WHITEPAPER CLOUD. Possible Use of Cloud Technologies in Public Administration. Version Euritas

Transcription

1 WHITEPAPER CLOUD Possible Use of Cloud Technologies in Public Administration Version Euritas

2 THE BEST WAY TO PREDICT THE FUTURE IS TO CREATE IT. [Willy Brandt] 2

3 PUBLISHER'S IMPRINT Publisher: Euritas (European Association of Public IT Service Providers) Contact: Toni Seifert, IT Dienstleistungszentrum Berlin, Berlin Berliner Str Berlin Authors: Wolfgang Danzinger, Bundesrechenzentrum GmbH, Vienna Biljana Skrbic, Bundesrechenzentrum GmbH, Vienna Uwe Brünnicke, Dataport AöR, Hamburg Christian Gebauer, Magistrat der Stadt Wien, Vienna Rudolf Hellerschmidt, Magistrat der Stadt Wien, Vienna Toni Seifert, IT Dienstleistungszentrum Berlin, Berlin Martin Swiderek, Hessische Zentrale f. Datenverarbeitung, Wiesbaden Editorial team: Manoela Bodiroza, Bundesrechenzentrum GmbH, Vienna Thomas Dickmann, IT Dienstleistungszentrum Berlin, Berlin Ingrid Götzl, Magistrat der Stadt Wien, Vienna Ulrike Schenk, Dataport AöR, Hamburg Jörn Oldag, DVZ Mecklenburg Vorpommern GmbH, Schwerin Peter Lacher, Hessische Zentrale f. Datenverarbeitung, Wiesbaden With the kind support of: Marianne Wulff, Vitako Bundes Arbeitsgemeinschaft der Kommunalen IT Dienstleister e.v., Berlin Design and printing: IT Dienstleistungszentrum Berlin AöR with the kind support of DVZ GmbH, Frau Becker Copyright: Euritas (European Association of Public IT Service Providers) 3

4 LIST OF ABBREVIATIONS CSP Euritas ICT IT ITIL ITSM IaaS PaaS SaaS Cloud Service Provider European Association of Public IT Service Providers Information and Communications Technology Information Technology IT Infrastructure Library IT Service Management Infrastructure as a Service Platform as a Service Software as a Service 4

5 CONTENTS 1 Introduction Objective Management Summary Introduction and definitions Introduction Cloud computing definition Service model types The service levels of a cloud Prerequisite for cloud use The underlying conditions and challenges of public administration Opportunities and potential of cloud computing in administration Compliance with legislation, standards and specifications IT security criteria and requirements Quality criteria for cloud offers and services in administration The challenges of using cloud technologies Possible use of cloud solutions in public administration in Europe Cloud aims and stages of development of public IT Factors encouraging the use of cloud technologies Closing remarks and outlook Appendices (Selected) legal questions for European cloud projects Project and solution reports of Euritas members

6 1 Introduction 1.1 Objective The aim set by the Euritas (European Association of Public IT Service Providers) cloud computing working group is to promote cross border exchange and networking among European public IT service providers. Within this context, the White Paper takes a look at the possible use of cloud technologies in public administration within the EU. In this respect, the first step will not differentiate between the position of a cloud service user and a cloud service provider, as the quality criteria are relevant both to the providers of cloud solutions and to their customers. Furthermore, one and the same organisation is quite likely to be in the position of service provider and service user, so they should be adequately prepared for both sides of the contract. The contents reflect the views and experiences of public IT service providers. General descriptions of the requirements and the current state of the market in Europe have been prepared, backed up by both abstract and specific examples. The Whitepaper Cloud presents the insights gained from technical and organisational specifications from the European public IT service provider viewpoint. A further section also describes in general terms how service providers interpret the following aspect: "We will evaluate which offers, services and functions can be usefully deployed and offered with cloud technologies". Presented in the appendix are specific solutions, as well as the current projects of Euritas members. The objective of the Whitepaper Cloud is to offer the decision makers in the public sector an overview of cloud services, to point out the risks as well as the need for action, and to encourage a mutual exchange of know how and experience throughout Europe. 1.2 Management Summary The New trends in technical innovation, development and implementation shape our daily lives as much as ongoing changes in administrative processes. Increasingly, these are digitised and electronically processed. Technical trends and corresponding regular updates of established procedures and the IT infrastructure are cornerstones in making even administrative work processes more economical and efficient. European public IT service providers will continue to work with different sovereign tasks, unequal basic infrastructures as well as varying stages of development in the optimised operation of computer centres. Yet together, the Euritas members can make a big difference: the different starting points of the public IT service providers involved in Euritas offer an ideal basis for establishing common best practices. This bundling of requirements and interests can influence both manufacturers and standards, and can thus shape the optimal operating environment for European public IT associations. 6

