Posts Tagged ‘Compliance’

Cloud can make your environment *more* secure. A new cloud service alerts IT pros when specific events happen in their environment. For example, you might want to receive an email when a sensitive resource gets accessed, certain permissions get granted, membership of a privileged group gets changed, and so on. All of this is now part of the Quest OnDemand Log Management service – just watch this two-minute video to see how it works:

(Full disclosure: I work for Quest Software and participate in our Quest OnDemand efforts.)

What’s best is that this is a cloud service – so no local deployment or additional infrastructure is required. You can just go to the website, sign up for a free trial, download a small agent, and start getting alerts for the events you care about!

Cloud is good for you! Sign up for a free trial now and have the cloud help you keep your environment secure.


The common word out there about cloud computing/SaaS and security/regulatory compliance is that these don’t go well together. However, things don’t have to be that way. Doing security right can cost a lot of money, and public cloud services could absorb some of these costs. Thus, there will probably be a point in time when, paradoxically, cloud becomes a cost-effective path to compliance.

With these thoughts in mind, I was delighted to find a report by Scott Crawford from Enterprise Management Associates – “The Security Paradox of Cloud: Five Questions for Cloud Providers”.

This is a great report in the sense that it not only talks about that same paradox but also formulates the 5 questions which cloud vendors need to answer to make this happen:

  1. “How much visibility do I have into how you manage my risks?”
  2. “What risks do your other tenants pose to me… or to you?”
  3. “Are your tools and techniques for managing risk mature enough?”
  4. “Is my data safe with you?”
  5. “How will turning to cloud impact my current approach to management?”

For each of the questions Scott provides a good discussion – so the report is well worth checking out.

Here are a few comments which I had on the paper:

In my opinion, “cloud” is inevitable because it offers better economics than the do-it-yourself on-premises approach: think market-economy specialization vs. a self-sufficient household. This does not mean that no IT services will remain on premises, but we are most likely heading toward some kind of hybrid model. How far we go there does depend on the industry’s ability to answer Scott’s questions.

Scott’s notes on how cloud, with its separation of duties, could also become a more viable security solution are spot on. With a proper legal and certification framework, the cloud approach would let companies split liability risks with the cloud provider – as opposed to having to deal with liability all by themselves. Adhering to retention policies is costly – outsourcing multi-year document/communications retention to Microsoft/Google/etc. and sharing not only storage costs but also liability and risks with them is a pretty good deal.

  • Certifications (such as SAS 70) are a good step toward ensuring better security. Scott seems skeptical about certifications (and rightly so), but they are one of the components of the solution because they provide a vendor-independent common set of standards.
  • Publicly disclosed, industry-proven identity management, authentication and authorization architectures (such as “Geneva”, for example) are another good step – security by obscurity will not cut it here.
  • Encryption/DRM will probably play a bigger role in the picture. These do come at a price, though, and if the limits are pushed too hard the cloud systems may become useless: they cannot provide valuable functionality without access to the data.
  • Legal frameworks providing for shared liability.

With all that said, this will not happen overnight. Kids are sick more often than adults, and the cloud industry is still in its infancy so 2009 and 2010 will bring us quite a few outages and security breaches.

Read Scott’s report here.


Compliance is often a concern when considering SaaS/Cloud solutions – after all, in a sense you are losing control over your data as it goes into someone else’s datacenter.

Yesterday Google announced a few (mostly pricing) changes to their eDiscovery product. The service is basically an email archive built on top of their Postini (anti-spam/anti-virus) services, with some retention settings and a UI for searching the archive. See the quick demo in the original blog post.

What’s interesting is that there is actually little consensus in the industry on what eDiscovery is. If you look at the list of eDiscovery products at – there are a lot of products, and many of them are indeed simply email archiving solutions.

David Sengupta and Paul Robichaux wrote a whitepaper some time ago on how eDiscovery is more than just archive and search – mostly concentrating on what needs to be done internally when eDiscovery is a concern. These tips seem to apply to hosted solutions as well. Some top eDiscovery products seem to offer much more than just a search UI and are more targeted at auditing people and making sure that the evidence collected with the product stands up in court. Will SaaS products get into this niche?

In the blog video, Google is claiming SAS 70 compliance. SAS 70 is basically the IT-controls-related parts of SOX applied to service providers. So it is not related to eDiscovery in any way, but it does imply that Postini datacenters have their IT processes relatively well organized.

We have probably yet to see court hearings with evidence produced from a hosted solution – but with more and more companies in that space, this is bound to happen. Other online archiving and eDiscovery vendors include: Microsoft/Frontbridge, Fortiva, LiveOffice, MimeCast, Orange Legal, Sonian Networks, and MessageOne – looks like a pretty crowded space for SaaS solutions directly tied to compliance!


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer Jelastic or anyone else for that matter. All trademarks acknowledged.

© 2008-2012 Dmitry Sotnikov
