Map of the Cloud minefield - Banktech Sydney Summit 17 july 2012

This presentation was delivered at the 2012 BankTech summit in Sydney, Australia by Rob Livingstone (www.rob-livingstone.com). Topics included:

Exploring the real definition of Cloud
Interpreting the conflicting messages
Systemic vs. Technical risks in the Cloud
Availability
Hybrid Cloud is the reality
Importance of Cloud Computing Reference Architecture
Managing multiple parties in the Cloud ecosystem (Hybrid Cloud)
The challenge for Regulators
Standards? Which standards?
Some risk mitigation approaches

Published in: Technology, Business
Transcript

  • 1. Map of the minefield: Alleviating cloud risks in order to reap the benefits
    ROB LIVINGSTONE
    - Fellow, University of Technology, Sydney, Australia, and
    - Principal, Rob Livingstone Advisory Pty Ltd
    17th July 2012
    navigatingthrougthecloud.com
  • 2. What I'll NOT be covering
    • Data Privacy
    • Data residency
    • International legal jurisdictional considerations
    • Vendor lock-in
    • Data extraction and ownership
    • Intellectual property considerations
    • Hacking, cybercriminals and cloud, data breaches
    • Total cost of Ownership
    • Single function enterprise Cloud (eg CRM, eMail, pure storage)
    • Consumerisation of IT
    • BYOD
    These are much discussed and (hopefully) should be well understood by all.
  • 3. What I WILL be covering
    • Exploring the real definition of Cloud
    • Interpreting the conflicting messages
    • Systemic vs. Technical risks in the Cloud
    • Availability
    • Hybrid Cloud is the reality
    • Importance of Cloud Computing Reference Architecture
    • Managing multiple parties in the Cloud ecosystem (Hybrid Cloud)
    • The challenge for Regulators
    • Standards? Which standards?
    • Some risk mitigation approaches
  • 4. Exploring the real definition of Cloud
    The most quoted definition of Cloud:
    "Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction."
    • US National Institute of Standards and Technology's (NIST) definition
  • 5. Exploring the real definition of Cloud
    The most sensible definition of Cloud:
    "Forget your technical definition of the Cloud, ask your mom what the Cloud is... And what your mother will tell you about the Cloud is that it means it's not on my computer."*
    Dave Asprey, Global VP, Cloud Security, Trend Micro
    * Navigating through the Cloud Podcast Episode 23 in iTunes
  • 6. Exploring the real definition of Cloud
    Cloud-like Outsourcing: If you sign a standard outsourcing contract with an outsourcing vendor that has Cloud-like pricing (pay-as-you-go) and Cloud-like capabilities, whether or not it's Cloud is largely a matter of opinion.
  • 7. Exploring the real definition of Cloud
    The 3 key 'classic' ingredients of Cloud:
    • You're counting on the SaaS vendor to provide all the multi-tenancy for your data.
    • You hope they've written their applications well, secure their databases, and so on.
    • You're sharing the database with everyone else.
  • 8. Exploring the real definition of Cloud
    Enterprise Cloud: The Inverted Risk Pyramid
    [Figure: inverted pyramid. HIGH RISK (top): major enterprise instances, with complexity, scale, risk, compliance, deep integration, long-term integration and enterprise governance needed. LOW RISK (bottom): commodity / non-integrated Cloud applications.]
  • 9. Interpreting the conflicting messages
    Has business lost patience with Enterprise IT?
    "Despite an abundance of IT Project Management (ITPM) resources, such as the PMI Body of Knowledge, IT standards and governance, a large percentage of IT projects continue to fail and ultimately get scrapped. Recent studies have shown an average of 66% IT project failure rate, with 52% of the projects being cancelled, and 82% being delivered late."
    Kraft (2008). The Importance of Business Process Alignment for IT Project Management of Commercial Software with Case Studies. Journal of Information Systems Applied Research, 1 (3)
  • 10. Interpreting the conflicting messages
    A recent survey* referred to by Forbes claims that "a meagre 3% of companies considering Cloud consider it to be too risky." This was based on a survey of 785 companies, implying the inevitability of Cloud.
    Not atypical of research in Cloud, this survey was conducted by a firm that has investments in the Cloud industry, with 65% of respondents being vendors, so one could say that the results were not totally unexpected.
    * http://www.forbes.com/sites/joemckendrick/2012/06/20/cloud-computing-simply-isnt-that-scary-anymore-survey/
  • 11. Interpreting the conflicting messages
    Fear of being left behind?
    "By 2015, nearly $1 of every $6 spent on packaged software, and $1 of every $5 spent on applications, will be consumed via the SaaS model."
    "By 2012, about 83% of all net-new software firms coming to market will be operationalized around creating, testing, selling, and provisioning a service versus a packaged product (CD)."
