1 GETTING YOUR HEAD IN THE CLOUD A PRIMER TO THE TYPES OF CLOUD COMPUTING SOLUTIONS
2 2 On June 3, 2009 Plante & Moran attended the Midwest Technology Leaders (MTL) Conference an event that brings together top technology professionals in the Midwest to share trends, best practices, and opportunities. With the help of MTL, Table Sponsors, CIOs, and additional conference attendees, we conducted 12 roundtable discussions on a variety of timely and important IT topics. As an outgrowth of the roundtable discussions, we produced a series of educational white papers. Contents Abstract 2 Introduction 2 Service Layers 3 Deployment Models 4 Why Choose SaaS 4 Security Risks 5 What the Shift Means 7 Conclusion 8 ABSTRACT Cloud computing is talked about extensively in the IT world. It enhances collaboration, agility, scaling, and availability, and provides the potential for cost reduction through optimized and efficient computing. However, there are many aspects of it that aren t completely understood, and there are important factors to consider based on specific business needs or requirements. Gaining a better understanding of cloud computing is the first step in knowing if it s right for you. INTRODUCTION Cloud computing ( cloud ) is an evolving term that describes the development of many existing technologies and approaches to computing into something different. Cloud separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them. More specifically, cloud describes the use of a collection of services, applications, information, and infrastructure comprised of pools of computing, network, information, and storage resources. These components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down providing for an on demand utility like model of allocation and consumption. The U.S. National Institute of Standards and Technology (NIST) defines cloud computing by describing five essential characteristics, three cloud service models, and four cloud deployment models.
3 3 ARCHITECTURAL SERVICE LAYERS OF CLOUD COMPUTING While the first evolution of the Internet saw the three tier (or n tier) model emerge as a general architecture, the use of virtualization in clouds has created a new set of layers: applications, services, and infrastructure. These layers don t just encapsulate on demand resources; they also define a new application development model. Within each layer of abstraction, there are a myriad of business opportunities for defining services that can be offered on a payper use basis. Software as a Service (SaaS): SaaS is at the highest layer and features a complete application offered as a service, ondemand, via multitenancy meaning a single instance of the software runs on the provider s infrastructure and serves multiple client organizations. The most widely known example of SaaS is Salesforce.com for customer resource management (CRM), but there are now many others, including Plex for enterprise resource planning (ERP) or Google Apps offering basic business services such as e mail. Of course, Salesforce.com s and Plex s multitenant application has preceded the definition of cloud computing by a few years. On the other hand, like many other players in cloud computing, Salesforce.com now operates at more than one cloud layer with its release of Force.com, a companion application development environment, or platform as a service. Platform as a Service (PaaS): The middle layer, or PaaS, is the encapsulation of a development environment abstraction and the packaging of a payload of services. The archetypal payload is a Xen image (part of Amazon Web Services) containing a basic Web stack (for example, a Linux distro, a Web server, and a programming environment such as Pearl or Ruby). PaaS offerings can provide for every phase of software development and testing, or they can be specialized around a particular area, such as content or document management. Commercial examples include Google App Engine, which serves applications on Google s infrastructure or Microsoft SharePoint 2010, which provides document management capabilities. PaaS services such as these can provide a great deal of flexibility but may be constrained by the capabilities that are available through the provider. Infrastructure as a Service (IaaS): IaaS is at the lowest layer and is a means of delivering basic storage and computing capabilities as standardized services over the network. Servers, storage systems, switches, routers, and other systems are pooled (through virtualization technology, for example) to handle specific types of workloads from batch processing to server/storage augmentation during peak loads. The best known commercial example is Amazon Web Services, whose EC2 and S3 services offer bare bones computing and storage services (respectively). Another example is Joyent whose main product is a line of virtualized servers which provide a highly scalable on demand infrastructure for running websites, including rich Web applications written in Ruby on Rails, PHP, Python, and Java.
