Can You Trust The Cloud?

Can You Trust The Cloud? Everything you need to know about cloud security.

CAN YOU TRUST THE CLOUD? Page 1 Can you trust the cloud?... 2 Understanding the risks of the cloud... 3 Is it all just bad press?... 4 Understanding the vulnerabilities... 4 Compliance and legislation... 5 How to protect your data in the cloud... 5 Choose the right cloud... 6 Public cloud... 6 Private cloud... 7 Hybrid cloud... 7 MyCloudStack... 8 Cloud buyers checklist... 10 Appendices Appendix 1 Sony PlayStation Network data breach... 11 Appendix 2 - Amazon EC2 Service downtime... 11 4 TIMES

CAN YOU TRUST THE CLOUD? Page 2 Can you trust the cloud? Cloud computing Cloud computing offers a new and powerful IT strategy that can make systems leaner, more agile and cost effective whilst freeing up IT expertise and resources. Organisations also benefit by moving from a fixed to a dynamic working infrastructure, providing greater flexibility to respond to market changes without any capacity limitations. The cloud has revolutionised many business processes, vastly improving communications, collaboration, and efficiency. It is trusted to house sensitive data such as personnel details, customer details and supplier information. The cloud offers variable cost structures, state-of-the-art infrastructure and the latest software, without the risk of heavy investment and eliminating under-utilised infrastructure. The advantages have attracted many businesses to move to the cloud to support their cost-reducing strategy. Forecasts have shown that many more will follow; Forrester has predicted that the cloud computing market is expected to grow from $40.7 billion to $240 billion by 2020 1. With many major companies including Apple developing cloud services, it is inevitable that cloud computing will become a fundamental part of our IT infrastructure. Cloud computing has transformed IT infrastructure with innovative virtualisation technologies. Through the Infrastructureas-a-Service model it has revolutionised the way businesses operate. The cloud removes the complexity of managing IT infrastructures, increasing performance and security levels, as well as reducing costs when setup correctly. Key benefits Enhanced security and data protection Infinite scalability Reduced capital expenditure and maintenance overheads Increased performance Greater business flexibility This must-have service model offers all of the benefits that are top of the agenda for IT decision makers; however, not all clouds are equal. Some clouds unfortunately do not cover their biggest concern; the safekeeping of their business data and very few providers offer water-tight guarantees and service level agreements. This means that if you make the wrong choice, your data can be at risk and the standards of support available will fall way below the expectations of most businesses. The considerable advantages of cloud computing make this technology extremely desirable. So, how do you choose the right infrastructure? IT decision makers must choose a provider that delivers the correct controls, protection and transparency needed to help protect data and avoid data loss, leakage, downtime and risk of online threats. 4 TIMES

CAN YOU TRUST THE CLOUD? Page 3 Understanding the risks of the cloud Cloud security The majority of research supports a sharp growth in the adoption of cloud computing. However, a recent survey conducted by Kapersky indicates that 62% of IT managers claim security issues are an obstacle to the increased adoption of cloud computing. 2 The main factors for concern include: 1. Data security Accidental release of protected data User authentication Access control 2. SLA guarantees Service outage Loss of control Reliability Performance Uptime & availability 3. Job losses It is unsurprising that their main concern is data security. With many online threats and frightening news stories, the cloud becomes a daunting place to store your business data if you don t fully understand it. In reality, a cloud solution can offer the same levels of high security afforded to more traditional dedicated server solutions, providing you know what to specify. The Information Systems Audit and Control Association (ISACA) has stated that the number of security threats on the internet appears to be increasing; its investigation has shown that online threats and attacks are becoming more commonplace and increasing in complexity and sophistication. UKFast offers end-to-end security solutions that protect your sensitive business data from viruses, and online threats. Our proactive security solutions dynamically monitor your solutions to catch any security risks and respond to security threats with controls that will protect your business. As a member of the Cloud Industry Forum, UKFast puts great importance on data security. Network protection Hardware protection Software protection Security standards Must have protection Dedicated managed Cisco ASA firewall Intrusion detection system McAfee Active Virus Defence Annual security audits DDoS protection Understanding the risks, vulnerabilities and the very latest layers of defence available is crucial when choosing a cloud hosting provider. It is imperative that your solution incorporates advanced data security and redundancy provisions. Whatever solution you have, security must be top priority. 4 TIMES

