11. We Live in Hyped Times!
• “Amazon and PSN outages won't halt cloud revolution.” source The Register
• “SURVEY: Future-proofing the cloud.” source Network World
• “Virtualization, cloud computing to dominate Interop.” source Network World
• “Is Your Data Center Ready for Cloud Computing?” source Web Buyers Guide
• “Demystifying the Cloud – A Conversation with Dell’s CIO and CTO!” source Baseline Briefing
• “Cloud-enabled Wi-Fi: Less Dollars, More Sense” source Network World
• “Apple’s new services are expected to include a "digital locker" solution enabling consumers to
store their iTunes music, movie and television libraries on Apple servers for access on multiple
iOS-based devices.” source Fierce Mobile Content.
• “Brocade Unveils CloudPlex cloud architecture, an open framework for building virtualized data
centers, and offered a look at new technologies coming up in the near future to help make such
data centers possible.” source CRN
• “CenturyLink goes from local to global player with Savvis acquisition.” source Fierce
Free Software Foundation founder Richard Stallman called cloud computing,
“worse than stupidity.”
Bottom line: If your systems are down or you lose customer data, it's not the cloud
provider that suffers or goes out of business; they just issue a credit for the disruption.
12. First Phase of Cloud Consolidation
• Verizon acquired Terremark, an Infrastructure / Platform as a Service (I/PaaS)
provider, for $1.4 billion, to provide IT infrastructure services targeting the
enterprise market.
• Dell spent more than $2 billion in six months acquiring cloud technologies,
including PaaS provider Boomi, and is investing another $1 billion in a group of
global data centers.
• IBM acquired Cast Iron, Boomi’s competitor.
• Time Warner Cable acquired NaviSite.
• CenturyLink acquired Savvis
• Microsoft and Toyota forged a strategic partnership to build a global platform
for Toyota Telematics Services using Windows Azure.
• CA Technologies and Unisys entered into a joint venture that combines CA’s
virtualization and service management products with Unisys’ virtualization and
cloud advisory, planning, design and implementation services.
We will likely see further consolidation as telcos realize their weaknesses in selling cloud into
the enterprise, particularly small and medium enterprises.
13. Telstra spending $600M on cloud-based UC for businesses
• Telstra said it plans to invest $600 million to upgrade communications options
for 90 percent of the country's businesses and, in partnership with Microsoft and
Cisco, provide them with cloud-based unified communications.
• The QoS upgrades will encompass 1,6000 exchanges and take the telco until
September to complete.
• The Digital Business package will cost businesses $120 a month and include a
basic ADSL2+ connection to businesses, a Cisco Router and a Cisco digital
phone. Customers can pay an additional $15 a month to have their Internet and
voice connection switch over to the Telstra NextG network automatically if the
ADSL connection fails.
• Telstra said VoIP service would likely follow the QoS upgrade, once it "can give
all the reliability and also the technical backup we think the product needs, then
we will bring it to market."
Everything becomes labelled as Cloud. Really the $600M is on a network upgrade…
15. Evolution
• Cloud computing has evolved through a number of
phases which include grid and utility computing,
application service provision (ASP), and Software as a
Service (SaaS).
• But the overarching concept of delivering computing
resources through a global network is rooted in the
sixties.
Those Sixties!!!
17. The Dream of Cloud Computing
Integrated Circuit Foundries
• Semiconductor Fabs Expensive
– Typically > $1 Billion
– Too Much for Most Designers
• Fabs Take Outside Work
– Fabs Amortize Cost
– Other Designers Make Chips
• Allowed Explosion of Designs
– More Players Afford Rented Fab
Utility Computing
• New Datacenters Very Expensive
– Only a Few Companies Can Afford Huge Datacenters
• Utility Computing Datacenter Owners Amortize Costs
– Utility Computing Users Get Advantages of Elasticity
– Datacenter Resources Shared Across Many Users
But a private cloud doesn’t deliver scale?
18. What is Cloud Computing?
• Wikipedia - Cloud computing is Internet ('Cloud') based development and use of computer technology ('Computing'). The
cloud is a metaphor for the Internet (based on how it is depicted in computer network diagrams) and is an abstraction for
the complex infrastructure it conceals[1]. It is a style of computing where IT-related capabilities are provided “as a
service”[2], allowing users to access technology-enabled services from the Internet ("in the cloud")[3] without knowledge
of, expertise with, or control over the technology infrastructure that supports them[4]. According to the IEEE Computer
Society "It is a paradigm in which information is permanently stored in servers on the Internet and cached temporarily on
clients that include desktops, entertainment centers, table computers, notebooks, wall computers, handhelds, etc."[5].
• There is no consensus in the industry on a good definition of “cloud computing”. Today anything and everything on the internet will
come with a cloud computing logo.
• Simple definition: if the time between your application needing more capacity and getting more capacity is anything greater
than instant, it is not cloud computing, i.e. if there is no programmatic way to provision hardware, no pooled capacity and,
even worse, a purchase order is needed to get new hardware/software.
