On-Premises vs. Cloud Data Centre Cost Comparison

Additional On-Premises and Cloud-Based Data Centre Cost
Considerations
For determining data centre costs, the following cost
components would normally be considered –
1. For on-premises data centres:
A - Server costs
B - Storage costs
C - Network costs
D - Infrastructure software costs
E - Operational support personnel costs
F - Platform costs
G - Software maintenance costs (package software) including
back-up and archive costs
H - Backup and archive costs
I - Disaster recovery costs
J - Data centre infrastructure costs
K - Software maintenance costs (in-house software)
L - Help desk support costs
The total ownership cost (TOC) for a private on-premises data
centre is additive for the parameters –
TOC = A + B + C + D + E + F + G + H + I + J + K + L
2. For hybrid cloud-based data centres:

ABC - Data centre infrastructure costs (including server,
storage and network)
D - Operational support personnel costs will decrease for
private cloud data centre
E - Infrastructure software costs
F - Platform cost
G - Software maintenance costs (package software)
P - Management, of hybrid cloud and on-premises system
Q - Data transfer from premises to an application in a public
cloud
R - Storage costs for working data and for long-term storage
S - Customisation costs for applications to work effectively on
the cloud
T - Integration costs between off-premises and on-premises
applications
U - Platform compliance and certification costs:
The total ownership cost (TOC) for a hybrid private cloud with
on-premises data centre is similarly
additive for the parameters –
TOC = ABC + D + E + F + G + P + Q + R + S + T + U
The table below elaborates further on each of the cost
components and indicates whether they are
costs more applicable for private or public cloud schemes –

Cost Component Details For Private or
Public cloud
systems
Private Public
Data centre
infrastructure costs
(ABC)
These costs will typically remain the same for hybrid
cloud schemes. The floor space in the data centre will not
be reduced by the removal of a few servers and cooling
costs will not change much either.
X
Operational support
personnel costs (D)
Set by the cost of support staff – For cloud schemes
these are smaller. Staff effort freed from data centre
maintenance will be allocated to management of cloud-
based services.
X
Infrastructure
software costs (E)
This will still need infrastructure management software
even after moving part of workloads to the cloud.
X

Platform costs (F) For some application platforms, there is the
need to
maintain corresponding licenses to run applications in the
cloud.
X X
Software
maintenance costs
(package software)
(G)
This can be calculated for packaged software, in
particular if it is tied to processor pricing, but it may be
difficult to approximate it to the cloud, where CPU
performance is virtualised and elastic. The software
license can be region-specific, but cloud services may
run globally.
X X
Management (P) Multiple environments – on-premises, in
private cloud
and on one, if not multiple, public clouds. People,
processes and software can help with management, but
they each have their own costs involved.
X X

Data transfer (Q) Costs are involved with transferring data from
your
premises to an application in a public cloud. This
includes the fee to initially move your data to the
cloud, access and/or move data from the cloud.
X
Customisation costs
(R)
This applies if migrating an application to the public cloud
that was on premises.
X X
Integration costs (S) In a hybrid model, it is possible to
integrate various
applications.
X X
Data storage costs
(T)
As data and workloads are moved to a hybrid cloud, more
long-term planning is needed.
storage costs.
X X

Compliance costs
(U)
Compliance
(external or
internal)
Can be an increased cost when using the cloud. This is
in addition to the existing on-premises audits.
Compliance requirements might come from several
sources:
• Vendors and partners: An example would be
credit card companies requiring companies who
accept credit cards to comply with the Payment
Card Industry Data Security Standard (PCI
DSS).
• Customers: Customers may require production
of reports to prove various compliance
requirements.
• Governmental bodies: Such organisations
may need to comply with local, national or
international compliance standards. These

include Health Insurance Portability and
Accountability Act (HIPAA) and Sarbanes-
Oxley (SOX),
• Internal compliance: The organisation may
have established its own compliance
requirements.
X X
Table 1: Hybrid Cloud Cost Components
We can give specific cost estimates –
Traditional on-premises data centre costs:
The cost of running a traditional data centre for a medium-to-
large-size company is estimated
between USD $15 million and $25 million, where the costs
breakdown is as follows –
• 42 per cent of costs for: Hardware, software, disaster recovery
arrangements, uninterrupted
power supplies and networking. The costs are amortised or
spread over time, because they are a
combination of capital expenditures and regular payments.
• 58 per cent of costs for: Heating, air conditioning, property
and sales taxes and labour costs. (In
fact, as much as 40 per cent of annual costs are for labour

alone.)
Hybrid cloud-based data centre costs:
For hybrid cloud-based data centres, the following cost factors
are at play, with percent breakdowns
as shown:
• Labour costs – estimated as 6 per cent of the total costs of
operating the cloud data centre
• Power and cooling costs – estimated at 20 per cent
• Computing costs – estimated at 48 per cent
The cost of running a hybrid cloud-based data centre for a
medium-size company is quite variable,
depending on the CSP, the balance between on-premises/cloud
activity and the way the cloud
infrastructure is configured. Rough estimates would put the
figure for a mature hybrid cloud-based
data centre at somewhere between USD $5 million and $15
million, which is significantly less than
the on-premises data centre cost.
There are a variety of online cloud cost calculator tools that are
available for companies wishing to
estimate the comparative costs of having their data centre in the
cloud (e.g. Plan-Cloud – url:
http://www.planforcloud.com/ and its present replacement –
RightScale Optima). The projections

can be carried out for when cloud services are provided by
Amazon AWS, Microsoft Azure, Google
Cloud Services and other CSPs. AWS and other leading CSPs
also provide similar cloud cost
estimation tools.
Finally, the figure below provides a graphical comparison of
TOC (Total-Ownership-Cost) breakdowns
for different cloud deployment models –
Figure 1: TOC (Total-Ownership-Cost) breakdown for different
cloud deployment models
(Available from VMware Report)
http://www.planforcloud.com/Additional On-Premises and
Cloud-Based Data Centre Cost ConsiderationsTOC = A + B + C
+ D + E + F + G + H + I + J + K + LTOC = ABC + D + E + F +
G + P + Q + R + S + T + UTraditional on-premises data centre
costs:Hybrid cloud-based data centre costs:
Reference Notes – Additional AWS Cloud Management Tools
and Services
As part of the process of managing compliant and secure cloud
systems, AWS provides a number of
useful tools and services. The attributes of the prime ones are
outlined in the sections that follow.