CAN YOU TRUST THE CLOUD? Page 4 Is it all just bad press? Private cloud testimonials Cloud computing has recently suffered major PR nightmares, with the downtime of Amazon s Elastic Compute Cloud and the Sony PlayStation Network data breach. These data security issues have fuelled concerns that cloud computing is inherently unsecure and unreliable. The more popular a service is, the more of a target it becomes to hackers, and with hundreds of websites being affected by downtime or theft of data, it will almost certainly make the headlines. This was indeed the case for Sony PlayStation when it recently suffered the biggest ever security breach on record (see appendix 1). In truth, cloud services aren t necessarily more risky or less secure than maintaining applications and data in the corporate data centre. In fact, some experts still believe that the cloud provides greater security to enterprises, but this depends on their technical makeup. But, is the cloud more secure than your in-house IT infrastructure? The answer can most certainly be yes, if the cloud is built properly. IT outsourcing allows you to take advantage of enterprise class IT without the need for costly upgrades, server management or maintenance. And with leading cloud providers offering expert technical services, business class security technologies, 24 hour monitoring and support outsourcing to a reputable provider can release you from the day-to-day IT issues that so often impede business progress. A private cloud means we are able to call upon more capacity when we need it without suffering any degradation in performance, which is critical to our clients. It means we can grow and grow and grow without having to change our platform or our architecture every time we bring on a new client or several large clients. Andrew Milner, development director at Gecko. Instead of having to outlay for the provision of new equipment and new servers when they know the campaign is only running for three months, they can scale up, pay for that particular amount of time, then scale back to their normal amounts. Jonathan Whiteside, founder of Building Blocks. Understanding the vulnerabilities IT infrastructure of all types will continue to remain vulnerable to online threats and failures. Hackers will constantly evolve their processes to attempt to bypass the latest security patches and infrastructure is often labelled as the weakest link due to its complex set-up and technology. Therefore having additional protection, redundancy and monitoring in place mitigates the risk. Amazon recently fell victim to infrastructure failure due to poor setup; a section of its cloud failed which caused extreme downtime for their clients (see appendix 2). According to Jim Reavis, executive-director for the Cloud Security Alliance (CSA), as more firms switch to third-party cloud computing infrastructure solutions, the need for adequate security provision will increase - simply because there will be a greater number of security loopholes for cybercriminals to exploit. 3 This statement highlights the need to partner with progressive cloud hosting providers that build in layers of control and protection to mitigate the risks of online threats. >> Use the checklist on page 10 to ensure your cloud solution is properly secured. 4 TIMES

CAN YOU TRUST THE CLOUD? Page 5 Compliance and legislation UKFast service level agreement The latest security issues have boosted a case for compliance and legislation to effectively oversee the cloud hosting environment. You cannot be sure if data is accessed just by you and no one else you don t know if it s protected or not. You almost know nothing, and this is the reason why it s really important to create some legislation ruling, said Mr Nikolay Grebennikov, chief technology officer at Kaspersky. To protect your business, you should insist that your cloud service provider offers visibility into security processes and controls to ensure confidentiality, integrity, and availability of data. UKFast s service level agreement is a demonstration of our continuing commitment to the very highest standards of customer service, support and care. Our UK based technical assistance gives you 24/7 support. 100% network availability 15 minute rapid response promise 24/7 reboot guarantee This view is shared by IT and security leaders, who were surveyed in the 2011 Global State of Information Security Survey by PricewaterhouseCoopers. They identified compliance (34%) and regulatory compliance (33%) among the top five business issues that will drive information security spending in their organisation in 2011. 4 A code of practice has been established by the Cloud Industry Forum (CIF). Its mission is to improve transparency of cloud services to help provide end users with confidence when choosing a provider. The forum guidelines will allow cloud hosting providers to demonstrate their ethics, practices and processes. Maintaining a protocol will support the growth of this IT infrastructure and encourage providers to preserve a minimum standard of security and service. 1 hour hardware replacement guarantee Lifetime warranty on parts and labour 24/7 emergency support How to protect your data in the cloud Security breaches will continue to feature in the press, hackers will continue to target high profile databases and technology will always have the potential to fail. A move to the cloud requires caution, vigilance, planning and design with full system backup and redundancy. Supplier transparency and maintaining some control of your infrastructure and design can help to ensure that you understand your cloud architecture completely. Companies also face legal proceedings and penalties by promising more than they can deliver. If a company is vague, its biggest threat is bad publicity when a hacking attack or a technical error exposes customer information. 4 TIMES

