

Gartner: Seven cloud-computing security risks


Cloud computing is fraught with security risks, according to analyst firm Gartner. Smart customers will ask tough questions and consider getting a security assessment from a neutral third party before committing to a cloud vendor, Gartner says in a June report titled "Assessing the Security Risks of Cloud Computing." 

Cloud computing has "unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e-discovery, regulatory compliance, and auditing," Gartner says.

Amazon's EC2 service and Google's Google App Engine are examples of cloud computing, which Gartner defines as a type of computing in which "massively scalable IT-enabled capabilities are delivered 'as a service' to external customers using Internet technologies."

Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that's been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.

Here are seven of the specific security issues Gartner says customers should raise with vendors before selecting one.

1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says.

2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions," according to Gartner.

3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.

4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. "Find out what is done to segregate data at rest," Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability," Gartner says.

5. Recovery. Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says. Ask your provider if it has "the ability to do a complete restoration, and how long it will take."

6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."

7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.

Wed Jul 02, 2008



Microsoft lays out SQL Server roadmap

Microsoft laid out on Monday its road map for SQL Server and a complement of add-ons it hopes will eventually redefine business intelligence and data warehousing.

The next version of the database server, code-named Kilimanjaro, is slated for release in the first half of 2010 with a focus on self-service and reporting capabilities for BI. Microsoft plans to have a "community technology preview" (CTP) available within the next 12 months.

The self-service features are wrapped up in a set of technologies code-named Gemini. Those technologies let users build BI applications that can access data across many sources, aggregate the data, build charts and reports, and share the resulting applications via SharePoint.

Microsoft also plans to integrate the unified communications capabilities of Office Communications Server to aid the sharing of BI results.

Microsoft said much of the Gemini technology will be tied to Excel, allowing users of that desktop program access to the self-service analytics.

Microsoft made the announcements at its annual BI Conference, which is going on in Seattle this week and is expected to draw 2,500 users and partners.

The company's acquisitions in the BI market and its stated intentions to expand BI capabilities on the back of its popular SQL Server have been shaking up the market in the past six months.

Giants like Business Objects/SAP, Cognos/IBM, and Hyperion/Oracle are among the BI heavyweights with an eye on Microsoft.

A report by Gartner earlier this year said Microsoft still "lags behind pure-play vendors in terms of metadata management, reporting, and dashboard and ad hoc query capabilities."

Microsoft plans to systematically address those deficiencies.

The immediate goal is to extend its BI tools and software so they are more accessible to users, especially those using Excel and SharePoint.

With Gemini, Microsoft hopes to bring BI to users without sacrificing IT control.

"One important thing about Gemini is managed self-service," says Fausto Ibarra, director of product management for SQL Server. "Managed means IT is in control of the process where today end-users use Excel without control of IT or without control on data."

With Gemini, IT will be able to see how data is being shared, will have control of security on the data, and will make data sources available to users.

Those sources could include ERP data, mainframe applications and independent software vendor programs.

Another key feature of Gemini is in-memory BI, which analyzes large amounts of data in memory in order to speed performance.

At the conference, the company also unveiled plans for a highly scalable database technology code-named Madison that would be available in an appliance. Madison integrates SQL Server with technology the company acquired when it bought DataAllegro earlier this year.

DataAllegro developed large-volume data warehousing appliances, and Microsoft hopes to scale Madison to handle hundreds of terabytes of data. At the conference, Microsoft showed a demo using 1 trillion rows of data.

The company also plans to use data quality technology acquired when it bought Zoomix in July to enhance the quality of available information. Microsoft would only say the technology will come in "future versions" of SQL Server.

CTPs of Madison will roll out in the next 12 months with the appliances available in the first half of 2010. Dell, HP, Unisys, Bull Systems, and EMC have signed on as hardware partners.


IBM's cloud initiative repackages its familiar offerings

Mixing together a mélange of services, software, and marketing, IBM's announcement this week of its Cloud Services Initiative is about putting an organizing construct around all of its cloud offerings, according to one IBM executive.

To that end, it does not appear that there is much new in the way of products or services in the initiative.

