Bringing the Cloud Back to Earth

webinars.plantemoran.com

Bringing the Cloud Back to Earth


Presenters

Sri Chalasani, Sr. Architect – Plante Moran, IT Consulting Sri has over twenty years of experience and specializes in the design, deployment, and troubleshooting of complex networks. He also has over fifteen years of experience in the design and implementation of broadband multimedia solutions across large networks. Sri has help many organization in the design and selection of data center including strategic sourcing of cloud based solutions. He has an MBA from Wayne State University, a MS in Computer Science from Western Michigan University and a BS in Electronics Engineering from Bangalore University..

Marv Sauer, Principal – Plante Moran, Education Consulting Marv has more than 25 years taking clients from initial strategic planning through the successful implementation of a variety of proven and leading edge technologies. He is a talented facilitator of small to large groups working with personnel ranging from end users to executive management. Marv has given presentations at local and national conferences on topics such as Building the Network of Tomorrow, Today and With Strategic Planning First, Successful Implementation Follows. Marv holds a Master of Business Administration in Finance from the University of Michigan and a Bachelor of Science in Math and Computer Science from the University of California, Los Angeles (UCLA).

http://knowledgeshare.pmllp.com/Operations/Marketing/Photos/S/Sauer, Marvin.jpg


Administration

Slides are available for download from your webcast console. A recording of today’s webinar will be added to our website in a few days.

We will allow time at the end of the presentation to respond to your questions, but please feel free to submit questions at any time.


Administration

This is a CPE-eligible webinar. Throughout the webcast, participation pop-ups will appear.

Participants must respond to at least 75% of these pop-ups in order to receive CPE credit.

To receive CPE credit, you need to be logged in individually to the webinar and meet the eligibility requirements (have an accrued viewing time of at least 50 minutes and 75% response to participation tracking), to receive CPE. Only attendees who are logged into the webinar will be eligible to earn CPE credit.

4


Overview

Kick it to the next level - move beyond the tutorials

• Review drivers, strategy and architectures for deploying a cloud

• Identify your risks

• Asking the right questions

• Selection criteria

• The T’s and C’s

5


Background

Gartner believes enterprises will spend $112 billion cumulatively on software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS), Part of the attraction is the promise of lower total cost of ownership but, with this comes higher risks some of which are not always immediately apparent.

6

Source: Gartner


Drivers of cloud computing - Recap

Drivers

• Data Center pressures – increased systems and data explosion

• Flexibility - system capacity (elasticity) and ubiquitous access

• Minimize risk – modernize to survive / keep up with the times

• Cost / predictable cash flow

• Reduced operational / systems management

• Accelerated access to complex applications

• Allow for focus on core competencies

7

Presenter

Presentation Notes

*) Cost / predictable cash flow = lower cost and/or convert CapEx to OpEx *) Bottom line - Save money Be efficient Increase availability and reliability Note: we did not necessarily include security in this – just yet!


IT Staff & skills

Business Process

Cur

rent

IT

Env

.

Agi

lity

Ris

ksR

eg. &

C

ompl

ianc

e

C.I.A Costs Governance

Use

rsTe

rms

&

Con

ditio

ns

App. Integ / Rearch

Technology

Secu

rity

Adm

inistration

Clo

ud S

trat

egy

Solutions

Roadmap

Strategy - Recap

8

CEO

* Reduce costs? TCO/ROI?* Distributed workforce? * Competitive advantages?* Risks?* Align with business goals?

CIO

* Security & compliance* Impacts IT staff?* Performance & reliability?* Distributed workforce? * Agility & growth* Contract, SLA, & support?

Business objectives and goals

• Goals maybe the same

• Questions and priorities may be different and often competing

Presenter

Presentation Notes

*) It is not uncommon that various roles have varying requirements, depending on their point of view *) The questions a CEO/CFO maybe asking maybe different than what the CIO could be asking – they may sometime be competing At the end of the day, as the organization develops a strategy for the organization, the business objectives and goals MUST be the center of focus The surrounding layers or decisions such as the cloud strategy, roadmap, type solution. The other factors of IT regarding Administration of IT (cost, governance, users, contracts), Security (risks, confidentiality / Integrity and availability of information and regulatory compliance), the technologies involved (current IT environment, application integration / re-architecting, IT staffing and skills refinement, re-valuation of the business process, and agility factors) need to be considered also. *) ALL of the decisions factors should lead to delivering the business goals and objectives – decisions cannot be made one certain criteria only – such as cost or agility.