For a fuller treatment of these tools or services, you should
refer to the AWS User Guides.
AWS CloudFront:
CloudFront is a global Content Delivery Network (CDN)
service. It integrates with other AWS
products to give developers and businesses an easy way to
distribute content to end users with low
latency, high data transfer speeds and no minimum usage
commitments.
A Content Delivery Network (CDN) is a globally distributed
network of caching servers that speed up
the downloading of web pages and other content. CDNs use
Domain Name System (DNS) geo-
location to determine the geographic location of each request
for a web page or other content, then
they serve that content from edge caching servers closest to that
location instead of the original web
server. CDNs allow organisations to increase the scalability of
their websites or mobile applications
easily in response to peak traffic spikes.
Figure 1: Sample CloudFront Delivery-to-Edge Location Flows

In most cases, using a CDN is completely transparent – end
users simply experience better website
performance, while the load on the organisation’s original
website is reduced. Amazon CloudFront is
AWS’ CDN. It can be used to deliver web content using
Amazon’s global network of edge locations.
When a user requests content that is being served with Amazon
CloudFront, the user is routed to
the edge location that provides the lowest latency (time delay),
so content is delivered with the best
possible performance. If the content is already in the edge
location with the lowest latency, Amazon
CloudFront delivers it immediately.
If the content is not currently in that edge location, Amazon
CloudFront retrieves it from the origin
server, such as an Amazon Simple Storage Service (Amazon S3)
bucket or a web server, which stores
the original, definitive versions of the files. Amazon
CloudFront is optimised to work with other AWS
cloud services as the origin server, including Amazon S3
buckets, Amazon S3 static websites, Amazon

Elastic Compute Cloud (Amazon EC2) and Elastic Load
Balancing. Amazon CloudFront works
seamlessly with any non-AWS origin server, such as an existing
on-premises web server.
Figure 2: Sample CloudFront Edge Location Flows
Amazon CloudFront also integrates with Amazon Route 53.
Amazon CloudFront supports all content
that can be served over HTTP or HTTPS. This includes any
popular static files that are a part of web
applications, such as HTML files, images, JavaScript and CSS
files, and also audio, video, media files
or software downloads. Amazon CloudFront also supports
serving dynamic web pages, so it can
actually be used to deliver entire websites. Finally, Amazon
CloudFront supports media streaming,
using both HTTP and RTMP.
AWS Storage Gateway:
AWS Storage Gateway is a service connecting an on-premises

software appliance with cloud-based
storage to provide seamless and secure integration between an
organisation’s on-premises IT
environment and AWS storage infrastructure. The service
enables one to store data securely on the
AWS cloud in a scalable and cost-effective manner.
AWS Storage Gateway supports industry-standard storage
protocols that work with the
organisation’s existing applications. It provides low-latency
performance by caching frequently
accessed data on-premises while encrypting and storing all of
the data in Amazon S3 or Amazon
Glacier.
Figure 3: AWS Storage Gateway Scheme Components
AWS Storage Gateway’s software appliance is available for
download as a Virtual Machine (VM)
image that one installs on a host in the data center and then
registers with the site’s AWS account
through the AWS Management Console. The storage associated
with the appliance is exposed as an
iSCSI device that can be mounted by the organisation’s on-
premises applications.

There are three configurations for AWS Storage Gateway:
Gateway-Cached volumes, Gateway-
Stored volumes, and Gateway-Virtual Tape Libraries (VTL).
Gateway-Cached volumes allow expansion of local storage
capacity into Amazon S3. All data stored
on a Gateway-Cached volume is moved to Amazon S3, while
recently read data is retained in local
storage to provide low-latency access. While each volume is
limited to a maximum size of 32TB, a
single gateway can support up to 32 volumes for a maximum
storage of 1 PB. Point-in-time
snapshots can be taken to back up the AWS Storage Gateway.
These snapshots are performed incrementally, and only the data
that has changed since the last
snapshot is stored. All Gateway-Cached volume data and
snapshot data is transferred to Amazon S3
over encrypted Secure Sockets Layer (SSL) connections. It is
encrypted at rest in Amazon S3 using
Server-Side Encryption (SSE). However, the data cannot be
directly accessed with the Amazon S3 API
or other tools such as the Amazon S3 console; instead it must be
accessed through the AWS Storage
Gateway service.

Gateway-Stored volumes allow storage of data on the
organisation’s on-premises storage. The
stored data is then asynchronously backed up to Amazon S3.
This provides low-latency access to all
data, while also providing off-site backups taking advantage of
the durability of Amazon S3. The data
is backed up in the form of Amazon Elastic Block Store
(Amazon EBS) snapshots. While each volume
is limited to a maximum size of 16TB, a single gateway can
support up to 32 volumes for a maximum
storage of 512TB.
Gateway Virtual Tape Libraries (VTLs) offer a durable, cost-
effective solution to archive the
organisation’s data on the AWS cloud. The VTL interface
allows leveraging of existing tape-based
backup application infrastructure to store data on virtual tape
cartridges that are created on the
Gateway-VTL. A virtual tape is analogous to a physical tape
cartridge, except the data is stored on
the AWS cloud. Tapes are created blank through the console or
programmatically and then filled

with backed up data. A gateway can contain up to 1,500 tapes (1
PB) of total tape data.
Virtual tapes appear in the organisation’s gateway’s VTL, a
virtualised version of a physical tape
library. Virtual tapes are discovered by the backup application
using its standard media inventory
procedure. When the tape software ejects a tape, it is archived
on a Virtual Tape Shelf (VTS) and
stored in Amazon Glacier. A site is allowed 1 VTS per AWS
region, but multiple gateways in the same
region can share a VTS.
AWS CloudTrail:
AWS CloudTrail provides visibility into user activity by
recording API calls made on the organisation’s
account. AWS CloudTrail records important information about
each API call, including the name of
the API, the identity of the caller, the time of the API call, the
request parameters and the response
elements returned by the AWS service. This information helps
the organisation to track changes
made to AWS resources and to troubleshoot operational issues.
AWS CloudTrail makes it easier to ensure compliance with
internal policies and regulatory standards.

It captures AWS API calls and related events made by or on
behalf of an AWS account and delivers
log files to an Amazon S3 bucket that is pre-specified.
Optionally, one can configure AWS CloudTrail
to deliver events to a log group monitored by Amazon
CloudWatch Logs.
One can also choose to receive Amazon Simple Notification
Service (Amazon SNS) notifications each
time a log file is delivered to a specified bucket. One can create
a trail with the AWS CloudTrail
console, the AWS Command Line Interface (CLI) or the AWS
CloudTrail API. A trail is a configuration
that enables logging of the AWS API activity and related events
in the organisation’s account.
AWS CloudTrail typically delivers log files within 15 minutes
of an API call. In addition, the service
publishes new log files multiple times an hour, usually about
every five minutes. These log files
contain API calls from all of the account’s services that support
AWS CloudTrail.
AWS Kinesis:

Kinesis is a platform for handling massive streaming data on
AWS, offering services to make it easier
to load and analyse streaming data and also providing the
ability for one to build custom streaming
data applications for specialised needs. It has similar
functionality to Apache-Hadoop Kafka and
Storm.
Figure 4: AWS Kinesis Data Streams High-Level Architecture
Amazon Kinesis is a streaming data platform consisting of three
services addressing different real-
time streaming data challenges:
1. Kinesis Firehose: A service enabling the loading of massive
volumes of streaming data into AWS.
Kinesis Firehose receives stream data and stores it in Amazon
S3, Amazon Redshift or Amazon
Elasticsearch. One does not need to write any code – the client
just creates a delivery stream
and configures the destination for the data. Clients write data to
the stream using an AWS API
call, and the data is automatically sent to the proper destination.

