Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012


This presentation was delivered at the 2012 BankTech summit in Sydney, Australia by Rob Livingstone ( ). Topics included:

Exploring the real definition of Cloud
Interpreting the conflicting messages
Systemic vs. Technical risks in the Cloud
Hybrid Cloud is the reality
Importance of Cloud Computing Reference Architecture
Managing multiple parties in the Cloud ecosystem (Hybrid Cloud)
The challenge for Regulators
Standards? Which standards?
Some risk mitigation approaches

Published in: Technology, Business

  1. Map of the minefield: Alleviating cloud risks in order to reap the benefits
     ROB LIVINGSTONE
     - Fellow, University of Technology, Sydney, Australia, and
     - Principal, Rob Livingstone Advisory Pty Ltd
     17th July 2012
  2. What I'll NOT be covering
     • Data Privacy
     • Data residency
     • International legal jurisdictional considerations
     • Vendor lock-in
     • Data extraction and ownership
     • Intellectual property considerations
     • Hacking, cybercriminals and cloud, data breaches
     • Total cost of Ownership
     • Single function enterprise Cloud (eg CRM, eMail, pure storage)
     • Consumerisation of IT
     • BYOD
     These are much discussed and (hopefully) should be well understood by all
  3. What I WILL be covering
     • Exploring the real definition of Cloud
     • Interpreting the conflicting messages
     • Systemic vs. Technical risks in the Cloud
     • Availability
     • Hybrid Cloud is the reality
     • Importance of Cloud Computing Reference Architecture
     • Managing multiple parties in the Cloud ecosystem (Hybrid Cloud)
     • The challenge for Regulators
     • Standards? Which standards?
     • Some risk mitigation approaches
  4. Exploring the real definition of Cloud
     The most quoted definition of Cloud: "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction."
     • US National Institute of Standards and Technology's (NIST) definition
  5. Exploring the real definition of Cloud
     The most sensible definition of Cloud: "Forget your technical definition of the Cloud, ask your mom what the Cloud is… And what your mother will tell you about the Cloud is that it means it's not on my computer."*
     Dave Asprey, Global VP, Cloud Security, Trend Micro
     * Navigating through the Cloud Podcast, Episode 23 in iTunes
  6. Exploring the real definition of Cloud
     Cloud-like outsourcing: if you sign a standard outsourcing contract with an outsourcing vendor that has Cloud-like pricing (pay-as-you-go) and Cloud-like capabilities, whether or not it's Cloud is largely a matter of opinion.
  7. Exploring the real definition of Cloud
     The 3 key 'classic' ingredients of Cloud:
     • You're counting on the SaaS vendor to provide all the multi-tenancy for your data.
     • You hope they've written their applications well, secure their databases, and so on…
     • You're sharing the database with everyone else.
  8. Exploring the real definition of Cloud
     Enterprise Cloud: The Inverted Risk Pyramid
     [Figure: inverted pyramid. HIGH RISK (top, the focus of this presentation): major enterprise instances, with complexity, scale, risk, compliance, deep integration, long term integration, enterprise governance needed. LOW RISK (bottom): commodity / non-integrated Cloud applications.]
  9. Interpreting the conflicting messages
     Has business lost patience with Enterprise IT?
     "Despite an abundance of IT Project Management (ITPM) resources, such as the PMI Body of Knowledge, IT standards and governance, a large percentage of IT projects continue to fail and ultimately get scrapped. Recent studies have shown an average of 66% IT project failure rate, with 52% of the projects being cancelled, and 82% being delivered late."
     Kraft (2008). The Importance of Business Process Alignment for IT Project Management of Commercial Software with Case Studies. Journal of Information Systems Applied Research, 1 (3)
  10. Interpreting the conflicting messages
     A recent survey* referred to by Forbes claims that "a meagre 3% of companies considering Cloud consider it to be too risky." This was based on a survey of 785 companies, implying the inevitability of Cloud. Not atypical of research in Cloud, this survey was conducted by a firm that has investments in the Cloud industry, with 65% of respondents being vendors, so one could say that the results were not totally unexpected.
  11. Interpreting the conflicting messages
     Fear of being left behind?
     "By 2015, nearly $1 of every $6 spent on packaged software, and $1 of every $5 spent on applications, will be consumed via the SaaS model."
     "By 2012, about 83% of all net-new software firms coming to market will be operationalized around creating, testing, selling, and provisioning a service versus a packaged product (CD)."
     "By 2015, about 24% of all new business software purchases will be of service-enabled software, and SaaS delivery will constitute about 13.1% of worldwide software spending across all primary markets and 14.4% of applications spending."