    "By 2015, about 24% of all new business software purchases will be of service-enabled software, and SaaS delivery will constitute about 13.1% of worldwide software spending across all primary markets and 14.4% of applications spending."
    IDC Dec 2011 Doc # 232239
  • 12. Interpreting the conflicting messages
    2012 PwC CEO Survey: 75% of CEOs plan to change innovation capacity in 2012, of which 24% expect 'major change', underpinned in part by technology.
    The eighth annual KPMG 2012 Audit Institute Report identified "IT Risk and Emerging Technologies" as the second-highest concern for audit committees, which is unprecedented in the history of the report.
  • 13. Interpreting the conflicting messages
    • So, in a nutshell, there are mixed messages out there at this point in time.
    • On the one hand, organisations demand speed, innovation, agility and value, largely facilitated by technology.
    • Organisations that adopt new 'transformational' technologies, Cloud in particular, without effective consideration of the enterprise-wide, systemic and longitudinal risks are potentially either setting themselves up for future problems, or not maximising the opportunities, or both.
    • This last point is the focus of my presentation.
  • 14. Systemic vs. Technical Risks in the Cloud
    Systemic Risks
    • Systemic risk is highly relevant to Hybrid Cloud, which we'll discuss in a few minutes.
    • Systemic risks are those with the greatest potential impact, as they affect the entire system (ie: organisation, government, country, world...).
    • Case in point: How is it that the finance industry, which is one of the more regulated and invests heavily in risk identification, mitigation and transference, could be the cause of the current global financial problems?
    • Systemic risk for the enterprise is the silent killer and is often the hardest to identify, as only a few have a complete, transparent and objective overview of the overall enterprise.
    • Mitigation through approaches such as Enterprise Risk Management (ERM), which has its origins in fraud and organisational governance and underpins the insurance industry.
    • Its applicability to IT, and to Cloud especially, is not often discussed.
  • 15. Systemic vs. Technical Risks in the Cloud
    Technical (or functional) Risk
    • Identifying, categorising and ranking technical and functional risks is core to conventional IT risk assessment approaches:
      o Risk of a specific event = (Impact x Probability of that event occurring) + Risk Adjustment
    • Underpins conventional risk certification frameworks, e.g. ISO2700X.
    • Compliance does not necessarily equal security or effectiveness of your risk management model.
    • The categorisation of risks into functional and technical categories does not help in the identification of systemic risk.
    • Focusing on the diverse range of technical or functional risks does not account for the interaction between risks.
    • Systemic risks are mostly more significant than the sum of the individual risks.
  • 16. Availability
    What's your downtime cost?
    Fundamental question: Is Cloud your default position?
    "What they don't usually tell you about the Cloud is that the SLA or the uptime SLA for Cloud providers is not nearly as good as it is for co-location... So, if you're looking for five 9s, you're going to need several Clouds and a lot of zeros on the cheque that you write."
    Dave Asprey, Global VP, Cloud Security, Trend Micro
    Navigating through the Cloud Podcast Episode 23 in iTunes
  • 17. Hybrid Cloud is the reality
    "Within five years, it will be primarily deployed by enterprises working in a hybrid mode." - Gartner
    Gartner "Predicts 2012: Cloud Computing Is Becoming a Reality" (Published: 8 December 2011 ID:G00226103)
  • 18. Hybrid Cloud is the reality
    Cloud 101: The 4 flavours of cloud computing
    Public:
    • No control
    • No ownership
    • You own data
    • Apps stay behind
    Private / Internal:
    • You control all
    • You may own
    • You define architecture
    • You determine your own security position
    Hybrid:
    • Combination of 2 or more models
    • Can be more complex
    • Need to manage interfaces, integration
    Community:
    • Multiple organisations share the same private cloud infrastructure
  • 19. Importance of Cloud Computing Reference Architecture
    Review, define and assign key roles in your Cloud environment.
    – Define your Cloud Reference Architecture by reviewing applicability against published models (eg NIST*, IBM, etc)
    – Ensure you do not miss important roles (eg: IBM CCRA does not include Cloud Broker and Cloud Auditor, yet they are included in NIST CCRA)
    * National Institute of Standards and Technology
  • 20. Importance of Cloud Computing Reference Architecture
    Who is accountable for what in your Cloud? It's YOUR brand at stake, not the vendor's!
  • 21. Importance of Cloud Computing Reference Architecture
    The emergence of the 'Cloud Broker'
  • 22. Importance of Cloud Computing Reference Architecture
    The real definition of Cloud: IT Department in the Cloud?
  • 23. Managing multiple parties in the Cloud ecosystem
    "Cloud consumers should budget for additional integration costs which can range from 10% to 30%, and sometimes as high as 50%, of the total cost of cloud IT projects."
    Gartner Predicts 2012: Cloud Services Brokerage Will Bring New Benefits and Planning Challenges - Published: 22 November 2011 G00227370
    Let's explore the reasons why in a bit more detail.
