Policy Archive

Considering Compliance When Adopting Public Cloud Services

John.Weigelt

Published: June 16, 2011Posted in: CIO Toolbox, Cloud, General, Policy, Privacy, Security

Cloud computing processes and technologies offer organizations the opportunity to transform their approach to IT services delivery and ultimately transforming their overall services delivery. While several characteristics fundamental to cloud computing are relatively novel to these solutions (e.g. elasticity, transparent scalability, usage based billing) there are some aspects of cloud services, especially in procurement, that organizations will be familiar with. Many organizations are using public cloud services for their service delivery. While the path each has taken to implement cloud services has been different, there are some activities that they have commonly performed:

1. Select a candidate service (capability) that will provided – While many CIOs have included “moving towards cloud services” in their strategies, actual implementation of these services requires that CIOs and their service delivery leaders go well beyond the concept and take a detailed look at what services and information holdings they plan to host in the cloud. For existing services, organizations should take the time to examine how their user community is actually using the services over and above to the official purpose of the system in question. This will help identify any unexpected categories of information that need to be supported. Organizations should also take the time to think about and almost predict how their community may find alternate uses of new services that they are looking to deploy in the cloud. This will help avoid any unintended consequences.

2. Assess the compliance obligations for the service (PCI, FOIPPA, PHIPPA, SOX etc.) – The output from the first step should be a clear understanding of the services and information that will be transitioned to the cloud. Since all services are governed by legislation, policy or standards, it is essential that a fulsome analysis of the compliance obligations be carried out by a compliance team composed of a partnership between the service owner, legal and IT organizations. It is often the case that several compliance regimes will apply to an individual service.

3. Take a realistic look at how the organization conducts business today (Mobile devices, Internet presence, partner connections, POTs, social network use etc.) – While any change in how an organization delivers its services provides an opportunity for improvement and to address gaps that have arisen over time, a balance must be struck not to over-engineer the solution. Instead of taking a blank slate approach to delivering services via the cloud, successful deployments have taken a look at the current service delivery environment and examined the differences that the cloud services introduces. This approach effectively addresses arguments for security, privacy, availability etc. that deal with absolutes.

4. Conduct a preliminary Privacy Impact Assessment (PIA) and Threat Risk Assessment (TRA) – Now that a clearer understanding of the services has been developed; there is an opportunity to conduct preliminary TRA and PIA. These assessments identify the information assets, the threats to those assets, the safeguards required and provide an insight into the remaining risks that need to be addressed before the services are deployed. These preliminary reports go beyond technology based recommendations and will help identify policy, process, people and publication safeguards/controls for the services. Should the organization determine that the remaining risk of their planned deployment is too high, there is an opportunity to go back and revisit the approach and add additional safeguards. Organizations can also look to hybrid models where the sensitive information remains on premise and a less sensitive portion of the service is migrated to the cloud.

5. Pilot the service – The very nature of cloud services provide a great way to deliver new. Because you only pay for what you use, organizations can quickly and cost effectively get access to cloud services so that they can investigate how they could work with their plans. These pilots/prototypes can be done at the same time that the policy/compliance work is being done.

6. Assess the potential risk delta in moving to new cloud model. – The preliminary PIA and TRA provide the foundation for the business assessment for the adoption of cloud services. It should consider the current operational environment and the planned cloud end state. It is essential that the risk be considered in the context of the current ways that the services are performed since starting from a blank sheet or ideal world scenarios can introduce scope creep explosion which will extend far beyond the project in question.

7. Conduct a detailed review of the Service Level Agreement, including a mapping to current service levels. – The Service Level Agreement is the cornerstone safeguard for effective outsourced service provision since it describes the expectations and obligations of both the service provider and consumer. Several organizations have made the case for cloud services to their senior management based upon the service enhancements over their existing service delivery capabilities (e.g. availability, capacity, discoverability). Organizations should take the time to fully describe their service expectations and avoid sending poorly understood services to cloud providers. A sure recipe for failure is where a poorly understood service is tossed into the cloud since both parties won’t know what’s expected leading to discontent.

