Welcome!

Cloud Security Authors: Derek Weeks, Liz McMillan, ManageEngine IT Matters, Mehdi Daoudi, XebiaLabs Blog

Related Topics: @CloudExpo, Microservices Expo, Microsoft Cloud, Cloud Security, @BigDataExpo, @ThingsExpo

@CloudExpo: Article

What Cloud Startups Need to Know About Hunting Elephants

Large companies have several sets of requirements for solution providers that differ from smaller companies

"Cloud computing" is more than just a buzzword - it has transformed the tech industry. Having been in the business of building enterprise infrastructure for over 15 years, I've had the opportunity to witness how cloud has altered the landscape, including most recently at my company, Nexgate. It has not only ushered in a radical wave of innovation, but has also created new business models. The easily accessible and inexpensive nature of its on-demand structure has both paved the way for the rapid launch of new technologies and enabled the growth of businesses.

Yet, as with any technology, it also has its limits and risks, especially for cloud startups. If not configured well, cloud doesn't necessarily fit hand-in-hand with the needs of large enterprises. While the benefits of gaining a big customer are certainly obvious, the demands of doing so are not talked about nearly as frequently, despite that both are important. Hunting elephants is a dangerous game if you're a mouse.

Large companies have several sets of requirements for solution providers that differ from smaller companies, which aren't as concerned about security and scalability. Whereas the size of smaller companies doesn't require a focus on mitigating the risk of a high profile security breach or managing complex systems on a mass scale, for larger companies, these concerns are very real. Hence, it's not enough to just have a great product to engage on an enterprise level - large companies have dedicated security teams and requirements that you as a vendor need to work with to close the deal.

Having a disaster recovery plan in place is one of the first steps to becoming enterprise ready. Any sizeable organization is going to want assurance that in the event of a crisis, any lapse in the service you provide is going to be as brief and as painless as possible. And, furthermore, that enterprise is going to want proof to back up that assurance. That proof is called a disaster recovery plan. A disaster recovery plan specifies how your company intends to mitigate the risk of an incident resulting in downtime, as well as the processes in place for remediating and recovering from one. Given organizations' increasing dependency on information technology to run their operations, the more critical your product is to the day-to-day functioning of an enterprise, the more you must demonstrate this competency.

Creating and maintaining a disaster recovery plan is no simple task. Each employee should be trained in his or her role and responsibility in the event of a crisis or outage, and the plan should be documented and tested to ensure continuity of procedures and availability of essential resources in the event of a disaster. Your plan should specify easily executable and repeatable procedures for recovering and repairing any damaged IT resources and restoring them to operation as rapidly as possible. Be sure to include a summary of the critical assets and services, their recovery objectives, and recovery priorities, in addition to the contact information for disaster support agencies and a secondary data center service provider or other temporary means of providing service.

Security policy and practices are another prerequisite for navigating a large corporate environment. Without demonstrating the security of your product, you've effectively lost your seat at the table with enterprise companies. In today's tech-saturated world, an information security breach, hack, or hijack can cost thousands of dollars - not to mention inestimable damage to brands and consumer trust. This means an even greater burden of proof lies on vendors (and their cloud providers) as far as security is concerned to prevent such an event from happening. For example, if you're storing data on behalf of customers, are they encrypted in your database? Do you have strong access policies? Are your employees trained and certified when it comes to securing both corporate and personal accounts? If you're a web-based app, do you use a web app firewall (WAP)? Do you have IP and firewall restrictions in place from a cloud security service like Dome9? And what level of security does your cloud provider (e.g., Amazon Web Services) provide? The answers to these questions can help you structure your security policy and practices in alignment with enterprise needs.

To augment these policies and practices, you should also implement security review and testing. Policy and procedures are critical, but without confirmation and review of their execution, they only live in theory. For this reason, implementing internal and external reviews to ensure that your company, your employees, and your partners are all following your policy is critical. Ultimately, you should be able to show that you've created a process that's being applied day-to-day, which is sufficient enough to hold off socially engineered attacks and risks from phishing and malware, among other threats to your security. Allowing for third-party penetration testing is a great strategy to demonstrate your security capacity in this way. The more you can verify the process and results of that testing, the more you can prove to an enterprise that your product is effective and safe for use on a large scale.

Working with enterprise certainly has massive upsides, but with those benefits inherently comes a higher level of skepticism, scrutiny, and caution. Expect to have to prove that you can support sophisticated systems on a large scale, not only in terms of operation but also when it comes to appropriate processes, documentation, and security. The more you can anticipate enterprise needs and have the necessary procedures in place right out of the gate, the greater the level of confidence larger organizations will have in your company, and the better you can serve your customers.