Cloud S

ervices

Architectures - Recap

9

Four

maj

or b

uild

ing

bloc

ks fo

r IT

syst

em

Operating System and Back Office

Applications

Infrastructure

IT Staff

Applications

Servers

Storage

Network

Database

Operating System

System Software

Net. Admin, DBA, Programmer

IaaS

Paa

S

Saa

S

Managed services

IaaS: Infrastructure as a Service; PaaS: Platform as a Service; SaaS: Software as a Service

Presenter

Presentation Notes

*) Delineation of responsibilities of the provider and your organization e.g. IaaS – provider responsible for data center, network, storage, and servers PaaS – provider responsible for infrastructure components, operating systems, databases, patching of systems, and other system software SaaS – provider responsible for infrastructure, OS/back office components, and the actual application as well – pretty turnkey Irrespective of the type of model, there is a “managed services” component provided *) This is a “simplified” version. The stack can be further refined to: The following is a brief explanation of what each element in the stack is: Applications: built on the platforms described below, they use and/or produce data for some useful purpose. This can be anything from the GroupWise email client to database server software, Microsoft Word, or air traffic control software. Data: the pieces of information that applications use (i.e., documents, audio, video, database tables, emails, log files, etc.). Runtime (environment): another level of software platform that enables the creation and execution of standards-based applications (e.g., Sun Java and Microsoft .NET.). Middleware: software used to broker communication between other forms of software. A common example is a database connector that allows applications to transparently connect to any database[i]. Operating System (O/S): a software platform used to support middleware, runtime, and applications (e.g., MS-Windows, Unix, iOS). Virtualization: hardware and software that allows dynamic allocation of servers, storage, and networking. Servers: the actual computing hardware Storage: where data is actually stored (e.g., arrays of hard drives). Networking: transmission devices (cables or transmitters/receivers) and related routing equipment that enable data transfer between computers. *) With the intention of providing more flexibility /differentiated services, providers are services upto various layers e.g. Iaas+ - goes above IaaS, but not all the way up the PaaS stack, maybe provide the hypervisor layer and the organization is responsible for layers above that. Other examples are aPaaS or dbPaaS *) Depending on YOUR business requirements & internal IT capabilities, you can decide which of the building blocks are retained in house.


Deployment Models - Recap

10

Private Cloud Only your organization has access

to the resources. Hosted internally or hosted by a

provider

Public Cloud Multi-tenancy computing resources

(infrastructure, OS, applications are available to other tenants

Typically hosted at a provider

Hybrid Cloud Combination of Private and Public Most organizations

IaaS

/ P

aaS

/ S

aaS

Other: internal or external hosted

Community Cloud Collaboration between multiple org. Involvement by invitation only

Presenter

Presentation Notes

*) Very few organization will be able to “completely” deploy a “PRIVATE CLOUD” or a “PUBLIC CLOUD”. Most will have a combination of private (internal), maybe private (hosted) and a hybird *) There are several different aspects of Cloud Computing with associated implications that we’ll get into a bit later in the presentation. There are 4 different deployment models – Public, Private, Community and Hybrid Public Cloud - a service provider makes resources, such as applications and storage, available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model. The main benefits of using a public cloud service are: * Easy and inexpensive set-up because hardware, application and bandwidth costs are covered by the provider. * Scalability to meet needs. * No wasted resources because you pay for what you use. Examples of public clouds include Amazon Elastic Compute Cloud (EC2), IBM's Blue Cloud, Sun Cloud, Google AppEngine and Windows Azure Services Platform. Private Cloud: cloud infrastructure operated solely for a single organization, whether managed internally or by a third-party and hosted internally or externally. Lacks the economic model that makes cloud computing such an intriguing concept. Community Cloud: Community cloud shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third-party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the benefits of cloud computing are realized. Hybrid cloud: A composition of two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models


Examples of the cloud - Recap

11

IaaS

Source: Cloud Taxonomy

Presenter

Presentation Notes

*) May end up with different solutions – best of breed *) Cloud software allows the building of cloud computing environments, manage cloud environments, or software used to build highly scalable cloud applications. *) Products include both commercial and open source software



12

PaaS


Presenter

Presentation Notes




13

SaaS Source: Cloud Taxonomy

Presenter

Presentation Notes




14

Cloud Software


Presenter

Presentation Notes



What is at risk?