4 4 CLOUD COMPUTING DEPLOYMENT MODELS Regardless of the service model used (SaaS, PaaS, or IaaS), there are four deployment models for cloud services, with derivative variations that address specific requirements: 1. Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. 2. Private Cloud: The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on premises or off premises. 3. Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party and may exist on premises or off premises. 4. Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). It s important to note that there are derivative cloud deployment models emerging due to the maturation of market offerings and customer demand. An example is virtual private clouds a way of using public cloud infrastructure in a private or semi private manner and interconnecting these resources to the internal resources of a consumers datacenter, usually via virtual private network (VPN) connectivity. WHY CHOOSE SOFTWARE AS A SERVICE (SAAS) The benefits of Software as a Service (SaaS) from ease of use to lower cost of ownership have been well publicized over the past few years, due in part to the success of companies like Salesforce.com. This increased attention has resulted in the SaaS model growing in both awareness and popularity among North American businesses. In fact, analyst firm Gartner Inc. is projecting a compound annual growth rate of 22.1 percent for the SaaS market as a whole through Despite this trend, not all applications are appropriate for the ondemand model, and IT departments should be aware of the downsides of SaaS as well as the benefits. The benefits of SaaS: To accurately assess the value that Software asa Service can offer, an understanding of the potential benefits and drawbacks of SaaS is required. When considering a specific solution, it s important to review each of these benefits and drawbacks against the solution under evaluation, as they won t apply in every case. A breakdown of common SaaS benefits follows: 1. Faster, less expensive deployments: With no underlying infrastructure to purchase and install, and minimal customization required, SaaS deployments typically take much less time to implement than in house solutions. 2. Lower up front capital investment: Acquiring software traditionally required significant infrastructure purchases (hardware, middleware, networks, etc). Through a SaaS
5 5 model, much of this investment is unnecessary and can be eliminated. SaaS solutions can also be treated as an operating expense, making it easier for departments to remain within their budgets. 3. Lower total cost of ownership (TCO), pay asyou go: SaaS solutions are typically less expensive than in house solutions for at least the first few years. When you take into consideration the considerable cost of software upgrades, a lower TCO can often be maintained for much longer periods of time. SaaS also allows companies to purchase only those services that are immediately required, with the option to expand services whenever needed. This can prevent big, up front purchases that often end up as shelf ware, going unused. 4. Reduced management overhead: SaaS solutions allow IT departments to offload time consuming operational activities, allowing them to focus on higher value added, more missioncritical tasks. 5. On demand access to powerful infrastructure: By sharing computing resources among customers, SaaS providers can provide a high level of computing performance ondemand, regardless of how frequently the customer requires access. Potential drawbacks of SaaS solutions: Though the benefits are great, the Software asa Service model can suffer from some serious drawbacks that are often overlooked. A quick overview of these drawbacks includes: 1. Limited customization and basic functionality: Since SaaS delivers the same general functionality to every customer, customization can sometimes be limited. As a result, there are fewer opportunities to use SaaS solutions to provide a competitive advantage. 2. Hidden costs: When evaluating SaaS solutions, be aware that some have hidden, add on costs for items such as testing, support, storage and integration that may not be apparent during the initial sales process. 3. Usage commitments: SaaS solutions often price in bundles, requiring the customer to commit to paying for a certain volume over a period of time, regardless of whether or not the actual volume usage goes down. 4. Less control for IT: With up to 85 percent of SaaS solutions being sold directly to business units today without the input of IT, there is a potential for businesses to make software decisions that cause problems in the long run in terms of integration with other systems, availability, and corporate security requirements. SECURITY RISKS FOR CLOUD COMPUTING Though cloud computing is often touted as a cost saver for companies, IT pros still have lingering concerns about the safety and security of working in the cloud. Around 45 percent of IT professionals recently surveyed by the ISACA (formerly known as the Information Systems Audit and Control Association) said the risks involved in cloud computing outshine any benefits. Questioning more than 1,800 IT professionals in the U.S. who are members of the group, the ISACA found that only 10 percent of them plan to use cloud computing for mission critical IT services, 15 percent will use it only for low risk services,
6 6 and 26 percent don't expect to tap into the cloud at all. "The cloud represents a major change in how computing resources are utilized, so it's not surprising that IT professionals have concerns about risk vs. reward," said Robert Stroud, vice president of ISACA, in a statement. "If cloud computing is treated as a major initiative involving many stakeholders, it has the potential to yield benefits that can equal or outweigh the risks." Cloud computing is fraught with security risks. Smart customers will ask tough questions and consider getting a security assessment from a neutral third party before committing to a cloud vendor. Cloud computing has "unique attributes that require risk assessment in areas such as data integrity, recovery, and privacy, and an evaluation of legal issues in areas such as e discovery, regulatory compliance, and auditing. Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Here are seven of the specific security issues customers should raise with vendors before selecting a cloud vendor. 1. Privileged user access: Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical, and personnel controls" IT departments exert over in house programs. Get as much information as you can about the people who manage your data. Ask providers to supply specific information on the hiring and oversight of privileged administrators and the controls over their access. 2. Regulatory compliance: Customers are ultimately responsible for the security and integrity of their own data, even when it s held by a service provider. Traditional service providers are subjected to external audits and security certifications, such as a SAS 70. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions. 3. Data location: When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, and if they abide by federal government requirements, such as PCI, HPAA, etc. 4. Data segregation: Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure all. Find out what is done to segregate your data from the rest of their customers. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. Encryption accidents can make data totally unusable, and even normal encryption can complicate availability. 5. Recovery: Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure. Ask your provider if it has the ability to do a complete restoration and how long it will take.
