Moving Enterprise Applications to the Cloud


Published on

Clint Harder, Vice President of Product Strategy for TDS HMS presents on "Cloud Services and Enterprise IT Applications: Are They a Match?". Clint Harder takes you through key decision points in selecting cloud services for enterprise applications.

This presentation was given at the Enterprise Cloud Summit on October 16, 2012 - presented by VISI.

Learn more about enterprise cloud computing at

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Bill and I may disagree on some points. That is good and healthy, and disagreement brings certain issues to forefront to be addressed.
  • When we were evaluating speakers, one of them would not call our cloud offering a cloud because in our first phase we did not bill hourly. It is a simply switch we can throw in our software, but we do not view that as compelling for production IT.
  • Going to break another PPT “rule:.Going to read (and print) 2 key takeaways.
  • Estimated time to maturity supports the stage of IaaS in the Gartner trough of disillusionment.Also indicates that if your organization has not done anything with IaaS, you are not behind.Important sidebar:Will you save money?Depends on how you measureDepends on what you measureDepends on your current IT investments, staffing models, business plans, etc.KEY: Depends on how much you value flexibility!
  • Legacy infrastructure. Legacy staffing models. Shrink time to deployment.
  • Let me expand on the top line of the previous “motivations” graph.In short, cloud drives top-line growth from:● Improved business speed, reach, and scalability, with faster provisioning● New services innovation, transforming IT from a cost center to an enabler of businessand competitive advantages● Competitive differentiation through adoption of new capabilities such as mobility andvideo● Improved business resiliency through better uptime● Competitive differentiation through adoption of new capabilities such as mobility andvideo● Improved business resiliency through better uptime
  • These roughly fall into the following categories:Security and ComplianceAvailability and PerformanceContracting and Ongoing Management
  • THE MAJOR FOCUS AREA. AND IT SHOULD BE.Security shouldn’t force youto avoid the cloudSecurity can force you to address the issues you’ve avoidedExclusive focus on IT Security (e.g. firewalls, anti-virus, encryption) overlooks people and processDefense in depth, layers of control with permission to failProgrammatic approach, security isn’t just the IT guys problemRole management, make sure both parties understand their obligationsTransfer responsibility, not accountability
  • Make sure you understand how the cloud environment is physically securedLook for multiple layers of access control to gain access to cloud infrastructurePeople traps, tail gating sensors to restrict improperly escorted accessCombination of something you have (e.g. proximity card) and something you are (e.g. fingerprint)Understand the electrical and cooling capabilities of the facilitiesKnow how the provider delivers electrical service redundancyAsk the provider to explain their philosophy on cooling Ensure provider has appropriate controls to monitor physical access to equipmentCamera placement at ingress/egress, visibility of equipmentRetention of video recordings based on your requirements (e.g. 180d, 1y, 2y)Verify whether your cloud provider own the facility, rents it or simply is one of several organizations located withinMake sure provider is separated from other organizations; physically and logicallyProviders policy on colocation of your equipment
  • Network security controls are the foundational set of logical or technical controlsMake sure the provider views network security the same way you doAdjust your expectations where necessaryHow are firewall services provided?Shared or dedicatedPhysical or virtualNumber of layers or segmentationHow is network based IDS/IPS handled?Internal or externalTypes of events (e.g. inbound, outbound or both)Frequency of signature updates and/or tuningHow is remote connectivity supplied?Site to site, remote access or bothStrong mechanisms for encryptionConnectivity to business partnersConnectivity to providers other servicesKnow what services are and are not includedDenial of service protectionLoad balancing, SSL acceleration
  • Cloud provider is always responsible for securing the hypervisorCloud provider may or may not be responsible for the OS even in an IaaS modelMake sure OS management responsibilities are clearly defined and have SLAs establishedIdentify escalation mechanisms to ensure finger pointing does not become a road blockLook for complementary support modelsMake sure you know how your data is Stored in relation to other customers’ dataPurged or removed when you no longer need it. Is there a decommissioning process?Just returned to storage poolsIf there are any doubts, encrypt the file system; retain key management
  • Managing the potential threats to your data and services is a joint effort with the providerCombination of oversight and operationsIdentify capabilities provided by the provider by default and as optional servicesLeverage cloud provider where you can and integrate where you mustCloud provider should have capabilities to collect log data and identify security eventsVerify how the cloud provider monitors the configuration of the environmentKnow whether you can conduct vulnerability and or penetration testingVaries by provider and by model (e.g. SaaS, IaaS)Ensure the provider has procedures on responding to security incident and conducting root cause analysis (e.g. digital forensic capabilities)
  • Select providers who undergo independent review of their security controlsAICPA (American Institute of Certified Public Accountants)SOC 1 recommended for controls around financial processingSOC 2 recommended and going forward (2013 or 2014)Consider attestations for cloud provider which related to your line of business or industryPCI – DSSISO 27001Establish your own framework to audit cloud providersDraw from existing assessment/audit materialsLeverage CSA STAR (Security, Trust and Assurance Registry) current regulatory frameworksAssess cloud provider regularlyFocus on key areas
  • Understand how cloud providers meet specific sections of regulatory and pseudo-regulatory requirements your organization facesAssessment and commitmentReview your providers controls for alignment with your compliance requirementsAcquire contractual commitments on compliance requirements from providersVerify which of the following your organization must comply with and how the provider addresses:HIPAAHITECHGLBAFISMAPCI – DSSEU Data Protection Directive
  • This is an evolving area, but is especially important for enterprise Apps.Especially the SLAs
  • Don’t gloss over support. Who can you reach, when, and how, when you are having issues?
  • Term can be a two edged sword:Month to month means:Prices can go up and downLikely to be more expensive than some level of commitmentCapacity is only guaranteed for the term of your contract.
  • Audit rightsHow often?How much notice?Against what standards/frameworks?How are findings remediated?Does auditing allow you to conduct vulnerability assessments and penetration tests?Incident notificationHow quickly are you notified?How does the provider handle notification of the media, law enforcement and your customers?RetentionHow do you ensure data is retained in the event of a litigation hold, what does it cost?What does the provider do to destroy data that you have decommissioned?Human resourcesWhat type of background checks and screens are performed?How does the provider terminate access when it is no longer required?BCP/DRWho is responsible for resumption of your operations at another location?What does the provider have in place to support you in the event of their own disaster?InsuranceDoes the provider have insurance to cover your losses based on the indemnification you’ve work out with them?Does the carrier agree to provide coverage based on the nature of the insurance (general liability vs e-commerce)?Don’t rely on contract breach as the only remediation; once you are there it costs you more than them to moveEstablish SLAs around security and controlsAttach financial penalties
  • Moving Enterprise Applications to the Cloud

