By Sramana Mitra and guest author Shaloo Shalini
SM: What is your take on security in the cloud? As part of delivering this enormous infrastructure to your clients, you obviously have to worry about data security. What is the data security strategy that you deploy for your cloud-based infrastructure?
LO: You mean comprehensive security, right?
LO: Some of our clients need Payment Card Industry (PCI), the data security standard for payment cards, from our compliance perspective. So, we have to provide the appropriate level of encryption technology and data segregation to those clients. We can do that in our cloud. There are obviously a variety of those; we use [ . . . ] penetration testing on a daily basis in this environment.
We can provide those results to our clients if needed. There are a variety of practices we follow, but I think more important to our clients, from a security perspective, is less of what we can tell them in a sales cycle – “here is what we do from a security perspective” sort of pitches – and more our being able to demonstrate that we do this consistently over time. This is what is really required and where compliance frameworks come into play, right? We are in a great position because we do a lot of business in the area of federal government projects. The federal government has rigorous and comprehensive security requirements, both in the civilian sector and in the Department of Defense (DoD).
Since we don’t like to have one-off solutions, we have adopted a lot of those security capabilities for our commercial business. So, our commercial clients have benefited from that level of maturity [in government]. The frameworks we use today, whether they are the PCI or SAS 70, are relatively more comprehensive and broader than those of other cloud providers. We do that because we need to demonstrate to the DoD that we are following these control sets. We can provide that same information following all those control sets to our commercial clients as well. That is one of the lessons we have learned. We are a fairly mission-critical application, and there is a lot more scrutiny by security and IT in using RightNow than there is in using WebEx, for example, or even a sales automation tool like Salesforce. This is because we have had to mature more rapidly and become more acceptable to large corporate enterprises that take a comprehensive approach to data security.
SM: What about redundancy and disaster recovery (DR)?
LO: It has to be built in from the ground up. So, at any point, we want to make sure that we can maintain continuity of operations in case of machine failure or even application stack failure.
SM: What do you do for DR? What stack do you use, or what kind of architecture do you deploy?
LO: We are an open source stack, so we rely heavily on MySQL, Apache, Memcached, Hadoop – those types of platforms to run our cloud solution. We rely heavily on data synchronization and replication technologies across this platform to make sure that at any point a customer has more than one operating environment they could be in. We do that on both ends – a single data center, which we designed to be highly available, and another geographically separate location – and we are able to do that in different places around the world for our clients.
SM: Would you talk about what you see in the market about private cloud adoption? It seems, at least from my discussions over the past six to eight months, that there is quite a bit of private cloud adoption going on. I guess the question I am asking is, Do you provide private cloud-based solutions? Is that a trend you see as well?
LO: Because I have had a lot of different definitions of private cloud, would you define and put a boundary around what you mean by it? Do you mean a multi-tenant cloud infrastructure that I would deploy on a customer’s premises?
SM: Yes; it is not even multi-tenant but single tenant.
LO: So it is private to a particular customer but managed by me in terms of release management and that sort of thing?
SM: Yes, that’s right.
LO: We do something similar for the U.S. federal government, particularly for the DoD. They are not interested in having their environments and data co-mingled with those of commercial clients, particularly corporations that are partly owned by foreign entities. It doesn’t matter how much security you bring to the table; they are just not interested. So, we have gone in as the first commercial cloud provider to be able to deploy a fully certified multi-tenant cloud just for the DoD. We run an application on a military base, we manage the application, it is fully multi-tenant, and it is exactly like the one we deploy for commercial purposes. It is just located in a sanitized environment, and it’s private for the DoD. Of course, there are multiple branches: the Army, the Air Force, the Marine Corps, the Navy, and multiple agencies within those branches. That is the multi-tenant nature whereby they have different solutions with different workload characteristics.