Cloud Archive

Guest Posts and More!

You’ll no doubt have noticed that I haven’t updated this site for a while, but I am making a commitment to come back. I’ve written a couple of guest posts at http://bepublic.ca. You can find them here:

Where Private Cloud Fits in Your IT Strategy

Weighing the Risk of a Cloud Strategy
Oh, and I’m sure you’ll find my TEDx Manitoba presentation interesting as well.

 


Rethinking IT Service Delivery Through the Power of the Cloud

I’ve had the opportunity to chat with many people across Canada over the past few months about the potential of the cloud, and more recently during the cross-Canada “Journey to the Cloud” tour. During these conversations I was able to confirm first-hand that while Leger Marketing has found that “Cloud computing is confusing Canadian businesses”, the number of businesses with a clear view of the opportunity presented by the cloud increases steadily every day. Conversations have leapt ahead from exploratory discussions on service descriptions to detailed conversations investigating how to leverage the innovative service delivery models possible through the use of the cloud.

Organizations exploring cloud services have the flexibility not only to leverage software as a service, platform as a service or infrastructure as a service in a public, hosted or private cloud service delivery model, but they also have the opportunity to divide up their business services across each of these possibilities. While the flexibility may seem daunting, think of the cloud as a toolbox where each of the options is a tool fit for a particular task: screwdrivers for screws, saws for cutting, etc. Beware the cloud provider that suggests you use a hammer for everything.

A case study from Aer Lingus gives a great example of the power of the cloud through the ability to provide each part of the user experience from the best technology for the job. This separation of workloads (or business services) across a variety of systems, some moved into the cloud and some staying on premise, provides the solid foundation for innovation in the customer experience. Hosting the computation-intensive and network-demanding graphic tiles associated with the route maps in the cloud while maintaining the booking systems separately helps illustrate how organizations can leverage the strengths of the cloud. The cloud provides the scalability, network reach and capacity, elasticity and economies of scale required for the images and is complemented by the existing corporate IT investments, namely the booking system, which is overlaid upon the route maps.

I’ve had the good fortune to participate in brainstorming sessions with Canadian organizations to explore how the cloud can change the way that they deliver services. During one of these brainstorming exercises, the CTO of a Canadian Healthcare community discussed some of the innovative telepathology work underway in Canada. Essentially, medical images from remote locations without pathologists in Canada are shared to a network of pathologists across Canada who, with proper authorization and security, can provide their analysis in a much timelier manner than having to travel to the location in person. As you might imagine, medical images are compute and network intensive, placing huge demands on centralized servers and resources when accessed from across the country. What if the cloud could be used to distribute this critical data? Using the Aer Lingus case study as an example, we explored the potential of distributing only the image portion of the files using the cloud, while keeping the patient data in the existing systems. This separation could speed the delivery of the image files across the country because of the capabilities of the cloud, while safeguarding the existing investment in the patient data systems. Of course this was a brainstorming session and any number of details would need to be worked out before this type of project would be launched, but I think it helps demonstrate the power of the cloud and the new flexible thinking and innovative services that it enables.


Innovation and Productivity Through the Cloud

Innovation is the engine that lifts organizations out of the economic downturn. Konrad Yakabuski, of the Globe and Mail Report on Business, pointed out that “innovation is the only sure way for Canada to be more productive” and that “innovation is the only sure way to create wealth.” More recently, The Institute for Competitiveness & Prosperity identified in their 9th Annual Productivity report:

Ontario’s prosperity gap is a productivity gap; the productivity gap is an innovation gap. We need more innovation today for our long-term prosperity.

As we recover from the economic downturn, the Task Force on Competitiveness, Productivity and Economic Progress urges all Ontarians to step up our innovation capabilities to achieve our long-term Prosperity Agenda.

As we look to determine opportunities to increase the innovation and productivity of Canadian businesses, it’s important to take a quick look at the businesses that make up the Canadian economic fabric. According to Industry Canada in their July 2010 Key Small Business Statistics, fully 98% of Canadian businesses are considered “small businesses” (less than 100 employees).