CAN YOU TRUST THE CLOUD? Page 6 Having a cloud solution makes you think a lot more about security than perhaps you would if you were running it in-house. With a cloud solution we are thinking longer and harder about how we can secure those solutions for our customers, said Jonathan Whiteside, founder of niche technical agency Building Blocks, whose clients demanded the flexibility of a cloud solution but had concerns over security and data protection. We ve addressed those concerns by making sure we think about every possibility before we deploy the solution. How are we going to deploy the solution? How will we access the solution? We make sure things have secure, long passwords. Neither Building Blocks or our clients have experienced any security problems associated with the private cloud. The risks will not prevent organisations from moving to cloud-based strategies but more security and resilience need to be factored in when choosing a cloud provider. Choose the right cloud Public cloud Public cloud computing utilises virtualisation technologies, allowing cloud hosting providers to segment their servers to take advantage of economies of scale. Your data will essentially be stored on shared SAN storage that will also house the data of other companies. Public clouds are appropriate for certain applications and certain sizes of organisations only. It is therefore important to fully appreciate the benefits and risks in order to make an informed decision. Benefits of outsourcing to UKFast Reduced capital expenditure Increased ROI Affordable monthly payments Enterprise class hardware Performance optimised network Increased availability Advanced data centre security Built-in business continuity 24/7/365 expert IT support 100% system compliance Rapid scalability and deployment 100% carbon neutral The public cloud reduces your level of control and increases your level of risk; it is inherently beyond control of the end-user, which presents an increased chance that your data can be compromised. The major limitation of the public cloud is that the end users will share processing power, switches and security applications such as firewalls. This therefore makes the public cloud unsuitable for high traffic websites, business critical application hosting and sensitive data. The recent high profile cloud security breaches have all been associated with the public cloud. Sharing resources comes with its own risks, as your data can be governed by the usage and practices of the companies that you share with. The public cloud does however deliver substantial cost savings and is particularly suitable for low load websites and applications housing unrestricted information. Outsourcing your IT infrastructure to the public cloud also allows business users of all sizes to gain access to advanced infrastructure at a very low cost. >> Use the checklist on page 10 to ensure your cloud solution is properly secured. 4 TIMES

CAN YOU TRUST THE CLOUD? Page 7 Private cloud Our commitment to you The private cloud is ideal for businesses; it delivers all the advantages of the public cloud but in an isolated environment. Private clouds do not share security or processing resources, meaning all resources are dedicated to your environment and secured behind dedicated firewalling. This isolation from other network users is crucial for maintaining high performance, high availability and maximum security. The private cloud also utilises virtualisation technologies to allow you to consolidate all of your under-utilised physical hardware on to virtual machines, therefore reducing your capital expenditure and maintenance costs. All layers of security and control that are available on a traditional dedicated server solution such as encryption, passwords and firewalls can be incorporated into a private cloud; giving your solution the advantage of increased security, performance and availability, with decreased operational overheads. Gecko, a digital campaign management company, recently adopted a private cloud solution to enable them to deal with spikes in traffic during clients campaigns. It gave us the capacity and flexibility that we needed, particularly for clients when they are in cycles of campaign activity, said Andy Milner, Gecko s development director. Security is critically important to us and we ve not compromised on that with a private cloud. Hybrid cloud The hybrid cloud delivers a combination of dedicated hosting and private or public cloud hosting. Providing you with greater flexibility and additional capacity when required, hybrid clouds are well suited for businesses with seasonal peaks or marketing driven spikes in traffic. Offering a cost effective solution, a hybrid cloud ensures that your services can meet these periodic traffic demands whilst maintaining control, visibility and data protection. UKFast aims to deliver a broad range of value for money products and services to meet all your key business needs, and respond to your changing circumstances and requirements. UKFast is committed to providing total quality and aims for 100% performance 24-hours a day. UKFast is committed to providing the very best quality of low latency and reliable service at all times. By constructing the network to the highest specifications, UKFast achieves absolute reliability. UKFast believes that consistent superior customer service is a critical element in attracting and retaining customers. UKFast makes significant investments in staff motivation and provides its staff with technical and administrative training programmes. In short, a hybrid cloud combines the ultimate security of a dedicated hosting solution with the elasticity of cloud computing. 4 TIMES

