Cloud Services for Universities & Colleges

Many Universities and Colleges are moving to the Cloud Services to save costs and provide more facilities for the students.

Curtin University, Perth Australia moves more services to the Cloud with Windows Azure.
Copenhagen Business School moves to the Cloud. They recently switched their student email to the Cloud, using Live@edu.

DFEEST (Department of Further Education Employment Science and Technology) wanted to build a new messaging platform for their 85,000 staff and students, either using their existing Novell Groupwise solution, or using an external email service. They evaluated Google & Microsoft and chose Microsoft's Live@edu. The big benefit for DFEEST is that they're saving money, at the same time as delivering a better services to their users.

The Business School at Brno University of Technology, in the Czech Republic, is one of the universities moving to Cloud services, to enable 4,000 students to connect to their learning whilst they are away from campus. They're using the Microsoft BPOS (Business Productivity Online Services) system to connect e-learning to their students in employment, and in other countries including the UK and the US. What they've found is that it gives their students more opportunities for learning, at the same time as helping them deliver a more flexible service within their limited IT budget. And a significant result for them is that they are able to do this with no more staff resources - leaving them to focus on the quality of teaching and learning.

The School of International Relations at the Economics University in Prague is another of the universities moving to Cloud services, as they have moved students studying IT management to the BPOS Cloud services.

By choosing to move to the Cloud, all these universities have claimed to have speeded up their deployment, which in turns speeds up access to educational resources for their students. They've also reduced their cost of ownership, by not having to rely on the existing university infrastructure.

Universities and Colleges are becoming a big business hub for Cloud Service Providers and the competition in this segment is heating up very rapidly!

References: Microsoft Case Studies on www.Microsoft.com
Also published on BMC Communities blog - Cloud-n-more

Cloud Penetration Testing simplified

What is a Penetration Test?
It is a security testing methodology that gives us an insight into the strength of the Cloud network security by simulating an attack from unknown malicious source. It involves an active analysis of the cloud service for potential vulnerabilities due to incorrect system configuration, hardware / software flaws, or operating system level weaknesses. This analysis is carried out from the perspective of a potential hacker and can involve active exploitation of security vulnerabilities. The intent of this test is to proactively determine the feasibility of a hack attack and also try to determine the extent of damage to the business.

Why is Penetration Testing needed on the Cloud?
Cloud Penetration Testing has become a necessity today. The evolution of the cloud technology has focused on the ease of use from an operational perspective with an exponential increase in the complexity of the computing resources! Also, skills needed to hack into systems have steadily decreased with so much knowledge available online. Add to that, the number of network and cloud based applications have increased many fold. And lastly, a security breach on enterprise assets can be a huge detrimental issue to the goodwill and the image of an enterprise!

How is Penetration Testing carried out?
It is usually carried out within a "Black Box" - without any knowledge of the infrastructure to be tested. At a basic level, there are 3 phases in a Penetration Test.

1. Preparation - This is the planning phase where formal non-disclosure agreements are signed and ensures legal protection for both the tester and the client. It should list the IP addresses to be tested along with the timeline at a minimum.
2. Execution - The test is executed and potential vulnerabilities are exposed. The test should address vulnerabilities, risks to applications, remote access systems, VoIP, wireless networks
3. Delivery - Results of the test are communicated to the client and corrective action is advised.

What are the Tools & Techniques for Penetration Testing?
There are a variety of tools & techniques that can be used to conduct Penetration Testing on Cloud Systems. Tools like Whois, Nslookup, Traceroute, VisualRoute, SmartWhois, SamSpade can help gather information about the target network.

• Whois gets you the domain's registrant, administrative & technical contacts, addresses, phone numbers & domain servers.  
• Nslookup gets you the Internet domain servers, information about DNS infrastructure, MX records, IP of the mail servers etc. 
• Traceroute exploits the Time To Live (TTL) feature of the Internet Protocol and gets you the path the IP packets traverse between two systems by sending out consecutive User Datagram Protocol (UDP) packets with ever increasing TTL's. This utility reveals the DNS names, network affiliations & geographic locations.
• VisualRoute from VisualWare gets you traceroute, ping tests, DNS & Whois lookups and displays the actual route of connections and IP address locations visually on a global map.
• SmartWhois gives you comprehensive information regarding the IP address, hostnames, domain names, country, state, city, network provider, contact information etc.
• Sam Spade is a freeware tool to track down spammers and comes with many useful network tools including ping, Nslookup, Whois, IP block Whois, traceroute, finger, SMTP, VRFY, SMTP relay check etc. 