• Cloud computing inherently means trusting some of your most valuable assets

• Before you start – high level understanding of the risks

• Two key assets exposed to risk - Data and Applications/Process

• Evaluate the risk for Confidentiality, Integrity and Availability. Impact on asset if it:

• Breached

• Accessed by provider(s)

• Process is manipulated by an outsider

• Unavailable for a while

15

Presenter

Presentation Notes

*) Cloud computing means entrusting one of your most valuable assets – data and applications/processing to a third-party provider *) Service Organization Control (SOC) standards provide some level of assurances, currently there are no concrete laws or standards that can assure whether a particular CSP is “safe” or not. *) There are significant efforts by both the private and public sector such as CSA (Cloud Security Alliance), GSA (Government Security Agency), and NIST (National Institute for Standards Technology) to provide tools to assess and select cloud computing services that satisfy security requirements. *) The higher you go up the ladder (or layers) on the services model, the more you rely on the CSP to provide turnkey services .e.g. With a SaaS model, your understanding on how your data is secured and controlled must be higher.


What is at risk?

• Understand risk by mapping the asset to

• Possible deployment models

• The potential flow of data between your users and CSPs

• Assurances on safety of data?

• SOC standards provide some level of assurance – CSA, GSA, NIST

• CSA / GSA / NIST - tools to assess security requirements & services

• Onus is still on you, do have to conduct your own due diligence

16

Presenter

Presentation Notes

*) Before you go too far down the road, understand the risks *) moving information into the cloud or transaction / processing into the cloud; *) With a Cloud model the data and transaction processing may not reside at the same location


Protect your assets – ask the questions

1. Who’s managing my data?

• Qualifications and backgrounds of staff

• Who else (partners/sub-contractors) can touch your data?

2. Where’s my data actually located?

• Regulatory and compliance requirements for data export

• Primary and secondary (replication sites)

• Conformance to local laws – data discovery

• Map how data is stored and handled

17

Presenter

Presentation Notes

Who’s managing my data? Ask about the qualifications and backgrounds of the cloud company’s staff. These administrators have privileged access to your data; you should know who they are. Also ask about how new hires are screened and ongoing checks (such as random testing and background checks). Ask about other business partners that may have direct or indirect access to your data. For example, if they’re outsourcing their systems backup to someone else, what controls are in place secure your data? Where’s the data actually located, and will the data be replicated at other data centers? Many enterprises must comply with regulations that are based on the data’s geographic location. Based on your regulatory requirements, are there requirements regarding where in the world your data may be stored? Compliance requirements may restrict how data is exported to other countries and dictate what security measures need to be in place and what auditing standards you need to comply with. You should also be familiar with local privacy laws and regulations where the data is going to be stored. Local laws may provide for a government or litigant's right to inspect data being stored by the CSP. Can you take that chance?



18

• Why does location matter? - Country Risk Ratings for Security and Privacy

Source:

Presenter

Presentation Notes

*) Green – low risk *) Red – high Risk *) No surprise that China and Russia present the highest risk for security and privacy



3. What access controls are in place?

• What are the physical controls and logical controls?

• CSPs disclose data access control processes in place

• Frequency of testing of access controls

4. How will my data be physically secured & separated from other customers?

• Common hardware or applications with logical controls?

• Testing of data encryption / data leakage

5. How’s my data encrypted?

• Understand security for data at rest and data in transit

• Data at rest - encryption types

• Data in transit - encrypted, authenticated and integrity protected 19

Presenter

Presentation Notes

3. What access controls are in place? Just because physical control is being transferred doesn’t mean you’re giving up your right to know what controls are in place to limit risk. CSPs need to disclose the exact data access control processes that dictate their administrators’ actions, and you should have a full understanding of who can access what data and under what conditions. Ask how the access controls are tested and how frequently. 4. How will my data be physically secured and separated from other customers? Typically, in a cloud environment, there are some areas where resources can be shared by multiple clients of the CSP. A good CSP needs to clearly explain how your vital business data is segregated and secured from other clients. Some CSPs place all of their clients’ programs and data in one big application instance and use custom-built code to prevent customers from seeing each other's data; this is unacceptable, as custom code creates too much of a risk. It’s critical that CSPs use standard proven practices, namely data encryption. When CSPs use encryption, however, they must also provide evidence that their encryption and other security methods have been tested, fine-tuned, and proven to be effective. Be sure to question the level and type of encryption algorithms. In addition, in scenarios where common hardware resources are used by the CSP, the use of Virtual LAN (VLAN), VPN (Virtual Private Networks), and Virtual Machines (VM) are preferred. 5. How’s my data encrypted? More important than physical security is data encryption. There are two types of data—data at rest, and data in transit. You need to be aware of how both types are secured. The questions to ask are: How does the CSP secure data at rest? The CSP should always encrypt data on storage devices (e.g., hard drives and back-ups) to avoid data breaches. How secure is the data while it’s in transit within the cloud (system-to-system) and between the users and the CSP? Data in transit should always be encrypted, authenticated, and its integrity protected. This ensures that nobody can read or modify the data as it passes through the potential dangers of both public and private networks. There are very well established standards (TLS, IPsec, AES) for doing this that should be in practice by the CSP