8. Build out the business case. – Successful deployment of any full service ultimately relies on a solid business case. While cloud services do have the potential for organic, bottom up growth because of usage based billing, fully sustainable solutions are supported by solid business cases. The biggest challenge experienced with business cases is accurately capturing the current total cost of ownership. Organizations generally underestimate the current costs because it is often difficult to get full access to the various direct and indirect costs associated with a service.

9. Decide and manage the risk – Ultimately the decision to maintain status quo, adjust a service or deliver a new service comes down to a risk management decision. All of the activities described above help develop the evidence for the line of business leader to make an informed risk decision.

Canadian organizations are beginning to take advantage of cloud services for their service delivery initiatives. Those that have been successful in deploying have generally performed these high level steps to tease out and address the risks and opportunities associated with their move to the cloud.

Fun with Numbers?

John.Weigelt

Published: January 14, 2011Posted in: General, Open Government, Security

I was at a workshop recently where the group was reviewing survey results. We were all a little surprised when some of the findings were not entirely as we expected. We had the good fortune to have a comprehensive understanding of the size of the survey audience, a little insight into their general demographics and the formality of the survey. As a result of this background, we were able to establish a “Blink” context behind the results and carry on with our work. This was great for our session, but it left me wondering, in these days of open data, what would happen if these statistics were reused without the context? It also reminded me of how important it is to consider the context behind information gathering, especially as organizations turn to online consultations to develop a deeper understanding of their environments.

Perhaps it’s because of my recent reading list of Risk, How to Lie with Statistics and the Skeptic that I have started taking a second look at statistics, or maybe it was from my kid’s favourite beverage that promised 100% flavor! Regardless of where it was from, it remains essential that we continue to maintain the context behind the numbers we are given and take an additional moment or two to look behind the data to determine how we are to interpret it. Outside of the policy challenges associated with opening data to the web, I feel that maintaining and sharing the context behind that data remains one of the most significant challenges to the open data movement. I don’t have any quick answers for sharing the context just yet, only the recommendation that we don’t through the baby out with the bathwater by taking an either/or approach to open data or traditional information sharing and include both the finalized reports as well as the data that support them.

We can, however, keep a close eye on how we gather information for our online consultations and collaboration. Let’s make sure that we at least cover off the basics for gathering opinions so that we can reliably use the data we have collected. Some of the pitfalls are:

Astroturfing – Online opinion polling must implement safeguards to protect against, often, automated input to a particular question or survey. I tend to emphasize the automated aspect to distinguish between this type of polling box stuffing and that which is more flash mob related.

Freeping – Survey and polling in today’s social media rich world must keep a keen eye on activities that would seek to skew the data by inciting individuals (often non stakeholders) to provide a biased input. Individual and community based call to action can be accompanied by Astroturfing.

Human behavior – I am surprised that many surveys and questionnaires don’t adequately consider how people will interact with the survey or don’t consider how they pose the questions.

- Interface – While there is a large body of research on the impact that user interfaces have on surveys (e.g. Cognitive Ergonomics), it seems that many survey and social interaction activities do not adequately consider these impacts. One recent consultation process placed the community provided suggestions with the most positive votes on the splash page for the initiative. Unfortunately, it allowed visitors to vote for those suggestions from the splash page without going through the other suggestions. Ultimately, this resulted in the early lead suggestions getting the lion share of the votes where the others received few if any since users generally did not take the time to dive deeper into the feedback repository.

- Demographics – In the absence of a widely available and reliable way to know exactly who we are talking with online, there is uncertainty as to the segment of the population that is providing input to online surveys. We must all ensure that we don’t jump to any conclusions about which community is providing the input.

- Leading Questions / Implicit Assumptions – I continue to be amazed at the number of surveys and questionnaires that employ leading questions or implicit assumptions. We can all recall when we first encountered a question like “Do you feel good after kicking your pet? (Y or N).” Of course we can see the assumption loud and clear in this question because we would never harm our pets, but in many other cases it’s not as readily apparent. Sometimes this hiding guiding of responses doesn’t appear in a single question, but is the result of opinion shaping through the narrative established by a number of questions.

