Transcript
ITIL ON THE CLOUD COMPUTING AGE
Luis Lima
GALILEU
Cloud Computing Defined
NIST: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
GARTNER: “A style of computing where massively scalable, IT-enabled capabilities are provided ‘as a service’ across the internet to multiple external customers.”
Cloud Computing Advantages
• Reduced Cost: Cloud technology is paid for incrementally, saving organizations money.
• Increased Storage: Organizations can store more data than on private computer systems.
• Highly Automated: No longer do IT personnel need to worry about keeping software up to date.
• Flexibility: Cloud computing offers much more flexibility than past computing methods.
• More Mobility: Employees can access information wherever they are, rather than having to remain at their desks.
• Allows IT to Shift Focus: No longer having to worry about constant server updates and other computing issues, government organizations will be free to concentrate on innovation.
What is IT Service Management (ITSM)?
The origin of the term is generally unknown, but it was in mainstream use during the 1990s. Historically, it has been associated with the introduction of, or improvement of, existing IT operational practices through the adoption and adaptation of industry “best practices”.
ITIL® defines ITSM as, “The implementation and management of quality IT services that meet the needs of the business...”
Wikipedia defines IT Service Management as, “a discipline for managing information technology (IT) systems, philosophically centered on the customer’s perspective of IT’s contribution to the business...”
IT Service Management is also the term commonly used to describe the process-centric effort of transforming an IT organization from one focused on managing the IT infrastructure to one managing the provision of information system services.
ITIL Service Management v2
ITILv2 – 10 processes
Service Delivery (5 Processes)
• Service Level Management
• IT Financial Management
• Availability Management
• Capacity Management
• IT Continuity Management
Service Support (5 Processes and a function (Service Desk))
• Incident Management
• Problem Management
• Change Management
• Configuration Management
• Release Management
ITIL Service Management v3
ITILv3 – 5 books and 27 processes
Service Strategy
• Strategy Generation
• Service Portfolio Management
• Demand Management
• IT Financial Management
Service Design
• Service Catalog Management
• Service Level Management
• Capacity Management
• Availability Management
• Service Continuity Management
• Information Security Management
• Supplier Management
Service Transition
• Transition Planning & Support
• Change Management
• Asset & Configuration Management
• Release & Deployment Management
• Service Validation & Testing
• Evaluation
• Knowledge Management
Service Operation
• Event Management
• Request Fulfillment
• Incident Management
• Problem Management
• Access Management
Continual Service Improvement
• Service Improvement
• Service Measurement
• Service Reporting
Diagram legend: Processes ITILv3; Processes ITILv2; Processes ITILv2 + ITILv3
Core IT Management Disciplines Have Not Changed
Service Strategy
• ITIL for the Organization: Architect service solutions by piecing together Cloud service providers and their service offerings.
• ITIL for the Cloud Provider: Identify services provided, their value and costs; demand management is key for providing on-demand services.
Service Design
• ITIL for the Organization: Focus on integrating and securing services from suppliers.
• ITIL for the Cloud Provider: Bundle service packages for consumption; capacity management is key to disruption-free, on-demand delivery.
Service Transition
• ITIL for the Organization: Manage and control a complex mix of releases/changes across a wide range of suppliers, varying schedules and priorities.
• ITIL for the Cloud Provider: Provide customers with easy, smooth and stable ways to transition and access provided services.
Service Operation
• ITIL for the Organization: Ensure expected value is being delivered, and service disruption responses are coordinated across suppliers.
• ITIL for the Cloud Provider: Ensure that expected value is being delivered and that services are not disrupted.
Continual Service Improvement
• ITIL for the Organization: Provide the needed transparency of results and coordinated improvement efforts across many providers.
• ITIL for the Cloud Provider: Provide a means for staying ahead of competition and gauging customer satisfaction or business will be lost.
Service Strategy
Process: Purpose
• Strategy Generation: Identify the IT services, investments, partners and delivery channels to meet customer needs and outcomes.
• Service Portfolio Management: Manage the investment portfolio of all the services available to customers and users.
• Demand Management: Identify patterns of business activity that consume services and manage activities to influence demand.
• IT Financial Management: Management accounting and chargeback for IT services.
Service Strategy
Questions
What Cloud Operating Model(s) will be used?
What elements of services will be placed in the Cloud?
Which service partners will we utilize?
Who are my customers and what are their needs?
What services will need to be provided?
How will business demand consume services?