• Map the potential flow of data between your users (internal and external), other providers and the cloud service

20

Users App Data

Backup Backup Backup

Servers

CSP1 CSP2

CSP3

Organization

Users

Presenter

Presentation Notes

Moving information into the cloud could mean moving the data and or transaction / processing into the cloud With a cloud model the data and transaction processing may not reside at the same location Understand the flow of data and the potential risk points along the way


Protect your assets – ask the questions 6. What authentication mechanisms are supported by the CSP?

• 2-pass authentication - passwords with tokens and certificates

• Integration using LDAP and SAML with Dir. Svcs or Identity Mgmt. systems

7. What happens if there’s a data breach?

• Incident Response Plan (IRP) - proactive processes and technologies in place to detect if an application or data is under attack. Create your own too

• Response times and notification process; request history

• Technology Errors & Omissions policy and/or Cyber Liability coverage

21

Presenter

Presentation Notes

6. What authentication mechanisms are supported by the CSP? The most common form of providing access to data is via the use of passwords. If sensitive data is at stake, a 1-pass authentication such as a password only will not be adequate. A 2-pass authentication such as the use of passwords along with tokens and certificates is recommended. For larger organizations, the CSP should be able to use standards such as LDAP (Lightweight Directory Access Protocol) and SAML (Security Assertion Markup Language) to integrate with your directory services or identity management systems prior to authenticating users and determining their permissions. Using these tools ensures that the CSP always has up-to-date information on authorized users to prevent unauthorized access. 7. What happens if there’s a data breach? You should always be prepared for a data breach. The CSP should have appropriate proactive processes and technologies in place to detect if an application or data is under attack; this means an Incident Response Plan (IRP) should be in place. What are the CSP’s response times if there’s a security breach, and what’s its notification process? Request a history of security breaches and how they were handled by the CSP. How transparent was the organization with their responses? Even if you’re satisfied with the CSP’s IRP, as an organization, you should plan for how you’d respond to your clients in the event of a security breaches at the CSP. There may be a misconception that as you transfer computing resources and responsibilities, you’re also transferring financial liabilities for data loss, corruption, or business interruption. This is rarely the case unless you’ve explicitly addressed these items during your contract negotiations, making the CSP responsible for such losses. One thing to check on is the CSP’s Technology Errors & Omissions policy and/or Cyber Liability coverage, typically a part of its primary insurance policy. The Technology Errors and Omissions insurance provides coverage for costs associated with the malfunction of a policyholder's (CSP) product or service, including the cost of fixing the error, replacing the product, and the lost business clients may experience because of the product's/service’s failure.



8. Can the CSP pass muster with the auditors?

• Security assessment by a 3rd party or accreditation process

• Process for accommodating the needs of the your auditors

• Conduct a forensic investigation?

9. Is your cloud computing service SOC 2/SSAE16 (formerly SAS 70) compliant?

• No assurances but a step in the right direction

• Demonstrates methodical and repeatable process

• Security certification and other regulatory requirements HIPAA, FERPA etc.

10. What is CSP’s stability factor?

• CSP acquired or out of business?

• Timely transition, removal and destruction of your data 22

Presenter

Presentation Notes

8. Can the CSP pass muster with the auditors? Every business has certain conditions they must meet for regulatory compliance. Depending upon the type of data that you will store at the CSP, it may be a requirement to locate a provider that has undergone a security assessment by a third party. For example, FedRAMP (Federal Risk and Authorization Management Program), although still in its infancy, will require any organization that wishes to store federal government-related data to undergo an accreditation process to ensure proper security controls are in place to protect that data. Customers need to find out whether the cloud CSP conducts regular security audits and what its processes are for accommodating the needs of the customer’s auditors as well. Ask whether you’ll be able to conduct your own security audit (penetration testing). Can you audit the CSP’s data security control? In the event of a security breach, will you be able conduct a forensic investigation to determine what caused the incident? How does the CSP respond to requests for data from the FBI, CIA, SEC, or corporate legal counsel? 9. Is your cloud computing service SOC/SSAE16 (formerly SAS 70) compliant? Eventhough the SOC/SSAE16 does not offer assurances from all aspects, it is certainly a step in the right direction. Cloud users should be wary of cloud CSPs that claim an SOC/SSAE16 report as proof that its offerings are secure. The SOC/SSAE16 only demonstrates that the CSP has a methodical and repeatable process to its operations and appropriate safeguards to protect its IT assets. Either through a comprehensive due diligence effort or the use of a third-party service are currently the primary means of validating the security offerings of the CSP. 10. What is CSP’s stability factor? What happens to your data if your cloud service CSP goes out of business or is bought out by another company? What guarantees can your cloud CSP give regarding its long-term viability? What mechanisms are in place to guarantee the return of your data in the event of a bankruptcy or other business shutdown or turnover? At the termination of the contract, what guarantees does the CSP provide for the timely transition, removal, and destruction of your data? These must explicitly be addressed in your contract.