Tenuous Extrapolation – Let’s face it. We’d all like to get everyone’s opinion or experience on a particular subject, but that is almost impossible for most practical surveys. So we have to deal with a subset and make some assumptions. These assumptions don’t always make it through to the results of the findings. Furthermore, these assumptions might not adequately address the full range of possible choices/outcomes. ( Nassim Taleb provides a comprehensive critique on the frailty of models and assumptions). I’ve seen “national level” conclusions draw from survey communities of less than 1/1000 of the population compounded by taking the maximum possible outcome from a questions (e.g. did you spend between $100 and $1000 (Y or N)). With these multiple order of magnitude ranges and the potential errors that can be introduced, we owe it all to ourselves and the community to extrapolate with care and to analyze carefully when reviewing conclusions.

Floating Foundations – In some cases surveys and questionnaires seek to establish a context behind the outreach by introducing the subject with a sort of call to action or background story. Unfortunately, perhaps fueled by our hyper connected world, there have been cases where misinformation takes the place of solidly researched data. Dan Gardner highlights one of these floating foundational numbers in Chapter 3 of his book “Risk.” There are many more floating foundation numbers that we need to be wary of.

As we collect and publish more open data, it is essential that we consider the potential pitfalls that might arise and be able to address them in both the collection and ultimate interpretation of the results.

Publishing for Access

John.Weigelt

Published: January 5, 2011Posted in: Accessibility, CIO Toolbox, General

Let’s face it, when you’re authoring stuff you want your thoughts to reach the broadest audience possible. You want to make sure that your ideas get to your audience just as you intended without missing any valuable content. In short, you want your content to be accessible. Despite a variety of tools and guidelines, there are still too many materials on the web that are inaccessible across the diverse products that people use to connect to the information that they need.

If we think a little bit about the people we are trying to reach, we quickly realize that they access the web using smartphones, tablets, slates, video game consoles, televisions, notebooks, screen readers, braille displays and even desktop computers. Some authors might simply shrug and note that if someone can’t see their blog post on a portable device that their readers will come back to visit on their desktop at a later time. I have to disagree that readers will come back and more importantly suggest that there are a number of people that rely on a single way to access the stuff that you post. I’ve heard first hand of the frustration experienced when information is not accessible by people who rely upon specialized tools to use their computers.

There are some very easy ways to prevent the frustration.

1. Think about the different ways people might get at your information – Awareness is often the first step to making information accessible. So consider the individual reading your materials on the small screen of a phone or having the information read aloud by a screen reader. If you haven’t experienced the ease of access tools (e.g. Narrator, Magnifier, High Contrast, etc.) give them a try (just press the Windows key and “u”)

2. Appreciate the details –There are a few things that authors should consider when creating content that can be consumed across a variety of devices. Considerations such as providing textual descriptions of the images or making sure presentations build and flow correctly. A common gotcha is saving a document as an image file thereby losing the ability to have it narrated by a screen reader.

3. Consider the tools at your disposal – As with many other communications technologies, there are a number of techniques available to help you reach the broadest audience possible. Some of these techniques vary with the role that you might have; be it a software developer, a web designer or content creator. A common pitfall is to look narrowly at one approach, say a web only model, and inadvertently restrict other useful techniques (for example, downloadable content not generally covered by web techniques can easily be made accessible as well)

a. Developers – I know that this is a broad category with any number of interpretations. In this context I mean the community that builds tools that leverage technical specifications for protocols, document formats, markup languages, application programming interfaces etc. Developers have the responsibility to leverage the accessibility functionality in those protocols, APIs etc that they leverage in a consistent way. There is plenty of great advice out there for developers, including the advice found on MSDN.

b. Designers – Designers establish the frameworks or templates for content developers to contribute to atop the software applications created by developers. (Of course one person can have all three roles). Designers are responsible for establishing frameworks or structures that simplify publishing content that is accessible across a variety of different devices. Examples of considerations for designers can be found in the W3C recommendations for Cascading Style Sheets.

c. Content creators – Content creators are the largest community since, after all, don’t we all create content? Content creators are responsible for making sure that the information that they create includes the details needed to make it accessible across the wide array of devices and format in today’s computing and communications environment. Microsoft Office 2010 includes an accessibility checker for Word, Excel and PowerPoint to help everyone create documents that are accessible to everyone.

