Cloud computing can be safe, uncomplicated and move the organization forward IF YOU DO YOUR DUE DILIGENCE!! It's your data and your neck so don't be afraid to ask the right questions and get them in writing
webinars.plantemoran.com
Bringing the Cloud Back to Earth
Presenters
Sri Chalasani, Sr. Architect – Plante Moran, IT Consulting. Sri has over twenty years of experience and specializes in the design, deployment, and troubleshooting of complex networks. He also has over fifteen years of experience in the design and implementation of broadband multimedia solutions across large networks. Sri has helped many organizations in the design and selection of data centers, including strategic sourcing of cloud-based solutions. He has an MBA from Wayne State University, an MS in Computer Science from Western Michigan University and a BS in Electronics Engineering from Bangalore University.
Marv Sauer, Principal – Plante Moran, Education Consulting. Marv has more than 25 years of experience taking clients from initial strategic planning through the successful implementation of a variety of proven and leading-edge technologies. He is a talented facilitator of small to large groups, working with personnel ranging from end users to executive management. Marv has given presentations at local and national conferences on topics such as Building the Network of Tomorrow, Today and With Strategic Planning First, Successful Implementation Follows. Marv holds a Master of Business Administration in Finance from the University of Michigan and a Bachelor of Science in Math and Computer Science from the University of California, Los Angeles (UCLA).
Slides are available for download from your webcast console. A recording of today’s webinar will be added to our website in a few days.
We will allow time at the end of the presentation to respond to your questions, but please feel free to submit questions at any time.
Administration
This is a CPE-eligible webinar. Throughout the webcast, participation pop-ups will appear.
Participants must respond to at least 75% of these pop-ups in order to receive CPE credit.
To receive CPE credit, you need to be logged in individually to the webinar and meet the eligibility requirements (an accrued viewing time of at least 50 minutes and a 75% response rate to participation tracking). Only attendees who are logged into the webinar will be eligible to earn CPE credit.
Overview
Kick it to the next level - move beyond the tutorials
• Review drivers, strategy and architectures for deploying a cloud
• Identify your risks
• Asking the right questions
• Selection criteria
• The T’s and C’s
Background
Gartner believes enterprises will spend $112 billion cumulatively on software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). Part of the attraction is the promise of lower total cost of ownership, but with this comes higher risks, some of which are not always immediately apparent.
Source: Gartner
Drivers of cloud computing - Recap
Drivers
• Data Center pressures – increased systems and data explosion
• Flexibility - system capacity (elasticity) and ubiquitous access
• Minimize risk – modernize to survive / keep up with the times
• Cost / predictable cash flow
• Reduced operational / systems management
• Accelerated access to complex applications
• Allow for focus on core competencies
Presenter
Presentation Notes
*) Cost / predictable cash flow = lower cost and/or convert CapEx to OpEx
*) Bottom line - save money, be efficient, increase availability and reliability
Note: we did not necessarily include security in this – just yet!
Strategy - Recap
[Figure: strategy diagram with the business goals at the center, surrounded by Cloud Strategy, Roadmap and Solutions, and the decision factors grouped as Administration (Costs, Governance, Users, Terms & Conditions), Security (Risks, Reg. & Compliance, C.I.A.) and Technology (Current IT Env., App. Integ / Rearch, IT Staff & skills, Business Process, Agility)]
CEO questions:
• Reduce costs? TCO/ROI?
• Distributed workforce?
• Competitive advantages?
• Risks?
• Align with business goals?
• Questions and priorities may be different and often competing
Presenter
Presentation Notes
*) It is not uncommon that various roles have varying requirements, depending on their point of view
*) The questions a CEO/CFO may be asking may be different from what the CIO could be asking, and they may sometimes be competing
At the end of the day, as the organization develops a strategy, the business objectives and goals MUST be the center of focus. The surrounding layers or decisions, such as the cloud strategy, roadmap and type of solution, need to be considered, as do the other factors of IT: Administration of IT (cost, governance, users, contracts), Security (risks, confidentiality / integrity and availability of information, and regulatory compliance), and the technologies involved (current IT environment, application integration / re-architecting, IT staffing and skills refinement, re-evaluation of the business process, and agility factors).
*) ALL of the decision factors should lead to delivering the business goals and objectives; decisions cannot be made on one criterion only, such as cost or agility.
Cloud Services Architectures - Recap
[Figure: four major building blocks for an IT system, and which blocks each service model covers]
• Infrastructure: Servers, Storage, Network
• Operating System and Back Office: Operating System, Database, System Software
• Applications
• IT Staff: Net. Admin, DBA, Programmer
Service models: IaaS, PaaS, SaaS, each with a managed services component
IaaS: Infrastructure as a Service; PaaS: Platform as a Service; SaaS: Software as a Service
Presenter
Presentation Notes
*) Delineation of responsibilities of the provider and your organization, e.g.:
IaaS – provider responsible for data center, network, storage, and servers
PaaS – provider responsible for infrastructure components, operating systems, databases, patching of systems, and other system software
SaaS – provider responsible for infrastructure, OS/back office components, and the actual application as well – pretty turnkey
Irrespective of the type of model, there is a “managed services” component provided
*) This is a “simplified” version. The stack can be further refined; the following is a brief explanation of what each element in the refined stack is:
Applications: built on the platforms described below, they use and/or produce data for some useful purpose. This can be anything from the GroupWise email client to database server software, Microsoft Word, or air traffic control software.
Data: the pieces of information that applications use (i.e., documents, audio, video, database tables, emails, log files, etc.).
Runtime (environment): another level of software platform that enables the creation and execution of standards-based applications (e.g., Sun Java and Microsoft .NET).
Middleware: software used to broker communication between other forms of software. A common example is a database connector that allows applications to transparently connect to any database.
Operating System (O/S): a software platform used to support middleware, runtime, and applications (e.g., MS-Windows, Unix, iOS).
Virtualization: hardware and software that allows dynamic allocation of servers, storage, and networking.
Servers: the actual computing hardware.
Storage: where data is actually stored (e.g., arrays of hard drives).
Networking: transmission devices (cables or transmitters/receivers) and related routing equipment that enable data transfer between computers.
*) With the intention of providing more flexibility / differentiated services, providers are offering services up to various layers, e.g. IaaS+ goes above IaaS but not all the way up the PaaS stack; it may provide the hypervisor layer, with the organization responsible for the layers above that. Other examples are aPaaS or dbPaaS.
*) Depending on YOUR business requirements & internal IT capabilities, you can decide which of the building blocks are retained in house.
Deployment Models - Recap
• Private Cloud: only your organization has access to the resources. Hosted internally or hosted by a provider.
• Public Cloud: multi-tenancy computing resources (infrastructure, OS, applications) are available to other tenants. Typically hosted at a provider.
• Hybrid Cloud: combination of Private and Public. Most organizations.
• Community Cloud: collaboration between multiple organizations. Involvement by invitation only.
Each model can deliver IaaS / PaaS / SaaS. Other: internal or external hosted.
Presenter
Presentation Notes
*) Very few organizations will be able to “completely” deploy a “PRIVATE CLOUD” or a “PUBLIC CLOUD”. Most will have a combination of private (internal), maybe private (hosted), and a hybrid.
*) There are several different aspects of Cloud Computing with associated implications that we’ll get into a bit later in the presentation. There are 4 different deployment models – Public, Private, Community and Hybrid.
Public Cloud: a service provider makes resources, such as applications and storage, available to the general public over the Internet. Public cloud services may be free or offered on a pay-per-usage model. The main benefits of using a public cloud service are:
* Easy and inexpensive set-up because hardware, application and bandwidth costs are covered by the provider.
* Scalability to meet needs.
* No wasted resources because you pay for what you use.
Examples of public clouds include Amazon Elastic Compute Cloud (EC2), IBM's Blue Cloud, Sun Cloud, Google AppEngine and Windows Azure Services Platform.
Private Cloud: cloud infrastructure operated solely for a single organization, whether managed internally or by a third party and hosted internally or externally. Lacks the economic model that makes cloud computing such an intriguing concept.
Community Cloud: shares infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.), whether managed internally or by a third party and hosted internally or externally. The costs are spread over fewer users than a public cloud (but more than a private cloud), so only some of the benefits of cloud computing are realized.
Hybrid Cloud: a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together, offering the benefits of multiple deployment models.
Examples of the cloud - Recap
[Figures: example products for IaaS, PaaS, SaaS and Cloud Software. Source: Cloud Taxonomy]
Presenter
Presentation Notes
*) May end up with different solutions – best of breed
*) Cloud software allows the building of cloud computing environments, the management of cloud environments, or is software used to build highly scalable cloud applications.
*) Products include both commercial and open source software
What is at risk?
• Cloud computing inherently means entrusting some of your most valuable assets to a third party
• Before you start – gain a high-level understanding of the risks
• Two key assets are exposed to risk - Data and Applications/Process
• Evaluate the risk for Confidentiality, Integrity and Availability. Impact on the asset if it is:
  • Breached
  • Accessed by provider(s)
  • Manipulated by an outsider (the process)
  • Unavailable for a while
Presenter
Presentation Notes
*) Cloud computing means entrusting one of your most valuable assets (data and applications/processing) to a third-party cloud service provider (CSP)
*) Service Organization Control (SOC) standards provide some level of assurance; currently there are no concrete laws or standards that can assure whether a particular CSP is “safe” or not.
*) There are significant efforts by both the private and public sector, such as CSA (Cloud Security Alliance), GSA (Government Security Agency), and NIST (National Institute of Standards and Technology), to provide tools to assess and select cloud computing services that satisfy security requirements.
*) The higher you go up the ladder (or layers) on the services model, the more you rely on the CSP to provide turnkey services, e.g. with a SaaS model, your understanding of how your data is secured and controlled must be higher.
What is at risk?
• Understand risk by mapping the asset to
  • Possible deployment models
  • The potential flow of data between your users and CSPs
• Assurances on safety of data?
  • SOC standards provide some level of assurance – CSA, GSA, NIST
  • The onus is still on you; you still have to conduct your own due diligence
Presenter
Presentation Notes
*) Before you go too far down the road, understand the risks
*) Moving information into the cloud could mean moving the data and/or the transaction / processing into the cloud
*) With a cloud model the data and transaction processing may not reside at the same location
Protect your assets – ask the questions
1. Who’s managing my data?
  • Qualifications and backgrounds of staff
  • Who else (partners/sub-contractors) can touch your data?
2. Where’s my data actually located?
  • Regulatory and compliance requirements for data export
  • Primary and secondary (replication) sites
  • Conformance to local laws – data discovery
  • Map how data is stored and handled
Presenter
Presentation Notes
1. Who’s managing my data? Ask about the qualifications and backgrounds of the cloud company’s staff. These administrators have privileged access to your data; you should know who they are. Also ask how new hires are screened and what ongoing checks (such as random testing and background checks) are done. Ask about other business partners that may have direct or indirect access to your data. For example, if they’re outsourcing their systems backup to someone else, what controls are in place to secure your data?
2. Where’s the data actually located, and will the data be replicated at other data centers? Many enterprises must comply with regulations that are based on the data’s geographic location. Based on your regulatory requirements, are there requirements regarding where in the world your data may be stored? Compliance requirements may restrict how data is exported to other countries and dictate what security measures need to be in place and what auditing standards you need to comply with. You should also be familiar with local privacy laws and regulations where the data is going to be stored. Local laws may provide for a government or litigant's right to inspect data being stored by the CSP. Can you take that chance?
Protect your assets – ask the questions
• Why does location matter? - Country Risk Ratings for Security and Privacy
Presenter
Presentation Notes
*) Green – low risk
*) Red – high risk
*) No surprise that China and Russia present the highest risk for security and privacy
Protect your assets – ask the questions
3. What access controls are in place?
  • What are the physical controls and logical controls?
  • CSPs should disclose the data access control processes in place
  • Frequency of testing of access controls
4. How will my data be physically secured & separated from other customers?
  • Common hardware or applications with logical controls?
  • Testing of data encryption / data leakage
5. How’s my data encrypted?
  • Understand security for data at rest and data in transit
  • Data at rest - encryption types
  • Data in transit - encrypted, authenticated and integrity protected
Presenter
Presentation Notes
3. What access controls are in place? Just because physical control is being transferred doesn’t mean you’re giving up your right to know what controls are in place to limit risk. CSPs need to disclose the exact data access control processes that dictate their administrators’ actions, and you should have a full understanding of who can access what data and under what conditions. Ask how the access controls are tested and how frequently.
4. How will my data be physically secured and separated from other customers? Typically, in a cloud environment, there are some areas where resources can be shared by multiple clients of the CSP. A good CSP needs to clearly explain how your vital business data is segregated and secured from other clients. Some CSPs place all of their clients’ programs and data in one big application instance and use custom-built code to prevent customers from seeing each other's data; this is unacceptable, as custom code creates too much of a risk. It’s critical that CSPs use standard proven practices, namely data encryption. When CSPs use encryption, however, they must also provide evidence that their encryption and other security methods have been tested, fine-tuned, and proven to be effective. Be sure to question the level and type of encryption algorithms. In addition, in scenarios where common hardware resources are used by the CSP, the use of Virtual LANs (VLAN), Virtual Private Networks (VPN), and Virtual Machines (VM) is preferred.
5. How’s my data encrypted? More important than physical security is data encryption. There are two types of data: data at rest, and data in transit. You need to be aware of how both types are secured. The questions to ask are: How does the CSP secure data at rest? The CSP should always encrypt data on storage devices (e.g., hard drives and back-ups) to avoid data breaches. How secure is the data while it’s in transit within the cloud (system-to-system) and between the users and the CSP? Data in transit should always be encrypted, authenticated, and its integrity protected. This ensures that nobody can read or modify the data as it passes through the potential dangers of both public and private networks. There are very well established standards (TLS, IPsec, AES) for doing this that the CSP should have in practice.
Protect your assets – ask the questions
• Map the potential flow of data between your users (internal and external), other providers and the cloud service
[Figure: data flow map with the Organization (users, servers) and external users on one side and App, Data and Backup at CSP1, CSP2 and CSP3 on the other]
Presenter
Presentation Notes
Moving information into the cloud could mean moving the data and/or the transaction / processing into the cloud
With a cloud model the data and transaction processing may not reside at the same location
Understand the flow of data and the potential risk points along the way
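The data-flow map this slide asks you to draw can be kept as a small model and walked mechanically, so that every hop between your users, the CSP and the CSP's partners is checked against the earlier questions (encrypted and authenticated in transit, data location and export rules, sub-contractor access). The following is an added example, not code from the webinar or from Plante Moran; the nodes, hops, country ratings and the allowed-export set are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Node:
    name: str
    owner: str                               # who runs it: "organization", "csp1", "csp2", ...
    country: str                             # where the node physically sits
    subcontractor_of: Optional[str] = None   # set when the owner is a partner of the CSP you contracted


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    encrypted: bool        # encrypted in transit (e.g. TLS / IPsec)
    authenticated: bool    # endpoints authenticated and integrity protected


# Constructed stand-ins for the slide's country risk map and for the
# organization's (assumed) data export rules; replace with your own.
COUNTRY_RISK = {"US": "low", "DE": "low", "IN": "medium", "RU": "high", "CN": "high"}
ALLOWED_EXPORT = {"US", "DE"}


class FlowMap:
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.hops: Dict[str, List[Hop]] = defaultdict(list)

    def add_node(self, node: Node) -> None:
        self.nodes[node.name] = node

    def add_hop(self, hop: Hop) -> None:
        for name in (hop.src, hop.dst):
            if name not in self.nodes:
                raise KeyError(f"unknown node {name!r}; add it before wiring a hop")
        self.hops[hop.src].append(hop)

    def paths(self, start: str) -> List[List[Hop]]:
        """Every simple path of hops leaving `start`, in the direction the data moves."""
        found: List[List[Hop]] = []

        def walk(current: str, path: List[Hop], seen: set) -> None:
            onward = [h for h in self.hops[current] if h.dst not in seen]
            if not onward:
                found.append(path)
                return
            for hop in onward:
                walk(hop.dst, path + [hop], seen | {hop.dst})

        walk(start, [], {start})
        return found


def risk_points(fmap: FlowMap, start: str) -> Dict[str, List[str]]:
    """Walk every path from `start` and collect, per hop, the questions to raise:
    in-transit protection, data location / export, and sub-contractor access."""
    findings: Dict[str, List[str]] = {}
    for path in fmap.paths(start):
        for hop in path:
            key = f"{hop.src}->{hop.dst}"
            if key in findings:
                continue                      # a hop shared by several paths is reported once
            dst = fmap.nodes[hop.dst]
            rating = COUNTRY_RISK.get(dst.country, "unknown")
            issues = []
            if not hop.encrypted:
                issues.append("not encrypted in transit")
            if not hop.authenticated:
                issues.append("no authentication / integrity protection in transit")
            if dst.country not in ALLOWED_EXPORT:
                issues.append(f"data lands in {dst.country}, outside the allowed export countries")
            if rating in ("high", "unknown"):
                issues.append(f"{dst.country} rated {rating} risk for security and privacy")
            if dst.subcontractor_of:
                issues.append(f"{dst.name} is run by {dst.owner}, a sub-contractor of "
                              f"{dst.subcontractor_of}: what controls apply?")
            if issues:
                findings[key] = issues
    return findings


def build_sample_map() -> FlowMap:
    """Constructed map in the shape of the slide: organization users, app/data/backups at CSPs."""
    m = FlowMap()
    for node in (Node("users", "organization", "US"),
                 Node("app", "csp1", "US"),
                 Node("data", "csp1", "US"),
                 Node("backup_primary", "csp1", "US"),
                 Node("backup_offsite", "csp2", "IN", subcontractor_of="csp1"),
                 Node("analytics", "csp3", "RU")):
        m.add_node(node)
    for hop in (Hop("users", "app", encrypted=True, authenticated=True),
                Hop("app", "data", encrypted=True, authenticated=True),
                Hop("data", "backup_primary", encrypted=True, authenticated=True),
                Hop("data", "backup_offsite", encrypted=False, authenticated=True),
                Hop("app", "analytics", encrypted=True, authenticated=False)):
        m.add_hop(hop)
    return m


if __name__ == "__main__":
    for hop_name, issues in risk_points(build_sample_map(), "users").items():
        print(hop_name)
        for issue in issues:
            print("  -", issue)
```

On the constructed map only two hops produce findings: the unencrypted replication to a sub-contractor's site in a country outside the export list, and the analytics feed to a high-risk country without integrity protection. Each finding maps back to one of the questions on the preceding slides, which is what makes the map useful in a vendor conversation: it tells you which written answers you are still missing.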
Protect your assets – ask the questions
6. What authentication mechanisms are supported by the CSP?
  • 2-pass authentication - passwords with tokens and certificates
  • Integration using LDAP and SAML with Dir. Svcs or Identity Mgmt. systems
7. What happens if there’s a data breach?
  • Incident Response Plan (IRP) - proactive processes and technologies in place to detect if an application or data is under attack. Create your own too
  • Response times and notification process; request history
Presenter
Presentation Notes
6. What authentication mechanisms are supported by the CSP? The most common form of providing access to data is via the use of passwords. If sensitive data is at stake, a 1-pass authentication such as a password only will not be adequate. A 2-pass authentication, such as the use of passwords along with tokens and certificates, is recommended. For larger organizations, the CSP should be able to use standards such as LDAP (Lightweight Directory Access Protocol) and SAML (Security Assertion Markup Language) to integrate with your directory services or identity management systems prior to authenticating users and determining their permissions. Using these tools ensures that the CSP always has up-to-date information on authorized users to prevent unauthorized access.
7. What happens if there’s a data breach? You should always be prepared for a data breach. The CSP should have appropriate proactive processes and technologies in place to detect if an application or data is under attack; this means an Incident Response Plan (IRP) should be in place. What are the CSP’s response times if there’s a security breach, and what’s its notification process? Request a history of security breaches and how they were handled by the CSP. How transparent was the organization with their responses? Even if you’re satisfied with the CSP’s IRP, as an organization you should plan for how you’d respond to your clients in the event of a security breach at the CSP. There may be a misconception that as you transfer computing resources and responsibilities, you’re also transferring financial liabilities for data loss, corruption, or business interruption. This is rarely the case unless you’ve explicitly addressed these items during your contract negotiations, making the CSP responsible for such losses. One thing to check on is the CSP’s Technology Errors & Omissions policy and/or Cyber Liability coverage, typically a part of its primary insurance policy. Technology Errors and Omissions insurance provides coverage for costs associated with the malfunction of a policyholder's (CSP) product or service, including the cost of fixing the error, replacing the product, and the lost business clients may experience because of the product's/service’s failure.
Protect your assets – ask the questions
8. Can the CSP pass muster with the auditors?
  • Security assessment by a 3rd party or accreditation process
  • Process for accommodating the needs of your auditors
  • Conduct a forensic investigation?
9. Is your cloud computing service SOC 2/SSAE16 (formerly SAS 70) compliant?
  • No assurances but a step in the right direction
  • Demonstrates a methodical and repeatable process
  • Security certification and other regulatory requirements: HIPAA, FERPA etc.
10. What is the CSP’s stability factor?
  • CSP acquired or out of business?
  • Timely transition, removal and destruction of your data
Presenter
Presentation Notes
8. Can the CSP pass muster with the auditors? Every business has certain conditions it must meet for regulatory compliance. Depending upon the type of data that you will store at the CSP, it may be a requirement to locate a provider that has undergone a security assessment by a third party. For example, FedRAMP (Federal Risk and Authorization Management Program), although still in its infancy, will require any organization that wishes to store federal government-related data to undergo an accreditation process to ensure proper security controls are in place to protect that data. Customers need to find out whether the CSP conducts regular security audits and what its processes are for accommodating the needs of the customer’s auditors as well. Ask whether you’ll be able to conduct your own security audit (penetration testing). Can you audit the CSP’s data security controls? In the event of a security breach, will you be able to conduct a forensic investigation to determine what caused the incident? How does the CSP respond to requests for data from the FBI, CIA, SEC, or corporate legal counsel?
9. Is your cloud computing service SOC/SSAE16 (formerly SAS 70) compliant? Even though SOC/SSAE16 does not offer assurances from all aspects, it is certainly a step in the right direction. Cloud users should be wary of CSPs that claim an SOC/SSAE16 report as proof that their offerings are secure. The SOC/SSAE16 only demonstrates that the CSP has a methodical and repeatable process to its operations and appropriate safeguards to protect its IT assets. A comprehensive due diligence effort or the use of a third-party service are currently the primary means of validating the security offerings of the CSP.
10. What is the CSP’s stability factor? What happens to your data if your CSP goes out of business or is bought out by another company? What guarantees can your CSP give regarding its long-term viability? What mechanisms are in place to guarantee the return of your data in the event of a bankruptcy or other business shutdown or turnover? At the termination of the contract, what guarantees does the CSP provide for the timely transition, removal, and destruction of your data? These must explicitly be addressed in your contract.
Protect your assets – ask the questions
11. Does the CSP offer backup and recovery services?
  • Data retention, backup and recovery
  • Backed up to where? Basic backup services or beyond?
  • Recovery process from an outage
  • What is included in your service – does this match your RPO/RTO?
12. What are the contract terms?
  • SLA, breach notification, intellectual property, limitation of liability, etc.
  • More on this later
Presenter
Presentation Notes
11. Does the CSP offer backup and recovery services? If the provider offers back-up services, what type of services are offered: just data recovery, or is the CSP able to offer more, such as spinning up virtual machines and providing access to both applications and data? Do you have a say in where the data is backed up to? (See data encryption and regulatory/compliance requirements.)
12. What are the contract terms? Contract terms generally favor the CSP. Unlike typical contracts where there’s a partnership-style relationship between companies, cloud services are different due to the high degree of standardization of the contract and of the services being delivered. An unlikely but possible scenario: what happens to your data and services if the CSP’s assets are frozen by law enforcement or regulatory authorities due to the CSP’s or a CSP client’s activities? This situation has happened and put some organizations out of business when the FBI seized the servers of a CSP for a fraud investigation, rendering its clients’ data inaccessible. Beyond the standard terms and conditions typically found in most contracts, a cloud service contract should address at a minimum the following: service levels, data security breach notification, legal process notification, use of customer data, confidentiality and security requirements, intellectual property rights, compliance with European data protection laws, limitation of liability and damages, indemnity, representations and warranties, terms for renewal of the contract or termination, termination assistance, and secure destruction of customer data at termination.
Eeny, meeny, miny, moe – Picking a CSP
No different than any other selection project
• Identify what is important to you
• Identify the “must haves” and the “like to haves”
• Don’t ignore security and growth
• For each of the identified areas, assign a weight
• Seek written answers to the questions you are asking
• When in doubt err on the conservative side
• References – ask for a list of clients, not just references
• Not to be taken lightly – your data, your neck
• Add skill sets to the IT mix to manage and administer vendor contracts
• View it as a partnership – you cannot abdicate management of the vendor / service even though they provide the service
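The selection rules on this slide (must-haves versus like-to-haves, weights per area, written answers only, err on the conservative side) can be turned into a small scoring sheet so that every vendor is judged the same way. The following is an added example, not code from the webinar or from Plante Moran; the criteria, weights, RPO/RTO and uptime requirements, and the three vendors' answers are all constructed for illustration and stand in for your own requirements and RFP responses.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

# Assumed organization requirements feeding the must-have gates
RPO_HOURS = 4        # tolerate at most 4 hours of data loss
RTO_HOURS = 8        # must be back in service within 8 hours
MIN_UPTIME = 99.9    # percent, the minimum uptime guarantee we will sign


@dataclass
class Answer:
    value: Any
    in_writing: bool   # received in writing (RFP response / contract), not just verbally


@dataclass
class Criterion:
    name: str
    must_have: bool
    weight: float = 0.0                                  # like-to-haves only
    check: Optional[Callable[[Any], bool]] = None        # must-haves: pass / fail gate
    score: Optional[Callable[[Any], float]] = None       # like-to-haves: 0.0 .. 1.0


# Constructed criteria sheet: must-haves are gates, like-to-haves carry weights.
CRITERIA: List[Criterion] = [
    Criterion("soc2_report", True, check=lambda v: v is True),
    Criterion("data_in_allowed_countries", True, check=lambda v: v is True),
    Criterion("backup_interval_hours", True, check=lambda v: v <= RPO_HOURS),
    Criterion("restore_time_hours", True, check=lambda v: v <= RTO_HOURS),
    Criterion("uptime_guarantee_pct", True, check=lambda v: v >= MIN_UPTIME),
    Criterion("mfa_and_saml", False, weight=3, score=lambda v: 1.0 if v else 0.0),
    Criterion("breach_notification_hours", False, weight=3, score=lambda v: max(0.0, 1 - v / 72)),
    Criterion("client_list_provided", False, weight=2, score=lambda v: 1.0 if v else 0.0),
    Criterion("growth_headroom", False, weight=2, score=lambda v: v / 5),   # 1-5 rating
    Criterion("price", False, weight=1, score=lambda v: v / 5),             # 1-5 rating
]


def evaluate(answers: Dict[str, Answer]) -> Tuple[bool, List[str], float]:
    """Return (qualified, failed_gates, weighted score 0-100) for one vendor."""
    failed: List[str] = []
    earned = possible = 0.0
    for c in CRITERIA:
        a = answers.get(c.name)
        if c.must_have:
            # conservative: a missing or verbal-only answer fails the gate
            if a is None or not a.in_writing or not c.check(a.value):
                failed.append(c.name)
            continue
        possible += c.weight
        if a is not None and a.in_writing:          # unwritten answers score zero
            earned += c.weight * c.score(a.value)
    score = round(100 * earned / possible, 1) if possible else 0.0
    return (not failed, failed, score)


def rank(vendors: Dict[str, Dict[str, Answer]]) -> List[Tuple[str, bool, List[str], float]]:
    """Qualified vendors first, best score first; disqualified ones follow with their failed gates."""
    rows = [(name, *evaluate(ans)) for name, ans in vendors.items()]
    return sorted(rows, key=lambda r: (not r[1], -r[3]))


def _answers(in_writing: bool = True, **values: Any) -> Dict[str, Answer]:
    return {k: Answer(v, in_writing) for k, v in values.items()}


# Constructed RFP responses for three hypothetical vendors
SAMPLE_VENDORS = {
    "CSP-A": _answers(soc2_report=True, data_in_allowed_countries=True, backup_interval_hours=1,
                      restore_time_hours=4, uptime_guarantee_pct=99.95, mfa_and_saml=True,
                      breach_notification_hours=24, client_list_provided=True, growth_headroom=4, price=3),
    "CSP-B": _answers(soc2_report=True, data_in_allowed_countries=True, backup_interval_hours=24,
                      restore_time_hours=4, uptime_guarantee_pct=99.99, mfa_and_saml=False,
                      breach_notification_hours=72, client_list_provided=False, growth_headroom=5, price=5),
    "CSP-C": {**_answers(data_in_allowed_countries=True, backup_interval_hours=2, restore_time_hours=6,
                         uptime_guarantee_pct=99.9, mfa_and_saml=True, breach_notification_hours=12,
                         client_list_provided=True, growth_headroom=3, price=4),
              "soc2_report": Answer(True, in_writing=False)},   # claimed verbally only
}

if __name__ == "__main__":
    for name, qualified, failed, score in rank(SAMPLE_VENDORS):
        print(f"{name}: {'qualified' if qualified else 'disqualified ' + str(failed)} score={score}")
```

Two things the sheet makes visible that a gut-feel comparison hides: CSP-B is the cheapest and has the most headroom but its daily backup misses the RPO, so it never reaches the weighted comparison; and CSP-C would out-score CSP-A on the like-to-haves, yet its SOC 2 claim was only made verbally, so under the "get it in writing" rule it stays disqualified until the report is produced.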
Eeny, meeny, miny, moe – Picking a CSP
[Figures on slides 25 and 26; reference: Intel’s Intel Cloud Finder]
Contractual considerations
Negotiate key terms and conditions to mitigate risk and cost exposure:
• Uptime Guarantees
• SLA penalties
• SLA penalty exclusions
• Security
• Business Continuity and Disaster recovery
• Data privacy conditions
• Suspension of service
• Termination
• Liability
Where’s my checklist?
• Do I have a “strategy” or am I “piecemealing this”?
• Have a process for identifying suitable applications / systems / workloads ideal for “cloudifying” – business objective first
• Define your selection criteria - requirements for security, compliance, growth, performance, etc.
• Identify issues around migrating existing workloads
• Identify vendor(s), vendor lock-ins and flexibilities
• Identify the costs: CapEx, OpEx, sunk costs, staff retraining
• Identify your questions - have written responses, talk to existing clients
• Determine the impact on your IT staff (skills and headcount)
• Understand your contract – have your requirements clearly identified
• It is not an all or nothing proposition – think hybrid