by Orlando Scott-Cowley
We’ve only been in the New Year a few weeks and it’s quickly becoming clear that 2014 is the year of the cloud. Even the committed laggards or cloud refuseniks are being compelled to move some services into the cloud.
But you would expect us to say that of course. As in all things, there’s always another point of view to consider. One of our older posts on the value of the cloud received a challenging comment that warrants a response. This comment gave us all the opportunity to reconsider why a commitment to cloud services makes sense for customers of all kinds and sizes, even those within regulated industries.
The comment challenged our stand on the cloud:
“…Regulation may require certain data controls/protections/audit trails which a Hosted product can’t provide and Exchange (Windows Server Standard plus Exchange software, backups, redundant power, etc.) remain cost prohibitive….”
Initially I was just going to post a response to the comment, but as it has been some time since the original post, I thought that it was worth bringing this discussion right to the top of our blog. Thank you John for taking the time to comment on the post – I hope this post acts as an update, a reassertion of our belief that the cloud is actually more and more an ideal solution specifically for companies of all sizes dealing with the additional pressures of regulatory control.
Most Mimecast customers face these issues. So why is the cloud the solution to their needs?
In the world of email, these industries have high demands on storing and accessing their data – they need sophisticated e-discovery capabilities, granular legal hold functionality, centralization of archives and rigorous compliance capabilities. They have a heavy security requirement too, of course.
The bottom line is that neither on-premise nor cloud archiving solutions address these demands perfectly. But what is clear is that in terms of centralization of data, cost to the business, and time to implement, cloud has been and will continue to be the better option. And it’s these powerful values which are driving business as a whole towards hosted services, including finance and legal.
As far back as 2011, data were beginning to emerge about this wholesale shift to cloud services. At that point, about one-fifth of companies had already moved their email archiving to cloud or hosted options, away from on-premise. In the same study a significant number of those maintaining capacity in-house had experienced failures in hardware and software implementations, and one third had lost emails – possibly as a result.
Also, remaining barriers have been broken down.
Initial reticence regarding data ownership in the cloud has given way to proof of credibility built by vendors providing well-trained engineers and experts available to support the service. These services offer parity with traditional options. For example, in the case of archiving, email should be stored in its original format mirrored to multiple locations. In addition, written into a vendor’s SLA should be a guarantee that the customer’s data will only be stored within appropriate jurisdictions, to ensure compliance with the regulations imposed in some sectors.
So to answer the original question, is the cloud always the solution? The answer is that, in a few cases, it may not be for everyone. But as cloud services continue to mature, these exceptions will become few and far between.
by Orlando Scott-Cowley
Last month Israeli security forces imposed their right to examine your email at their border crossings; the initial panic was calmed by a clarification from the Israeli Attorney-General stating the specific circumstances for the search. Previously, in 2009, the United States imposed a right to search your electronic devices, and keep them for further examination, at border crossings too—without any suspicions of wrongdoing. Are these signs that our local data is no longer private when we travel?
State sponsored search of your devices, and data, now becomes the latest privacy worry for any international travellers; we’ve always been worried about malicious attempts to gain access to our data, or having our laptops stolen from airport security screening points, but now the case for travelling completely clean is made.
Many technology travellers I talk to have always maintained a set of clean equipment, which is only used on trips outside their native country. Before and after every trip their laptop, smartphone, and tablet get factory wiped and restored from a known good image. This is especially important when returning from a trip to ensure the platforms remain clean – those devices are also replaced more frequently than home devices, and are occasionally stripped to check for “extra hardware”.
Maybe; but more sensible than paranoid, as we’re in the days of state sponsored hacking such as Flame, Stuxnet and Duqu.
If you’re wondering how you manage to work in such a sterile environment – have a think about how the cloud supports your remote working now. Keeping your data on your local hard drive isn’t the necessity it once was; it seems quite antiquated to me.
Cloud services that allow you to store your data online mean you’re only ever a click away from that data, and given the ubiquity of Internet access these days, that’s never a problem. Of course data stored in the Cloud isn’t beyond the reach of a search warrant or subpoena, but at least it’s not local on your device being carried through a border crossing.
Email inboxes should remain empty until you’re safely through a border crossing, and on a known and trusted network. Once you’ve downloaded your recent email remember to remove the account and wipe the device before you leave the country too; there’s no sense taking the precaution for inbound border crossing and forgetting about the outbound.
The same applies to file data: leave your files in the cloud and only access them when it’s safe. Don’t store anything locally unless you can securely wipe the hard drive after use.
From an enterprise IT perspective, CISOs and CIOs should educate their users on how to handle such incidents, and of course draw up a policy for international travellers. It does occur to me that your IT department can help, by disabling your access to ‘their’ services on your devices until you give them the go ahead once safely at your destination. Deleting your stored passwords on devices would also prevent the access of data not stored locally.