4. Test it – Once you have created your content and are ready to publish it or send it out, test it out to make sure that it is consumable using a wide variety of tools. This might mean grabbing one or two different devices to have a look, or it might require formalized certification or conformance checking against government standards such as the US Section 508 or the W3C Web Content Accessibility Guidelines. As with any compliance review, organizations should look beyond the checklists to ensure that they have provided meaningful access to their content.

I’m sure that you’ll agree that the awareness, understanding, create and review processes listed above fit well with the normal content creation process and so won’t unduly impinge on the regular day to day routine. Just some small extras that will help you reach the broadest audience possible, be they the person next to you on the plane reading their mail when their device should be safely stowed or that other person having it read aloud to them.

Rethinking IT Service Delivery Through the Power of the Cloud

John.Weigelt

Published: December 14, 2010Posted in: Cloud, General, Policy, Privacy

I’ve had the opportunity to chat with many people across Canada over the past few months about the potential of the cloud and more recently during the cross Canada “Journey to the Cloud” tour.During these conversations I was able to confirm first-hand that while Leger marketing has found that “Cloud computing is confusing Canadian businesses”, the number of businesses with a clear view of the opportunity presented by the cloud increases steadily every day.Conversations have leapt ahead from exploratory discussions on service descriptions to detailed conversations investigating how to leverage the innovative service delivery models possible through the use of the cloud.

Organizations exploring cloud services have the flexibility not only to leverage software as a service, platform as a service or infrastructure as a service in a public, hosted or private cloud service delivery model, but they also have the opportunity to divide up their business services across each of these possibilities.While the flexibility may seem daunting, think of the cloud as a toolbox where each of the options as a tool fit for a particular task;Screwdrivers for screws, saws for cutting etc.Beware the cloud provider that suggests you use a hammer for everything.

A case study from Aerlingus gives a great example ofthe power of the cloud though the ability to provide each part of the user experience from the best technology for the job.This separation of workloads (or business services) across a variety systems; some moved into the cloud while some staying on premise provides the solid foundation for innovation in the customer experience.The hosting of the computation intensive and network demanding graphic tiles associated with the route maps into the Cloud while maintaining the booking systems separately helps illustrate how organizations can leverage the strengths of the cloud.The cloud provides the scalability, network reach and capacity, elasticity, economies of scale required for the images and is complemented with the existing corporate IT investments, namely the booking system which is overlaid upon the route maps.

I’ve had the good fortune to participate in brainstorming sessions with Canadian organizations to explore how the cloud can change the way that they deliver services.During one of these brainstorming exercises, the CTO of a Canadian Healthcare community discussed some of the innovative telepathology work underway in Canada.Essentially, medical images from remote locations without pathologists in Canada are shared to a network of pathologists across Canada who, with proper authorization and security, can provide their analysis in a much timelier manner than having to travel to the location in person.As you might imagine, medical images are compute and network intensive, placing huge demands on centralized servers and resources when accessed from across the country.What if the cloud could be used to distribute this critical data?Using the Aerlingus case study as an example, we explored the potential of distributing only the image portion of the files using the cloud, while keeping the patient data in the existing systems.This separation could speed the delivery of the image files across the country because to the capabilities of the cloud, while safeguarding the existing investment in the patient data systems.Of course this was a brainstorming session and any number of details would need to be worked out before this type of project would be launched, but I think it helps demonstrate the power of the cloud and the new flexible thinking and innovative services that it enables.

Ten Cloud Computing Myths

John.Weigelt

Published: November 4, 2010Posted in: Cloud, Privacy, Security

I’ve had the opportunity to talk to many people about cloud computing at a number of conferences across Canada. I have to say that there is considerable enthusiasm about the potential of the cloud and the many opportunities that it unlocks. Unfortunately there is a lot of uncertainty that accompanies this enthusiasm and perhaps rightly so given some of the game changing approaches that accompany the familiar. Where there is uncertainty, there are well-meaning groups and individuals who, perhaps resistant to change, paint fairly negative pictures of the cloud. I’ve collected this list of top ten myths that I have heard perpetuated at conferences and provided my thoughts on why these are indeed myths.

