“They basically are telling you compliance is all up to you regardless of the regulation,” said Joe Granneman, an information security professional with experience in the heavily regulated industries of health care and financial services. “This makes a lot of sense because there is no good way for Amazon to guarantee compliance when it only provides the infrastructure. The customer connects the infrastructure together and builds on top of it, which Amazon cannot guarantee. This document drives home the fact that compliance is still up to the customer and not the IaaS provider.”

via AWS cloud computing compliance paper details customer responsibilities, and Amazon Web Services: Risk and Compliance.

We’ve released two security enhancements to Gmail that help protect you from phishing attempts.

1. Going forward, email address will be visible next to the display name for senders that aren’t in your Contacts list.
2. We now scan messages and alert you if the sender may have spoofed a Gmail address.

Good – issue #1 there has irritated me for a long time.

via Google Apps update alerts: Protect your account with new security features in Gmail.

“ShareFile is spread across multiple availability zones on Amazon’s EC2 data center and uses all five of their major data centers in Northern Virginia, California, Ireland, Singapore and Japan. In addition, we have a whole farm of servers, spread across availability zones, that handle our customers’ uploads and downloads, and the servers are more or less interchangeable so that if one, or a handful of servers go down, our customers are not affected by any downtime.”

If an availability zone were to incur an issue, ShareFile has a monitoring system that will constantly monitor servers for a bi-directional data transfer heartbeat. Should that server become unavailable, it is dropped from the aggregated server farm automatically. I inquired specifically as to the sequence of events that happened in the US-East region and how ShareFile accommodated the outage, to which Lipson responded:

“When Amazon experienced it’s outage in one of the availability zones on the East Coast, the affected servers were automatically dropped from ShareFile’s server farm without any human intervention and the upload/download success rates were normal. The next day our team added some extra server capacity on the West Coast as a precautionary measure in case the issue got worse on the East Coast, but our customers didn’t experience any downtime. Since we are focused on businesses that share large and sensitive files externally and internally, there’s an expectation that these files reach the right people at the right time and we’ve been pretty conscious, since ShareFile’s inception, to provide continuous service for our customers.”

So basically, the same way you’d avoid downtime in your own server farm, but with cloud resources.  Well done.

via How innovative design allowed one cloud company to withstand Amazon’s recent outage | TechRepublic.

Kaviza’s VDI-in-a-Box, a plug-and-play virtual desktop system that has been gaining traction, enables just about anyone (not necessarily an IT specialist) to get a deployment up and running for a small or midsize business. Kaviza’s truly is an automated, turnkey way to do it; users install the software on a commodity server, and the software finds all the system nodes automatically.

Citrix, the world’s second-largest VDI provider (behind only Hewlett-Pacakrd[sic]), needed the IT that Kaviza brought to the table because it had not previously addressed the SMB space with a purpose-built VDI offering. Most of Citrix’s customers are large enterprises.

When Kaviza is running, the virtual desktop runs in its own browser-type window with all the application functionality needed. Little or no latency is apparent. Users can continue to use their local applications as normal. Read Frank Ohlhorst’s product review here.

Kaviza One of First to Do VDI on iPads

Four-year-old Kaviza, with its VDI-in-Box product, was one of the first to provide VDI support for iPads, iPhones and Android smartphones running on a data center hypervisor—Citrix Xen or VMware ESX 4.1.

via Citrix Acquires Virtual Desktop Provider Kaviza – Virtualization – News & Reviews – eWeek.com.

AWS Elastic Beanstalk is an even easier way for you to quickly deploy and manage applications in the AWS cloud. You simply upload your application, and Elastic Beanstalk automatically handles the deployment details of capacity provisioning, load balancing, auto-scaling, and application health monitoring. At the same time, with Elastic Beanstalk, you retain full control over the AWS resources powering your application and can access the underlying resources at any time. Elastic Beanstalk leverages AWS services such as Amazon EC2, Amazon S3, Amazon Simple Notification Service, Elastic Load Balancing, and Auto-Scaling to deliver the same highly reliable, scalable, and cost-effective infrastructure that hundreds of thousands of businesses depend on today. AWS Elastic Beanstalk is easy to begin and impossible to outgrow.

via AWS Elastic Beanstalk.

A Microsoft study bears out what environmentally-conscious companies have hoped for all along: cloud computing has the potential to reduce energy consumption and carbon emissions by 30 percent or more.

Large data centers, like those run by tech giants Microsoft and Google, benefit from economies of scale and operational efficiencies, according to the study. Small businesses, of about 100 users, moving business applications away from on-site servers into the cloud can see net energy and carbon savings of more than 90 percent, the researchers wrote. For mid-sized organizations, of about 1,000 users, the savings were between 60 to 90 percent, according to the Microsoft-commissioned study.

via Microsoft Study Finds Cloud Computing Is Good for the Environment – Cloud Computing – News & Reviews.

In a nutshell, Cisco will embed Citrix’s XenDesktop in its desktop virtualization offering, which is part of the company’s unified computing effort. The Cisco Desktop Virtualization Solution will include Citrix’s XenDesktop, FlexCast and HDX technology. The Cisco-Citrix combination will be available from channel partners Cisco blog, statement, Citrix blog. Simply put, Citrix will ride along as Cisco’s Unified Computing System architecture gains steam.

via Cisco, Citrix team to push desktop virtualization | Network Administrator | TechRepublic.com.

I start by identifying what will be required of the desktops, what sort of hardware (client and server) will be required to support the requirements, and then I dive into the murky, swirling world of licensing:

1. License costs

In addition to the “three C’s” one of the most important testing criteria is licensing costs. None of the competing vendors make it easy to do an apples-to-apples comparison, so you’ll need to do some noodling to get a price per-desktop, per-year figure. It makes a difference how many years you include in your calculations. I suggest looking at a minimum of three and a maximum of five years, depending on your current physical desktop or laptop formula. Speaking of physical systems, you should factor in the costs of the user devices on which the remote virtual desktops will be hosted.

via Critical Testing Criteria: Virtual Desktop Infrastructure – Virtualization from eWeek.

CloudAudit and the Automated Audit, Assertion, Assessment, and Assurance API (A6)

The goal of CloudAudit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.

Now, via Anton Chuvakin Blog – “Security Warrior”: CloudAudit Delivers – Cloud Compliance Maps:

CloudAudit delivers it’s first batch of cloud compliance specifications. Quoting from the announcement:

“The CompliancePacks map control objectives to specific namespace entities which are contained below and feature NIST SP800-53, PCI DSS, HIPAA, ISO27002 and COBIT compliance frameworks. Ultimately these directories are where a Cloud Provider will store and secure the assertions and supporting materials related to each compliance framework or assertion.” [<- the bold part is kinda the whole point

If you’d like to audit your cloud, give it a read.

Adoption of virtualization and cloud computing is not slowing down, and neither are the challenges facing businesses looking to migrate to the cloud. At the top of the list for many firms is maintaining security and compliance when moving from physical to virtual and cloud environments. Though an update of the PCI DSS (Payment Card Industry Data Security Standard) regulations is forthcoming and the PCI Security Standards Council has a special interest group looking at virtualization and how that maps to PCI, the council does not plan to release separate guidance on cloud computing. This means that businesses looking at the cloud may not get much detailed guidance on what to do. However, there are multiple sources for those searching for advice. With that in mind, eWEEK has compiled a list of the most important steps your business can take to make sure PCI compliance does not fall to the backburner of your plans for virtual, public and private cloud environments.

via Virtualization, Cloud PCI Compliance Tips for Your Enterprise – Virtualization from eWeek.