This Keynote presentation was delivered by Rob Livingstone at the Inaugural Cloud Security Alliance NSW Chapter meeting. The primary focus of my presentation was to take a business / non-IT Executive's position on the whole topic. If anyone would like more information on my other presentations, please visit http://www.navigatingthroughthecloud.com/
2. Agenda
• Scope
• Theme
• Systemic Risks vs. Technical Risks
• Cloud Strategy? What Cloud Strategy?
• Risks of a fractured Cloud strategy
• From consumer to corporate – the leap of faith
• Recognise the forces behind Cloud adoption
• Orchestrating the Hybrid Cloud ecosystem
• Some risk mitigation approaches
navigatingthrougthecloud.com
3. Scope
• HARDEST: Major enterprise instances, with complexity, scale, risk, compliance, deep integration, long term
• Integration, enterprise governance needed
• EASIEST: Commodity / Stand-alone Cloud applications
4. Theme
Key Variable #1: SIZE
How big is the target organisation?
• Sole trader (A ‘no-brainer’)
• SME
• Mid sized
• Large
• Very large (Eyes wide open)
Broadly speaking, what is the ease of adoption and suitability of Cloud for these organisations?
5. Theme
Key Variable #2: COMPLEXITY
How complex is your organisation?
• Simple – Can run it on a spreadsheet (A ‘no-brainer’)
• Somewhat complex
• Lots of moving parts
• Very sophisticated structure, processes, etc
• My head hurts thinking about it (Eyes wide open)
Broadly speaking, what is the ease of adoption and suitability of Cloud for these organisations?
6. Theme
Key Variable #3: FAULT TOLERANCE
How FAULT TOLERANT is your organisation?
• Pretty resilient – lots of workarounds (A ‘no-brainer’)
• Would get by in the event of a major fault
• Serious damage could result
• Organisation’s viability would be threatened
• High / extreme – people die, organisation ceases to exist, external liability, etc (Eyes wide open)
Broadly speaking, what is the ease of adoption and suitability of Cloud for these organisations?
8. Theme
Public Cloud: All You / Your Client have is a contract…
9. Systemic Risks vs. Technical Risks
• Most large organisations are:
– Complex systems
• Systemic Risks are inherent in Complex Systems
– Systems that are complex (discrete or non-linear) rather than linear
– Systems that are tightly coupled
– Systems that are time-dependent
– Systems that contain invariant processes (independent of change)
– Systems that contain little slack
… are more prone to systemic failure, rather than component failure
• Technical Risks
– Failures associated with discrete elements of the overall system
Source: ‘Normal Accidents: Living With High-Risk Technologies’, Charles Perrow, New York: Basic Books, Inc., 1984.
10. Cloud Strategy? What Cloud Strategy?
• In and of itself, a ‘Cloud Strategy’ means little
• If there is a coherent …
– Enterprise business strategy, supported by coherent …
– Business Plans, of which a key component is the …
– IT Business Plan, of which a key component may be …
– A Cloud Strategy …
… you minimise the risks of poorly defined / orphaned projects or a fractured Cloud strategy
• Let’s explore some of the risks associated with a Fractured Cloud Strategy …
11. Risks of a fractured Cloud Strategy
• Short term commercial imperatives trump all else
• Vendor predation
• Inappropriate reassignment of accountabilities from IT
• Dismembering of enterprise IT
• Federated Cloud solution selection without federating the risks
• Global Optimum vs. Local Optimum
• Increased TCO
• Inadequate procurement due diligence in key domains such as cost, legal, governance, compliance, security, etc.
• Suboptimal architecture
• Proliferation of data silos
• Heightened information security vulnerability
12. From Consumer to Corporate – a step of faith for some?
SMB / Mid Market / Big end of town
13. Recognise the forces behind Cloud adoption
• Identify the origins of the change driver from internally generated influences, which could include:
o IT Department wanting to migrate to Cloud
o Business demanding IT move to the Cloud
o Compelling vendor offer (maybe yours?) generates the demand to shift to the Cloud
o Need for an IT system – fast!
o IT just not meeting the organisation’s needs
o Perceived high comparative cost of internal IT
o ... And so on ...
