All posts tagged Cloud

Last month Israeli security forces imposed their right to examine your email at their border crossings; the initial panic was calmed by a clarification from the Israeli Attorney-General stating the specific circumstances for the search. Previously, in 2009, the United States imposed a right to search your electronic devices, and keep them for further examination, at border crossings too – without any suspicion of wrongdoing. Are these signs that our local data is no longer private when we travel?

State sponsored search of your devices, and data, now becomes the latest privacy worry for any international travellers; we’ve always been worried about malicious attempts to gain access to our data, or having our laptops stolen from airport security screening points, but now the case for travelling completely clean is made.

Many technology travellers I talk to have always maintained a set of clean equipment, which is only used on trips outside their native country. Before and after every trip their laptop, smartphone, and tablet get factory wiped and restored from a known good image. This is especially important when returning from a trip to ensure the platforms remain clean – those devices are also replaced more frequently than home devices, and are occasionally stripped to check for “extra hardware”.

Paranoid?

Maybe; but more sensible than paranoid, as we’re in the days of state sponsored hacking such as Flame, Stuxnet and Duqu.

If you’re wondering how you manage to work in such a sterile environment – have a think about how the cloud supports your remote working now. Keeping your data on your local hard drive isn’t the necessity it once was; it seems quite antiquated to me.

Cloud services that allow you to store your data online mean you’re only ever a click away from that data, and given the ubiquity of Internet access these days, that’s never a problem. Of course data stored in the Cloud isn’t beyond the reach of a search warrant or subpoena, but at least it’s not local on your device being carried through a border crossing.

Email inboxes should remain empty until you’re safely through a border crossing, and on a known and trusted network. Once you’ve downloaded your recent email remember to remove the account and wipe the device before you leave the country too; there’s no sense taking the precaution for inbound border crossing and forgetting about the outbound.

The same applies to file data: leave your files in the cloud and only access them when it’s safe. Don’t store anything locally unless you can securely wipe the hard drive after use.

From an enterprise IT perspective, CISOs and CIOs should educate their users on how to handle such incidents, and of course draw up a policy for international travellers. It does occur to me that your IT department can help, by disabling your access to ‘their’ services on your devices until you give them the go-ahead once safely at your destination. Deleting your stored passwords on devices would also prevent access to data not stored locally.

For travellers the Cloud should now be as essential as your flight socks and money belt. As someone before me once said – “Don’t leave home without it”.


CISSP, CCSK
Mimecast


This weekend Evernote became the latest cloud vendor to have its systems breached; user data including passwords has been compromised. In case this is news to you, a quick recap – Evernote assured us that passwords were correctly hashed and salted unlike LinkedIn, who neglected to salt their passwords. Evernote didn’t tell us whether or not the salts were compromised too. The attack “follows a similar pattern” to others so we can assume some sort of long term APT style compromise.

There are a couple of interesting observations one can make as a result of this last hack.

The usual amount of your-data-in-the-cloud-is-not-secure media hysteria has been dished out; no doubt some Evernote users will be busy deleting their notes as a result, even though their contents are probably as interesting as the ingredients list on a bottle of water. Being an Evernote user (yes, I have reset my password) I can’t help but think this isn’t about data in the cloud, or about the cloud at all; this is more about a target. Evernote was the target in this instance; before them it has been LinkedIn, Facebook, Yahoo, RSA Security, New York Times, Iranian nuclear centrifuges, the list goes on. Once the target has been identified this sort of “coordinated attempt to access secure areas” is likely to succeed regardless of the data’s location. The data could be anywhere: in the cloud, a server on your LAN, one of your users’ laptops (Facebook), a mobile device, a filing cabinet (remember those) or even data left on someone’s desk – the attackers will use whatever means they need to compromise that data.

Secondly, if there is weak security protecting that data, again the location is unimportant. Putting the data in the cloud on a dedicated platform means, as in Evernote’s case, the breach can be monitored and contained by people whose job it is to do that. There is very little one can do to contain the old school espionage attack that reads secure material from your desk or even from your rubbish bin.

Evernote did the right thing and alerted its users to the hack, emailing them to advise password resets. They did slip up slightly though, by providing a link in the same email that also suggests users should “Never click on ‘reset password’ requests in emails — instead go directly to the service”. But to be fair, this is the first time Evernote has had to deal with this threat.

