Welcome!

DevOps Journal Authors: Liz McMillan, Noel Wurst, Carmen Gonzalez, Pat Romanski, Elizabeth White

Related Topics: Cloud Expo, SOA & WOA, .NET, Security, Big Data Journal, IoT Expo

Cloud Expo: Article

What Cloud Startups Need to Know About Hunting Elephants

Large companies have several sets of requirements for solution providers that differ from smaller companies

"Cloud computing" is more than just a buzzword - it has transformed the tech industry. Having been in the business of building enterprise infrastructure for over 15 years, I've had the opportunity to witness how cloud has altered the landscape, including most recently at my company, Nexgate. It has not only ushered in a radical wave of innovation, but has also created new business models. The easily accessible and inexpensive nature of its on-demand structure has both paved the way for the rapid launch of new technologies and enabled the growth of businesses.

Yet, as with any technology, it also has its limits and risks, especially for cloud startups. If not configured well, cloud doesn't necessarily fit hand-in-hand with the needs of large enterprises. While the benefits of gaining a big customer are certainly obvious, the demands of doing so are not talked about nearly as frequently, despite that both are important. Hunting elephants is a dangerous game if you're a mouse.

Large companies have several sets of requirements for solution providers that differ from smaller companies, which aren't as concerned about security and scalability. Whereas the size of smaller companies doesn't require a focus on mitigating the risk of a high profile security breach or managing complex systems on a mass scale, for larger companies, these concerns are very real. Hence, it's not enough to just have a great product to engage on an enterprise level - large companies have dedicated security teams and requirements that you as a vendor need to work with to close the deal.

Having a disaster recovery plan in place is one of the first steps to becoming enterprise ready. Any sizeable organization is going to want assurance that in the event of a crisis, any lapse in the service you provide is going to be as brief and as painless as possible. And, furthermore, that enterprise is going to want proof to back up that assurance. That proof is called a disaster recovery plan. A disaster recovery plan specifies how your company intends to mitigate the risk of an incident resulting in downtime, as well as the processes in place for remediating and recovering from one. Given organizations' increasing dependency on information technology to run their operations, the more critical your product is to the day-to-day functioning of an enterprise, the more you must demonstrate this competency.

Creating and maintaining a disaster recovery plan is no simple task. Each employee should be trained in his or her role and responsibility in the event of a crisis or outage, and the plan should be documented and tested to ensure continuity of procedures and availability of essential resources in the event of a disaster. Your plan should specify easily executable and repeatable procedures for recovering and repairing any damaged IT resources and restoring them to operation as rapidly as possible. Be sure to include a summary of the critical assets and services, their recovery objectives, and recovery priorities, in addition to the contact information for disaster support agencies and a secondary data center service provider or other temporary means of providing service.

Security policy and practices are another prerequisite for navigating a large corporate environment. Without demonstrating the security of your product, you've effectively lost your seat at the table with enterprise companies. In today's tech-saturated world, an information security breach, hack, or hijack can cost thousands of dollars - not to mention inestimable damage to brands and consumer trust. This means an even greater burden of proof lies on vendors (and their cloud providers) as far as security is concerned to prevent such an event from happening. For example, if you're storing data on behalf of customers, are they encrypted in your database? Do you have strong access policies? Are your employees trained and certified when it comes to securing both corporate and personal accounts? If you're a web-based app, do you use a web app firewall (WAP)? Do you have IP and firewall restrictions in place from a cloud security service like Dome9? And what level of security does your cloud provider (e.g., Amazon Web Services) provide? The answers to these questions can help you structure your security policy and practices in alignment with enterprise needs.

To augment these policies and practices, you should also implement security review and testing. Policy and procedures are critical, but without confirmation and review of their execution, they only live in theory. For this reason, implementing internal and external reviews to ensure that your company, your employees, and your partners are all following your policy is critical. Ultimately, you should be able to show that you've created a process that's being applied day-to-day, which is sufficient enough to hold off socially engineered attacks and risks from phishing and malware, among other threats to your security. Allowing for third-party penetration testing is a great strategy to demonstrate your security capacity in this way. The more you can verify the process and results of that testing, the more you can prove to an enterprise that your product is effective and safe for use on a large scale.

Working with enterprise certainly has massive upsides, but with those benefits inherently comes a higher level of skepticism, scrutiny, and caution. Expect to have to prove that you can support sophisticated systems on a large scale, not only in terms of operation but also when it comes to appropriate processes, documentation, and security. The more you can anticipate enterprise needs and have the necessary procedures in place right out of the gate, the greater the level of confidence larger organizations will have in your company, and the better you can serve your customers.

