Cloud Services Common Assessment and Considerations

Date: June 2011
Department: Technology and Systems Governance
Version: 2.0
Unclassified

Malta Information Technology Agency, Gattard House, National Road, Blata l-bajda HMR 9010 Malta
Telephone: (+356) Facsimile: (+356) Web Site:
Document Control Information

01. Document reference

02. Document type
Report

03. Security classification
Public

04. Synopsis
This report identifies key considerations that need to be taken into account before considering any cloud computing offerings including Software as a Service solutions.

05. Document control
Author: Technology and Systems Governance
Change controller: Technology and Systems Governance
Distribution controller: Technology and Systems Governance

06. Authorisation
Issuing authority: Technology and Systems Governance (Signature / Date)
Approval authority: Technology and Systems Governance (Signature / Date)

07. Modification history
Version            Date        Comments
Final Draft        17/09/2010  Draft Version for internal review
Final              18/11/2010  Final Version following internal review
Final Draft Ver 2  10/06/2011  Draft version for internal review
Final Ver 2        13/06/2011  Final Version

08. Acknowledgements
Technology and Systems Governance

09. References
1. Software as a Service (SaaS) paper
2. Cloud Computing Key Considerations for Adoption (Infosys)
Executive Summary

MITA will be procuring a number of services that can be categorized as potential candidates to be rolled out as Cloud Based Services (or that have strong Cloud Services attributes), most prominently Software as a Service (SaaS). There are a number of shortcomings and challenges that need to be addressed from an enterprise perspective before embarking on this type of implementation paradigm, including but not limited to legal matters, procurement processes, business continuity and governance.

The scope of this paper is to identify and highlight key considerations that an organisation needs to carefully assess prior to considering the procurement of cloud computing services.
Table of Contents

01. INTRODUCTION
02. CONSIDERATIONS
03. CONCLUSIONS
01. Introduction

The introduction of cloud computing technologies and services within an organisation brings a number of challenges together with the associated benefits. Decision makers therefore need to evaluate effectively the suitability and applicability of such technologies and services in the context of the business needs, the organisation's boundaries and, ultimately, the intended projected benefits.

The aim of this document is to highlight a number of considerations that should be carefully assessed prior to the procurement of cloud based services. The considerations listed in this document are not exhaustive, but they do provide a good baseline for determining whether the desired solution fits the cloud based approach.
02. Considerations

While cloud based services promise to deliver many benefits and innovative ways of working, these might not be applicable or may be difficult to adopt in certain cases. The applicability of such services depends on a number of factors including, but not limited to: the nature, size and maturity of the organisation, the intended audience of the service, and the criticality and security of the service. For example, certain services may be applicable to a small organisation that requires little usage of a service, whilst the same service might not be applicable to a larger organisation that requires heavy usage of it, due to cost, service level agreements, performance, etc. Factors such as economies of scale play a major role in determining the viability of particular cloud services.

Following are some key considerations that one needs to carefully assess prior to considering the procurement of cloud computing services. This list is not exhaustive, but it does capture what are, in our opinion, the more prominent considerations.

1. What are the business continuity considerations in view of the scale and magnitude of the solution? What are the Exit Strategy considerations?

Business continuity is of prime importance to Government, especially when considering that with such cloud services Government will be bound to the terms and conditions of the service, with a limited degree of flexibility and control. Therefore one needs to see that the necessary contractual and procedural obligations are in place in the event that the supplier goes out of business, breaches the service contract or does not meet SLAs, or that Government decides to move away from the service provider. Furthermore, Government would require an exit strategy that leads to the establishment of an exit plan which guarantees business continuity at the least cost and impact possible.

2. How do Government's high level technology and architecture building blocks impact the cloud service?

For example, Corporate identity needs to be serviced through the Corporate Directory, based on a claims based architecture; can such integration be offered by the cloud service?

3. What is MITA's experience in consuming (and eventually delivering) cloud based solutions? Does MITA have the capacity and knowledge (operational, legal, procurement, etc.) to manage such services on behalf of Government?