What this sequence of events really means is that 2013 could be the year that cloud service providers will rebalance their priorities, so that preparedness for attacks will be as important as getting the latest app version out the door, and also that we as consumers realise the importance of our data regardless of where we leave it.


Too many Enterprise SaaS and Cloud vendors focus their efforts on marketing and spinning a good story to attract new customers, rather than spending time or money looking after those customers once they have signed on. Once the ink is dry on the contract ongoing service and support seems to be an afterthought.

According to newly released global research from The Enterprise Strategy Group (ESG), Enterprises value SaaS applications, particularly for email-management, but customers are facing significant service and support challenges plus a lack of ongoing aftercare from their SaaS vendors.

The “SaaS with a Face” report, which asked 248 global companies currently using SaaS-based e-mail management about their usage and service satisfaction, indicates the problem is so bad that of non-Mimecast SaaS customers 22% are looking for a new SaaS email management vendor.

Given some of the largest and most aggressively marketed vendors in the Cloud email management space are publicly listed companies, it’s quite clear their drive to attract new customers is part of a shareholder-pleasing business plan. Ongoing aftercare and customer satisfaction seem not to be a concern to them.

If these vendors want to grow, they need to wise up about their customers’ expectations. Service and support is a vital addition to an Enterprise SaaS product offering; simply delivering a fancy Web 2.0 interface, or expecting your customers to fend for themselves on support forums, is not enough. The ESG SaaS with a Face report identified that 66% of customers cited vendor support as an important vendor selection criterion, but only 34% noted that they had actually achieved improved service and support compared to traditional software vendors. It would seem that well-known cloud vendors are letting their customers down.

The effects of bad service and support from SaaS email management vendors are wide-ranging and have a significant impact on their customers. When asked what service and support challenges they faced with their SaaS email management vendor, customers gave a list of problems that indicates a severe lack of aftercare; for example, 27% of non-Mimecast customers were not able to find the right person to solve their problem. A further 15% reported inexperienced support staff, while missed SLAs and long support wait times were reported by 18% and 17% respectively. Worryingly, 12% of non-Mimecast customers cited that some problems were never resolved.

For a true Enterprise SaaS vendor, offering industry leading service and support is an essential part of the relationship we have with our customers. Unlike other SaaS and Cloud email management vendors who build their solutions by cobbling together a collection of acquired or OEM’d products, Mimecast’s infrastructure is purpose built by our own team. This means we are not tied to 3rd parties for customer service and, importantly, can support our own customers to the high standards they expect.

This personal level of involvement by all our service, support, development and customer facing teams means the Mimecast difference, or our “SaaS with a face”, really shows; our customers rate our award-winning customer support highly and, as a result, report satisfaction well above the industry average – 85% of Mimecast customers have no plans to move to a different vendor.

To read the complete ESG SaaS with a face report, click here. We also hope you like our infographic, embedded in this post, which reflects the findings of the report.


CISSP, CCSK
Mimecast


Today it was confirmed that leading global private equity firm, Insight Venture Partners, has invested $62m in Mimecast. This will catapult us to even greater endeavors over the coming years as we build on our efforts and progress of the past nine. It’s a validation of the vision we had back in 2003, where we sought to consolidate the patchwork of fragmented LAN-based email infrastructure into a single cloud-based platform. We called it Unified Email Management (UEM), and today we’ve got more than 6,000 customers and 1.6m users on our service, processing, protecting and storing several petabytes of their most valuable business data.

However, my colleagues would probably agree that, now that ‘the cloud’ is going mainstream, some of the really interesting work and opportunities start here. First of all, more and more companies are buying into our UEM proposition. We compete strongly in multiple different markets here: email security, email archiving, email continuity and DR, DLP, eDiscovery, to name a few; and while we sell some of these things separately, our customer delight tends to come from the discovery that all of these things can be managed centrally through a single admin console, as all of Mimecast’s applications are built on a common platform.

Furthermore, some 50% of corporate email users are still on Exchange 2003 and Exchange 2007, many of them increasingly throttled by the ‘point’ applications they have added to their network over the last five years or more. We are still 100% committed to helping these people as they think about their migration path to Exchange 2010 and 2013.

New frontiers are emerging too. While some people like to mutter about the impending death of email at the expense of social media and enterprise collaboration tools, we unashamedly fight in the opposing corner. Email is the ONLY global standard for asynchronous communication in business. It’s the global standard but, perhaps, not the gold standard. It has some issues.