For additional information about making your organization enterprise ready, check out these resources:

  1. Disaster Recovery Journal Sample Plans
  2. Cloud Security Alliance (CSA) Security Guidance
  3. AWS Security Center

More Stories By Rich Sutton

Rich Sutton is co-founder and CTO at Nexgate, a cloud-based social media compliance and security solution. Along with holding multiple patents, he has more than 15 years of experience in enterprise software and application development experience. Prior to working at Nexgate, Rich led a 50+ person engineering team building Websense’s web security product portfolio and also held senior management and technical positions at Symantec, 8e6 Technologies (now Trustwave), and eFunds (now Fidelity) building everything from SaaS applications to high-throughput network appliances, client security software, and mobile applications.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Latest Stories from DevOps Journal
Founded in 1997, ActiveState is a global leader providing software application development and management solutions. The Company's products include: Stackato, a commercially supported Platform-as-a-Service (PaaS) that harnesses open source technologies such as Cloud Foundry and Docker; dynamic language distributions ActivePerl, ActivePython and ActiveTcl; and developer tools such as the popular Komodo Edit and Komodo IDE. Headquartered in Vancouver, Canada, ActiveState is trusted by customers and partners worldwide, across many industries including telecommunications, aerospace, software, financial services and CPG. ActiveState is proven for the enterprise: More than two million developers and 97% of Fortune 1000 companies use ActiveState's solutions to develop, distribute, and manage their software applications. Global customers like Bank of America, CA, Cisco, HP, Lockheed Martin and Siemens rely on ActiveState for faster development, ensuring IT governance and compliance, and accelerating time-to-market.
The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential. The DevOps Summit at Cloud Expo--to be held November 4-6 at the Santa Clara Convention Center in the heart of Silicon Valley--will expand the DevOps community, enable a wide sharing of knowledge, and educate delegates and technology providers alike. Recent research has shown that DevOps dramatically reduces development time, the amount of enterprise IT professionals put out fires, and support time generally. Time spent on infrastructure development is significantly increased, and DevOps practitioners report more software releases and higher quality.
DevOps Summit at Cloud Expo Silicon Valley announced today a limited time free "Expo Plus" registration option. On site registration price of $1,95 will be set to 'free' for delegates who register during this offer perios. To take advantage of this opportunity, attendees can use the coupon code, and secure their registration to attend all keynotes, DevOps Summit sessions at Cloud Expo, expo floor, and SYS-CON.tv power panels. Registration page is located at the DevOps Summit site.
Leading provider of Continuous Delivery and DevOps software XebiaLabs today announced enhanced integration between Puppet and XebiaLabs' XL Deploy, the deployment automation solution that supports DevOps and Continuous Delivery teams. XL Deploy in combination with Puppet means one seamless automation process to deploy your apps.
Software is eating the world. Companies that were not previously in the technology space now find themselves competing with Google and Amazon on speed of innovation. As the innovation cycle accelerates, companies must embrace rapid and constant change to both applications and their infrastructure, and find a way to deliver speed and agility of development without sacrificing reliability or efficiency of operations. In her keynote DevOps Summit, Victoria Livschitz, CEO of Qubell, will discuss how IT organizations can automate just-in-time assembly of application environments – each built for a specific purpose with the right infrastructure, components, service, data and tools – and deliver this automation to developers as a self-service. Victoria’s keynote will include remarks by Kira Makagon, EVP of Innovation at RingCentral, and Ratnakar Lavu, EVP of Digital Technology at Kohl’s.
PagerDuty, the leader in operations performance management, announced the public release of its Advanced Analytics tools, which provide insights IT teams can use to improve team and system performance. Leveraging PagerDuty’s robust data on key operational metrics like incident frequency and time to respond and resolve, companies can now drive even faster incident resolution. The new capabilities further expand PagerDuty’s operations performance platform by giving managers the ability to analyze and improve key drivers of uptime.
In today's application economy, enterprise organizations realize that it's their applications that are the heart and soul of their business. If their application users have a bad experience, their revenue and reputation are at stake. In his session at 15th Cloud Expo, Anand Akela, Senior Director of Product Marketing for Application Performance Management at CA Technologies, will discuss how a user-centric Application Performance Management solution can help inspire your users with every application transaction.
SYS-CON Events announced today that Serena Software will exhibit at DevOps Summit Silicon Valley, which will take place on November 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA. Serena Software supports DevOps and Continuous Delivery by providing application deployment automation and software release management solutions to replace slow and error-prone manual processes. 2,500 enterprises around the world trust Serena to help them develop and deploy better software.
DevOps Summit at Cloud Expo Silicon Valley announced today a limited time free "Expo Plus" registration option through September. On site registration price of $1,95 will be set to 'free' for delegates who register during special offer. To take advantage of this opportunity, attendees can use the coupon code, and secure their registration to attend all keynotes, DevOps Summit sessions at Cloud Expo, expo floor, and SYS-CON.tv power panels. Registration page is located at the DevOps Summit site. Your DevOps Summit registration will also allow access to @ThingsExpo sessions and exhibits. Register For DevOps Summit "FREE" (limited time) ▸ Here
Qubell, an innovator in application deployment and configuration management, empowers online companies to do what they have never been able to do before: put into consumers' hands innovative new features and services, almost as fast as they can conceive them, without sacrificing control, reliability or uptime. Qubell emerged from stealth in the summer of 2013 (see related press release) and announced that Kohl's completed its initial implementation (see press release). Founded by pioneers in enterprise cloud applications and services, Qubell has its headquarters in Menlo Park, Calif. For more information, visit qubell.com.