Other tools include utilities like Port Scanners, Vulnerability Scanners & Password Crackers. More to come later...

References: Cloud Security - Ronald L.Krutz & Russell Dean Vines
Also posted on BMC Communities blog - Cloud-n-more

Questions to Ask Your Cloud Service Provider...

If you were to sign up for a Cloud Service, be it Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), what are the questions that you would ask? I have tried to list down most of the questions, however, feel free to be extra cautious and do due diligence before you sign the dotted line!

1. Where will my information be stored? Do I have any control or say in this matter? What are the Security laws in these locations?
2. Can I physically inspect your Cloud operations?
3. Can I get historical data on your Performance Indicators along with historical downtime records?
4. What are the Exit Charges or Penalties if I want to switch to another Cloud Service Provider? Will you delete all the data if I move? How do you prove that all data has been removed from your systems?
5. What are your Disaster Recovery Plans & Policies?
6. What are your Privacy Policies?
7. What types of logs will you provide? Can I get a sample log file? How long do you keep the logs?
8. What are your policies regarding my sensitive data during a legal investigation?
9. What are your up-time SLA's?
10. What types of encryption policies will be implemented?
11. How will my servers be provisioned / decommissioned? 

This does not purport to be a full list of questions but tries to cover the majority of questions that you need answers before you sign-up...

Also posted on BMC Communities blog - Cloud-n-more

Cloud Computing & Business Continuity Planning

Business Continuity Planning (BCP) or Disaster Recovery Planning (DRP) is on the mind of every Enterprise. This can be compared to an Insurance Plan that you or I would buy and companies pay a huge premium to take care of a disaster scenario to ensure that their critical business processes & customers are not impacted or minimally impacted in a disaster situation. From the cloud perspective these days, the critical business processes and systems are very dependent on the Cloud-based applications. BCP involves scoping & planning, conducting a Business Impact Assessment and developing the plan and DRP includes developing the recovery processes, testing them and implementing the disaster recovery processes.

Cloud Computing provides the alternative to an in-house BCP/DRP implementation. You should NOT assume that if you are onto a Cloud Service, you automatically have BCP/DRP. That is a very wrong assumption that many have. In many instances, Cloud platforms do have alternate sites and if one goes down, the availability of your service is automatically served from the alternate site but again, it depends on how the Cloud Service Provider has configured the service!

Your fate is in the hands of the Cloud service provider whose fate is in the hands of..........?

A lot of planning goes into the BCP/DRP with involvement from senior management and key BCP functions / departments. Adopting a cloud strategy for BCP/DRP offers significant benefits to the enterprise without large amounts of capital expenditure and human resources. An enterprise should define their BCP/DRP needs and then carefully evaluate the Cloud Service Provider to ensure that the business needs are met by the provider. A critical issue is the stability and viability of the Cloud Service Provider (CSP). The CSP should be financially strong, technically capable and have the organizational structure & resources to ensure that it will be around when you need it in the short run & the long run!  The CSP should be able to provide secure access from remote locations, distributed architecture, redundancy, geographical dispersion, backup infrastructure, dynamically scalable & storage area networks.

So choose your Cloud Service Provider wisely after doing thorough research so that you are not caught without an umbrella or a rain coat on a sudden rainy day!

Also posted on BMC Communities blog - Cloud-n-more

Cloud Forensics & Obstacles

What is Cloud Forensics?
Cloud Computing usage is increasing day by day and so is criminal activity as cyber criminals figure out ways to monetize unauthorized access to IT solutions in the cloud environments. Cloud Forensics is like any other forensic investigation where experts try to gather evidence of a cyber-crime in a cloud environment and try to persecute the criminal. Computer forensics attempts to ensure the authenticity of data, but cloud computing environments pose significant obstacles to this process since the hardware, software, infrastructure does not usually belong to the organization that has been attacked / compromised or breached.

Significant Obstacles
When I say significant obstacles, I refer to the architecture of the Cloud Computing, Cloud Services & Delivery Models. With multi-tenant hosting, globalization of the servers and data centers, different jurisdictions in different countries, lack of standards, lack of access to network routers, firewall & other hardware it becomes very difficult to obtain evidence of attacks, breaches & cyber-crime

So how to overcome these obstacles?
There is no easy way to overcome these obstacles! Very few tools are available that continuously record everything in the cloud environment. a few tools that do record these events produce huge logs that are humanly impossible to sift through. What is needed is a compact log file that can be read and understood by even the common man to understand and back-track the events that led to the cyber-crime! It's not very far when we get to that technological nirvana!