So we’re taking up the challenge of trying to take email, the one tool we all know how to use, and make it better at supporting the collaboration scenarios we all face so often nowadays.

We’ve worked hard on solving some of the big email infrastructure problems like security, storage and information management, and now we’re looking at the end user problems too. It’s here that the frustration with email is boiling over.

We think we can make email even better. We already offer an incredibly rich experience for users of Microsoft Outlook, integrating security settings that the user can configure on a ‘per-email’ basis before pressing send, and real time archive search. And we extend this user experience to the full range of smart-phones and iPads, and of course the web.

But while tools and devices, and apps, have a reassuringly contemporary feel to them from an IT perspective, it’s what we do with the data in the archive that really will make the difference.

Our industry appears to be obsessed with long-term data storage. Words like ‘vault’ conjure images of dusty archives of information locked away behind ten inch steel doors. Even the word ‘archive’ sounds too passive – too much like a whisper-quiet library; books gathering dust.

We see a world where the business – HR people, IT people, end users from all departments – dip in and out of the archive every day, using clever apps, or suites of apps, that enable them to collaborate on projects, visualize complex relationships in the metadata chains, search and browse documents from file stores, email archives or Sharepoint on an iPad …

We’re currently calling this the Interactive Archive, and it underpins an idea we’ve been working on for some time called Information Banking. In a few years’ time, there will be a handful of companies with whom businesses of all sizes entrust their corporate data. We’re betting that they will do it because it’s safer with us, but also because they can do more – an awful lot more – with that data once we’ve got it in our Interactive Archive.

So that’s the next leg of the journey we’re mapping out for ourselves and our new investment partners, Insight. It’s going to be an exciting ride.


This is the second post in the mini-series that I’m planning, to coincide with the Games taking place in London this summer. In my previous post I suggested the arrival of the Olympic Games in London will probably cause businesses to rethink how best to service their users, especially if a greater number of users than usual are working remotely.

This summer London’s businesses will have to face a set of untested scenarios as more of the workforce are driven to work outside of their normal patterns. Remote working in particular will be high on everyone’s agenda as the advice from Boris to Londoners is to get ahead of the games. Previously I suggested the Cloud as a solution to support you and your remote users, especially for highly demanded services like email; so here are ten ways the Cloud can help take the weight during the Games.

  1. Ubiquity of access: The Cloud, by definition, is available from pretty much anywhere you can get an Internet connection, but unlike your own remote access platforms it is built for access, and lots of it. Your users can access Cloud-enabled services from any device and any Internet connection, they’re not limited to a single VPN service or gateway.
  2. Scalability of access: Your own remote access service was something I covered in the last blog post, in that the in-house systems you’ve got were probably only designed for a small percentage of your users. The Cloud services your business can use are completely different – those services were built with the ubiquity of access (above) in mind so won’t act as the remote access bottleneck like your on-premise solution.
  3. Make remote working easy: I often watch remote workers on trains and in cafés trying to access their corporate systems. Usually there is a VPN client required, a token of some sort, multiple interfaces and portals to negotiate, some even send a text or make a phone call. Most of the time all of these people want to do is simply hit send/receive in Outlook. I’m not being disparaging about access control or security policies, but very often the security applied is far too restrictive and as a result leads to point four below.
  4. Keep users in house: We already know from research that if you demand that your users jump through too many hoops to access your on-premise resources remotely, they will default to their own web-based platforms simply because they are easier to use. Using a cloud platform for business that offers the required level of security and accessibility means you can keep your users on the reservation, which is vital for corporate governance.
  5. Support mobile platforms & BYOD: There are limited ways your on-premise infrastructure can support users on the hoof, i.e. those who have a few minutes to kill and might have a smartphone or tablet to hand. Of course email is accessible on most devices, but normally a maximum of 30 days – not hugely useful if your users want to refer back to older messages. Deploying a Cloud platform that also supports users’ mobile platforms will give them the ability to be more productive for longer. If you don’t issue those devices but support a BYOD policy, then you really do need a platform that supports ubiquity of access like the Cloud.
  6. Keep corporate governance going: As I mentioned in point four, your users may be jumping out to other webmail services just to get their job done. For any IT Managers this will mean a governance nightmare, as the corporate perimeter no longer applies. Email in particular is susceptible to this problem, but using a cloud-based email management solution that is easy to access from anywhere, on any platform will mean your users are still under your control and your policies and governance will still be applied. Centrally.
  7. Deliver reliable and available services to users: As I mentioned in my last post, the Games are going to test your infrastructure to its limits. Most IT admins I know aren’t looking forward to finding out where that limit is, and wish they had thought about this sooner. Most reputable Cloud vendors will give you 100% availability; wouldn’t it be more comforting if that were an SLA you could pass onto your own business?
  8. Re-deploy your IT team more meaningfully: I doubt your highly trained IT team want to be waiting by the phone this summer. Some companies I know are letting all their staff work from home except their IT team in case something does go wrong; but wouldn’t it be more productive to let them work on those projects they’ve been putting off for years because of the constant firefighting? All of the points above indicate how your IT team are working to keep systems up and running, but also how the Cloud can take the weight of on-premise applications and augment them, freeing up the time of your IT team.
  9. Future-proof your environment: This will be the core topic of an upcoming blog post, but in short I’d suggest that changes you make to your environment now in preparation for the Games (if you’re not too late) will be like your own Olympic Stadium; you’ll enjoy the immediate benefit of the Cloud now, as well as finding a way of on-ramping the Cloud into your network for the future.
  10. Be prepared!: Need I say more? We used to talk about the cloud as an SME tool, but today enterprise class businesses are using the cloud to augment their creaky on-premise services, the writing is on the wall I think.


