This presentation was delivered at the 2012 BankTech Summit in Sydney, Australia, by Rob Livingstone (www.rob-livingstone.com). Topics included:
Exploring the real definition of Cloud
Interpreting the conflicting messages
Systemic vs. Technical risks in the Cloud
Availability
Hybrid Cloud is the reality
Importance of Cloud Computing Reference Architecture
Managing multiple parties in the Cloud ecosystem (Hybrid Cloud)
The challenge for Regulators
Standards? Which standards?
Some risk mitigation approaches
Map of the Cloud minefield - BankTech Sydney Summit, 17 July 2012
1. Map of the minefield
Alleviating cloud risks in
order to reap the benefits
ROB LIVINGSTONE
- Fellow, University of Technology, Sydney, Australia, and
- Principal, Rob Livingstone Advisory Pty Ltd
17th July 2012
navigatingthrougthecloud.com
2. What I’ll NOT be covering
• Data Privacy
• Data residency
• International legal jurisdictional considerations
• Vendor lock-in
• Data extraction and ownership
• Intellectual property considerations
• Hacking, cybercriminals and cloud, data breaches
• Total cost of Ownership
• Single function enterprise Cloud (e.g. CRM, email, pure storage)
• Consumerisation of IT
• BYOD
These are much discussed and (hopefully) should be well understood by all.
3. What I WILL be covering
• Exploring the real definition of Cloud
• Interpreting the conflicting messages
• Systemic vs. Technical risks in the Cloud
• Availability
• Hybrid Cloud is the reality
• Importance of Cloud Computing Reference Architecture
• Managing multiple parties in the Cloud ecosystem (Hybrid Cloud)
• The challenge for Regulators
• Standards? Which standards?
• Some risk mitigation approaches
4. Exploring the real definition of Cloud
The most quoted definition of Cloud:
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction.”
• US National Institute of Standards and Technology’s (NIST) definition
5. Exploring the real definition of Cloud
The most sensible definition of Cloud:
“Forget your technical definition of the Cloud, ask your mom what the Cloud is… And what your mother will tell you about the Cloud is that it means it’s not on my computer.”*
Dave Asprey – Global VP, Cloud Security, Trend Micro
* Navigating through the Cloud Podcast, Episode 23 in iTunes
6. Exploring the real definition of Cloud
Cloud-like Outsourcing:
If you sign a standard outsourcing contract with an outsourcing vendor that has Cloud-like pricing (pay-as-you-go) and Cloud-like capabilities, whether or not it’s Cloud is largely a matter of opinion.
7. Exploring the real definition of Cloud
The 3 key ‘classic’ ingredients of Cloud
• You’re counting on the SaaS vendor to provide all the multi-tenancy for your data.
• You hope they’ve written their applications well, secure their databases, and so on…
• You’re sharing the database with everyone else.
8. Exploring the real definition of Cloud
Enterprise Cloud: The Inverted Risk Pyramid
(Figure: inverted risk pyramid)
HIGH RISK: Major enterprise instances, with complexity, scale, risk, compliance, deep integration, long-term integration, enterprise governance needed
LOW RISK: Commodity / non-integrated Cloud applications
9. Interpreting the conflicting messages
Has business lost patience with Enterprise IT?
"Despite an abundance of IT Project Management (ITPM) resources, such as the PMI Body of Knowledge, IT standards and governance, a large percentage of IT projects continue to fail and ultimately get scrapped. Recent studies have shown an average of 66% IT project failure rate, with 52% of the projects being cancelled, and 82% being delivered late."
Kraft (2008). The Importance of Business Process Alignment for IT Project Management of Commercial Software with Case Studies. Journal of Information Systems Applied Research, 1 (3)
10. Interpreting the conflicting messages
A recent survey* referred to by Forbes claims that “a meagre 3% of companies considering Cloud consider it to be too risky.”
This was based on a survey of 785 companies, implying the inevitability of Cloud.
Not atypical of research in Cloud, this survey was conducted by a firm that has investments in the Cloud industry, with 65% of respondents being vendors, so one could say that the results were not totally unexpected.
http://www.forbes.com/sites/joemckendrick/2012/06/20/cloud-computing-simply-isnt-that-scary-anymore-survey/
11. Interpreting the conflicting messages
Fear being left behind?
"By 2015, nearly $1 of every $6 spent on packaged software, and $1 of every $5 spent on applications, will be consumed via the SaaS model."
