm h landscape): 275
1/4 page (10.25 cm w x 13 cm h): 200
Classifieds (18 cm w x 7 cm h): 50

SPECIAL SIZES
Spread (2 facing pages): 400
Inside front cover: 450
Inside back cover: 450
Outside back cover: 500

Note: Prices exclusive of VAT | Email sales@ictcreatives.com for long term booking discounts (4,000 readers in East Africa and beyond.)

2012 TOPIC LIST

Business applications
Enterprise computing devices: Form factor and mobility
Enterprise Social Tools
QR Codes in Enterprise and Government
Enterprise network and device security
Future technology for the present
Operating systems know what
Data centre efficiencies
Information management for competitive advantage
IT human resource staffing-5Ws

executive discussion

DAVID FRATTURA

Senior Director of Strategy for Alcatel-Lucent's Cloud Solutions

Frattura is responsible for the development of solution strategies targeted at enabling service providers to create differentiated services for the Cloud Computing market place. He has over 18 years of experience in networking technologies, ICT, the service provider and enterprise market place.

What factors are driving the adoption of Cloud Computing in sub-Sahara Africa and more specifically East Africa?

The cloud is transforming how global businesses and governments, including those in Africa, access IT resources. It can help them control the costs of managing applications and using computing power and data storage to meet the needs of a growing general public and emerging economy. It supports multitenancy to make services more available, while also reducing hardware and software investment and the costs associated with programming, maintenance and training. Cloud is still in its infancy and as the world embraces the cloud, it is discovering not all clouds are equal. The public cloud, for instance, cannot guarantee end-to-end speed, reliability and QoS. That's because the data center operators' control over performance ends at their doorstep and they are limited by their centralized architectures. A new class of cloud is needed, one that can deliver mission critical applications and content anywhere and at any time with guaranteed performance. This can be addressed by the Carrier Cloud. Alcatel-Lucent is the first to provide a clear vision for the Carrier Cloud, which combines the computing power and flexibility of the cloud with the high performance, reliability and security of communications networks to meet the demands of enterprises, governments and consumers. Service providers own the entire infrastructure over which cloud services travel so they can deliver highly available applications and services over wired and wireless networks. This connectivity makes cloud computing more accessible and affordable as a shared resource.

How does Alcatel-Lucent's cloud computing portfolio address the needs of the East Africa market?

In November 2011, Alcatel-Lucent launched CloudBand as the path to the Carrier Cloud. It enables service providers to deliver a new class of cloud services to enterprises, governments and consumers that are highly reliable, secure and suitable for mission critical delivery.

What specific challenges may companies in East Africa face regarding adoption of Cloud Computing and how does Alcatel-Lucent address them?

Performance, security, cost and ease of use are all inhibitors to cloud adoption today. A recent Alcatel-Lucent global market study of 3,886 IT decision makers in Europe, Middle East and Africa found that two in five reported either frequent or lengthy service outages. These obstacles must be addressed so enterprises and governments can trust putting their business critical services and content in the cloud.

Alcatel-Lucent understands that only the network can make the cloud reliable and secure. Globally, service providers have become trusted partners of enterprises and government who can provide them with cloud services backed up by the same guaranteed SLAs they routinely deliver with business services. By helping service providers capitalize on this opportunity, we are removing the obstacles for entering the cloud, which will have a tremendous social and economic impact for all countries.

What are the unique benefits of using your cloud computing platform vis-à-vis competitors?

Alcatel-Lucent's CloudBand solution is unique from other cloud offers by orchestrating and optimizing the services between the communications network and the cloud, while also providing computing, storage and networking hardware and associated software to host a wide range of cloud services. This capability can be expanded beyond the service provider's network to help manage access to a wide array of public and private clouds. Services such as agriculture, banking, communications, education, healthcare, transportation and more can be delivered in the most efficient way possible based on location, cloud node availability, system response time, network usage, and service level agreements. This greatly minimizes the capital investment enterprises and governments have to make, as they only need to plug into a cloud node to access IT resources. This greater accessibility to the cloud also lowers the cost to train and educate the workforce and greater population.