Cloud computing is becoming the paradigm shift it always promised to be, even for larger organizations who scoffed at the cloud’s lack of enterprise support or security and thought it was for SMBs only. The promised all-around savings in almost all aspects of IT’s hard and soft costs are driving more and more businesses to adopt the cloud, as it allows them to shift large chunks of budgetary Excel spreadsheet from Capex to Opex.

Over the last few years, the cloud has brewed up a storm in the IT Infrastructure world. The basic idea behind the cloud is to deliver centralized IT services, usually from a third party, to help free up almost all operational and administrative burdens in the local IT department of your business. The cloud is routinely defined as having a handful of essential characteristics; on-demand self-service, broad network access, resource pooling, rapid elasticity and scalability.

The underlying technology behind the cloud is not that different from the systems traditionally within your network; cloud services generally offer platforms that replace onsite services like email, file handling, information management, and so on. The cloud simply uses them like any other platform in its normal communication and every day operation, so there is really nothing new here. We shouldn’t worry about how the cloud utilizes these standards, as being RFC compliant is an essential part of Internet participation.

Providers of cloud services and platforms also subscribe to an evaluative standards model as a way to differentiate themselves and ensure they are providing best practice and recognizable standardized behaviour to their customers. Evaluative standards are used to certify providers’ infrastructure, services and importantly their processes; the most common and well known form of evaluative standards are the ISO family, and the most applicable for this discussion is ISO 27001:2005, or to give it its full name ISO/IEC 27001:2005 – Information technology — Security techniques — Information security management systems – Requirements. These standards are the most obvious areas we can improve on for the purposes of securing the cloud, and to some extent work has already begun.


CISSP, CCSK
Mimecast


Arguably the single biggest challenge for Cloud vendors is helping customers understand and justify the implications of handing over not only data but business processes to a Cloud Vendor, especially when the Cloud space has lacked maturity and standards.

And it’s becoming an increasingly important decision as Cloud becomes the “default” choice for many businesses; they need to understand where their data is and how safe it is.

Yes, Cloud Computing is still in its relative infancy, but it’s growing up fast.  To hear a highly respected and influential Gartner analyst saying that he rarely recommends anything but SaaS solutions to companies looking to change their email security service shows that the die is well and truly cast.  It’s a similar picture in the archiving space.  SaaS vendors are growing far faster than their on-premise counterparts, although SaaS still accounts for a small share of the overall market.  And of course, with Microsoft’s strategic priority to transfer the on premise dominance of Exchange into the cloud (with Office 365), it’s fairly clear that at some point in the future, all these technologies will be delivered to customers from the cloud.

It’s a matter of when, not if.

What’s surprising, however, is that there seems to be a two-stream approach to Cloud adoption: the haves and the have-nots, those who have Cloud and those who don’t. Yet.