7 7 6. Investigative support: Investigating inappropriate or illegal activity is very challenging in cloud computing. Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co located and may also be spread across an ever changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible. 7. Long term viability: Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data and perhaps the software will remain available even after such an event. Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application. WHAT DOES A SHIFT TOWARD CLOUD COMPUTING MEAN? So who is affected by a paradigm shift in the computing industry? The shift would affect companies in a few different sub industries, including software companies, Internet service providers, and hardware manufacturers. Companies in each of these industries will face significant change if cloud computing is to be the next step for the industry. While it s relatively easy to see how the main software and Internet companies will be affected by such a shift, to know how other Internet companies and hardware manufacturers will be affected, it is slightly more difficult. Who gains? Consulting/Software/Hardware and Services companies that could gain from a shift towards cloud computing include: IBM Software producers that could gain from a shift toward cloud computing include: NetSuite (Financial) Salesforce.com (CRM) Taleo (TLEO) RightNow Technologies (RNOW) Concur Technologies (CNQR) Omniture (OMTR) Plex (ERP) Hyperic Quest Software (QSFT) Disney (DIS) Internet based companies that could gain from a shift towards cloud computing include: Cloud Technology Partners SAVVIS (SVVS) Who loses out? Traditional software producers that could have some catching up to do if cloud computing ultimately wins out include: ORACLE (ORCL) SAP AG (SAP) Blackbaud (BLKB) Lawson Softwares (LWSN)
8 8 CONCLUSION Cloud computing is attractive, seductive, and perhaps irresistible. The benefits are compelling, particularly the pay as you go model that has been likened to buying electricity (or, if you prefer, buying your drinks by the glass rather than the bottle). Enterprises that have been considering the use of the cloud in their environment should determine whether the solution meets their current and future business needs, calculate what cost savings the cloud can offer them, and consider what additional risks are incurred. Once potential cost savings and risks are identified, enterprises will have a better understanding of how they can leverage cloud services. There s a powerful business case for buying computational power, disk storage, collaboration, application development resources, ERP, CRM, and on demand. Rather than buying more servers and disks or expanding or deploying expensive infrastructure and programs, cloud computing is flexible and scalable. It can meet short term initiatives and requirements and deal with peaks and valleys in business cycles. Sources Cited 1 Take Your Business to a Higher level 2 CSA Guidance 3 Cloud Computing Business Benefits with Security Governance and Assurance Perspectives m?contentid= Archiving: To SaaS or Not to SaaS? archivingsaas/index.php 5 Cloud Computing risks outweigh reward 1001_ html ISACA IT Risk/Reward Barometer US Edition te=/contentmanagement/contentdisplay.cfm&contentid= Seven Cloud computing security risks central/gartner sevencloud computing security risks 853?page=0,0 THANK YOU Plante & Moran would like to thank Pat McQueen, Table Sponsor from Salesforce.com, Joe Drouin, CIO from Kelly Services, Inc., and all roundtable participants for their contributions. For more information, please contact: Doug Wiescinski
Proofpoint Email Archiving Whitepaper: A look at the pros and cons of Software-as-a-Service and how they apply to email archiving. threat protection compliance archiving & governance secure communication
Proofpoint Email Archiving Whitepaper: A look at the pros and cons of Software-as-a- Service and how they apply to email archiving Proofpoint, Inc. 892 Ross Drive Sunnyvale, CA 94089 P 408 517 4710 F 408
Kent State University s Cloud Strategy Table of Contents Item Page 1. From the CIO 3 2. Strategic Direction for Cloud Computing at Kent State 4 3. Cloud Computing at Kent State University 5 4. Methodology
The cloud - ULTIMATE GAME CHANGER =========================================== When it comes to emerging technologies, there is one word that has drawn more controversy than others: The Cloud. With cloud
Reprinted from PHARMACEUTICAL ENGINEERING THE OFFICIAL TECHNICAL MAGAZINE OF ISPE JULY/AUGUST 2013, VOL 33, NO 4 Copyright ISPE 2013 www.pharmaceuticalengineering.org information systems Managing the Risks
Moving from Legacy Systems to Cloud Computing A Tata Communications White Paper October, 2010 White Paper 2010 Tata Communications Table of Contents 1 Executive Summary... 4 2 Introduction... 5 2.1 Definition
Cloud Storage Positioning Paper A guide to understanding cloud storage services created by SNIA, the Storage Networking Industry Association (Australia & New Zealand) SNIA Cloud Storage Special Interest
Introduction to Cloud Computing architecture White Paper 1st Edition, June 2009 Abstract Cloud computing promises to increase the velocity with which applications are deployed, increase innovation, and
Red Hat Cloud Foundations: Cloud 101 Table of contents 2 Executive summary 3 Introduction 3 Clouds today and tomorrow 5 The cloud taxonomy 7 What cloud computing isn t 7 Why cloud computing 8 Who creates
Sun Cloud Computing TABLE OF CONTENTS Table of Contents Cloud Computing at a Higher Level............................................... 4 Why Cloud Computing?.......................................................