"By 2012, about 83% of all net-new software firms coming to market will be operationalized around creating, testing, selling, and provisioning a service versus a packaged product (CD)."
"By 2015, about 24% of all new business software purchases will be of service-enabled software, and SaaS delivery will constitute about 13.1% of worldwide software spending across all primary markets and 14.4% of applications spending."
IDC, Dec 2011, Doc # 232239
12. Interpreting the conflicting messages
2012 PwC CEO Survey: 75% of CEOs plan to change innovation capacity in 2012, of which 24% expect ‘major change’, underpinned in part by technology.
The eighth annual KPMG 2012 Audit Institute Report identified “IT Risk and Emerging Technologies” as the second-highest concern for audit committees, which is unprecedented in the history of the report.
13. Interpreting the conflicting messages
• So, in a nutshell, there are mixed messages out there at this point in time.
• On the one hand, organisations demand speed, innovation, agility and value, largely facilitated by technology.
• Organisations that adopt new ‘transformational’ technologies, Cloud in particular, without effective consideration of the enterprise-wide, systemic and longitudinal risks, are potentially either setting themselves up for future problems, or not maximising the opportunities, or both.
• This last point is the focus of my presentation.
14. Systemic vs. Technical Risks in the Cloud
Systemic Risks
• Systemic risk is highly relevant to Hybrid Cloud, which we’ll discuss in a few minutes…
• Systemic risks are those with the greatest potential impact, as they affect the entire system (i.e. organisation, government, country, world…)
• Case in point: how is it that the finance industry, which is one of the more regulated industries and invests heavily in risk identification, mitigation and transference, could be the cause of the current global financial problems?
• Systemic risk for the enterprise is the silent killer and is often the hardest to identify, as only a few people have a complete, transparent and objective overview of the overall enterprise.
• Mitigation is through approaches such as Enterprise Risk Management (ERM), which has its origins in fraud and organisational governance and underpins the insurance industry.
• Its applicability to IT, and Cloud especially, is not often discussed.
15. Systemic vs. Technical Risks in the Cloud
Technical (or functional) Risk
• Identifying, categorising and ranking technical and functional risks is core to conventional IT risk assessment approaches:
o Risk of a specific event = (Impact x Probability of that event occurring) + Risk Adjustment
• This underpins conventional risk certification frameworks, e.g. ISO 2700X
• Compliance does not necessarily equal security or effectiveness of your risk management model
• The categorisation of risks into functional and technical categories does not help in the identification of systemic risk
• Focusing on the diverse range of technical or functional risks does not account for the interaction between risks
• Systemic risks are mostly more significant than the sum of the individual risks
16. Availability
What’s your downtime cost?
Fundamental question: Is Cloud your default position?
"What they don’t usually tell you about the Cloud is that the SLA or the uptime SLA for Cloud providers is not nearly as good as it is for co-location… So, if you’re looking for five 9s, you’re going to need several Clouds and a lot of zeros on the cheque that you write."
Dave Asprey – Global VP, Cloud Security, Trend Micro
Navigating through the Cloud Podcast, Episode 23 in iTunes
17. Hybrid Cloud is the reality
“Within five years, it will be primarily deployed by enterprises working in a hybrid mode.” - Gartner
Gartner, "Predicts 2012: Cloud Computing Is Becoming a Reality" (Published: 8 December 2011, ID: G00226103)
18. Hybrid Cloud is the reality
Cloud 101: The 4 flavours of cloud computing
Public:
• No control
• No ownership
• You own data
• Apps stay behind
Private / Internal:
• You control all
• You may own
• You define architecture
• You determine your own security position
Hybrid:
• Combination of 2 or more models
• Can be more complex
• Need to manage interfaces, integration
Community:
• Multiple organisations share the same private cloud infrastructure
19. Importance of Cloud Computing Reference Architecture
Review, define and assign key roles in your Cloud environment.
– Define your Cloud Reference Architecture by reviewing applicability against published models (e.g. NIST*, IBM, etc.)
– Ensure you do not miss important roles (e.g. the IBM CCRA does not include the Cloud Broker and Cloud Auditor roles, which are included in the NIST CCRA)
* National Institute of Standards and Technology
20. Importance of Cloud Computing Reference Architecture
Who is accountable for what in your Cloud?
It’s YOUR brand at stake, not the vendor’s!