On the one hand, especially in the SMB and midmarket, cloud vendors are now dealing with a far more enlightened customer base.  Many CIOs are now on their second or third cycle of purchasing cloud services.  They have wised up to vendors who over-promise, or hide behind bogus SLAs, and they will have rejected out of hand any service that doesn’t do what it says on the tin.  Their next decision could potentially be based on a specific business or technical need, but more likely, it will be based not simply on the service but on the vendor’s approach to delivering that service.  In other words, it will be based largely on the vendor itself.

The second stream is convincing the have-nots to adopt: persuading what are often larger enterprises that their data is safe in the cloud. This is a slower burning challenge, because these businesses often have massive legacy investments in on premise IT resources, both in terms of tin and human capital. That makes a move to cloud technology not only a technological change in mindset but a cultural shift as well. But it doesn’t matter how big the organization is, the pressure on IT departments to reduce costs while delivering more value is the same. And most if not all roads lead to the cloud.

But IT departments needn’t fear – Jevons Paradox predicts that more IT will be required for the future, not less – it’s just going to be different to what they’re doing today. But that’s technology for you. When was the last time IT staff used their Windows 3.1 skills?

The danger here is that CIOs of large enterprises tend to ‘trust’ the biggest, most established technology brands with the deepest marketing pockets, best placed to “Cloudwash” their dated technologies. I use the term ‘danger’ because, when it comes to cloud, money can’t buy you trust.  The big brands have whole shoals of fish to fry and are usually more interested in wooing consumers than they are safeguarding the interests of customers and their data.  For smaller, pure play cloud vendors like Mimecast, this is ALL we do.  And that means we can’t slip up.  So we have to earn trust the hard way, and the only way.  And that’s by building a history of excellence in delivering Cloud Services.

For those CIOs who’ve already made the leap of faith and are committed to a cloud strategy, we’re now hearing – anecdotally at least – that customer service and support has jumped up the purchasing priority list alongside cost.  That is largely because customer support has been the single biggest pain point for consumers of cloud service over the last two years.  Why?  Because it is, arguably, the most underinvested business function in the cloud industry.

But of course, the economics of SaaS and cloud only work if you retain those customers for long periods.  At Mimecast we retain over 98% of our customers. It goes without saying that the product has to work.  But perhaps the key variable is our ability to look after our customers.  To put it politely, the cloud industry has a patchy record in providing customer service.

To some extent, then, in the SMB and mid-market space, there will be a period of ‘natural selection’, where the new breed of cloud savvy IT purchasers weed out the suppliers whose service doesn’t match the promise, for whatever reason — unreliable product, unrealistic SLA, non-existent support, dodgy security protocols, or fudged solutions built on OEM arrangements or poorly integrated acquisitions.  The cloud vendors who are playing the long game and investing properly where it matters will rise to the top through this process, and others will fall by the wayside.  (In fact we’re already seeing this happening in the early part of 2012.)

For first time purchasers and larger enterprises, though, we still have to help them with their trust issues, and we won’t achieve that by focusing on customer service excellence. Instead, we have to put our weight behind meaningful industry initiatives that can turn ‘trust’ from an intangible to a tangible purchasing criterion. One example of this is Cloud Security Alliance’s Security Trust and Assurance Registry, or STAR, which is addressing the need for Enterprises moving applications and data to the cloud, or consuming a provider’s services, to understand cloud provider security. Another is an organisation’s willingness to adhere to security standards such as ISO 27001. But providers remain hesitant to give up proprietary information, or expose themselves to exploitation. In fact, to date, only Mimecast, Microsoft and Solutionary have agreed to publish their STAR controls.

Transparency is clearly going to be a major factor in the success of cloud technology, particularly as a means of building confidence amongst enterprise CIOs that their data is safe and secure in the cloud.  But while we will continue to embrace standards initiatives such as STAR and ISO27001 that make trust a tangible factor, our growth in the mid-market will most likely come from good old fashioned values, such as delivering strong after-sales support, and from sharing stellar recommendations from existing customers.

STAR launched in the fourth quarter of last year and its aim is to be a public repository of providers’ security controls. Providers who are STAR members can fill out either the CSA’s Consensus Assessments Initiative Questionnaire or the Cloud Controls Matrix framework questionnaire, both built according to the ISO 27001 standard, and ultimately agree to have that data published online and publicly accessible. 

Image CC Flickr- Lyncis


Chief Strategy Officer
Mimecast


I had the opportunity to write a post for the Future of Cloud Computing Forum; I’d like to share the post here with you.

