What is Security as a Service?

Security as a service (SECaaS) is the outsourced management of business security to a third-party contractor. While a cyber-security subscription may seem odd, it’s not much different from paying for your anti-virus license. The difference is that SECaaS is the combination of a lot of security products wrapped up into one more central service.

The range of security services provided is vast and goes down to a granular level. Examples range from simple SPAM filtering for email, all the way through to cloud-hosted anti-virus, remote automated vulnerability scanning, managed backups, cloud-based DR and business continuity systems and cloud-based MFA systems.

The services are either delivered directly from the vendor where the reseller takes a commission or they are delivered from specialist firms who have the in-house skills capable of building, integrating and managing specialist security services for their customers.

Just a note here: you may have heard of SaaS (software as a service). This is different to SECaaS.

1. Is SECaaS dangerous?

Putting your security in the hands of another business may seem like a big risk. And if done incorrectly, it’s almost guaranteed to have a less than ideal outcome. But businesses have had success with SECaaS and there’s no reason you can’t either.

The most likely cause for an issue is choosing a supplier based solely on price. A business offering SECaaS that’s been around for a few years and has a range of clients but charges £50 per user per month is going to be very different from the business that offers “cloud-based security” for £10.99 per user per month.

Do not instantly go for the cheapest option when considering SECaaS.

Sure, you might be paying nearly 5 times as much. But if your SECaaS provider has the lowest price on the market they’re skimping on something. And if there’s one thing you don’t want to skimp on, it’s your cyber-security.

2. What are the advantages of SECaaS?

Cost-saving

Despite what was just said about avoiding cost-cutting when it comes to cyber-security, one of the main draws of SECaaS is the long term price savings it can have. Because you don’t actually own the infrastructure, you don’t need to pay for its floorspace or for its upkeep (prices which can fluctuate based on external factors). Instead, you only pay a flat rate that is unlikely to change.

Fully managed

Your provider is the person keeping up to date with the changing threat environment, not you. That means that you can focus more on your own business goals instead of diverting time towards understanding the various threats out there and ensuring that your defences deal with them.

Greater expertise

A good SECaaS provider is going to consist of people who know everything there is to know about cyber-security and regularly keep up with trends and changes in that area. As a result, they’ll have a much greater range of expertise which you can utilise to keep your business safe. This also lets you keep your core employee focus on your own sector rather than branching out and getting a dedicated cyber-security expert.

Frees up time from repetitive tasks

Time-consuming admin tasks that need to be done can be performed by your SECaaS provider instead. This can be things like reading system logs or monitoring the overall network status.

3. What are the disadvantages of SECaaS?

Reliant on SECaaS provider acting

This is the main reason that you should be choosing a high-end SECaaS provider.

Because SECaaS providers are the holders of a lot of data, they (and as an extension, you) become lucrative targets for cyber-criminals. If they are breached then you are breached so ensuring they have made big investments into their security is paramount.

To make sure that your chosen provider is continually investing in their security, be sure to keep in regular contact with them. Ask questions about what they are doing to address the latest types of exploit or flaw and dig deep into the specifics of what type of security they have in place on their own systems. Is it minimal or is it high-grade and comprehensive?

Whilst in the decision stage you should also be asking each provider exactly what kind of security they have in place and what their policy is around topics like staff training. If they can’t prove that they are taking their own security seriously, you can bet that they won’t be taking yours seriously either.

Increases vulnerability to large scale attacks

The uniform security measures SECaaS providers have over multiple clients allow them to keep up a comprehensive level of security. But it also means that if a vulnerability is found for a business that uses the same SECaaS provider as you, then that same vulnerability can be used against your security.

Because one vulnerability gives so many potential attacks for a hacker, probing the security of the SECaaS provider is much more rewarding for cyber-criminals. This means they put in a more concerted effort towards breaching the SECaaS provider’s security. This can inadvertently make you a prime target for cyber-attacks.

Be aware though, as a business (even a 2-10 employee one) you’re already a prime target for cyber-attacks. If done properly, the perceived increased danger of choosing SECaaS can be made negligible. Especially when compared to the increased overall security you would receive from a high-quality SECaaS provider.

4. Why is SECaaS being offered more often?

Security providers are becoming aware that, with the rise of small businesses, there’s a growing market for security services that don’t need expensive internal employees or risky infrastructure investments.

Many growing businesses also don’t have the up-front funds to develop a hardware heavy security system. Therefore, they find a monthly plan to be much more manageable for their finances. For example, implementation of two-factor authentication and disaster recovery may have cost £100K five years ago. But SECaaS can deliver the same project on a £1,000 budget with no CapEx.

Because of the flexible nature of SECaaS, many of the decisions can now be addressed head-on. There is no longer the same level of risk anymore surrounding topics like setting up security infrastructure. Businesses can switch SECaaS providers more easily. So, this ‘de-risking’ of cyber-security has made the SECaaS market ideal for businesses who want to avoid making a bad decision.

Finally, with the rise of the cloud and increased internet speeds, services offered over the internet are now on a par with in-house solutions. This has meant that cyber-security being offered as a service is now very feasible and is genuinely useful.