7 European public IT service providers can utilise cloud computing to offer their clients demand oriented and flexible sources of supply for ICT (information and communication technology) if the required basis is established in the years to come. For this reason, the Euritas Cloud Working Group has identified the following areas of action to promote the utilisation of cloud technologies across Europe in the future: Preparation and development of cross border standardised procedures and a legal framework for the European administrative environment Formulation of guidelines and manufacturer independent standards for the utilisation of cloud technologies in the European administrative environment Compiling best practices and economic indicators for public administrative IT services (planning, implementation and operation) Development of suitable benchmarks and bases of valuation to obtain cloud services and cloud operating environments from a cloud service provider Exchange of experience in the operation and design of service catalogues (cloud offers) for establishing suitable nationwide and cross border IT services Manufacturer independent cloud services are not available yet. They will, however, be a decisive factor in future investment decisions. Depending on the speed of development of standards, procedures and guidelines, cloud services will gain increasing importance for public administrations. The following factors have been identified for having an influence on the success of cloud initiatives in European administrations: Hardware oriented cloud technologies present a much lesser challenge than organisational structuring and the holistic implementation of processes for the provision and procurement of cross border cloud services. The larger the quantity of sales, the more cost savings and scaling effects can be achieved. European cloud initiatives require multidisciplinary teams of experts, providing specialist administration know how, legal expertise in the European environment, compliance knowledge regarding standards, guidelines, norms, technical expertise as well as organisational and standardisation knowledge. The standardisation of operational processes will enable cost savings once cloud technologies are introduced in public administrations. However, the real cost savings potential can only be proven upon the development, implementation and operation of joint solution scenarios. Nonetheless, the decision to implement cloud computing in public administrations must not be restricted to costs alone. Many other aspects and areas related to the complex operation of computer centres of non profit organisations such as the consolidation of servers and procedures affect the decision making process. Currently, many things are still difficult to 7

8 measure and cannot be compared (yet), given their heterogeneous structures. Numerous questions related to the complex field of cloud computing thus arise. For example: how can a public IT service provider use an economic efficiency model to transparently and comprehensibly transfer and evaluate, e.g., human resources which were displaced for other activities, accelerated processes, satisfied customers, faster product and service development cycles as well as shorter value added chains? It is the aim of the Euritas White Paper to offer initial guidance to these viewpoints. Given the various situations, sovereign tasks, political guidelines and interests of the different European public IT service providers, different cloud scenarios will also be used. This makes it even more important to counter the exuberance for cloud technologies with careful consideration for sustainability and value adding benefits. The results of this White Paper provide an overview of the future market demand and the frameworks required for an economically viable implementation of cloud technologies. In addition, the White Paper provides an overview of what needs to be done from a European perspective to enable the successful utilisation of cloud services. 2 Definitions 2.1 Introduction This section systematises (organises and defines) the technical terms used in a cloud environment. Many of the terms that have developed around cloud computing are not definitions in the technical sense, but marketing terms, that attribute features to the product that do not strictly exist in the technical sense. The areas of client, network connections and security are addressed from the technology viewpoint. Cloud computing is a development of familiar technologies and solutions, expanding them to include the concept of demand driven elasticity. The related topics here are grid computing, outsourcing and application service providing. Cloud computing is a particularly flexible form of outsourcing that involves shorter contract periods (hours or months), suitable elasticity (demand driven addition or reduction of resources) and lower or even non existent investment costs. 2.2 Cloud computing definition Cloud computing is now omnipresent in the ICT sector, and many companies and organisations are devoting their full attention to the opportunities and potential as well as the risks of this new technology. The basic features attributed to cloud solutions are very interesting in the pan European context, because in general, the provision of IT services can be handled less expensively and more efficiently with a maximum level of automation and a high level of flexibility. This is achieved by using visualisation technologies and abstraction mechanisms. Payment is made in accordance with individual consumption. 8