Service Strategy
[Diagram, Input / Output. Labels: Strategic Objectives; Additional enterprise stakeholders; Service Strategy; Organizational capability; Define market space; Strategic Asset; Drive Business value; Cloud Services]
Cloud Computing will not change the strategic objectives or the market spaces of a service.
Service Strategy
[Diagram, Input / Output. Labels: Valued Service Partner; Cloud providers]
• Provide understanding of business needs
• Measure and compare supplier performance
• Align contracts with business needs
• Maximize Return of Investment (ROI) by selecting the right provider
Service Design
Process: Purpose
• Service Catalog Management: Publish, manage and communicate which services are available to customers and users.
• Service Level Management: Negotiate, monitor, report and measure SLAs and OLAs.
• Availability Management: Define, measure, analyze and improve the availability of services.
• Capacity Management: Ensure appropriate infrastructure capacity is in place to meet service demand volumes.
• Information Security Management: Protect the confidentiality, integrity and availability of services.
• IT Service Continuity Management: Ensure services can be recovered in the event of a major business disruption.
• Supplier Management: Ensure suppliers support the needs of the business and meet their contractual obligations.
Service Design
Questions
How will services be bundled and packaged for consumption?
What SLAs and OLAs will be needed to meet business objectives?
How will we ensure availability of services in the event of a major business?
How will we secure our services and data across the Cloud?
What supplier agreements and contracts need to be in place?
How will we communicate available services to the business?
What capacity needs to be in place to meet business demand?
How will services integrate and sit on the Cloud Operating Model?
Service Transition
Process: Purpose
• Transition Planning and Support: Plan and coordinate activities for transitioning services to the live production environment.
• Change Management: Protect services while changes are being made.
• Release and Deploy Management: Manage releases and their deployment to live production.
• Service Asset & Configuration Management: Maintain information about configuration items used to support services and their relationships.
• Service Validation and Testing: Validate that new services and changes will match design and business objectives.
• Knowledge Management: Gather, analyze, store and share knowledge to reduce the need for rediscovery of information.
• Evaluation: Ensure a service will meet intended business objectives when it is transitioned.
Service Transition
Questions
How will services be transitioned to a live production state?
How will changes be managed across providers?
How will releases and deployments be coordinated across providers?
How will we test services across providers?
What operating information should we retain across providers?
Service Transition
[Diagram, Input / Output. Labels: Change Requests; Planned Changes; Cloud Services]
Cloud Computing will not change the strategic objectives or the market spaces of a service.
RACI legend: R - Responsible; A - Accountable; C - Consulted; I - Informed
• Change Management Support: Cloud Providers R; Organization A, C
• RFC classification: Cloud Providers C; Organization R
• Change Scheduling: Cloud Providers R; Organization C
Service Operation
Process: Purpose
• Incident Management: Restore an IT service to normal state operations as quickly as possible.
• Problem Management: Prevent incidents from happening or minimize their impacts by identifying their root causes.
• Event Management: Manage operational events and communicate them to appropriate parties for further action.
• Access Management: Ensure only authorized users are allowed access to services.
• Request Fulfillment: Manage the lifecycle of all service requests.
Service Operation
Questions
How will incidents and problems be managed across providers?
What events need to be generated and visible across and between providers?
How do we ensure only authorized users have access to services?
How will we prioritize and coordinate user service requests that may need provider involvement?
How will we coordinate operational control activities across providers?
Continual Service Improvement
Process: Purpose
• 7-step improvement: Measure services to proactively identify opportunities for improvement.
• Service Reporting: Produce and communicate reports for achievements and trends against service levels.
• Service Measurement: Put appropriate metrics into place that provide information for proactive decision making.
Questions
What key measurements will be needed to ensure services are working across the Cloud?
What measurements should be taken by suppliers to ensure service objectives will be met?
What information and reports will we require from our providers?
How will we work with our providers to proactively improve services?
Paradigm Shift
On Premises vs. in the cloud
[Diagram labels: Consistency; Share & Reuse; Security & Privacy; Customizability; Control; Economy of Scale; Ease of Provisioning; Global reach; Partitioning & Redundancy; Scalability & Availability; On-Premises; Cloud]
Challenges and risks
• Security Concerns
• Lack of Standards
• Legal, Regulatory and/or Compliance Issues
• Lack of SLAs
• Performance concerns
• Commitment
Lack of Standards
SLA - Internal Computing
[Diagram labels: User; Customer; The Business; Internal IT; Service Desk; Business Relationship Management; Service Support; Service Delivery; Operational Organizations; SLA; OLA]
SLA - Cloud Computing
[Diagram labels: User; Customer; The Business; Internal IT; Service Desk; Business Relationship Management; Supplier Management; Service Support; Service Delivery; Operational Organizations; Cloud Provider; SLA; OLA; UC]
Legal, Regulatory and/or Compliance Issues
Liability
• What recourse actions (e.g., financial compensation, early exit of contracts, etc.) can we agree on in the event of a security incident or failures to meet SLAs?