I know a few small business owners and have had the opportunity to chat with them about what they do, their challenges and how they use technology. All are passionate about the work that they do, be it carpentry, social services, retail sales, helping safeguard Canadians, etc. Ultimately, they chose the work that they do because of their love for it. Not surprisingly, technology was frequently cited as a source of frustration for most of the non-IT entrepreneurs. There was a general sense that they could do more with technology, but were a little intimidated by what seemed to be a complex endeavor.

One personal experience helped drive this point home. I was asked to help a friend resolve a problem with a slow computer that they used for their work. I took a quick look and found that this poor Internet-connected computer had not been updated in well over a year, it had no anti-virus, it was infected with three pieces of hostile code and was plagued by spam and spyware to such an extent that it literally crawled along. After a little care and feeding I was able to get the computer back in shape and get my friend back to work. One of the things that came to mind is how we can keep small business, Canada’s economic engine, as productive as possible, doing what they do best, and provide them technology in a way that helps them innovate in delivering their products and services.

The cloud offers a compelling opportunity to help Canadian businesses become more productive and support innovation in the marketplace. The provision of up-to-date business applications (email, office productivity, PC management, CRM, etc.) allows businesses to focus on their core competencies and leave the operations to those with deep IT experience. The small business owner can take comfort in the availability of critical services wherever and whenever, not only from the deep experience of cloud providers like Microsoft, but also through strong service level agreements.

Removing infrastructure costs, updates management, security failures and overall access to IT resources from the task list of small business owners has the potential to transform both the funding model (Opex vs Capex) and total spend. It also presents the opportunity to shift resources from routine infrastructure monitoring to innovation in application enablement and development activities. The recent Microsoft whitepaper “The Economics of the Cloud” notes that organizations spend roughly “80% of their time and budget on ‘keeping the lights on’” and goes further to state that “Cloud services will enable IT groups to focus more on innovation while leaving non-differentiating activities to reliable and cost-effective providers.”

So as we look to improve the productivity and innovation for Canadian business, let’s look to the cloud to explore how these utility services can act as a catalyst for businesses and the Digital Economy.


Ten Cloud Computing Myths

I’ve had the opportunity to talk to many people about cloud computing at a number of conferences across Canada. I have to say that there is considerable enthusiasm about the potential of the cloud and the many opportunities that it unlocks. Unfortunately there is a lot of uncertainty that accompanies this enthusiasm and perhaps rightly so given some of the game changing approaches that accompany the familiar. Where there is uncertainty, there are well-meaning groups and individuals who, perhaps resistant to change, paint fairly negative pictures of the cloud. I’ve collected this list of top ten myths that I have heard perpetuated at conferences and provided my thoughts on why these are indeed myths.

1. All cloud is on the Internet

Perhaps one of the most common myths is that for organizations to use cloud services they must use consumer-oriented services available on the web. It certainly doesn’t help that those companies with an internet-only service delivery model continue to push the message very hard.

In reality, cloud technologies and cloud services are available in a variety of formats: on the internet, on private networks and even within your own organizational boundaries. Many organizations are getting started with cloud technologies by building out their own “private cloud” services on their own internal networks. Even hosted cloud service providers often provide options where their services are provided over private networks to their customers. These non-internet dependent cloud services are especially important where internet connectivity may be intermittent or non-existent.

2. All cloud services are the same

Another common myth being perpetuated is the grouping of all forms of cloud services under a common umbrella and broadly applying the characteristics of one type of service to another completely different class of service. Perhaps the most common association is where consumer oriented cloud services are equated with enterprise grade cloud business services. I’ve seen music marketplaces lumped in with business collaboration sites, social networking with infrastructure services.