ALCATEL-LUCENT CLOUDBAND ELEMENTS

The CloudBand Management System, which delivers orchestration and optimization of services between the communications network and the cloud.

The CloudBand Node, which provides the computing, storage and networking hardware and associated software to host a wide range of cloud services.

Enterprise Read: Capturing the Cloud: Strategy for Service Providers, Alcatel-Lucent

cloud computing Q&A

Frequently asked questions


Plenty of IT managers are pretty knowledgeable about cloud computing, but niggling questions remain: the ones that keep coming up again and again and, surprisingly, the answers aren't always the same, depending on who you ask.

How is cloud computing different from outsourcing business processes?

Fundamentally, cloud computing is a form of outsourcing because what you are doing is allowing a third party to take over a specific aspect of your business operations. However, the key difference is that cloud computing keeps you, the company, in control. For example, if you use a SaaS provider your employees are still the ones doing the work, except that the software or infrastructure they are using has been outsourced or rented from a third party. With outsourcing you are shifting the entire work tasks to a third party; all you want is to see the end result.

Is the role of the IT manager going to be redefined as companies adopt cloud computing?

The IT manager's role will be expanded and yes, a new set of skills will be required: the ability to measure and assess the risk of clouding; strong knowledge about the strengths and weaknesses of the most reliable vendors; backup "plan B" skills in the event that the worst case scenario actually happens. The IT manager is increasingly less technical and more strategic.

Which flavour? Public cloud vs. private cloud

Should I choose a public cloud or a private cloud?

While the difference between the private cloud (solely owned for single use by the company) and the public cloud (third party owned with multitenancy) is clear cut, companies may be tempted to believe that the private cloud is inherently more secure because the company maintains a degree of control over it. However, in actual implementation, because the public cloud has more users, vendors can afford to commit significantly more security resources and top notch security personnel due to economies of scale. Private clouds, on the other hand, may not have large industrial security resources to safeguard them. Secondly, public clouds have been matured through numerous hack attacks, so the vendor recognizes patterns and unusual activity and is generally more alert to attacks. The best option if security is of dire importance is to go with a virtual private cloud provided through a public cloud using a virtual private network.

Should cost be the main criteria when selecting a cloud services vendor?

Companies may not want to commit significant resources when migrating to the cloud, and so cost may become a key determinant of vendor. However, there is a major fallacy in this. Cloud services vendors vary widely in terms of the resources they provide, for example memory, speed, features, customer care, security, problem resolution, bandwidth and any number of metrics. Since the industry does not yet have a standard unit of measurement, companies that are planning for the cloud can only compare by analysing which vendor provides more value for a particular SaaS, for example. Essentially, not all costs are equal.

cloud computing resources

Getting started with cloud computing


GARTNER RECOMMENDS A FIVE STAGE PROCESS

Build the business case

Develop the strategy

Assess the readiness

Pilot or prototype

Gain approval

DOWNLOAD THE 2012 Information Week Cloud ROI Modeler

The ROI modeler is an Excel document supplement that comes pre-loaded with data to guide companies that are considering shifting from the in-house IT services model to cloud computing. Data can be modified to suit the company's needs. The modeler is not intended to be a catch-all; rather, it provides general guidelines that can be tailored appropriately.


Smokescreens in the cloud: Security challenges

Loopholes are not that obvious: plug them before you go cloud computing
Gijs Opbroek

Cloud computing has taken great flight in recent years, with companies across the world applauding the cost reduction and efficiency that it brings. As much as that might be true, the abstract nature of the cloud brings along a new set of security risks that users must look at before leveraging its benefits.

The definition of the cloud most likely comes from the image of a cloud that was commonly used for the Internet. So cloud computing basically means doing all or most of the computing in the Internet without relying on physical resources. This in itself creates one of the security challenges that cloud computing has to overcome. Where in the old days companies had their own in-house data storage solutions and dedicated staff to monitor it, that same data in the cloud could be exposed to more than just your employees. This is because cloud hosting companies try to maximize their server and storage solutions, and so more customers will use the same physical infrastructure to access and control their data. Consequently, where companies used to have limited need for data encryption, in the cloud data encryption is essential if one wants to safeguard vital company information from unauthorized people.

