ITIL ON THE CLOUD COMPUTING AGE Luis Lima GALILEU
Page 1: Luis lima v3

ITIL ON THE CLOUD COMPUTING AGE

Luis Lima, GALILEU

Page 2: Luis lima v3

Cloud Computing Defined

NIST: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

GARTNER: “A style of Computing where massively scalable, IT-enabled capabilities are provided ‘as a service’ across the internet to multiple external customers”

Page 3: Luis lima v3

Cloud Computing Advantages

• Reduced Cost: Cloud technology is paid incrementally, saving organizations money.
• Increased Storage: Organizations can store more data than on private computer systems.
• Highly Automated: No longer do IT personnel need to worry about keeping software up to date.
• Flexibility: Cloud computing offers much more flexibility than past computing methods.
• More Mobility: Employees can access information wherever they are, rather than having to remain at their desks.
• Allows IT to Shift Focus: No longer having to worry about constant server updates and other computing issues, government organizations will be free to concentrate on innovation.

Page 4: Luis lima v3

What is IT Service Management (ITSM)?

The origin of the term is generally unknown, but it was in mainstream use during the 1990s. Historically, it has been associated with the introduction of, or improvement of, existing IT operational practices through the adoption and adaptation of industry “best practices”.

ITIL® defines ITSM as, “The implementation and management of quality IT services that meet the needs of the business...”

Wikipedia defines IT Service Management as, “a discipline for managing information technology (IT) systems, philosophically centered on the customer’s perspective of IT’s contribution to the business...”

IT Service Management is also the term commonly used to describe the process-centric effort of transforming an IT organization from one focused on managing the IT infrastructure to one focused on managing the provision of information system services.

Page 5: Luis lima v3

ITIL Service Management v2

ITILv2 – 10 processes

Service Delivery (5 processes)

• Service Level Management
• IT Financial Management
• Availability Management
• Capacity Management
• IT Continuity Management

Service Support (5 processes and a function, the Service Desk)

• Incident Management
• Problem Management
• Change Management
• Configuration Management
• Release Management

Page 6: Luis lima v3

ITIL Service Management v3

Page 7: Luis lima v3

ITIL Service Management v3

Continual Service Improvement

• Service Improvement
• Service Measurement
• Service Reporting

Service Strategy

• Strategy Generation
• Service Portfolio Management
• Demand Management
• IT Financial Management

Service Design

• Service Catalog Management
• Service Level Management
• Capacity Management
• Availability Management
• Service Continuity Management
• Information Security Management
• Supplier Management

Service Transition

• Transition Planning & Support
• Change Management
• Asset & Configuration Management
• Release & Deployment Management
• Service Validation & Testing
• Evaluation
• Knowledge Management

Service Operation

• Event Management
• Request Fulfillment
• Incident Management
• Problem Management
• Access Management

Legend: ITILv3 processes, ITILv2 processes, ITILv2 + ITILv3 processes

ITILv3 – 5 books and 27 processes

Page 8: Luis lima v3

Core IT Management Disciplines Have Not Changed

Service Strategy

• ITIL for the Organization: Architect service solutions by piecing together Cloud service providers and their service offerings.
• ITIL for the Cloud Provider: Identify services provided, their value and costs; demand management is key for providing on-demand services.

Service Design

• ITIL for the Organization: Focus on integrating and securing services from suppliers.
• ITIL for the Cloud Provider: Bundle service packages for consumption; capacity management is key to disruption-free, on-demand delivery.

Service Transition

• ITIL for the Organization: Manage and control a complex mix of releases/changes across a wide range of suppliers, varying schedules and priorities.
• ITIL for the Cloud Provider: Provide customers with easy, smooth and state ways to transition and access provided services.

Service Operation

• ITIL for the Organization: Ensure expected value is being delivered, and service disruption responses are coordinated across suppliers.
• ITIL for the Cloud Provider: Ensure that expected value is being delivered and that services are not disrupted.

Continual Service Improvement

• ITIL for the Organization: Provide the needed transparency of results and coordinated improvement efforts across many providers.
• ITIL for the Cloud Provider: Provide a means for staying ahead of competition and gauging customer satisfaction, or business will be lost.

Page 9: Luis lima v3

Service Strategy

Process: Purpose

• Strategy Generation: Identify the IT services, investments, partners and delivery channels to meet customer needs and outcomes.
• Service Portfolio Management: Manage the investment portfolio of all the services available to customers and users.
• Demand Management: Identify patterns of business activity that consume services and manage activities to influence demand.
• IT Financial Management: Management accounting and chargeback for IT services.

Page 10: Luis lima v3

Service Strategy

Questions

What Cloud Operating Model(s) will be used?

What elements of services will be placed in the Cloud?

Which service partners will we utilize?

Who are my customers and what are their needs?

What services will need to be provided?

How will business demand consume services?