Not only is this broad-brush approach unhelpful, it really (no, really, really) discredits any valid points made about the considerations needed for each category or class of cloud services. While admittedly the shorthand “Cloud” services has been applied across a wide variety of technologies in different ways by a variety of providers, the broad-brush approach would be like describing, perhaps, the characteristics of a motorcycle (e.g. you can get wet when it rains) across all vehicles. Certainly the characteristic applies to some vehicles (bicycles, convertibles, pogo sticks) but not to others. The same is the case in cloud services. Cloud services vary considerably in how people consume the service (Infrastructure, Platform, Software as a service), in the business function of the service (search, database, collaboration), in the business model (subscription, advertisement, licensed), in the service model (private, hosted and public) and more. Some cloud services oblige their users to assemble their own functionality, where others are pre-packaged. As you look at any assessment of cloud services, be sure to explore a little further to make sure that you appreciate how that assessment applies to your particular business situation and use of cloud technologies.

3. You cannot mix and match cloud services

Modern organizations use a variety of best-of-class tools to address their business requirements. For some reason, a misperception persists that the move to the cloud is an all-or-nothing proposition, either from a bundling perspective or from a business application delivery perspective. This misinterpretation can hinder the adoption of cloud technologies by organizations as they look to move to these services.

Flexibility is one of the fundamental advantages of the cloud. Cloud services provide flexibility to use just what you require, when you require it. This flexibility extends into new programming models where developers have the flexibility to separate data and compute, leveraging the best locations for their operations. The interoperability built into cloud services also provides flexibility to organizations allowing reuse of internal systems, such as identity management, with external cloud services. As organizations make their move into the cloud they often adopt one or two services while keeping connections to their existing internal services.

4. Cloud Providers just toss the data into their data centers

Some presentations I’ve attended would lead you to believe that cloud service providers manage their data like an episode of the TLC’s Hoarders TV series, where data simply piles up and becomes lost.

Compliance audits, certifications, service level agreements, availability and reliability assertions all oblige enterprise-grade cloud service providers to know where their customers’ data resides.

5. Cloud providers just shovel over data in response to lawful access requests

One myth that instills concern in people is the suggestion of a haphazard approach to responding to lawful access requests. Perhaps this misperception is coupled with the previous myth, since naysayers could conclude that if organizations don’t know where the data is, they would simply hand over an arbitrary collection and let law enforcement sort through it.

Really? This is perhaps the stuff of movies. Enterprise grade cloud providers have considerable experience in responding to lawful access requests and strive to provide exactly the specific information being sought. And because close control is maintained over the data, cloud providers can separate only the information requested from the other data.

6. Operators casually browse the data sets in their custody

I get the impression that some people think of a data centre operator’s job as a boring day, spent in front of a relatively blank screen perhaps playing solitaire. The reason that this comes through is because of the false assertion that cloud operators casually browse customer data sets.

Well, if you have a single operator and a single server it could be a rather long day. But the business of cloud computing is a business of scale. To be successful, cloud service providers need to be able to operate their computing resources at a massive scale (http://tinyurl.com/2622zqt). One example of this scale is in the coverage model of operators to servers. In world class enterprise data centers the ratio of operators to servers is around 1-140. For cloud service providers that ratio jumps by an order of magnitude. I think that you can all appreciate that in today’s economic reality, enterprises can ill afford to have employees that just sit around, so one could expect that the data center operators have gainful work expected of them throughout the day. Simply put, the operators are kept busy enough maintaining the high operational availability of the cloud services that they provide that they simply would not have the time to browse the data sets. And even if they did, there are a number of internal safeguards that have been implemented to prevent this sort of misuse.

7. Law enforcement browses the cloud at service provider’s locations

Much like the aforementioned myth, a number of individuals make assertions that every use of the cloud is automatically accessed by law enforcement. There is no mention of differentiation of services, no mention of safeguards applied by consumers, no mention of the need for warrants, just a presumption of almost casual access.

Let’s take a closer look at the reality. Yes, law enforcement agencies worldwide have procedures that they can use to obtain data from cloud services providers as part of an investigation. At this year’s Federal Privacy Commissioner’s consultation on the Cloud, David Fraser highlighted the equivalences between Canadian and US lawful access procedures. Input to the Trilateral Committee on Cross Border Data flows noted that the possibility of US law enforcement using their access to obtain Canadian data is “vanishingly small”. Perhaps it’s simply “System 1” getting the best of the pundits.