9 The following features are characteristic of a cloud service 1 : Virtual resources: The physical implementation of the service is hidden from its users. This allows the operator to optimise the service with regard to efficiency and standardisation. Multi tenancy capability: The individual resources serve several users in a shared environment, where mechanisms are applied to protect and isolate each tenant. Consumption dependent payment: Users only pay for the resources that have actually been utilised. User driven provision: Individual users can request resources which are then automatically provided, without interaction with the service provider. Elasticity: The services can respond spontaneously and quickly to load changes in virtualised environments. Resources seem to be infinite, as far as the user is concerned. Programmatic control: With the aid of a programming interface, users can configure, use and control the resources. This allows users to control consumption dynamically via the application and allows providers to automate resource management. The widely accepted definition by the American standardisation agency NIST expresses this as follows: "Cloud computing is a model for enabling ubiquitous, convenient, ondemand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." 2 In addition to the regional definitions used in Germany, such as the one BITKOM uses in its publications, the cloud criteria specified internationally by the "National Institute of Standards and Technology (NIST)" can also be enlisted for the cloud definition, as well as for assessing whether or not a service complies with the requirements of cloud services. Measured services: The use of resources and services is measured and transparently monitored, controlled and charged, subject to use. Rapid elasticity: The service resources can be scaled up or down as required, at any time and to any extent. 1 See BITKOM guide, "Cloud Computing Evolution in der Technik, Revolution im Business", See The NIST Definition of Cloud Computing (National Institute of Standards and Technology, Information Technology Laboratory) 9

10 On demand customer self service: Procurement of services as called for by the user, without direct interaction with the provider (self service portal). Broad network access: Services can be reached via a network (Internet), standard access via a browser is possible from a wide variety of platforms. Resource pooling: Using a shared, location independent IT infrastructure resource pool of (multi )tenancy capable virtualised resources that are allocated dynamically. 2.3 Service model types The term "cloud computing" is used for a great many things in connection with information processing issues and the provision of IT services. Cloud computing is not a product, not a special technology and not a proprietary standard; it is a method of providing flexible, shared IT services. The typical distinguishing features and attributes of these forms are as follows: Public cloud: Cloud services offered over the Internet to vast numbers of users and available on the market to anyone. Private cloud: Private clouds are understood to mean cloud services provided over a private network, such as within a company Intranet. Hybrid cloud: Hybrid clouds combine the so called public cloud services with those of a private cloud. There are also some special forms. These are based on similar base architectures, but differ in terms of requirements, functionalities and service types. This is made clear in the examples below: European, national and regional cloud services (geographical limitation) Government clouds (networking between different authorities) Community clouds (sector specific clouds) 2.4 The service levels of a cloud If you take the most established definitions of cloud computing, cloud computing offers can be categorised into three basic service levels 3,4. These service levels and service platforms build on one another in a hierarchical structure, as shown in the illustration below: 3 See such as NIST, BITKOM, DMTF 4 See Höllwarth Tobias, Cloud Migration, mitp,

11 Figure 1: Cloud service levels (source: see EuroCloud) The business scenario uses a holistic strategy to determine which forms of cloud computing are referred to. It is generally true that the potential for standardisation increases, the closer you are to the infrastructure related cloud services (IaaS). The possible applications are also more universal on the basis of uniform infrastructure resources. The higher the level (PaaS and SaaS), the more specifically this environment is adapted to demand. So essentially, three service models have emerged in the references and are listed below: IaaS Infrastructure as a Service PaaS Platform as a Service SaaS Software as a Service Storage as a service is also frequently available in the cloud. Other services are regarded more as outsourced backup solutions, or as the provision of desktop environments (desktop as a service), based on the use of virtual desktops, for example. Cloud computing can also support "business process as a service" solutions, which outsource all the business processes of an organisation. 2.5 Prerequisite for cloud use To further develop existing IT and the use of cloud technologies, it is advisable to introduce a standardisation and centralisation process and, if necessary, to initialise an organisational development process as well. 11