     IDC, Dec 2011, Doc # 232239
  12. Interpreting the conflicting messages
     2012 PwC CEO Survey: 75% of CEOs plan to change innovation capacity in 2012, of which 24% expect 'major change', underpinned in part by technology.
     The eighth annual KPMG 2012 Audit Institute Report identified "IT Risk and Emerging Technologies" as the second-highest concern for audit committees, which is unprecedented in the history of the report.
  13. Interpreting the conflicting messages
     • So, in a nutshell, there are mixed messages out there at this point in time.
     • On the one hand, organisations demand speed, innovation, agility and value, largely facilitated by technology.
     • Organisations that adopt new 'transformational' technologies, Cloud in particular, without effective consideration of the enterprise-wide, systemic and longitudinal risks, are potentially either setting themselves up for future problems, or not maximising the opportunities, or both.
     • This last point is the focus of my presentation.
  14. Systemic vs. Technical Risks in the Cloud
     Systemic Risks
     • Systemic risk is highly relevant to Hybrid Cloud, which we'll discuss in a few minutes…
     • Systemic risks are those with the greatest potential impact, as they affect the entire system (ie: organisation, government, country, world…)
     • Case in point: how is it that the finance industry, which is one of the more regulated and invests heavily in risk identification, mitigation and transference, could be the cause of the current global financial problems?
     • Systemic risk for the enterprise is the silent killer and is often the hardest to identify, as only a few have a complete, transparent and objective overview of the overall enterprise.
     • Mitigation is through approaches such as Enterprise Risk Management (ERM), which has its origins in fraud and organisational governance, and underpins the insurance industry.
     • Its applicability to IT, and Cloud especially, is not often discussed.
  15. Systemic vs. Technical Risks in the Cloud
     Technical (or functional) Risk
     • Identifying, categorising and ranking technical and functional risks is core to conventional IT risk assessment approaches:
       o Risk of a specific event = (Impact x Probability of that event occurring) + Risk Adjustment
     • This underpins conventional risk certification frameworks, e.g. ISO 2700X.
     • Compliance does not necessarily equal security or effectiveness of your risk management model.
     • The categorisation of risks into functional and technical categories does not help in the identification of systemic risk.
     • Focusing on the diverse range of technical or functional risks does not account for the interaction between risks.
     • Systemic risks are mostly more significant than the sum of the individual risks.
  16. Availability
     What's your downtime cost?
     Fundamental question: Is Cloud your default position?
     "What they don't usually tell you about the Cloud is that the SLA or the uptime SLA for Cloud providers is not nearly as good as it is for co-location… So, if you're looking for five 9s, you're going to need several Clouds and a lot of zeros on the cheque that you write."
     Dave Asprey, Global VP, Cloud Security, Trend Micro
     Navigating through the Cloud Podcast, Episode 23 in iTunes
  17. Hybrid Cloud is the reality
     "Within five years, it will be primarily deployed by enterprises working in a hybrid mode." - Gartner
     Gartner, "Predicts 2012: Cloud Computing Is Becoming a Reality" (Published: 8 December 2011, ID: G00226103)
  18. Hybrid Cloud is the reality
     Cloud 101: The 4 flavours of cloud computing
     Public:
     • No control
     • No ownership
     • You own data
     • Apps stay behind
     Private / Internal:
     • You control all
     • You may own
     • You define architecture
     • You determine your own security position
     Hybrid:
     • Combination of 2 or more models
     • Can be more complex
     • Need to manage interfaces, integration
     Community:
     • Multiple organisations share same private cloud infrastructure
  19. Importance of Cloud Computing Reference Architecture
     Review, define and assign key roles in your Cloud environment.
     - Define your Cloud Reference Architecture by reviewing applicability against published models (eg NIST*, IBM, etc)
     - Ensure you do not miss important roles (eg: the IBM CCRA does not include Cloud Broker and Cloud Auditor, yet they are included in the NIST CCRA)
     * National Institute of Standards and Technology
  20. Importance of Cloud Computing Reference Architecture
     Who is accountable for what in your Cloud? It's YOUR brand at stake, not the vendor's!
  21. Importance of Cloud Computing Reference Architecture
     The emergence of the 'Cloud Broker'
  22. Importance of Cloud Computing Reference Architecture
     The real definition of Cloud: IT Department in the Cloud?
  23. Managing multiple parties in the Cloud ecosystem
     "Cloud consumers should budget for additional integration costs which can range from 10% to 30% — and sometimes as high as 50% — of the total cost of cloud IT projects."
