Building secure cloud environments for the customers in Sweden

We’re pleased to introduce you to Vladimir, who is our DevSecOps guru working at the Stockholm office. On a daily basis, he helps our customers in creating safe cloud environments. We decided to ask him about his experience in harnessing modern cloud technologies for our Swedish customers.

1. Where are you from and how did you end up at Nordcloud?

I’m originally from Russia but I have lived in Sweden since 2011. Before joining Nordcloud I used to work for Ericsson as a solution architect in the systems integration domain. At some point, I realised that I needed a major change, so I left Ericsson and joined Nordcloud to work on public and hybrid cloud projects.

2. What is your role and your core competence?

When it comes to core competencies, I have 25 years of experience spanning many roles including software developer, UX designer, product manager and solution architect. Currently I’m addicted to building modern CI/CD pipelines with a security focus, so-called DevSecOps.

3. What sets you on fire / what’s your favourite thing technically with public cloud?

I really like guiding customers in the best ways to develop and support modern containers / serverless-based applications and workloads.

4. What do you like most about working at Nordcloud?

I have the full freedom to do what I believe is best for the customer, I’m not limited by specific products, services, or processes.

5. What is the most useful thing you have learned at Nordcloud?

Ultimately, ‘learned’ is not the right word being in the past tense, as I have realised we need to learn constantly in our fast-changing world of IT. Nordcloud is a community of great colleagues, who are willing to share deep technical and “how-to” knowledge and experience.

6. What do you do outside work?

Trying to help my daughters to do things right. Personally I do a lot of sport activities – alpine skiing, mountain biking, calisthenics, and table tennis.

7. How would you describe Nordcloud’s culture?

While this is not our official culture, for me personally I think it’s built around a fast-paced environment that encourages each individual to have the freedom to use their skills to help with customers’ challenges, while always going that extra mile to find solutions.

Blog

Starter for 10: Meet Jonna Iljin, Nordcloud’s Head of Design

When people start working with Nordcloud, they generally comment on 2 things. First, how friendly and knowledgeable everyone is. Second,...

Blog

Building better SaaS products with UX Writing (Part 3)

UX writers are not omniscient, and it’s best for them to resist the temptation to work in isolation, just as...

Blog

Building better SaaS products with UX Writing (Part 2)

The main purpose of UX writing is to ensure that the people who use any software have a positive experience.

Get in Touch

Let’s discuss how we can help with your cloud journey. Our experts are standing by to talk about your migration, modernisation, development and skills challenges.

Multi-Cloud: Why Stop At One Platform?

We deal with a number of major providers, each with its own outstanding features and strengths. A business just has to identify its needs and pick the service that best meets those.

Everyone knows the importance of picking the right tool for the job. Keen woodworkers have a selection of hammers, chisels and saws, golfers carry bags full of clubs, and even the most ardent sports car enthusiasts can see the limitations of a Ferrari when it’s time to take five kids to the beach.

The cloud is the same. We deal with a number of major providers, each with its own outstanding features and strengths. A business just has to identify its needs and pick the service that best meets those.

Except Why Stop At One Cloud Provider?

Let’s say, for the sake of an example, that a substantial portion of your compute needs are predictable and stable, and that latency isn’t an overriding issue. You might consider a provider that offers a relatively inflexible service and doesn’t necessarily have data centres located close to your users, but that is highly cost effective. The lack of flexibility isn’t an issue because of the predictability of your requirements, while the low cost makes it highly attractive.

However, let us also suppose that you offer applications where latency is an issue and where it is important to be able to scale usage up and down to meet spikes in demand. A second cloud provider, one that has data centres close to your main users and that offers a flexible deal on capacity, is an attractive option even though its charges are higher than the first.

So, does it have to be an either/or? Of course not. We live in a world where it’s possible to choose both.

But Which Cloud Provider Excels In Which Areas?

However, as the psychologist Barry Schwartz has argued, choices can complicate matters. You have to understand which cloud provider excels in which areas and the likely impact of their terms and conditions, and you also have to have a breadth of expertise in order to take advantage of multiple platforms, both to develop applications within the different environments and to create the architecture needed so that data can flow easily between platforms where required.

This is very much one of Nordcloud’s roles: to act as an expert facilitator between customer and cloud providers. It’s our job to know how to match a particular offering to a particular requirement. It’s our job to understand the implications of each provider’s terms of business for our customers, and it’s one of our great strengths that we have the resources to supplement our customers’ in-house technical expertise with our own. So, if your team’s proficiencies allow you to manage one provider’s platform but not another, we can help you to clear that hurdle. Our expertise in building a business’s Security & Governance models and core infrastructure, as well as delivering data centre migrations and optimised Cloud environments in a consistent way across the major Cloud platforms, has allowed us to become one of the most trusted providers.

Benefits Of Microsoft Azure

Though we were already working with a number of excellent cloud providers, we have partnered with Microsoft to offer Azure cloud services to our customers. Azure offers particular advantages that make it an attractive option for businesses looking to locate some or all of their computing needs in the cloud.

For starters, there’s the familiarity of the Microsoft environment, though it should be pointed out that Azure is equally adept at hosting Linux-based applications. Windows is ubiquitous and Microsoft’s range of tools and apps is beyond comprehensive.

Azure has put especial emphasis on simplicity and speed. If you need to spin up a project quickly, you need to consider Azure. The human resources are easy to come by – most businesses have no shortage of people skilled in Microsoft-related development – and the tools are easy to use.

Azure has also addressed concerns relating to server stability with a comprehensive outage protection plan that mirrors users’ data to secure virtual environments. If the possibility of outages and lost data is a worry, then Azure is a good answer. Microsoft has an impressive data centre network with global coverage and is moving into Southern Europe, Africa and South America ahead of the competition. We’re confident that, as providers expand their infrastructure, Azure users won’t find themselves left behind. The business also offers great means of analysing and mining your data for business intelligence through its managed SQL and NoSQL data services.

Of course, the other cloud services that Nordcloud offers come with their own strengths, but a growing number of businesses, perhaps a majority, are now looking to mix and match cloud providers to get the best of each to suit their specific needs. It’s a trend we only expect to keep growing.

How Hybrid Do You Need To Be?

Cloud is moving forward so fast that most hybrid cloud platforms and tools will probably be outdated before you get them up and running. Choose carefully what you need as core features, and plug into the knowledge of a company like Nordcloud.

Everybody appreciates the agility and elasticity of the public cloud; however, there are also large amounts of legacy apps that simply don’t move easily to the public cloud. This means that up until now, the Hybrid Cloud choir has been singing their ‘happily ever after’ song.

Unfortunately, this hybrid cloud choir has largely become led by the vendors who have the most to lose and who use it as a way to stall things. So let’s break down what you actually need and what could be seen as a colossal waste of time and money.

The Good

These activities will benefit you in the long term:

• Common security and governance framework. Regardless of the clouds you use, you should enforce the same security and governance principles.
• Every cloud is a silo, so if you want to have an end-to-end understanding of your IT, you need a tool that monitors across all clouds. That also goes for all core ITBM tools.
• A light portal will help end users by collecting the different clouds under one interface and access control. But keep it light, as most cloud usage is through automated API calls, not through a manual portal.
• Any activity that gets your apps to run on software-defined infra, including containers, network virtualization etc.

The Bad

• Any investment around workload movement between clouds (beyond virtualising and using containers) can waste both money and time. Legacy app workload movement between clouds is not really achievable in the first place, and you need to consider what the real benefit (and your appetite to invest) of the ability to move between clouds is. You’re much better off having a multi-cloud procurement approach where the threat of other clouds keeps the prices in check. You can then implement any technical cloud brokerage, workload movement solution etc.
• Private cloud – yes, it would be wonderful to have the same experience with ‘on-prem’ that you have in public clouds, but the cost of achieving this is just not worth it, especially considering that you have 15% fewer apps needing it every year. AWS and Azure implement hundreds of new services every year. How would you keep up with that in your own private cloud?
• Inertia is probably the worst consequence of a hybrid strategy. Any investment in hybrid technologies is money off your budget which could be used to innovate by modernising and building new apps; in short, money that is actually used to improve the business. Secondly, any investment needs usage, and the pressure to prove that it was a good investment leads to suboptimal workload placement. Thirdly, you have a large, complex platform that is not keeping up with the demand for new services, needs constant upgrades and doesn’t scale when needed.

The Bottom Line Of Hybrid Cloud

At the end of the day, this is all about focus. A hybrid cloud strategy means that you invest in three areas – implementing and improving your private cloud, your cloud brokerage platform, and increasing your usage of public clouds. How much more could you achieve with the money if you just focused on one of them?

Cloud is moving forward so fast that most hybrid cloud platforms and tools will probably be outdated before you get them up and running. Choose carefully what you need as core features, and plug into the knowledge of a company like Nordcloud who can help you to choose the right tools whilst also keeping them updated.

Security In The Public Cloud: Finding What Is Right For You

What many businesses still don’t realise is that the public cloud is a shared responsibility, from both the cloud provider and customer.

Security concerns in the cloud pop up every now and then, especially when there has been a public breach of some sort. What many businesses still don’t realise is that the public cloud is a shared responsibility, from both the cloud provider and customer. Unfortunately, 99% of these breaches are down to the customer, not the cloud provider. Some of these cases are due simply to the customer not having the competence to build a secure service in the public cloud.

Cloud Comes In Many Shapes And Sizes

• Public cloud platforms like AWS, Azure and GCP
• Medium cloud players
• Local hosting provider offerings
• SaaS providers of variable capabilities and services: from Office 365 to Dropbox

However, if the alternative is to use your own data centre, the data centre of a local provider, or a SaaS service, it’s worth building a pros and cons table and making a selection after that.

Own data centre
 – Most responsibility
 – Competence varies
 – Variable processes
 – Large costs
 However
 – Most choice in tech

Local hosting provider
 – A lot of responsibility
 – Competence varies
 – Variable processes
 – Large costs
 However
 – Some choice in tech

Public cloud
 – Least responsibility
 – Proven competence & investment
 – Fully automated with APIs
 – Consumption-based
 However
 – Least amount of choice in tech

Lack of competence is typical when a business ventures into the public cloud on their own, without a partner with expertise. Luckily:

• Nordcloud has the most relevant certifications on all of the major cloud platforms
• Nordcloud is ISO/IEC 27001 certified to ensure the security of our own services is appropriately addressed
• Typically Nordcloud builds and operates customer environments to meet customer policies, guidelines and requirements

Security responsibilities shift towards the platform provider the more higher-value services like IaaS, PaaS and SaaS are used. All major public cloud platform providers have proven security practices with many certifications, such as:

• ISO/IEC 27001:2013, 27013, 27017:2015
• PCI-DSS
• SOC 1-3
• FIPS 140-2
• HIPAA
• NIST

Gain The Full Benefits Of The Public Cloud

The more cloud capacity shifts towards the SaaS end of the offering, the less the business needs to build the controls on their own. However, existing applications are not built for the public cloud, and therefore if an application is migrated to the public cloud as it is, similar controls need to be migrated too. Here’s another opportunity to build a pros & cons table: applications considered for public cloud migration ‘as is’ vs app modernisation.

‘As is’ migration
 – Less benefit of cloud platform
 – IT-driven
 BUT
 – You start the cloud journey early
 – Larger portfolio migration
 – Time to decommission old infra is fast

Modernise
 – Slower decommissioning
 – Individual modernisations
 BUT
 – You can start your cloud-native journey
 – Use DevOps with improved productivity
 – You have the most benefit from using cloud platforms

Another suggestion would be to draw out a priority table of your applications so that you gain the full benefits of the public cloud.

In any case, the baseline security, architecture and cloud platform services need to be created to fulfil the requirements in the company security policies, guidelines and instructions. For example:

• Appropriate access controls to data
• Appropriate encryption controls based on policy/guideline statements matching the data classification
• Appropriate baseline security services, such as application-level firewalls and intrusion detection and prevention services
• Security Information and Event Management solution (SIEM)

The areas listed above should be placed into a roadmap or project with strong ownership to ensure that the platform evolves to meet the demands of applications at various stages in their cloud journey. Once the organisation and governance are in place, the application and cloud platform roadmaps can be aligned for smooth sailing into the cloud where appropriate, and the cloud-native security controls and services are available. Nordcloud’s cloud experts would be able to help you and your business out here.

Find out how Nordcloud helped Unidays become more confident in the security and scalability of their platform.

Why The Financial Services Industry Needs To Rethink Its IT By Embracing The Cloud

To be relevant in the future, financial institutions should partner with hyper-scale cloud providers and enablers like Nordcloud.

2018 has witnessed PR failures from some of the major global financial institutions in the UK after breaches of regulatory compliance caused by outdated technical architecture and processes which fail to manage risk within these businesses.

This is not only a huge reputation risk but also highlights the weak areas and slow pace of innovation at these big conglomerates.

At the same time, these financial institutions are taking a hit on their customer satisfaction and loyalty due to operational glitches and service non-availability. In an industry where the competition and cost of customer acquisition are fairly steep, this is an anti-pattern which should be avoided.

Regulators and banking associations have significantly improved their messaging. Instead of giving hints and tips, they are coming out in the open and offering solid guidelines & directives for the Financial Services Industry to think about the changing technology landscape, business dynamics (as new customer products & offerings emerge), and the increased regulatory overhead which is mandatory to gauge the health of the FSI vertical.

How To Improve Operational Resilience For Financial Market Infrastructure

Recently, the Prudential Regulation Authority (PRA) and Bank of England (BoE) published an article and also kicked off a joint discussion paper (DP) to improve operational resilience for financial market infrastructure in light of recent incidents. It is yet another great example of how regulators are trying to push the boundaries and asking these firms to think ahead and embrace new technology to solve business problems.

They laid down a few key concepts:

• Business continuity planning (BCP) to manage operational resilience

BCP is key to operational resilience, and a lot needs to be done (from procuring to testing to maintaining) to have a truly good BC plan. Buying upfront capacity and taking a hit on CapEx is an option, but it clearly loses out on the opportunity costs (what else could you do with that money?) and is also not a viable long-term strategy. Public cloud offers amazing business agility, and with automation that can manage back-ups, auto-provisioning and disaster recovery across the globe, it can significantly improve operational resilience at much lower cost and let you focus on what you’re best at.

• Board-approved tolerances and level of disruption

This again highlights the holes in existing IT governance and how an increasingly complex IT estate demands good governance. Cloud not only offers the right tools to give management-level visibility and KPI tracking, it also enables smarter governance through automation and effective risk management via infrastructure as code and compliance as code. It’s important to re-organise, up-skill, and operate with a new governance model to set tolerances and manage them better.

• Planning for failures

This is a great point. Financial institutions often plan for service operations and not really for failures. Planning for failures requires significant scaling capabilities along with full infrastructure for IT teams to perform a series of non-functional tests before they can ship their products to the market. Cloud is perfectly suited to offer the on-demand scalability along with tools that boost staff productivity and improve code quality through DevOps process improvement.

Public Cloud Providers Can Solve Operational, Technology and Security Issues

We think it’s a great start and a perfect way to start discussions within the FSI and to help them re-focus on operational challenges. More importantly, it will help with what they want to do today, tomorrow and next year to make them profitable.

It’s clear that financial institutions are great at creating financial products, and public cloud providers are great at solving operational, technology and security issues, as they have the skills and the resources to do so. It’s important that financial institutions start off-loading these non-core functions and look for partnerships or create joint ventures with hyper-scale cloud providers and enablers like Nordcloud to be relevant in the future.

Cloud Computing Is On The Rise In The Financial Services – Are You Ready?

Download our free white paper Compliance in the cloud: How to embrace the cloud with confidence, where we outline some of the many benefits that the cloud can offer, such as:

• Lowered costs
• Scalability and agility
• Better customer insights
• Tighter security

Multi-cloud webinar by Nordcloud and SSH

Join our 60 min webinar on Feb 21!

The public cloud promises to bring savings, agility and scalability. All of this is attainable provided that you know which services to choose for your purpose, and how to set up your environment following best practices.

Join multi-cloud experts from Nordcloud and SSH.COM for this exclusive webinar hosted by Cloud Security Alliance, where we will discuss the following topics:
• Why vendor lock-in might not be your best option in the cloud
• Why ensuring the best possible privileged access experience for developers and administrators is vital for your business
• How to make daily access routines operationally efficient with automation
• How to choose best-of-breed services for the cloud based on your business needs
• Why existing cloud vendor or legacy solutions might sometimes increase costs

Date: Feb 21, 8:00 pm EET (Finland – Helsinki), or afterwards on demand.

Presented by Petri Kallberg, CTO at Nordcloud Finland, and Markku Rossi, CTO at SSH.COM

Register now!

Cloud Computing News #11: Quantum Computing is the New Space Race

This week we focus on quantum computing.

Classical computers store information in bits that are either 1 or 0, but quantum computers use qubits, which can be thought of as existing in both states of 1 and 0 at the same time, and which can also influence one another instantaneously via a process known as “entanglement”. These exotic new qualities of quantum bits mean that upcoming quantum computers’ computing power will be exponentially larger and faster.

Quantum computing is expected to, for example, boost machine learning and have a big impact on artificial intelligence – and cloud services are being looked on as the method for providing access to quantum processing.

Now, as Nordcloud’s partners Google and Microsoft are investing massively in quantum computing, we are keenly following this development to be ready to bring this power to our customers in the future.

BlackBerry races ahead of security curve with quantum-resistant solution

According to TechCrunch, BlackBerry announced a new quantum-resistant code signing service that anticipates a problem that does not yet exist.

“By adding the quantum-resistant code signing server to our cybersecurity tools, we will be able to address a major security concern for industries that rely on assets that will be in use for a long time. If your product, whether it’s a car or critical piece of infrastructure, needs to be functional 10-15 years from now, you need to be concerned about quantum computing attacks,” Charles Eagan, BlackBerry’s chief technology officer, said in a statement.

While experts argue over how long it could take to build a fully functioning quantum computer, most agree that it will take computers of between 50 and 100 qubits to begin realizing that vision.

Read more in TechCrunch

Quantum mechanics defies causal order

Physics World highlights an experiment by Jacqui Romero, Fabio Costa and colleagues at the University of Queensland in Australia that has confirmed that quantum mechanics allows events to occur with no definite causal order. In classical physics – and everyday life – there is a strict causal relationship between consecutive events. If a second event (B) happens after a first event (A), for example, then B cannot affect the outcome of A. This relationship, however, breaks down in quantum mechanics.

In their experiment, Romero, Costa and colleagues created a “quantum switch”, in which photons can take two paths. As well as making an experimental connection between relativity and quantum mechanics, the researchers point out that their quantum switch could find use in quantum technologies.

“This is just a first proof of principle, but on a larger scale indefinite causal order can have real practical applications, like making computers more efficient or improving communication,” says Costa.

Read more in Physics World

Two Quantum Computing Bills Are Coming to Congress

According to Gizmodo, quantum computing has made it to the United States Congress. China has funded a National Laboratory for Quantum Information Sciences, set to open in 2020, and has launched a satellite meant to test long-distance quantum-secure information transfer.

“Quantum computing is the next technological frontier that will change the world, and we cannot afford to fall behind,” said Senator Kamala Harris (D-California). “We must act now to address the challenges we face in the development of this technology—our future depends on it.”

The bill introduced by Harris in the Senate focuses on defense, calling for the creation of a consortium of researchers selected by the Chief of Naval Research and the Director of the Army Research Laboratory. Another, yet-to-be-introduced bill, seen in draft form by Gizmodo, calls for a 10-year National Quantum Initiative Program to set goals and priorities for quantum computing in the US; invest in the technology; and partner with academia and industry.

Read more in Gizmodo

              Blog

              Starter for 10: Meet Jonna Iljin, Nordcloud’s Head of Design

              When people start working with Nordcloud, they generally comment on 2 things. First, how friendly and knowledgeable everyone is. Second,...

              Blog

              Building better SaaS products with UX Writing (Part 3)

              UX writers are not omniscient, and it’s best for them to resist the temptation to work in isolation, just as...

              Blog

              Building better SaaS products with UX Writing (Part 2)

              The main purpose of UX writing is to ensure that the people who use any software have a positive experience.

              Get in Touch

              Let’s discuss how we can help with your cloud journey. Our experts are standing by to talk about your migration, modernisation, development and skills challenges.








                Why the Financial Services Industry needs to rethink its IT by embracing the cloud


2018 has seen PR failures at some of the major global financial institutions in the UK after breaches of regulatory compliance caused by outdated technical architecture and processes that fail to manage risk within these businesses.

                This is not only a huge reputation risk but also highlights the weak areas and slow pace of innovation at these big conglomerates.

At the same time, these financial institutions are taking a hit on customer satisfaction and loyalty due to operational glitches and service unavailability. In an industry where the competition and the cost of customer acquisition are fairly steep, this is an anti-pattern that should be avoided.

                Regulators and banking associations have significantly improved their messaging. Instead of giving hints and tips, they are coming out in the open and offering solid guidelines & directives for the Financial Services Industry to think about the changing technology landscape, business dynamics (as new customer products & offerings emerge), and increased regulatory overhead which is mandatory to gauge the health of the FSI vertical.

                 

                How to improve operation resilience for financial market infrastructure

Recently, the Prudential Regulation Authority (PRA) and the Bank of England (BoE) published an article and also kicked off a joint discussion paper (DP) to improve operational resilience for financial market infrastructure in the light of recent incidents. It is yet another great example of how regulators are trying to push the boundaries and asking these firms to think ahead and embrace new technology to solve business problems.

                They laid down a few key concepts:

                • Business continuity planning (BCP) to manage operational resilience

BCP is key to operational resilience, and a lot needs to be done (from procuring to testing to maintaining) to have a truly good BC plan. Buying capacity upfront and taking a hit on CapEx is an option, but it clearly loses out on opportunity costs (what else could you do with that money?) and is not a viable long-term strategy. Public cloud offers great business agility, and with automation that can manage backups, auto-provisioning and disaster recovery across the globe, it can significantly improve operational resilience at much lower cost and let you focus on what you’re best at.

                • Board approved tolerances and level of disruption

This again highlights the holes in existing IT governance and how growing IT demands call for good governance. Cloud not only offers the right tools to give management-level visibility and KPI tracking, it also enables smarter governance through automation and effective risk management via infrastructure as code and compliance as code. It’s important to re-organise, up-skill, and operate with a new governance model to set tolerances and manage them better.

                • Planning for failures

                This is a great point. Financial institutions often plan for service operations and not really for failures. This requires significant scaling capabilities along with full infrastructure for IT teams to perform a series of non-functional tests before they can ship their products to the market. Cloud is perfectly suited to offer the on-demand scalability along with tools that boost staff productivity and improve code quality through DevOps process improvement.

                 

                Public cloud providers can solve operational, technology and security issues

                We think it’s a great start and a perfect way to start discussions within the FSI and to help them re-focus on operational challenges. More importantly, it will help with what they want to do today, tomorrow and next year to make them profitable.

                It’s clear that financial institutions are great at creating financial products and public cloud providers are great at solving operational, technology, security issues as they have the skills and the resources to do so. It’s important that financial institutions start off-loading these non-core functions and look for partnerships or create joint ventures with hyper-scale cloud providers and enablers like Nordcloud to be relevant in the future.

                 

                Cloud computing is on the rise in the financial services – are you ready?

                Download our free white paper Compliance in the cloud: How to embrace the cloud with confidence, where we outline some of the many benefits that the cloud can offer, such as:

                • Lowered costs
                • Scalability and agility
                • Better customer insights
                • Tighter security

                Download white paper

                  Security in the Public Cloud: Finding what is right for you


Security concerns in the cloud pop up every now and then, especially when there has been a public breach of some sort. What many businesses still don’t realise is that security in the public cloud is a shared responsibility between the cloud provider and the customer. Unfortunately, 99% of these breaches are down to the customer, not the cloud provider. Some of these cases are due simply to the customer not having the competence to build a secure service in the public cloud.

                  Cloud comes in many shapes and sizes

                  • Public cloud platforms like AWS, Azure and GCP
                  • Medium cloud players
                  • Local hosting provider offerings
                  • SaaS providers of variable capabilities and services: From Office 365 to Dropbox

If the alternatives are your own data centre, the data centre of a local hosting provider, or a public cloud service, it’s worth building a pros and cons table and making a selection based on it.

Own data centre
• Most responsibility
• Competence varies
• Variable processes
• Large costs
However – most choice in tech

Local hosting provider
• A lot of responsibility
• Competence varies
• Variable processes
• Large costs
However – some choice in tech

Public cloud
• Least responsibility
• Proven competence & investment
• Fully automated with APIs
• Consumption-based
However – least amount of choice in tech

                  Lack of competence is typical when a business ventures into the public cloud on their own, without a partner with expertise. Luckily:

                  • Nordcloud has the most relevant certifications on all of the major cloud platforms
                  • Nordcloud is ISO/IEC 27001 certified to ensure our own services security is appropriately addressed
                  • Typically Nordcloud builds and operates customer environments to meet customer policies, guidelines and requirements

Security responsibilities shift towards the platform provider as higher-level services are used, moving from IaaS to PaaS to SaaS. All major public cloud platform providers have proven security practices backed by many certifications, such as:

• ISO/IEC 27001:2013, 27013, 27017:2015
                  • PCI-DSS
                  • SOC 1-3
                  • FIPS 140-2
                  • HIPAA
                  • NIST

                  Gain the full benefits of the public cloud

The more cloud capacity shifts towards the SaaS end of the offering, the less the business needs to build the controls on its own. However, existing applications are not built for the public cloud, and therefore if an application is migrated to the public cloud as it is, similar controls need to be migrated too. Here’s another opportunity to build a pros & cons table: applications considered for public cloud migration ‘as is’ vs app modernisation.

‘As is’ migration
• Less benefit of cloud platform
• IT-driven
BUT
• You start the cloud journey early
• Larger portfolio migration
• Time to decommission old infra is fast

Modernise
• Slower decommissioning
• Individual modernisations
BUT
• You can start your cloud-native journey
• Use DevOps with improved productivity
• You have the most benefit from using cloud platforms

                  Another suggestion would be to draw out a priority table of your applications so that you gain the full benefits of the public cloud.

In any case, the baseline security, architecture and cloud platform services need to be created to fulfil the requirements in the company’s security policies, guidelines and instructions. For example:

                  • Appropriate access controls to data
                  • Appropriate encryption controls based on policy/guideline statements matching the classification
                  • Appropriate baseline security services, such as application level firewalls and intrusion detection and prevention services
                  • Security Information and Event Management solution (SIEM)

                  The areas listed above should be placed into a roadmap or project with strong ownership to ensure that the platform evolves to meet the demands of applications at various stages in their cloud journey. Once the organisation and governance are in place, the application and cloud platform roadmaps can be aligned for smooth sailing into the cloud where appropriate, and the cloud-native security controls and services are available. Nordcloud’s cloud experts would be able to help you and your business out here.

                  Find out how Nordcloud helped Unidays become more confident in the security and scalability of their platform.

                    Cloud security: Don’t be a security idiot


The cloud has some great advantages: storing a large amount of data and only paying for what you use without buying it all upfront, or using the hundreds of different services and APIs offered by a cloud provider.

We commonly hear that security is a major step when moving to the cloud, but we actually see quite the opposite. By the time a lift-and-shift or a refactor approach is completed, the organisation has already invested so much that they need the system up and running. Studies show that the movement to public cloud computing is not going to decrease anytime soon, but will increase by 100 billion USD. With this increase, be sure to expect growth not only in security breaches but in attacks as well.

                     

                    Cloud Security Breaches & Attacks

                    In today’s digital world, data is the new currency. Attackers had a massive impact on businesses with the ransomware outbreaks like WannaCry and Petya, and with the increase of attacks and poor security standards, everyone and everything is vulnerable.

                    It might be easy to think we are all part of some sort of Darwin experiment because the same things keep happening around the industry. Budget cuts and time-to-market are both enablers that affect security. As a society, we have our security methods back to front and upside down and we forget the internet is relatively young.

We see it time and time again: organisations deploying without secure best-practice approaches. For example, Accenture back in October 2017 left an S3 bucket open to the world. This was later found out by the public, but the biggest issue was that the content inside the S3 bucket was a list of passwords and KMS (AWS Key Management System) keys. It is unknown if the keys were used maliciously, but they are not the first, nor will they be the last, to let this slip.

Later in November, a programmer at DXC pushed code to GitHub. Without thinking, this individual failed to realise that the code also had AWS keys hard-coded into it. It took 4 days before this was found out, but over 244 virtual machines were created in the meantime, costing the company a whopping 64,000 USD.
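The DXC case above is the kind of slip a pre-commit check catches. As an added defensive example that is not part of the original post, here is a minimal scanner for hard-coded AWS credentials in staged files. The sample files and key values are constructed; the key formats are AWS's documented ones, and the placeholder IDs are the ones AWS itself uses in its documentation.

```python
import re
from typing import Dict, List, NamedTuple

# AWS's documented formats: an access key ID is "AKIA" (or "ASIA" for temporary
# credentials) followed by 16 upper-case alphanumerics; a secret access key is
# 40 characters from the base64 alphabet, here required to sit on the right-hand
# side of an assignment whose name mentions "aws" and "secret".
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws(?:.{0,20})?secret(?:.{0,20})?['\"]?\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Placeholder IDs that AWS uses in its own documentation. They are not real
# credentials and would otherwise make every docs page a false positive.
DOC_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"}


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str      # "access_key_id" or "secret_access_key"
    excerpt: str   # redacted, so the hook's own output does not leak the secret


def redact(value: str) -> str:
    """Keep only the first and last four characters of a matched token."""
    return value[:4] + "..." + value[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per credential-looking token in the given file contents."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            if m.group(1) in DOC_PLACEHOLDERS:
                continue
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", redact(m.group(1))))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, i.e. what a pre-commit hook sees for staged files."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample "staged files": one leaks credentials the way the DXC code
# did, one takes credentials from the environment or instance role, and one is
# documentation that only contains AWS's placeholder ID. None are real keys.
SAMPLE_FILES = {
    "deploy.py": (
        "import boto3\n"
        "AWS_ACCESS_KEY_ID = 'AKIA0123456789ABCDEF'\n"
        "AWS_SECRET_ACCESS_KEY = 'abcdefghijklmnopqrstuvwxyz0123456789ABCD'\n"
        "client = boto3.client('ec2', aws_access_key_id=AWS_ACCESS_KEY_ID)\n"
    ),
    "deploy_ok.py": (
        "import boto3\n"
        "client = boto3.client('ec2')  # credentials come from the environment or an IAM role\n"
    ),
    "README.md": "Example from the AWS docs: AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: possible {f.kind} ({f.excerpt})")
    # A real hook exits non-zero when there are findings, which blocks the commit.
```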

Sometimes you can’t control the security issues, but that doesn’t mean you shouldn’t worry about them. At the beginning of 2018 a chip security flaw called Meltdown and Spectre was publicly disclosed by a team called Google Project Zero. The chip flaw affected all Intel processors and allowed attacks at the kernel level.

                    This meant that someone with that knowledge could theoretically create a virtual machine on any public cloud and could view the data inside the kernel level of all the virtual machines on that bare metal server. Most companies patched this back in the fall of 2017, but not everyone keeps the most updated security patches on the OS layer.

UPDATE: Intel has just announced that not every CPU can be patched.
                    UPDATE: New Variation

                     

                    Shared Responsibility

Cloud providers pay close attention to security risk, but they all operate a shared-responsibility model. What this means is that the customer is 100 per cent accountable for security in the cloud. As the cloud provider doesn’t know the workload being run, they can’t limit all security risks. What the provider guarantees is the security of their data centres and, usually, of the software that provides you with the APIs needed to create resources in the cloud.

                    Most providers will explain to you (multiple times!) that there is a shared-responsibility model, the above diagram shows the most up-to-date version.

                     

                    Data Centre Security

                    Another big question that is commonly asked is, “What makes the cloud provider data centre more secure than my own data centre?”. To answer this question we first need to find out what the current Data Centre Tier is and compare that to a cloud provider.

Data centres are often associated with a data centre “Tier”, or level of service. This standard came into existence back in 2005 from the Telecommunications Industry Association. The four tiers were developed by the Uptime Institute. Both are maintained separately but have similar criteria. There are 4 tier rankings (I, II, III, or IV), and each tier reflects the physical, cooling and power infrastructure, the redundancy level, and the promised uptime.

                     

                    Tier I
A Tier I data center is the simplest of the 4 tiers, offering little (if any) redundancy, and not really aiming to promise a maximum level of uptime:

                    • Single path for power and cooling to the server equipment, with no redundant components.
                    • Typically lacks features seen in larger data centers, such as a backup cooling system or generator.

                    Expected uptime levels of 99.671% (1,729 minutes of annual downtime)

                    Tier II
The next level up, a Tier II data center has more measures and infrastructure in place to ensure it is not as susceptible to unplanned downtime as a Tier I data center:

                    • Will typically have a single path for both power and cooling, but will utilise some redundant components.
                    • These data centers will have some backup elements, such as a backup cooling system and/or a generator.

                    Expected uptime levels of 99.741% (1,361 minutes of annual downtime)

                    Tier III
                    In addition to meeting the requirements for both Tier I and Tier II, a Tier III data center is required to have a more sophisticated infrastructure that allows for greater redundancy and higher uptime:

                    • Multiple power and cooling distribution paths to the server equipment. The equipment is served by one distribution path, but in the event that path fails, another takes over as a failover.
                    • Multiple power sources for all IT equipment.
                    • Specific procedures in place that allow for maintenance/updates to be done in the data center, without causing downtime.

                    Expected uptime levels of 99.982% (95 minutes of annual downtime)

                    Tier IV
                    At the top level, a Tier IV ranking represents a data centre that has the infrastructure, capacity, and processes in place to provide a truly maximum level of uptime:

                    • Fully meets all requirements for Tiers I, II, and III.
                    • Infrastructure that is fully fault tolerant, meaning it can function as normal, even in the event of one or more equipment failures.
                    • Redundancy in everything: Multiple cooling units, backup generators, power sources, chillers, etc. If one piece of equipment fails, another can start up and replace its output instantaneously.

                    Expected uptime levels of 99.995% (26 minutes of annual downtime)

                    Now that we understand the tier level, where does your data centre fit?

For AWS, Azure, and GCP, the data centre tier is not really relevant at such a large scale, because none of them follows the TIA-942 or Uptime Institute standards. The reason is that each data centre would be classified as Tier IV, but since you can build the cloud to your own criteria or per application, it’s difficult to put it into a box. Once you add the vast number of services, availability zones, and multiple regions, this falls outside the scope of the Tier-X standards.

                    Don’t be a Security Idiot!

When it comes to security in the cloud, it all comes down to the end user. An end user is anyone with an internet connection or an internet-enabled device, and a good rule of thumb is to assume that anyone can be hacked and any device can be stolen. Everything stems from the organisation and should be looked at from a top-down approach. Management must be on board with, and follow, training and best practices when dealing with security.

                    Most organisations do not have security policies in place, and the ones who do haven’t updated them for years. The IT world changes every few hours and someone is always willing to commit a crime against you or your organisation.


                     

                    Considerations

                    YOU ARE the first line of defence! Know if the data is being stored in a secured manner by using encryption and if backups are being stored offsite or in an isolated location.

                    Common Sense

                    Complacency: Wireless devices are common now, but does your organisation have a policy about this? Once or multiple times a year, all of your employees should have to review a security policy.

                    Strong Password policies: A typical password should be 16 characters long and consist of special characters, lowercase and capital letters. Something like: I<3Marino&MyDogs (This password would take years to crack with current technology). Suggestion: don’t use this exact password!

                    Multi-Factor Authentication: Multi-Factor authentication means “something you know” (like a password) and “something you have,” which can be an object like a mobile phone. MFA has been around a long time. When you use a debit/credit card it requires you to know the Pin Code and have the card. You do not want anyone taking your money, so why not use MFA on all your user data.

                    Security Patches: WannaCry is a perfect example of what happens when people don’t update security patches. Microsoft released a fix in March 2017, but still, 150 countries and thousands of businesses got hit by the attack in the Summer of 2017. This could all have been avoided if Security Patches were enforced. Always make sure your device is updated!

                    Surroundings: Situational awareness is key to staying safe. Knowing what is going on around you can help avoid social engineering. Maybe you are waiting for a meeting at a local coffee shop and decide to work a little before the meeting. The first thing you do is connect to an Open Wi-Fi and then you check your email. The person behind you is watching what you are doing and also has a keylogger running. They know what website you went to and what you typed in. Keep your screensaver password protected and locked after so many seconds of inactivity.

Report incidents: You are checking your email and receive a zip file from a future client. You unzip the file and see a .exe, but think no more of it. You open the .exe and find out that your computer is now infected with malware or ransomware. The first thing you should do is disconnect the machine from the network or turn off your computer. Call or use your mobile to send a message to IT, and explain what has happened.

                    Education: The best way to prevent a security breach is to know what to look for and how to report incidents. Keep updated on new security trends and upcoming security vulnerabilities.

                    Reporting: Who do you report to if you notice or come into contact with a security issue? Know who to send reports to, whether it is IT staff or an email dedicated to incidents…

                    Encryption: Make sure that you are using HTTPS websites and that your data is encrypted both during transit and at rest.

                    Most of all when it comes to public cloud security, you share the security with the platform. The cloud platform is responsible for the infrastructure and for physical security. Ultimately, YOU ARE responsible for securing everything else in the cloud.
