Clint Harder, Vice President of Product Strategy for TDS HMS presents on "Cloud Services and Enterprise IT Applications: Are They a Match?". Clint Harder takes you through key decision points in selecting cloud services for enterprise applications.
This presentation was given at the Enterprise Cloud Summit on October 16, 2012 - presented by VISI.
Learn more about enterprise cloud computing at http://www.reliacloud.com.
Moving Enterprise Applications to the Cloud
1. Moving Enterprise
Applications to the Cloud
Clint Harder
VP of Product Strategy
2. About Me
• Responsible for product development
and operational integration at TDS HMS
• Recently developed strategy for
ReliaCloud offering
• Pragmatic business-oriented technician
• Warning: I am NOT a PowerPoint ninja
3. What are Enterprise Applications?
• Applications designed to solve enterprise-wide
problems
• Typically integrate with other applications in
the organization
• Have stringent security, availability, and
performance requirements
• Include:
– ERP, financial systems, email and
collaboration, data warehouses, line of business
applications, CRM, eCommerce, portals, etc.
4. What is Cloud Computing?
• Five characteristics according to NIST:
– On-demand self-service
– Broad network access
– Resource pooling
– Rapid elasticity
– Measured service
• My definition:
– IT infrastructure and/or applications delivered as a
service and as an operating expense to the customer
• IaaS vs. PaaS vs. SaaS
– I prefer ITaaS (IT as a Service)
• Public vs. Private vs. Hybrid?
– Yes!
5. Key Study Takeaways
“As a first step, we as an industry must still work to provide a
clearer definition of what cloud is and how the many innovative
and secure services can help positively impact today’s
businesses,” said J.R. Santos, global research director at CSA.
“But, we need to start at the top and engage senior
management. Cloud needs can no longer be thought of as a
technical issue to address, but rather a business asset to
embrace.”
“For cloud to provide enterprise-changing capabilities and the
benefits that vendors have promised, it needs to transition from
a technology solution to a business resource. This entails
understanding what cloud is and what it promises, incorporating
business and technical requirements into contracts, monitoring
performance against requirements, and appreciating cloud-
related risk within the wider context of the business and
enterprise risk management.”
6. Key Study Findings
• Satisfaction Levels of Various Cloud Components
(Percent rating satisfaction as “4” or “5” on a scale of 1 to 5):
– Software as a Service (applications) 63%
– Infrastructure as a Service (compute power) 55%
– Platform as a Service (middleware) 43%
• Estimated Length of Time to Meet Maturity
– Software as a Service 2.73 years
– Infrastructure as a Service 3.02 years
– Platform as a Service 3.34 years
• Business enablers (score 4.08) rather than financial
considerations (score 3.5) are the primary factors in making
cloud decisions
• The business enablement factors that most influence cloud computing
decision making are related to the reliability and availability of
services (mean score 4.59) and quality of service (score 4.29).
8. Cloud Supports the Agile Business
[Chart: Current State - IT vs. Desired State - IT. Current state: 80% sustaining and running (IT as cost center), 20% innovating. Desired state: 80% innovating (IT as profit generator), 20% sustaining and running. Arrows: increase value creation; decrease low-value operations.]
‘Running in Place’ or ‘Innovating’?
9. Leading Constraints on Cloud
Adoption
• Information security (4.22)
• Data ownership/custodian responsibilities (4.12)
• Legal and contractual issues (4.04)
• Regulatory compliance (4.01)
• Information assurance (3.77)
• Longevity of suppliers (3.44)
• Contract lock-in (3.42)
• Performance standards (3.30)
• Disaster recovery/business continuity (3.25)
• Performance monitoring (3.21)
• Technology stability (3.10)
* Average score, based on a scale of 1 to 5
10. Evaluating Cloud Services
• Security Management
• Availability and Performance Management
• Contracting and Ongoing Management
• Big Bang vs. Evolving Adoption
11. Security Management
• Cloud computing requires a comprehensive
control framework
• Cannot focus solely on technology
• Build “Defense in Depth” which moves
beyond application of technical controls
• Establish programmatic security approach
drawing from key disciplines
• Understand Cloud provider and consumer
roles to manage risk
12. Physical security
Where does the Cloud provider host your data
and services?
• If an unauthorized party can gain physical
access, nothing else matters
– Access controls
– Environmental controls
– Surveillance controls
• Facility management and ownership
– Uptime Institute Tier 3
– Separation of Cloud services
13. Network security
Does the Cloud provider’s network security
strategy align with yours?
• Look for providers who approach network
security the same way you do
– Firewall management
– Intrusion detection and/or prevention
– Remote connectivity from offices and mobile
workforce
– Denial of service protection
– SSL acceleration
14. System security
What does the Cloud provider do to secure the
virtualization environment?
• Cloud provider owns the servers, storage
and virtualization layer
• Know who owns the operating systems
– Provider, customer or both
– Document processes for
• OS hardening, patching
• Malware defense
• Data and system backups
• Data isolation and sanitization
15. Threat management
What visibility does the Cloud provider deliver
on activity within the environment?
• Capabilities will vary by Cloud provider
• Know what options are available
– Log collection and/or security event management
– Configuration, vulnerability and/or penetration
assessments
– Practices to respond and contain security
incidents; analysis for root cause
16. Risk management
How do you know the Cloud provider is
maintaining their controls?
• Insist on independent attestations from a
third party
– AICPA Service Organization Control Reports
• SOC 1
• SOC 2, SOC 3
– Industry related attestations
• Establish your own framework
17. Compliance
Is the Cloud provider enabling compliance with
regulatory drivers?
• Evaluate Cloud providers based on the
compliance obligations of your industry
– Health information
– Financial records
– Payment card data
18. Availability Management
What is the SLA for availability and what are
the remedies if not met?
• SLA for availability
• Credits and other remedies for non-
performance
• Does the architecture actually support high
availability?
• Do not expect to transfer all the risk
• Unlimited liability, lost profits, etc.
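The slide asks what the availability SLA is and what the remedies are if it is not met; how the number is measured decides the answer. The following is an added example (not code from the presentation or from TDS HMS) that measures availability from a constructed list of outage records over one month, compares it with a 99.9% SLA, and maps the result to a hypothetical credit schedule. The outage data, the credit tiers and the choice of measurement period are all assumptions; the point it shows is that the same outages land in different credit tiers depending on whether scheduled maintenance is excluded from the calculation, which is exactly the kind of contract term to read closely.

```python
from datetime import datetime

# Constructed sample outage records (start, end, classification), in the shape a
# monitoring system might export them. Made-up values, not data from the presentation.
OUTAGES = [
    ("2012-10-03T02:00:00", "2012-10-03T08:00:00", "scheduled"),  # 360 min maintenance window
    ("2012-10-11T14:10:00", "2012-10-11T15:25:00", "unplanned"),  # 75 min
    ("2012-10-22T09:00:00", "2012-10-22T09:20:00", "unplanned"),  # 20 min
]

# Hypothetical credit schedule: (minimum availability %, credit as % of monthly fee).
# Checked in order; the first tier whose minimum is met applies.
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]

# Measurement period assumed to be one calendar month (October 2012 = 44,640 minutes).
PERIOD_START = datetime(2012, 10, 1)
PERIOD_END = datetime(2012, 11, 1)  # exclusive


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def period_minutes(start, end):
    return (end - start).total_seconds() / 60


def allowed_downtime_minutes(sla_pct, start, end):
    """Minutes of downtime an SLA percentage permits over the measurement period."""
    return period_minutes(start, end) * (1 - sla_pct / 100)


def measured_downtime_minutes(outages, start, end, exclude_scheduled=True):
    """Sum outage minutes that fall inside the period, clipping outages that straddle its edges."""
    down = 0.0
    for raw_start, raw_end, kind in outages:
        if exclude_scheduled and kind == "scheduled":
            continue
        s = max(parse_ts(raw_start), start)
        e = min(parse_ts(raw_end), end)
        if e > s:
            down += (e - s).total_seconds() / 60
    return down


def measured_availability_pct(outages, start, end, exclude_scheduled=True):
    down = measured_downtime_minutes(outages, start, end, exclude_scheduled)
    return 100 * (1 - down / period_minutes(start, end))


def credit_pct(availability_pct, tiers=CREDIT_TIERS):
    for minimum, credit in tiers:
        if availability_pct >= minimum:
            return credit
    return tiers[-1][1]


def evaluate(sla_pct, outages, start, end, exclude_scheduled=True):
    """Return (availability %, downtime minutes, allowed downtime minutes, credit %)."""
    down = measured_downtime_minutes(outages, start, end, exclude_scheduled)
    avail = measured_availability_pct(outages, start, end, exclude_scheduled)
    return avail, down, allowed_downtime_minutes(sla_pct, start, end), credit_pct(avail)


if __name__ == "__main__":
    for exclude in (True, False):
        avail, down, allowed, credit = evaluate(99.9, OUTAGES, PERIOD_START, PERIOD_END, exclude)
        label = "excluding" if exclude else "including"
        print(f"{label} scheduled maintenance: {avail:.3f}% available, "
              f"{down:.0f} min down vs {allowed:.2f} min allowed, credit {credit}%")
```

With maintenance excluded the month measures about 99.79% (95 minutes down against 44.64 allowed), which under the assumed schedule is a 10% credit; counting the maintenance window as well drops it below 99.0% and into the 25% tier. A monthly versus annual measurement period shifts the allowed-downtime budget in the same way, so the period, the exclusions and the credit schedule all belong in the contract review.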
19. Performance Management
Can the cloud platform meet your performance
requirements?
• What is the cloud platform architecture?
– How does it align to your existing investments and skill
sets?
– Does it support high capacity and performance?
• High network throughput
• High IOPS
– Can it scale quickly with existing architecture and
capacity?
• Is there an SLA for performance metrics?
20. Support Options and Other
Services
How is support offered for ongoing issues?
• Voice
• Electronic
• Portal
What other services are available?
• Implementation and migration services
• Can you colocate dedicated infrastructure?
– Can you integrate into the cloud services?
• Can you directly connect (private connectivity)
into the cloud services?
• Are other managed services available?
21. Contracting
What are the important contractual terms to be
aware of?
• Term of contract
– Month to month vs. longer commitments
• Costs and cost escalators
• SLAs
– What do they cover and how are they measured?
• Data ownership
22. More contracting
What guarantees the Cloud provider meets their
obligations?
• Key controls to strive for:
– Rights to audit and mitigate
– Security incident notification
– Retention and electronic discovery
– Human resource practices
– Business continuity and disaster recovery
– Liability insurance
• IMPORTANT: Does the cloud provider have the
resources to back their contract?
23. How to get started?
• Big Bang
• Evolve
• Public vs. Private vs. Hybrid
• Data migration
• Assign internal ownership for managing the
relationship
• Develop strong competencies in sourcing
management
24. In Closing
• Is the cloud ready for enterprise
applications?
– Yes, if providers are carefully evaluated and
contracts are carefully structured.
• Has cloud passed you by?
– No. Just entering the maturation stage.
• Will the cloud save me money?
– It depends.
– How much value do you put on flexibility and
speed?
– Apples vs. oranges
Editor's Notes
Bill and I may disagree on some points. That is good and healthy, and disagreement brings certain issues to forefront to be addressed.
When we were evaluating speakers, one of them would not call our cloud offering a cloud because in our first phase we did not bill hourly. It is a simple switch we can throw in our software, but we do not view that as compelling for production IT.
Going to break another PPT “rule”: going to read (and print) 2 key takeaways.
Estimated time to maturity supports the stage of IaaS in the Gartner trough of disillusionment. Also indicates that if your organization has not done anything with IaaS, you are not behind.
Important sidebar: Will you save money?
• Depends on how you measure
• Depends on what you measure
• Depends on your current IT investments, staffing models, business plans, etc.
KEY: Depends on how much you value flexibility!
Legacy infrastructure. Legacy staffing models. Shrink time to deployment.
Let me expand on the top line of the previous “motivations” graph. In short, cloud drives top-line growth from:
● Improved business speed, reach, and scalability, with faster provisioning
● New services innovation, transforming IT from a cost center to an enabler of business and competitive advantages
● Competitive differentiation through adoption of new capabilities such as mobility and video
● Improved business resiliency through better uptime
These roughly fall into the following categories:
• Security and Compliance
• Availability and Performance
• Contracting and Ongoing Management
THE MAJOR FOCUS AREA. AND IT SHOULD BE.
• Security shouldn’t force you to avoid the cloud
• Security can force you to address the issues you’ve avoided
• Exclusive focus on IT security (e.g. firewalls, anti-virus, encryption) overlooks people and process
• Defense in depth: layers of control with permission to fail
• Programmatic approach: security isn’t just the IT guys’ problem
• Role management: make sure both parties understand their obligations
• Transfer responsibility, not accountability
Make sure you understand how the cloud environment is physically secured
• Look for multiple layers of access control to gain access to cloud infrastructure
– People traps, tailgating sensors to restrict improperly escorted access
– Combination of something you have (e.g. proximity card) and something you are (e.g. fingerprint)
• Understand the electrical and cooling capabilities of the facilities
– Know how the provider delivers electrical service redundancy
– Ask the provider to explain their philosophy on cooling
• Ensure provider has appropriate controls to monitor physical access to equipment
– Camera placement at ingress/egress, visibility of equipment
– Retention of video recordings based on your requirements (e.g. 180d, 1y, 2y)
• Verify whether your cloud provider owns the facility, rents it, or simply is one of several organizations located within
– Make sure provider is separated from other organizations, physically and logically
– Provider’s policy on colocation of your equipment
Network security controls are the foundational set of logical or technical controls
• Make sure the provider views network security the same way you do; adjust your expectations where necessary
• How are firewall services provided?
– Shared or dedicated
– Physical or virtual
– Number of layers or segmentation
• How is network-based IDS/IPS handled?
– Internal or external
– Types of events (e.g. inbound, outbound or both)
– Frequency of signature updates and/or tuning
• How is remote connectivity supplied?
– Site to site, remote access or both
– Strong mechanisms for encryption
– Connectivity to business partners
– Connectivity to the provider’s other services
• Know what services are and are not included
– Denial of service protection
– Load balancing, SSL acceleration
• Cloud provider is always responsible for securing the hypervisor
• Cloud provider may or may not be responsible for the OS, even in an IaaS model
– Make sure OS management responsibilities are clearly defined and have SLAs established
– Identify escalation mechanisms to ensure finger pointing does not become a road block
– Look for complementary support models
• Make sure you know how your data is:
– Stored in relation to other customers’ data
– Purged or removed when you no longer need it. Is there a decommissioning process? Or is it just returned to storage pools?
• If there are any doubts, encrypt the file system; retain key management
Managing the potential threats to your data and services is a joint effort with the provider
• Combination of oversight and operations
• Identify capabilities provided by the provider by default and as optional services
– Leverage the cloud provider where you can and integrate where you must
• Cloud provider should have capabilities to collect log data and identify security events
• Verify how the cloud provider monitors the configuration of the environment
• Know whether you can conduct vulnerability and/or penetration testing
– Varies by provider and by model (e.g. SaaS, IaaS)
• Ensure the provider has procedures for responding to security incidents and conducting root cause analysis (e.g. digital forensic capabilities)
Select providers who undergo independent review of their security controls
• AICPA (American Institute of Certified Public Accountants)
– SOC 1 recommended for controls around financial processing
– SOC 2 recommended and going forward (2013 or 2014)
• Consider attestations for the cloud provider which relate to your line of business or industry
– PCI DSS
– ISO 27001
• Establish your own framework to audit cloud providers
– Draw from existing assessment/audit materials
– Leverage CSA STAR (Security, Trust and Assurance Registry): https://cloudsecurityalliance.org/star/
– Leverage current regulatory frameworks
• Assess the cloud provider regularly; focus on key areas
Understand how cloud providers meet specific sections of regulatory and pseudo-regulatory requirements your organization faces
• Assessment and commitment
– Review your provider’s controls for alignment with your compliance requirements
– Acquire contractual commitments on compliance requirements from providers
• Verify which of the following your organization must comply with and how the provider addresses them:
– HIPAA
– HITECH
– GLBA
– FISMA
– PCI DSS
– EU Data Protection Directive
This is an evolving area, but is especially important for enterprise apps. Especially the SLAs.
Don’t gloss over support. Who can you reach, when, and how, when you are having issues?
Term can be a two-edged sword. Month to month means:
• Prices can go up and down
• Likely to be more expensive than some level of commitment
• Capacity is only guaranteed for the term of your contract.
Audit rights
• How often?
• How much notice?
• Against what standards/frameworks?
• How are findings remediated?
• Does auditing allow you to conduct vulnerability assessments and penetration tests?
Incident notification
• How quickly are you notified?
• How does the provider handle notification of the media, law enforcement and your customers?
Retention
• How do you ensure data is retained in the event of a litigation hold, and what does it cost?
• What does the provider do to destroy data that you have decommissioned?
Human resources
• What type of background checks and screens are performed?
• How does the provider terminate access when it is no longer required?
BCP/DR
• Who is responsible for resumption of your operations at another location?
• What does the provider have in place to support you in the event of their own disaster?
Insurance
• Does the provider have insurance to cover your losses based on the indemnification you’ve worked out with them?
• Does the carrier agree to provide coverage based on the nature of the insurance (general liability vs. e-commerce)?
Don’t rely on contract breach as the only remediation; once you are there, it costs you more than them to move
• Establish SLAs around security and controls
• Attach financial penalties