14. Recognise the forces behind Cloud adoption
• Identify the origins of the change driver from External influences:
o New legislation
o Merger / Acquisition
o Margin / Profit squeeze
o Cut ‘Time to market’
o Need to drive innovation
o Mandate from overseas Headquarters
o ... And so on .....
22. Orchestrating the Hybrid Cloud ecosystem
1. Key drivers of integration effort:
• Number of systems to be connected
• Who is in control – you or the Cloud vendor?
• Degree and scope of Integration
• Risk tolerance
• IT Architectural considerations
• Compliance, Regulatory and Audit load
• Disaster Recovery implications (Logical and Physical)
• Size
• System volatility
• Systemic complexity
• Security and privacy
• Budgetary / cost
• Life expectancy of the system(s)
23. Orchestrating the Hybrid Cloud ecosystem
2. Blending legacy, on premise and other IT systems
• The cost of building the integration points may exceed the cost of your Cloud application
• What are the business requirements for:
• Data integration
– Drives enterprise data matching
– Dashboards and ‘Business Intelligence’
– ... And so on
• Application integration
– Do you want to create an integrated user experience? i.e. a single screen rather than having to use a myriad of screens from different systems
24. Orchestrating the Hybrid Cloud ecosystem
3. Localised Clouds leading to federated IT / Cloud Silos
• Organisations with poor IT-Business engagement and alignment facilitate the growth of local cloud applications that:
• Meet a local business need
• Are easily managed by the local ‘owner’
25. Orchestrating the Hybrid Cloud ecosystem
4. Local optimum vs. Global optimum
• What’s good for a local instance may save time, cost, etc
• Does this approach scale?
• Have you factored in the costs, effort and risks of administering multiple systems?
• Centralise / Decentralise discussion starts all over again
• Take an evolutionary approach?
• Do you only mandate in the case of risk, privacy, security?
26. Orchestrating the Hybrid Cloud ecosystem
5. Hybrid architectures including hybrid security model
• How do you manage security in a federated, distributed model?
27. Orchestrating the Hybrid Cloud ecosystem
6. Potential points of conflicts with CSO / CFO / CIO / COO
• Gain consensus from all stakeholders in your organisation on the settings for enterprise risk, governance, including:
• Compliance, discovery, forensics, logging and fault finding challenges
7. Enterprise data warehousing and integration
• Network speeds and related considerations
8. Enterprise data warehousing and ‘Big Data’
• Quo Vadis?
28. Some risk mitigation approaches
• Be crystal clear on the drivers behind Cloud for the organisation.
• Understand and accurately map the solution to the organisation’s legislative, regulatory and compliance environment
• Know the minimum privacy, security and data jurisdictional needs clearly.
• Map to the regulatory environments of the organisation’s potential clients if needed
• Resolve integration complexities
– Map cost exposures in cloud brokerage and integration environments
29. Some risk mitigation approaches
• Assess the volatility of your cloud provider’s ecosystem
– What will your provider look like in 2 years’ time?
• Delivery through Service Value Chains means that the weakest link effect is to be recognised and managed
• Identify inconsistencies in Security, Privacy, Governance, Regulatory compliance through the Cloud provider’s chain
• Confirm executive accountabilities for risk!
• Reshape the role of your IT Department
– Shift from a technology provider to a Services broker
– Differing skills mix for in-house IT
– Technology enabled business services is the direction to take for enterprise IT
30. Some risk mitigation approaches
• Perform your own due diligence, and seek absolutely independent, experienced, financially disinterested advice if needed
• Stress test your business case by:
– Conducting a sensitivity analysis for feasible business, legal and operational scenarios
– Pricing in risk
– Defining and costing your exit strategy for each stage of the life cycle in your Cloud
– Defining the Cloud roles and accountabilities clearly. E.g. How do they compare to the roles defined in the NIST CCRA?
31. Subscribe to my Podcast Channel – Interviews, Discussions and independence + PDF Transcripts