     Gartner, "Predicts 2012: Cloud Services Brokerage Will Bring New Benefits and Planning Challenges" (Published: 22 November 2011, G00227370)
     Let's explore the reasons why in a bit more detail…
  24. Managing multiple parties in the Cloud ecosystem
     Why is brokerage a real consideration? Orchestrating versioning, change control and rollback
     [Figure: multiple cloud services at differing versions: V1.2, V2.3.1, V2.4, V3.5, V5.3]
  25. Managing multiple parties in the Cloud ecosystem
     Why is brokerage a real consideration? Life expectancy…
     [Figure: multiple cloud services with differing life expectancies: 4 years, 6 months, 1 year, 3.5 years, 4.5 years]
  26. Managing multiple parties in the Cloud ecosystem
     Why is brokerage a real consideration? Business continuity…
     [Figure: one of multiple cloud services marked with an X, i.e. no longer available]
  27. Managing multiple parties in the Cloud ecosystem
     Why is brokerage a real consideration? Also:
     • Security
     • Identity Management
     • Due diligence
     • 'Big Data'
     • Business Intelligence: dashboards and drilldowns
     • Forensics / eDiscovery
     • BYOD
     • Mobility
     • Legislative / Jurisdictional
     • Contractual complexity
     … to name but a few
  28. The challenge facing regulators
     • Various industry regulators are also working hard to keep up with the fast-moving Cloud and technology environments; however, keeping up with the rate of change presents a challenge.
     • A case in point relates to the wording contained in the current National Privacy Principles (NPPs). The word 'reasonable' is used in the NPPs to describe measures and controls that should be applied in the implementation of privacy controls. Whilst the intention is clear, the interpretation of 'reasonable' is fertile ground for contention in individual cases.
     • APRA's new standards that came into effect on July 1, 2012 (CPS231, 231 in particular) refer to appropriate risk management processes. Many of the standards referred to are dated. Two examples of such standards are AS/ISO 31000 (Risk management), where the current revision is dated 2009, and AS/ISO 27001 (Information security management systems), where the current revision is dated 2006.
  29. Cloud standards? Which standards?
     • Emerging standards
       - Open Virtualisation Format, ISO/IEC DIS 17203 or ANSI INCITS 469 2010
       - ISO/IEC WD TS 27017 (Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002; under development)
       - ISO/IEC DIS 17826, Cloud Data Management Interface (CDMI)
  30. Cloud standards? Which standards?
     Plethora of forums, industry groups and associations
     - Cloud Security Alliance
     - Cloud Standards Customer Council
     - Distributed Management Task Force (DMTF), Cloud Management Working Group (CMWG)
     - The European Telecommunications Standards Institute (ETSI)
     - National Institute of Standards and Technology (NIST)
     - Open Grid Forum (OGF)
     - Object Management Group (OMG)
     - Open Cloud Consortium (OCC)
     - Organization for the Advancement of Structured Information Standards (OASIS)
     - Storage Networking Industry Association (SNIA)
     - The Open Group
     - Association for Retail Technology Standards (ARTS)
     - TM Forum's Cloud Services Initiative
     Source:
  31. Some risk mitigation approaches
     • Be crystal clear on the drivers behind Cloud for the organisation; do not make Cloud your default position!
     • Understand and accurately map the solution to your legislative, regulatory and compliance environment
     • Predict and budget for integration complexities
     • Know your exit strategy before you sign up
     Reshape the role of your IT Department
     • Shift from a technology provider to a services broker
     • Differing skills mix for in-house IT
     • Technology-enabled business services is the direction to take for enterprise IT
     • If IT have concerns, don't dismiss them as 'job protection'; scrutinise these. Remember the 'O' ring and the Challenger?
  32. Some risk mitigation approaches
     Due diligence is crucial
     • Perform your own due diligence, and seek absolutely independent, experienced, financially disinterested advice if needed
     • Stress test your business case:
       - Test your Cloud contract against a variety of scenarios
       - Conduct a sensitivity analysis for feasible changes in your commercial environment, and for regulatory and operational scenarios
       - Price in risk
       - Understand the volatility of the cloud market
       - Identify the systemic risks
  33. Thank You!
     ROB LIVINGSTONE
     - Fellow, University of Technology, Sydney
     - Principal, Rob Livingstone Advisory Pty Ltd
     W1: W2: E:
     P: +61 2 8005 1972
     P: +1 609 843 0349
     M: +61 419 632 673
     F: +61 2 9879 5004
     rladvisory
     © All rights reserved. Rob Livingstone Advisory Pty Ltd ABN 41 146 643 165. Unauthorized redistribution prohibited without prior approval. 'Navigating through the Cloud' is a Trademark of Rob Livingstone Advisory Pty Ltd.