Mostly repackaging of IBM datacenter and Lotus technology

Bluehouse, the centerpiece of the initiative, is a Web-based tool for collaboration. However, while the name may be new, Bluehouse actually incorporates a great deal of Big Blue's existing products, such as IBM's Lotus SameTime collaborative and social networking environment. Bluehouse builds on the services currently offered in SameTime for instant messaging and unified communications. "Bluehouse adds document sharing, contact sharing, and community building all in a SaaS (software-as-a-service) model," said Dave Mitchell, director of strategy for cloud services at IBM.


Along with Bluehouse, IBM also announced SameTime Unyte, a Web conferencing offering. Unyte is part of Bluehouse as well.

In addition to Bluehouse, the four-part initiative adds to IBM's SaaS platform offerings, whereby IBM hosts the delivery infrastructure for software vendors. What's new is not technological but marketing: IBM has broadened the definition of a partner, expanding it to mean any software vendor that uses two out of three products IBM delivers: middleware, hardware, and managed hosting. Partners are also the beneficiary of joint marketing efforts.

Services to integrate cloud components into an organization's business environment are also available for IBM customers.

The fourth component will provide a datacenter environment based on IBM's Cloud Computing Centers around the world. This will give customers remote access to computing power in an on-demand environment.

Looking past proprietary clouds

Although the Bluehouse effort appears to be something IBM has been doing for a considerable number of years through its datacenter services, Mitchell hinted at doing something more, resolving an issue that has recently been swirling around the use of cloud solutions. "We are working with our partners using SOA to develop open clouds as opposed to proprietary clouds as in the past."

This comes on the heels of recent statements by, for example, Richard Stallman, founder of GNU and a well-respected industry watcher, who was quoted in the British newspaper The Guardian as saying cloud computing is nothing more than a "marketing hype campaign" and a "trap which will lock users into proprietary systems."

The difference between what IBM is offering and others, says Mitchell, is that an open cloud environment will give users more interoperability and more connections to partners.


Oracle tries to step up on high-end databases

Since 2005, Oracle has spent at least $32 billion on acquisitions -- turning itself into the vendor of a top-to-bottom enterprise software stack that is arguably broader in scope than any rival suite.

In doing so, Oracle hasn't diluted its database focus. Sales of databases and middleware still account for more than half of its revenue. And according to consulting firm Gartner, Oracle controlled 49 percent of the global database market last year, with more revenue than the next four vendors -- IBM, Microsoft, Teradata and Sybase -- combined.


But Oracle has shown some signs of vulnerability at the high end of the database market. For instance, many Web 2.0 companies are eschewing its databases and instead running open-source technologies like MySQL on grids of PC servers. And corporate users with data warehouses sized in the hundreds of terabytes, or even in the petabyte range, are finding column-oriented databases and specially tuned data warehousing appliances to be more scalable than Oracle databases are.

So Oracle's annual OpenWorld conference in San Francisco two weeks ago was heavy on database news as the company tried to show that it is agile enough -- and its software is robust enough -- to respond to the new challengers.

At the top of the list was Oracle's announcement of a pair of hardware products -- its first ever -- aimed at users looking to get ultrafast performance out of their ultralarge databases.

For the past six months, Oracle CEO Larry Ellison had teased users and analysts with hints that the vendor would introduce a "database accelerator" at OpenWorld. That turned out to be the Exadata Storage Server, which combines Oracle's parallel query software with ProLiant servers from development partner Hewlett-Packard.

What makes the Exadata system different from a typical storage server, according to Oracle, is the database intelligence built into the device. Ellison claimed that Exadata can speed up large queries by performing lower-level calculations on the information it stores and then sending the results to the main database, instead of flooding it with raw data.

The other new product, the industrial-sounding HP Oracle Database Machine, is a self-contained system designed to match up against integrated data warehousing appliances from vendors like Teradata and Netezza.

The Database Machine combines eight regular database servers running Oracle Database 11g with 14 Exadata systems that have a total storage capacity of 168TB and InfiniBand connections offering 14GB/sec. of aggregate data bandwidth.

That all costs a mere $2.33 million -- for existing customers that have enterprise or unlimited Oracle database licenses. New customers would have to pony up for licenses for the eight database servers; based on the configuration recommended in an Oracle white paper, that would cost an additional $3.22 million, analysts said.

Even so, Christo Kutrovsky, a database administrator at The Pythian Group, an Ottawa-based company that manages databases for corporate clients, said he thinks the Database Machine could be worth the steep cost if the alternative is having the IT department try to assemble a similar system itself.