    1. 1. Moving Enterprise Applications to the CloudClint HarderVP of Product Strategy
    2. 2. About Me• Responsible for product development and operational integration at TDS HMS• Recently developed strategy for ReliaCloud offering• Pragmatic business-oriented technician• Warning: I am NOT a PowerPoint ninja 2
    3. 3. What are Enterprise Applications?• Applications designed to solve enterprise-wide problems• Typically integrate with other applications in the organization• Have stringent security, availability, and performance requirements• Include: – ERP, financial systems, email and collaboration, data warehouses, line of business applications, CRM, eCommerce, portals, etc.
    4. 4. What is Cloud Computing?• Five characteristics according to NIST: – On-demand self-service – Broad network access – Resource pooling – Rapid elasticity – Measured service• My definition: – IT infrastructure and/or applications delivered as service and as an operating expense to the customer• IaaS vs. PaaS vs. SaaS – I prefer ITaaS (IT as a Service)• Public vs. Private vs. Hybrid? – Yes!
    5. 5. Key Study Takeaways“As a first step, we as an industry must still work to provide aclearer definition of what cloud is and how the many innovativeand secure services can help positively impact today’sbusinesses,” said J.R. Santos, global research director at CSA.“But, we need to start at the top and engage seniormanagement. Cloud needs can no longer be thought of as atechnical issue to address, but rather a business asset toembrace.”“For cloud to provide enterprise-changing capabilities and thebenefits that vendors have promised, it needs to transition froma technology solution to a business resource. This entailsunderstanding what cloud is and what it promises, incorporatingbusiness and technical requirements into contracts, monitoringperformance against requirements, and appreciating cloud-related risk within the wider context of the business andenterprise risk management.” 5
    6. 6. Key Study Findings• Satisfaction Levels of Various Cloud Components (Percent rating satisfaction as “4″ or “5″ on a scale of 1 to 5): – Software as a Service (applications) 63% – Infrastructure as a Service (compute power) 55% – Platform as a Service (middleware) 43%• Estimated Length of Time to Meet Maturity – Software as a Service 2.73 years – Infrastructure as a Service 3.02 years – Platform as a Service 3.34 years• Business enablers (score 4.08) rather than financial considerations (score 3.5) are the primary factors in making cloud decisions• The business enablement factors that most influence cloud computing decision making are related to the reliability and availability of services (mean score 4.59) and quality of service (score 4.29). 6
    7. 7. Motivations to OutsourceSource: Savvis 2012 Global IT Leadership ReportSurvey of 550 IT Execs 7
    8. 8. Cloud Supports the Agile Business Current State - IT Desired State - IT Increase 20% Value Innovating Profit Generator Creation 80%Cost Center Innovating 80% Sustaining and Running 20% Decrease Sustaining and Low Value Running Operations ‘Running in Place’ or ‘Innovating’? 8
    9. 9. Leading Constraints on Cloud Adoption• Information security (4.22)• Data ownership/custodian responsibilities (4.12)• Legal and contractual issues (4.04)• Regulatory compliance (4.01)• Information assurance (3.77)• Longevity of suppliers (3.44)• Contract lock-in (3.42)• Performance standards (3.30)• Disaster recovery/business continuity (3.25)• Performance monitoring (3.21)• Technology stability (3.10)* Average score, based on a scale of 1 to 5 9
    10. 10. Evaluating Cloud Services• Security Management• Availability and Performance Management• Contracting and Ongoing Management• Big Bang vs. Evolving Adoption 10
    11. 11. Security Management• Cloud computing requires a comprehensive control framework• Cannot focus solely on technology • Build “Defense in Depth” which moves beyond application of technical controls • Establish programmatic security approach drawing from key disciplines • Understand Cloud provider and consumer roles to manage risk
