IBMCC14

(In fact the report points out that it's an issue in on-premise as well...)

Security is an issue regardless

There is no more inherent risk having data in a public cloud than most private data centers with access to Internet or remote workstations

Like any system, it can have good security measures or poor ones. 2-factor authentication used to encrypt data is a great way to limit accidental breach

- two schools of thought seem to have unfolded, 1) don't know don't care, or 2) already scared stupid by legacy IT security and cloud fear is 1,000 fold higher.

Agree w/ @jpmorgenthal. Security is a red herring for #cloud specifically.

- all too often it seems to be that migrations to any 3rd party cloud are made with an assumption that "someone esle" will sort out the base line security issues.

My biggest concerns for security in the cloud is around SaaS, where the user has little control over implementation of security architecture

We need equivalent of SAS-70 for SaaS applications

Agreed Dez - it's not just security either. Backup, AV, everything, loads of people assume it's 'done' in the cloud.

- for me it's more of a case of treating "cloud" the same way we treat every other environment as a strating point, bearing in mind that cloud moves faster so policy needs to be agile as a result.

@jpmorgenthal Transparency for SaaS apps can cut both ways though. Thoughts?

@tcrawford isn't transparency for sake of security one of the key tenets of open source?

most security concerns are manageable in my experience, you design it in.

Theoretically, yes. However, we're talking SMB here. There needs to be a level of trust.

- things get interesting when you ask a #cloud provider "physically prove your infrastructure we'll be "on" is actually in the country we have to legally domicile data within, and the Security Policy underpinning your own DevOps.

Martin Beckwith

For a Managed Service Provider hosting Cloud services, secruity is part of the deal. It's their bread and butter.

That's a useful point @dez_blanchfield - I wonder how many people have visited their outsourced data center?

@dez_blanchfield This goes back to @jpmorgenthal's comment about SAS-70. It could easily be addressed.

@tcrawford @dez_blanchfield the US Federal's FedRamp guidelines can also be used by commercial organizations to foster trust

I was at an IBM event a year or so ago at which MSPs were talking about picking up the pieces after things had gone wrong.

@dez_blanchfield Do you think locality of data is as critical for medium business as it is for enterprise?

Mike Kavis

@jpmorgenthal when I was building and selling SaaS solutions into retail, we were required to have SOC2 compliance. Our cloud software was more secure than our competitors on-prem software

- don't get me started on "backups" - I once had an account rep at Google tell me "you just don't get cloud" when I tried to explain federal government IT governance to them ;-)

brian bulkowski

@guyclapperton The new cloud technology - containers - has been shown deeply insecure - talk yesterday at OSCON. So we're stuck with virtual machine technology, which has proven fairly secure. Just don't get fooled.

@1BK2 Locality matters. But only as it applies to latency issues or compliance (i.e.: US Patriot Act).

@madgreek65 what did it take to gain SOC2 compliance timewise and cost?

@tcrawford See, now you've done it, this is the UK chat, now they're gonna be like, "damn Americans make it all about them" J

Mike Kavis

@jpmorgenthal a few months, not a big cost since we had no legacy and designed upfront for security

@jpmorgenthal Ahh... but it's not just about the US. Other countries have similar 'locality' requirements too.

- US fed gov references don't do much for those of us outside the USA, in Asia / APAC / ANZ / AU / NZ we're developing much of this from scratch with relevant local focus.

- state government agencies in the "medium" sized enterprise space are making huge inroads with state gov support here in AU: http://www.computerw...

@dez_blanchfield I think a lot of the issue is that larger enterprises need multi-national frameworks when the laws are local.

- multinational is another level of complexity to cope with, but the basic rules / governance is usually consistent across borders..

Martin Beckwith

No one's saying it's all or nothing. It's logical to keep mission critical data in house, and non-critical in the Cloud. Hybrid, in fact.

- for those interested here's a good starting point on how Australia's faring on readiness from Fed Gov level which guides many medium sized enterprises: http://www.finance.g...

Cloud Computing | Department of Finance
Policy The Australian Government Cloud Computing Policy supersedes the April 2011 Australian Government Cloud Computing Strategic Direction paper. It updates the progress on the deliverables of the 2011 strategic paper and provides whole-of-governmen...

@dez_blanchfield Thanks Dez, that's a good resource.

@dez_blanchfield Good set of documents! - I'm wondering what level of guidance there is published from other Goverments for medium business.

- the 2x boys at Cloud Advantage are seeing solid wins by speaking the lingua franca of medium sized enterprise ( busienss cases and cost models ) - http://www.cloudadva...

@dez_blanchfield There's legalities that need to be taken into consideration regarding compliance, but there's no reason the general framework of things like FedRamp would not be useful

- Australia's Federal communications minister, Malcolm Turnbull, wants Australian businesses to play a major role in the "cloud revolution": http://www.zdnet.com...

SMEs to be part of Australia’s cloud revolution: Turnbull | ZDNet
Small and medium businesses are set to play a major role in Australia's cloud revolution if communications minister Malcolm Turnbull has his way, with his department releasing a series of guides to encourage cloud services uptake in the sector.

