Case study: UK-based firm adopts Azure cloud platform for critical cash security application

UK-based security firm G4S is moving its mission-critical cash management division's E-Viper application onto Microsoft's Azure platform for greater independence and agility.

Warwick AshfordUK-based security firm G4S is moving its mission-critical cash management division's E-Viper application onto Microsoft's Azure platform for greater independence and agility.

The company is currently testing its E-Viper track-and-trace application for cash and valuables on Azure ahead of a European roll-out, which starts with its operations in Cyprus at the end of November.

"Moving to Azure will help reduce our reliance on a managed service supplier and increase the speed with which we can scale up and expand," said Richard Wallace, technology director at G4S.

Slowness in responding to requests to add new sites has been a concern in the past, which will be remedied with Azure, he told Computer Weekly.

"Although we have taken some marginal monitoring duties on board, Azure enables us to add users ourselves and really runs itself with Microsoft managing the infrastructure for us," said Wallace.

Azure will also enable G4S to login to move instances of the database as required and set up new countries within hours without a lengthy change request process.

"Setting up new countries on a global platform such as Azure will be easier than working with a UK-based managed service provider," said Wallace.

The move to Azure will also cut the monthly cost of running the E-Viper application by two-thirds, he said.

Passing the security test

In preparation for the move, G4S assessed Azure against the security firm's list of 170 security checks and rewrote the application code to enable it to run on Microsoft's .Net framework.

"We had to be sure Azure would meet our stringent security requirements and that neither Microsoft nor any of its other customers would be able to access our application or data within the multi-tenant environment," said Wallace.

It was also important for G4S customers in Europe that the company could specify that only Azure's Dublin and Amsterdam datacentres be used, to comply with EU data protection requirements, even though it does not process any personal or business transaction data.

G4S will also benefit from greater resilience by moving onto the Azure cloud computing platform, which offers quick failover to deliver the 100% availability the company requires.

The due diligence part of the project took around two weeks and was a lot easier than expected, said Wallace.

"Microsoft, like Amazon, knows how to answer security questions quickly and efficiently and provide the necessary assurances to customers of cloud-based services," he said.

Wallace said G4S is one of the front-runners among organisations taking business-critical applications to the cloud.

"We believe our business can benefit from the innovation enabled by Azure and take advantage of the resiliency and high availability provided by Microsoft's Hyper-V technology," he said.

Michael Newberry, Windows Azure product manager at Microsoft UK, said as a trusted platform that can manage complex, sensitive data and systems, Azure was a natural fit for E-Viper.

"Our heritage in providing products and services built on a foundation of security and privacy was a primary factor in G4S's decision," he said.

Managing risk in the cloud

Companies such as G4S provide evidence that cloud implementations are moving from collaboration applications only to include mission-critical applications as well, said Adrienne Hall, general manager of Microsoft's Trustworthy Computing group.

According to Microsoft, it has more than 30,000 Dynamics CRM customers, which represents around two million users of its cloud-based customer relationship management (CRM) application.

Less than 1% of security exploits in the first half of 2011 were against zero-day or unpatched vulnerabilities, according to the latest Microsoft Security Intelligence Report (SIRv11), which means getting the basics right means that organisations can guard against most attacks, she said.

This also means that by switching to cloud-based managed services, organisations have the opportunity to transfer some of the risk of common threats to service providers, she told delegates at the RSA Conference Europe 2011 in London.

"Most risks are manageable, but many organisations are not doing all they can to reduce attacks. Cloud-based managed services could help with that," she said.

Cloud providers, such as Microsoft, are resourced to focus on security, said Hall, and in moving the management of a portion of security functions, resources are freed up to focus on other areas of security or on different IT projects altogether.

Microsoft's cloud-based services, she said, are all based on the company-wide security development lifecycle (SDL) to ensure that security is built-in and checked at every stage of development.

Outside organisations have downloaded more than 700,000 copies of Microsoft's standard platform-agnostic SDL since 2004, said Hall.

The fact that organisations have downloaded around 18,000 of the agile version of the SDL for cloud since it was released in November 2009 shows that development for cloud is gaining momentum, she said.

The availability and resilience of Microsoft's cloud-based services is assured through investment in datacentres around the world, and security of operations is certified by multiple organisations and audited by the British Standards Institute and Deloitte.

In addition, the security and privacy of Microsoft's cloud-based services are monitored around the clock by four global operations centres, said Hall.

Microsoft is doing all it can to help build trust and make people comfortable with the shift to cloud computing, she told Computer Weekly, by expanding its trust DNA to cover the global cloud instead of just building capabilities behind the scenes.

Read more on IT news in your industry sector