CAN YOU TRUST THE CLOUD? Page 8 MyCloudStack TM What makes UKFast different? New and exclusive to UKFast, MyCloudStack is the latest evolution in cloud technology - a private cloud-ina-box. Developed in collaboration with Microsoft and available on Hyper-V and VMware, MyCloudStack offers the highest standards of protection available in a cloud environment. MyCloudStack is a private cloud hosting solution that provides you with the controls, privacy, protection and availability that your business needs. MyCloudStack is designed to offer you a flexible package built to your exact requirements. MyCloudStack encompasses: Defence layer Performance layer Virtualisation layer Storage layer Backup layer Monitoring layer MyCloudStack allows you to take advantage of the strengths of cloud computing with added data security, performance and redundancy. Managed defence layers monitor your private cloud for any hacking attempts and alert you to any signs of cyber-crime that could affect your business. UKFast started operations in 1999 as a trade supplier of bandwidth. Nowadays this means we have strong relationships with bandwidth providers offering high quality bandwidth. Our global connectivity is second to none. Two main data centres in the UK are Telehouse in London, and MaNOC in Manchester. These facilities house some of the top peering points in the UK and Europe. Having your servers located at either of these sites means your UK customers are able to view web pages faster than they could, just about anywhere else in Europe. We invest heavily in our network and deliver on our promise to never oversell space. All core equipment and circuits run well below capacity, ensuring optimised conditions for server hosting. We aggregate bandwidth from seven top tier providers including Verio, Level 3 and AboveNet. Offering you the best protection for your business, MyCloudStack incorporates premium security features to reduce any chances of your business falling victim to an online attack. This can include: Redundant pair of dedicated managed Cisco ASA firewall with Security Plus license Intrusion detection system McAfee Active Virus Defence Annual security audits DDoS protection >> Use the checklist on page 10 to ensure your cloud solution is properly secured. 4 TIMES

CAN YOU TRUST THE CLOUD? Page 9 The tailor-made hosting solution allows you to quickly feed into cloud reserves, gain maximum flexibility and reduce costs by choosing your exact requirements. Being able to mix and match components allows you to balance levels of availability with security concerns and price. In addition, because it sits on the UKFast high performance business network, you get the added benefits of increased network security. Offering enhanced firewalling, advanced connections, resilience and speed, UKFast provides the most robust network with certified security assurances. UKFast is ISO 9001, 14001 and 27001 accredited and PCI DSS compliant. With strict information security protocols, your systems are protected around the clock in our secure data centres with access to technical support 24/7/365. Don t let your business become a soft target to cyber criminals; ensure that your sensitive business data is protected with MyCloudStack. Why the best companies choose UKFast Data centre location, 2 x direct fibre links to the hub of the internet (Telehouse) with dark fibre redundancy Accreditations ISO9001, ISO14001, ISO27001, PAS2060, PCI Compliance Certified Level 3 engineers manning the support desk 24/7/365 UK based support round the clock HQ & on-site DC engineers 3 rings policy + 15 min rapid response + 1hr hardware replacement guarantee Managed firewall for all clients Call our solution experts on 0800 954 0899 to discuss the possibilities now. Or to learn more about our solution visit /mycloudstack.html Intelligent backup secure, effortless full state system backups Proactive uptime monitoring continuous monitoring with engineer & client alerts Award winning ISPA Best Hosting Provider 4 consecutive years, ISPA, ISPA Best CSR High grade bandwidth, optimised for web acceleration 100% network uptime guarantee Technology partners 4 TIMES