2. Kinesis Streams: A service enabling the building of custom
applications for more complex
analysis of streaming data in real time. Kinesis Streams enables
one to collect and process large
streams of data records in real time. Using AWS SDKs, one can
create an Amazon Kinesis Streams
application that processes the data as it moves through the
stream. Because response time for
data intake and processing is in near real time, the processing is
typically lightweight. Amazon
Kinesis Streams can scale to support nearly limitless data
streams by distributing incoming data
across a number of shards. If any shard becomes too busy, it can
be further divided into more
shards to distribute the load further. The processing is then
executed on consumers, which read
data from the shards and run the Amazon Kinesis Streams
application.
3. Kinesis Analytics: A service enabling analysis of streaming
data real time with standard SQL.
Each of these services can scale to handle virtually limitless
data streams.

AWS Elastic MapReduce (EMR):
EMS provides the organisation with a fully managed, on-
demand Hadoop framework. Amazon EMR
reduces the complexity and up-front costs of setting up Hadoop
and, combined with the scale of
AWS, gives the ability to spin up large Hadoop clusters
instantly and start processing within minutes.
When an AWS EMR cluster is launched, several options are
specified, the key ones being:
• The instance type of the nodes in the cluster
• The number of nodes in the cluster
• The version of Hadoop to be run (EMR supports several recent
versions of Apache Hadoop and
also several versions of MapReduce.)
• Additional tools or applications like Hive, Pig, Spark or Kafka
Figure 5: Typical EMR Cluster Master-Slave Node Layout
AWS EMR data can be stored in HDFS (Hadoop Distributed
Filesystem) or EMRFS (EMR File System).
EMRFS allows the data to be held in lower-cost Amazon S3
storage.
We will discuss more fully the attributes and operational

features of the Hadoop cluster and
supporting ecosystem in the Big Data Module.
AWS CloudFormation:
AWS CloudFormation is a service that helps one model and set
up AWS resources so that the
organisation can spend less time managing those resources and
more time focusing on the
applications that run in AWS. AWS CloudFormation allows
organisations to deploy, modify and
update resources in a controlled and predictable way, in effect
applying version control to AWS
infrastructure the same way one would do with software.
AWS CloudFormation gives developers and systems
administrators an easy way to create and
manage a collection of related AWS resources, provisioning and
updating them in an orderly and
predictable fashion. When AWS CloudFormation is used, cloud
administrators work with templates
and stacks. They create AWS CloudFormation templates to
define AWS resources and their

properties. A template is a text file whose format complies with
the JSON standard. AWS
CloudFormation uses these templates as blueprints for building
the organisations’s AWS resources.
When AWS CloudFormation is used, cloud administrators
manage related resources as a single unit
called a stack. They create, update and delete a collection of
resources by creating, updating and
deleting stacks. All of the resources in a stack are defined by
the stack’s AWS CloudFormation
template.
Figure 6: AWS CloudFormation Workflow
For example, one may set up a template that includes an Auto
Scaling group, Elastic Load Balancing
load balancer and an Amazon RDS database instance. To create
those resources, it will be necessary
to create a stack by submitting a template that defines those
resources, and AWS CloudFormation
handles all of the provisioning based on this.
After all the resources have been created, AWS CloudFormation
reports that the stack has been
created. One can then start using the resources in the stack. If
stack creation fails, AWS

CloudFormation rolls back the changes by deleting the
resources that it created. Often one will need
to launch stacks from the same template, but with minor
variations, such as within a different
Amazon VPC or using AMIs from a different region.
These variations can be addressed using parameters. One can
use parameters to customise aspects
of the template at runtime, when the stack is built. For example,
one can pass the Amazon RDS
database size, EC2 instance types, database and web server port
numbers to AWS CloudFormation
when the stack is being created. By leveraging template
parameters, one can use a single template
for many infrastructure deployments with different
configuration values.
AWS provides an extensive library of sample templates, which
cloud administrators and developers
can use as desired (viewable at url:
https://aws.amazon.com/cloudformation/aws-cloudformation-
templates/). The figure below shows CloudFormation template
library items for creating a variety of
VPCs –

Amazon Virtual Private Cloud
Template Name Description View View in
Designer
A single Amazon EC2 in an Amazon VPC Creates a VPC and
adds an Amazon EC2 instance
with an Elastic IP address and a security group.
View View in
Designer
Amazon VPC with static routing to an
existing VPN
Creates a private subnet with a VPN connection that
uses static routing to an existing VPN endpoint.
View View in
Designer
Autoscaling and load-balancing website
in an Amazon VPC
Creates a load balancing, auto scaling sample
website in an existing VPC.

View View in
Designer
Amazon VPC with DNS and public IP
addresses
Creates a VPC with DNS support and public IP
addresses enabled.
View View in
Designer
Publicly accessible Amazon EC2
instances that are in an Auto Scaling
group
Creates a load balancing, autoscaling group with
instances that are directly accessible from the
Internet.
View View in
Designer
Amazon EC2 with multiple dynamic IP
addresses in an Amazon VPC

Creates an Amazon EC2 instance with multiple
dynamic IP addresses in a VPC.
View View in
Designer
Amazon EC2 with multiple static IP
addresses in an Amazon VPC
Creates an Amazon EC2 instance with multiple static
IP addresses in a VPC.
View View in
Designer
Table 7: AWS CloudFormation Sample Templates
https://s3-us-west-2.amazonaws.com/cloudformation-templates-
us-west-2/VPC_Single_Instance_In_Subnet.template
https://console.aws.amazon.com/cloudformation/designer/home?
region=us-west-2&templateURL=https://s3-us-west-
2.amazonaws.com/cloudformation-templates-us-west-
2/VPC_Single_Instance_In_Subnet.template
2/VPC_Single_Instance_In_Subnet.template
us-west-2/VPC_With_VPN_Connection.template

2/VPC_With_VPN_Connection.template
2/VPC_With_VPN_Connection.template
us-west-2/VPC_AutoScaling_and_ElasticLoadBalancer.template
2/VPC_AutoScaling_and_ElasticLoadBalancer.template
2/VPC_AutoScaling_and_ElasticLoadBalancer.template
us-west-2/VPC_With_PublicIPs_And_DNS.template
2/VPC_With_PublicIPs_And_DNS.template
2/VPC_With_PublicIPs_And_DNS.template
us-west-2/VPC_AutoScaling_With_Public_IPs.template
2/VPC_AutoScaling_With_Public_IPs.template

2/VPC_AutoScaling_With_Public_IPs.template
us-west-
2/VPC_EC2_Instance_With_Multiple_Dynamic_IPAddresses.te
mplate
mplate
mplate
us-west-
2/VPC_EC2_Instance_With_Multiple_Static_IPAddresses.templ
ate
ate
ate
AWS Elastic Beanstalk:
AWS Elastic Beanstalk is the fastest and simplest way to get an
application up and running on AWS.

