CloudTweaks.com (http://cloudtweaks.com): Cloud Computing Industry, Current Trends, Insights, News and much more. Feed last updated Wed, 01 Jul 2015 17:45:03 +0000.

Cloud Pinup: Cloud Management With CloudMGR
http://cloudtweaks.com/2015/07/cloud-pinup-cloud-management-with-cloudmgr/
Published Wed, 01 Jul 2015 17:45:03 +0000


Cloud Management With CloudMGR

Listed as one of the Top 20 Most Promising AWS Solution Providers 2014, CloudMGR delivers an easy-to-use platform for managing and optimizing AWS cloud resources. With a team of cloud application specialists, CloudMGR connects different cloud-based point solutions into a single suite for improved billing, monitoring, provisioning, and support. The company makes use of the full stack of AWS products and services, and also assists with service and customer management, improving business profitability and cost-effectiveness.

Effortless Deployment

CloudMGR’s service covers all aspects of AWS, with features catering to all of your needs. Integration with CloudCheckr helps you optimize your cloud, saving money and reducing operational risk, while scheduling and automation tools save you time and reduce effort. CloudMGR also provides disaster recovery management with automated copying and moving of data to multiple regions within the AWS data center network, and supports multiple AWS regions and accounts. An easy server interface and customizable groups let you use and organize your resources to best suit your needs, while CloudMGR’s Server Build Wizard enables quick and effortless deployment of new servers. Permission management is also simplified, taking the hassle out of defining who has access to what. IT departments, MSPs, and agencies that manage AWS resources for clients will additionally benefit from CloudMGR’s integration with Autotask and ConnectWise, reducing management overhead while simplifying client administration.

Best Practices


Data security is, as it must be, a top priority: as an official Amazon Web Services APN Technology Partner, CloudMGR guarantees strict access controls and secure data centers. Employees are granted the minimum system access required to perform their assigned functions, and all data is stored in AWS data centers, all of which have achieved ISO/IEC 27001:2005 certification, PCI DSS Level 1 compliance, and SAS70 Type II compliance. Two-factor authentication for account access and protection is also provided.

With more than 45 products, Amazon Web Services is the world’s leading public cloud. CloudMGR’s third-party integrations enhance the user experience: CloudCheckr provides accurate usage information and best-practice recommendations that can be easily implemented through CloudMGR. You’re also able to connect cPanel and WHMCS on AWS for an easily scalable shared hosting environment, and Autotask and ConnectWise round off the solution for full AWS account and IT business management.

Reserved Instances

Furthermore, a free RI usage report is available to check how efficiently your Reserved Instances are working. The report gives you information including the number of EC2 servers you have, the number of Reserved Instances you have, the total EC2 servers covered by Reserved Instances as well as the total EC2 servers not covered by Reserved Instances, and tallies the dollars wasted by incorrectly allocated Reserved Instances. CloudMGR notes the top five AWS Reserved Instance mistakes as over-buying, under-buying, buying for too long, miscalculating, and not managing changes, and suggests as solutions flexible payment options, selling of RIs, and modifying and monitoring of RIs, helping ensure you get the most out of your AWS cloud. CloudMGR’s tools help optimize Reserved Instance spend through the management of purchasing and selling, server coverage, auto scheduling, and assisted changes.

Sign-up is free, and CloudMGR provides a 14-day free trial and a free sandbox. Once you decide to opt into the service, three product options are offered: STD at $99 per month lets you manage up to 10 servers with a monthly spend of up to $2K; PRO at $199 per month manages up to 25 servers with a monthly spend of up to $5K; and ENTERPRISE at $299 per month covers up to 50 servers and a monthly spend of up to $10K. No payment details are required for the free trial, so you have a no-strings-attached chance to assess the service.

By Jennifer Klostermann

The post Cloud Pinup: Cloud Management With CloudMGR appeared first on CloudTweaks.com.

Bridging The Chasm Between Business And IT – GRC Way
http://cloudtweaks.com/2015/07/bridging-the-chasm-between-business-and-it-grc-way/
Published Wed, 01 Jul 2015 15:11:09 +0000


Business And IT

In today’s world, company operations function at two distinct levels: the business operation level and the IT infrastructure operation level. While the two functions operate independently, IT exists to support the business. Many IT operations, such as the deployment and management of IT infrastructure, applications and services, are driven by the requirements of the business layer in a top-down fashion so that the company can carry out its business. IT infrastructure management, including addressing cyber security risks, is done exclusively in the IT layer. There are several tools, such as FireEye, McAfee, Qualys, ArcSight and BMC Software, which IT deploys and uses to identify and manage IT security risk, but something is missing.

A chasm exists between the IT layer and business layer, when looked at from a bottom-up perspective.

Let’s say someone hacked into your organization’s network, and some data was compromised. What does that IT event really mean for the business? It’s vital to understand that in business terms because that event could potentially put the company at serious risk.

Perhaps the data breach jeopardized the company’s financial data; then it will need to do some proactive reporting. Perhaps the data breach made the company non-compliant with a regulatory requirement; then it will need to re-certify. Perhaps the data breach compromised personnel records, like the June 2015 federal government hack; then the company will need to alert its employees.

The point is you need a unified business and IT perspective towards comprehensive enterprise risk assessment and management.

Don’t lose the signal in the noise


The massive 2013 Target data breach showed what can happen when you ignore the gap between IT and business risks.

Target was PCI-certified (Payment Card Industry), thanks in part to a $1.6 million malware detection system from FireEye. On November 30, 2013, Target’s security team in Bangalore, India, received alerts from FireEye and informed Target headquarters in Minneapolis. But no one foresaw the risk to the business. In the words of Molly Snyder, a Target spokeswoman: “Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up.”

Obviously something critical got lost in the noise. The first IT event detected was not high priority—from the IT perspective. But from the business perspective, red flags waved: the event occurred during the busiest shopping period and involved customers’ credit card information.

The data breach cut Target’s profit for the holiday shopping period by 46 percent, compared to the previous year. Worse yet, Target still faces dozens of potential class-action lawsuits and legal actions from creditors.

Prioritization is Key

Today’s IT departments cope with a tsunami of security events, but how do they know which one to prioritize? How do they know that an event that may, on the surface, seem trivial and unimportant can have significant impact and jeopardize the business?

There is an obvious need to fill this gap, so that low-level IT events can be mapped to enterprise risk from a bottom-up perspective.

  • A Governance, Risk and Compliance (GRC) system promises to help fill this gap between the IT and business layers.
  • GRC systems help organizations connect the dots across key areas: the limits for regulatory compliance, the analytics for risk management, and the metrics for risk controls. Because a GRC system spans the enterprise, it can help guide and prioritize the appropriate response.
  • When setting up a GRC system, a company must define its critical assets, metrics, and risk assessment controls. The system can help manage and prioritize anything that impacts regulatory compliance, such as Payment Card Industry (PCI) compliance or the Health Insurance Portability and Accountability Act (HIPAA).
  • A GRC solution provides a bottom-up approach to managing and addressing IT events by keeping the business needs in mind. An apparently low-level risk will be given higher priority if it threatens a critical asset or if it jeopardizes a regulatory requirement. This integrated and pervasive 360-degree view is where the value of a GRC solution lies.
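As an added illustration of the bottom-up mapping the bullets describe, here is a small event triage that scores each IT alert by the business context of the affected asset. This is example code written for this page, not the logic of any GRC product; the host names, regulatory scopes, sample alerts and scoring weights are all constructed assumptions chosen to show how a "low" IT event on a critical, regulated asset outranks a "high" event on an unimportant one.

```python
"""Added example (not from the article or any GRC product): scoring IT security
events by business-risk context, the bottom-up mapping the GRC bullets describe.
The asset registry, regulatory scopes, events and weights are constructed."""
from dataclasses import dataclass

# Technical severity as reported by the IT-layer tool (IDS, malware alert, ...).
IT_SEVERITY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    critical: bool                          # on the company's critical-asset list
    regulations: frozenset = frozenset()    # e.g. {"PCI"}, {"HIPAA"}


@dataclass(frozen=True)
class Event:
    event_id: str
    asset: str
    it_severity: str                        # "low" | "medium" | "high"
    description: str


# Constructed asset registry; host names are hypothetical.
ASSETS = {
    "pos-gw-01": Asset("pos-gw-01", critical=True, regulations=frozenset({"PCI"})),
    "hr-db-02": Asset("hr-db-02", critical=True, regulations=frozenset({"HIPAA"})),
    "dev-build-07": Asset("dev-build-07", critical=False),
}

# Constructed sample alerts, in the order the IT tools emitted them.
SAMPLE_EVENTS = [
    Event("E1", "dev-build-07", "high", "exploit attempt against build agent"),
    Event("E2", "pos-gw-01", "low", "unknown binary dropped on POS gateway"),
    Event("E3", "hr-db-02", "medium", "unusual bulk query from service account"),
    Event("E4", "unknown-host", "low", "port scan"),
]


def business_priority(event, assets, peak_period=False):
    """Return (score, reasons). The score starts from IT severity and is raised
    when the asset is critical, in regulatory scope, or hit during a declared
    peak business period. The weights are illustrative assumptions."""
    score = IT_SEVERITY[event.it_severity]
    reasons = []
    asset = assets.get(event.asset)
    if asset is None:
        # Unknown asset: business impact cannot be judged, so bump it and
        # flag the inventory gap rather than silently treating it as low.
        reasons.append("asset not in registry")
        return score + 1, reasons
    if asset.critical:
        score += 2
        reasons.append("critical asset")
    if asset.regulations:
        score += 2
        reasons.append("regulated: " + ",".join(sorted(asset.regulations)))
    if peak_period and asset.critical:
        score += 1
        reasons.append("peak business period")
    return score, reasons


def triage(events, assets, peak_period=False):
    """Order events by business priority, highest first: (event, score, reasons)."""
    scored = [(e, *business_priority(e, assets, peak_period)) for e in events]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for event, score, reasons in triage(SAMPLE_EVENTS, ASSETS, peak_period=True):
        print(f"{score:2d} {event.event_id} {event.it_severity:6s} {event.asset:13s} "
              f"{event.description} [{'; '.join(reasons)}]")
```

Ranked by IT severity alone, E1 would come first; ranked by business priority, the low-severity alert on the PCI-scoped POS gateway (E2) and the medium alert on the HIPAA-scoped HR database (E3) both move ahead of it. The unknown host is bumped rather than ignored, because an asset missing from the registry is itself a gap the GRC setup step is meant to close.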

Visibility


It’s all about understanding the business risk context when prioritizing IT assets and responses to IT events.

Chief Risk Officers (CROs) see and understand key business risks. They have the visibility, and they can make the call. They report on the organization’s risk profile, up to the Board of Directors level, by leveraging a variety of tools and risk dashboards. Equally important, they collaborate across the C-suite and provide management with guidance on what needs to be addressed, how, and when.

Needles in Haystacks

Moving forward, I see challenges ahead on all three fronts: regulations, systems and threats.

Regulatory requirements are increasing and it’s more challenging for companies to be 100 percent compliant with all the appropriate risk controls in place. In terms of systems, an organization’s IT footprint and adoption of cloud-based applications is constantly evolving and expanding.

Meanwhile, the variety and number of cyber threats are increasing, and malware is becoming ever more sophisticated. I anticipate that the volume and severity of IT events will increase significantly. Figuring out which events will have the biggest impact on a company’s business is like finding a needle in a haystack. But it need not be.

That’s precisely where a GRC system can help. By leveraging the correct GRC analytics and intelligence, organizations are able to identify and understand their risks from both the business and IT perspective. Bridging this gap can lead to better data-driven decision making and superior business performance.

(Image Source: Shutterstock)


By Rajesh Raman / Vice President at MetricStream

Rajesh is responsible for Zaplet, an Enterprise GRC Platform-as-a-Service (PaaS) business unit. Rajesh is a seasoned senior software executive with extensive experience in leading products and technology in the Security, Networking and Cloud domains. Previously Rajesh worked at Cisco, where he led the development of a number of innovative and pioneering products, including Cisco’s award-winning identity and policy based secure access and mobility product, Identity Services Engine (ISE), and the Application-Oriented Networking (AON) products. Prior to that Rajesh worked in leadership roles at companies such as Oblix, BEA Systems (both acquired by Oracle) and Lotus/IBM.

The post Bridging The Chasm Between Business And IT – GRC Way appeared first on CloudTweaks.com.

The Business of Security: Avoiding Risks
http://cloudtweaks.com/2015/07/the-business-of-security-avoiding-risks/
Published Wed, 01 Jul 2015 12:16:55 +0000


The Business of Security

Security is one of those IT concerns that aren’t problematic until disaster strikes. It might be tomorrow, it could be next week or next year. The fact is that poor security leaves businesses wide open for data loss and theft. News outlets just skim the surface, but hackers cost business up to $575 billion each year. What’s concerning for CIOs is that risk assessment is placed solely on the IT department, even if the breach stems from BYOD and other personal systems.

Encryption Isn’t Enough


The traditional school of thought – especially with SMBs – is to encrypt data and use SSL or TLS on public systems. While this protects from eavesdroppers, it doesn’t protect from creative cyber threats that often phish for legitimate credentials from employees or contractors.

The latest big-time hacks circumvented encryption defenses. Encryption would not have helped in the recent OPM hack, which gave cyber criminals access to data covering millions of government employees and contractors. Encryption protects data from being seen by unauthorized users and eavesdroppers, but the OPM hackers had valid security credentials. They mimicked real login attempts, which circumvents basic encryption.

Even following common standards isn’t enough, as Target discovered in 2013. Target lost 40 million credit card numbers to hackers who penetrated its point-of-sale (PoS) systems. You might think that Target overlooked some security standard, but the company was PCI compliant. PCI compliance is the de facto standard in credit card processing security, and Target’s security followed all the requirements. Regardless of its security implementation, hackers were still able to find a hole in the system.

OPM and Target share a common cause: the security hole was created by their own employees and vendors, who gave up security credentials to phishing malware.

Assessing Risks Across Internal Systems

CIOs are tasked with providing employees with more mobility and freedom across the network while still creating a secure environment that’s hacker-proof. It’s not an easy task when you’re limited to what you can lock down.

Bring-your-own-device (BYOD) policies are a good start. Mobility is one of the fastest trending benefits for employees. BYOD lets them use personal laptops, smartphones and tablets for business. It’s become a part of corporate culture, and it offers more flexibility for employees to work at the office or at home. Before CIOs can implement a policy, they need to know the risks.

Mobility offers flexibility for employees and hackers. Mobile devices are even more vulnerable to viruses than desktops since most people have antivirus software on a desktop but not a mobile device. This leaves mobile devices wide open as a vector for trojan or virus injection onto the network.

Mobility isn’t the only risk. Telecommuting also gives employees the ability to work from home and saves in office resource costs. VPN connections allow employees to connect to the corporate network from any personal device. Just like BYOD security risks, these desktops could house malware that then transfers to the internal network.

VPN and BYOD are two hot topics in corporate security, but there are numerous others. Before CIOs can assure protection from cyber threats, they must first document each mode of network connection and assess the risks associated with it. Even if an internal machine is completely hidden from outside traffic by a firewall, it can still harbor vulnerabilities. Assessing risk is a team effort, but it’s also a prudent part of IT asset management.

Creating Security Policies


With both VPN and mobility risks assessed, CIOs can craft security policies that focus on flexibility for teleworking while still protecting internal resources. MDM tools track the number of mobile devices. IDS software identifies rogue, suspicious network traffic. IPS software tests servers and software for any common security flaws. Find the right tools on the market that make risk management more efficient.

CIOs and security experts are still new to mobility, so what most businesses have in common is that they piece together a policy that works for their business. It’s tempting to lock down systems and remove mobility altogether, but that type of policy isn’t feasible in today’s mobile market.

Quarantining mobile hotspots from critical systems is one way to manage risk. Users can share and store data on a segmented part of the network away from sensitive data, servers, and workstations.

Your policy should implement granular authentication and authorization that matches users with the data they need to know. Classify information so that security roles can be assigned to authorized employees. While this won’t guarantee protection, it will limit the amount of damage in case of a breach.
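The paragraph above describes classification plus role-based, need-to-know authorization without showing how such a check is evaluated. The following is an added example written for this page, not code from the article or from any product: it labels records with a classification level and need-to-know compartments, maps hypothetical security roles to a clearance and compartment set, and permits a read only when the clearance dominates the label and the role holds every compartment on the record. All levels, roles, users and records are constructed sample data.

```python
"""Added example (not from the article): classification-based, need-to-know
authorization of the kind the policy paragraph calls for. Levels, roles, users
and records are constructed sample data."""
from dataclasses import dataclass

# Ordered classification labels; a higher index means more sensitive.
LEVELS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")
RANK = {label: i for i, label in enumerate(LEVELS)}

# Hypothetical security roles: clearance level plus need-to-know compartments.
ROLES = {
    "staff": ("INTERNAL", frozenset()),
    "hr-analyst": ("CONFIDENTIAL", frozenset({"HR"})),
    "finance-lead": ("RESTRICTED", frozenset({"FINANCE"})),
}


@dataclass(frozen=True)
class Record:
    name: str
    level: str
    compartments: frozenset = frozenset()   # need-to-know tags on the data


@dataclass(frozen=True)
class User:
    name: str
    role: str


# Constructed records with their classification labels.
RECORDS = [
    Record("cafeteria-menu", "PUBLIC"),
    Record("org-chart", "INTERNAL"),
    Record("payroll-2015", "CONFIDENTIAL", frozenset({"HR", "FINANCE"})),
    Record("salary-bands", "CONFIDENTIAL", frozenset({"HR"})),
    Record("merger-memo", "RESTRICTED", frozenset({"FINANCE"})),
]


def can_read(user, record):
    """Permit only if the role's clearance dominates the record's level AND every
    compartment on the record is in the role's need-to-know set ("no read up").
    Unknown roles or labels fail closed."""
    if user.role not in ROLES or record.level not in RANK:
        return False
    clearance, compartments = ROLES[user.role]
    return RANK[clearance] >= RANK[record.level] and record.compartments <= compartments


def accessible(user, records):
    """Names of the records this user may read. This list is also the blast
    radius if the user's credentials are phished, which is what classification
    and need-to-know are meant to bound."""
    return [r.name for r in records if can_read(user, r)]


if __name__ == "__main__":
    for user in (User("alice", "staff"), User("bob", "hr-analyst"),
                 User("carol", "finance-lead")):
        print(f"{user.name:6s} ({user.role:12s}): {accessible(user, RECORDS)}")
```

Note that the finance lead, despite holding the highest clearance, cannot read the payroll or salary records because they carry the HR compartment; compartments are what keep a single phished high-clearance account from exposing every sensitive record. A role the policy does not define gets nothing, so a misconfigured or stale account fails closed rather than open.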

Training Staff

One of the most important parts of risk assessment and IT security is training staff. Protecting data should be a unified effort between all employees, vendors, contractors, and outside visitors.

Training is an ongoing effort from IT security staff that should integrate well into the on-boarding staff process. It’s not a process that’s limited to just employees. All executives, managers and employees should understand the risks and work to protect data from cyber threats.

In conclusion, reining in assets and risks and then applying the right security management is a huge effort for any CIO. Whether the business is small and growing or large and revenue-generating, a security policy should be a line of business that strategically defends against cyber threats and hackers.

By Jennifer Marsh

This post is brought to you by The CIO Agenda.

KPMG LLP is a Delaware limited liability partnership and is the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. The views and opinions expressed herein are those of the authors and do not necessarily represent the views and opinions of KPMG LLP.

The post The Business of Security: Avoiding Risks appeared first on CloudTweaks.com.
