A Vendor s Journey to SaaS & the Cloud

Transcription

1 A Vendor s Journey to SaaS & the Cloud

2 Mark Sherry Partner Marval North America ITIL Expert ISO Consultant MBA, MA, BComm 25+ ITIL implementations Trained Service Managers Globally 10 Years in Industry Actively involved in five independent businesses 1

3 Spollock April 27,

4 Cloud Computing Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). Wikipedia

5 Hosted Environments IaaS PaaS SaaS Infrastructure as a Service offers computers (physical and virtual) in the cloud, e.g., servers, load balancers, network, storage Platform as a Service offers operating system, databases, web servers, and development capabilities Software as a Service offers applications in the cloud along with the corresponding infrastructure 4

6 SaaS Variations Offers application in the cloud vendor performs upgrades only customer administers the product Offers application in the cloud vendor performs upgrades, and administers the product on the client's behalf 5

7 Advantages of SaaS Potential costs savings for vendor can be one application to maintain and upgrade (only multi-tenant) Potentially shorter time to deploy depends on application Less up-front capital costs Risk mitigation Easier scalability Operational budget verses capital budget Allows small- and medium-size businesses to use applications that traditionally were too expensive to acquire independently 6

8 Disadvantages SaaS Long term costs Data Security questions and confidentiality concerns Dependence on network and internet speed Business needs driven by technology trends versus real business needs Not all applications are available in a SaaS model Integration challenges with other client applications Increased upgrade risk, as many clients may be upgraded at the same time. Client's may be forced to upgrade on vendor s schedule. 7

9 Multitenancy Usually defined as a single instance of software supporting multiple customers. Each customer can perform the administrative functions of the software for their organization. 8

10 Types of Data Centres 9

11 Types of Data Centres Tier 1 = Non-redundant capacity components (single uplink and servers). Guaranteeing % availability. Tier 2 = Tier 1 + Redundant capacity components. Tier 2: Guaranteeing % availability. Tier 3 = Tier 1 + Tier 2 + Dual-powered equipment and multiple uplinks. Tier 3: Guaranteeing % availability. Tier 4 = Tier 1 + Tier 2 + Tier 3 + all components are fully faulttolerant including uplinks, storage, chillers, HVAC systems, servers etc. Everything is dual-powered. Tier 4: Guaranteeing % availability *nixcraft

12 Security 11

13 Security Certifications In practice, two ISO standards are usually used together: ISO27001 Objective: "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Process approach: "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It employs the PDCA, Plan-Do-Check-Act model, to structure the processes, and reflects the principles set out in the OCEG guidelines. ISO/IEC Provides additional information and implementation advice on the controls. The domains covered by ISO include: Security policy Asset management Human resources security Physical and environmental security Communications and operations management Access control Organization of information security Information systems acquisition, development and maintenance Information security incident management Business continuity management Regulatory compliance 12

14 Security Certifications SAS 70 American Institute of Certified Public Accountants (AICPA) Widely recognized: it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over IT and related processes. SSAE 16 American Institute of Certified Public Accountants (AICPA) Effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations. Service Organization Control (SOC) 1 - related to the effectiveness of controls at a service organization that impact their clients internal controls over financial reporting. SOC 2 & 3 - related to information privacy, security, confidentiality, availability and processing integrity. CICS 5970 Developed by the Canadian Institute of Chartered Accountants (CICA) in 2004, the audit largely adopted its guidelines from an already established American equivalent (SAS 70). In practice, most SaaS host providers with customers in Canada and the United States acquire both US and Canadian Certifications 13

15 Security Certifications Payment Card Industry (PCI) Data Security Standard Defined by a Council to increase controls around cardholder data to reduce credit card fraud via its exposure Validation of compliance: Done by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes. Internet-based merchants must undergo a quarterly vulnerability scan performed by an approved scanning vendor. Though some PCI Compliance Level 1 internet-based merchants may be able to perform annual self-assessments (with the permission of their processor and card brand), the vast majority of internet-based merchants will be held to these PCI Compliance expectations. 14

16 Security Certifications Payment Card Industry (PCI) Data Security Standard Merchants fall under four categories of PCI compliance, depending on the number of transactions they process each year, and whether those transactions are performed from a brick and mortar location or over the Internet. All merchants that process credit cards whether small or large must be PCI compliant. PCI Compliance Levels are based on several criterion. 15

17 Security Certifications All merchants that process credit cards whether small or large must be PCI compliant. PCI Compliance Levels are based on several criterion: PCI Compliance Level 1 over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region PCI Compliance Level 2 1 million to 6 million Visa transactions annually (all channels) PCI Compliance Level 3 20,000 to 1 million Visa e-commerce transactions annually PCI Compliance Level 4 less than 20,000 Visa e-commerce transactions annually and all processing up to 1 million Visa transactions annually 16

18 Data Security Issues Where is the database located Canada, US or other country? What countries would your data flow through, and can you control it? What are the consequences if the vendor uses or sells your data? Is the data centre backed up at a remote location? Where is that location? 17