Page 11: Luis lima v3

Service Strategy

Diagram labels: Strategic Objectives; Additional enterprise stakeholders; Service Strategy; Organizational capability; Define market space; Strategic Asset; Drive Business value; Input; Output; Cloud Services

Cloud Computing will not change the strategic objectives or the market spaces of a service.

Page 12: Luis lima v3

Service Strategy

Diagram labels: Valued Service Partner; Provide understanding of business needs; Input; Output; Cloud providers; Measure and compare supplier performance; Align contracts with business needs

Maximize Return of Investment (ROI) by selecting the right provider

Page 13: Luis lima v3

Service Design

Process: Purpose

• Service Catalog Management: Publish, manage and communicate which services are available to customers and users.
• Service Level Management: Negotiate, monitor, report and measure SLAs and OLAs.
• Availability Management: Define, measure, analyze and improve the availability of services.
• Capacity Management: Ensure appropriate infrastructure capacity is in place to meet service demand volumes.
• Information Security Management: Protect the confidentiality, integrity and availability of services.
• IT Service Continuity Management: Ensure services can be recovered in the event of a major business disruption.
• Supplier Management: Ensure suppliers support the needs of the business and meet their contractual obligations.

Page 14: Luis lima v3

Service Design

Questions

How will services be bundled and packaged for consumption?

What SLAs and OLAs will be needed to meet business objectives?

How will we ensure availability of services in the event of a major business?

How will we secure our services and data across the Cloud?

What supplier agreements and contracts need to be in place?

How will we communicate available services to the business?

What capacity needs to be in place to meet business demand?

How will services integrate and sit on the Cloud Operating Model?

Page 15: Luis lima v3

Service Transition

Process: Purpose

• Transition Planning and Support: Plan and coordinate activities for transitioning services to the live production environment.
• Change Management: Protect services while changes are being made.
• Release and Deploy Management: Manage releases and their deployment to live production.
• Service Asset & Configuration Management: Maintain information about configuration items used to support services and their relationships.
• Service Validation and Testing: Validate that new services and changes will match design and business objectives.
• Knowledge Management: Gather, analyse, store and share knowledge to reduce the need for rediscovery of information.
• Evaluation: Ensure a service will meet intended business objectives when it is transitioned.

Page 16: Luis lima v3

Service Transition

Questions

How will services be transitioned to a live production state?

How will changes be managed across providers?

How will releases and deployments be coordinated across providers?

How will we test services across providers?

What operating information should we retain across providers?

Page 17: Luis lima v3

Service Transition

Diagram labels: Change Requests; Planned Changes; Input; Output; Cloud Services

Cloud Computing will not change the strategic objectives or the market spaces of a service.

R - Responsible, A - Accountable, C - Consulted, I - Informed

• Change Management Support: Cloud Providers R; Organization A, C
• RFC classification: Cloud Providers C; Organization R
• Change Scheduling: Cloud Providers R; Organization C

Page 18: Luis lima v3

Service Operation

Process: Purpose

• Incident Management: Restore an IT service to normal state operations as quickly as possible.
• Problem Management: Prevent incidents from happening or minimize their impacts by identifying their root causes.
• Event Management: Manage operational events and communicate them to appropriate parties for further action.
• Access Management: Ensure only authorized users are allowed access to services.
• Request Fulfillment: Manage the lifecycle of all service requests.

Page 19: Luis lima v3

Service Operation

Questions

How will incidents and problems be managed across providers?

What events need to be generated and visible across and between providers?

How do we ensure only authorized users have access to services?

How will we prioritize and coordinate user service requests that may need provider involvement?

How will we coordinate operational control activities across providers?

Page 20: Luis lima v3

Continual Service Improvement

Process: Purpose

• 7-Step Improvement: Measure services to proactively identify opportunities for improvement.
• Service Reporting: Produce and communicate reports for achievements and trends against service levels.
• Service Measurement: Put appropriate metrics into place that provide information for proactive decision making.

Questions

What key measurements will be needed to ensure services are working across the Cloud?

What measurements should be taken by suppliers to ensure service objectives will be met?

What information and reports will we require from our providers?

How will we work with our providers to proactively improve services?

Page 21: Luis lima v3
Page 22: Luis lima v3

Paradigm Shift

Diagram labels: Consistency; Share & Reuse; Security & Privacy; Customizability; Control; Economy of Scale; Ease of Provisioning; Global Reach; Partitioning & Redundancy; Scalability & Availability; On-Premises; Cloud

Page 23: Luis lima v3

On-Premises vs. in the Cloud

Page 24: Luis lima v3

Challenges and risks

• Security Concerns
• Lack of Standards
• Legal, Regulatory and/or Compliance Issues
• Lack of SLAs
• Performance concerns
• Commitment

Page 25: Luis lima v3

Lack of Standards

Page 26: Luis lima v3

Lack of Standards

Page 27: Luis lima v3

SLA - Internal Computing

Diagram labels: User; Customer; Service Support; Service Delivery; Operational Organizations; Service Desk; Business Relationship Management; The Business; Internal IT; SLA; SLA; OLA; OLA

Page 28: Luis lima v3

SLA - Cloud Computing

Diagram labels: User; Customer; Service Support; Service Delivery; Operational Organizations; Service Desk; Business Relationship Management; The Business; Internal IT; SLA; SLA; OLA; OLA; Service Support; Service Delivery; Operational Organizations; Cloud Provider; UC; Service Desk; Supplier Management; Business Relationship Management

Page 29: Luis lima v3

Legal, Regulatory and/or Compliance Issues

Liability

• What recourse actions (e.g., financial compensation, early exit of contracts, etc.) can we agree on in the event of a security incident or failures to meet SLAs?
• What conditions under which. . .?