21. Importance of Cloud Computing Reference Architecture
The emergence of the ‘Cloud Broker’
22. Importance of Cloud Computing Reference Architecture
IT Department in the Cloud?
23. Managing multiple parties in the Cloud ecosystem
"Cloud consumers should budget for additional integration costs which can range from 10% to 30% — and sometimes as high as 50% — of the total cost of cloud IT projects."
Gartner, "Predicts 2012: Cloud Services Brokerage Will Bring New Benefits and Planning Challenges" (Published: 22 November 2011, ID: G00227370)
Let’s explore the reasons why in a bit more detail…
24. Managing multiple parties in the Cloud ecosystem
Why is brokerage a real consideration?
Orchestrating versioning, change control and rollback
(Figure: multiple Cloud components at different versions, e.g. V1.2, V2.3.1, V2.4, V3.5, V5.3)
25. Managing multiple parties in the Cloud ecosystem
Why is brokerage a real consideration?
Life expectancy…
(Figure: differing life expectancies of Cloud components, e.g. 4 years 6 months, 1 year, 3.5 years, 4.5 years)
26. Managing multiple parties in the Cloud ecosystem
Why is brokerage a real consideration?
Business continuity…
(Figure: one Cloud component in the ecosystem failing)
27. Managing multiple parties in the Cloud ecosystem
Why is brokerage a real consideration?
Also:
• Security
• Identity Management
• Due diligence
• ‘Big Data’
• Business Intelligence – dashboards and drilldowns
• Forensics / eDiscovery
• BYOD
• Mobility
• Legislative / Jurisdictional
• Contractual complexity
… to name but a few
28. The challenge facing regulators
• Various industry regulators are also working hard to keep up with the fast-moving Cloud and technology environments; however, keeping up with the rate of change presents a challenge.
• A case in point relates to the wording contained in the current National Privacy Principles (NPPs). The word ‘reasonable’ is used in the NPPs to describe the measures and controls that should be applied in the implementation of privacy controls. Whilst the intention is clear, the interpretation of ‘reasonable’ is fertile ground for contention in individual cases.
• APRA’s new standards that came into effect on July 1, 2012 (CPS231, 231 in particular) refer to appropriate risk management processes. Many of the referenced standards are dated. Two examples are AS/ISO 31000 (Risk management), where the current revision is dated 2009, and AS/ISO 27001 (Information security management systems), where the current revision is dated 2006.
29. Cloud standards? Which standards?
• Emerging Standards
– Open Virtualization Format, ISO/IEC DIS 17203 or ANSI INCITS 469 2010
– ISO/IEC WD TS 27017 (Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 - under development)
– ISO/IEC DIS 17826 - Cloud Data Management Interface (CDMI)
30. Cloud standards? Which standards?
Plethora of forums, industry groups and associations
– Cloud Security Alliance
– Cloud Standards Customer Council
– Distributed Management Task Force (DMTF)
– Cloud Management Working Group (CMWG)
– The European Telecommunications Standards Institute (ETSI)
– National Institute of Standards and Technology (NIST)
– Open Grid Forum (OGF)
– Object Management Group (OMG)
– Open Cloud Consortium (OCC)
– Organization for the Advancement of Structured Information Standards (OASIS)
– Storage Networking Industry Association (SNIA)
– The Open Group
– Association for Retail Technology Standards (ARTS)
– TM Forum’s Cloud Services Initiative
Source: cloud-standards.org
31. Some risk mitigation approaches
• Be crystal clear on the drivers behind Cloud for the organisation – do not make Cloud your default position!
• Understand and accurately map the solution to your legislative, regulatory and compliance environment
• Predict and budget for integration complexities
• Know your exit strategy before you sign up
Reshape the role of your IT Department
• Shift from a technology provider to a services broker
• A differing skills mix is needed for in-house IT
• Technology-enabled business services is the direction to take for enterprise IT
• If IT have concerns, don’t dismiss them as ‘job protection’… scrutinise these. Remember the ‘O’ ring and the Challenger?
32. Some risk mitigation approaches
Due diligence is crucial
• Perform your own due diligence, and seek absolutely independent, experienced, financially disinterested advice if needed
• Stress test your business case:
– Test your Cloud contract against a variety of scenarios
– Conduct a sensitivity analysis for feasible changes in your commercial environment, and for regulatory and operational scenarios
– Price in risk
– Understand the volatility of the cloud market
– Identify the systemic risks