Conclusion

So, you may now be asking yourself if you should consider SECaaS for your business. Unfortunately, there’s no comprehensive answer. If you want to improve your security, without draining your budget, then it’s worth reviewing. But if you already have a fairly comprehensive security setup in place it may be better to ensure that it actually is as comprehensive as you think it to be and then just sticking with what you have, upgrading it and maintaining it as you already are. Alternatively, you could look into a UTM system for your business if you’re uncomfortable with SECaaS but want to make your security more comprehensive.

How can law firms reduce the risk of cloud services

IT security - How law firms can de-risk the cloud

Rapid change within the legal sector nationally and internationally has made many firms look to the cloud for solutions. In times of turbulence, legal firms and, in fact, other businesses look for change, to get an edge over the competition, to pick up that golden chalice dangled in front of their noses by a smart salesperson. However, when you are hungriest, you need to be doubly careful with decisions. Don’t take risks. Be informed. Take your time.

The cloud is a very large playing field, so I’m going to talk in general terms and at a ‘high-level’. After delivering and consulting on cloud systems for more than a decade, we’ve seen and heard pretty much everything, so this blog post is just a summary.

So many IT service providers are pumping cloud services as the only ‘real’ IT solution for the modern legal firm. This is simply false and negligent – the cloud isn’t always the right solution. Whilst there are many areas where cloud services can deliver a business gain, you shouldn’t just throw everything into the cloud without consideration.

Cloud is a tool, no different from a new server or piece of software. For example, if you’ve bought your marketing department Apple Macs, should you now roll them out throughout your firm? No. It’s the same with cloud services. They have their uses but you need to apply clear business rationale to any decision – think of now and the longer-term.

It’s important to remember that cloud isn’t some brand new technology – it’s mainly just hype. Hype causes issues and clouds judgement. It creates a sense of urgency and a fear of missing out. The herd mentality within the legal sector only exacerbates this further.

The cloud gold rush has got every man and his dog trying to provide and resell cloud services to fill a demand. You even have phone system companies and printing machine companies trying to resell IT services on a cloud model into the legal sector. This is just insane, IT isn’t simple – true business-enhancement comes from careful analysis, effective tailoring and solid integration of numerous different technologies and systems. Legal firms need to be evaluating and analysing their business models, workflow and general operations, looking for improvement and identifying the right technologies and systems to support that change. Technology should not be leading change, merely supporting it.

So, what needs to be covered when speaking to Mr Provider about the shiny new cloud solution? I’ve created a list of ‘high level’, not exhaustive, questions legal firms should consider.

Ask yourself:

  • Has our firm, and its operations, been analysed in suitable depth by the provider, and a clear business case made for the change?
  • Will they stand by and guarantee any claims made in their proposals?
  • Are there any changes to the firm in the foreseeable future that could impact our chosen solution?
  • Do we have options, both in and out of the cloud?
  • Do we clearly understand the benefits and drawbacks of the different options?
  • What are the true costs of the options over the term of the contract or life of the solution?
  • Do we need to factor other costs into the project, i.e. do we need additional network connections, training, resource allocation, etc.?
  • If this doesn’t work – how are we going to fall back?
  • Does the solution meet our regulatory requirements?

Ask the provider:

  • What is the financial status of the provider?
  • How long have they been delivering cloud services?
  • What certifications and accreditations do they hold?
  • What are their Service Level Agreements and what happens if they don’t meet them?
  • How will you exit the cloud service should you wish to or need to?
  • Do they have control of their infrastructure and services, or are they reselling someone else’s?
  • How can they assist with your migration into the cloud – and vice versa?
  • What can impact the service they are delivering to you, and how can those risks/effectors be mitigated?
  • How are they securing your data from external threats? Can they certify testing?
  • What levels of resilience have you built into your infrastructure? If a server fails what happens? A network connection? A disk storage system? Power?
  • How will the billing model change if you ramp the firm up or down?

Don’t steer away from the cloud. As with any IT system, when it’s been chosen through careful analysis and tailored to a business’s operations the results can be impressive and game-changing. Just have your eyes open and take the time to breathe.

Robert Rutherford, CEO of QuoStar

Why is business continuity planning so important?

Business continuity - Why you need a plan

We are fortunate in the UK that major incidents such as earthquakes, wildfires, flooding or terrorist attacks are rare. Yet when they do occur, we often find ourselves ill-prepared for the trials they present. In countries that regularly deal with these catastrophes, a disaster recovery plan is a standard part of a business plan. However, this is not always the case for organisations in the UK.

To give an example of what can happen, we can look to the Holborn fire in 2015. It’s the perfect example of how an event out of your control can cause significant disruption to your business. In the case of the Holborn fire, an electrical fault caused damage to a major gas main, resulting in an underground blaze that lasted for 36 hours… in the middle of London. It wasn’t until six whole days later that power in the area was finally restored.

Can you imagine the impact of one day where you’re unable to access any emails, files or client details? Here we’re talking about nearly a whole week! Many businesses who suffer a major disaster never fully recover – losing orders, contracts, key employees. Some even go out of business entirely.

As IT is now a pivotal part of so many businesses, the associated cost of downtime is rocketing. Prolonged IT downtime can also damage the reputation of your business, as it impacts your service and availability for clients. So what can you do?

You build your business continuity plan.

How to create a business continuity plan

Contingency planning is now essential for any organisation with business-critical IT. However, one of the most difficult elements is establishing which elements need protecting and how to do this.

An effective Business Continuity Plan (BCP) must assess the dangers and be departmentally broad. It should consider the needs of the whole business, and take into account the many factors such as systems, people, technologies and suppliers.