As much as you are able to encrypt your data with your cloud hosting provider, the fact remains that your data is in somebody else's hands. Therefore, companies have to ensure they know who is able to access their data at the cloud hosting provider's location. Which employee has what rights, and how does the host ensure that their access policies guarantee your data security? Obviously, the fewer the number of people that can access your data, the better it is for your company.

This brings me to a much overlooked security challenge that is as present in the everyday computerized world as it is while using cloud facilities: access rights and policies within your company. It is not a hidden fact that a lot of security breaches do not originate from defects in the IT technology, but are generated by negligence or ignorance of use of security protocols by employees. In order to minimize the risk here, ensure that your company's IT department develops a security protocol and that your staff is adequately trained and aware of this protocol and its existence. Using the protocol in daily practice often comes down to regularly changing your access passwords, making sure you are logging off or locking your terminal if you leave your desk, and blocking of USB ports and internet access in order to avoid downloading malicious software that might infect your network.

As much as malicious software might affect your local or cloud environment, there is another security challenge that might affect it even more: third parties that interact with your cloud hosting provider without your knowledge. For example, there are many software developers out there that develop programs or updates for the cloud environment to function properly. This in itself is obviously not a bad thing. The problem is that these updates and programs might unintentionally carry with them loopholes for hackers to access your data. After the updates are run, they could also cause unintended access right changes for your employees. This could lead to sensitive data being accessed by the wrong people or people without the proper authorization. It is important therefore that you check with your cloud hosting provider what measures they are taking to ensure that software updates and programs from third parties are tested and checked before being implemented.

All of the above security challenges have to do with actual data protection on site, through the network or via the internet. One more challenge lies in a breaking discussion in regards to jurisdiction. Data that might be secure in one country may not be secure in another. In many cases, though, users of cloud services don't know where their information is held. Currently in the process of trying to harmonize the data laws of its member states, the EU favors very strict protection of privacy, while in America laws such as the US Patriot Act invest government and other agencies with virtually limitless powers to access information, including that belonging to companies. It is therefore important that companies check where their data will be stored and are aware of the laws of that country and what it potentially can do with their data.

BEFORE YOU LAUNCH: QUESTIONS TO ASK YOUR CLOUD HOSTING PROVIDER

Level of encryption used to safeguard your valuable data.
Issues regarding software updates and ensuring that staff don't suddenly gain access privileges they're not supposed to.
Location where the stored data is kept and details of data protection laws in the relevant jurisdictions.
Third party relationships with the company and sharing of data.
Password policies; how they are created, protected and changed.

enterprise solutions

Consumer cloud computing: Killer ToS

Questionable terms and conditions are increasingly included in the terms of service of cloud service providers, and users are giving up key rights when they hurriedly tick "I agree". Like a time bomb waiting to explode, consumers are not aware that the newest currency is data: your data. In the future the companies that can collect the most will inadvertently have you eating out of their palms, at a price.

Cloud based file storage: DropBox
"By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service."

Internet Browser: Mozilla Firefox Sync
"You understand and agree that Mozilla, in performing the required technical steps to provide the Services, may (i) transmit or distribute your User Data over various public networks and in various media; and (ii) make such changes to User Data as are necessary to conform and adapt that User Data to the technical requirements of connecting networks, devices, services or media."

Email and search: Google
"You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this license shall permit Google to take these actions."

Social media: Facebook
"We strive to create a global community with consistent standards for everyone, but we also strive to respect local laws. The following provisions apply to users outside the United States: You consent to having your personal data transferred to and processed in the United States."