12 Standardisation must be applied to the applications and also some of the infrastructure, as this is the only way that a centrally operated service can be used cost effectively. Centralised data management is also an important prerequisite, as usually the computing power has to be generated where the data is stored. A prerequisite for the use of these services is the structuring and classification of the data and information used in the organisation, so that it will be possible to outsource the less sensitive data to a cloud environment. The other selected prerequisites for using a cloud service concern the terminal, the network connection, IT security and the manageability of the cloud services. Consistent standardisation of the organisational procedures and processes is also required in addition to this technical standardisation. This is essential for operation, use, fault management, billing, and setting the performance level for service use from the cloud. It may be necessary to realign the organisation, or individual areas. As well as these standardisation issues, it must also be possible to access the cloud services. All devices capable of establishing a network connection to the service provider and which have integrated an application (browser, client) that can process the service data, can normally gain access. Especially with private cloud services, which usually make classic computer services available to users in a company Intranet, the operation and capacity of the terminal must bear comparison with a standard PC. The "bring your own device" approach is a currently discernible trend being considered in the design of notebooks, tablets and smartphones (mobile devices), as well as the user's own terminals. Cloud services are provided online, either on the Intranet, via VPN or on the Internet. So the essential technical basis for using centrally provisioned cloud services is an adequate and stable network connection that complies with and ensures data security. As the industrialisation of information processing, cloud computing tries to see the entire process as a service, from ordering, provisioning and using to setting the performance level and automatic billing over the entire usage time of the IT. The holistic view of the core business process of a public IT service provider (from procurement to automated billing) should optimise the use of the existing resources as much as possible. There are many aspects to consider in preparatory planning. The following perspectives are a basic selection: What is required of the cloud infrastructure Depending on the individual situation of the particular public IT service provider, a cost/benefit analysis should be carried out to cover the possible use of cloud computing, to serve as the basis for the other decisions that need to be made about cloud. When commencing cloud service implementation, the specific requirements of the application scenarios, a review of the market and the environment that takes customers as future users into account, and an economic feasibility study should all be carried out. This study can then be helpful for the basic selection of suitable cloud services and of a cloud provisioning model. Modifying your own IT services 12

13 A further step is to isolate and separate the different functional elements as much as possible. This is done by consolidating and virtualising the basic technologies (networks, storage, servers, software and public IT procedures). The use of a central infrastructure for each cloud method is a key factor, so particular care and attention must be devoted to building up these resources, to ensure that the system being operated is robust and readily available. Automation and provisioning Once successful system management has been introduced, further steps can be taken towards automating the IT services, such as the automatic provisioning of infrastructure resources and services. Taking such steps can reduce the cost of manual labour and the associated error rates. Service management An important function in complex cloud infrastructures is universal, consistent and central service management, that must ensure that the desired infrastructure is reliably available for the agreed service level agreements. Service management should ideally be supported by a service management tool. This makes it possible to monitor operating standards, automate event handling, be strict about change management, record billing data and ultimately, ensure stable and successful operation. The aim of each cloud solution integration is not only to benefit from the economic advantages and the provision of services with attractive and effective content, but ultimately to increase customer satisfaction. This correlates closely with the performance of the individual applications, service availability and simple operating and provisioning mechanisms. For cloud offers to be acceptable, pre defined, protected and abstracted infrastructures must be set up that are reusable and modular, as the underlying conditions and requirements for the operation of cloud computing solutions. The focus here is heavily on the virtualisation and security of the ICT systems. The availability, integrity, reliability and confidentiality of the data and information processed within the cloud infrastructure must also be ensured. The IT infrastructure, modern monitoring and surveillance tools and dynamic software, supported by self service mechanisms for the service users, ensure flexibility, scalability and automation of the IT services on offer. 3 The underlying conditions and challenges of public administration 3.1 Opportunities and potential of cloud computing in administration Current cloud considerations focus heavily on reducing costs and on efficient service provision, while striving to keep the same level of security and quality for the services that 13