Your plans need to work off of two key variables:

  • Recovery Point Objective (RPO) – This is essentially the amount of data your business can afford to lose in the event of a disaster. For most businesses, this number will be a low percent.
  • Recovery Time Objective (RTO) – This is the target amount of time it should take for systems to be restored and for you to go back to normal operations.

These objectives vary for each organisation, so perform evaluations on each system to develop individual RTO and RPO. You will need to review and redefine these at regular intervals as the business needs and environment develop.

But resorting to your plan should be a safety net. Ideally, you should instead prevent the impact of a disaster from becoming debilitating. To solve this, you can use technology.

How to protect your systems from disaster

You can protect your critical IT systems by using a hybrid solution which means adopting secure cloud technologies alongside existing onsite infrastructure. The cloud is a cost-effective way to safeguard essential assets. It allows you to replicate crucial data, systems and services for instant recovery in the event of a disaster. Cloud’s adaptability to exact requirements also suits the individualised nature of BCP.

Through using a hybrid approach, you can gain full or partial protection for your critical IT systems: in the event of a systems failure, employees can work remotely, accessing the systems they need from the cloud.

On a final note, remember, when establishing a business continuity plan – don’t only focus on the effect natural disasters could have. Security breaches must be part of the overall plan as well as personnel availability. A malware-driven system failure or bout of illness could have a significant effect on business operations.

The realities of remote working

IT strategy - What are the realities of remote working

Remote working has been around since communications have been available to the roaming and remote worker, in general terms. It’s been pushed and pulled by small, medium and large-sized enterprises. It’s been claimed as the future of working and also criticised as the destroyer of efficiency and culture. But there’s one important question that has to be asked:

Why do the claims about remote working vary so much?

It’s quite simple, there are so many variables. You cannot simply implement remote working and claim success. It doesn’t work for every individual, every work-type, or every operation. Can it work for them all? Well in theory – no. Can it work for a business in general if implemented correctly – generally yes. It can, however, be a lot of work to deliver results on the bottom line. If you aren’t working for results on the bottom-line then what’s the point? That should be the primary focus, a strategic focus that requires top-level support.

Marissa Mayer of Yahoo famously declared the end of remote working a few years ago, stating they needed to improve the “speed and quality” and benefit from the “decisions and insights that come from hallway and cafeteria discussions.” That’s rather broad brush, but taking into account the size and complexity of the business it’s difficult to really measure the decision.

There is no doubt that technology now allows the worker to access IT systems in exactly the same manner as if they were in the office, generally without exception. They also have all the communications at their fingertips, such as the same telephone extension, video conferencing, instant messaging and internal social media platforms. Is that enough though?

It’s not enough to just have someone available to work remotely. You need to ensure that the culture and the business operations and processes support that model. Yes, it’s possible, but it’s really not easy. By nature, we are social animals and work collectively to accomplish tasks, so actually, it’s against our nature. Does that mean it can’t work? No. It’s just not as simple as pushing out technology and saying ‘go ahead and be productive’.

What factors make it work?

Typically the main elements to focus on are technology, personality, communication, organisation and culture. I’ve worked with hundreds of companies as well as running my own, so I know it’s not easy to get it right. In reality, it’s impossible to make it work across the board; however, with analysis you can understand what will and what will not work. I can, however, tell you one thing – it does not work in all environments. So, let’s look at the core elements I’ve seen. Do remember that I’m talking in general terms here.

1. Technology

Technology is easy. Don’t spend time worrying about this side of things in terms of your remote working. Any IT department or firm should be able to enable your staff to work in the same manner that they do in the office, without hindrance, without effort and without huge costs. The technologies are robust, secure and proven – the sums will stack up if the business case does. There are however new systems and technologies that will enhance remote working, such as private social networking, but they are only applicable when the strategic thinking has been done. Don’t focus on the technology, focus on your business requirements first. Any decisions led by technology will not deliver anywhere near the impact compared to a strategic decision made by a clear business case.

2. Personality

Some people work best in a team or around other people, some work better alone, and some work best in a mix. Those who work best in a mix are typically those who have a mix of work, i.e. when planning or managing projects they are better thinking alone. However when working on delivery, actually working in the team (which many do) they are best being in the office as this supports their planning, management and their delivery. These characters will often need some flexibility and giving them the option of flexible and remote working could certainly deliver positive results for your business.

You also get those who work best alone. You’ll often find that lawyers, developers, and project managers often work very well whilst away from the distractions of the office, or simply because at times their personality or working style suits it. They’ll typically adapt very well to total remote working or with the odd day in the office per week or per month.

Some people are social animals and need an office environment to work productively as they thrive when working with people. If you put them at home or in a serviced office alone you could quite easily find productivity loss or total loss of that employee.

Always think of the people and the teams when planning your strategy around remote working. This will save you both money and HR headaches.

3. Communications

General communications from an IT systems perspective should not be an issue, nor should the general communication systems, i.e. telephone, instant messaging, etc. The issue comes more on the personal level, i.e. meetings, team chat, etc. There are a plethora of solutions to enhance these areas, but they require planning and consideration. If you don’t have face to face communication with a team then you can miss visual clues, which can lead to unnecessary issues.

