Is the Cloud putting the personal back into computing?

We once thought of clouds as those shapes in the sky that formed to our imagination: swans, dragons, stores of life-giving water. Now the cloud, the technology, stores and provides access to our data, to our personal stuff.

Cloud computing has allowed people to try new things, to share information and stories with friends, family and work colleagues; just as PCs did in the early 1990s.

Personal and work lives can truly intersect, allowing data from both to be available anywhere, any time, from any device.

Strategies to evolve IT such as grid computing, utility computing and SOA were, for the most part, and are not focused on people, their data and the activities that lead to their decision making. They are focused on the plumbing of IT. The focus comes from IT, on shareable infrastructures and notably on cost reduction, not from the consumer (employee, customer) of information.

Information usage has become personal, again

Cloud computing has allowed people to pick and choose the applications, the tools, they want to use to manage the activities and outcomes of their work and personal lives.

There is an immediate need for IT to focus on self-service, on-demand services that provide secure storage of and access to data, through the provisioning of private or hybrid cloud ecosystems.

Without flexibility of choice or a diverse subscription model, company data will continue to migrate, to leak, from company IT-managed systems to cloud service providers. Data will exfiltrate, creating gaps in knowing where company data is located, in the confidentiality and management of that data, and ultimately in customer and stakeholder trust.

IT is a broker of information technology

IT will need to evolve in its role as a broker of business solutions that will cross data center boundaries from internal to external information systems.

Not only will IT need to provision and support an ecosystem made up of internal and external systems, it will also need to integrate external application and cloud service providers with its internal system management and logging infrastructures.

A holistic, enterprise-wide view into the performance and usage of these external systems alongside internally managed systems will produce reliability, confidentiality, integrity and availability metrics, so that the question “Who accesses what, when, why and from where?” can be answered appropriately.

Microsoft Hosting, for me, provides good perspectives, guidelines, practices, and capabilities to provide internally hosted on-demand services.

Just as with the initial use of PCs in the early 1990s, companies are not ready to manage the use of cloud-based computing services by their employees. This creates gaps, and of course new opportunities, in managing the availability of information and the protection of data from leakage and loss of confidentiality.

A disciplined approach to allow and provision cloud [self service, on-demand] services is required. IT needs to broker these solutions so that there is an assurance of form, function and importantly, fit.

There is a mounting need for IT to quickly provision on-demand services that satisfy business needs and can be subscribed to by an individual employee or customer; otherwise the management of data availability, protection and confidentiality will be hampered. If the IT organization cannot meet these needs quickly, then it becomes irrelevant and of little value to its business partners. IT will find itself, and continually find itself, outsourced to the Salesforces, the Amazons, the Apples and the Dropboxes of the world.

As the information technology moniker suggests, the IT organization needs to apply a systematic treatment, the execution of its craft, to the management of information under its guardianship.

Everything starts with data … even ‘Paleo’ man needed data

Everything starts with data, which identifies a customer need or a product to sell. The question I ask, since everything, for me, revolves around the data, is “how do I …”

Identify it
Collect it – (gather, store)
Aggregate it
Access it – (access, use)
Make sense of it
Use it
Ensure availability – (secure)
Allow for the creation of an action, a decision

Principles such as these help direct how a particular IT infrastructure needs to be designed, implemented and supported.

  • Reliability, Availability, Supportability
  • Confidentiality, Integrity, Availability

… are great principles to help guide IT teams to ensure solutions align with the objectives these principles convey and to fulfill IT’s mandate to support the business’s information needs.

I also like this principle

  • Know who accesses what, why, when and from where

… to help determine what data needs to be collected to ‘know’ that the data is secure, what capabilities are required to ‘know’, what other systems need to be integrated to provide additional details, and the specifics of the application: how it functions and how it is used.

For each principle variable, the questions below cover both the information security context and the information system context:

Know
  • The need to observe company-related activities: request/response, data access and flow, communications
  • Monitor, to listen to, company conversations.
  • Collect activities, establish a baseline and measure against it to determine an action
  • The beginnings of understanding, and of knowing when to act.
  • To understand the action
  • To know which request/response pairs to monitor and track
  • To understand the user request
Who
  • Identify the user/requester and the origination of the request.
  • Collect/log who or what is accessing the system
  • Is this usage expected and acceptable?
  • Is this part of the threat model?
  • Identity could be a person and/or device, or a system
  • Who is this system [data] for?
  • How will you know the identity of the requester?
Access
  • The activity (the point of contact) where an event is triggered; to take notice, to start observing the system/data access
  • Is there a threat model for the accessed information system?
  • Can we trust the access?
  • Define how a person or system will access the data: app, HTML, email, API, ODBC …
  • Rules that define how a person or system will access/connect
  • Employee and customer profiles
What
  • What is being accessed … the DATA! via an information system
  • Collect the data and system access activities that have occurred, and by whom and/or what
  • What was the request?
  • What data was accessed?
  • What data was changed?
  • Is there a scope to limit what a request can perform?
    • e.g. limits to the amount of data returned or updated?
  • Did the request complete successfully or did it fail?
  • Was there CRUD of data?
  • What data, what information, is being requested?
  • What is the request: create, read, update or delete (CRUD)?
  • How is the request to be handled? e.g. managing state, exceptions?
  • Did the request complete, was an exception handled, or did the request fail?
Why
  • Do we know why this request for data is occurring?
  • Why was the system accessed?
  • Were the access and request appropriate for the profile of the requestor?
  • Do we know why this access is OK?
  • Is there attestation for continued access?
  • Under what context is this access to data occurring?
  • What is the request; is it correct, safe?
  • Role-based access
  • Authorization to access
When
  • When did the access and request occur?
  • Was the access consistent with the employee or customer role/profile?
  • Does this conform to the requestor’s profile?
  • The assumption is that it may differ for employees and customers
  • Customer and employee roles define availability
Where
  • Where did the access and request originate from?
  • Is the access consistent with a customer or employee role/profile?
  • Does this conform to the requestor’s profile?
  • Do we have a whitelist of where employees and customers will/should be accessing the system and data from?
  • Do we have a baseline of previous access to measure against?
  • Can we trust the location from which the request is being made?
  • How is the application/system designed to accommodate access from a variety of locations and device/interface types?
  • Should access to data be from a specific location or from a variety of locations?
  • Will the request originate from a safe place?
  • Do we know and maintain the employee’s and customer’s usual IP address from which they access?
  • What type of device or interface?
    • Browser-based
    • Application-based
    • Network connection
    • Fast or slow?
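The Who, What, When and Where questions above amount to a checklist that an access log can be run against. The following is an added example, not code from the original post: it parses constructed log records in a hypothetical whitespace-separated format, builds a baseline of each user's usual source IP from past successful access, and checks each new request against a constructed employee or customer profile (permitted CRUD operations, expected networks and access hours, a scope limit on rows returned or changed, and expected interface types). The roles, network ranges, hours, limits and log lines are all illustrative.

```python
"""Checks for the principle 'know who accesses what, why, when and from where'.

Added example, not code from the original post. The roles, network ranges,
access windows, scope limits and log records below are all constructed for
illustration, and the whitespace-separated log format is hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

CRUD = {"create", "read", "update", "delete"}

@dataclass
class Profile:
    """What a role may do, from where, when, how much, and through what interface."""
    allowed_ops: Set[str]               # permitted CRUD operations
    allowed_networks: List              # expected source networks; empty = no restriction
    hours: Optional[Tuple[time, time]]  # expected access window; None = no window
    max_rows: int                       # scope limit on rows returned or changed
    allowed_devices: Set[str]           # expected interface types

# Constructed profiles: employees work from two networks during the day and may use
# any CRUD operation; customers only read/update small amounts, from anywhere.
PROFILES: Dict[str, Profile] = {
    "employee": Profile(CRUD, [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")],
                        (time(7, 0), time(20, 0)), 5000, {"browser", "application"}),
    "customer": Profile({"read", "update"}, [], None, 200, {"browser", "application"}),
}

@dataclass
class AccessEvent:
    when: datetime  # when the access occurred
    who: str        # identity of the requester (person, device or system)
    role: str       # employee or customer
    what: str       # data set accessed
    op: str         # create / read / update / delete
    rows: int       # amount of data returned or changed
    where: str      # source IP address
    device: str     # interface type
    outcome: str    # success / failed / exception

def parse_log_line(line: str) -> AccessEvent:
    """Parse one record of the constructed format:
    <iso-timestamp> <user> <role> <dataset> <op> <rows> <src-ip> <device> <outcome>"""
    ts, who, role, what, op, rows, where, device, outcome = line.split()
    return AccessEvent(datetime.fromisoformat(ts), who, role, what, op,
                       int(rows), where, device, outcome)

def build_baseline(history: List[AccessEvent]) -> Dict[str, Set[str]]:
    """Each user's usual source IPs, taken from previously successful access."""
    baseline: Dict[str, Set[str]] = {}
    for ev in history:
        if ev.outcome == "success":
            baseline.setdefault(ev.who, set()).add(ev.where)
    return baseline

def check_event(ev: AccessEvent, baseline: Dict[str, Set[str]]) -> List[str]:
    """Return one finding per principle question the event fails; empty means it conforms."""
    p = PROFILES[ev.role]
    findings: List[str] = []
    if ev.op not in CRUD:
        findings.append(f"what: unknown operation {ev.op!r}")
    elif ev.op not in p.allowed_ops:
        findings.append(f"why: {ev.role} {ev.who} is not authorised to {ev.op} {ev.what}")
    if ev.rows > p.max_rows:
        findings.append(f"what: {ev.rows} rows exceeds the {ev.role} scope limit of {p.max_rows}")
    if p.allowed_networks and not any(ip_address(ev.where) in n for n in p.allowed_networks):
        findings.append(f"where: {ev.where} is outside the expected networks for {ev.role}")
    if ev.where not in baseline.get(ev.who, set()):
        findings.append(f"where: first access by {ev.who} from {ev.where}, no baseline match")
    if p.hours and not (p.hours[0] <= ev.when.time() <= p.hours[1]):
        findings.append(f"when: {ev.when.isoformat()} is outside the expected access window")
    if ev.device not in p.allowed_devices:
        findings.append(f"access: unexpected interface {ev.device!r} for {ev.role}")
    if ev.outcome != "success":
        findings.append(f"what: request did not complete ({ev.outcome})")
    return findings

def review_log(history_lines: List[str], new_lines: List[str]) -> List[List[str]]:
    """Build the baseline from history, then return the findings for each new line, in order."""
    baseline = build_baseline([parse_log_line(line) for line in history_lines])
    return [check_event(parse_log_line(line), baseline) for line in new_lines]

# Constructed sample records: yesterday's successful access, then today's requests.
HISTORY_LINES = [
    "2024-03-04T09:15:00 alice employee orders read 120 10.1.2.3 browser success",
    "2024-03-04T10:02:00 alice employee orders update 3 10.1.2.3 application success",
    "2024-03-04T11:40:00 bob customer account read 5 198.51.100.7 browser success",
]
NEW_LINES = [
    "2024-03-05T09:30:00 alice employee orders read 90 10.1.2.3 browser success",
    "2024-03-05T02:10:00 alice employee orders read 20000 203.0.113.200 browser success",
    "2024-03-05T11:00:00 bob customer account delete 1 198.51.100.7 browser failed",
]

if __name__ == "__main__":
    for line, findings in zip(NEW_LINES, review_log(HISTORY_LINES, NEW_LINES)):
        print(line)
        for f in findings or ["conforms to profile and baseline"]:
            print("   ", f)
```

Run as a script, the first record conforms, the second is flagged on three questions (the amount of data, a source IP never seen for that user, and the hour), and the third on two (a customer attempting a delete, and a request that did not complete). Failed requests are deliberately kept and reported rather than dropped, since the What questions ask whether a request completed or failed; a real deployment would replace the in-memory profiles and baseline with the identity and logging systems the post says IT must integrate.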

To gather, access, store and secure data, the IT business unit brings together and supports a variety of interconnecting technologies and solutions. It is imperative that IT understands, from a holistic view, how these infrastructure components function and connect and, very importantly, how they fit to form the larger infrastructure ‘house’ that is healthy and safe, so that the business’s data is available and secure.