14 public IT service providers produce for their customers and the citizens in general. The cloud operator and the cloud provider should therefore be looked at individually, as the level of maturity achieved by each public IT service provider with regard to optimised computing centre operation already differs in the classic issues of centralisation, consolidation and virtualisation. The potential for optimisation and saving in the cloud context depends on the level of maturity that has already been achieved (see figure 5, section 4.2). The IT services to be provided for a larger user community are standardised, in order to achieve the expected economies of scale. A number of small service units can be combined by a central shared service centre, where similar processes and procedures are brought together. The shared use of these service offers allows public agencies and public IT service providers to organise their IT infrastructure more efficiently, optimise their procedures and reduce their costs. The European public IT service providers can expect to achieve the greatest benefits by consistently implementing a holistic internal visualisation and standardisation strategy. This is regarded as a basic prerequisite for cloud offers, and implementation can then form the basis for considering whether in a subsequent step, service offers can be provided from the cloud with self service options for users, or used by other cloud service providers (CSP). So whatever the cloud issue, the following advantages can be achieved by pooling know how and by centralising and virtualising the IT infrastructures: Accelerating the complete procedure and shortening turnaround times when implementing projects and customer orders, Simplification and transparency, as well as improving the handling and comprehensibility of complex IT systems and solutions, Standardisation and flexibility, as well as interoperability and the integration of processes and concepts, Optimised sizes for standard products thanks to the fixed cost degression effects, Optimised utilisation of the centrally operated IT systems (Green IT), Removing avoidable interfaces, data redundancies, departmental boundaries, Increasing employee motivation with defined and more simple procedures, Achieving increased reusability thanks to standardisation, Future viability and scalability. Cloud computing is therefore an opportunity to support these processes for establishing shared service centres. The potential and the increased possible uses for cloud services should be seen in addition to the hardware oriented offers in web based services and systems. This is enough to ensure that what are currently individual operations (areas of technical specialisation), such as servers, storage and network, must and will be brought together in future. The opportunities and potential listed below can be achieved in the short and medium term through cloud computing, by consistently automating processes, subject to the current level of maturity of computing centre organisation: 14

15 Reducing production and development times, as well as production start up costs, Increasing IT capacity, competitiveness and the quality of products and solutions, Increasing customer satisfaction. The essential factor for success when bringing together different areas based on the division of labour, is consistent alignment to the value creation processes of the public IT service providers for planning, implementation and productive operation. In summary, this means: providing "IT on tap", an implementation and service model that is attractive to customers and which meets their needs. Taking the viewpoint that automatically provided IT services are more economically efficient if high sales volumes and large quantities make economies of scale possible, it is also attractive to analyse the cross border EU wide potential and to exploit this once it proves to be economical. However, to do this, it is necessary to resolve all the technical, organisational, administrative and legal questions in order to create uniform, EU wide underlying conditions, by establishing standards, specifications and guidelines, for example. 3.2 Compliance with legislation, standards and specifications It is crucial for European public IT service providers that the use of public cloud services is currently excluded for many government IT procedures because the legal situation has yet to be finally resolved. This applies in particular to services where the protection requirements of the data and information are high or very high, or that involve classified data. This inevitably produces market restriction with regard to the use of the commercial cloud solutions of third party suppliers. In many European countries, the principles of power separation and federalist structures also exist (e.g. separating the legislative, executive and judicial areas of responsibility), with their distribution also being reflected in operation and in the supporting provision of IT services in major public IT associations. Among the most important underlying legal conditions are compliance with the data protection act and maintaining the integrity of data from sensitive areas or even classified data. This starts with testing the reliability criteria for data use and also includes ensuring appropriate IT data security. Checks to ensure compliance with official notification and licensing obligations are also included, as is compliance with the legal licensing issues for the use of dynamic cloud solutions. Suitable licensing models and ensuring compliance are essential factors for the acceptance of cloud solutions. As well as these typical issues, there are legal, regulatory and sector specific requirements throughout Europe that must also be followed. Typical of these special features in the public sector are central security guidelines, accountability and due diligence, as well as precautionary measures in the context of comprehensive risk and IT emergency management throughout the company. The agreed classic service level agreements provide the opportunity to define availability, reliability and performance promises in the contractual relationships, as well as to measure 15