On a simple level, you will find that if you take a key employee into a different room during a key meeting and let them communicate via email and telephone platforms, without the face-to-face, things fall apart, or at least they are not as effective as if they were in the room. You need to think about how these issues will impact productivity and team-working. Again, it varies from person to person, role to role, business to business. Getting the environment right is critical.

Face to face video conferencing is the next best medium for communications. It’s pretty straightforward to chat and collaborate via a screen with systems such as Microsoft Lync. You do obviously miss some of the dynamics, but there are some telepresence systems at the top end of the market which are impressive. Obviously, the price points vary hugely, so mapping technologies to their correct applications is crucial.

The frequency of communications is also key when managing or working in a remote working environment. It’s essential to hold regular meetings to keep the teams operating as a team. It’s too easy over time for people to drift into a virtual cave. When they get to this place it’s hard to get them out of it and this can damage productivity. You also risk them becoming disjointed from the business and risk them moving on.

4. Organisation

Managing and operating in a remote working environment can be like herding cats at times. You can just feel disconnected and frustrated, you can’t just grab everyone needed and stroll into a meeting room, grab a working lunch, etc. Calendars become king and can also become full of noise if you are not careful. You can get people disconnecting, rather than connecting as you don’t get some of the natural corrections that occur between a team located in the same office.

Technology helps with some of the organising and holding together of teams, but only if it’s mapped correctly to the operations. It’s also crucial that the company’s policies and processes are clearly documented, understood and accessible. Typically IT systems will assist in the organisation of teams, such as the standard Microsoft Office suite and Microsoft SharePoint. Again, the key is to design and configure these systems correctly to ensure they enable teams. All information needs to be simple and fast to view, edit and collaborate on. It’s all about giving the teams deep vision and a central anchor point to their day to day operations. If they all work from a single pane it’s much easier to ensure that they are aligned and effective.

5. Culture

As we all know, culture is critical to the success of modern businesses, but it is even more important when managing and working with remote workers and teams. It needs deeper planning and careful nurturing to really work. We are social animals at heart, so forming bonds with others and loyalty to the firm is essential.

Many firms bring their people together regularly or at least once a year to ensure that bonds are built and teams aligned. With the best will in the world, you can’t get the best teams without them ever touching-the-flesh. Sure, you can build trust from a capability perspective without meeting physically, but the bonding and softer side of relationships, the part that will give a team an edge needs that investment.

It’s also possible to enhance the culture by creating virtual social environments. Many businesses are using Yammer to fulfil this requirement. In essence, it’s a private social network for businesses. You can have employees post in forums, chat, upload photos, just like Facebook, except it’s focused on the working environment. These tools really do enhance and develop a culture, not just for the remote working teams.

Aside from technology, regular team and one-to-one calls or video conferences can help. They should be scheduled in though. If they aren’t, communications, relationships and productivity can drop off. They shouldn’t be just focused on work though. You should also facilitate discussions around people’s personal lives to build bonds. It will feel a little awkward at first but over time the team will get to know each other.

Conclusion

If you really think and plan your remote working strategy and operations it can work just as well, or arguably better than an ‘everyone in the office’ scenario. However, it really does need the thought, beyond simply implementing technology for remote access. As you can see there are so many factors to consider, not giving them due time will give you little or no gain, perhaps even causing your firm damage. If you do it right you will certainly grow a better business with happier employees, whilst increasing productivity and reducing costs. The potentials are too big to ignore, and we are operating in a new age. Technology has advanced beyond recognition from the days of dialling in to pick up email or even using the trusty (slow) VPN.

You probably already have remote working in some sense. Is it really delivering to its full potential? Could it be more effective? Could it improve your culture?

Robert Rutherford – CEO of QuoStar

How will the IoT change manufacturing?

Manufacturing - How can manufacturers benefit from the IoT?

Since the industrial revolution, the manufacturing sector has had to change and evolve to compete. It has gone through 3 main technical ages, from mechanisation to assembly lines and then onto programmable logic controllers. Going forward, with the rise of the Internet of Things (IoT) we will see a fourth definable technical age.

It has started somewhat through manufacturers using technology to deliver vision through the manufacturing process, from raw materials, through manufacturing cells, into the store and then onto dispatch. Many operations are already keeping in contact with their equipment post-sales, to improve levels of service, additional revenue streams and customer buy-in. This trend is rising as the technology around the Internet of Things (IoT) ramps up. The amount of intelligence that the manufacturer will be able to get from its products calling home is just huge. It’s going to change things quickly for many, such as:

1. Service improvement

We all know that IT service desks within businesses have been connecting remotely to their client PCs, laptops and other devices for years. They can quickly connect, identify issues and get the customer operational again, typically within a short time frame. This will be taken further on a wider level down to the IoT, i.e. products will also be able to report in to proactively alert the manufacturer to issues, allowing them, or a 3rd party to make contact with the customer before an issue impacts them. It should also be noted that connected products will also be able to receive software updates, reducing issues whilst improving reliability and security. All of these touchpoints also help with brand-loyalty and potentially cross-selling/up-selling.

2. Quality

The data collected can be at whatever level the manufacturer wishes, within reason and without customer privacy issues. All of this field data can be mined to provide information. For example, the mean time before failure of a particular product or a part, performance issues, reoccurring problems, etc. This data will allow for the identification of trends, to assist with areas such as future product development and supplier selection.