• What conditions under which. . .?
Intellectual Property
• Can we stipulate in the SLA that all my data (or applications), including all replicated and redundant copies, are owned by me?
• Ensure your service agreement does not lead you to relinquish any IP rights.
• Scrutinize the language in the terms of service that governs the ownership of and rights to information that you place in the cloud.
Business Continuity / Disaster Recovery
• Do you have any DR and BC planning documents, and can we review them?
• Can we do a BC audit?
• Where are your recovery data centers located?
• What service-level guarantee can you offer under DR conditions?
Logs and audit trails
• Can they accommodate timely forensic investigation?
• How do we access logs and audit trails?
• How long do you keep logs and audit trails?
• Can we have dedicated storage of logs and audit trails, how?
• Show evidence of tamper proofing for logs and audit trails.
Specific compliance requirements
• Are your data centers under local compliance? If so, which ones?
• Do the local compliance requirements violate our own?
• Are you SAS 70-compliant (if applicable)?
• Are you ISO 27001-compliant (if desired)?
• Can you prove that you are compliant for:
  - PCI?
  - SOX?
  - HIPAA?
It recently found a flaw that inadvertently shares users’ docs (March 2009).
A Salesforce.com employee fell victim to a phishing attack and leaked a customer list, which generated further targeted phishing attacks (October 2007).
It lodged a formal complaint to the FTC against Google for its privacy practices (March 2009). EPIC was successful in an action against Microsoft Passport.
Security Concerns
Data Protection
• Data segregation
  - How do you separate my data from other customers?
• Data-at-rest protection
  - Where do you store my data?
  - Encryption and data integrity
  - Access control and authentication
  - Is there documentation for auditors?
• Data-in-motion protection
  - How do you transfer data from one place to another?
  - Can any third party access my data (your SPs), and how?
  - Can you ensure all my data is erased at the end of service?
Vulnerability Management
• Show evidence of your vulnerability management program.
• How often do you scan for vulnerabilities?
• Can I conduct an external vulnerability assessment on your network?
• What’s your vulnerability remediation process?
Personnel and physical security
• Do you have restricted and monitored access to critical assets 24x7?
  - If dedicated infrastructure is desired, ensure that it’s isolated.
• How often do you scan for vulnerabilities on your network and applications?
• Do you do background checks for all relevant personnel? How extensive? SAS 70, ISO 27001.
Application Security
• Do you follow OWASP guidelines for application development?
• Do you have a rigorous testing and acceptance procedure for outsourced and packaged application code?
• What about third-party apps (components) used in your services?
• What application security measures (if any) do you use in your production environment (application-level firewall, database auditing)?
Incident Response
• What is your procedure in handling a data breach?
  - Can notification occur within a specified time period?
  - In what format do notifications go out? What info do they contain?
• Can you ensure that vendors’ incident response procedures do not violate our own requirements?
Identity Management
• Can you integrate directly with directories, and how?
• Review the architecture of integration.
• Ensure it doesn’t create a security risk for my own infrastructure.
• If not, how do you secure user IDs and access credentials?
• If not, how do you handle user provisioning?
• Can you support single sign-on (SSO), and which standards?
• Can you support federation, and which standards?
Commitment
End of Service Support
• Specify what the cloud vendor will deliver at the end-of-service period:
  - Will data be packaged and delivered back to me? If so, in what end-of-service format?
  - How soon will I have all my data back?
  - Will any remaining copies of data be erased completely from your network? If so, how soon will it happen?
• Specify any fees that may be incurred at the end of the service.
Lack of SLAs
• Make sure any framework compliance requirements (i.e. Federal Enterprise Architecture, SOA, etc.) are documented and agreed within the Contract.
• Include a formal Change Control process in the Contract and declare the cloud provider’s architectural framework within the scope of the Change Control.
• Treat the cloud provider contract as you would an underpinning contract.
• Document expected service levels, audit process and reporting requirements.
Thank you
http://pt.linkedin.com/in/luisaalima