CLOUD BUYERS CHECKLIST Page 10 Key features to look for when evaluating a private cloud hosting provider. UKFast Competitor Solution Protection: Hardware Protection: Software Protection: Network Security: Performance: Support: Security Standards: Managed Cisco ASA Firewall Dashboard alert control centre Intrusion detection system DDoS protection Server clustering Server replication Monthly performance reports SafeDNS Server maintenance and patch updates Proactive monitoring Hardware SLA UK based data centres Annual security audits Latest generation Dell and HP servers McAfee Active Virus Defence Security patches Intelligent burstable backup Capacity Threshold Monitoring Juniper front edge router Cisco anomaly detection and traffic analysis 100% network uptime guarantee Self healing network Tier 2 classified data centres 2 x direct fibre connection to Telehouse London 100% carbon neutral hosting Webcelerator caching technology Layer 7 dedicated load balancing Rapid scalability Highly resilient SAN storage Level 3 qualified support engineers 24/7/365 helpline Calls answered in 3 rings Call centres 100% UK based Fully manned data centres 24/7/365 15 minute rapid response promise 1 hour hardware replacement guarantee ISO 9001 ISO 27001 PCI DSS compliant CIF membership 4 TIMES

APPENDICES Page 11 Appendix 1 Sony PlayStation Network data breach The Sony PlayStation breach has been reported as the biggest ever security breach in history, internet experts are calling this one of the largest data thefts on record. Hackers gained access to the PlayStation network by installing a communication tool through a vulnerability in the application server to then establish an intrusion route. The compromised data included personal contact information, date of birth, passwords, card details and also direct debit information. The hackers goal is to learn information about people and exploit it to their advantage. Sony PlayStation customers are now at the peril of spam emails, and the threat of their details being sold to other parties. They have been urged to be vigilant when receiving correspondence from their banks and also to ensure that passwords are changed at the earliest opportunity. Surprisingly Sony s customer base has been quite forgiving; the PlayStation gamers have been reported to understand the technological implications and the ferocity of hackers therefore giving Sony the benefit of the doubt. However credit card companies haven t been so lenient of the situation, as they have indicated that they are facing a possible cost of $300 million to replace the cards used on such accounts. Sony are now forensically analysing how the attack was conducted to help them to enhance their data security policies and ensure that the correct preventative measures are in place to avert further attacks. Could the Sony Network breach have been avoided? Critics have stated that Sony could have prevented the breach or at least made it more difficult for hackers to gain access. It has been pointed out that Sony could have certified their network security by carrying out regular security audits and penetration tests to identify vulnerabilities that could have been patched to stop the attacks from occurring. One thing no business owner wants is to expose his client base to online threats. In this fragile economic environment it is imperative that every precaution is taken to lock-down sensitive information to protect brand equity and your bottom line. Appendix 2 Amazon EC2 Service downtime Amazon also cast a bad shadow on the cloud with a significant system outage of their public cloud due to an infrastructure issue. Amazon s datacentres suffered major downtime that caused extensive disruptions to websites around the globe. Their client base incurred huge losses due to the interruption of their services which for some lasted hours whilst other websites were offline for days. This downtime also affected dozens of high profile companies including Quora, FourSquare and Reddit. Their infrastructure fault came about due to a traffic shift that was executed incorrectly. Traffic was routed onto a lower capacity network which couldn t handle the level of load that it was receiving causing it to fail. The crash has not only taken the websites offline, but has also destroyed a large amount of client data. This outage has reinforced concerns that the cloud cannot offer adequate security and stability. Having correct hardware protection could have avoided this disaster. Capacity Threshold Monitoring and Proactive Uptime monitoring facilities would have alerted Amazon to the traffic issue in time for them to shift the load or increase their capacity before it had an impact on their services. 4 TIMES

Best ISO 9001, ISO 14001, ISO 27001

0800 458 4545 GIVE YOUR BUSINESS THE COMPETITIVE EDGE Page 12 Last year we helped more than 4000 businesses double their traffic. Let us put you first. Call today. 4 TIMES

GIVE YOUR BUSINESS THE COMPETITIVE EDGE Page 13 4 TIMES

References 1. http://www.itproportal.com/2011/04/27/cloud-computing-market-predicted-240-billion-2020/#26 2. http://www.kaspersky.co.uk 3. http://www.sys-con.com/node/1805301 4. http://www.infosecurity-us.com/view/17688/security-is-left-behind-in-rush-to-cloud-survey-finds/ Your future is our business UKFast City Tower Piccadilly Plaza Manchester M1 4BT t. 0800 458 4545 f. 0870 458 4545 w. e. headoffice@ukfast.co.uk Copyright 2011 UKFast.net Ltd.