8. The cloud exposes your data to incidental access

Perhaps it’s from the olden days when the high tech crime investigators literally used yellow tape, chalk lines and computer confiscation to start their investigation, but there is a myth that investigations of cloud services providers begin with wholesale confiscation of hardware.

Cloud services have been around for many years, many for well over 10 years. Both law enforcement and cloud services providers have worked together to build effective processes to provide the data required for investigation support. These processes emphasize close cooperation to provide only the data required and respect the privacy and SLAs of other customers.

9. It’s against the law in Canada to use international Cloud services

There is a common misunderstanding that there are a large number of Canadian laws that prevent the transfer of data outside of Canada extending across different business sectors both public sector and private sector.

Let me start off with a disclaimer that I am not a lawyer, so all organizations should seek competent legal advice about the compliance requirements that their organization must abide by. That said I have been deeply involved with the deployment of broad consumer cloud services in Canada, assisted Industry Canada and the Federal Privacy Commissioner in their consultations on cloud security and privacy and helped deploy cloud based services in provinces, municipalities and private sector. There is one Canadian jurisdiction with a prohibition on the storage of a specific category of data outside of Canada. The British Columbia Freedom of Information Privacy Protection Act prohibits storage or access of personal information in its custody or under its control outside of Canada. Note that this is a subset of the information held by governments in BC and doesn’t apply to the information that private sector uses for their own services. I’ve highlighted a few of the organizations that have provided advice and guidance on considerations and safeguards for use of the cloud in a previous blog post.

10. The Cloud will displace all other technologies

Rounding out the group is the myth that everything will move to the cloud and that all other technologies will be replaced. Some suggest that mainframe computers will magically disappear, local servers and internal corporate networks will vanish, and that all applications will reside in the cloud leaving local devices a shadow of their current self; supporting perhaps no more than a browser.

If we were to look at the stepwise shifts in technology in the past, for example the rise of the PC, client-server computing, the advent of the web and the adoption of services-oriented architecture, we see how the technological shifts were additive to the existing technologies. While some workloads moved away from the previous paradigm, after an adoption period equilibrium was reached where the old and the new coexisted. Looking broadly at the cloud technologies, we see that one of the key principles behind the cloud is ubiquitous network connectivity. As cell phone users we recognize quite well the connectivity dead zones that can exist for universal coverage (ever tried to take a call from the ice rink?). Certainly as we look at the broad expanse of Canada we can see that while tremendous progress is being made, there are still some regions without broadband access. Consumers and businesses need to be able to use their computing resources even when connections are not available. Apps that are only available via the web might not be the ideal solution for individuals that find themselves beyond a connection from time to time. A more realistic scenario is where your devices will be able to work regardless of location and connect when available or convenient to synchronize.

As organizations explore the opportunities of cloud computing it is critically important that they look beyond the myths and begin to focus on the specifics of which services they are looking to use, for which data, and in which way.


Getting Comfortable in the Cloud

It seems everywhere you turn there is another gloomy statement about the potential dangers of cloud computing.  This commentary is reaching a crescendo with sensational newspaper headlines citing speculation as fact.  It’s time everyone took a step back to look objectively at what is actually happening, reflect on their decade plus experience using cloud based services and go beyond the negative hype.

So the first thing to do is to get clear on the Cloud. I often describe the challenge using the meteorological clouds which we are more familiar with. If I were to say to you, “Don’t go outside if there are clouds,” you would clearly think I was nuts. The clouds could be cirrus clouds (high and wispy), stratus clouds (low blanket like grey clouds), nimbus clouds (rain clouds), cumulonimbus (thunderstorm clouds) or even funnel clouds (tornados). For the everyday person, some clouds don’t require any additional actions be taken, some require modest safeguards e.g. umbrella and others, more significant safeguards (take cover!).  For truck drivers there are considerations like fog lights, wipers, tarpaulins and tire chains.  For pilots there are other considerations such as alternative airports, instrument flight rules, wing deicing, etc.