Cloud services require new skill sets and procedures; therefore training to build up such skill sets is mandatory.

4. What is the demand for using the cloud services provided by the vendor? Is it mostly constant or widely varying?

Cloud based services are more appropriate for varying demand than for constant demand, as one of the benefits is a cost model based on usage.

5. What is the frequency of usage? How frequent is the usage of the service?

In most cases, very frequent usage makes it less economically sensible to go for cloud based pay-per-use models. Similarly, cloud based models usually target varying demand, whereby an enterprise may take advantage of variable costing models based on usage fluctuations.

6. Are customized services or interfaces required from the vendor?

Cloud vendors may not find it economically attractive to provide highly customized services, and hence the price for end users might also not be very attractive.
7. How mission critical is the application or service?

A mission critical application would need very stringent Service Level Agreements (SLAs), which cloud vendors will most probably not be able to satisfy as yet.

8. What are the compliance requirements?

The cloud vendor might not have support for the specific compliance needs enforced by Government.

9. What are the preferred technologies and development platforms? What are the long term plans in this regard?

Vendor lock-in is one of the major issues in cloud based services. Migration from one cloud environment to another would be much more challenging than migrating between on-premise software has been up till now, as interoperability standards in this regard are still immature.

10. What are the integration requirements of the SaaS based solutions with other applications and processes within Government?

The integration between SaaS offerings from different vendors is a challenge unless provided by the vendor out of the box through open standards such as web services.

11. What are the internal IT and industry regulations for sharing data outside of the enterprise and Government? Are there any legal jurisdictions in this regard? What is the security classification of the data in question and how does this impact the location of the data?

Some industry segments have very stringent data privacy and security needs, whilst there are legal jurisdictions governing where data resides based on data classification. What is the tolerance level of risk in this regard?

12. How should expenses preferably appear in the balance sheet: as capital expenditure (CAPEX) or operating expenditure (OPEX)? From a procurement perspective, is Government mature enough to support such a model?

If Government's strategy is to prefer OPEX type models, a cloud computing model would be more suitable. Having said this, are MITA's and Government's procurement processes mature enough to handle this type of procurement?

13. What are the performance requirements and SLAs of applications and services that are required from the Cloud by Government?

The reality is that performance levels of services will be impacted if cloud services are chosen as compared to on-premise implementations, even if they have distributed data centers. In spite of certain high performance SLAs, vendors may still not be able to satisfy the performance levels at all times due to the inherent network latency of the Internet. Can the business processes tolerate performance levels that are far below par? Does Government's infrastructure meet the requirements, such as bandwidth and latency, needed to support such services?

14. What are Government's network and international bandwidth roadmaps and usage?

In most cases cloud services mandate reliable levels of latency, as well as reliability and capacity on the network and international bandwidth, so as to provide a seamless user experience. Does Government have the appropriate mechanisms in place to cater for such needs?

15. Should a solution/service be implemented through an off-premise cloud service or should it be serviced through a Government on-premise cloud?

Assuming Government has the necessary resources to service the solution within its on-premise cloud, the decision to host a solution on-premise or off-premise will depend on a number of risk factors, which will be tackled on a case by case basis. These risk factors include but are not limited to proximity requirements, revenue generation, mission criticality, security classification, technology, European Union obligations, legal obligations and political sensitivity.

16. In the case a solution is to be migrated to a cloud platform, do the existing solution licensing models facilitate such a transition?
17. What are Government's security requirements? Do the cloud service providers and their service offerings meet Government's security requirements?

When using off-premise cloud services, Government and its entities may have limited ability to define their security requirements. Having said this, Government still remains responsible for the information that is stored and processed in the cloud. Therefore one needs to make sure that the security provided by the cloud provider is in line with the security requirements of Government.
03. Conclusions

Whilst there are a number of advantages and challenges in the adoption of cloud based services, the key considerations provided in this paper can be used as a starting point by MITA to assess the viability of such cloud services and the respective paradigm. There are surely other, more specific considerations, which should be catered for on a case by case basis when analysing the viability of cloud based services.