Most innovations and disruptive technologies tend to bring out what I refer to as the flat-Earthers – individuals who wait for the tipping point of a new technology or idea to be well past proven before getting on board, or as Geoffrey Moore calls them in ‘Crossing the Chasm’ – “Laggards!” Why is this? It’s because as humans we’re very dependent on habit-forming behavior and love to hark back to a “better time” – and “they don’t make them like that anymore” thinking. Adapting to change takes time, and I believe that Cloud Computing is at last winning over some of the last and most ardent deniers. But there may still be one last fallacy to overcome, which is cloud vendor lock-in. Nothing is quite as open and flexible as an old on-prem solution – or is it?

When mainstream Cloud Computing appeared (setting aside the whole mainframe, client/server, cloud discussion for a moment), there was much worry about how secure and ‘safe’ this new Cloud environment would be. Security was the cloud-deniers’ main argument for staying firmly entrenched in their onsite infrastructures. Now most agree that the Cloud generally offers a greater degree of security and resilience than would be possible on site, unless you have a DoD sized budget. Unfortunately there are still those who would have you believe the Cloud means you’re locked into a cloud-vendor, until death you do part.

I believe that this Cloud vendor lock-in fallacy is being touted by those who have a vested interest and would rather you kept your data onsite and within your own data center. There are many reasons cited by these flat-Earthers. Let me try to dispel their most common arguments.

Cost of migrating off Cloud platforms

One of the two most common problems cited is the cost of migrating away from Cloud platforms when the customer chooses to leave or the Cloud vendor implodes (implosion, another symptom of this Cloud computing sickness apparently). The argument usually goes like this; companies sit down to work out their ROI on a Cloud investment and get excited to see the Cloud demonstrably saves them money. However in their excitement the IT team neglects to factor in the cost of migrating OFF a cloud platform at some time in the future. This cost will come as a surprise when the inevitable Cloud Rapture finally arrives.

Complex deployments of information-worker software always seem to need someone to migrate data during an upgrade or swap out. I would argue that the cost of migrating from one on-premise solution to another is likely to be dramatically more expensive than a Cloud solution, simply because the Cloud vendor is:

  • expecting to absorb or ingest your data at some point, and
  • already planning on giving you that data back at the termination of your contract.

No customer should sign a Cloud vendor’s contract without that clause, and no Cloud vendor should expect them to. On premise solutions hide all sorts of complexity that makes it very hard for you to leave that solution. The cost of finally moving to any new platform means you’ve created your own on-premises vendor lock in.

Cloud Standards or Lack Thereof

The second of the two loose threads regularly pulled in this discussion: Industry standardization within the Cloud market is still a ways off. But this is not for want of trying. To address this, organizations like OpenStack counter the problems caused by a lack of Cloud standardization and drive the concept in the right direction.

Some believe Cloud vendors operate in a Wild West-like corner of the Internet where anyone with a domain name and an AWS account can set themselves up and attempt to lock you into their systems for years to come, by simply keeping their platform as proprietary as possible. This simply isn’t the case – Cloud vendors are in most cases quite reputable and treat your data as sacrosanct. There is already a lot of support for standards within the cloud market and many vendors are building standards-support into their environments without the need for regulation. Openness and transparency are inherently easier for a Cloud vendor to achieve given the availability of metadata within their environments. Try delivering openness and transparency in a network of closed systems and platforms.

The Highly Customized Nature of On-Premises Applications

Customers using big CRM and ERP applications are a breeding ground for custom modules and plugins for those monolithic applications; it’s the only way they get the functionality they want. For the time being it’s also the primary way the CRM and ERP vendors hold onto their customers, but the groundswell behind Cloud platforms like Salesforce means this won’t last forever.

This corner of the discussion is quite closely tied to the cost of migrating a platform to or from a Cloud vendor too. On-premise applications that have undergone extensive deployments across massive WAN enabled infrastructures, and then have had to be tweaked with endless customizations, are going to be almost impossible to migrate to any other platform, Cloud or not. Declaring system bankruptcy and starting from scratch is often their only way out.

An example that demonstrates this well might be moving a DB2 system to Oracle over the weekend.

Proprietary Formats and Data Types

Proprietary system formats and storage data types are possibly the earliest form of smoke and mirrors used by on-premise software vendors to lock their customers into on-premise solutions; odd that many of those on-premise vendors have since launched or supported some sort of cloud-washed version of their own platform.