Developers can simply upload their application code, and the
service automatically handles all of the
details, such as resource provisioning, load balancing, Auto
Scaling and monitoring.
Figure 8: AWS Elastic Beanstalk Multi-Programming Language
Support
AWS comprises dozens of building block services, each of
which exposes an area of functionality.
While the variety of services offers flexibility for how
organisations want to manage their AWS
infrastructure, it can be challenging to figure out which services
to use and how to provision them.
With AWS Elastic Beanstalk, one can quickly deploy and
manage applications on the AWS cloud
without worrying about the infrastructure that runs those
applications. AWS Elastic Beanstalk
reduces management complexity without restricting choice or
control.
There are key components that comprise AWS Elastic Beanstalk
and work together to provide the
necessary services to deploy and manage applications easily in
the cloud. An AWS Elastic Beanstalk
application is the logical collection of these AWS Elastic

Beanstalk components, which includes
environments, versions and environment configurations. In
AWS Elastic Beanstalk, an application is
conceptually similar to a folder.
An application version refers to a specific, labeled iteration of
deployable code for a web application.
An application version points to an Amazon S3 object that
contains the deployable code.
Applications can have many versions, and each application
version is unique. In a running
environment, organisations can deploy any application version
they already uploaded to the
application, or they can upload and immediately deploy a new
application version.
Organisations might upload multiple application versions to test
differences between one version of
their web application and another. An environment is an
application version that is deployed onto
AWS resources. Each environment runs only a single
application version at a time; however, the
same version or different versions can run in as many
environments at the same time as needed.
When an environment is created, AWS Elastic Beanstalk
provisions the resources needed to run the

application version that is specified.
An environment configuration identifies a collection of
parameters and settings that define how an
environment and its associated resources behave. When an
environment’s configuration settings are
updated, AWS Elastic Beanstalk automatically applies the
changes to existing resources or deletes
and deploys new resources depending on the type of change.
When an AWS Elastic Beanstalk environment is launched, the
environment tier, platform and
environment type are specified. The environment tier that is
chosen determines whether AWS
Elastic Beanstalk provisions resources to support a web
application that handles HTTP(S) requests or
an application that handles background-processing tasks.
An environment tier whose web application processes web
requests is known as a web server tier.
An environment tier whose application runs background jobs is
known as a worker tier. Currently,
AWS Elastic Beanstalk provides platform support for the

programming languages Java, Node.js, PHP,
Python, Ruby and Go with support for the web containers
Tomcat, Passenger, Puma and Docker.
AWS Config:
AWS Config is a fully managed service that provides cloud
administrators with an AWS resource
inventory, configuration history and configuration change
notifications to enable security and
governance. With AWS Config, one can discover existing and
deleted AWS resources, determine the
organisation’s overall compliance against rules and delve into
configuration details of a resource at
any point in time.
Figure 9: AWS Config Workflow
These capabilities enable compliance auditing, security
analysis, resource change tracking and
troubleshooting. AWS Config provides a detailed view of the
configuration of AWS resources in the
AWS account. This includes how the resources are related and
how they were configured in the past
so that one can see how the configurations and relationships
change over time. AWS Config defines

a resource as an entity that works within AWS, such as an
Amazon EC2 instance, an Amazon EBS
volume, a security group or an Amazon VPC.
When one turns on AWS Config, it first discovers the supported
AWS resources that exist in the
account and generates a configuration item for each resource. A
configuration item represents a
point-in-time view of the various attributes of a supported AWS
resource that exists in one’s
account. The components of a configuration item include
metadata, attributes, relationships,
current configuration and related events. AWS Config will
generate configuration items when the
configuration of a resource changes, and it maintains historical
records of the configuration items of
the resources from the time one starts the configuration
recorder. The configuration recorder stores
the configurations of the supported resources in the account as
configuration items.
By default, AWS Config creates configuration items for every
supported resource in the region. If it is
not wanted to have AWS Config create configuration items for

all supported resources, one can
specify the resource types to be tracked.
Organisations often need to assess the overall compliance and
risk status from a configuration
perspective, view compliance trends over time and pinpoint
which configuration change caused a
resource to drift out of compliance. An AWS Config Rule
represents desired configuration settings
for specific AWS resources or for an entire AWS account.
While AWS Config continuously tracks the
resource configuration changes, it checks whether these changes
violate any of the conditions in the
organisation’s rules.
If a resource violates a rule, AWS Config flags the resource and
the rule as noncompliant and notifies
the administrators through Amazon SNS. AWS Config makes it
easy to track resource configuration
without the need for up-front investments and while avoiding
the complexity of installing and
updating agents for data collection or maintaining large
databases. Once AWS Config is enabled,
organisations can view continuously updated details of all
configuration attributes associated with

AWS resources.
Reference Notes – Additional AWS Cloud Management Tools
and ServicesAmazon Virtual Private Cloud
Business Agility and
the True Economics
of Cloud Computing
B u s i n e s s W H i T e P A P e R
W H i T e P A P e R / 2
Business Agility and the True
Economics of Cloud Computing
Executive Summary
New groundbreaking global survey findings demonstrate
the true value of cloud computing to the business. While it is
understood in the industry that cloud computing provides
clear cost benefits, CIOs are having difficulty getting a true fix
on the business value that cloud might offer beyond cost
reduction. These survey results reveal a direct link between
cloud computing and business agility—how business outcomes
are associated with agility, the role of IT for agile companies
and the importance of cloud computing to business leaders.
Rebalancing the IT Equation
What drives IT in your organization—cost or agility? In
economics, it is a supply-and-demand equation. Within the IT
organization, it is a cost-agility equation with most discussions
today focused on cost controls rather than the greater potential

benefit—business agility. We hear “How much capital and
operational expense can I cut with cloud?” more often than
we hear “How will cloud improve revenue or my company’s
competitiveness?” Yet business decision makers outside of
the IT organization have a different perspective.
In a newly released business-agility survey, corporate decision
makers linked cloud computing directly to business agility. This
data is helpful in reevaluating the IT cost-agility equation,
looking at cloud approaches and reframing assessments of IT’s
value to the enterprise. It shows that the hype around cloud
computing is maturing into facts about what cloud can really
deliver to both IT and the business. Game-changing CIOs think
business transformation first, then how technology enables it.
They are the ones strategizing with their CEOs and other
business leaders to look beyond simple cost calculations to
the business agility that cloud computing can enable.
Defining Business Agility
Business agility is the ability of a business to adapt rapidly
and cost-efficiently in response to changes in the business
environment. According to McKinsey & Company, the leading
global management consulting firm, the benefits of agility
include
faster revenue growth, greater and more lasting cost reduction,
and more effective management of risks and reputational
threats.
Direct Link from Cloud to Business Agility
Forward-thinking CIOs are deploying cloud computing as a
strategic
weapon—not just for IT, but to enable full business
transformation,
eventually changing how they operate their business.