3. Additional revenue streams

Network connected products mean that the manufacturer or an intermediary is providing a service to their customer. This potentially paves the way for additional features to be built into products to enhance functionality, service and revenue.

4. Inventory optimisation

If products can communicate back into service hubs, it gives an operation an opportunity to deal with inventory more effectively, from automatic ordering to build scheduling or shipping in preparation for a product that is signalling issues. For many years IT hardware manufacturers have been shipping replacement hard disks if a monitoring system flags that a disk may fail. Of course, this service is only available to customers with an up-to-date warranty – again another opportunity!

5. Research and development

The data collected and analysed from products in the field will greatly aid manufacturers’ research and development cycle. The ability to collect live information, analyse and adapt at speed will be essential in the coming years. Also, historical data from in the field products married with service information, sales trends, etc. will give manufacturers real vision and shape product development going forward.

Manufacturers have always been one of the first to adopt developing technology and are constantly striving to improve factory efficiency. So I believe we are going to have some very interesting and exciting times ahead of us. In reality, the IoT is here in many ways, but it will penetrate further and deeper than most imagine. The other thing to be aware of is that the technologies and principles aren’t that new, so manufacturers will be able to exploit the benefits with relative ease.

Robert Rutherford – CEO of QuoStar

7 legal technology trends for 2015

In terms of technology, process and systems the legal industry is changing more rapidly than any other sector. It has a lot to get to grips with in a short space of time, far shorter than many may believe. Larger global firms have mostly begun to change, but it’s now the turn of the small and mid-market. They need to become much more commercial and competitive in their outlook.

It is particularly smaller firms that need to make the biggest changes, as they are being squeezed from multiple directions. However, the progress in these firms is often slowed by resistance to change, as well as by not having the necessary skills in place within the firm to deliver it. Firms shouldn’t be fearful of the current environment; they should be looking at the opportunity, particularly to seize the competitive advantage over the competition.

I see the following technology trends really taking root in 2015, particularly in the small and mid-market:

1. Customer relationship management

Law firms are now simply service providers. This means that the key to earning revenue comes down to relationships, as much as expertise. As the legal market is now more international, understanding clients is more important than ever. CRM systems have in the past been used as glorified address books, but expect them to be used to gather more intelligence on clients, behaviours and relationships.

2. Process/workflow management

The business operations within many small and mid-market law firms often leave a lot to be desired. The worst thing is that many do not truly understand how bad things are and how much additional margin can be gained through process re-engineering within a firm, using existing IT systems and people. Of course, cultures can be difficult to change, but partner teams need to be pushing through change in order to remain competitive in a rapidly shifting market. We are already seeing a monumental shift to process re-engineering in the legal sector; it’s exciting to see how small changes can make a real difference to profitability.

3. Automated time management

Time management and capture has typically been a relatively cumbersome process. Some lawyers do it as they go, some at the end of the day, some at the end of the week. This obviously can lead to issues: things do get forgotten or missed, and clients are often suspicious of how time is really captured. The rise of passive time capture is now unstoppable and will become a prerequisite for clients very quickly. This method works to the firm’s and the client’s benefit as it’s seen as more transparent. It also stops billable time slipping through the net.

4. Business analytics

As every firm should understand, business decisions cannot be made without clear information. Many firms do not understand that the majority of the information that they require to become more profitable is already being captured by their existing IT systems. It can often take a matter of days to bring data and information together to give clarity to ‘gut-feels’, sometimes without any significant cost. Expect to see more demand for analytics and real-time dashboards to allow partners to really see what is happening within a firm.

5. E-billing

Many other sectors find it hard to believe that firms are not billing the bulk of their clients electronically. I fully understand that it is more difficult for certain departments, but many clients find it frustrating and somewhat bizarre. Personally, as a business owner, I find it slightly concerning if my suppliers cannot bill me electronically. It’s just so much more efficient and cost-effective to bill electronically, and firms are now seeing this in hard Return on Investment figures.

6. Cloud infrastructure

Cloud in law has been treated with great caution by some firms. In all honesty, this has been the fault of the cloud industry, due to overpromising and not pushing back on security concerns. Cloud, in particular private cloud, is now a norm for most businesses. We are now seeing legal firms gaining confidence in the cloud, and using it to gain the IT platforms they need without the associated capital and running costs. It should be noted that not that many firms will be cloud-only within the next 2 years, especially the mid-sized firms; they are much more likely to operate in a hybrid arrangement – a mix of on-premise and cloud-based solutions.

7. Outsourcing

Too many firms are holding onto all elements of IT. This will be inefficient for many firms, increasing the risk to the firm whilst also decreasing profit margins. We are looking at a second, some say the third, wave of more intelligent outsourcing. Internal IT teams should typically focus on adding value, leaving the day-to-day operations and security to the experts. Many firms have been reluctant to outsource; however, now they must do so in order to actually gain more control.

Obviously, there are other areas of IT within legal that will change over the coming year. The interesting thing now is that it’s varying from firm to firm, as it should do. In the future we will see less of the herd mentality in legal, well at least I hope we will.

Cloud isn’t a golden chalice


Obviously, the cloud is a very large playing field, so I’m going to talk in general terms and at a ‘high-level’. After delivering and consulting on cloud systems for over 10 years we’ve seen and heard pretty much everything, so this blog is just a summary.