Professional networking: LinkedIn
"Additionally, you grant LinkedIn a nonexclusive, irrevocable, worldwide, perpetual, unlimited, assignable, sublicenseable, fully paid up and royalty-free right to us to copy, prepare derivative works of, improve, distribute, publish, remove, retain, add, process, analyze, use and commercialize, in any way now known or in the future discovered, any information you provide, directly or indirectly to LinkedIn, including, but not limited to, any user generated content, ideas, concepts, techniques or data to the services, you submit to LinkedIn, without any further consent, notice and/or compensation to you or to any third parties."

Internet supported devices: Apple
"Except for material we may license to you, Apple does not claim ownership of the materials and/or Content you submit or make available on the Service. However, by submitting or posting such Content on areas of the Service that are accessible by the public, you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available."


CLOUD POLICIES SCRUITINIZED


loud computing as defined by the US National Institute of Standards and Technology (NIST) is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud computing has become popular because enterprises are constantly looking to cut costs by outsourcing storage, software (as a service) from third parties, allowing them to concentrate on their core business activities. With cloud computing, enterprises save on setting up their own IT infrastructure which would otherwise be costly in terms of initial investment on hardware and software, as well as continued maintenance and human resource costs. according to a 2008 Gartner report on cloud security, enterprises require new skill sets in order to handle the challenges of cloud security. This is because cloud computing currently has no specific standards for security or data privacy. Cloud service providers need to address the following: Thomas Bbosa

The lack of standards in cloud computing has necessitated that companies develop their own vendor checklists to ensure data safety and business continuity.
Regulatory compliance: How do you reconcile the regulatory compliance issues regarding data in a totally different country or location? How about data logs, events and monitoring options for your data; does the provider allow for audit trails, which could be a regulatory requirement for your organization?

Legal issues: Who is liable in case of a data breach? How does the legal framework in the country where your cloud provider is based operate, compared to your own country? What contracts have you signed and what issues have you covered/discussed with the provider in case of legal disputes? Do you know exactly where your data is stored? Are you aware of the conflicting regulations on data and privacy? Have you asked your provider all the right questions?

Data safety: Is your data safe in the cloud? How about the problems of man-in-the-middle attacks and Trojans, for data moving to and from the cloud? What are the encryption options offered by the provider? Another important question to ask is: who is responsible for the encryption/decryption keys? Also, you will find that cloud providers work with several other third parties, who might have access to your data. Have you had all these concerns addressed by your provider?

Data separation / segregation: Your provider could be hosting your data along with that of several other clients (multitenancy). Have you been given verifiable assurance that this data is segregated and separated from the data of the provider's other clients? According to the Gartner 2008 report, it's good practice to find out what is done to segregate data at rest.

Business continuity: What is the acceptable cloud service downtime that you have agreed with your provider? Do these downtimes compare well with your organization's acceptable downtime policy? Are there any penalties/compensations for downtime, which could lead to business loss? What measures are in place to ensure business continuity and availability of your data/services that are hosted on their cloud infrastructure in case of disaster? Does your provider have options for data replication across multiple sites? How easy is data restoration in case the need arises?


Access control / user authentication: How is access control managed by your cloud service provider? To be more specific, do you have options for role-based access to resources in the cloud? How is the process of password management handled? How does that compare to your organization's information security policy on access control?

Cloud service providers have increased their efforts in addressing some of the most pressing issues with cloud security. In response to cloud security challenges, an umbrella non-profit organization called the Cloud Security Alliance (CSA) was formed. Its members include Microsoft, Google, Verizon, Intel, McAfee, Amazon, Dell and HP, among others, and its mission is "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."

Security Guidance for Critical Areas of Focus in Cloud Computing - Cloud Security Alliance, available for download at http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf


RISK MITIGATION ON THE CLOUD


Everyone's talking about migrating to the cloud, but the level of risk is not the same for all companies; for some, the entire business is at stake if risks are not properly assessed.

Douglas Onyango

The cloud question is increasingly less about if a corporation will embrace cloud computing, as more boardroom discussions centre on how and when a corporation will leverage it. The proponents have advanced agility of service provisioning, cost reduction and rapid elasticity, among others, as reasons to adopt the model. The not-so-inclined, on the other hand, cite control and privacy, performance, vendor lock-in, transparency and a myriad of other reasons for not adopting the technology. In the end, this back and forth can be credited for some of the volume of discussion on the subject, which has helped bring a number of issues to the fore.