In a couple of years, many companies will talk about how
cloud helped them create a much tighter connection between
IT transformation and business transformation. That will be the
win in this cloud era.
Figure 1. Corporate decision makers linked cloud computing
directly to business agility in a recent survey.
The survey results show:
• More than 80 percent of respondents agree
that agility is
moderately or more than moderately linked to improving
corporate revenue, cost and risk profiles, with 66 percent
identifying business agility as a priority.
• “Extremely agile,” companies outperform
others across all
business-agility dimensions, particularly “recognizing shifts
in customer trends/demand,“ “launching new products or
functionalities,” “managing the execution of programs” and
“scaling resources in order to meet demand.”
Agility Critical to Achieving Key Business Outcomes
In February 2011, 600 corporate decision makers
participated
in a business-agility survey conducted for VMware® by
independent

market-research firm AbsolutData. The majority of respondents
(67 percent) camefrom companies with more than 5,000
employees, while 30 percent had more than 30,000
employees. The respondents participated from around the
world—37 percent from the United States, 27 percent from
Europe and 36 percent from Asia—and from 18
different
industries. Sixty-two percent of those surveyed were in
business management and 38 percent in IT
management.
Figure 2. ‘Extremely agile’ companies perform better across all
business agility strengths. (Based on McKinsey & Company’s
Business Agility Framework.)
Strong Links Between IT Agility and Agile Companies
It is often difficult to tell whether companies are agile because
IT is agile, or whether an agile business culture already in the
company is influencing IT. Regardless of origins, leaders in
agile
companies understand the importance of tightly coupling
business agility and IT agility.
• ‘Extremely agile’ companies report IT is
one of their top
two agile business functions.

• Companies that are not agile report IT is
among the two least
agile of their business functions.
Cloud Computing Enabling IT Agility
For companies with agile IT functions, business and IT leaders
agree that infrastructure and technology are the primary
drivers of that agility. The survey shows that agile companies
that have already adopted enterprise-wide cloud deployments
are paving the way for their IT organizations to become more
responsive and flexible to the demands of the business. In
contrast, in companies with non-agile IT organizations, a
fundamental disconnect exists between what IT and business
stakeholders see as the problem: IT cites money and skill sets,
while business cites a lack of infrastructure and technology to
meet its needs.
• Nearly two-thirds(65 percent) of respondents
believe that
cloud computing plays a key role in increasing IT agility.
• Almost three-quarters (72 percent) of respondents
who
have already deployed cloud enterprise-wide believe
cloud
plays a key role in IT agility.
• The majority of survey respondents (65
percent) agree that
cloud computing could help their organizations maintain a
flexible architecture to support changes
Business Leaders Linking Cloud Directly
to Business Outcomes
Software as a service (SaaS) grew quickly in popularity because
of its ability to rapidly satisfy the needs of business users, not

CIOs
or IT teams. When line-of-business leaders had difficulty
getting
into IT’s priority queue, they went to the cloud for software
solutions. Now cloud is fulfilling its promise to be more than
just
SaaS, but also infrastructure as a service (IaaS) and platform as
a
service (PaaS), and business users are taking advantage of these
new capabilities and going around IT again. Line-of-business
leaders now have good alternatives, and they are choosing
them because their businesses demand greater agility.
Business Transformation Across Industries
The importance of agility strengths can be seen in
different industries:
Healthcare organizations are in the midst of a major
business transformation as they adopt electronic health
records (EHR/EMR) to reduce risk of accidental deaths
and lawsuits, and to improve patient engagement with
improved safety and quality of care. To support those
business requirements, IT undertakes an overall IT
modernization effort to safely accelerate the EHR/EMR
transition from manual paper-based file systems to
computerized physician order entry (CPOE), so digital
information can follow the patient. With cloud
computing, healthcare organizations gain on-demand and
cost-effective delivery of patient records to any clinician,
in any hospital, in any location, with greater reliability,
resiliency and security of patient information.
Similarly, governments, schools and other public-sector
entities are being mandated to transformtheir cost
structures. In addition, they must respond to risk and crisis,

supporting citizens and providing services for disasters and
unforeseen events such as H1/N1, and adapt to external
constraints (e.g., dynamic changes in policy and
budgets). To support agency needs, IT begins a
transition that will enable it to rapidly deliver and scale
citizen services, as well as efficiently adapt to the
changing demands of government. Cloud computing
provides a variety of agencies with a dynamic, secure
and compliant solution that dramatically reduces IT
services delivery time.
Around the world, retail banks are seeking to grow their
customer bases and revenue by delivering new mobile
services to market faster, so that end users have greater
control of their finances. IT is aligning with business’s
goals, getting business-critical, customer facing mobile
applications into production faster, so that customers can
access them sooner. IT is enabling the transformation
using a cloud computing approach. This includes a
compliant, secure and controlled test and development
environment that IT can leverage quickly to provide
production applications that end users can access on
any device, at any time, anywhere.
• Cloud can make the entire organization
more “business
agile” and “responsive,” according to 63 percent of
business leaders that responded.