Also posted on BMC Communities blog - Cloud-n-More

Amazon EC2 Outage - What just happened?

Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers. However, it just went down for many customers in the East Coast and the cause - Network Error! There were some issues with the Backup jobs failing as well and thereby eliminating redundancy.

The popularity of Amazon’s cheap, easily scalable hosting is showing its downside right now, with a number of popular websites and services throwing up errors or being down completely. Foursquare, Quora, Reddit, Moby and Hootsuite are among those affected by technical troubles on Amazon’s servers. The company’s status dashboard currently shows problems with the company’s Elastic Compute Cloud and Relational Database Service operations, based in North Virginia, with connectivity issues confirmed.
Let's hope that this is just a short term issue and will be fixed immediately, else customers may lose their confidence on the EC2.

So if you are planning to jump onto the EC2 band-wagon or any other low cost Cloud Service, expect these kind of outages as we are dealing with machines and machines may go down! Even their SLA's specify 99.95% uptime, right?

How did Cloud Computing evolve?

There were a number of dynamics involved in contributing to the evolution of Cloud Computing. Virtualization technologies, high-bandwidth internet & communication technologies, delivery of enterprise apps, software inter-operability standards, Web 2.0 were some of the key influencing factors for the emergence of the "CLOUD" world!

In 1999, the face of Cloud Computing entered the corporate world with the introduction of SalesForce.com to deliver Enterprise Applications over the internet. This marked the beginning of Software As A Service (SaaS). In 2006, Infrastructure As A Service (IaaS) and Platform As A Service (PaaS) were introduced by Amazon's Elastic Compute Cloud (EC2) commercial web service. In 2009, Google & Microsoft entered into the foray of offering enterprise application services!

Is Cloud Computing the same as Grid Computing?
Not really! Grid Computing uses distributed virtual machines to usually complete a focused single large task, whereas Cloud Computing also uses distributed virtual machines to to complete different types of tasks!

Is Cloud Computing the same as Software As A Service?
Not really! Software As A Service (SaaS) is a software that an organization can purchase and use & it can reside on the user's machines or machines owned by a service provider. SaaS is one of the sub-sets of Cloud Computing.

Is Cloud Computing the same as Virtualization?
Not really! Virtualization can be used to implement Cloud computing.

Is Cloud Computing the same as Service Oriented Architecture?
Not really! Service Oriented Architecture (SOA) supports data exchange among different applications that are a part of a business process.

All the above perceived synonyms (not exactly synonyms!) are used with reference to Cloud Computing, but they should not be confused with Cloud Computing as they are sub-sets or bits & pieces of the Cloud Computing world!

More on this tomorrow!

What is Cloud Computing?

Cloud computing refers to the provision of computational resources on demand via a computer network. In the traditional model of computing, both data and software are fully contained on the user's computer; in cloud computing, the user's computer may contain almost no software or data (perhaps a minimal operating system and web browser only), serving as little more than a display terminal for processes occurring on a network of computers far away. A common shorthand for a provider's cloud computing service (or even an aggregation of all existing cloud services) is "The Cloud".

The most common analogy to explain cloud computing is that of public utilities such as electricity, gas, and water. The phrase “cloud computing” originated from the cloud symbol that is usually used by flow charts and diagrams to symbolize the internet.

In an October 2009 presentation titled "Effectively and Securely Using the Cloud Computing Paradigm" by Peter Mell & Tim Grance of the National Institute of Standards and Technology (NIST) provides a concise and specific definition:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

The Cloud Model is composed of 5 Essential Characteristics, 3 Service Models & 4 Deployment Models.

5 Essential Characteristics:

• On Demand Self Service
• Rapid Elasticity
• Network Access
• Resource Pooling
• Independent of Location
• Measured Service

3 Service Models

• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)

4 Deployment Models

• Private Cloud - Enterprise owned
• Community Cloud - Shared infrastructure for a specific community
• Public Cloud - for the public, big-scale infrastructure
• Hybrid Cloud - Comprises of 2 or more types of clouds

More coming up in my next post...Thanks for reading!