Luckily the truth slowly prevailed as openness and transparency became the chosen path for reputable Cloud vendors, who, in a bid to make their platforms more attractive and capable than their on-premise competition, built in the functions required to search, export, extract and generally make your data available when you want it.

The Final Fallacy?

Quite simply, I believe the last great fallacy touted about Cloud computing is that of cloud vendor lock-in. Cloud is innovative and is becoming quite disruptive – businesses are turning to the Cloud to help solve complex problems which only a few years ago would have required a huge on-premise infrastructure.

We won’t have to wait long for this fallacy to die away. As more and more enterprises consider the Cloud first over on-premise solutions, the ruthless due diligence of the end users, administrators and the rest of the IT community will filter out these last remaining pieces of flat earth rhetoric.

Photo CC via ||read|| on Flickr


Doug Cavit, the Chief Security Strategist at Microsoft, recently did a great video on Cloud Trust at 10,000 feet.

It boiled down to: can you trust it, and how does Microsoft do Cloud Security? Which raises the obvious question: How does Mimecast compare?

Doug is a really interesting guy: he was the CIO of McAfee for 8 years, protecting them from threats – an important job if you consider what happened to RSA. When he joined Microsoft he worked on the OneCare product team as Microsoft started to become more of a service provider in the security space, so he’s definitely one of those people that’s been on both sides of the table.

In the video he’s answering one of the questions we get asked most: How can I trust my data is going to be safe in the Cloud? And it’s a question we take more seriously than anything else.

The fundamental difference in Cloud vs On-Premise is control.

When your data is on your own equipment, you have ultimate visibility and control over the policies and processes that operate on that data, which means you can be the ultimate arbiter as to how it’s treated. With the Cloud, you aren’t. So how do you deal with that?

With Cloud, you need to trade control for transparency.

That’s the only sustainable way to cede control over something so important: your business data, and in our case, your primary communication method, email.

So we take transparency extremely seriously here at Mimecast, to the point where we have a whole team of people here dedicated to transparency, helping our customers receive the insight and information from us.

What makes a provider transparent and therefore trustworthy?

Policies are the jumping-off point: ensuring these meet your requirements as a customer. Policies are fine, but how do you make sure they are followed into procedures? This has consistently been one of the hardest things for Cloud companies to prove because in an emerging sector like Cloud, standards always lag behind the technology. So we’ve had to forge best practices and procedures through collaboration with organisations like the Cloud Security Alliance, which is helping ISO update the Cloud security controls for ISO 27001. But we’re getting there, and hopefully soon we’ll have the most comprehensive ISO 27001 implementation of any Cloud provider to date.

What about reliability?

This is where the rubber meets the road. To take a phrase from the financial services industry, “Past performance is no guarantee of future results” couldn’t be further from the truth: what has the service provider delivered to date? Are they open about it? What’s their SLA to back it up? And we like to put our money where our mouth is too, with an industry-leading 100% uptime SLA.

Thinking more broadly about putting your data in the Cloud, one of the most important things to think about is the actual data: how much risk does it represent? It sounds like a ridiculous question, but classifying the data is such an important part of GRC: you don’t need to protect your marketing brochures the same way you protect your trade secrets. Doug has a great quote from the video: “I can’t protect something if I don’t know what it is”.

Thinking about the lifecycle of the data and your relationship with the Cloud provider is critically important: I talk about Birth, Marriage and Divorce in my presentations. It’s easy to think about the birth and marriage when going to Cloud, but vital to think about divorce, in case you need to get it out at the end. It’s a tough question for structured data, like accounting or ERP, but significantly easier for unstructured data like emails. Our customers can download their data at any time.

One thing he doesn’t mention is data sovereignty… where your data is physically located, which is becoming more and more important because of legislative requirements and judicial concerns, like the Patriot Act. Having your data located in the right jurisdiction is critical.

So, like Microsoft, we take a two-step approach to security.

  1. We reduce vulnerabilities as much as we possibly can in software
  2. And recognising that issues will happen: when they do, the key is how you deal with them. Triage, Identify, Learn and Integrate that learning into processes. We’ve been doing that for 9 years; that’s a lot of experience built into our processes.

To top that off you can always reach a human being at Mimecast. Someone to help you resolve your issues and escalate them appropriately. I love that. When I got locked out of my Google Apps account the other day, it took a few days for them to respond to my email…

Having a deeper understanding of Cloud security will enable you to use the Cloud provider to do what they do well – abstracting your IT department away from the complexity of running the service.