• Companies with enterprise-wide deployments
believe cloud
can help achieve 10 percent greater business agility
outcomes,
such as key revenue growth and cost reduction.
• Companies with enterprise-wide cloud
deployments are
three times more likely to achieve business agility that is
“much better than the competition.”
Cloud Economics
With business agility established as the primary business
driver, the other half of the IT equation is cost. Virtualization—
the foundation for cloud—is well-documented to provide IT
cost savings. Funds can be redirected to IT innovation that
accelerates business, such as cloud.
Today, the availability of on-demand, inexpensive, self-service
computing capacity via public clouds is creating new
competition for internal IT organizations. Public cloud
providers
provide a pay-per-use model for IT and publish upfront rate
cards on using compute and storage resources. The cloud
industry rate card is so attractive that it is driving IT
organizations to try to improve services and service level
agreements (SLAs) at lower costs than those at which they
offer IT services today. In a sense, the public cloud has been a
wake-up call for IT organizations. They must now consider the
variety of cloud models—public, private and hybrid—with
different cost savings.
The beginning of the cloud era is the right time for IT to change
its own understanding and measurement of IT. This change is

long overdue, as many IT departments today do not know the
cost of IT for specific applications or line-of-business usage.
Costs are assumed to be “corporate taxes” spread across the
entire business. The cloud era dictates that IT departments will
have to become much more knowledgeable and accountable
for knowing, exact costs, allocation models, accurate
chargebacks, etc. This is an impossible task in an environment
of heterogeneous silos of technology.
Survey responses indicate that companies that hesitate to
embrace cloud because of perceived risks may actually be
hindering faster revenue growth, greater and more lasting
cost reduction, and more effective management of risks and
reputational threats. Looking ahead, many future business
leaders will be determined by how they embrace the cloud.
Figure 3. The majority of respondents agree that cloud can help
businesses improve the customer experience, accelerate the
operational execution of projects and quickly adapt to
market opportunities. Based on McKinsey & Company’s
Business Agility Framework
For most enterprises, the hybrid cloud is the most economical
model. According to recent VMware and EMC research, hybrid
cloud deployment would reduce typical total IT spend by
approximately 20 to 30 percent.
Hybrid clouds offer lower IT spend through virtualization
and consolidation, optimized workload sourcing, optimized

provisioning and higher productivity in application
development and maintenance
More than Economics: The Value of Hybrid Cloud
If you remember, not long ago IT decision makers had to
choose between deploying applications on an intranet or
extranet, and then most applications just ran on the internet. In
three years, the distinction between private and public clouds
will slowly dissipate, and the two will complement each other in
a way that leverages the best of both worlds—a hybrid cloud
that may simply be called the cloud. But the need for both will
remain, because there is so much investment in legacy
environments within the datacenter. That is not going away. It
would be nice to have it just run better and be more cost-
effective in someone else’s datacenter, but if that could
happen, everyone would have outsourced IT by now.
There are reasons (security, compliance, operational control,
etc.) why companies are continuing to maintain their
datacenters. So, we need to maintain those characteristics and
bring the benefits of cloud computing to the datacenter, or
we’re missing a large piece of the opportunity to drive greater
agility. That is why the emphasis on private cloud. But why
stop there? There is always going to be the need for more
resources. Think about demand that is spike-based by season
or event, or an acquisition requiring a company to ramp up and
then ramp down. Another case may be that the company just
does not know what the demand will be, so it needs to make
sure it has capacity for unpredictable situations. So stopping
at the boundaries of the datacenter does not make sense when
you have the rich public cloud option available that can be
integrated into the enterprise IT strategy. That is why hybrid
is such a valuable solution
The key to hybrid cloud is the standardization of frameworks

and infrastructure across public and private cloud, including
• A common platform
• Common management
• Common security
Standardization is what makes applications and data portable
and accessible across clouds. Given both the business and cost
benefits, it is clear that hybrid clouds are the deployment
model of the future.
Why VMware for Your Cloud?
By allowing enterprise IT to intelligently and dynamically
anticipate and respond to business needs, cloud computing
creates competitive advantage. If your business is thinking
about building for the cloud, why not build for your cloud?
Although true cloud computing is a standardized approach,
the way every individual business approaches cloud computing
is not. VMware is here to help you move beyond the limitations
of a one-cloud-fits-all approach.
How you will want to approach cloud computing depends on
your business. Do you want to begin with an internal (private)
cloud? Do you want to leverage public cloud services? Do you
want a combination?
In other words, it is not about the cloud, it is about your cloud.
With its unrivaled experience, large customer base and partner
ecosystem. VMware can help you move beyond current IT
limitations, to your cloud—where you can accelerate IT, which
in turn accelerates meaningful results for your business.
Your Cloud.
Accelerate IT. Accelerate Your Business.

Contact VMware today to accelerate IT and your organization’s
transformation to business agility through the cloud.
Resources: Download the Business Agility Survey,
Feb 2011 at
http://www.vmware.com/your-cloud.
Figure 4. The hybrid cloud is more economical than pure public
cloud or pure private
cloud models.
Customer Profile: Global Financial Services Company
This global asset management and advisory firm manages over
USD $50 billion in assets across five distinct asset classes:
commercial real estate, corporate loans, derivatives and capital
markets, private equity and principal investments, and
residential mortgages. Using VMware cloud solutions to drive
its IT transformation and cloud infrastructure, the company
recovered $20B+ in assets. The company’s IT organization is
recognized for fueling business responsiveness and the
company has saved $1M a month in IT costs
BUSINESS AGILITY
FOCUS AREA
BUSINESS AGILITY
STRENGTHS

AGILE BUSINESS
REQUIREMENTS
IT AGILITY REQUIREMENTS AND
CLOUD SOLUTION CAPABILITIES
Grow revenue Launch new products
or services
New portfolios for pricing, plus
flexibility in pricing and
management techniques
To accommodate extreme uncertainty,
company needed
- Highly elastic capacity, capable of rapidly scaling
up or down
- Public/private cloud integration for more
capacity on demand and to support workload
shifts for latency reasons
Reduce costs Execute programs
and projects
Quickly unwind 1.2M derivative
transactions. Accurate
intelligence and pricing.
Rapidly and efficiently establish
book value and dispose of
assets, under scrutiny
To deploy greenfield IT and reduce lead time
for deal closure, company needed
- Immediate access to IT infrastructure from

cloud services provider BlueLock (a certified
VMware vCloud™ Datacenter Services
partner); complete infrastructure and
application support planned in eight months,
rolled out in four
- Cloud-based data and applications hosting
for all workloads
To reduce lead time, company needed
- Dynamic provisioning enabling it to rapidly
scale resources to accelerate deal execution
Scale resources
with demand
Shed 50 percent of asset base
and scale operation over
unknown period.
To minimize expenditures, company began to
- Immediately reduce $1M in IT expenses
each month
- Outsource support personnel, managing with
a team of three what hundreds did before
- Use a pay-as-you-grow, OpEx-based
procurement model with minimal upfront
capital required
To increase transparency, company began
- Metering and chargeback to attribute

expenses
To further accommodate extreme uncertainty
in capacity requirements, company needed to
- Provide a standard service catalog with
known computing and pricing characteristics
Respond to risk Adapt to external
constraints
Prepare for and address
uncertain lawsuits, legal actions,
and government requirements
and regulations
VMware, inc. 3401 Hillview Avenue Palo Alto CA 94304 USA
Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2011 VMware, Inc. All rights reserved. This
product is protected by U.S. and international copyright and
intellectual property laws. VMware products are covered by one
or more patents
listed at http://www.vmware.com/go/patents. VMware is a
registered trademark or trademark of VMware, Inc. in the
United States and/or other jurisdictions. All other marks and
names mentioned
herein may be trademarks of their respective companies. Item
No: VMW-WP-BUSINESS-AGILITY-CLOUD-COMPUTING-
A4-105
AWS Security and Compliance