Intellectual Property

• Can we stipulate in the SLA that all my data (or applications), including all replicated and redundant copies, are owned by me?
• Ensure your service agreement does not lead you to relinquish any IP rights.
• Scrutinize the language in the terms of service that governs the ownership of and rights to information that you place in the cloud.

Page 30: Luis lima v3

Legal, Regulatory and/or Compliance Issues

Business Continuity / Disaster Recovery

• Do you have any DR and BC planning documents, and can we review them?
• Can we do a BC audit?
• Where are your recovery data centers located?
• What service-level guarantee can you offer under DR conditions?

Logs and audit trails

• Can they accommodate timely forensic investigation?
• How do we access logs and audit trails?
• How long do you keep logs and audit trails?
• Can we have dedicated storage of logs and audit trails, how?
• Show evidence of tamper proofing for logs and audit trails.

Page 31: Luis lima v3

Legal, Regulatory and/or Compliance Issues

Specific compliance requirements

• Are your data centers under local compliance? If so, which ones?
• Do the local compliance requirements violate our own?
• Are you SAS 70-compliant (if applicable)?
• Are you ISO 27001-compliant (if desired)?
• Can you prove that you are compliant for:
  • PCI?
  • SOX?
  • HIPAA?

Page 32: Luis lima v3

Security Concerns

It recently found a flaw that inadvertently shares users’ docs (March 2009).

A Salesforce.com employee fell victim to a phishing attack and leaked a customer list, which generated further targeted phishing attacks (October 2007).

It lodged a formal complaint to the FTC against Google for its privacy practices (March 2009). EPIC was successful in an action against Microsoft Passport.

Page 33: Luis lima v3

Security Concerns

Data Protection

• Data segregation
  • How do you separate my data from other customers?
• Data-at-rest protection
  • Where do you store my data?
  • Encryption and data integrity
  • Access control and authentication
  • Is there documentation for auditors?
• Data-in-motion protection
  • How do you transfer data from one place to another?
  • Can any third party access my data (your SPs), and how?
  • Can you ensure all my data is erased at the end of service?

Vulnerability Management

• Show evidence of your vulnerability management program.
• How often do you scan for vulnerabilities?
• Can I conduct an external vulnerability assessment on your network?
• What’s your vulnerability remediation process?

Page 34: Luis lima v3

Security Concerns

Personal and physical security

• Do you have restricted and monitored access to critical assets 24x7?
  • If dedicated infrastructure is desired, ensure that it’s isolated.
• How often do you scan for vulnerabilities on your network and applications?
• Do you do background checks for all relevant personnel? How extensive? SAS 70, ISO 27001.

Application Security

• Do you follow OWASP guidelines for application development?
• Do you have a rigorous testing and acceptance procedure for outsourced and packaged application code?
• What about third-party apps (components) used in your services?
• What application security measures (if any) do you use in your production environment (application-level firewall, database auditing)?

Page 35: Luis lima v3

Security Concerns

Incident Response

• What is your procedure in handling a data breach?
  • Can notification occur within a specified time period?
  • In what format do notifications go out? What info do they contain?
• Can you ensure that the vendor's incident response procedures do not violate our own requirements?

Identity Management

• Can you integrate directly with directories, and how?
• Review the architecture of integration.
• Ensure it doesn’t create a security risk for my own infrastructure.
• If not, how do you secure user IDs and access credentials?
• If not, how do you handle user provisioning?
• Can you support single sign-on (SSO), and which standards?
• Can you support federation, and which standards?

Page 36: Luis lima v3

Commitment

End of Service Support

• Specify what the cloud vendor will deliver at the end-of-service period:
  • Will data be packaged and delivered back to me? If so, in what End-of-service format?
  • How soon will I have all my data back?
  • Will any remaining copies of data be erased completely from your network? If so, how soon will it happen?
• Specify any fees that may be incurred at the end of the service.

Page 37: Luis lima v3

Lack of SLAs

• Make sure any framework compliance requirements (e.g., Federal Enterprise Architecture, SOA, etc.) are documented and agreed within the Contract.
• Include a formal Change Control process in the Contract and declare the cloud provider’s architectural framework within the scope of the Change Control.
• Treat the cloud provider contract as you would an underpinning contract.
• Document expected service levels, audit process and reporting requirements.

Page 38: Luis lima v3

Thank you

http://pt.linkedin.com/in/luisaalima