All cloud is on the Internet

Perhaps one of the most common myths is that for organizations to use cloud services they must use consumer oriented services available on web. It certainly doesn’t help that those companies with an internet-only service delivery model continue to push the message very hard.

In reality, cloud technologies and cloud services are available in a variety of formats: on the internet, on private networks and even within your own organizational boundaries. Many organizations are getting started with cloud technologies by building out their own “private cloud” services on their own internal networks. Even hosted cloud service providers often provide options where their services are provided over private networks to their customers. These non-internet dependent cloud services are especially important where internet connectivity may be intermittent or non-existent.

2. All cloud services are the same

Another common myth being perpetuated is the grouping of all forms of cloud services under a common umbrella and broadly applying the characteristics of one type of service to another completely different class of service. Perhaps the most common association is where consumer oriented cloud services are equated with enterprise grade cloud business services. I’ve seen music marketplaces lumped in with business collaboration sites, social networking with infrastructure services.

Not only is this broad brush approach unhelpful, it really (no, really, really) discredits any valid points made about the considerations needed for each category or class of cloud services. While admittedly the shorthand “Cloud” services has been applied across a wide variety of technologies in different ways by a variety of providers the broad-brush approach would be like describing, perhaps, the characteristics of a motorcycle (e.g. You can get wet when it rains) across all vehicles. Certainly the characteristic applies to some vehicles (bicycles, convertibles, pogo sticks) but not to others. The same is the case in cloud services. Cloud services vary considerably not only from how people consume the service (Infrastructure, Platform, Software as a service), from the business function of the service (search, database, collaboration), the business model (subscription, advertisement, licensed), from a service model (private, hosted and public) and more. Some cloud services oblige its users assemble their own functionality, where others are pre-packaged. As you look at any assessment on cloud services, be sure to explore a little further to make sure that you appreciate how that assessment applies to your particular business situation and use of cloud technologies.

3. You cannot mix and match cloud services

Modern organizations use a variety of best of class tools to address their business requirements. For some reason, a misperception that the move to the cloud is an all or nothing proposition, either from a bundling perspective or from a business application delivery perspective. This misinterpretation can hinder the adoption of cloud technologies by organizations as they look to move to these services.

Flexibility is one of the fundamental advantages of the cloud. Cloud services provide flexibility to use just what you require, when you require it. This flexibility extends into new programming models where developers have the flexibility to separate data and compute, leveraging the best locations for their operations. The interoperability built into cloud services also provides flexibility to organizations allowing reuse of internal systems, such as identity management, with external cloud services. As organizations make their move into the cloud they often adopt one or two services while keeping connections to their existing internal services.

4. Cloud Providers just toss the data into their data centers

Some presentations I’ve attended would lead you to believe that cloud service providers manage their data like an episode of the TLC’s Hoarders TV series, where data simply piles up and becomes lost.

Compliance audits, certifications, service level agreements, availability and reliability assertions all oblige enterprise grade cloud service providers to know where their customer’s data resides.

5. Cloud providers just shovel over data in response to lawful access requests

One myth that instills concern in people is the suggestion of a half hazard approach to responding to lawful access requests. Perhaps this misperception is coupled with the previous myth since naysayers could conclude that if organizations don’t know where the data is, they would simply hand over an arbitrary collection and let law enforcement sort through it.

Really? This is perhaps the stuff of movies. Enterprise grade cloud providers have considerable experience in responding to lawful access requests and strive to provide exactly the specific information being sought. And because close control is maintained over the data, cloud providers can separate only the information requested from the other data.

6. Operators casually browse the data sets in their custody

I get the impression that some people think of a data centre operator’s job as a boring day, spent in front of a relatively blank screen perhaps playing solitaire. The reason that this comes through is because of false assertion that cloud operators casually browse customer data sets.