  • 24. Managing multiple parties in the Cloud ecosystem
    Why is brokerage a real consideration? Orchestrating versioning, change control and rollback
    [Figure: multiple cloud services at differing versions: V1.2, V2.3.1, V2.4, V3.5, V5.3]
  • 25. Managing multiple parties in the Cloud ecosystem
    Why is brokerage a real consideration? Life expectancy
    [Figure: multiple cloud services with differing life expectancies: 4 Years, 6 Months, 1 Year, 3.5 Years, 4.5 years]
  • 26. Managing multiple parties in the Cloud ecosystem
    Why is brokerage a real consideration? Business continuity
    [Figure: one of the cloud services in the ecosystem marked with an X, i.e. no longer available]
  • 27. Managing multiple parties in the Cloud ecosystem
    Why is brokerage a real consideration? Also:
    • Security
    • Identity Management
    • Due diligence
    • 'Big Data'
    • Business Intelligence – Dashboards and drilldowns
    • Forensics / eDiscovery
    • BYOD
    • Mobility
    • Legislative / Jurisdictional
    • Contractual complexity
    ... to name but a few
  • 28. The challenge facing regulators
    • Various industry regulators are also working hard to keep up with the fast-moving Cloud and technology environments; however, keeping up with the rate of change presents a challenge.
    • A case in point relates to the wording contained in the current National Privacy Principles (NPPs). The word 'reasonable' is used in the NPPs to describe measures and controls that should be applied in the implementation of privacy controls. Whilst the intention is clear, the interpretation of 'reasonable' is fertile ground for contention on individual cases.
    • APRA's new standards that came into effect on July 1, 2012 (CPS231, 231 in particular) refer to appropriate risk management processes. Many of the standards are dated. Two examples of such standards are AS/ISO 31000 (Risk management), where the current revision is dated 2009, and AS/ISO 27001 (Information security management systems), where the current revision is dated 2006.
  • 29. Cloud standards? Which standards?
    • Emerging Standards
      – Open Virtualisation Format ISO/IEC DIS 17203 or ANSI INCITS 469 2010
      – ISO/IEC WD TS 27017 (Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 - under development)
      – ISO/IEC DIS 17826 - Cloud Data Management Interface (CDMI)
  • 30. Cloud standards? Which standards?
    Plethora of forums, industry groups and associations
    – Cloud Security Alliance
    – Cloud Standards Customer Council
    – Distributed Management Task Force (DMTF)
    – Cloud Management Working Group (CMWG)
    – The European Telecommunications Standards Institute (ETSI)
    – National Institute of Standards and Technology (NIST)
    – Open Grid Forum (OGF)
    – Object Management Group (OMG)
    – Open Cloud Consortium (OCC)
    – Organization for the Advancement of Structured Information Standards (OASIS)
    – Storage Networking Industry Association (SNIA)
    – The Open Group
    – Association for Retail Technology Standards (ARTS)
    – TM Forum's Cloud Services Initiative
    Source: cloud-standards.org
  • 31. Some risk mitigation approaches
    • Be crystal clear on the drivers behind Cloud for the organisation: do not make Cloud your default position!
    • Understand and accurately map the solution to your legislative, regulatory and compliance environment.
    • Predict and budget for integration complexities.
    • Know your exit strategy before you sign up.
    Reshape the role of your IT Department
    • Shift from a technology provider to a services broker.
    • Differing skills mix for in-house IT.
    • Technology-enabled business services is the direction to take for enterprise IT.
    • If IT have concerns, don't dismiss them as 'job protection'; scrutinise these. Remember the 'O' ring and the Challenger?
  • 32. Some risk mitigation approaches
    Due diligence is crucial
    • Perform your own due diligence, and seek absolutely independent, experienced, financially disinterested advice if needed.
    • Stress test your business case:
      – Test your Cloud contract against a variety of scenarios
      – Conduct a sensitivity analysis for feasible changes in your commercial environment, regulatory and operational scenarios
      – Price in risk
      – Understand the volatility of the cloud market
      – Identify the systemic risks
  • 33. Thank You!
    ROB LIVINGSTONE
    - Fellow, University of Technology, Sydney
    - Principal, Rob Livingstone Advisory Pty Ltd
    W1: www.rob-livingstone.com
    W2: www.navigatingthroughthecloud.com
    E: rob@rob-livingstone.com
    P: +61 2 8005 1972
    P: +1 609 843 0349
    M: +61 419 632 673
    F: +61 2 9879 5004
    © All rights reserved. Rob Livingstone Advisory Pty Ltd ABN 41 146 643 165. Unauthorized redistribution prohibited without prior approval. 'Navigating through the Cloud' is a Trademark of Rob Livingstone Advisory Pty Ltd.