As was previously mentioned, AWS uses a shared responsibility
model in which AWS and its
customers share control over the IT environment, so both
parties have responsibility for managing
that environment.
AWS’ role, in this shared responsibility approach, includes
providing its services on a highly secure
and controlled platform and providing a wide array of security
features customers can use. The
customer is responsible for configuring their IT environment in
a secure and controlled manner for
their purposes.
AWS advises customers about any changes to its security and
control environment, as appropriate,
and works to obtain industry certifications and independent
third-party attestations. AWS publishes
information about its security and control practices openly. It
also provides website content,
certificates, reports, and other documentation directly to its
customers under Non-Disclosure
Agreements (NDAs).
When a customer moves their production workloads to the AWS
cloud, responsibility for the

management of the IT environment falls to both AWS and the
customer. The customer is responsible
for establishing their environment in a secure and controlled
manner. The customer is also required
to maintain acceptable governance over the whole of their IT
control environment.
The shared responsibility model helps reduce the customer’s IT
operational burden, as it is AWS’
responsibility to manage the components from the host
operating system and virtualisation layer
down to the physical security of the data centers in which these
services operate. The customer is
responsible for the components from the guest operating system
upwards (including updates,
security patches and antivirus software).
The customer is also responsible for any other application
software, as well as the configuration of
security groups, Virtual Private Clouds (VPCs) and so on.
While AWS manages the security of the
cloud, security in the cloud is the responsibility of the
customer. Customers retain control of what
security they choose to implement to protect their own content,
platform, applications, systems and

networks, no differently than they would for applications in an
on-site data center.
The figure below illustrates the allocation of responsibilities to
roles, in AWS’ shared responsibility
model –
Figure 1: AWS’ shared responsibility model
The customer-AWS shared responsibility model is not just
limited to security considerations, but it
also extends to IT controls. For example, the management,
operation and verification of IT controls
are shared between AWS and the customer.
Before moving to the AWS Cloud, customers were responsible
for managing all of the IT controls in
their environments. AWS manages the controls for the physical
infrastructure, thereby allowing
customers to focus on managing the relevant IT controls.
Because every customer is deployed differently in AWS,
customers can shift management of certain
IT controls to AWS. This change in management of IT controls
results in a new, distributed control
environment. Customers can then use the AWS control and

compliance documentation available to
them to perform their control evaluation and verification
procedures as required.
It is still the customers’ responsibility to maintain adequate
governance over the entire IT control
environment, regardless of how their IT is deployed (whether it
is on-premises, on the cloud or part
of a hybrid environment). By deploying to the AWS Cloud,
customers have options to apply different
types of controls and various verification methods.
AWS Controls:
AWS provides customers with a wide range of information
regarding its IT control environment
through whitepapers, reports, certifications, and other third-
party attestations. This documentation
assists customers in understanding the controls in place relevant
to the AWS Cloud services they use
and how those controls have been validated.
The information also assists customers in accounting for and
validating that controls in their
extended IT environment are operating effectively.
Traditionally, the design and operating

effectiveness of controls and control objectives are validated by
internal and/ or external auditors
via process walkthroughs and evidence evaluation. Direct
observation and verification, by the
customer or customer’s external auditor, is generally performed
to validate controls.
In cases where service providers such as AWS are used,
companies request and evaluate third-party
attestations and certifications to gain reasonable assurance of
the design and operating
effectiveness of controls and control objectives. As a result,
although a customer’s key controls may
be managed by AWS, the control environment can still be a
unified framework in which all controls
are accounted for and are verified as operating effectively.
AWS third-party attestations and certifications not only provide
a higher level of validation of the
control environment, but may also relieve customers of the
requirement to perform certain
validation work themselves.
AWS Key Controls –
AWS customers can identify key controls managed by AWS.
Key controls are critical to the

customer’s control environment and require an external
attestation of the operating effectiveness of
these key controls in order to meet compliance requirements
(for example, an annual financial
audit).
For this purpose, AWS publishes a wide range of specific IT
controls in its Service Organisation
Controls 1 (SOC 1) Type II report. The SOC 1 Type II report,
formerly the Statement on Auditing
Standards (SAS) No. 70, is a widely recognised auditing
standard developed by the American
Institute of Certified Public Accountants (AICPA).
The SOC 1 audit is an in-depth audit of both the design and
operating effectiveness of AWS-defined
control objectives and control activities (which include control
objectives and control activities over
the part of the infrastructure that AWS manages). ‘Type II’
refers to the fact that each of the controls
described in the report are not only evaluated for adequacy of
design, but are also tested for
operating effectiveness by the external auditor. Because of the
independence and competence of
AWS external auditor, controls identified in the report should

provide customers with a high level of
confidence in AWS control environment.
AWS controls can be considered effectively designed and
operating for many compliance purposes,
including Sarbanes-Oxley (SOX) Section 404 financial
statement audits. Leveraging SOC 1 Type II
reports is also generally permitted by other external certifying
bodies. For example, International
Organization for Standardization (ISO) 27001 auditors may
request a SOC 1 Type II report in order to
complete their evaluations for customers.
General AWS Controls based on Compliance with Industry-wide
Standards –
If AWS customers require a broad set of control objectives to be
met, evaluation of AWS industry
certifications may be performed. With the ISO 27001
certification, AWS complies with a broad,
comprehensive security standard and follows best practices in
maintaining a secure environment.
With the Payment Card Industry (PCI) Data Security Standard
(DSS) certification, AWS complies with
a set of controls important to companies that handle credit card

information.
AWS compliance with Federal Information Security
Management Act (FISMA) standards means
that AWS complies with a wide range of specific controls
required by U.S. government agencies.
AWS compliance with these general standards provides
customers with in-depth information on the
comprehensive nature of the controls and security processes in
place in the AWS Cloud.
AWS’ Structured Approach to Risk Management:
AWS has a strategic business plan that includes risk
identification and the implementation of
controls to mitigate or manage risks, similar to the risk-
management framework presented in an
earlier lecture. An AWS management team re-evaluates the
business risk plan at least twice a year.
As a part of this process, management team members are
required to identify risks within their
specific areas of responsibility and implement controls designed
to address and perhaps even
eliminate those risks. The AWS control environment is subject
to additional internal and external risk
assessments.