So many IT service providers are pumping cloud services as a beginning and an end solution to IT within businesses. This is simply false and negligent – the cloud isn’t always the right solution. There aren’t many businesses where a cloud service of one type or another won’t deliver a business gain – but that doesn’t mean you should be throwing everything into the cloud without consideration.

Cloud is just a tool, no different from say perhaps a new server, or perhaps a new piece of software. For example – just because you buy 30 new Apple Macs for your design studio does not mean you should roll them out throughout your business. It’s the same with cloud services. They have their uses, but you need to apply clear business rationale to any decision and think of both now and the longer term.

It’s important to remember that cloud isn’t really some new-fangled technology – it’s mainly just hype. Hype causes issues and clouds judgement. It creates a herd mentality, a sense of urgency and a fear of missing out.

The hype surrounding the cloud has created a gold rush. You have everyone trying to provide cloud services to fill a demand. You even have phone system companies and printing companies trying to resell IT services on a cloud model. This is just insane. IT isn’t simple, true business-enhancement comes from careful analysis, effective tailoring and solid integration.

When going into the cloud, firstly consider these ‘high-level’ questions, at the very least. They do not by any means cover every situation but they will get you and those bidding for your work thinking and talking.

Questions to ask yourself:

  • Has the provider analysed our business and its operation in suitable depth and made a clear business case?
  • Are there any changes to the business in the foreseeable future that could impact our chosen solution?
  • Do we have options, both in and out of the cloud?
  • Do we clearly understand the benefits and drawbacks?
  • What are the true costs of the options over the term of the contract?
  • What other costs do we need to factor in? For example, do we need additional network connections?
  • If this doesn’t work how will we fall-back?

Questions to ask the provider:

  • What is the provider’s financial status?
  • How long have they been delivering cloud services?
  • What certifications and accreditations do they have?
  • What are their Service Level Agreements and what happens if they don’t meet them?
  • How can we exit the cloud service if we wish to or need to?
  • Do they have control of their infrastructure and services, or are they a reseller?
  • How can they assist with our migration to and from the cloud?
  • What can impact the service they deliver to us, and how can they mitigate those risks?
  • What levels of resilience have they built into their infrastructure? If something fails what happens? (A network connection, server, a disk storage system?)
  • How are they securing our data from external threats? Can they certify their testing?

Don’t steer away from the cloud. As with any IT system, when it’s been chosen through careful analysis and tailored to a business’s operations the results can be impressive and game-changing.

Robert Rutherford – CEO of QuoStar


Technology trends forecast for 2015


As we are at the end of the year, here is my forecast for the key technology trends for 2015:

1. Mobile exploits will grow significantly

We’ve seen a rise in exploits on mobile devices over the last 12 months, across all platforms. This is just the start of a trend, there’s absolutely no doubt about that. The threat landscape is just too big of a target and the rewards for criminals are too great.

2. Cloud growth continues to spiral up, yet becomes specialised

The issue with cloud providers over the last few years is that the majority have tried to be all things to all businesses. This just hasn’t worked and has instead muddied the water, leaving a bad taste in a great many mouths. Expect cloud to continue to grow, but expect more specialist providers too, i.e. for legal cloud services, finance, DaaS, etc.

3. Big data noise will fade down

Big data was a ridiculously overused term in 2014. Yes, there are some real uses for it, but that only applies to a small percentage of businesses, typically the giants with giant pockets. You can expect the return of the technologies in a few years when all of the investment in research and its applications has been made. It’ll then start to slide down the hill until we get some real figures around ROI. We are seeing a big rise of the term ‘Big Data’ in the legal sector, but a big percentage of this does appear to be business analytics badged as ‘Big Data’.

4. Cloud hype turns to Hybrid Cloud

The cloud has been overhyped since the term was coined. The technologies and business benefits are huge when used in the correct hands. However, the cloud isn’t the answer to every IT requirement. Thankfully the voices of the real engineers and business people out there are coming through the noise now. The cloud for many businesses does deliver but is often best when mixed with say an in-house IT system or another cloud platform, i.e. private cloud.

5. Enterprise security spends

The rise in cyber-crime for financial gain continues to rocket as does the number of devices that come into contact with unprotected networks. This alone is enough to make firms spend more on security. The threats are more worrying than ever, but still, the biggest weakness is the unaware employee. If end-user security education doesn’t pick-up, then breaches will just keep happening.

6. All we’ll hear is IoT

You are probably aware of the new marketing drum beating around the Internet of Things (IoT). This will lead to pressure from all angles to connect non-traditional IT equipment onto the network. This will obviously bring significant challenges, particularly around security. You can also expect the IPv6 spectacle to raise its head again throughout the year in relation to the IoT – as without it the trend could be stifled.

7. The client demands Business Continuity

With the growth of the cloud and IT in general as the core of most businesses, clients are now demanding guarantees around how businesses respond to disasters and disruptions of any size. It’s not uncommon for businesses to be audited around this area or for clients to expect certifications such as ISO 27001 and ISO 22301. Expect a rise in these demands in 2015. Actually, expect them around IT security in general.

8. Apple’s enterprise demise

With the rise of the Microsoft Surface, expect to see Apple devices, particularly the iPad, drop in popularity. The device just can’t compete in terms of productivity. A great device when it came out has been surpassed by other devices that do ‘everything the iPad can’ plus a lot more. This will likely lead to a general weakening of Apple in the enterprise.