Perhaps, as a result of the media buzz on cloud computing, you have been tasked with preparing a risk assessment analysis before adoption, or maybe your company has already embraced the trend and is only looking for information on how to manage the future risk. This discussion will provide a guide to measuring the risk and offer some mitigation strategies, mostly borrowing from other audit and compliance standards like those of the National Institute of Standards and Technology (U.S.), et al., since some companies usually have rigorous and stringent requirements like these for their information systems.

MAJOR RISKS AND MITIGATION STRATEGIES:

Risk: Data loss
The cloud puts a corporation's resources (hardware, software and data) in the hands of external vendors, which implies a level of risk. During a recent audit, I recommended consolidation of communication and finance systems in the cloud for a petroleum multinational; they immediately asked how they could guarantee the safety of their data with a third party.

Mitigation: The solution here is to ensure that your cloud computing provider has, at the least, the controls in place to minimize these kinds of incidents. The controls CA-2, AC-4 and AC-16 (NIST) deal with data ownership, classification, handling, labeling and security. Ensuring your service provider covers these areas will greatly reduce the risk of you losing data and also mitigate the effect on your business should the inevitable happen.

Risk: Tedious Data Recovery
I think no one appreciates the weight of Murphy's law more than an IT executive. With even the best planning, disks will crash or just refuse to function one morning, leaving you with big service disruptions that sometimes could even end a business.

Mitigation: In these cases, the existence of a policy that covers redundancy, backups and retention can be a breath of fresh air. Control areas 3.1 of PCI DSS v2.0 and NIST SP800-53 R3 CP-2 are two policies you can use to judge your service provider.

Risk: Service Availability
I think this risk by far has the highest probability of occurring for a consumer of cloud services, be it PaaS or SaaS. In my experience, this high level of risk stems from the client's ignorance of the scope of work of the service provider rather than anything else, as cloud service providers usually have huge reservoirs of network and system resources. If you outsource a service, it's always your business to ensure you are able to access the service provider; this means a working internet connection every time you want to connect to your service or infrastructure.

Mitigation: Understanding your bandwidth requirement is important here, as you may find a cloud-based application underperforming because the end user has less than ideal bandwidth. Also, a redundant link to the internet is something that every corporation that wants to use the cloud should invest in, as without an always-on connection you are unable to utilize a service that you have already paid for and which may be the core of your business. If you want to check your service provider, benchmark against NIST SP800-53 R3 CP-1 to ensure you have the right service provider.

Risk: Breach of privacy
Because physical infrastructure is shared between multiple clients, and because a third party (the service provider) has comparable or sometimes more access to your systems and data, the risk of a breach of your privacy is high and could actually be a disincentive for would-be adopters.

Mitigation: Techniques like separation of user directories and granular access control implementations by the service provider can definitely go a long way in lowering the probability and minimizing the damage to your business in the event of a breach. Encryption and proper key management can also play an important role in lowering the risk. Control areas DS11.6 & DS5.4 (CoBIT), which govern data leakage and user access restriction, are examples of control objectives that a company can use to qualify their service provider.

Risk: Regulatory Compliance
For some regulated sectors like banks, failure to meet regulatory compliance is as big a risk as any other on this list, as a corporation risks having its license revoked or, worse still, a lawsuit from clients who might object to their data being stored/transmitted in certain jurisdictions.

Mitigation: If you have checked for compliance in the points above, chances are you have covered a lot of ground already in meeting compliance requirements by most standards bodies. A lot of IT systems and data related standards bodies will work with the PCI, ISO, NIST and CoBIT standards which we have included in our discussion.

For some businesses, being selective about the data you send to the cloud could be another very viable risk management option, as you can measure the risks associated with certain data types and decide what can go to the cloud and what should not.

Cloud Computing Security Risk Assessment, by the European Network and Information Security Agency (ENISA), comprised of academia, government, industry and government experts
