Insightful &
Helpful Articles

Here is what we're working on and
thinking at Hedgehog security.


"Do you fear the auditor more or the attacker?" asks Peter Bassill, chief information security officer at gambling giant Gala Coral Group.

It is a key question for IT leaders thinking of dabbling in on-demand computing provision through the cloud. For Bassill, there is only one answer, particularly for firms operating in highly regulated sectors: "A lot of companies fear the auditor more. If you hold data internally, you can show the auditor your controls, but the cloud makes such demonstrations more difficult."

The resulting complications mean many businesses still shy away from on-demand IT. About 40% of UK companies use cloud computing systems, according to the Information Systems Audit and Control Association. This represents a significant proportion of British organisations, but implementation levels - certainly with regards to large-scale enterprise systems - are nowhere near matching the cacophonous intensity of supplier hype.

While suppliers often portray the cloud as ground-breaking, most independent commentators agree there is nothing inherently new about on-demand IT. Mainframe computing and hosted technology have been around for many years. Application service provision (ASP), for example, represents an often forgotten stage of hosted computing that might be more usefully viewed as the early stages of software-as-a-service (SaaS).

The on-demand marketing push - which started from about 2008 - means anything hosted suddenly represents "the cloud". So, why is the current phase of hosted services different? Most CIOs appear unsure, especially while suppliers continue to hype services and swerve security concerns.

Exploring the cloud

"We are not an early adopter; we were not an adopter at all until recently," says Bassill, speaking recently at a BT roundtable in London. The Gala CISO has run a trial of a cloud-based provision to help capture error data relating to the failure of systems. The approach involved using the cloud as a virtual datacentre, renting processing power and disc space on-demand to aggregate error logs.

Success here allowed Bassill and his team to explore the applicability of cloud for other business areas. But results have been inconclusive, particularly with regards to the persistence and recoverability of data. The studies leave Bassill to conclude that the potential wider use of cloud is complicated.

While the on-demand provision of computing resources can help drive down costs, it can also increase risk - especially for a UK business operating in a heavily regulated sector, such as gambling. Bassill needs to provide a complete audit trail, and providing such visibility to a supplier's infrastructure is an inherently complicated task.

"We need to know where our information is at any point in time," he says. "We need UK data to be kept in a UK cloud. Finding a supplier to meet that demand is a significant challenge. The cloud supplier must prove that the data centre is secure and that information will not be moved between locations."

Less regulated industries are more likely to make an early move towards the cloud, says Ian Cohen, CIO at insurance broker Jardine Lloyd Thompson Group: "As good as the technology could be, heavily regulated firms will have concerns until suppliers are able to answer the question, 'where is the data being held?'. The market needs to think more carefully about regulated businesses."

A supplier might be able to confirm that data will be held in a particular location for the majority of the time, for example, but the potential for a change in location, and a lack of visibility to supplier records, will not satisfy the auditor.

Growth drivers

The likely growth in cloud computing means a new approach is required. The sudden growth in on-demand computing could lead to suggestions that the technology is now moving faster than legislation, and that auditors need to take a more sophisticated approach. But for now, responsibility once again lies with the suppliers.

"What are the cloud suppliers doing?" asks Cohen. "What is the latest piece of technology that will help me to implement the cloud?" Both are key questions for Cohen, who says he is looking at doing some "cool stuff" with the cloud in the near future.

Gala's Bassill also expects the use of on-demand computing to increase, especially as the cost of silicon is now so low that power and air-conditioning are by far the biggest costs associated with running a datacentre. Analyst firm Gartner confirms the inevitable emergence of on-demand provision, with cloud computing leading its recent list of top 10 strategic technologies for 2010.

So, what conditions will help push the growth in on-demand technology? Richard Mahony, director of telecoms research and analysis at Ovum, points to a series of converging factors, including the reduced cost of broadband bandwidth, the potential for increased network capacity, and the possibility for suppliers to work together to offer secure and reliable services.

"Cloud is everywhere; it is the trend of the moment," he says. "You can centralise and standardise your operations within the cloud and this has caught CIOs' imagination. Blue-chip businesses and large public sector organisations are now looking seriously at the cloud. But software providers, as they move into the cloud, have to develop new areas of business; it is not just about software and boxes."

Virtualisation is one area of provision often associated with cloud computing, and some experts see the approach as a platform for launching on-demand IT. But such thinking is dismissed by many IT leaders, with just 24% of technology chiefs responding to a recent CIO Connect survey suggesting they have implemented virtualisation as a first step towards cloud computing.

Cost and complexity

The most obvious conclusion, despite the hype surrounding on-demand IT, is that we are still at the beginning of the journey towards true cloud computing. That is a theory that resonates with John Robinson, group IT director at technology company Morse. When it comes to implementing cloud in his own business, Robinson says he investigated some of the easier targets first, such as messaging and spam filters.

"You need to understand the service you are offering and the cost," he says. "Then you can start looking at your own business and talk about what fits and what does not fit. You can use the cloud to deliver a commodity service to the business. Here, you can measure the impact easily and see how provision might compare in more complicated areas that are related to business process, which is still an area of development in most businesses."

The same complications ring true in the public sector, as confirmed by a recent Siemens Enterprise Communications roundtable in London, attended by Westminster City Council CIO David Wilde. He says financial constraints are creating a shifting mindset among senior leaders, but the perception of the cloud still remains a concern.

"You need to put together a defensible business case," says Wilde. "The challenge for CIOs is how do you get your chief executive to understand the complexity? The answer is to put a figure on your project; show how much something will cost if you do not press ahead."

More than anything, prove that the hype surrounding on-demand IT is nothing to be scared of: "We are not edgy about the cloud, it is just not that new," says Wilde. "I mean, what is all the fuss about?"