    12. 12. Physical securityWhere does the Cloud provider host your dataand services?• If an unauthorized party can gain physical access, nothing else matters – Access controls – Environmental controls – Surveillance controls• Facility management and ownership – Uptime Institute Tier 3 – Separation of Cloud services
    13. 13. Network securityDoes the Cloud provider’s network securitystrategy align with yours?• Look for providers who approach network security the same way you do – Firewall management – Intrusion detection and/or prevention – Remote connectivity from offices and mobile workforce – Denial of service protection – SSL acceleration
    14. 14. System securityWhat does the Cloud provider do to secure thevirtualization environment?• Cloud provider owns the servers, storage and virtualization layer• Know who owns the operating systems – Provider, customer or both – Document processes for • OS hardening, patching • Malware defense • Data and system backups • Data isolation and sanitization
    15. 15. Threat managementWhat visibility does the Cloud provider deliveron activity within the environment?• Capabilities will vary by Cloud provider• Know what options are available – Log collection and/or security event management – Configuration, vulnerability and/or penetration assessments – Practices to respond and contain security incidents; analysis for root cause
    16. 16. Risk managementHow do you know the Cloud provider ismaintaining their controls?• Insist on independent attestations from a third party – AICPA Service Organization Control Reports • SOC 1 • SOC 2, SOC 3 – Industry related attestations• Establish your own framework
    17. 17. ComplianceIs the Cloud provider enabling compliance withregulatory drivers?• Evaluate Cloud providers based on the compliance obligations of your industry – Health information – Financial records – Payment card data
    18. 18. Availability ManagementWhat is the SLA for availability and what arethe remedies if not met?• SLA for availablity• Credits and other remedies for non- performance• Does the architecture actually support high availability• Do not expect to transfer all the risk • Unlimited liability, lost profits, etc. 18
    19. 19. Performance ManagementCan the cloud platform meet your performancerequirements?• What is the cloud platform architecture? – How does it align to your existing investments and skill sets? – Does it support high capacity and performance? • High network throughput • High IOPS – Can it scale quickly with existing architecture and capacity?• Is there an SLA for performance metrics? 19
    20. 20. Support Options and Other ServicesHow is support offered for ongoing issues?• Voice• Electronic• PortalWhat other services are available?• Implementation and migration services• Can you colocate dedicated infrastructure? – Can you integrate into the cloud services?• Can you directly connect (private connectivity) into the cloud services?• Are other managed services available? 20
    21. 21. ContractingWhat are the important contractual terms to beaware of?• Term of contract – Month to month vs. longer committments• Costs and cost escalators• SLAs – What do they cover and how are they measured?• Data ownership 21
    22. 22. More contractingWhat guarantees the Cloud provider meets theirobligations?• Key controls to strive for: – Rights to audit and mitigate – Security incident notification – Retention and electronic discovery – Human resource practices – Business continuity and disaster recovery – Liability insurance• IMPORTANT: Does the cloud provider have the resources to back their contract?
    23. 23. How to get started?• Big Bang• Evolve• Public vs. Private vs. Hybrid• Data migration• Assign internal ownership for managing the relationship• Develop strong competencies in sourcing management 23
    24. 24. In Closing• Is the cloud ready for enterprise applications? – Yes, if providers are carefully evaluated and contracts are carefully structured.• Has cloud passed you by? – No. Just entering the maturation stage.• Will the cloud save me money? – It depends. – How much value do you put on flexibility and speed? – Apples vs. oranges 24