Does a bigger cloud provider guarantee better service?


When choosing cloud, is a big name always best? Over recent years, we’ve seen a number of significant outages at a good number of the larger cloud providers and platforms out there. Some have been just blips and some outages have lasted days. And to prove it’s not just small providers facing downtime issues here’s evidence even the big players sometimes stumble:

The above is, of course, a small snap-shot of the biggest names. But what I’m showing here is a simple demonstration that bigger doesn’t necessarily mean better – and you shouldn’t ignore that fact.

A big name doesn’t mean better service

I am forever frustrated by those who go out and buy a core business service from businesses who, in effect, sell their services primarily based on cost, backed up by their size. I’ve just lost count of how many adverts I’ve seen and sales calls I’ve had (clearly not reading my website) telling me how great their cloud platform is, how big it is, how cheap it is, often how new it is‽ So, through experience – what have I learnt?

1. You are probably a drop in the ocean

Bigger providers simply mean that you are one of perhaps 10,000, 100,000, 1,000,000 – or more customers. If there are issues, which we’ve seen – your voice is lost, your cry means nothing. You get what you pay for when it comes to IT infrastructure and cloud services, well you certainly do if you are comparing providers in a sensible manner. If something is cheap you have to seriously understand where that saving has come from. To hear that it’s bigger, thus we get better pricing due to volumes is not usually a sensible answer – scratch beneath that.

2. Unless a cloud service provider has been providing the services you are buying for more than 3 years, be careful

It does take a number of years to bed in a new environment and to iron out issues… no matter what the size of the organisation. Also understand whether it’s actually that business providing and managing that service, so that, in essence, they have some control if something goes wrong. I was approached by a very large hosting company the other day who had moved into IaaS but it was built by a 3rd party – I then saw that a month later they had a 6-hour outage on that new platform.

3. SLAs mean nothing

Don’t think that an SLA on paper means anything. What’s your comeback on a Service Level Agreement? Very little if you really look into it. Will you speak to someone who really has the clout to make anything happen on your behalf? Very unlikely. The bigger the organisation delivering you the service, the less important you really are.

4. Resource demand

I was speaking to one of the largest cloud providers in the UK, who were advertising fast or slow storage. In effect, this meant that they were selling SAS storage and SATA storage. I obviously understand that this is irrelevant as the speed is also dictated by the RAID set and also the number of clients on a particular RAID set. If you don’t know what IOPS are then read my explanation on the QuoStar Blog. However, in short, the individual speed of a disk is generally irrelevant.

5. Understand the billing

When you take into account the resource demand, many providers can deal with that – but they will bill you accordingly. Just make sure that you understand if you are better off on a fixed service, rather than an elastic one – often advisable for fairly static loads, such as an Exchange server or a Citrix server. Also understand what they bill you for data going in and out of your environment, in terms of both disk I/O and network bandwidth. You’ll often sign up on a low basic package that starts to ramp as you use it.

The issues with smaller cloud providers

I’ve obviously learnt a lot more, but the five points above are particularly relevant when looking at a large provider. I should state that I’m not necessarily saying you should always go for a smaller provider, as I’ve seen a whole raft of issues with this side of the spectrum, including problems like:

1. They often outsource

They may have no control over your systems as they just make a sales margin on stuffing your systems into a larger provider, often one of the large providers stated above.

2. They don’t have the migration skills

Sure the cloud is great for a large percentage of businesses, but the technical bit is the easy bit from that side. You have to have a significant amount of experience to really make cloud a success, not everything works without some real understanding of the issues and the relevant mitigation techniques. This can only really be gained through experience, no matter how good the technical skills.

3. Cloud’s not right for every environment and business

Many of the smaller, well in effect the larger providers, will just pump cloud as it’s all they know or it’s what they know how to sell and implement, or simply what the sales team is incentivised on.

4. Underspecification

Many smaller providers, and actually most of the larger organisations as well, will just specify what you ask for, or make a judgement call on what they deem you need. You may not really understand all the implications so you sign a contract based on that initial quote. You’ll often find that you are then contracted, you complain that the speed is slow so they’ll say okay you need to pay more to up the resources to address that issue.

5. A home-built system

The cloud is big so many smaller providers have built their own systems over the last few years. Many will have environments that are sound but many will not. You need to understand at the very least:

  • How old is the cloud platform (how long they have been using it to deliver business-class services)?
  • Who runs that system? Is it them or is it managed/supported by a 3rd party?
  • Who built the system? Did they build it, or did a 3rd party?
  • Do they have accreditation? They’ll tell you the data centre is ISO 27001 compliant (audited from a security systems standpoint), but are they as the company actually managing your systems accredited? If they aren’t then it doesn’t really mean anything.
  • Is the connectivity diverse (numerous carriers)? If it isn’t, then walk away. Also, make sure they have N+1 (one plus a spare) at least on every element of their cloud platform.
  • Know where your services are running from. I’ve actually seen some providers running ‘cloud services’ from their offices!

6. Going too local

If you are evaluating the cloud then chances are that a portion of that decision will be business continuity; either you’ll specify that or the smaller provider will state the benefits to you. As a rule, I’d generally advise a data centre out of your area, perhaps at least 25 miles away; you don’t want a serious, large-scale event to affect you and the data centre simultaneously.

