News: cloudcomputing congress Europe 2010

Well for quite some time I’ve been thinking about whether to attend the conference. As per the website the advantages of attending the conference are:

Rendezvous with a person in the Cloud: Mr Tim Barker

In search of my answers about the Cloud and its future I recently met Mr Tim Barker, Senior Director, EMEA Product Marketing (Salesforce.com) at the Cloudforce 2 event in London. It was quite a meet which did clear a few doubts & queries I had about the Cloud.

In the words of Tim, “CC is the collective usage of computing resources over the net. Such resources may be infrastructure, platform or applications.” I did know a little about this & that the various organizations have been evaluating the model for quite some time. Also, Google and SFDC have a sort of close tie-up amongst them for promoting the Cloud services.

To elaborate on the evolution of computing he said, “...mainframes were the start of the computing revolution with resources being centralized and the accessibility restricted to a few. The Client-Server model changed it all, every user had access to resources & the server had limited control now. In cloud computing the backbone is the idea of centralization, thus accessibility to the server is primary... The change has been driven by Moore’s Law.”

Well, to me the primary concern in a cloud environment has been the Trust factor. Why should an organization trust any CSP with any of its data? Tim did approve of my concern: “...trust is the primary requirement in any business. What we offer to clients is service-at-par. Any prospective client can send its security experts to check the level of security we provide. On an average we handle 4 such requests every day...” He added, “...we also offer to our clients a unique concept of ‘seed & grow’. The client can set up his cloud based services on a small scale; it may learn the service, check the ROI and then proceed accordingly...”

I have been quite amused how the various CSPs adhere to an organization’s data law & other regulations. Again Tim was quite forthcoming about it: “...we have an expert legal counsel which helps clients with such requests. The issue is that there is a lack of information with the organizations rather than a lot of such issues. We abide by the EU Safe Harbor Framework as outlined by the U.S. and the European Union...” When I asked Tim to explain which “law” he meant would be applicable to get “lawful” access to a client’s data, he couldn’t comment!

Another concern I had was that the Cloud data might be with 3rd party service providers which the CSP might employ to give it the necessary flexibility & scalability. The concern was primarily that a CEO/CIO is always accountable for the data, irrespective of its location. Tim was quick to allay such fears: “...We do not have any 3rd party vendors. All our data is with our data centres in the US & Singapore. We manage all the data ourselves. Moreover when a client wants to sign with us for the cloud based services it’s given a choice of data centres to choose from. We use the multi tenancy concept and thus are ahead of the curve in terms of security. Every client that we have irrespective of its size or structure gets the same level of security.”

I always used to wonder what if there is an unforeseen situation and the Cloud doesn’t work. When asked about the same Tim said, “...all real time data about security and incidents is regularly updated on our trust.salesforce.com website. Besides, an organization on its end can restrict access to the cloud through a specific set of IPs. Any attempt to access from any IP other than the ones permitted by the organization would not allow access to the cloud. As regards to disaster recovery, we provide hot backups. We have a SAS 70 certification. We are also certified with the ISO 27001. Being certified with such certification we have to undergo regular tests for such issues.”

I was getting quite impressed by the Cloud; still, a few questions about the basic vulnerabilities & patch management that exist even in today’s environment were there in the back of my mind. Tim was quick to respond, “...such issues exist in any computing scenario but we have an advantage. That being once there is a vulnerability report or an update, all the clients are updated in a single instance. The whole process doesn’t take more than 5-10 minutes.”

As a security professional I know that the weakest element is the Human factor. When asked in context with his organization Tim said, “...organizations can lock access to their cloud by assigning specific IP set for access to the cloud services. We also keep a log of all the IPs that any client uses to access their cloud; in case of any problem these can be made available to the client. We also expect the clients to apply a certain degree of rules at their end to keep their data safe.”

I have always heard a strong argument opposing the future of Cloud that it will make the services quite pricy & will lead to a monopoly with a client being stuck with the CSP. Tim on being asked about it said, “...in case of such a requirement we can provide a client the XML files containing every single customization that was made. Also, we have track of all the data that belongs to any client. In case of any requirement we can point exactly where the data of a client is.”

By this point I was feeling quite reassured by the Cloud and its security except for a simple query in my mind! The Cloud functions over the Internet, what if there is no Internet!! Isn’t the Cloud highly vulnerable to DoS or DDoS attacks? Won’t the client lose millions by the time a CSP restores the client’s Cloud based services? Who would be accountable for any loss that the client suffers? Tim didn’t quite allay my fears about such issues: “...you’ve put me in a Catch 22 situation. I can’t disclose much but rest assured we have a very competent Networking team who is well prepared for any such situation.”

With the questions about Internet based attacks and Law in mind, I continue in my search to explore the Cloud.



- Anupam

@kakroo

 

 

Image: cloudsummit.ie

 