For travellers the Cloud should now be as essential as your flight socks and money belt. As someone before me once said – “Don’t leave home without it”.
by Orlando Scott-Cowley
This weekend Evernote became the latest cloud vendor to have its systems breached; user data including passwords has been compromised. In case this is news to you, a quick recap – Evernote assured us that passwords were correctly hashed and salted unlike LinkedIn, who neglected to salt their passwords. Evernote didn’t tell us whether or not the salts were compromised too. The attack “follows a similar pattern” to others so we can assume some sort of long term APT style compromise.
There are a couple of interesting observations one can make as a result of this last hack.
The usual amount of your-data-in-the-cloud-is-not-secure media hysteria has been dished out; no doubt some Evernote users will be busy deleting their notes as a result, even though their contents are probably as interesting as the ingredients list on a bottle of water. Being an Evernote user (yes, I have reset my password) I can’t help but think this isn’t about data in the cloud, or about the cloud at all; this is more about a target. Evernote was the target in this instance, before them it has been LinkedIn, Facebook, Yahoo, RSA Security, New York Times, Iranian nuclear centrifuges, the list goes on. Once the target has been identified this sort of “coordinated attempt to access secure areas” is likely to succeed regardless of the data’s location. The data could be anywhere; in the cloud, a server on your LAN, one of your users’ laptops (Facebook), a mobile device, a filing cabinet (remember those) or even data left on someone’s desk – the attackers will use whatever means they need to compromise that data.
Secondly, if there is weak security protecting that data, again the location is unimportant. Putting the data in the cloud on a dedicated platform means, as in Evernote’s case, the breach can be monitored and contained by people whose job it is to do that. There is very little one can do to contain the old school espionage attack that reads secure material from your desk or even from your rubbish bin.
Evernote did the right thing and alerted its users to the hack, emailing them to advise password resets. They did slip up slightly though, by providing a link in the same email that also suggests users should “Never click on ‘reset password’ requests in emails — instead go directly to the service”. But to be fair, this is the first time Evernote has had to deal with this threat.
What this sequence of events really means is that 2013 could be the year that cloud service providers will rebalance their priorities, so that preparedness for attacks will be as important as getting the latest app version out the door, and also that we as consumers realise the importance of our data regardless of where we leave it.
by Orlando Scott-Cowley
Too many Enterprise SaaS and Cloud vendors focus their efforts on marketing and spinning a good story to attract new customers, rather than spending time or money looking after those customers once they have signed on. Once the ink is dry on the contract ongoing service and support seems to be an afterthought.
According to newly released global research from The Enterprise Strategy Group (ESG), Enterprises value SaaS applications, particularly for email-management, but customers are facing significant service and support challenges plus a lack of ongoing aftercare from their SaaS vendors.
The “SaaS with a Face” report, which asked 248 global companies currently using SaaS-based e-mail management about their usage and service satisfaction, indicates the problem is so bad that of non-Mimecast SaaS customers 22% are looking for a new SaaS email management vendor.
Given some of the largest and most aggressively marketed vendors in the Cloud email management space are publicly listed companies, it’s quite clear their drive to attract new customers is part of a shareholder-pleasing business plan. Ongoing aftercare and customer satisfaction seem not to be a concern to them.
If these vendors want to grow, they need to wise up about their customers’ expectations. Service and support is a vital addition to an Enterprise SaaS product offering; simply delivering a fancy Web 2.0 interface, or expecting your customers to fend for themselves on support forums is not enough. The ESG SaaS with a Face report identified that while 66% of customers cited vendor support as an important vendor selection criterion, only 34% noted that they had actually achieved improved service and support compared to traditional software vendors. It would seem that well-known cloud vendors are letting their customers down.
The effects of bad service and support by SaaS email management vendors are wide-ranging and have a significant impact on their customers. When asked what service and support challenges customers faced with their SaaS email management vendor, the list of problems indicates a severe lack of aftercare; for example 27% of non-Mimecast customers were not able to find the right person to solve their problem. A further 15% reported inexperienced support staff, while missed SLAs and long support wait times were reported by 18% and 17% respectively. Worryingly 12% of non-Mimecast customers cited that some problems were never resolved.
For a true Enterprise SaaS vendor, offering industry leading service and support is an essential part of the relationship we have with our customers. Unlike other SaaS and Cloud email management vendors who build their solutions by cobbling together a collection of acquired or OEM’d products, Mimecast’s infrastructure is purpose built by our own team. This means we are not tied to 3rd parties for customer service and importantly can support our own customers in the high standards they expect.
This personal level of involvement by all our service, support, development and customer facing teams means the Mimecast difference, or our “SaaS with a face”, really shows; our customers rate our award-winning customer support highly and, as a result, report satisfaction well above the industry average – 85% of Mimecast customers have no plans to move to a different vendor.
To read the complete ESG SaaS with a face report, click here. We also hope you like our infographic, embedded in this post, which reflects the findings of the report.