<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>Kate&#039;s Comment</title> <atom:link href="http://www.katescomment.com/feed/" rel="self" type="application/rss+xml" /><link>http://www.katescomment.com</link> <description>Thoughts on British ICT, energy &#38; environment, &#34;Cloud&#34;, and security from Memset&#039;s MD</description> <lastBuildDate>Fri, 03 Feb 2012 16:21:52 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.2.1</generator> <item><title>Hacking Britain’s Recovery</title><link>http://www.katescomment.com/hackers-british-recovery/</link> <comments>http://www.katescomment.com/hackers-british-recovery/#comments</comments> <pubDate>Fri, 27 Jan 2012 15:16:41 +0000</pubDate> <dc:creator>katecw</dc:creator> <category><![CDATA[Technovation]]></category> <category><![CDATA[hacking]]></category> <category><![CDATA[hardware]]></category> <category><![CDATA[internet of things]]></category> <guid
isPermaLink="false">http://www.katescomment.com/?p=1024</guid> <description><![CDATA[As we enter 2012 the world economy continues to stutter, teetering on the brink of another global recession fuelled this time not by banks defaulting but by the prospect of entire governments being declared bankrupt. In my last post I described how I believe that the time is nonetheless ripe for a technology revolution, [...]]]></description> <content:encoded><![CDATA[<p>As we enter 2012 the world economy continues to stutter, teetering on the brink of another global recession fuelled this time not by banks defaulting but by the prospect of entire governments being declared bankrupt. In my <a
href="/revolution-internet-of-things/">last post</a> I described how I believe that the time is nonetheless ripe for a technology revolution, and indeed one befitting times of austerity thanks to a resurgence in hardware hacking (ie. do it yourself electronics).</p><p>Looking back over my lifetime the superstars of technology in some ways did us a disservice. I applaud Mr. Gates, the late Mr Jobs and others&#8217; achievements in making technology seamless and universally accessible, but by doing so they distanced us from it, making it mysterious. Most kids have little understanding of how the machines that infest their lives work, which is a shame. It is also undesirable to most since we end up in a world where a few are able to exploit the many with their clever wizardry &#8211; look only to Apple&#8217;s eye-watering profits which recently surpassed mighty Google&#8217;s <em>revenues</em>!</p><h3>An old passion reignited</h3><p>I was fortunate to have been brought up by an electronics engineer (my Dad) who had a keen interest in computers. I have fond memories of him teaching me how to mock things up with a bread board (a rapid prototyping system for designing electronic circuits) and the nuances of good soldering. Aged 9 I was making simple burglar alarm systems so I could tell when my sister was trying to sneak into my bedroom, by 11 I was making my BBC Master computer do real world interactions via its parallel port and some circuitry I&#8217;d rigged up and at 12 I built a model hovercraft. Making such devices is not actually that complicated!</p><p>I&#8217;m ashamed to admit that I allowed those passions to fade. I moved on to programming instead and immersed myself in the virtual world, then the Internet, but in the last year my passion for real-world electronics and computer interfacing has been rekindled. I&#8217;m delighted to report that I am also very much not alone in this! Perhaps the best known &#8220;movement&#8221; is <a
href="http://hackspace.org.uk/">Hackspaces</a> &#8211; places where like-minded hackers can get together, pool ideas and resources and make cool stuff.</p><p>One of the technologies that has really helped us hackers is <a
href="http://www.arduino.cc/">Arduino</a> &#8211; a programmable, open source, simple to use board for under £20 that you can hook up to your own electronics to do all sorts of things. Combining computing and home-brew electronics just got practical again, whereas during the age of the PC it was frankly rather impractical for most since you needed quite advanced skills to directly interface basic electronics with a PC, and PCs are expensive and large so you can&#8217;t stick one in a box to run your door bell, for instance.</p><p>In short, modern personal computers distanced the user from the underlying technology compared to my old BBC Master, which made them accessible to a wider audience but also limited innovation to a small number of well-resourced companies. Even Linux did not help much since although the operating system is more accessible to a hacker the underlying hardware was still a PC and not really designed to have bits of DIY circuitry attached. But that is changing.</p><p><strong>The Internet of Things</strong></p><p>I&#8217;m not suggesting that hacking with home-brew electronics and small computers will bring the UK out of a double dip recession. What has changed though is the addition of ubiquitous network connectivity into that mixture along with an acceleration of innovation.</p><p>What I am in fact predicting is that 2012 will be the year that the Internet of Things really takes off, driven by the hacker community.</p><p>It is already here, but what will rocket-boost it is the hacker community empowered by cheap open source hardware platforms. There are two platforms in particular I&#8217;d like to highlight: <a
href="http://nanode.eu/">Nanode</a> and <a
href="http://www.raspberrypi.org/">Raspberry PI</a>. Nanode is an Arduino with IP networking conveniently built in. It is actually quite a pain to make an Arduino communicate via IP or even serial by itself (I&#8217;ve tried, trust me!) but Nanodes make it easy, and they are dead-cheap &#8211; under £20 for a kit and about an hour to solder the components onto the PCB.</p><p>Even more exciting is the British Raspberry PI; an ARM GNU/Linux computer for $25. ARM is the British processor architecture that used to be in Acorn computers and now powers the world&#8217;s smart phones, tablets, netbooks and more. With such a cheap and powerful computer available the possibilities are no longer limited by money, but rather by one&#8217;s imagination. I am not suggesting that all those new devices will be one-off non-commercial affairs either. As we have seen with the &#8216;Web and with smart phones many of the services and apps that have been developed have gone on to become major commercial offerings, and I would expect the same of the exponentially-increasing network-connected devices littering our lives. The revolutionary aspect will be, I believe, that everyday people will drive the innovations rather than established corporations.</p><p><strong>Limitless possibilities</strong></p><p>To give you some examples, I have a few Nanode projects on the go myself. First I&#8217;m using one to monitor the moisture level in the soil of my sole houseplant which was inherited from my Mum who in turn got it from my grandfather. I&#8217;m hopeless at remembering to water things and it is a very precious plant, so I have applied technology to the problem. The circuitry is very simple and rather than worry about polling data and doing charts etc. myself my next step is going to be to get it publishing data to <a
href="https://pachube.com/">Pachube</a>, a cloud-based service to do all the useful stuff you want with data like drawing charts, sharing it with people and delivering notifications to your phone.</p><p>Another more commercial project is a temperature and humidity monitor (a Nanode with a SHT15 sensor) to monitor the environment in my cupboard under the stairs which is my home&#8217;s nerve centre (I&#8217;ve noticed it is getting a bit hot thanks to the collection of IT kit in there). My plan is to use the eventual design in our data centres as well &#8211; why pay some vendor £hundreds for an IP data centre environmental sensor when we can get a job lot built for us on the cheap?</p><p>I&#8217;ve got numerous other ideas and I&#8217;m not alone. Hackers are out there working on cheap-and-cheerful solutions for everything from home-care for the elderly to asset tracking in the field to home and industrial energy management. It does not stop with the individual applications either though; looking at the likes of Pachube one starts to realise the enormous potential of pooling and analyzing all the data we are starting to collect.</p><p><strong>British invention</strong></p><p>Britons are fabulous inventors &#8211; our history is steeped with examples of ingenuity &#8211; but we have arguably lost our way. I believe that it is time to correct that and that these low-cost, flexible, open source, community driven platforms are an ideal vehicle to reignite the nation&#8217;s passion for invention and innovation. Further, many of the most inspiring developments are happening right here in Blighty &#8211; Nanode and Raspberry PI are British and if you want to see something really cool check out these <a
href="http://www.buildyourowndrone.co.uk/">Arduino-based aerial drones</a>.</p><p>With the Euro-zone teetering on the brink of collapse and a new recession looming we should fall back on our strengths and look to technology innovation to drive our economy forwards. ARM is the perfect example; they don&#8217;t make anything, that is all done in Asia, but they are enormously successful at creating the intellectual property and licensing it to a hungry and growing global market.</p><p>So, hackers of Britain, get out your soldering irons, make your way to your local Hackspace, share your ideas, ask the &#8220;stupid&#8221; questions (there is no such thing <img
src='http://cdn.katescomment.com/wordpress/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' />) and have a go at bending technology to your will. We can all be wizards now!</p> ]]></content:encoded> <wfw:commentRss>http://www.katescomment.com/hackers-british-recovery/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>The Next Revolution: Internet of Things</title><link>http://www.katescomment.com/revolution-internet-of-things/</link> <comments>http://www.katescomment.com/revolution-internet-of-things/#comments</comments> <pubDate>Wed, 25 Jan 2012 06:29:06 +0000</pubDate> <dc:creator>katecw</dc:creator> <category><![CDATA[Technovation]]></category> <category><![CDATA[cloud]]></category> <category><![CDATA[hacking]]></category> <category><![CDATA[hardware]]></category> <category><![CDATA[internet of things]]></category> <category><![CDATA[open source]]></category> <guid
isPermaLink="false">http://www.katescomment.com/?p=1007</guid> <description><![CDATA[Over Christmas I have been pondering on the question of what the next big thing in technology will be, specifically in 2012. That question is perhaps especially poignant since we recently lost one of our generation&#8217;s great innovators, Steve Jobs. When I recently took delivery of my magic mouse I was struck by how [...]]]></description> <content:encoded><![CDATA[<p>Over Christmas I have been pondering on the question of what the next big thing in technology will be, specifically in 2012. That question is perhaps especially poignant since we recently lost one of our generation&#8217;s great innovators, Steve Jobs.</p><p>When I recently took delivery of my magic mouse I was struck by how aptly it was named. If it were presented to someone only a few decades ago &#8211; a smooth pebble-like object which could be used to interact with a computer by moving it or merely brushing one&#8217;s fingers across its surface &#8211; might it not have appeared magical? Mr. Jobs&#8217; elegant creations brought to life Arthur C Clarke&#8217;s maxim that any sufficiently advanced technology is indistinguishable from magic.</p><p>Adding to this, the world economy continues to stutter, teetering on the brink of another global recession fuelled this time not by banks defaulting but by the prospect of entire governments being declared bankrupt. Is this really the time for fancy new technologies?</p><h3>3D printing</h3><p>Perhaps the most obvious transformational technology to pick as the one to watch would be 3D printing. It is hard to overstate the likely impact of &#8220;printers&#8221; able to create almost any object becoming as common as personal computers are today, but we are quite a way from that point. At present they are relatively crude, able only to print a small range of types of plastic, and quite expensive.</p><p>An interesting area to watch is the open source <a
href="http://reprap.org/wiki/RepRap">RepRap</a>, which can be used to make some of the parts for additional copies of itself. The implications of machines that are able to make anything, including copies of themselves, are profound indeed, but I am not convinced that 2012 will be the year of 3D printers and fully automated manufacturing.</p><h3>The Internet of Things comes to life</h3><p>But no, I think the next big revolution will be something called the Internet of Things. So what is it? In this context I&#8217;m talking about all the Internet Protocol (IP) connected devices that litter our lives. Why does this matter? Well mainly because there are a <em>lot</em> of them &#8211; estimates of between 50 billion and 1 trillion by 2020 are out there. You might be thinking, &#8220;Nah, I only have a couple of computers, what are they on about?&#8221;. Well, I counted up all the IP devices in my home recently and got a surprise:</p><ul><li>1 x Mac mini (our media computer &#8211; I recently cancelled Sky and we stream all TV)</li><li>1 x Cable modem with integrated Wireless Access Point</li><li>1 x ReadyNAS file server (for backups and storing large files such as movies)</li><li>1 x X-box</li><li>1 x Wii</li><li>2 x Mac Air Laptops</li><li>2 x HTC Desire Android smart phones</li><li>1 x Amazon Kindle</li><li>5 x IP CCTV security cameras</li><li>1 x CCTV system head unit</li><li>1 x Burglar alarm system</li><li>2 x Televisions</li><li>1 x Hi-fi amplifier</li></ul><p>A total of twenty IP-connected devices! Now, I&#8217;m a well-off technologist so you could argue that I have more devices than most and that most people would not connect all their devices (like the TVs &#8211; all mine do is auto-update their firmware at present). 
However, first that list is for two people (my girlfriend and I) and second we are actually fairly minimalist with our technology and tend to have as few devices as possible; we have one laptop and phone each, only one pad device (the Kindle) between us, and a couple of other computers and consoles. Anyway, call it in round numbers 10 IP-connected devices each and assume there are 1bn people like us in the developed world and you get 10 billion devices in the West. Suddenly 50 billion in 8 years seems very likely, in fact if anything a bit low!</p><h3>More addresses!</h3><p>Until recently the potential for this explosion was also hampered by the fact that we were running out of IP addresses. IP addresses are codes like &#8220;78.31.108.54&#8221; that are used to address machines on the Internet &#8211; that one happens to be my personal virtual machine. The old system is called IPv4 and each of the four parts of the code runs from 0 to 255, so the total number of possible addresses is 256^4 = 2^32, or about 4 billion (4 * 10^9). Some devices are inside home or office networks so don&#8217;t have an Internet address themselves, but if they could it would accelerate the Internet of Things even more.</p><p>Recently a new version of IP addressing, IPv6, has been rolled out which gives us vastly more &#8211; a mind-boggling 2^128 possible addresses, or about 3.4 * 10^38. As described in a lovely <a
href="http://xkcd.com/865/">XKCD cartoon</a>, it is unlikely that human society in anything resembling our current state will ever consume that many addresses, but I digress!</p><h3>The peoples&#8217; revolutions</h3><p>For something to be a revolution you need a bit more than device proliferation though. Let&#8217;s take a step back and look at the last couple of decades and the other recent revolutions. I would like to contend that since the headline technology revolutions of my lifetime (personal computing and personal network connectivity) there have been two further major revolutions and that both of them have been community-driven, albeit reliant on the first two revolutions. As an aside, that is often the way of innovation, as in the words of W. Brian Arthur:</p><blockquote><p>&#8220;Novel technologies form from combinations of existing ones, and in turn they become potential components for the construction of further technologies.”</p></blockquote><p>The third technology revolution of my lifetime, and the first driven more by people than by institutions, was the World Wide Web, which grew organically without any central authority and whose content was created by people everywhere, especially in the beginning. I remember being at university and sitting in a tiny bedroom next to my room mate in the wee small hours while we both built our personal Web sites, borrowing bits from others who had gone before. Today the content is being generated by even more people now that the technical knowledge requirements have been reduced with systems like blogging and wikis.</p><p>The fourth revolution has been in software development communities. 
I&#8217;m cheating a bit and rolling two revolutions into one; first the open source software movement &#8211; generally free community-sourced and managed applications; second the accessible software development ecosystems that have been created for smart phones by companies like Apple and Google realising the awesome power of enabling the community to get creative with their platform. There are further examples as well, such as the popular Linux-Apache-MySQL-PHP (or Python, Perl etc) &#8220;stack&#8221; which millions of bedroom hackers and professional programmers alike use to rapidly develop their own Web applications; a free development platform created by the open source community.</p><p>The benefits of accessible app development platforms are fairly obvious (just look at all the things your smart phone can do), but amazingly some hard-headed business people are still in denial about open source software despite it being responsible for many systems that are now integral to our daily lives. The Linux operating system, to pick but one example, has proven to be massively reliable &#8211; more so in our experience than closed source Windows by a long way &#8211; and is completely free. Open source is an amazing example of functional communism at work. I&#8217;m a particular fan since I have built my entire business on open source technologies and thanks to them I&#8217;m able to undercut all my competitors and still make a healthy profit. Everyone wins!</p><p>You might be asking, &#8220;What about smart phones or social media? Are they not revolutions?&#8221;. Back in 2000 I had a Palm Pilot that could do quite a few smart phone type functions and Moore&#8217;s law has always predicted that we would have powerful computers in our pockets. Ubiquitous network connectivity is also key to smart phones but that too is a long-term trend. What has made smart phones really work compared to my old Palm Pilot has been the people-power behind the app development. 
As for social media, again I see that as more an evolution of technology; as far back as 1997 I was using Internet Relay Chat (IRC), usenet news and online forums, all arguably social media. It is the Web that is the revolution, driven by people finding cool new ways to use that technology &#8211; social media being just a prominent example.</p><h3>The hackers&#8217; revolution</h3><p>I believe that the fifth major technology revolution of my time will be the Internet of Things and that like other recent revolutions it will be powered by a community, in this case the hacker community, their innovative drive empowered by cheap open source hardware platforms.</p><p>I&#8217;m not suggesting that hardware hacking is anything new, but what has changed is the addition of ubiquitous network connectivity into the mix along with some cheap and flexible platforms such as Nanode (an Arduino board with ethernet attached) and Raspberry PI, a Linux computer for $25. Especially exciting is the fact that those innovations are both British.</p><p>In my <a
href="/hackers-british-recovery/">next post</a> I will describe how I think hacking is making a comeback, how it will rocket-boost the Internet of Things revolution and how I believe that together it could be a real boon to our faltering economy.</p> ]]></content:encoded> <wfw:commentRss>http://www.katescomment.com/revolution-internet-of-things/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>How To Protect Your Site from Cyber Crime</title><link>http://www.katescomment.com/protect-your-site-from-cyber-crime/</link> <comments>http://www.katescomment.com/protect-your-site-from-cyber-crime/#comments</comments> <pubDate>Fri, 06 Jan 2012 05:05:42 +0000</pubDate> <dc:creator>katecw</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[hosting]]></category> <guid
isPermaLink="false">http://www.katescomment.com/?p=948</guid> <description><![CDATA[In the 1980s, computer viruses passed around on floppy disks were the main security risks. How things have changed! Now, we have bot nets, adaptive computer viruses, social engineering, and phishing to worry about. From hackers / script kiddies to DoSers (Denial of Service), we as hosting providers have to fight them all. But that is only part of the story; there are some important things people can do to protect themselves.]]></description> <content:encoded><![CDATA[<p>In the 1980s, computer viruses passed around on floppy disks were the main security risks. How things have changed! Now, we have bot nets, adaptive computer viruses, social engineering, and phishing to worry about. From hackers / script kiddies to DoSers (Denial of Service), we as hosting providers have to fight them all. But that is only part of the story; there are some important things people can do to protect themselves.</p><h3>The evolving threat</h3><p>On a consumer level there are the phishing sites, out to steal your credit card or online banking details by pretending to be a trusted brand, and at a business level there are threats and extortion.</p><p>DDoS (distributed denial of service) attacks are typically launched from “bot nets”, or collections of compromised personal computers and servers. 
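</p><p>As an added example (my own code, not Memset&#8217;s firewall), here is the kind of per-source request-rate check that sits behind the &#8220;detect and block attacking IPs in real time&#8221; approach mentioned under hosting providers below, run over a handful of constructed access-log lines in the Apache/nginx combined format. The threshold, the window length, the sample addresses and the iptables rule text are all illustrative assumptions.</p>

```python
"""Threshold-based flood detection over web-server access logs.

Added example, not Memset's own firewall code. The log lines, the
threshold (max_requests) and the window length are constructed for
illustration; iptables rule strings are rendered but never executed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the Apache/nginx "combined" format, in the
# chronological order a real access log has. 198.51.100.23 hammers one
# page eight times in three seconds; 203.0.113.7 browses normally;
# 192.0.2.9 sends exactly five in the window (at the limit, not over it);
# the last line is deliberately malformed and must be skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jan/2012:05:05:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Jan/2012:05:05:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.21"
198.51.100.23 - - [06/Jan/2012:05:05:01 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.21"
198.51.100.23 - - [06/Jan/2012:05:05:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.21"
192.0.2.9 - - [06/Jan/2012:05:05:02 +0000] "GET /a HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Jan/2012:05:05:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.21"
198.51.100.23 - - [06/Jan/2012:05:05:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.21"
192.0.2.9 - - [06/Jan/2012:05:05:03 +0000] "GET /b HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Jan/2012:05:05:03 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.21"
198.51.100.23 - - [06/Jan/2012:05:05:03 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.21"
198.51.100.23 - - [06/Jan/2012:05:05:03 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "curl/7.21"
203.0.113.7 - - [06/Jan/2012:05:05:04 +0000] "GET /about HTTP/1.1" 200 800 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Jan/2012:05:05:05 +0000] "GET /c HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Jan/2012:05:05:06 +0000] "GET /d HTTP/1.1" 200 100 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Jan/2012:05:05:07 +0000] "GET /e HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jan/2012:05:05:09 +0000] "GET /contact HTTP/1.1" 200 700 "-" "Mozilla/5.0"
this line is not an access-log record
"""

# client ip, two ignored fields, [timestamp], "request", status code
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (client_ip, timestamp) for a combined-format line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def find_flooders(lines, max_requests=5, window_seconds=10):
    """Sliding-window request count per source IP.

    Returns {ip: peak_count} for every IP that made more than max_requests
    requests within any window_seconds span. Lines are assumed to be in
    chronological order, as an access log is.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # skip anything that is not a log record
        ip, ts = parsed
        window = recent[ip]
        window.append(ts)
        # Drop timestamps that have fallen out of the window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(window))
    return offenders


def block_rules(offenders, chain="INPUT"):
    """Render one iptables DROP rule per offending IP (strings only)."""
    return ["iptables -I %s -s %s -j DROP" % (chain, ip) for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = find_flooders(SAMPLE_LOG.splitlines())
    for rule in block_rules(hits):
        print(rule)
```

<p>The caveat is the one this section makes: a per-source threshold catches a single noisy machine, but a real bot net spreads the load so that each source stays under the limit, which is why bandwidth headroom remains the only general answer to a distributed flood.</p><p>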
While alone any one of those machines, usually on the end of a home ADSL connection, cannot do much damage, if thousands of them flood a Web site with bogus requests at once the site is overwhelmed. Unfortunately the only real defense against such attacks is to have more bandwidth than the attacker, but with more companies moving to cloud providers with massive pipes like us that means that the attacker would need a bot net of many thousands of machines to cause damage.</p><p>There has also been a marked increase in criminals attacking popular sites and advertising engines to steal information and disable websites for political reasons. The recent wave of ‘hacktivists’ presents new issues for web hosts, as many traditional organisations are now having their sites hacked.</p><h3>Web Development</h3><p>The first stage in solving the security problem starts with the development and design stage. If developers neglect to address all security issues, a future hacker will very likely exploit the flaw to run commands that can compromise the data in your hosting account, some of which might even be confidential. To fix this problem, you must ensure scripts are very well planned and tested, especially those parts that deal with private information. Validating all inputs to the software is vital &#8211; ask your developer if they have enabled <a
href="http://en.wikipedia.org/wiki/Taint_checking">taint checking</a> and if they look at you blankly get another developer!</p><p>Any forms that handle sensitive data should be using HTTPS (secure HTTP) of course. Be sure to enable SSL and buy a digital certificate (Digital ID) from a trusted certificate authority &#8211; <a
href="http://www.memset.com/ssl.php">SSL certificates</a> do not cost much compared to the cost of securing your site! Ensure that your developer makes any sensitive forms redirect to the HTTPS version of the site too, so that they are never loaded or submitted over plain HTTP. Why is SSL encryption important? Well if you&#8217;re accessing a Web site over normal HTTP using, say, a public Wifi then I can &#8220;sniff&#8221; (read) your traffic (with a little cleverness) just by being on that same Wifi network! End-to-end encryption is always best for all online communications &#8211; don&#8217;t trust the network.</p><p>Finally, if you are using a content management system like WordPress be sure to keep it updated. The number one culprit we see after bad passwords (see below) is a WordPress site that has not been updated in ages. The same goes for all software you put online &#8211; keep it updated! With the automated tools that allow you to do so there is no excuse not to. The number two is badly-written PHP sites by the way &#8211; see above!</p><h3>Password Management</h3><p>The majority of hacks are caused by bad passwords. It is not just a simple matter of changing &#8216;l&#8217;s to 1s either, as these are still easy to crack. Anything based on a dictionary word or piece of memorable information is vulnerable. It is vastly better in my experience to choose a good password and then stick with it for that site rather than changing it often.</p><p>We have performed rigorous mathematical analysis on how good a password needs to be by working out how much money it would take to crack if you had the password file and were using cloud computing. We determined that an 8 character random string formed from a-z, A-Z and 0-9 (using open source <a
href="http://sourceforge.net/projects/pwgen/">pwgen</a>) is adequate for the vast majority of purposes, costing about $100,000 to break. A 10 character randomly generated password will cost $13m to crack using cloud computing and quite frankly there are easier ways for hackers to get your information for that amount of money!</p><p>We get all staff to choose an auto-generated password created with pwgen. This approach is much better than making them choose their own (often guessable) one and changing it periodically (which means they need to write it down to remember it).</p><p>Finally, having lots of different passwords to remember can be a pain. There are packages to help though. For most Web sites I use my browser&#8217;s password safe, which is encrypted because my entire laptop is encrypted, though many browsers have encryption options available. For other passwords such as banking details I keep them in a password safe called <a
href="http://www.keepassx.org/">KeePassX</a>. I then use a 16-character randomly generated password (from pwgen) as my master password and I don&#8217;t have to remember any others. You should really have one password per site but personally I group a few together based on how much I trust the sites. For banking <i>always</i> use a unique password per site though!</p><h3>Tight Controls on Accessing Data</h3><p>If you are allowing access to your Web site&#8217;s back end, for example for order fulfilment, that will often expose a vulnerability that a hacker could exploit. Therefore it is important that you ensure that any device accessing that &#8220;soft spot&#8221; is secure.</p><p>That should not stop you operating completely over the wire / in the cloud though. We allow all staff to access from anywhere using a laptop and a browser, using HTTPS for the security. However, we do not allow access from just any laptop; it must be a company one, we require that everyone follows good password practices (see above) and every person has their own unique login.</p><p>Unique logins for each member of staff are vital, so that you can react quickly in the event of a compromise. We have regularly tested and audited procedures for revoking user access quickly so that in the event of a lost laptop or compromised user password (or SSH key for command-line access to systems) we can rapidly change that user&#8217;s access credentials.</p><p>As an additional precaution, any laptop that is used to store company data (most of it is in the cloud, but sometimes information is stored locally) must have an encrypted hard drive.</p><p>In conjunction with requiring that everyone uses a screen saver password lock, our company laptops are well protected even if stolen while running, with the drive decrypted in RAM. 
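</p><p>Stepping back to the password advice above, here is the arithmetic behind it as an added worked example in Python; it is my own code, not Memset&#8217;s analysis, and all the function names are my own. It generates pwgen-style passwords from the same 62-symbol alphabet (a-z, A-Z, 0-9), works out the keyspace and entropy for a given length, and turns that into an average-case brute-force cost. The guess rate and hourly cloud price are placeholder assumptions: the real cost depends on the hash function protecting the password file and on the price of rented compute, so the dollar figures quoted above are not reproduced here, only the method.</p>

```python
"""Password strength arithmetic behind the post's pwgen advice.

Added example, not Memset's analysis code. The guess rate and the hourly
cloud price in expected_crack_cost_usd are illustrative assumptions: the
real figures depend on the hash function the password file uses and on
what the attacker pays per machine-hour.
"""
import math
import secrets
import string

# a-z, A-Z and 0-9: the 62-symbol alphabet pwgen draws from (pwgen -s).
ALPHABET = string.ascii_letters + string.digits


def generate_password(length=8, alphabet=ALPHABET):
    """Draw each character uniformly from alphabet using the OS CSPRNG."""
    if length >= 1:
        return "".join(secrets.choice(alphabet) for _ in range(length))
    raise ValueError("length must be at least 1")


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct passwords of this length: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def expected_crack_cost_usd(length, alphabet_size=len(ALPHABET),
                            guesses_per_second=1e9, usd_per_hour=1.0):
    """Average-case cost of brute force against a leaked hash.

    On average the attacker must try half the keyspace. guesses_per_second
    is the rate of one rented machine against the hash in question and
    usd_per_hour is its price; both are assumptions, not measured values.
    """
    guesses = keyspace(length, alphabet_size) / 2
    hours = guesses / guesses_per_second / 3600
    return hours * usd_per_hour


def is_pwgen_style(password, alphabet=ALPHABET):
    """True if every character is drawn from the expected alphabet."""
    return all(c in alphabet for c in password)


if __name__ == "__main__":
    for n in (8, 10, 16):
        print(n, generate_password(n), "%.1f bits" % entropy_bits(n),
              "about $%.0f" % expected_crack_cost_usd(n))
```

<p>The lesson the numbers make concrete is that each extra character multiplies the attacker&#8217;s cost by 62, so going from 8 to 10 characters costs the attacker 3,844 times more for the same hash and hardware, whereas swapping letters for look-alike digits in a dictionary word adds almost nothing.</p><p>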
For a stolen running laptop the screen lock is the remaining line of defense: to get at the drive directly the thief would have to power down the machine, which discards the decryption key held in RAM, so keep the lock timeout short.</p><h3>Personnel / &#8216;purchase key&#8217; attacks</h3><p>The biggest security weak-point for any organisation is its people. A determined attacker will not bother with trying to steal servers nor hack into them, but will attempt to gain leverage over key members of staff; the &#8220;purchase key attack&#8221;. To protect yourself and your data, you should look to take steps to mitigate the risks. These are some of the things we do at Memset:</p><ol><li>All staff with access to company and customer data are CRB / background checked.</li><li>Access to servers is gained via personal keys and all activity is logged.</li><li>Access to Web-based systems is gained via personal credentials and all activity is logged.</li><li>Logs and activity are routinely checked by the head of security.</li></ol><h3>Carefully Select Your Hosting Provider</h3><p>The only thing one can really do about bot nets is to have more bandwidth than the attacker (ie. an army of hijacked home computers), which is yet another reason why companies should be giving up owning and managing their own data centres and moving to the cloud where providers like us have gigabits of connectivity so can withstand such attacks, which happen frequently.</p><p>We also have firewall technology to dynamically detect and block attacking IPs in real time. This sort of attack is not new, though it has only recently made the news. We have been fighting off such attacks for as long as I have been in the hosting industry (12 years). All that has changed is the scale of the weaponry.</p><p>Finally, at Memset we are very upfront about our approach to <a
href="http://www.memset.com/about-us/security.php">secure hosting</a>. I would be strongly suspicious of a provider that was unwilling to share with you how they protect your data. Be sure to ask them and look for externally-audited credentials like the well-recognised ISO 27001 Information Security Management System.</p> ]]></content:encoded> <wfw:commentRss>http://www.katescomment.com/protect-your-site-from-cyber-crime/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>The High-Tech brain drain &#8211; We Need The Chancellor&#8217;s Help to stop selling our golden geese</title><link>http://www.katescomment.com/it-brain-drain/</link> <comments>http://www.katescomment.com/it-brain-drain/#comments</comments> <pubDate>Wed, 23 Nov 2011 12:43:47 +0000</pubDate> <dc:creator>katecw</dc:creator> <category><![CDATA[Business]]></category> <category><![CDATA[cloud]]></category> <category><![CDATA[finance]]></category> <category><![CDATA[sme]]></category> <guid
isPermaLink="false">http://www.katescomment.com/?p=933</guid> <description><![CDATA[Why I'm skeptical that George Osborne's ‘credit easing’ scheme is likely to help British SMEs if it relies on the existing banking system. Further, I believe that now is a golden opportunity for British technology, especially cloud services, with the potential for us to become a new global export and engine of growth for UK PLC. However, without change, ideally with the Chancellor's help, we will keep selling our golden geese and fail to grasp this opportunity. Here is why and how.]]></description> <content:encoded><![CDATA[<p>Now more than ever in recent history is a time of golden opportunity for British high-tech firms, and by extension for UK PLC. In order to fulfil our potential we need funding though and this is causing a huge problem. On October 3rd 2011, Chancellor George Osborne unveiled a ‘credit easing’ scheme through which he plans to have the Treasury lend small businesses billions of pounds in a dramatic attempt to avert a second, disastrous credit crunch. I&#8217;m skeptical this will actually help small businesses at a time when such support is very important (because it relies on the existing banking system), especially in technology and cloud services, and we need to do a lot more to reap the potential benefits of the connected planet. Here is why and how.</p><h3>Why small businesses matter</h3><p>To my first assertion &#8211; my scepticism that this bonds scheme will actually help small businesses. Remember that the &#8220;SME&#8221; category is actually a very broad church. The usual definition is a business with less than 250 employees. There are 1.17 million such private enterprises in the UK generating about £1.29 trillion per year in turnover<sup><a
href="http://www.bis.gov.uk/analysis/statistics/business-population-estimates">1</a></sup>.</p><p>However, 1.02 million of those are micro businesses (under 10 employees), and such businesses tend not to have the best growth prospects; Britain&#8217;s fish-and-chip shops and car garages. The real powerhouse of economic growth is the 204,000 small (10-50) and medium (50-250) sized businesses who have already demonstrated their ability to grow beyond the micro stage. The former account for £470 billion per year (bn/y), the latter for £430 bn/y, further demonstrating their status as the &#8220;gazelles&#8221; of the economy when compared with those million-odd micro businesses who do a paltry £404 bn/y between all of them.</p><p>What I expect is that the proposed measures will help the medium-sized businesses, which is all well and good but that is only 30,000 companies. The real boon to the economy would come from supporting the 170,000 small businesses which have the most growth potential. However, speaking as one of those businesses (we employ 25 staff) I can report that there is no appetite among banks to lend to such companies without asking the directors to guarantee the loan &#8211; impractical for those of us whose livelihood is their business &#8211; and I cannot see this approach changing that since it would rely on the existing banking systems to do that, and the banks remain entirely risk-averse.</p><h3>Memset: a case example</h3><p>To give some context so that you don&#8217;t think we have struggled to get finance for good reasons; we are an extremely successful multi-award-winning, multi-million pound company, growing at ~40% compound annual growth rate while simultaneously accumulating significant cash &#8211; impressive in any economic climate. We have had steady, profitable growth for 9 years and are ranked 7th in our industry of ~200 for commercial and financial strength<sup>2</sup>. 
We want to borrow to bolster our own reserves in order to invest in infrastructure and grow even faster with our sights on global exports. The best Barclays could offer, without us guaranteeing the debt with our homes was a £200,000 loan, provided that we left it on account with them. I kid you not.</p><h3>Cloud: A golden opportunity for Britain</h3><p>While this might seem self-serving, I passionately believe it is important for the UK information and communications technology (ICT) industry as a whole, and as an extension to that I believe it is important for UK PLC. Following the demise of financial services, retail and construction as previous &#8220;engines of growth&#8221; for the country, and a recovery in those sectors looking unlikely in the near term, the country should be looking once more to our strengths as innovators. More than any other sector, ICT has the potential to be a real new engine of growth for Britain.</p><p>Further, now more than ever the opportunity is enormous, especially in the cloud space. I pick cloud because it is especially suitable as an export, something which we need in the UK, and because it is the fastest growing area of ICT. Gartner have predicted that the <a
href="/iaas-paas-saas-definition/">infrastructure as a service (IaaS)</a> global market will grow from $3.7 billion in 2011 to $10.5 billion in 2014<sup><a
href="http://www.pressebox.com/pressreleases/gartner-uk-ltd/boxid/417064">3</a></sup>. Currently about a third of that is believed to be Amazon Web Services, so there is lots of room for new players.</p><p>Gartner also forecast that the global Software as a Service (SaaS) market will be $12.1 billion in 2011, and that market is growing by 21% annually<sup><a
href="http://bizcloudnetwork.com/global-saas-revenue-to-reach-12-billion-in-2011-gartner">4</a></sup>. If that growth continues the global SaaS market will be $26 billion in 2015. Add in IaaS and an estimate for Platform as a Service (PaaS) at $5 billion<sup>5</sup> and the global cloud services market could easily be worth over $40 billion by 2015.</p><p>Western Europe already has $2.7 billion of the SaaS revenue, predicted to grow to $4.8 billion in 2015. At 23.3%, Western Europe&#8217;s market share is growing faster than the global market (ie. we are gaining market share), and most excitingly growing faster than America&#8217;s at 18.7% (SaaS growth).</p><p>These are serious numbers at any scale, and as a country we are uniquely placed, both literally and in terms of economic cycle, to take advantage of the opportunities for global export of cloud services and the rapid revenue growth that would bring. One could easily envisage us within a few years being a major hub of cloud services, serving the American and European markets.</p><p>I&#8217;ve seen estimates of Britain&#8217;s share of the current global cloud market at about 10%. The source was part of a Chatham House rules presentation, so I cannot share it, but that would mean we have 44% of Western Europe&#8217;s market which seems plausible with a little squinting. In that case, if we get our act in gear and merely hold on to our share then by 2015 we could have $4 billion of the global cloud market. If we grew our market share as well then perhaps we could get to $6-$8 billion by then, which would be about 0.4% of British GDP (though there are a lot of &#8220;ifs&#8221; in there)! Given that the Treasury only expects GDP (the entire economy) to grow by 1.2%<sup><a
href="http://www.hm-treasury.gov.uk/d/201111forcomp.pdf">6</a></sup> in 2012 these are potentially significant numbers. Further, cloud is just one of many exciting technology areas in which we excel, high-tech manufacturing being another. However, that vision will not come to pass unless some things change.</p><h3>The high-tech brain drain</h3><p>The problem is that we keep selling our golden geese! I was recently on a UKTI cloud trade mission to Silicon Valley with a bunch of other cloudy entrepreneurs. That illustrious company reminded me that we as a nation are awesome technology innovators; let&#8217;s not forget that (despite what VMware&#8217;s propaganda would have us believe) server virtualisation was pioneered with the Xen Hypervisor (hypervisors are a key technology underlying compute clouds) under Dr. Ian Pratt at Cambridge University, UK, in the late 90&#8242;s.<sup><a
href="http://xen.org/community/xenhistory.html">7</a></sup> Today, Xen is owned by Citrix, an American company, and to my dismay many of my fellow cloud missionaries were intent on seeking US investment &#8211; yet more great technical innovation being siphoned out of our shores.</p><p>The problem is twofold: First, there is a gap in the UK funding market. Fast growing small businesses (as defined above) usually need cash, but in the £2m-£10m range (roughly 10-50 people for most ICT firms) banks are not lending and the companies are too small to float on an exchange (aka &#8220;go public&#8221;). This means that those companies have to turn to venture capital, and those institutions almost always insist on a sale in 3-5 years to reap their profits. Those sales are almost always to larger, American firms.</p><p>The second part of the problem is culture. I am extremely unusual among my British technology entrepreneur peers in that I have my sights firmly on the big game. My ambition is to take Memset to the global market and have us become the next Autonomy or ARM. That means we eschew VC funding since their goals are far too short-term. My fellow entrepreneurs however, almost exclusively, believe that the way one does business is the above &#8211; get going, get VC funding, sell for a few £m, rinse and repeat (if they are serial entrepreneurs, otherwise sit on a beach I suppose). We need to challenge that culture as well and reignite our faith in our ability as scientists and technologists with outstanding skills in innovation.</p><h3>An alternative</h3><p>What I would like to see is Mr. Osborne using those £billions to set up a government-owned bank with the specific mandate of lending to small businesses with a proven revenue model who could accelerate their growth with additional capital. I foresee such a bank facilitating the development of our own &#8220;Mittelstand&#8221; &#8211; the German-owned SMEs that are the powerhouse of the German economy. 
Such a bank should not be run by civil servants, whose track record is no better than the bankers&#8217;, but by private sector professionals with expertise in high-growth SMEs.</p><p>Measures to get part-publicly-owned banks to lend (project Merlin) have failed in my view. Further, politicians are still, amazingly, operating under the misapprehension that schemes like the Enterprise Finance Guarantee are working. They are not, and similar complex schemes will just once again allow risk-averse banks to hide behind the mechanisms and not actually do what we need them to do: share a small amount of the risk with us, the golden geese, and in doing so allow us to fulfil our potential as drivers of economic prosperity.</p><hr
/><p>Update: Seems I&#8217;m not the only one thinking this: <a
href="http://www.telegraph.co.uk/finance/businessclub/beyond-the-banks/8910834/Credit-easing-plans-must-go-beyond-the-banks.html">&#8220;Credit easing plans &#8216;must go beyond the banks’&#8221; &#8211; Telegraph</a></p><hr
/> <sup>2</sup> Source: Plimsol analysis of the UK Web hosting industry.<br
/> <sup>5</sup> Most analysts are more upbeat about PaaS&#8217;s prospects but I believe the technology is still far too immature, hence a reduced estimate.</p> ]]></content:encoded> <wfw:commentRss>http://www.katescomment.com/it-brain-drain/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>The Silent Cyber War</title><link>http://www.katescomment.com/silent-cyber-war/</link> <comments>http://www.katescomment.com/silent-cyber-war/#comments</comments> <pubDate>Wed, 26 Oct 2011 15:49:48 +0000</pubDate> <dc:creator>katecw</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[cloud]]></category> <category><![CDATA[government]]></category> <guid
isPermaLink="false">http://www.katescomment.com/?p=884</guid> <description><![CDATA[There has recently been a lot of news about cyber security, and it is a hot item in Whitehall, education and at the top levels in the IT industry. However, is this "new" cyber security concern warranted and do we need government and/or academia to get involved with a dedicated centre for tackling the issue? In short, I don't think so, and this is why.]]></description> <content:encoded><![CDATA[<p>There has recently been a lot of news about cyber security, and it is a hot item in Whitehall and at the top levels in the IT industry. Further, London City University recently announced it is opening a Centre for Cyber and Security Sciences, with the aim of uniting researchers from various backgrounds in order to research and analyse the cyber security landscape and threats posed by both state-sponsored terrorism and organised crime.</p><p>However, is this new cyber security concern warranted and do we need government and/or academia to get involved with a dedicated centre for tackling the issue? In short, I don&#8217;t think so, and this is why.</p><h3>Just doing our job</h3><p>As a hosting company we are players in a constant cyber war going on quietly behind the scenes that most people are not aware of. We have been successfully defending ourselves and our customers against hackers, script kiddies and DoSers for as long as I&#8217;ve been in the industry (since 1998). The weapons (bot nets and internet connections) have got bigger and the complexity of the systems and hacks has become more sophisticated, but we have evolved too.</p><p>We host 20,000 of Britain&#8217;s largest and busiest Web sites. In just the last week our automated denial of service (DOS) protection system, affectionately known as the &#8220;DOS-squasher&#8221;, blocked just over 200 attacks aimed at our clients. 
None of them even knew that anything untoward had happened.</p><p>On my personal server alone in the last week there were over 50 break-in attempts, all automatically deflected by a combination of good password choice, operating system lock down and firewalling. Multiplied up across our entire server estate that amounts to someone trying to compromise one of our customers&#8217; servers every few seconds.</p><p>We regularly handle phishing sites and such which have been set up by criminals on compromised customer servers (it should be noted that they are generally hacked only when we are not managing the security for them and usually as a result of a poor password) as part of the day job. Again, nothing terribly exciting for us and where necessary we liaise with the police.</p><p>I am uncertain that a government- or education-run department would add much value here. Instead I would advocate their drawing on the vast experience of the hosting and Internet Service Providers&#8217; businesses in the UK by encouraging or incentivising us to pool our best minds to tackle possible threats to national infrastructure.</p><h3>People and education</h3><p>Now, it is true to say that we struggle to find good people with the right skills, but again I don&#8217;t think a university programme focussed on cyber security is necessarily the right approach. The soldiers and lieutenants in the silent cyber war are systems administrators and network engineers. They have the skills, but more of the good ones get those skills on the job. What I would like to see is more universities doing courses like those found at Portsmouth.</p><p>Half of our recent operations recruits have come straight from their computer network management and design BSc, a course that actually teaches them the skills they need to be a systems administrator. I&#8217;d like to see more courses like that, including modules on cyber security training as standard within them. 
I do not believe it needs a special skill set since security should be part of the curriculum for any IT training.</p><h3>Serious crime</h3><p>As well as kids in bedrooms with an axe to grind some cyber threats fall into the category of serious crime. On a consumer level there are the phishing sites, out to steal your credit card or online banking details by pretending to be a trusted brand, and at a business level there are threats and extortion. Take a typical gambling Web site; they could easily be bringing in tens of thousands of pounds per day. They get a major distributed denial of service attack (dDOS) which takes them out for a few minutes. Rattled, they then receive an email demanding thousands of pounds with threats of a much more prolonged dDOS if they don&#8217;t pay up. What do they do? Well, they pay. I can&#8217;t name names, but I know this has happened.</p><p>dDOS attacks are typically launched from &#8220;bot nets&#8221;, or collections of compromised personal computers and servers. While alone any one of those machines, usually on the end of a home ADSL connection, cannot do much damage, if thousands of them flood a Web site with bogus requests Unfortunately the only real defence against such is to have more bandwidth than an attacker, but with more companies moving to cloud providers with massive pipes like us that means that the attacker would need a bot net of many thousands of machines to cause damage.</p><p>This is serious crime and as with any crime should be the domain of the police. A good central authority that was able to track down hackers, phishers and protection racketeers, working with us, would be welcome. 
At present the police are not especially responsive and often don&#8217;t appear to understand the issues at hand.</p><h3>National threats</h3><p>When looking at a national level, such as the rumored attacks against Georgia originating from Russia back in 2008, that is something that central intelligence agencies such as CESG should be prepared for. However, again, the people who have the expertise and the means to help are the existing ISPs.</p><p>One concept I did quite like, however, was that of being able to &#8220;attack back&#8221;. One possible way to defend oneself against dDOS attacks is to launch your own attack on the originating sources from a number of ultra-high bandwidth locations. This has the effect of tying up, or even crashing, the bot net computers and making it difficult to control them. The problem here is that the bot net machines are innocent, zombies if you will that have been infected and are only guilty of having poor security (aka. &#8220;running Windows&#8221; <img
src='http://cdn.katescomment.com/wordpress/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> . The real target should be the command and control servers, but determining where they are is not usually a quick task. Again, here, it should be the job of the police and/or CESG to find out who the perpetrators are and bring them to justice.</p><p>Regardless, as I said before, the best defence against this sort of real cyber war is to have bigger pipes than your attacker. If we want to ensure our national network is not vulnerable then we need to be investing in it, and in our international connectivity, so that we can stay ahead of developing nations. Last year we were <a
href="http://www.broadbandchoice.co.uk/news/uk-broadband-speeds-falling-behind-claims-akamai-exec-800133799/">falling behind Eastern Europe</a>, but we may have recovered a little now.</p><h3>Conclusion</h3><p>In short, cyber crime and cyber warfare are nothing new &#8211; it is just that they have recently entered the public and political consciousness. Government should simply support us, the ISPs, in our existing activities.</p><p>As for education, they should a) stop putting off teenagers by teaching them that &#8220;ICT&#8221; means &#8220;Microsoft Office&#8221; and b) at a university level actually teach students the skills that the industry needs, not dead operating systems and languages.</p> ]]></content:encoded> <wfw:commentRss>http://www.katescomment.com/silent-cyber-war/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>What Is Cloud Computing?</title><link>http://www.katescomment.com/what-is-cloud-computing/</link> <comments>http://www.katescomment.com/what-is-cloud-computing/#comments</comments> <pubDate>Tue, 04 Oct 2011 13:18:19 +0000</pubDate> <dc:creator>katecw</dc:creator> <category><![CDATA[Technovation]]></category> <category><![CDATA[Business]]></category> <category><![CDATA[cloud]]></category> <category><![CDATA[hosting]]></category> <category><![CDATA[outsourcing]]></category> <category><![CDATA[virtualisation]]></category> <guid
isPermaLink="false">http://www.katescomment.com/?p=911</guid> <description><![CDATA[Here I provide a less technical description of cloud computing, which can be regarded as essentially the provision of computing resources and/or software as a utility, in the same way that your business uses familiar utilities, such as electricity, water, gas etc. Cloud computing enables you to pay for computing resources as you need them. These services are provided over the internet, on a consumption-based pay-as-you-use model, with short-term contracts and without up-front expenditure.]]></description> <content:encoded><![CDATA[<p><a
href="http://cdn.katescomment.com/wordpress/wp-content/uploads/2010/02/CloudCube1.png" target="_blank"><img
style="float: right; margin-left: 10px;" src="http://cdn.katescomment.com/wordpress/wp-content/uploads/2010/02/CloudCube_3001.png" alt="NIST's Cloud definition, on a cube" /></a> The picture to the right gives you an idea of the complexity of the concept of cloud, but here I am going to try and highlight a selection of the key features &#8211; a description for laypeople. See my article &#8220;<a
href="/definition-of-cloud-computing-nist-g-cloud/" title="Definition of cloud computing">definition of cloud computing incorporating NIST and G-Cloud views&#8221;</a>, and my post defining the <a
href="/iaas-paas-saas-definition/" title="IaaS vs PaaS vs SaaS definition">differences between IaaS, PaaS and SaaS</a>.</p><p>Cloud computing can be regarded as essentially the provision of computing resources and/or software as a utility, in the same way that your business uses familiar utilities, such as electricity, water, gas etc. Cloud computing enables you to pay for computing resources as you need them. These services are provided over the internet, on a consumption-based pay-as-you-use model, with short-term contracts and without up-front expenditure.</p><p>Whether you realise it or not, you&#8217;re probably already using cloud-based services. Facebook and Google are two prominent companies offering cloud-based software as a free online service to billions of users across the world. Google, for example, hosts a set of online productivity tools and applications in the cloud such as email, word processing, calendars, photo sharing, and website creation tools.</p><p>Broadly speaking, to be considered &#8220;cloud computing&#8221; an application&#8217;s data and core processing functions would be hosted/stored and managed online or ‘in the cloud’, and accessible from any PC, laptop or mobile device with a network connection in real-time.</p><blockquote><p>In this context, &#8220;in the cloud&#8221; actually means that the application, along with the data it uses, is installed on one or many powerful computers called servers, which are similar to home computers but in a different form factor and without screens, that reside within specially adapted buildings called data centres. Data centres are like warehouses filled with banks of servers in cabinets called racks. Data centres have powerful air conditioning systems to keep the servers cool and highly resilient power and internet connections. A picture of one of ours before being filled up is <a
href="http://www.memset.com/about-us/datacentre.php" title="data centre">here</a>.</p></blockquote><p><strong>Three Flavours of Cloud &#8211; the &#8220;service models&#8221;</strong></p><p>One of the biggest confusions over cloud comes from the fact that it actually applies to a number of different layers in the &#8220;stack&#8221;. Don&#8217;t worry about what I mean by the stack, but if you&#8217;re curious see <a
href="/iaas-paas-saas-definition/" title="IaaS vs PaaS vs SaaS definition">this post</a>. There are three flavours of cloud, which broadly go down in cost but up in the required level of technical know-how in the order I have listed below:</p><p><strong>Software-as-a-Service (SaaS)</strong></p><p>These are usually applications or services that you access via a Web browser. Google Mail and Google Docs are examples of this kind of cloud computing. Some companies host an application on the internet that many users sign-up for and use without any concern about where, how, by whom the compute cycles and storage bits are provided.</p><p>Some SaaS is delivered via customised client applications, for example if you use Twitter or Facebook from an app on your phone. Our own <a
href="http://www.squirrelsave.co.uk" title="SquirrelSave cloud backup">SquirrelSave personal cloud backup</a> product is also an example of SaaS in that sense &#8211; you, the user, don&#8217;t have to worry about where the data is getting stored nor the internal workings of the platform we have developed.</p><p>A better term than “software” might be “application”, since the platform part is also really just software, but SaaS has already gained wide acceptance. SaaS is usually the most expensive form of cloud since you are paying for the software as well as the underlying infrastructure and it requires no technical know-how. Examples of paid SaaS include Salesforce.com, though presently the most widely known examples are &#8220;free&#8221;. Of course, nothing is truly free, and by giving away their services companies like Facebook and Google are getting something &#8211; your information and time.</p><p><strong>Platform-as-a-Service (PaaS)</strong></p><p>This is a set of lower-level services such as an operating system or computer language interpreter or web server offered by a cloud provider to software developers. Developers write their application to a more or less open specification and then upload their code into the cloud where the app is hosted and automagically scaled without the developer having to worry about it overly. Microsoft Windows Azure and Google App Engine are examples of PaaS.</p><p>In old-school hosting parlance, a managed hosting service might also be considered PaaS &#8211; the developer gives the hosting provider some code, and the provider worries about how many servers, how much bandwidth (internet connectivity), etc. and just gives the developer one bill. 
Because of the auto-scaling and ease-of-use afforded by PaaS, and the abstraction/obfuscation it gives the vendor, it usually costs a premium over renting the underlying infrastructure directly (IaaS).</p><blockquote><p>For the more astute readers: You might hear people say that Facebook is also a &#8220;platform&#8221;. This can easily get confusing; yes they provide a platform for developers to make add-ons, like the popular game FarmVille, but in reality they are just being a gateway (FarmVille runs on servers outside Facebook&#8217;s data centres) and are not providing any computer resources, so they are not providing PaaS. A similar example is Apple&#8217;s iOS platform &#8211; they provide tools to developers and a gateway to sell their apps (the app store) but those applications that have a cloud component will likely be using IaaS or PaaS from elsewhere.</p></blockquote><p><strong>Infrastructure-as-a-Service (IaaS)</strong></p><p>IaaS is the provision of virtual servers and storage that organisations use on a pay-as-you-go basis. This is the most powerful type of cloud in that virtually any application and any configuration that is fit for the internet can be mapped to this type of service, but is also the most technically challenging to exploit. Amazon&#8217;s Elastic Compute Cloud (EC2) and Simple Storage Service (S3) are examples of IaaS, as are our own <a
href="http://www.memset.com/cloud/compute/" title="Cloud compute virtual servers">Miniserver VM® cloud compute</a> and <a
href="http://www.memset.com/cloud/storage/" title="Cloud storage">Memstore™ cloud storage</a> services.</p><p>In practice, cloud suppliers often provide additional services alongside IaaS offerings, so the boundary between IaaS and PaaS can become blurred. However in its purest form compute IaaS can be considered as a bunch of unmanaged virtual machines (VMs) for which you provide the operating system image, that can be scaled up and down (by spinning up and tearing down VMs) according to your application&#8217;s needs in near-real time (ie. within minutes). IaaS data storage is simpler, working like a giant disk drive where you only get billed for what you are using, usually on an hour-by-hour basis.</p><blockquote><p>A virtual server or virtual machine (VM), is just like a normal server but is smaller in terms of CPU, RAM and disk than a whole physical server, and several sit on each physical host server. We typically put about 15 VMs on each host server, for example. VMs have the advantage that they can be created and destroyed effectively in real-time in dynamic response to demand.</p></blockquote><p><strong>Private vs. Public &#8211; &#8220;deployment models&#8221;</strong></p><p>As well as IaaS, PaaS and SaaS (the &#8220;service models&#8221;), cloud has a number of &#8220;deployment models&#8221;. The ones I&#8217;m going to focus on here are &#8220;private&#8221; and &#8220;public&#8221; cloud. There are also &#8220;community&#8221; and &#8220;hybrid&#8221; clouds, but I&#8217;m going to save that for a later article. Also, here I am just going to briefly cover what public and private cloud means in the IaaS context.</p><p>Public cloud means that your virtual machines are sat on the same physical host servers as other clients. A private cloud is where the host servers, and in some cases the physical network or even an entire data centre facility, are dedicated to one client. 
When most people say &#8220;private cloud&#8221; what they usually mean is &#8220;a company&#8217;s own data centre with some virtualisation software&#8221;. This is arguably not cloud since you lose the scalability aspect. When we, as a cloud provider, say &#8220;<a
href="http://www.memset.com/cloud/private/" title="Private cloud">private cloud</a>&#8220;, we mean infrastructure dedicated to one client that we scale (by adding dedicated host servers into their set from our standby pool) as necessary. Some people would call that a &#8220;virtual private cloud&#8221;.</p><p><strong>Moving To The Cloud?</strong></p><p>One of the great things about cloud is that it can be experimented with very cheaply. If you are looking to make use of cloud services then I suggest just dive in! Start small, with one service, and then move more services once you are ready.</p><p>Analysts have indicated that future technology leaders will gravitate to cloud-based models as a way to deploy software and to store content, and we are certainly seeing that trend. A lot of customers start using our cloud as their development &#8220;sandbox&#8221;, costing a few £10s of pounds per month, and as they gain confidence gradually migrate more critical applications across.</p> ]]></content:encoded> <wfw:commentRss>http://www.katescomment.com/what-is-cloud-computing/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>G-Cloud</title><link>http://www.katescomment.com/g-cloud/</link> <comments>http://www.katescomment.com/g-cloud/#comments</comments> <pubDate>Thu, 29 Sep 2011 13:20:59 +0000</pubDate> <dc:creator>katecw</dc:creator> <category><![CDATA[Technovation]]></category> <category><![CDATA[cloud]]></category> <category><![CDATA[government]]></category> <guid
isPermaLink="false">http://www.katescomment.com/?p=881</guid> <description><![CDATA[A couple of months ago HP started rumors that the G-Cloud had been canned, but that is most certainly not the case. I have spoken to a number of government officials and can confirm that it is going ahead. But what will it actually be, and is that what it should be? I was technical [...]]]></description> <content:encoded><![CDATA[<p>A couple of months ago HP started rumors that the G-Cloud had been canned, but that is most certainly not the case. I have spoken to a number of government officials and can confirm that it is going ahead. But what will it actually be, and is that what it should be?</p><p>I was technical co-lead on phase two of the G-Cloud project. Miles Gray of the NHS (the other lead), the technical team and I proposed a fairly detailed architecture for the G-Cloud (<a
href="http://www.cabinetoffice.gov.uk/sites/default/files/resources/08-G-CLOUD-TechnicalArchitectureWorkstrand-Report.pdf">here</a>). There were some core principles that we felt were vital: it would not be a &#8220;thing&#8221;, but instead a collection of cloud infrastructures, services and applications, probably mostly provided by private sector but with some public sector in there too, all bound together by open standards cloud APIs with an app store and services interchange at the heart. The Public Sector Network (PSN), the Government Secure Intranet’s (GSi) proposed successor, would be the unifying platform.</p><p>I am increasingly convinced that G-Cloud will happen. Martin Bellamy, a Ministry of Justice official and previous G-Cloud project leader, thinks so, and Chris Chant, now head of the programme, certainly thinks so too! The public sector is already moving to cloud; there are a number of local government initiatives with pooling infrastructure resources and running shared services. A good example is Hampshire, who run infrastructure and services for a number of smaller local authorities, linked together via the Hampshire PSN.</p><p>There are two main features that make G-Cloud different to other government ICT projects, and which are why it will work:</p><p>1) There is no &#8220;big bang&#8221; spend. We, the supplier community, are making the up-front investments and then simply offering those services to government on a pay-as-you-go basis, with no requirement for long-term contracts. Therefore, there is little risk to government.</p><p>2) The G-Cloud services will be vastly cheaper than what government is used to paying, but will come with a seal of approval from CESG&#8217;s new Pan Government Accreditor body so that government customers can have some surety that the services meet requirements.</p><p>On the security front, working with the security work stream we proposed multiple G-Clouds, one per Business Impact Level. 
Applications, data, suppliers and users at similar security levels would be grouped together.</p><p>The core commercial tenet would be government not paying anyone up front to build any infrastructure or software, but instead consuming everything on a pay as you go basis, with the app store doing the billing. Suppliers’ service quality record would be shared (a bit like eBay ratings), to enable cost-quality buying decisions, and supplier switching would be straightforward thanks to the disintegrated stack approach and standardized infrastructure and platform as a service (IaaS/PaaS).</p><p>The only parts that we envisaged vital for the government to own and control (to maintain its impartiality) were the app store / services interchange and the proposed “Pan Government Accreditor” – a centralized CESG body that would pre-certify G-Cloud components (IaaS/PaaS/SaaS, stand-alone applications, etc.). Cloud economics expert, Simon Wardley, of CSC’s Leading Edge forum, agrees that it is imperative that any app store remains centralized and government controlled.</p><p>I was therefore worried to learn at a briefing on PSN at last week’s Efficient ICT, Greener Government conference that Cable &amp; Wireless are attempting to “do an Apple” and turn PSN into a platform where they offer 3<sup>rd</sup> party services, hosted on their infrastructure, to government, taking a slice of every transaction. Such plans should be resisted.</p><p>My other big worry about the G-Cloud was that they would only talk to the usual suspects – the large systems integrators that appear to have government ICT sewn up and have done a highly debatable job of delivering value – who I do not believe are capable of delivering the cost benefits of cloud. SMEs are going to be a vital part of the G-Cloud ecosystem, and as part of the technical architecture we envisaged ways to facilitate their entry. 
For example, by splitting up the stack an innovative software development SME, once they and their application were pre-certified, would not need to invest in List-X data centres to offer a secure solution; they could partner with a pre-certified IaaS or PaaS supplier and get their solution into the app store.</p><p>So, what of SMEs? Well, as an <a
href="http://www.memset.com/press/british-sme-joins-g-cloud/"> SME who has recently been signed up to the IaaS/PaaS</a> foundation delivery partner activities for the G-Cloud project, I am pleased to report that they are staying true to their word of assigning 25% of the contracts to SMEs. The next step is for our <a
href="http://www.memset.com/dedicated-servers/virtual.php" title="Miniserver VPS virtual dedicated servers">Miniserver VM® virtual server</a> and <a
href="http://www.memset.com/cloud/storage/" title="Memstore cloud storage">Memstore™ cloud storage</a> services to go through accreditation with CESG’s new pan government accreditor. Some of the commercial aspects also need to be finalised, but the aspiration is to be able to provide IaaS to government via the G-Cloud framework as early as January 2012.</p><p>So far, so good, but there are hurdles to enable pre-certification, and thus easy buying of cheap, secure services: i) EU procurement rules remain a problem, though a framework agreement is coming out imminently which will hopefully enable pre-certification; ii) Security responsibility needs to be centralized, but getting SIROs to trust the pan government accreditor would be a major culture shift; iii) The usual suspects have huge vested interests and appear to have convinced government that a 30-40% saving is acceptable. It is not. The government should actually be aiming for a 70-80% saving on their ICT spend from the G-Cloud. If done properly, G-Cloud has the potential to be hugely disruptive and could be saving the government £12bn per year by 2020.</p> ]]></content:encoded> <wfw:commentRss>http://www.katescomment.com/g-cloud/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>Making Strategic Use of Twitter &amp; Blogs</title><link>http://www.katescomment.com/strategic-twitter/</link> <comments>http://www.katescomment.com/strategic-twitter/#comments</comments> <pubDate>Sun, 11 Sep 2011 16:47:38 +0000</pubDate> <dc:creator>katecw</dc:creator> <category><![CDATA[Business]]></category> <category><![CDATA[social media]]></category> <guid
isPermaLink="false">http://www.katescomment.com/?p=428</guid> <description><![CDATA[Blogging, microblogging and social networking services are rapidly growing in use by businesses. Can they be beneficial to businesses or are they a pointless waste of time? I take a detailed, frank (I may rename this post "How to lose friends and alienate people on Twitter by being too open about the calculating approach I take" ;) and balanced look at one of the biggest, Twitter, with some tips on how you can make strategic use of it.]]></description> <content:encoded><![CDATA[<p><img
class="alignright size-full wp-image-681" title="social" src="http://cdn.katescomment.com/wordpress/wp-content/uploads/2011/05/social.jpg" alt="" width="300" height="300" /></p><p><em>Blogging, microblogging and social networking services are rapidly growing in use by business. Can they be beneficial to businesses or are they a pointless waste of time? I take a detailed, frank (I may rename this post &#8220;How to lose friends and alienate people on Twitter by being too open about my calculating approach&#8221; <img
src='http://cdn.katescomment.com/wordpress/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> ) and balanced look at one of the biggest, Twitter, with some tips on how you can make strategic use of it and blogging.</em></p><p>According to a recent O2 survey, an estimated 700,000 small businesses are using Twitter with 6,000 joining every day. The numbers certainly suggest that it is more than a craze, but there are plenty of examples of companies just jumping on the latest band-wagon, so is there real value in such tools?</p><h3>Being human</h3><p>I’ve found that having a ‘face’ on your business is really important. As the old sales adage goes, &#8220;people buy from people&#8221;. It might sound a little odd coming from a technologist who is a firm believer in the future of the cloud IaaS market as an automated, interoperable commodity market place much like the electrical power grid is today, but we are not there yet and even then there will always be people and values behind the companies.</p><p>Therefore, about four years ago I decided to borrow a leaf from the US IT entrepreneurs and put myself firmly and visibly out there as the face of my company, Memset. That started out with putting a bit of information about me and the management team on our Web site, with pictures, and me starting this blog.</p><p>Another part of that strategy was also to ramp up our press relationship effort. I think of my professional blog and PR in a similar vein, and with a similar purpose. Making myself available to journalists was particularly key, since often the easiest way to get some coverage is to get a sound-bite in someone else&#8217;s article, and the blog posts often helped with that too. 
It was a place I could voice an opinion and, slowly at first, I started to get picked up on that.</p><p>So, now our new customers were not just buying from a faceless corporation, but from an organisation run by a real, accessible (I also put a direct email address on our Web site) human being, with views and opinions that were starting to gain traction in the technical press as well. While it is not quantifiable, I am confident that contributed significantly to our early success and helped us, as a small company at the time, punch above our weight.</p><h3>Shorter, faster, more interactive</h3><p>Today I use Twitter a great deal as well, and in many ways it is achieving the same things as my blog but in a more real-time, bite-sized manner: micro-blogging. I see two purposes to my work Twitter account, <a
href="http://twitter.com/Memset_Kate">@Memset_Kate</a>:</p><ol><li>A promotional tool</li><li>A place to ask questions (and get answers)</li></ol><p>Here I am mainly looking at the first element, using it to raise your or your company&#8217;s profile, but the second element is also very important to me. Twitter is a fast, convenient way to plug into the collective wisdom of people with similar interests, in my case mainly around technology. For example, if I were looking for a new software package for a task, Twitter would be my first port of call. In fact, I value that distilled wisdom so highly that I recently launched <a
title="Download and save your tweets" href="http://www.tweetdownload.net">Tweet Download™</a> since I wanted an easier way to preserve my tweets and others&#8217; replies.</p><p>Many people also advocate Twitter as a way to plug into news, but personally I find subscribing to a sensible magazine (The Economist and New Scientist being my personal choices) or Web site much more effective and less time consuming.</p><p>Twitter is quite different to a traditional blog in a number of ways beyond the obvious brevity and frequency. With a traditional blog it is helpful to engage with commenters, and to get something of a dialogue going, but that is by no means the core of what it is about. Twitter is all about the dialogue though, and if you just post titbits of information but never engage with your followers you&#8217;ll fail to reap the benefits.</p><p>As with more static Web content&#8217;s ability to humanise an organisation if used correctly, Twitter enables us to again plug into something that people enjoy and which makes them feel more comfortable about other people (and thus organisations): conversation. Also akin to our natural interactions, Twitter is a collective of inter-connected communities, but with the added feature of popularity being quantifiable (i.e. follower count), and that is important if you want to use it to leverage your brand.</p><p>As with any social circle, in order to be liked and make friends you need to do certain things: say interesting stuff, help others out, and engage in the conversation. Most Twitter users want to be popular, and you can therefore gain favour by mentioning them, replying to them or retweeting them in your stream. In return they are more likely to engage with you and return those favours, helping you raise your own profile. In doing so you become more popular, and what happens to the popular kids? 
More people want to be their friend.</p><h3>Keeping it real</h3><p>Before continuing with the mechanics of online social interactions it is worth mentioning topics. With my blog I found it best to be mainly focussed on a narrow range of topics (green technology, hosting, business, cloud etc), but I still try to write openly and frankly, and I do write the articles myself. I firmly believe that it is important to be yourself &#8211; a real person &#8211; when using such tools. Too often you see blog posts that are clearly generated by a PR department, or done generically from a company, and I think they are missing that important objective of presenting a personable face.</p><p>With my tweets I take it a step further and do sometimes touch on personal stuff. Now I&#8217;m not advocating a blow-by-blow account of what you have for lunch, but as part of presenting oneself as a real person (not a corporate suit) I believe it is helpful to let one&#8217;s followers in a little bit. Have a look at my twitter feed for examples of what I mean.</p><h3>Being a bit of a bitch</h3><p>Unfortunately, however, we can&#8217;t be friends with the whole world. I have a couple of thousand followers and little time to spend chatting to them. The key to making successful use of Twitter is to be selective, though ideally without showing yourself to be thus. I have a number of steps in the process, and they revolve around an approximate ranking system for how valuable I think someone is, a lot (but not all) of which comes down to how well-connected they are:</p><ol><li>Followers:followee ratio &#8211; if someone is followed by more people than they follow it is a good sign of a high degree of quality and/or influence.</li><li>Are they a journalist?</li><li>Are they someone senior in my field of interest?</li><li>Do they interact bi-directionally with a journalist or someone senior?</li><li>Do they talk about relevant topics (vs. 
&#8220;I like cheese!&#8221; / political rants / etc.)?</li><li>Do they know their stuff (vs. <a
href="http://dilbert.com/strips/comic/2011-01-07">&#8220;Blah blah cloud, blah blah cloud, blah blah platform&#8221;</a>)?</li><li>Have they helped me out already, eg. by re-tweeting me?</li><li>Do I feel I could have a rapport with them?</li></ol><p>I cannot remember exactly who I should be making the effort with at any one point though, so I have some techniques and tools. First, I only follow back about 50% of people who follow me, and I&#8217;ve delegated that task to my PA since I get an awful lot of new follower requests. That gives people a warm-fuzzy feeling of mutual interest, but I must admit that is a bit of a deception.</p><p>In reality I rarely look at my &#8220;all friends&#8221; column; instead I have a private group, &#8220;faves&#8221;, as a column in <a
href="http://www.tweetdeck.com/">Tweetdeck</a> (a great application for those serious about Twitter &#8211; the Web site alone is insufficient) to which I add people with whom I think it is worthwhile interacting. I then focus my attentions on tweets appearing in that column, as well as my mentions column of course. If someone is talking to you then it is important to reply, and usually not time-consuming unless you allow yourself to be drawn into pointless debate (<a
href="http://xkcd.com/386/">&#8220;Someone is wrong on the Internet!&#8221;</a>).</p><p>In terms of choosing who I follow, other than people who follow me first, I use the same targeting rules as above. If there is someone who often gets re-tweeted or mentioned by other people that I deem of high value, then I&#8217;ll tend to follow them and make the effort to get into their online social circle.</p><p>This may sound all rather conniving, but is it any different to how we act when in business networking situations? We seek out those who are on our social level who can help us be noticed by the people with more influence in hopes of elevating our social position. Also, one has to be a bit hard-headed about this sort of activity, otherwise you risk allowing a highly addictive and fundamentally unproductive diversion to end up costing you a lot of valuable time.</p><h3>Staying in touch</h3><p>Unlike blogging, Twitter and the like do have another very important ability: to help the dialogue with your customers. If a customer has a problem with our services they are much more likely to moan about it on Twitter or a forum than they are to send in a complaints email, and that is fantastic since it gives us an opportunity to publicly stand up for ourselves or, where necessary, apologise. Equally, when someone praises your business you can leverage that, and often people ask others&#8217; opinions on brands via tools like Twitter, and without a presence you will be unable to react to such queries.</p><p>We encourage our systems administrators to assist on some forums partly for that reason. Forums are just another online social network, but with a very specific topic, and they are a great way to gain exposure and demonstrate your expertise if you are willing to put the effort into the interactions.</p><h3>The future</h3><p>So, do I believe in the future of social networking as a business tool? In short, yes, but I am unsure as to what extent. 
I think that it can be very helpful right now, but I think the social networking landscape may be changing. I also use Twitter heavily in a personal capacity, to organise nights out with friends and keep up with them, but that is a very private account. My friends, most of whom are in their twenties, and I are increasingly locking down our Twitter and Facebook accounts, dropping &#8220;unknowns&#8221;, making them private/&#8220;friends only&#8221;; keeping ourselves to ourselves.</p><p>Therefore, I do wonder whether the novelty will wear off in time; whether we will return to principally interacting privately with people we know in the flesh, using online social networking as an augmentation to those <a
href="http://www.terrybisson.com/page6/page6.html">meat-space interactions</a> and largely ignoring strangers. There is a danger that the current Twitter-boom is partly driven by people like the work-me, or those of you reading this article, trying to get a leg up for themselves or their business.</p> ]]></content:encoded> <wfw:commentRss>http://www.katescomment.com/strategic-twitter/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>Why Apple Should Make iCloud Open</title><link>http://www.katescomment.com/open-apple-icloud/</link> <comments>http://www.katescomment.com/open-apple-icloud/#comments</comments> <pubDate>Mon, 22 Aug 2011 19:51:33 +0000</pubDate> <dc:creator>katecw</dc:creator> <category><![CDATA[Technovation]]></category> <category><![CDATA[cloud]]></category> <guid
isPermaLink="false">http://www.katescomment.com/?p=704</guid> <description><![CDATA[The recent launch of Apple's iCloud service has done much to bring mainstream attention and acceptance to the concept of cloud storage and syncing.  But unless they adopt an open cloud standard they are facing an uphill struggle to attract business users.  Here's why.]]></description> <content:encoded><![CDATA[<p>The recent launch of Apple&#8217;s iCloud service has done much to bring mainstream attention and acceptance to the concept of cloud storage and syncing.  But unless they adopt an open cloud standard they are facing an uphill struggle to attract business users.  Here&#8217;s why.</p><p>iCloud is a hosted storage service that will seamlessly copy and sync documents, e-mail, calendar, and contact data from a Mac or Windows PC, back and forth to iOS devices like the iPhone and iPad.</p><p>Great for those of us who are now much more mobile and face the challenge of making sure the same e-mail, contacts, calendar events, and documents are available whether you are sitting at your desk, using a tablet from home, or working on your smartphone while riding in a taxi.</p><p>Businesses, particularly small companies reliant on iOS and Mac OS X hardware, will find iCloud an appealing way to simplify file management and distribution.</p><p>However most businesses are unlikely to use iCloud until Apple adopt an open cloud standard.  The fact that iCloud won’t deliver on other platforms like Android smartphones and tablets is going to be a major hurdle for Apple to overcome.</p><p>In Apple’s defence they have done a good job with the development tools, always a key area for driving adoption of a platform technology. 
In a recent Appcelerator and IDC survey 51% of mobile developers said they planned to use Amazon’s cloud services in the next year, and 50% said they planned to use iCloud.</p><p>Apple also seems to be the only manufacturer that is edging away from PCs/desktop machines and encouraging greater uptake in the &#8220;cloud&#8221;. For example, MacBook Airs never came with DVD drives, and the new Mac mini range no longer has an integrated DVD drive either.  Similarly new Sandy Bridge Airs and minis can have OS X reinstalled directly over the internet rather than booting from USB or an external hard/DVD drive. Apple&#8217;s mobile devices are now getting over the air updates and are no longer going to be tied to iTunes on the desktop.</p><p>Our new cloud storage solution, Memstore (in beta, live next week), uses open source software, OpenStack, combined with in-house technologies, to deliver a flexible, scalable and safe way for customers to store their data in the cloud on a pay-as-you-use basis.  The service will also be the cheapest on the market, in line with our &#8220;costs plus&#8221; pricing model, showing that you don&#8217;t need mega-scale to achieve low price points. According to Forbes, iCloud will be more expensive than Amazon and Google’s comparable services, which are already arguably inflated.</p><p><a
href="http://www.openstack.org/">OpenStack&#8217;s</a> code base comes principally from Rackspace, and you might wonder why a successful company like them would give away their software? The answer is simple: Amazon. From a standing start 5 years ago Amazon Web Services has grown to an eye-watering $1.4bn in revenue. Rackspace, their leading competitor in the cloud space, is thought to have about one tenth that figure in revenue from cloud. So, Rackspace and the other out-paced cloud providers have clubbed together to create an open, interoperable cloud system. Their hope is of creating an open market for cloud resources, which would be more attractive to business users and promote innovation, and thus get a bigger bite of Amazon’s lunch.</p><p>Now, last year Apple’s market valuation exceeded Microsoft’s, and as of this week they exceeded Exxon to become the world’s largest company valued at just over a third of a trillion dollars. So, if anyone was going to try and take on both Amazon’s somewhat open, and certainly cross-platform, cloud as well as the likely future in the form of OpenStack it would be them.</p><p>But can they really? Due to being a fairly closed system, iCloud’s success is contingent upon their iOS user base since that is the main demand area at present – personal content distribution and mobile applications. However, Google’s Android mobile operating system has over 40% of the global smartphone market in terms of devices sold/shipped and Apple only has about 15%.</p><p>Essentially Apple sees iCloud as a consumer rather than a business service &#8211; and Apple have never really been interested in enterprises or business, despite the work they have done to support policies and enterprise standards like Microsoft Exchange ActiveSync on the iPhone.</p><p>In addition to the closed, proprietary, non-interoperable system being likely to put off serious business users there are two other issues. 
It does not look like iCloud will come with a substantial service level agreement, which guarantees iCloud uptime or quality of service, and they don’t seem to have paid a huge amount of attention to security. CIOs aren’t going to entrust important data to a service that may or may not be available when needed.</p><p>Still, even if it is a consumer service, Apple is a quality brand so one would have thought that security would be a priority, and these days consumers are increasingly aware of the need for keeping personal data safe, especially online.</p><p>I firmly believe that adoption of open cloud standards is one of the keys to unlock the full and global potential of cloud computing and to breaking down the duopoly of Amazon’s IaaS and Google’s consumer SaaS. Jobs &amp; co may be making astonishing profits, and will likely continue to do so for some time, but unless they either out-landgrab Android in the smartphone and tablet market or open their doors to cross-platform services their success may be short-lived. But maybe that is not a concern. Maybe, with Jobs’ rumoured ill health, he has decided that there are few more golden apples to lay and that he should cash in while the going is good.</p> ]]></content:encoded> <wfw:commentRss>http://www.katescomment.com/open-apple-icloud/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> <item><title>Securing Your Data In The Cloud: An insider’s perspective</title><link>http://www.katescomment.com/securing-data-in-the-cloud/</link> <comments>http://www.katescomment.com/securing-data-in-the-cloud/#comments</comments> <pubDate>Wed, 06 Jul 2011 15:48:48 +0000</pubDate> <dc:creator>katecw</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Business]]></category> <category><![CDATA[cloud]]></category> <guid
isPermaLink="false">http://www.katescomment.com/?p=617</guid> <description><![CDATA[As the increasing use of cloud computing and other technologies is changing the world of data management, keeping your data private and secure is an ongoing concern for everyone. Here's what you should be doing to keep your data safe.]]></description> <content:encoded><![CDATA[<p><img
class="alignright size-full wp-image-638" title="cloud-security" src="http://cdn.katescomment.com/wordpress/wp-content/uploads/2011/07/cloud-security.jpg" alt="" width="300" height="300" /></p><h3>INTRODUCTION</h3><p>As the increasing use of cloud computing and other technologies is changing the world of data management, keeping your data private and secure is an ongoing concern for everyone. As a cloud computing Infrastructure as a Service (IaaS) provider, I&#8217;m sharing an insider’s perspective on what you should be doing to keep your data safe.</p><h3>IS THERE A SECURITY THREAT?</h3><p>As you move data to the cloud there are many different challenges. Applications have to be designed differently. Security gets pushed further and further away from perimeter-based approaches. Security threats change when data moves to the cloud, with threats from the network or from the provider’s personnel being more pertinent than concerns over physical attack.</p><p>However, it need not be a big concern; you just need to apply the same common sense you would to sourcing any other service. Ask questions about your prospective cloud supplier: are they financially sound? Do they have good security procedures in place? Is the infrastructure your data will be on shared with lots of other users, or will it be segregated by virtualisation or even physically separate dedicated environments?</p><h3>WHO TO TRUST?</h3><p>Up until the existence of cloud computing the norm was to trust the IT department internally. Now that the IT department is outsourced people are asking the right questions about IT security. The focus must be on the security processes and procedures rather than the physical perimeter around the data storage devices. In many ways using the cloud can be much safer than hosting data on your own systems in your own building since a putative attacker no longer knows where to look. 
Even if, somehow, an individual were able to breach the heavy physical security of our data centres, they would be faced with thousands of identical-looking machines and no way of identifying their target.</p><p>The most likely source of data theft is always from within an organisation (the people), therefore for data management when it is not on your own systems, it comes down to trust. Just as if it were hosted on a computer in your office you would need to trust everyone who has access to that machine, so if outsourcing to the cloud you need to trust the organisation that has access to the underlying infrastructure. Look for companies that have appropriate certifications like ISO27001 (as a minimum), and ask them about how they regulate and monitor their systems administrators&#8217; access to servers holding client data.</p><h3>THREATS FROM THE NETWORK</h3><p>The other increasingly common source of attacks on cloud-based services is via the network itself. This can be greatly mitigated with good firewall systems, and if your services only need to be accessed from a small number of office locations then the firewall should restrict access to only those IP addresses. That can prevent the helpful feature of universal access, however, so it may not be practical, but even then firewalling is important. Talk to the provider and they should be able to advise you.</p><p>For public-facing services there is also the danger of Distributed Denial of Service attack (DDoS), where servers are flooded with millions of bogus requests from hacked computers (a “bot-net”). Most providers should have a system for automatically detecting and blocking the source of such attacks, so ask them, but in cases where the attack is massively distributed the only defence is to have more bandwidth than the attackers, which means you need to be using an operator with large scale.</p><h3>CONFIDENTIALITY</h3><p>Confidentiality is a major question to ask your cloud hosting provider. 
Having the right tools in place to ensure that confidentiality is also being maintained is critical. So, some questions would be:</p><ul><li>What mechanism do you have to protect and securely deliver logs?</li><li>What are you actually able to log?</li><li>What activity are you recording within your cloud?</li><li>Can the integrity of those logs be assured?</li></ul><h3>BACKUPS &amp; DATA RESILIENCE</h3><p>When entrusting a cloud provider to look after your data it is essential to ensure that there is adequate resilience in their storage systems. At a minimum they should be using RAID (Redundant Array of Independent Disks) systems, but most cloud storage providers will store multiple copies of your data across many independent machines. Memset’s cloud storage solution (currently in beta testing) stores all data in triplicate, for example.</p><p>Most providers will offer additional backup services, and these should certainly be considered when operating cloud based applications so that in the event of a serious hardware failure you can roll back to an earlier state. Also ask the provider what their normal restore times are.</p><p>Finally, as we have seen with the recent failure of Amazon’s Simple Storage Service, which included irrecoverable loss of some customer data, sometimes it is not enough to trust one provider. 
To help overcome this problem we will soon be rolling out a service to back up clients&#8217; cloud storage accounts with other providers onto our storage cloud.</p><h3>WHERE IS YOUR DATA BEING STORED?</h3><p>Although pushing data into the cloud is proving increasingly attractive for many organisations, there&#8217;s a growing realisation that geographic considerations remain important.</p><p>While the overriding concept of cloud involves the decoupling of data and applications from the underlying hardware on which they reside, knowing where that hardware is located can be vitally important.</p><p>For reasons of security, legal jurisdiction and privacy, many organisations are obliged to be aware of where sensitive data is stored.  For British companies, data may need to be stored within UK borders for data protection purposes. For the majority of UK public sector IT requirements the data absolutely must remain within national boundaries.</p><h3>THE PATRIOT ACT</h3><p>Any data which is housed, stored or processed by a company which is a U.S. based company or is wholly owned by a U.S. parent company is vulnerable to interception and inspection by U.S. authorities.</p><p>Microsoft has recently admitted that any EU-stored data, held in their EU data centres, is subject to the US Patriot Act as Microsoft is a US headquartered company.</p><p>If you don&#8217;t want your data subject to the PATRIOT Act, then you have to use a non-US based company, in addition to a non-US data centre, for storing your data.</p><h3>WHO CONTROLS YOUR DATA?</h3><p>One risk with Software as a Service (SaaS) is that all your eggs are effectively in one basket, and if something goes wrong with that one provider you could face serious challenges. Memset’s approach is to disintegrate the stack, enabling you to move your software from one place to another. A typical example of this is using third party open source solutions to deliver hosted software services on their infrastructure. 
That way, if the software provider fails you can still get to the data, and if the hosting company fails (assuming you have good backups) the software company can help you transfer to a new host.</p><h3>DATA SEGREGATION</h3><p>Many SaaS providers are essentially running one application for thousands (or many more) client organisations, with their data commingled on the same infrastructure and in the same databases, separated only by the software itself. This presents a potential security risk: if there is a flaw in the provider&#8217;s code, such as a query that looks a record up by its identifier without also checking which customer it belongs to, it could be exploited to gain access to other customers&#8217; data. For some services this may not be a problem, but for critical company or personal data it may be advisable to obtain additional segregation.</p><p>Memset&#8217;s stack disintegration approach also addresses this problem. By using open source solutions (eg. Zimbra for Web email or Trac for integrated project management and Wiki), each hosted on <a href="http://www.memset.com/dedicated-servers/virtual.php">virtual servers</a> or <a href="http://www.memset.com/dedicated-servers/">dedicated servers</a> for just that one client, there are additional layers of segregation between the software instances, so a bug in one client&#8217;s application instance exposes only that client&#8217;s data. While many SaaS solutions&#8217; code bases are not heavily tested, network and virtual machine segregation are mature, well-exercised boundaries.</p><h3>DATA PORTABILITY</h3><p>You also need to think about data portability: the ability to reuse your data across interoperable applications. When weighing up SaaS suppliers, see if they have a “portability policy”. Where a privacy policy discloses what a company can <em>do</em> with your data, a portability policy discloses how a user can access and transfer their own data once it’s stored with that company. For IaaS providers this is normally a given, since they are just providing the infrastructure and you have root access to extract the data as and when you wish.</p><h3>MIGRATING OUT</h3><p>Once you’re clear on who has your data, where that data is held, what they are doing with it and how they are protecting it, you also need to establish what procedures are in place to allow you to migrate your data out. Key characteristics to look for include:</p><ul><li>a clearly defined and established procedure for data migration</li><li>low or no cost for migration</li><li>data can be extracted in a meaningful, useful form for immediate re-use</li></ul><p>For SaaS providers, look for an API or tools to download your data in a meaningful context. This could be as simple as a widget to download a CSV file (as with Google Contacts), or it might be a fully-fledged XML API. Failing that, and if taking the stack disintegration approach, ensure that the database in which the information is stored is transparent and well-documented, so that you can dump your own records directly if the application&#8217;s export tools fall short. 
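</p><p>The two points above, the shared-database flaw under DATA SEGREGATION and the tenant-scoped export under MIGRATING OUT, as an added Python example that is not part of the original post and not Memset&#8217;s code. The sqlite database, the <code>documents</code> table, the tenant names and the records are all constructed for illustration:</p>

```python
"""Added example (not from the original post, not Memset's code): the
multi-tenant risk described under DATA SEGREGATION and the tenant export
described under MIGRATING OUT, run against a constructed sqlite database.

Assumptions: one shared `documents` table with a `tenant_id` column, two
made-up customers ('acme', 'globex') and three made-up records."""
import csv
import io
import sqlite3

SCHEMA = """
CREATE TABLE documents (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT    NOT NULL,
    title     TEXT    NOT NULL,
    body      TEXT    NOT NULL
);
"""

# Constructed sample data: two customers commingled in one table.
ROWS = [
    (1, "acme",   "Payroll Q1",    "acme salaries"),
    (2, "acme",   "Board minutes", "acme confidential"),
    (3, "globex", "Supplier list", "globex suppliers"),
]


def build_shared_db():
    """One database for every customer: the shared-SaaS model the post warns about."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", ROWS)
    return db


def build_segregated_dbs():
    """One database per customer: the per-client instance model the post recommends."""
    dbs = {}
    for tenant in {row[1] for row in ROWS}:
        db = sqlite3.connect(":memory:")
        db.executescript(SCHEMA)
        db.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)",
                       [row for row in ROWS if row[1] == tenant])
        dbs[tenant] = db
    return dbs


def get_document_vulnerable(db, caller_tenant, doc_id):
    """The flaw: the caller's tenant is known but never used in the query,
    so any authenticated user can read any row by guessing its id."""
    return db.execute(
        "SELECT tenant_id, title, body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


def get_document_hardened(db, caller_tenant, doc_id):
    """The fix on a shared database: every query carries the caller's tenant
    as a predicate, so a foreign id simply returns nothing."""
    return db.execute(
        "SELECT tenant_id, title, body FROM documents WHERE id = ? AND tenant_id = ?",
        (doc_id, caller_tenant),
    ).fetchone()


def get_document_segregated(dbs, caller_tenant, doc_id):
    """Segregation below the application: even the unfiltered query above
    can only ever see the caller's own database instance."""
    return get_document_vulnerable(dbs[caller_tenant], caller_tenant, doc_id)


def export_tenant_csv(db, tenant_id):
    """Portability export: dump only one tenant's rows as CSV, taking the column
    names from the database itself so the output documents its own layout."""
    cur = db.execute(
        "SELECT * FROM documents WHERE tenant_id = ? ORDER BY id", (tenant_id,)
    )
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([col[0] for col in cur.description])
    writer.writerows(cur)
    return out.getvalue()


if __name__ == "__main__":
    shared = build_shared_db()
    # globex reads acme's board minutes through the unfiltered lookup ...
    print(get_document_vulnerable(shared, "globex", 2))
    # ... gets nothing once the tenant predicate is enforced ...
    print(get_document_hardened(shared, "globex", 2))
    # ... and nothing from its own segregated instance either.
    print(get_document_segregated(build_segregated_dbs(), "globex", 2))
    print(export_tenant_csv(shared, "acme"))
```

<p>Run directly, the unfiltered lookup hands globex an acme record, the tenant-filtered and per-instance lookups return nothing, and the export contains only acme&#8217;s rows beneath a header row read from the schema, which is the &#8220;meaningful, useful form&#8221; the checklist asks for.</p><p>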
It is frequently not in a SaaS provider&#8217;s interest to make data portability easy, though, so this can be a difficult item to negotiate.</p><h3>MITIGATE RISK WITH CLEAR SLAs</h3><p>As with any service provider contract, you should negotiate clear SLAs with your cloud provider. These should include, but not be limited to, clear metrics around performance (both networking and computing), provisioning, change management, patching and vulnerability remediation.</p><p>To ensure your data is safe in the cloud at all times, make sure you know:</p><ul><li>Who has access to your data</li><li>Where your data is held</li><li>What they are doing with it</li><li>How they are protecting it</li></ul><h3>CONCLUSION</h3><p>In summary, the cloud is, and will continue to be, a critical part of many companies’ IT strategy, and so it must be considered in their security policies. This role is likely to grow as a raft of new services are developed and commercialised and users’ familiarity and comfort with this approach to service delivery develops. But it is also likely that the most effective network security strategies will be a hybrid model that takes the best that the cloud has to offer and combines it with the skills and focus of experts working on the ground.</p> ]]></content:encoded> <wfw:commentRss>http://www.katescomment.com/securing-data-in-the-cloud/feed/</wfw:commentRss> <slash:comments>3</slash:comments> </item> </channel> </rss>