Cloud Archive

Do the Math!

I just came across yet another security pro recommending private audits of a cloud services provider’s facilities as the way to get comfortable with its operations.  Really?!  It seems that the security and privacy professionals recommending this need to catch up on their reading and perhaps do a little bit of math.

Fundamentally, cloud services are all founded on the principle of “scale.”  Microsoft’s “Economics of the Cloud” whitepaper discusses the many ways that scale contributes to the supply-side and demand-side economics of cloud services provision.  In my blog post “Special is Extra” I explored how special requirements have the potential to increase the costs associated with a cloud service.  Enterprise class cloud services providers therefore look to use standard approaches across their environments to provide scale at lower costs to customers.  Standard approaches often include third party audits to test compliance against recognized standards such as SAS 70, ISO 27001, FISMA and HIPAA.

Now consider a cloud service provider with 10000 customers using geographically distributed resilient facilities.  A full compliance audit against any recognized audit standard is a lengthy endeavor, even when all the supporting processes and paperwork are in good order.  Audits can often last several months.  So even if customers engage auditors with cloud services experience, these private audits will not be single day affairs and will require many days on site.  If we were to be very optimistic and suggest that each audit would require one week on-site, with approximately 200 working days a year (no weekends, no holidays, rounded down for easy math), that would leave 40 potential audit slots.  In any one of those week-long slots, there would be 250 (10000/40) individual customer reps going through the cloud facilities.  The number of individuals could be far higher, since each company would typically be represented by more than one person.

Let’s consider the impact of this from a security perspective.  We quickly see that this practice, even if it were practical, would greatly reduce the assurance of the cloud services (hundreds of outside visitors walking through the facilities every week) and increase the costs of the services (due to the added staff required to assist the 250 audit teams each week, to shepherd the teams through the facilities, to conduct clearances and reviews of all visitors, etc.).

As you consider your enterprise class service provider, review the independent audit reports against your compliance requirements.  Rest assured that the independent experts that conducted these audits did so on your behalf and on behalf of all other customers using the service.


Clouds and Condos

I’m a big fan of metaphors to help describe new technologies, since they often help people who aren’t immersed in the stuff on a daily basis gain a quick understanding by building a crosswalk to things with which they are familiar.  Of course I fully appreciate the limitations of metaphors as well.  I can’t tell you how many debates have been started as the trolls look for any discontinuities in the examples used.

It’s been interesting to be caught up in the technology transformation that we know as cloud computing.  While this transformation has had a significant impact on how technology is delivered, it has also had a significant impact on who is having the conversation about these technologies.  No longer are only the technology people discussing new ways of delivering the services; it’s also the organization’s service delivery leaders, the financial group, the legal group and even the board of directors that are actively engaged in the conversation.  This is where the challenge arises.  Cloud is an umbrella term that covers a wide variety of technologies, processes and even philosophies for delivering IT as a service.  All these different permutations and combinations can quickly lead to confusion and rat-holing when decisions need to be made.  Enter the metaphor.

One of my favourite places to look for a metaphor is the automotive industry, and I’ve used the collection of parts, kit car and dealership example to try to characterize cloud services.  I’ve also used the lumberyard, pre-manufactured home and site-built home as well.  Unfortunately, I still get some blank stares from the audience (maybe it’s just my delivery :-) ).  So I gave it a little more thought and came up with an example that I think everyone can relate to and that doesn’t give the trolls too much to complain about.  Since everyone needs a place to live, I thought that the housing example, refocused, could serve as a useful way to help clarify the different cloud services.  Here it goes:

When organizations are looking to gain an appreciation of the degree of flexibility offered by the cloud service delivery models of Public, Community/Hosted and Private cloud, confusion often arises among the various stakeholders.  A simplified approach may be to use the metaphor of apartment, condominium and building ownership to help illustrate the respective levels of specialization an organization can expect.

Public Cloud as an Apartment

If you think back to when you rented an apartment, you’ll remember that in addition to looking for a space that fits all your stuff you also considered what services were included in the monthly rent.  Electricity, water, gas, heat and even cable came up in the discussion.  Even paint colours (configurations of the space) could be limited (no flat black walls please).  Ultimately, it was all described in the standard rental agreement, which was the same for all tenants.  Public cloud services are not unlike the apartment model in that they provide a given set of packaged services to a broad community.  If you find a cloud offering that you think fits, you complete the legal agreements and set off to configure it to meet your needs.  Just as you aren’t able to tear out a wall or encroach on your neighbour in the rental, the public cloud offering will also note the extent of customization possible.  Finally, like the apartment where you rely on city inspectors for their review of the building, public cloud services will have third party reviews to provide subscribers with assurance.