Protect your assets – ask the questions 11. Does the CSP offer backup and recovery services?

• Data retention, backup and recovery

• Backed up to where. Basic backup services or beyond?

• Recovery process from an outage

• What is included in your service – does this match you RPO/RTO?

12.What are the contract terms?

• SLA, breach notification, intellectual properties, limitation of liability, etc.

• More on this later

23

Presenter

Presentation Notes

11. Does the CSP offer backup and recovery services? If the provider offers back-up services, what type of services are offered— just data recovery, or is the CSP able to offer up more, such as spinning up virtual machines and providing access to both applications and data? Do you have a say in where the data is backed up to? (See data encryption and regulatory/compliance requirements.) 12. What are the contract terms? Contract terms generally favor the CSP. Unlike typical contracts where there’s a partnership-style relationship between companies, cloud services are different due to the high degree of contract standardization and services being delivered. An unlikely but possible scenario: what happens to your data and services if the CSP’s assets are frozen by law enforcement or regulatory authorities due to CSP or a CSP client’s activities? This situation has happened and put some organizations out of business when the FBI seized the servers of the CSP for fraud investigation, rendering its clients’ data inaccessible. Beyond the standard terms and conditions typically found in most contracts, a cloud service contract should address at a minimum the following: service levels, data security breach notification, legal process notification, use of customer data, confidentiality and security requirements, intellectual property rights, compliance with European data protection laws, limitation of liability and damages, indemnity, representations and warranties, terms for renewal of the contract or termination, termination assistance, and secure destruction of customer data at termination.


Eeny, meeny, miny, moe – Picking a CSP

24

No different than any other selection project

• Identify what is important to you

• Identify what “must haves” and “like to have”

• Don’t ignore security and growth

• For each of the identified areas, assign weightage

• Seek “written” answers you are looking for

• When in doubt err on the conservative side

• Reference – ask for a list of clients, not just references

• Not to be taken lightly – your data, your neck

• Add skill sets to the IT mix to manage and administer vendor contracts

• Viewed as a partnership - cannot abdicate management of the vendor / service though they provide the service

Presenter

Presentation Notes

*) Before you go too far down the road, understand the risks *) moving information into the cloud or transaction / processing into the cloud; *) With a Cloud model the data and transaction processing may not reside at the same location


Eeny, meeny, miny, moe – Picking a CSP

25


Eeny, meeny, miny, moe – picking a CSP

26

Reference: Intel’s Intel Cloud Finder


Contractual considerations

Negotiate key terms and conditions to mitigate risk and cost exposure:

• Uptime Guarantees

• SLA penalties

• SLA penalty exclusions

• Security

• Business Continuity and Disaster recovery

27


Contractual considerations

Negotiate key terms and conditions to mitigate risk and cost exposure:

• Data privacy conditions

• Suspension of service

• Termination

• Liability

28


Where’s my checklist?

Do I have a “strategy” or am I “piecemealing this”?

Have a process for identifying suitable applications / systems / workloads ideal for “cloudifying” – business objective first

Define your selection criteria - requirements for security, compliance, growth, performance, etc.

Identify issues around migrating existing workloads

Identify vendor(s), vendor lock-ins and flexibilities

Identify the costs? CapEx, OpEx, sunk costs, staff retraining

Identify your questions - have written responses, talk to existing clients

Determine the impact on your IT staff (skills and headcount)?

Understand your contract – have your requirements clearly identified

It is not an all or nothing proposition – think hybrid 29

Presenter

Presentation Notes

Current investments may be a sunk cost


Q&A

Q&A


Thank you for attending

Marv Sauer, Principal 248.223. 3120

[email protected]

To view a complete calendar of upcoming Plante Moran webinars, visit webinars.plantemoran.com

Sri Chalasani, Sr. Architect 248.223.3707

[email protected]

http://knowledgeshare.pmllp.com/Operations/Marketing/Photos/S/Sauer, Marvin.jpg

Bringing the Cloud Back to Earth

Technology

Transcript of Bringing the Cloud Back to Earth