16 and assess them. However, this is not currently creating a pan European and mandatory legal framework for cross border IT service provision and use. An overview of the relevant legal areas and the (selected) questions that have been identified is given below, with detailed supporting information in the appendix: Data protection legislation regarding personal data (EU data protection regulation), Public procurement law and IT contractual legislation (EU public procurement directive), Liability and warranty, Business, commercial and criminal procedure legislation, Jurisdiction in all liability and warranty questions, Compliance, IT security (compliance with legislation, standards and specifications) Licensing conditions and compliance with copyright law, Standard terms and conditions and "take it or leave it" agreements, Obligation to record and provide information in traffic data (access protocols). If a cloud project is implemented throughout Europe, or shared use of a cloud infrastructure is intended, the different legal requirements and repercussions must be examined and if necessary optimised and brought together, to ensure legally enforceable implementation of the project. Because the issues involved are so highly complex and business models have yet to be established, basic legal frameworks should be created for cross border pan European service offers and their use. The different legal areas and instances, as well as the implementations in the individual countries throughout Europe, must be taken into consideration. Errors in these areas can quickly lead to considerable financial losses for the cloud service provider and those involved in general. It is therefore absolutely essential that there is careful, legal support to the project, right from the start. The legal assessment will resolve a great many individual aspects and detailed questions and must include a detailed examination of the initial legal situation in the countries involved. At the present moment, the content of the requisite legal advice services cannot be definitively described, as the business models and the specific services to be offered throughout Europe have yet to be developed. These legal considerations on practically feasible and implementable business models for a pan European cloud, as well as working out the advantages and disadvantages of the models from a purely legal viewpoint (contractual relationships, questions of liability, sub contractors, accepting and excluding providers), are absolutely essential for the initial analyses when considering EU wide cloud solutions. The formulation of the individual legal provisions and problem areas in the context of the platform operator as supplier, as well as legal problem areas from the viewpoint of the user of the services, must be included in the study. 16

17 Euritas would like to suggest that these investigations and considerations continue logically and that the unresolved issues and questions are dealt with gradually in structured projects 3.3 IT security criteria and requirements Questions relevant to security keep emerging directly in cloud projects and cloud environments. Fundamentally influential here are quality, timeframes and costs, subject to the selected or stipulated level of security. Public IT service providers in particular must also take into account this interaction between cost and expenditure, quality and security requirements and timeframes and the associated duration of the project. The basic paradigm for data and information protection used to be classic perimeter protection. The starting point in the past was the assumption that there was a clearly defined boundary between network segments with regard to "internal and external access". This ensured that it was possible to have central checkpoints (firewalls) for all data and communications traffic. Actually, however, the development of IT in recent years, particularly the new cloud computing trend, has been taking a quite different direction. Mobility, the dynamic approach to terminals and IT infrastructures, the large numbers of mobile and private devices (e.g. notebooks, USB sticks, MP3 players, PDAs, mobile phones) and the increasing interaction between the various networks, all make it clear that progressive and distributed checks, as well as additional data security, are necessary. So it is essential to implement another approach to the protection of data and information, namely protecting the data and information itself. This protection mechanism must also be taken into account in a safe cloud environment, as different user groups with different authorisations will be acting and interacting simultaneously. In an open structure, elementary protection of data and information applies. This particularly includes especially in the public sector the protection of personal data by encrypted data transmission, as well as safe data storage and data management. So, subject to the particular need for protection of the data and information being processed, a combination of the two approaches, i.e. perimeter protection (e.g. firewalls, intrusion detection) protection of data and information (e.g. encrypting the data) must be implemented in practice. In this context, it is necessary to undertake security analyses to ponder the fact that the elementary data and information security aims in data and information processing, i.e. availability (the capacity of information to be accessible and useful for an authorised person on request) integrity (the capacity that ensures the accuracy, completeness and credibility of the information) confidentiality (protection of the capacity of the information to only be accessible or made known to authorised natural or legal persons or processes) 17