Community Cloud as a Condominium

For many people, a condominium provides additional say in their living space, albeit with an additional cost in the form of condominium fees.  The condominium can provide the resident with the ability to configure their internal space as they see fit.  Replacing fixtures, changing floors and other light customizations are generally permitted.  Since many condos also share common space, a community association is typically established to define the common services the community can use.  In some cases, there may also be agreement on common standards the community must adhere to (exterior colours, roofing, public spaces).  Community clouds have similarities in that they provide customer clusters with the ability to customize services across the community.  Through the community, each tenant has a voice in what services are generally provided as well as the manner in which the service can be used.  Like a condominium where significant infrastructure upgrades (say, window replacement) can be scheduled based upon the residents’ wishes, community cloud services often provide the ability to define the timing of significant changes.  Finally, the condo agreement often provides tenants the flexibility for input and adjustments to meet their requirements.

Private Cloud and the Building Owner

Sometimes it’s a noisy neighbour, sometimes it’s the ability to put that new satellite dish on the roof, but there may come a time when you want to have full control over your entire domain.  In those cases you need to buy the building.  When you own and manage the building, you have full rein to customize the spaces, but you will find that you also have full accountability for them.  Of course, this generally comes with added expense as well.  As a building owner you can often save money by adopting the practices of others, from preventative maintenance to environmental sustainability.  There is a similarity here with Private cloud, where organizations operate the infrastructure they own.  Adopting private cloud processes and philosophies will allow organizations to gain some of the efficiencies found in the other cloud models while continuing to be in full control of all aspects of the service.

So while all metaphors have their pitfalls (I haven’t figured out yet how to make the above-mentioned spaces elastic so that they expand when more capacity is needed ;-) ), I think you’ll find these helpful in framing the degree of specialization each cloud model accommodates.


Special is Extra

It’s funny to read the fine print included in some ads.  I guess I never thought of trying to get double meat on my fast food sandwich for the same price.  After all, a double is a double and a single is a single.  I think we can all appreciate that there are some options that we can choose when ordering which will be included in the price, and there are other special asks that might cost a little more.

Now you might ask: “what’s he on about fast food sandwiches and disclaimers” in a technology oriented blog?  Great question!  The connection lies in a recent presentation I made at a conference on “Cloud Computing Law.”  I have to admit that as an engineer I felt a little out of place in the roster of legal professionals that followed my kick-off session, but having worked with IT as a service for the better part of 10 years, especially focused on cloud and legal/policy issues for the last four, I could provide a practitioner’s perspective.  Of course I always start off with the “demystifying the cloud” messages that help everyone appreciate the variety of technologies, processes, business models and locations that cloud services can refer to.  There is still confusion out there, and it’s making business leaders wary of going to the cloud.  It’s also perpetuating some of the myths I’ve written about earlier.  As organizations look to take advantage of the opportunities of cloud computing, they have the choice of whether to build cloud capabilities in their own facilities, ask a service provider to host their cloud services, or make use of public cloud services over the Internet.

Moving from internal cloud services to public cloud services allows economies of scale to kick in and decreases, often dramatically, the costs associated with the IT service (see the Economics of the Cloud paper).  However, as you move from private, through hosted, to public cloud services your ability to obtain customized solutions decreases.  Generally, the broader the audience the solution serves, the more you’ll be limited to simple configuration rather than customization.

This takes us back to the presentations at the cloud computing law conference, where there were several suggestions around what organizations should demand from their cloud services provider.  In many cases cloud providers have already packaged these requirements into the baseline service offerings or the business agreements that are struck with customers.  In some cases, well, it just doesn’t work that way.  One example that stands out in my mind is the suggestion that cloud consumers demand a private right to audit the operations of the cloud provider.  Trustworthy cloud operators will already have had independent validation of their operations against one or more audit standards, be it SAS 70 or ISO 27001, to provide a consistent, industry recognized measurement of the trusted operations of their facilities.  These worldwide recognized audit standards have been developed to provide confidence without requiring separate independent reviews.  Think of it like the health inspector checking out the restaurant so that you don’t have to go through the kitchen yourself.  Can you imagine what the operations of a cloud service provider would look like if each of their thousands of customers audited their facilities?  My sense is that on any given day there would be tens, if not hundreds, of audit personnel in the data centre.  Operators would have little time to actually operate their facilities and would be kept busy shepherding people through their facilities and documentation.

If you really want to have your own non-standard capabilities, you may need to look to a provider who is more specialized in meeting your custom requirements, and that, of course, may cost extra.