Martin Davies

@MartinBW For some businesses it makes sense for the Cloud to power revenue-critical applications though. Take retail.

- this thread may need to split into on-prem / off-prem as there are key differences, your private "non-internet connected" cloud is a safer place to take risks on security than any 3rd party cloud or internet cloud service.

@dez_blanchfield That's an entirely fair point.

@marjodasays - is there any value in segmenting a particular market like Retail? perhaps there is from a solutions focus, but the value proposition of IaaS / PaaS / SaaS surely applies to ALL biz?

Martin Davies

@dez_blanchfield Not all businesses need scalability for example. So it makes sense to think about those that do if that's a key benefit.

/ @marjodasays - you also need to be clear about the requirement to scale and if it's either Vertically or Horizontally, or Both.. they are chalk and cheese in most cases.

Guy Clapperton37

Let’s start with some basics – what does the cloud do specifically for the medium-sized business?

[+] Show Hidden Comments

let's clarify that question, public cloud has very different value proposition from private cloud

Public cloud offers compute capacity and economic alternatives that mirror that of very large enterprises

Thanks JP. Which do you use, and why? (Or does it have to be one or the other?)

For one thing I think it lowers the bar of entry for new projects/ideas - taking some of the risk away.

4 Votes Vote

- perhaps segment that a tad as SME is a very broad segment..

on the other hand a private cloud may add additional strain and burden on the IT organization to manage limiting upside of resource management

Indeed Dez - we're focusing on 'medium' rather than 'sme' here.

I'm an influencer. I recommend technology selection and provide cloud through leadership.

- early adoption thus far has obviously been tech savvy, how are you finding adoption rates faring from non-tech savvy ?

John Furrier

to me it's simplicity and easy of use to get access to compute to drive basic applications.

John Furrier

in big enterprises it's shadowIT in SME it's just IT #cloud #bigdata

- the benefits are easy to sell, it's the adoption that seems to be the key hurdle, as in "how to get the journey started".. ( i.e. what to migrate 1st ).

There's a difference between mid-size using public cloud directly vs. indirectly.

@furrier Good analogy

Interesting, Dez - how have you started answering that question about what to migrate first?

@dez_blanchfield I usually advocate to start with something new/small and find your feet, rather than migration of existing workloads.. unless there is a good use case. First small steps and all that.

according to the latest Cloud Industry Forum report, adoption rates among the midsize are 75%

I think many of them are tech savvy or going with partners who are

Yes @swimgal45 I agree - outsourcing is a powerful tool here. As long as you get the right partner.

@swimgal45 unfortunately, a lot of that is at the detriment of having the necessary internal IT staff to manage the data

@1BK2 what workloads are you seeing migrated 1st?

the right partner essential is essential or a service provider who does SaaS

@guyclapperton - yes, I've successfully stewarded a broad range of medium sized enterprise and government organizations through the challenges by crowd-sourcing "what should move first" within their own departments / staff.

@swimgal45 The smaller the org, the more they rely on their MSP for advice. #SMB

/ @swimgal45 - fully agree, 99% of the adoption I've seen in APAC / ANZ is tech heavy organisations - who are usually technically, commercially, and emotionally more ready and capable to leverage #cloud in some form.

@guyclapperton it's an enablement platform that offers fantastic business agility for almost all companies in almost any sector. Perfect for helping a UK Midsize business to punch above its weight! #cloudspeed!

Martin Beckwith

The right partner is vital according to your personal requirements and extent and type of the IT is to be outsourced. And whether they actually have their own data centre.

@swimgal45 No one clear winner in the workload migration stakes, I think in the small/medium space its mainly driven by tech refresh or new projects.

what to move first - I'd chose something in a new space, probably in Systems of Record: mobile, social, analytics...where you can get fast visible impact for the business without the overhead of heavy lifting in IT (syst of record)

@dez_blanchfield interesting about the emotional readiness for cloud. There are some hurdles here...I think one of them is around privacy and data location.

stet that should have said Systems of Engagement...

- can I invite you to kick off a new thread focused on example case studies we can point to to share pros / cons of real world examples as theory is fun but real beats theory hands down ;-)

/ @swimgal45 - I think we can all agree that even in medium sized organizations emotions drive many decisions in liew of experience, facts, or knowledge, cloud is no different in this case.

/ @cloudstuff - I highly recommend you start with DEV, then TEST, then INTEGRATION and UAT, and finally run a parallel PROD where you can do trial live runs, as your DEV and OPS folk will be ready and able to support your efforts.

/ @cloudstuff - you will find the recent success QANTAS have had interesting: http://www.itnews.co...

- get your customers business to answer the "what to move first" question for you, ask them "where are your biggest pain points" regarding "time to implement", "time to market", "capacity", "performance", "cost" et al..

@dez_blanchfield Thanks - may I repost that into the case studies thread?

- medium enterprise seems to respond better to the "educate rather than sell" approach as well - teach them and you will have champions of the cause, sell to them and you're an outsider..