All the above are things I’ve seen time and time again. Of course, I’ve just given you a small snapshot of a few key areas, but you need to understand the detail. It all depends on your business, but just understand that the big names are not always the best option.


In the press: Securing your hybrid cloud


The debate over public cloud versus private cloud continues to rage within the IT industry. As most organisations take an ad-hoc, evolutionary approach to new technologies, the environment over the next five years is likely to be a mixture of the two.

IT leaders will not only have to deal with a hybrid cloud environment, they will, in most cases, have to manage both traditional, non-cloud, and cloud infrastructure. Within this complex management challenge, security will remain a key concern.

The infrastructure can be made safe enough to avoid costly breaches that can not only damage the infrastructure but can also incur reputational damage to the enterprise.

So what are the steps needed to ensure sufficient security and what technologies are at the IT manager’s disposal to carry out the job?

At the lowest level of the stack, it is essential to secure the hardware. Networks have to be intruder-aware and processors must carry security hard-wired within the silicon that allows professionals to monitor infrastructure for any potential breach.

Intel and AMD have embedded security onto the chip that can flag up potential threats to security systems deployed on the infrastructure. In general, attackers are looking at firmware, processors and Bios as a means to compromise systems.

For Intel this involves its Trusted Execution Technology, which looks at software component integrity and provides a hardware security check before a virtual machine boots up. Meanwhile, its Advanced Encryption Standard New Instructions set strengthens data protection encrypting and decrypting data ten times faster than software-based encryption. Its virtualisation technology also provides hardware-based isolation of virtualised workloads that share a common set of memory and I/O.

AMD offers similar root protection of the hardware before a VM is launched as well as alleviating Bios, Bios Extensions and bootstrap loader vulnerabilities. It also offers on-chip virus protection that sets aside parts of system memory as “data only”. There are extensions to the instruction set that pre-authenticate the hypervisor or VM image before users can decrypt and load them. IBM offers similar solutions with chipsets in embedded systems and smart devices.

When moving to a hybrid environment, IT managers should always ask detailed questions of potential cloud providers and check they have clearly defined service level agreements for service provision and security standards.

Most IT industry security standards, which evolved in the pre-cloud era, require the enterprise to have the ability to monitor and control access to networking, systems, applications and data. Whether your apps, systems and data are managed internally or outsourced to an external provider; a cloud environment must offer the same ability. Regularly scheduled audits using industry-recognised methods and standards, such as SAS 70 Type II, the Payment Card Industry Data Security Standard, ISO 27001/27002 and the Cloud Security Alliance Cloud Controls Matrix, should also be conducted, to ensure that security standards are meeting industry benchmarks.

According to Gavan Egan, Head of Cloud & Security Solutions (EMEA), at Verizon, companies should also bear in mind that migration to the cloud elevates the issue of security from an IT department to the board level.

“Instead of being solely about ‘securing the perimeter’, data security is now about understanding the value of your data and what reputation, compliance and cost implications could be felt if that data got into the wrong hands,” he says. Where especially sensitive data is concerned, the enterprise must have complete visibility into where it is being stored. If it resides in the cloud, the portions of the environment containing the data must be isolated, by implementing virtualised versions of firewalls and intrusion prevention systems.

Isolation of data or infrastructure is particularly vital in the public cloud, to protect one organisation’s data from others in multi-tenanted environments.

Vladimir Getov, Senior IEEE Member, adds that even if a “private cloud is hosted by a third party, the fact that it relies on external architecture means that IT Managers are no longer in sole control of their data.”

“Security remains a major adoption concern, as many service providers put the burden of cloud security on the customer, leading some to explore costly ideas like third party insurance,” he says. “It is a huge risk, as well as impractical, to insure billions of pounds of company data – potential losses from losing major trading or logistical applications are enormous.”

Service providers need to reassure customers that insurance is not needed. One solution might be a regulatory framework that would allow cloud subscribers to undergo a risk assessment prior to data migration, helping to make service providers accountable and provide transparency and assurance, suggests Getov.

He goes as far as to say that hybrid cloud is by definition, never ‘yours’, which is where the security concerns stem from.

“If we are talking about true ‘private cloud’ – hosted entirely on your own premises, then the security concerns for an IT manager are no different to those associated with any other complex distributed system.”

When using a hybrid cloud model the IT manager has to accept that the data will, by definition, be outside of the on-premise infrastructure at some time. Matt Hawkins, founder and MD at IT infrastructure solutions provider C4L, warns that hybrid cloud security is not just about data, but also where you put it.

“Businesses need to ensure that the physical location of their data has the right logical and physical security and meets all relevant ISO data centre standards,” says Hawkins. “This is one area where, due to economies of scale, a cloud provider could do better than in-house IT.” He adds that the IT manager should expect cloud providers to house their data in data centres with multiple layers of physical security including biometrics, security cameras, multiple layers of access control and personnel on-site 24 hours a day, seven days a week.

That is not all. According to IT consultancy QuoStar Solutions, a company that stores data anywhere, both on-site and within a cloud infrastructure, must perform risk assessments on their data storage and IT infrastructure as a whole.

“It must understand every possible risk and assign proper controls to those risks,” says managing director Robert Rutherford. “Just because you outsource a degree of IT infrastructure and service into the cloud, it doesn’t mean that you can outsource responsibility – doing so is negligent,” he adds.

Source: Techworld