Considering Compliance When Adopting Public Cloud Services

Cloud computing processes and technologies offer organizations the opportunity to transform their approach to IT services delivery and ultimately to transform their overall services delivery. While several characteristics fundamental to cloud computing are relatively novel (e.g. elasticity, transparent scalability, usage based billing), there are some aspects of cloud services, especially in procurement, that organizations will be familiar with. Many organizations are using public cloud services for their service delivery. While the path each has taken to implement cloud services has been different, there are some activities that they have commonly performed:

1. Select a candidate service (capability) that will be provided – While many CIOs have included “moving towards cloud services” in their strategies, actual implementation of these services requires that CIOs and their service delivery leaders go well beyond the concept and take a detailed look at what services and information holdings they plan to host in the cloud. For existing services, organizations should take the time to examine how their user community is actually using the services, over and above the official purpose of the system in question. This will help identify any unexpected categories of information that need to be supported. Organizations should also take the time to think about, and almost predict, how their community may find alternate uses for new services that they are looking to deploy in the cloud. This will help avoid any unintended consequences.

2. Assess the compliance obligations for the service (PCI, FOIPPA, PHIPPA, SOX etc.) – The output from the first step should be a clear understanding of the services and information that will be transitioned to the cloud. Since all services are governed by legislation, policy or standards, it is essential that a thorough analysis of the compliance obligations be carried out by a compliance team composed of a partnership between the service owner, legal and IT organizations. It is often the case that several compliance regimes will apply to an individual service.

3. Take a realistic look at how the organization conducts business today (mobile devices, Internet presence, partner connections, POTS, social network use etc.) – While any change in how an organization delivers its services provides an opportunity for improvement and to address gaps that have arisen over time, a balance must be struck so as not to over-engineer the solution. Instead of taking a blank slate approach to delivering services via the cloud, successful deployments have taken a look at the current service delivery environment and examined the differences that the cloud services introduce. This approach also effectively addresses arguments about security, privacy, availability etc. that are framed in absolutes rather than relative to the current state.

4. Conduct a preliminary Privacy Impact Assessment (PIA) and Threat Risk Assessment (TRA) – Now that a clearer understanding of the services has been developed, there is an opportunity to conduct a preliminary TRA and PIA. These assessments identify the information assets, the threats to those assets and the safeguards required, and provide insight into the remaining risks that need to be addressed before the services are deployed. These preliminary reports go beyond technology based recommendations and will help identify policy, process, people and publication safeguards/controls for the services. Should the organization determine that the remaining risk of its planned deployment is too high, there is an opportunity to go back, revisit the approach and add additional safeguards. Organizations can also look to hybrid models where the sensitive information remains on premise and a less sensitive portion of the service is migrated to the cloud.

5. Pilot the service – The very nature of cloud services provides a great way to try out new services. Because you only pay for what you use, organizations can quickly and cost effectively get access to cloud services so that they can investigate how the services fit with their plans. These pilots/prototypes can be done at the same time that the policy/compliance work is being done.

6. Assess the potential risk delta in moving to the new cloud model – The preliminary PIA and TRA provide the foundation for the business assessment for the adoption of cloud services. It should consider both the current operational environment and the planned cloud end state. It is essential that the risk be considered in the context of the current ways that the services are performed, since starting from a blank sheet or ideal world scenario can introduce an explosion of scope creep that extends far beyond the project in question.

7. Conduct a detailed review of the Service Level Agreement, including a mapping to current service levels – The Service Level Agreement is the cornerstone safeguard for effective outsourced service provision, since it describes the expectations and obligations of both the service provider and the consumer. Several organizations have made the case for cloud services to their senior management based upon the service enhancements over their existing service delivery capabilities (e.g. availability, capacity, discoverability). Organizations should take the time to fully describe their service expectations and avoid sending poorly understood services to cloud providers. A sure recipe for failure is a poorly understood service tossed into the cloud: neither party will know what is expected, leading to discontent.

8. Build out the business case – Successful deployment of any full service ultimately relies on a solid business case. While cloud services do have the potential for organic, bottom-up growth because of usage based billing, fully sustainable solutions are supported by solid business cases. The biggest challenge experienced with business cases is accurately capturing the current total cost of ownership. Organizations generally underestimate their current costs because it is often difficult to get full visibility of the various direct and indirect costs associated with a service.

9. Decide and manage the risk – Ultimately the decision to maintain the status quo, adjust a service or deliver a new service comes down to a risk management decision. All of the activities described above help develop the evidence for the line of business leader to make an informed risk decision.

Canadian organizations are beginning to take advantage of cloud services for their service delivery initiatives. Those that have been successful in deploying them have generally performed these high level steps to tease out and address the risks and opportunities associated with their move to the cloud.


Guest Posts and More!

You’ll no doubt have noticed that I haven’t updated this site for a while, but I am making a commitment to come back.  I’ve written a couple of guest posts at http://bepublic.ca.  You can find them here:

Where Private Cloud Fits in Your IT Strategy

Weighing the Risk of a Cloud Strategy

Oh, and I’m sure you’ll find my TEDx Manitoba presentation interesting as well.