So can you trust the Cloud? I think so. Like Doug says, just know what you’re trying to accomplish and make sure the vendor offers you the right amount of transparency.


Cloud Strategist
Mimecast


Our latest guest post is by Philip Carnelly, an Analyst with PAC. With over 25 years of experience as an industry analyst, software developer and project manager, Philip has become one of the best-known and most respected analysts in the sector. His work has covered business applications, BI, document management and KM, and latterly Philip has focused on Cloud, Software as a Service and application services. We had the pleasure of spending a morning with Philip, and here’s what he thought, reposted from the PAC blog.

Back in the early days of Cloud applications a decade or so ago (it was generally called ASP back then), I was convinced that the most obvious and easy area for Cloud to colonise would be email. In a sense, that proved to be true, with the big webmail systems – Hotmail, Gmail, Yahoo!mail – gathering hundreds of millions of users. But they were free services. CRM got most of the publicity, because that got paid-for users – real companies putting down real dollars to use online CRM from Salesforce, Microsoft, and others.

But more recently, take-up of paid-for cloud-based collaboration solutions – email++ so to speak – has been gathering pace across the globe, with some big-name (and large-scale) adoptions: fairly evenly split so far, it seems, between Google (Gmail and Google apps) and Microsoft (BPOS and Office 365). IBM’s LotusLive is also still in the mix. Drivers for adoption include flexibility, rising need to support mobile workers, desire to off-load the management of a non-core, non-differentiating system, and the opportunity to consolidate multiple systems into a single platform: all goals facilitated by Cloud-based solutions.

The latest such move here in the UK is Tata Steel Europe (TSE), which signed up Capgemini to help it transition to an Office 365 system over the coming months. No numbers were released, but a quick squiz at the annual report shows that TSE has some 34,000 employees, of which I’d guesstimate that around half are in the UK – and I reckon that the majority of staff would be covered by the new system. This echoes another high-profile deal last year where CSC helped Royal Mail move 28,000 employees onto BPOS.

But the opportunities for cloud-based email don’t begin and end with the big two and the giant SIs. We’ve recently met with two smallish but innovative UK-based companies who are doing very nicely out of email in the Cloud – both taking advantage of the huge momentum behind Exchange.

The first is Mimecast, which grew its business 66% last year (and 91% in the US – a tough nut to crack for a UK company). The company offers a pure-SaaS security and archive/retrieval service for Exchange, which works equally well with on-premise and Cloud-based Exchange servers (Office 365). This latter is a real plus point – companies can sort out their security and archive/retrieval policies, put those in the cloud first, and then migrate to cloud-based mailboxes as-and-when convenient – possibly in a number of stages. It can work with intermittent connectivity solutions – handy for mobile workers and executives. It’s also compatible with Blackberry, and iPhone is coming soon: key “must-haves” for knowledge-based companies in particular. UK customers include law firm Eversheds, De Beers and Bolton Wanderers FC.

The second company is Cobweb, which is exhibiting a similar growth trend to Mimecast: it is likely to double its installed base in the coming year. Cobweb reckons to be the “largest independent SaaS provider in Europe of Microsoft Exchange & SharePoint.”  Customers range from small to large, and include Virgin Media, Thames Water and Bedfordshire Police. Cobweb offers multi-tenanted hosted Exchange solutions, linking up with Symantec (former MessageLabs) to provide the archive/retrieval and security side of things. This then, is a sort-of competitor to Office 365 – but as is the way with IT, Cobweb is also a strong partner to Microsoft. It is one of the few companies to truly exploit Exchange Hosting Edition. Its key challenge to growth right now seems to be recruiting sufficient partners to reach its potential audience but it must be careful to always show its value add/differentiation from vanilla Office 365.

What these two companies tell us is that while the Cloud is consolidating core infrastructure service provision, there’s plenty of scope for innovative solutions based around those core offerings. The growth of cloud-email is not limiting opportunities to simple resellers existing on the thin margins from commission-based sales of a vanilla service.

Small companies would be brave indeed – even foolish! – to go head to head with the US giants. But by bundling and pricing services in the right way there is plenty of scope remaining to carve out a lucrative and sizeable niche, both locally and in the US. This is particularly true in the middle market, where needs are more complex than simple mailbox provision, but skills and resources are more limited than in large enterprises.