Well, if you have a single operator and a single server it could be a rather long day. But the business of cloud computing is a business of scale. To be successful, cloud service providers need to be able to operate their computing resources at a massive scale http://tinyurl.com/2622zqt. One example of this scale is in the coverage model of operators to servers. In world class enterprise data centers the ratio of operators to servers is around 1-140. For cloud service providers that ratio jumps by an order of magnitude. I think that you can all appreciate that in today’s economic reality, enterprises can ill afford to have employees that just sit around, so one could expect that the data center operators have gainful work expected of them throughout the day. Simply put, the operators are kept busy enough maintaining the high operational availability of the cloud services that they provide that they simply would not have the time to browse the data sets. And even if they did, there are a number of internal safeguards that have been implemented to prevent this sort of misuse.

7. Law enforcement browses the cloud at service provider’s locations

Much like the aforementioned myth, a number of individuals make assertions that every use of the cloud is automatically accessed by law enforcement. There is no mention of differentiation of services, no mention of safeguards applied by consumers, no mention of the need for warrants, just a presumption of almost casual access.

Let’s take a closer look at the reality. Yes, law enforcement agencies worldwide have procedures that they can use to obtain data from cloud services providers as part of an investigation. At this year’s Federal Privacy Commissioner’s consultation on the Cloud, David Fraser highlighted the equivalences between Canadian and US lawful access procedures. Input to the Trilateral Committee on Cross Border Data flows noted that the possibility of US law enforcement using their access to obtain Canadian data is “vanishingly small”. Perhaps it’s simply “System 1” getting the best of the pundits.

8. The cloud exposes your data to incidental access

Perhaps it’s from the olden days when the high tech crime investigators literally used yellow tape, chalk lines and computer confiscation to start their investigation, but there is a myth that investigations of cloud services providers begins with wholesale confiscation of hardware.

Cloud services have been around for many years, many for well over 10 years. Both law enforcement and cloud services providers have worked together to build effective processes to provide the data required for investigation support. These processes emphasize close cooperation to provide only the data required and respect the privacy and SLAs of other customers.

9. It’s against the law in Canada to use international Cloud services

There is a common misunderstanding that there are a large number of Canadian laws that prevent the transfer of data outside of Canada extending across different business sectors both public sector and private sector.

Let me start off with a disclaimer that I am not a lawyer, so all organizations should seek competent legal advice about the compliance requirements that their organization must abide by. That said I have been deeply involved with the deployment of broad consumer cloud services in Canada, assisted Industry Canada and the Federal Privacy Commissioner in their consultations on cloud security and privacy and helped deploy cloud based services in provinces, municipalities and private sector. There is one Canadian jurisdiction with a prohibition on the storage of a specific category of data outside of Canada. The British Columbia Freedom of Information Privacy Protection Act prohibits storage or access of personal information in its custody or under its control outside of Canada. Note that this is a subset of the information held by governments in BC and doesn’t apply to the information that private sector uses for their own services. I’ve highlighted a few of the organizations that have provided advice and guidance on considerations and safeguards for use of the cloud in a previous blog post.

10. The Cloud will displace all other technologies

Rounding out the group is the myth that everything will move to the cloud and that all other technologies will be replaced. Some suggest that mainframe computers will magically disappear, local servers and internal corporate networks will vanish, and that all applications will reside in the cloud leaving local devices a shadow of their current self; supporting perhaps no more than a browser.

If we were to look at the stepwise shifts in technology in the past, for example the rise of the PC, client server computing, the advent of the web, the adoption of services oriented architecture we see how the technological shifts were additive to the existing technologies. While some workloads moved away from the previous paradigm, after an adoption period equilibrium was reached where the old and the new coexisted. Looking broadly at the cloud technologies, we see that one of the key principles behind the cloud is ubiquitous network connectivity. As cell phone users we recognize quite well the connectivity dead zones that can exist for universal coverage (ever tried to take a call from the ice rink) Certainly as we look at the broad expanse of Canada we can see that while tremendous progress is being made, there are still some regions without broadband access. Consumers and businesses need to be able to use their computing resources even when connections are not available. Apps that are only available via the web might not be the ideal solution for individuals that find themselves beyond a connection from time to time. A more realistic scenario is where your devices will be able to work regardless of location and connect when available or convenient to synchronize.

As organizations explore the opportunities of cloud computing it is critically important that they look beyond the myths and begin to focus on the specifics on the which services they are looking to use, for which data in which way.