For additional information about making your organization enterprise ready, check out these resources:

  1. Disaster Recovery Journal Sample Plans
  2. Cloud Security Alliance (CSA) Security Guidance
  3. AWS Security Center

More Stories By Rich Sutton

Rich Sutton is co-founder and CTO at Nexgate, a cloud-based social media compliance and security solution. Along with holding multiple patents, he has more than 15 years of experience in enterprise software and application development experience. Prior to working at Nexgate, Rich led a 50+ person engineering team building Websense’s web security product portfolio and also held senior management and technical positions at Symantec, 8e6 Technologies (now Trustwave), and eFunds (now Fidelity) building everything from SaaS applications to high-throughput network appliances, client security software, and mobile applications.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
With billions of sensors deployed worldwide, the amount of machine-generated data will soon exceed what our networks can handle. But consumers and businesses will expect seamless experiences and real-time responsiveness. What does this mean for IoT devices and the infrastructure that supports them? More of the data will need to be handled at - or closer to - the devices themselves.
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 18th International Cloud Expo, which will take place on June 7–9, 2016, at the Javits Center in New York City, NY. DatacenterDynamics is a brand of DCD Group, a global B2B media and publishing company that develops products to help senior professionals in the world's most ICT dependent organizations make risk-based infrastructure and capacity decisions.
SYS-CON Events announced today that Hitachi, the leading provider the Internet of Things and Digital Transformation, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Hitachi Data Systems, a wholly owned subsidiary of Hitachi, Ltd., offers an integrated portfolio of services and solutions that enable digital transformation through enhanced data management, governance, mobility and analytics. We help globa...
NHK, Japan Broadcasting, will feature the upcoming @ThingsExpo Silicon Valley in a special 'Internet of Things' and smart technology documentary that will be filmed on the expo floor between November 3 to 5, 2015, in Santa Clara. NHK is the sole public TV network in Japan equivalent to the BBC in the UK and the largest in Asia with many award-winning science and technology programs. Japanese TV is producing a documentary about IoT and Smart technology and will be covering @ThingsExpo Silicon Val...
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
Grape Up is a software company, specialized in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the USA and Europe, we work with a variety of customers from emerging startups to Fortune 1000 companies.
Financial Technology has become a topic of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 20th Cloud Expo at the Javits Center in New York, June 6-8, 2017, will find fresh new content in a new track called FinTech.
@GonzalezCarmen has been ranked the Number One Influencer and @ThingsExpo has been named the Number One Brand in the “M2M 2016: Top 100 Influencers and Brands” by Analytic. Onalytica analyzed tweets over the last 6 months mentioning the keywords M2M OR “Machine to Machine.” They then identified the top 100 most influential brands and individuals leading the discussion on Twitter.
Cognitive Computing is becoming the foundation for a new generation of solutions that have the potential to transform business. Unlike traditional approaches to building solutions, a cognitive computing approach allows the data to help determine the way applications are designed. This contrasts with conventional software development that begins with defining logic based on the current way a business operates. In her session at 18th Cloud Expo, Judith S. Hurwitz, President and CEO of Hurwitz & ...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that Interoute, owner-operator of one of Europe's largest networks and a global cloud services platform, has been named “Bronze Sponsor” of SYS-CON's 20th Cloud Expo, which will take place on June 6-8, 2017 at the Javits Center in New York, New York. Interoute is the owner-operator of one of Europe's largest networks and a global cloud services platform which encompasses 12 data centers, 14 virtual data centers and 31 colocation centers, with connections to 195 add...
Today we can collect lots and lots of performance data. We build beautiful dashboards and even have fancy query languages to access and transform the data. Still performance data is a secret language only a couple of people understand. The more business becomes digital the more stakeholders are interested in this data including how it relates to business. Some of these people have never used a monitoring tool before. They have a question on their mind like “How is my application doing” but no id...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo 2016 in New York. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place June 6-8, 2017, at the Javits Center in New York City, New York, is co-located with 20th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry p...
Web Real-Time Communication APIs have quickly revolutionized what browsers are capable of. In addition to video and audio streams, we can now bi-directionally send arbitrary data over WebRTC's PeerConnection Data Channels. With the advent of Progressive Web Apps and new hardware APIs such as WebBluetooh and WebUSB, we can finally enable users to stitch together the Internet of Things directly from their browsers while communicating privately and securely in a decentralized way.
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deli...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound e...
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...
The age of Digital Disruption is evolving into the next era – Digital Cohesion, an age in which applications securely self-assemble and deliver predictive services that continuously adapt to user behavior. Information from devices, sensors and applications around us will drive services seamlessly across mobile and fixed devices/infrastructure. This evolution is happening now in software defined services and secure networking. Four key drivers – Performance, Economics, Interoperability and Trust ...