"Ninety percent of the problems I've seen are due to improperly configured systems," Kutrovsky wrote in Pythian's corporate blog. Installing the Database Machine eliminates that issue by making configuration errors "impossible," he said.

According to Oracle, customers that tested production workloads on a half-size Database Machine said queries ran 10 to 72 times faster than they did on other systems. Those early users include the Chicago Mercantile Exchange, supermarket chain Giant Eagle and LGR Telecommunications, which develops data warehousing systems for telecommunications carriers.

In a blog post, Forrester Research Inc. analyst James Kobielus described the introduction of the Database Machine and Exadata as "a bold move into petabyte scale-out territory -- an emerging, very-high-end niche in which one veteran vendor, Teradata, has been preeminent."

Kobielus also noted that Oracle's storage layer is transparent to applications, meaning they don't need to be rewritten in order for users to see performance gains on the new systems.

Lukewarm reception

But Tim Hall, a U.K.-based Oracle DBA, blogged that he was "a little underwhelmed" by the OpenWorld announcement. "It all seems a little irrelevant to me," Hall wrote, citing the price tags and high-end focus of the new products. "For me, this is like discussing the merits of a Lamborghini when I'm actually going to buy a Renault Clio."

And independent database analyst Curt Monash said that although the Database Machine and Exadata are impressive from a technical standpoint, he doesn't expect them to win over many Web 2.0 companies or other new users. The technologies make the most sense for businesses that already use Oracle's data warehousing products and "are content to pay Oracle prices," Monash said.

For companies that don't have money to spend on a turbocharged system like the Database Machine, Oracle is touting 11g's Advanced Compression option. In a session at OpenWorld, Oracle officials said the data compression technology can dramatically shrink database table sizes and boost read/write speeds by as much as three to four times in data warehouses as well as transaction databases.

In fact, Oracle claims that companies using Advanced Compression no longer need to move seldom- or never-used older data to archives. Instead, they can keep all that information in their production databases, according to Oracle officials.

But users haven't flocked to Advanced Compression yet. One reason is that it's not a free add-on: Licenses start at $11,500 per processor -- a relatively high price in its own right.

In addition, the technology is available only to users of the year-old 11g Enterprise Edition, which has yet to be widely adopted. Andrew Mendelsohn, senior vice president of server technologies at Oracle, said that 75 percent of the company's database customers are running its 10g release, while another 20 percent are still using the even older 9i version.

For instance, LGR Telecommunications has built a pair of 300TB data warehouses for AT&T, which stores its caller data records in them. But the databases, which run concurrently, are based on 10g and can't take advantage of Advanced Compression yet.

Hannes van Rooven, a technology manager at LGR, said during a presentation at OpenWorld that his company uses compression only to a limited extent now, although it does plan to increase its usage "extensively" in the future.

Intermap Technologies Inc. is running the spatial version of 11g for an 11TB database of mapping and imagery data that is expected to grow to 40TB by the first quarter of 2010. But Sue Merrigan, senior director of information management at Intermap, said that the company doesn't compress the data "because we're concerned it would lose its accuracy."

That wouldn't happen, Oracle officials said. But comments such as Merrigan's show that even among some of its loyal customers, the vendor still has a sales job to do on Advanced Compression -- never mind the Database Machine and Exadata.

Chris Kanaracus of the IDG News Service contributed to this story.


CA to unveil datacenter automation package

CA plans to unveil this week its datacenter automation product that industry watchers say will help IT staff offload server resource-provisioning duties and give CA an advantage over competitive products from BMC and HP.

CA Data Center Automation (DCA) Manager r11.2 will let customers automate systems monitoring and resource provisioning. The software competes with technology HP acquired with Opsware and BMC bought with BladeLogic. CA developed its product in-house, which industry watchers say could give CA an edge if competitors are still working to integrate acquired software.


"CA's seemingly slow progress on the DCA technology is a sign of an internal design approach which might just be the right one," says Evelyn Hubbert, senior analyst with Forrester Research. "Acquisitions are always challenged by architectures, which need to be matched or modified mostly to the disadvantage of the client. CA knows its architecture and can design integrations and extensions from the ground up."

For instance, DCA Manager will integrate software for network and systems management as well as ties to Wily Introscope 8 and Customer Experience Manager 4.2 products for application performance management, which are also scheduled to be announced this week.