18 obviously have to be guaranteed in cloud offers. It is necessary in the context of a European cloud to make sure that additional security aims are derived from the three main categories. Also necessary are keeping to the compliance requirements (conformity with legislation, guidelines and standards) and fulfilling the basic principle of effective, efficient and economical information processing and of course, the demands for obligation and nonrepudiation of information interactions (e.g. in legally binding online business transactions and for the purposes of evidence preservation). Figure 2: The triangle of conflict and IT security aims in the context of cloud computing (Source: ITDZ Berlin, Toni Seifert, July 2012) The issue of virtualisation and platform independence, which is the basic technology for cloud services, has organisational prerequisites that have to be implemented and also included in the descriptions of standards that have yet to be developed. Virtualisation combines the risks and threats from the physical and virtual server worlds. Firewalls placed in front of a server system or network as a protective barrier may not always provide sufficient protection within the virtualised server world, as the separation between the hardware systems is no longer clear. This brings additional risks, which have to be resolved both from a technical and from an organisational viewpoint. The following seven (representative) examples illustrate the difference of operating a virtualised cloud solution: Administration of the server and application virtualisation environment and configuration of the various network segments, become more complex. Formerly 18

19 separate tasks and specialisations, such as server administration and network management are combined (new employee qualifications). Consolidation of several servers within virtual environments must also take into consideration the various confidentiality and security zones of the formerly physical servers (new security requirements). Virtual servers exist as file images that can be quickly set up, copied, relocated and restored, which produces higher risks, as well as various advantages (new organisational rules). The basic updating of virtual server systems in cloud environments means new requirements to keep the system up to date and to protect it. Setting up a virtual system based on protection that was provided at an earlier stage may also result in patch levels that are no longer up to date (increased patch management demands). Higher standards are required in productive operation with regard to the organisational arrangements for the server lifecycle of virtual systems (e.g. set up, support, updates, loading patches, configuration or end of usage time), because setup is so simple and quick (new models of product and service provision). To ensure safe communication to the cloud and within the cloud, the definition and maintenance of all identities, rights and roles are one of the central tasks of security management. Higher standards must also be implemented for access control, as well as administration and the separation of data and applications (new technologies). Dynamic IT services as a cloud service require all the processes of service management and central monitoring of service level agreements to be changed (new operational and service management processes). When setting up and developing a cloud environment, these must be regarded as underlying conditions and implemented accordingly. The organisation of the company must also be adapted to these new and dynamic approaches, especially with the cross divisional provisioning of IT services across technical boundaries. Safe access to a cloud service is dependent on many technical as well as organisational measures. It is important to establish first where the access is coming from and then to implement relevant security measures, based on the need for protection of the data and information and the system of authentication that is being used. This makes it clear that the extensive combination of technical and organisational IT data security measures that has to be implemented for productive operation when provisioning cloud services does not just apply to "public clouds" but is also relevant within a "private cloud". It is therefore advisable to carry out a risk analysis tailored to public IT service providers for the respective cloud service offers and then based on this, to create the service catalogue, so 19

20 that customers have a data and information sensitivity classification to help them to select suitable IT services. A technical and organisational cloud security policy must also be established. This allows requirement and indicator based monitoring and control, which is the basis for carrying out regular audits. This can also be the basis for verifying that the underlying conditions have been observed and for identifying potential improvements. 3.4 Quality criteria for cloud offers and services in administration In the cloud computing context, it is primarily a service that is rented, and the way in which the provider produces the service can be very complex and totally detached from regional considerations. The selected aspects shown below allow you to assess the quality of a cloud service or as a cloud service provider, to be guided by the high standard of quality required for service provision. These criteria are geared to the EuroCloud criteria catalogue, which is applicable throughout Europe. As a general requirement, a weighting should be given with regard to the necessary level of accomplishment of the areas given below by way of example 5 : IT and data security, control possibilities and compliance, Flexibility, transparency and scalability, Service quality and its measurability, Integration capability and expenditure, as well as economic efficiency, Cost structures for long term planning, Possibility of integration with existing IT infrastructure, Access technologies (inc. access management), Data import and export, secure data deletion (e.g. when services are discontinued). Requirements can be viewed differently, depending on the risk assessment and specialist use of the managed data. For each suitable IT service to be purchased or offered from the cloud, it is advisable to develop a system of indicators, to help in the risk analysis. The technical requirements vary greatly and have specific effects on the assessment of risk. 5 See termine/zertifizierung.html 20