The naysayers deal in speculation and absolutes.  Much akin to announcing: don’t fly in airplanes because they crash, they make pronouncements for the cloud that state indirectly that privacy intrusions are happening.  Many would have you believe that the sky is falling, a meteor could drop onto the earth or you could, quite possibly, be struck by lightning as you read this.  Now while I can’t absolutely guarantee that any of the aforementioned events won’t happen, I think you’ll agree that first, it’s fairly remote that they will happen, and second, in the case of the lightning strike, you could further reduce the vanishingly small chance of occurrence by avoiding that tin foil suit while standing in the middle of an empty field during a thunderstorm. 

The first step to getting comfortable in the cloud is a review of the expert guidance for privacy and security safeguards for cloud services.  The Ontario Privacy Commissioner’s office has published guidance on safeguarding data in cloud services in “Privacy in the Clouds: Privacy and Digital Identity – Implications for the Internet” and  “Modeling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach.” The Government of Canada Treasury Board Secretariat has published a guidance document: “Taking Privacy into Account Before Making Contracting Decisions,” which provides a checklist and other tools to help organizations address their privacy requirements.  Cloud providers also provide detailed guidance on how their services work.  For example, Microsoft’s Global Foundation Services, the group that builds and operates Microsoft’s Data Centers and Online Services, has published a whitepaper that describes how they Secure Microsoft’s Cloud Infrastructure.  You’ll note that the privacy development lifecycle outlined on Page 8 aligns with the Privacy By Design approach promoted in the guidance from the Ontario Privacy Commissioner’s Office.   Noteworthy references such as these provide a useful foundation for the Threat Risk Assessment (TRA) process for security and the Privacy Impact Assessment (PIA) process that organizations routinely use to identify and manage the risks associated with internal and external service delivery.

Data Sovereignty is one discussion point that frequently arises in discussions on Cloud computing and privacy. The USA Patriot Act is the most common piece of international legislation that people are talking about. The Canada, Mexico and USA Trilateral Committee on transborder data flows held multiple meetings between September 25, 2008 and June 15, 2009 to explore the challenges associated with cross border information flows. In their final report they noted that:

  1. “While the USA PATRIOT Act does not create a restriction on the movement of data across borders, misperceptions surrounding it appear to be negatively impacting data flows.” (page 11)
  2.  “The Questionnaire (of the business community) indicated the occurrence of misperceptions within the business community regarding the USA Patriot Act, and how the lack of clarity surrounding this piece of legislation has resulted in lost opportunities.” (page 17)

In testimony at the second meeting of the committee, privacy expert Fred Cate indicated that “The likelihood of the government resorting to searches of personal data from provincial Canadian public sector authorities held by, or accessible through, service providers in the United States as a reliable law enforcement or counterterrorism tool is ‘vanishingly small.’” The Federal Privacy Commissioner held public Consultations on Cloud Privacy in June of 2010 and while a final report remains outstanding, prominent Canadian privacy lawyer David T.S. Fraser presented the rough equivalence of legal authority in Canada and the US. He further reinforced the opinion that US authorities would sooner work directly with their Canadian counterparts than seek the information unilaterally through the US. This opinion is reinforced by the Canadian Advanced Technology Association in one of two publicly available submissions. And while one or two organizations continue to highlight concerns, albeit without consideration for the application of safeguards, it appears that the guidance provided by the Federal Privacy Commissioner on “Processing Personal Data Across Borders” remains valid guidance for business leaders today. This guidance was also called out by the trilateral committee as leading “to increased understanding and less concern from individuals about cross‐border data transfers.”

As your organization looks to take advantage of the economies of scale, the business agility and the robust security inherent in cloud computing, it is vital that you understand that many of your applications do not deal with personal information and therefore would not require specific privacy impact assessments to move to the cloud. For those that do, there are a variety of safeguards, both already in the cloud and that you can implement, that will mitigate the risk to less than vanishingly small.