DCA Manager runs on a server and works with existing agents in a customer environment to gather information and trigger events. The software collects system software and hardware configuration information, discovers applications and their dependencies, and detects change across the environment. Integration with existing products also give the software access to network availability, application performance, and business service management data, which CA says can help automate resource allocation based on demand.

"The software includes algorithms and policy-based management features that, for instance, can compare how application performance correlates to resource consumption. Based on that information, DCA Manager can determine if resources need to be provisioned," says Stephen Elliot, vice president of strategy for CA's Infrastructure Management and Data Center Automation business unit (and a former IDC analyst). "Customers need to be able to allocate resources based on the business demand."

DCA Manager monitors utilization and performance across mixed-platform datacenter environments. The data can then be fed into customizable dashboards that give data center managers a view of their physical and heterogeneous virtual environments, which analysts say is a capability many vendors are looking to offer.

"It's unclear at this point if the market for data center automation products is tied to hardware, which could be HP's selling point, virtualization platforms like VMware and Microsoft or third-party software that can handle heterogeneous hardware, operating systems and virtual technologies," says Mary Johnston Turner, senior analyst with Enterprise Strategies Group.

CA says the DCA Manager software can also be used to provision resources on a scheduled basis, letting customers delegate duties. For instance, at Queens College a self-service feature lets non-IT staff schedule desired resources for specific applications or events. Once scheduled, DCA Manager uses images and templates built by the college's IT staff to automatically provision the server capacity for the assigned function. When the need is no longer there, the resources can be reclaimed by IT.

"When it comes to management, IT decision makers list the impact on IT staff and cost as the top factors they consider. CA's self-service reservation management systems gets IT in part out of the workflow and lets end users schedule resources for themselves," Turner says. "Technology that saves on staff time and keeps the business going is compelling, and right now investing in automation tools is really going to pay back for IT."

Naveed Husain, CIO at Queens College, a City University of New York public educational institution, is conducting a proof of concept on CA DCA Manager. He says the software, which is not fully implemented, could help him manage more than 100 Dell servers running Windows and Linux operating systems and supporting more than 20,000 students, staff, faculty and other employees at Queens College -- without adding head count. And with virtualization on the horizon, Husain realized he couldn't postpone an investment in infrastructure monitoring and automation technology any longer.

"It's embarrassing to have built a high-availability environment with redundancy and failover and get calls because disk utilization on a server is over 75 percent and you didn't know because you can't have human eyes on all the servers all the time," Husain says. "At the low end we would pay $36,000 for a help-desk position and then anywhere between $60,000 and $90,000 for senior IT staff. Because I can't invest in staff, I am going to invest in this automation tool because I believe it will make my staff's lives easier now and save us money while the work still gets done."


IBM bundles up cloud computing initiatives

IBM has joined the companies jostling for position in the cloud computing space. The company has announced a variety of offerings that it claimed would allow users to better manage data and make collaboration easier.

The company has opened up the beta for Bluehouse, the company's so-called Facebook for the enterprise. The software has been available in closed beta for the past nine months but is now being made available to anyone. The company said that Bluehouse would combine social networking and online collaboration tools to help organizations to share documents, contacts, engage in joint project activities, host online meetings, and build social networking communities through a Web browser.


The company has also bundled Sametime Unyte, an existing product, as part of the new cloud initiative. Sametime Unyte is a Web-enabled collaboration tool that allows the sharing of documents, presentations, or applications via a Web browser. There are several new enhancements to the product, including a "waiting room" for meeting participants to gather and specialized alerts and prompts for meeting hosts. The company has said that Sametime Unyte will be bundled with Lotus Notes and Lotus Sametime to allow people working in e-mail or instant messaging to join Web conferences with a single click of a button.

Other products to be released include Rational Policy Tester OnDemand, which the company said would reduce online risks by automating compliance checks of Web content.

Rational AppScan OnDemand will scan Web applications for security bugs and Telelogic Focal Point centralizes product information shared by product management, engineering, and marketing teams.

The company said that the moves were in line with user demand. "We are moving our clients, the industry and even IBM itself to have a mixture of data and applications that live in the datacenter and in the cloud," said Willy Chiu, vice president, high performance on demand solutions, IBM. "IBM's cloud computing strategy was inspired by feedback from the business world's broadest IT customer base indicating a growing desire to utilize data, applications, and services from any device and from any location based on open standards."

Techworld is an InfoWorld affiliate.