AWS compliance and security teams have established
information security frameworks and policies
based on the Control Objectives for Information and Related
Technology (COBIT) framework, and
they have effectively integrated the ISO 27001 certifiable
framework based on ISO 27002 controls,
AICPA Trust Services Principles, PCI DSS v3.1, and the
National Institute of Standards and Technology
(NIST) Publication 800-53, Revision 3, Recommended Security
Controls for Federal Information
Systems.
AWS maintains the security policy and provides security
training to its employees. Additionally, AWS
performs regular application security reviews to assess the
confidentiality, integrity and availability
of data, and conformance to the information security policy.
The AWS security team regularly scans
any public-facing endpoint IP addresses for vulnerabilities.
Note that these scans do not include
customer instances.
AWS security notifies the appropriate parties to remediate any
identified vulnerabilities. In addition,
independent security firms regularly perform external

vulnerability threat assessments. Findings and
recommendations resulting from these assessments are
categorised and delivered to AWS
leadership. These scans are done in a manner for the health and
viability of the underlying AWS
infrastructure and are not meant to replace the customer’s own
vulnerability scans that are required
to meet their specific compliance requirements (based on local
regulations).
AWS Security and ComplianceFigure 1: AWS’ shared
responsibility modelAWS Controls:AWS Key Controls –General
AWS Controls based on Compliance with Industry-wide
Standards –AWS’ Structured Approach to Risk Management:
Cloud Services Compliance Issues
Compliance is a system or organisation’s accreditation for
meeting the conditions of particular
standards, recognised legislation, regulatory guidelines or
industry best practices that can be jointly
classified as a compliance framework.
A compliance framework can include business processes and
internal controls the organisation has
in place to adhere to these standards and requirements. The
compliance framework should also map
different requirements to internal controls and processes to
eliminate redundancies.

Why is compliance important for the cloud? When moving to
the cloud, the organisation moves
from an internal security and operational environment (that may
not be formally defined) to
external operational security that will become a part of an SLA
(or business requirement) with the
CSP. Compliance in this case will imply a defined, expected
level of security and assurance for the
cloud-based system.
The table below depicts a set of standards and regulatory
requirements that are commonly
considered for cloud compliance. They are separated into two
groups: ‘General standards &
recommendations’ and ‘Sectoral ones related to industry and
government’ –
Standards/Regulation Name (with Description)
Acronym
(if applicable)
General standards and recommendations
ISO/IEC 27001:2005 Certification on security infrastructure
Industry standard: the risk-based information security
management program that follows a plan-do-check-act process
ISO/IEC 27001
Service Organization Control SOC 1 (SSAE 16/ISAE 3402) and
SOC 2 and
3 (AT 101)

• SOC 2 is a new attestation report for service organisations that
contains rigorous standards for security, availability, processing
integrity, confidentiality and privacy.
• SOC 3 report which summarizes the SOC 2 audit
SOC 1 (SSAE
16/ISAE 3402)
SOC 2
SOC 3
NIST SP 800-144 Guidelines for Security and Privacy in Cloud
Computing NIST SP 800-144
Cloud Security Alliance, Security Guidance for Critical Area of
focus in
Cloud Computing
ENISA Cloud Computing Security Risk Assessment ENISA
European Union Data Protection Directive
Content Protection and Security Standard (CPS) is sponsored by
the
Content Delivery & Security Association (CDSA).
The CPS framework focuses primarily on the security
management of
media content in all of its forms across the entire supply chain.
It is
composed of an independent and impartial audit of risk

management,
personnel resources, asset management, logical and physical
security
and disaster recovery planning.
CPS CDSA
Industry and government related (Sectoral)
Payment Card Industry Data Security Standard (PCI-DSS)
PCI DSS Cloud Addendum
PCI-DSS
Sarbanes-Oxley Act (SOX)
‘Public Company Accounting Reform and Investor Protection
Act’ and
‘Corporate and Auditing Accountability and Responsibility Act’
SOX
HIPAA/HITECH - The US Health Insurance Portability and
Accountability
Act (HIPAA) and HITECH (Health Information Technology for
Economic
and Clinical Health)
Act created by the US federal government includes provisions
to protect
patients' private information.

HIPAA/HITECH
FISMA Certification and Accreditation - The Federal
Information Security
Management Act of 2002 (FISMA)
Describes security requirements which US federal agencies
expect to be in
place for the protection of information and information systems.
FISMA
Gramm-Leach-Bliley Act (FGLBA) FGLBA
Federal Risk and Authorization Management Program
(FedRAMP) FedRAMP
Department of Defense Information Certification Accreditation
Process
(DIACAP)
DIACAP
DOD
Table 1: Major cloud compliance standards and regulations
All of the major CSPs provide indications of the various
standards that they comply with, as follows –
AWS cloud certification and compliance:

The AWS cloud infrastructure has been designed and managed
in alignment with regulations,
standards and best practices, including:
• ISO/IEC 27001:2005
• SOC 1, SOC2, SOC3
• FIPS 140-2
• CSA
• PCI DSS Level 1
• HIPAA
• ITAR
• DIACAP and FISMA
• FedRAMP (SM)
• MPAA
Amazon AWS Cloud is also certified for hosting US
governmental services.
Microsoft Azure cloud certification and compliance:
Microsoft services/infrastructure meets the following key
certifications, attestations and compliance
capabilities:
• ISO/IEC 27001:2005 certification on security infrastructure
• SOC 1 (SSAE 16/ISAE 3402) and SOC 2 and 3 (AT 101);
obtained in 2008 and 2012
• Cloud Security Alliance (CSA) Cloud Controls Matrix
• NIST SP 800-144 Guidelines for Security and Privacy in
Cloud Computing
• PCI Data Security Standard Certification level 1
• HIPAA and HITECH
• FISMA Certification and Accreditation – since 2010
• Various state, federal, and international Privacy Laws
(95/46/EC, e.g. EU Data Protection
Directive, California SB 1386, etc.)
Rackspace Open Cloud certification and compliance:
Rackspace lists the following standards compliance:
• ISO 27001

• ISO 27002
• PCI-DSS SSAE16
• SOC 1
• SOC 2
• SOC 3
• Safe Harbor
• Content Protection and Security Standard (CPS)
Verizon Terremark:
Verizon Terremark lists the following standards compliance:
• ISO 27000
• NIST 800-53
• FIPS
• PCI DSS
• HIPAA
• SAS70 Type II
• HB 1386
Cloud Services Compliance IssuesTable 1: Major cloud
compliance standards and regulationsAWS cloud certification
and compliance:Microsoft Azure cloud certification and
compliance:Rackspace Open Cloud certification and
compliance:Verizon Terremark:

On-Premises vs. Cloud Data Centre Cost Comparison

Recommended

Recommended

More Related Content

Similar to On-Premises vs. Cloud Data Centre Cost Comparison

Similar to On-Premises vs. Cloud Data Centre Cost Comparison (20)

More from coubroughcosta

More from coubroughcosta (20)

Recently uploaded

Recently uploaded (20)

On-Premises vs. Cloud Data Centre Cost Comparison