The Impact of Cloud Computing on Organizations in Regard to Cost and Security Mihail Dimitrov Ibrahim Osman Department of informatics IT Management Master thesis 1-year level, 15 credits SPM 2014.22 Abstract
FRAUNHOFER RESEARCH INSTITUTION AISEC CLOUD COMPUTING SECURITY PROTECTION GOALS.TAXONOMY.MARKET REVIEW. DR. WERNER STREITBERGER, ANGELIKA RUPPEL 02/2010 Parkring 4 D-85748 Garching b. München Tel.: +49
Cloud Computing: Transforming the Enterprise Cloud computing is not just a trend. It is changing the way IT organizations drive business value. THINK SMART. ACT FAST. FLEX YOUR BUSINESS. EXECUTIVE SUMMARY
Masaryk University Faculty of Informatics Master Thesis Database management as a cloud based service for small and medium organizations Dime Dimovski Brno, 2013 2 Statement I declare that I have worked
Competition and Challenge on Adopting Cloud ERP Fumei Weng and Ming-Chien Hung Abstract ERP provides businesses flow management and includes manufacturing, accounting, sales and customer relationship management.
Risk perception and risk management in cloud computing: Results from a case study of Swiss companies Nathalie Brender Haute Ecole de Gestion de Genève Campus de Battelle, Bâtiment F 7 route de Drize, 1227
The 2012 Cloud Networking Report Part 1: The Emergence of Cloud Computing and Cloud Networking By Dr. Jim Metzler Ashton Metzler & Associates Distinguished Research Fellow and Co-Founder Webtorials Analyst
Compliments of IBM Limited Edition Private Cloud Learn to: Make cloud computing an integral part of your business Perform in a smart and proactive manner Support collaboration between business and IT Leverage
Investigation of IT Auditing and Checklist Generation Approach to Assure a Secure Cloud Computing Framework Rajni Maheshwari M.Tech (Computer) College of Engineering, Bharati Vidyapeeth Deemed University
Office of the Chief Information Security Officer Centers for Medicare & Medicaid Services 7500 Security Boulevard Baltimore, Maryland 21244-1850 Risk Management Handbook Volume III Standard 3.2 FINAL Version
Guidelines for Building a Private Cloud Infrastructure Zoran Pantić and Muhammad Ali Babar Tech Report TR-2012-153 ISBN: 978-87-7949-254-7 IT University of Copenhagen, Denmark, 2012 ITU Technical Report
The Definitive Guide tm To Cloud Computing Ch apter 10: Key Steps in Establishing Enterprise Cloud Computing Services... 185 Ali gning Business Drivers with Cloud Services... 187 Un derstanding Business
DoD ESI White Paper Best Practices for Negotiating Cloud-Based Software Contracts Guidance on the differences between purchasing perpetual software and renting Software as a Service About DoD ESI The DoD
Architectural Spotlight The Best Cloud Architecture for Your Contact Center Richard Snow VP & Research Director Customer Engagement Ventana Research Jason Alley Solutions Marketing Interactive Intelligence,
The Massachusetts Open Cloud (MOC) October 11, 2012 Abstract The Massachusetts open cloud is a new non-profit open public cloud that will be hosted (primarily) at the MGHPCC data center. Its mission is
The Microsoft Office 365 Buyer s Guide for the Enterprise Guiding customers through key decisions relative to online communication and collaboration solutions. Version 2.0 April 2011 Note: The information
This ebook will help you: Understand the benefits of cloud computing Determine which cloud solution is best for your business needs Discover what to look for in a prospective cloud provider 877.843.7627