19 Data Security Issues There is a cost to using the SaaS service provider's security facilities. However orders of magnitude can actually reduce security costs for small organizations while adding otherwise unattainable security features. Few of us can afford a vault at our home office that rivals a bank vault. Many organizations believe that their critical data must remain in-house. Security is simply another feature or service that can be provided by the SaaS supplier. Very elaborate monitoring and services can be purchased or basic services can be acquired. Your choice. Effective network security requires a firewall / IPS / IDS mechanism that is usually very expensive and specialized. Data centers can protect hundreds of servers making this technology more affordable, even for relatively small organizations who have not the time or the manpower to monitor it. 18

20 Data Security Issues China-based hackers broke into the computer systems of at least three federal departments, seven Bay Street law firms, and two multinational corporations all involved in the ultimately unsuccessful corporate takeover of Saskatchewan s Potash Corporation. s on Jan. 31 indicated the Finance Department and Treasury Board were both being slammed with severe cyber attacks, including significant volumes of sensitive government data being stolen by computers in China. CBC News Feb 22,

21 Privacy 20

22 Privacy Issues What are the privacy laws of the data centre? Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them. 21

23 Privacy Laws and SaaS Providers Electronic Communications Privacy Act Applies to any transfer of signals, images, sounds, data, or intelligence of any nature transmitted in whole or in part by any means that affects interstate or foreign commerce. Stored Communications Act Addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs). USA Patriot Act The act significantly reduced restrictions in law enforcement agencies' gathering of intelligence within the United States; expanded the Secretary of the Treasury s authority to regulate financial transactions, particularly those involving foreign individuals and entities. 22

24 WhatsApp WhatsApp allows users worldwide to use their phones to text message friends over the internet without incurring SMS text messaging charges. The popular mobile messaging app WhatsApp breaches Canadian and Dutch privacy laws by forcing many of its users to grant access to their entire address book in order to use it, Canada's privacy watchdog has found in a joint investigation with Dutch authorities. It is currently the third-most popular paid app in the itunes store, where it sells for 99 cents, and surpassed 100 million downloads on Google Play in November. CBC News Jan 28,

25 Backups and Recovery Options Things to consider: What needs to be backed up (files, database, etc.)? How much storage space is needed? How quickly the application needs to be available (immediately, hours, etc.)? Most Common Options: Virtual Machine snapshots Entire server can roll-back to the point of time (4 hours, 1 day, etc.) of the snapshot. Does not avoid downtime or protect data changed after the snapshot is restored. Full Backup Specific files and databases are backed up at a specific time. Requires downtime to restore the server and data loss will occur without replay. Cluster or Replica Fail Over Application and database are replicated real time (cluster) or with an offset of no more than five minutes (replica) to a secondary server Negligible downtime or data loss. 24

26 Vendor Options SaaS off site SaaS on site Minimum term contracts Conditions to limit price increases What is included in SaaS modules, support, upgrades, administration Support hours 25

27 Licensing Implications Named or Concurrent licenses or both Option to convert SaaS to On Premise Option to convert On Premise to SaaS What type of licensing is available? 26

28 Integration with Other Products Many SaaS offerings provide: The ability to integrate with the customer Corporate apps or services which are installed on a server somewhere on the customer s network on a server or cluster of servers which may be in-house, at another outsourced Data Centre, or at another SaaS provider. Information should be communicated between apps encrypted and using a very secure approach. Commonly available services integrate SaaS apps with Corporate apps such as: Active Directory or other Directory information Creation or update of accounts and contacts Asset discovery and management Creation or update of Configuration Items (CIs) Network monitoring events Creation of requests based on network events Other service management or event apps 27

29 Service Level Agreement Uptime Penalties Response times Maintenance schedules (do they follow your change management process) Adding an SaaS environment will add one or more third party suppliers to the service chain In the absence of true certification the SLA-enabled contract is still the best way to ensure vendors deliver the features they promise. 28

30 Flexibility and SaaS Some SaaS hosting organizations may impose certain standards that may limit flexibility. However, the orders of magnitude created by SaaS environments often afford more flexibility as a result of multitenancy. In order to survive, it is essential that SaaS hosting services provide a great deal of flexibility to its customers. Such is not always the case in an in-house monopoly environment. Organizations using most common industry infrastructures, services and products will likely have the most flexibility in SaaS environments. SaaS products and concepts are based on volume sales. It only makes sense that SaaS vendors will cater to the needs of the most common. 29

31 Cloud Perception 30

32 Long Term Cost / Benefit of SaaS A Pay as You Go service may start out relatively inexpensive until usage grows. "Break even" points and volume agreements should be considered before signing up. The environments for SaaS apps is usually more advanced and robust than all but the biggest of in-house environments. If your organization is small but requires environmental sophistication and robustness in Service Management, the ROI on an SaaS application may prove very attractive. Do the math. Produce a 5-year ROI for SaaS vs. other options, as you should for any technology plan. 31

33 SaaS and Service Delivery 32

34 Legal Considerations Underpinning Contract should be in place. Contract needs to be managed. SLA should be part of the contract. Need to manage KPIs to ensure vendor is managing according to contract. Supplier Management process should be in place. Insurance. 33

35 Will SaaS Improve Service Delivery? No, it is just a technology Pick what technology fits your needs Most vendors offer both options SaaS and in-house Need to work with a vendor that understands and can deliver on your service management goals When selecting a new tool, focus on Service Management requirements to deliver outstanding service first, and then the technology remember a fool with a shiny new tool is still a fool! 34

36 Questions 35

37 The End