• The bottom line
o Changes the economics of computing from a capital investment to a utility (you buy electricity, you don’t buy generators)
o Changes the way software is developed: hardware provisioning, deployment and scaling are now part of the developer lifecycle as a
program / script rather than a purchase order
o Automates a whole bunch of infrastructure-related tasks and activities, leading to efficiencies and cost savings
19. What is Cloud Computing?
• A user experience and a business model
o Standardized offerings
o Rapidly provisioned
o Flexibly priced
• An infrastructure management and services delivery method
o Virtualized resources
o Managed as a single large resource
o Delivering services with elastic scaling
• Similar to Banking ATMs and Retail Point of Sale, Cloud is Driven by:
o Self-Service
o Economies of Scale
o Technology Advancement
[Figure labels: Banking, IT, Retail]
IBM Confidential
20. The NIST Definition of Cloud Computing
o Cloud computing is a model for enabling convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction. This cloud model promotes availability
and is composed of five essential characteristics, three service models, and four deployment
models.
Characteristics
1. On-demand self-service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Measured service
Service models
1. Cloud Software as a Service (SaaS)
2. Cloud Platform as a Service (PaaS)
3. Cloud Infrastructure as a Service (IaaS)
Deployment models
1. Private cloud
2. Community cloud
3. Public cloud
4. Hybrid cloud
21. Why Now?
From T-Systems, who has delivered SAP dynamic services since 2004
22. NIST 3 Cloud Service Models
• Cloud Software as a Service (SaaS)
o Use provider’s applications over a network
• Cloud Platform as a Service (PaaS)
o Deploy customer-created applications to a cloud
• Cloud Infrastructure as a Service (IaaS)
o Rent processing, storage, network capacity, and other fundamental computing
resources
• To be considered “cloud” they must be deployed on top of cloud
infrastructure that has the key characteristics
23. Service Model Architectures
[Figure: layered stacks for each service model, each built on Cloud Infrastructure.]
• Software as a Service (SaaS) Architectures: SaaS directly on Cloud Infrastructure; SaaS on PaaS; SaaS on PaaS on IaaS
• Platform as a Service (PaaS) Architectures: PaaS directly on Cloud Infrastructure; PaaS on IaaS
• Infrastructure as a Service (IaaS) Architectures: IaaS on Cloud Infrastructure
24. Mapping the Cloud Types
I use this simply to show the lock-in nature of the PaaS / SaaS providers’ model.
Amazon is more focused on a business model based on scale.
26. Cloud Computing Technologies
Technologies and the cloud services they map to:
• Applications: SaaS
• Dev Platforms; Multi-Tenant, Deployment & Management: PaaS + Support, Cluster services (Storage, DB, Security, Aggregation)
• Virtualization, Infrastructure Management and Grid Engines: IaaS
• Processing Hardware
I use this to simply show technologies associated with each layer – when we discuss
data center design and architecture we’ll come back to these components.
27. The NIST Cloud Definition Framework
• Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
• Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
• Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
30. Elasticity, Risk, and User Incentives
Services Will Prefer Utility Computing to a Private Cloud When:
• Demand Varies over Time
– Provisioning for Peak Leads to Underutilization at Other Times
– Pay by the Hour (Even if the Hourly Rate is Higher)
• Demand Unknown in Advance
– Web Startup May Experience a Huge Spike If It Becomes Popular
– Pay as You Go Does Not Require Commitment in Advance
The Value of Cost Associativity
$$\text{UserHours}_{\text{cloud}} \times (\text{revenue} - \text{Cost}_{\text{cloud}}) \;\ge\; \text{UserHours}_{\text{datacenter}} \times \left(\text{revenue} - \frac{\text{Cost}_{\text{datacenter}}}{\text{Utilization}}\right)$$
31. Cloud Is Mostly Driven by Money
Economics of Cloud Computing Are Very Attractive to Some Users
• Predicting Application Growth Hard
• Cloud Computing Will Track Cost Changes Better than In-House
• Investment Risks May Be Reduced
• In-House, You Must Provision for Peak
36. The 70/30 switch
On-Premise Infrastructure
• 30%: Your Business
• 70%: Managing All of the “Undifferentiated Heavy Lifting”
37. Cloud’s goal: flip this equation
On-Premise Infrastructure
• 30%: Your Business
• 70%: Managing All of the “Undifferentiated Heavy Lifting”
Cloud-Based Infrastructure
• 70%: More Time to Focus on Your Business
• 30%: Configuring Your Cloud Assets
38. Companies have different motivations for leveraging cloud
• Analytics & Security: Operations support 9 major commands, nearly 100 bases, & 700,000 active military personnel around the world. Design secure cloud infrastructure for defense & intelligence networks; insights about cyber attacks, network, system or application failures, while automatically preventing disruptions.
• Time to Value: Creates an ecosystem for PayPal 3rd Party developers. Reduces developer effort to deploy a work environment with seamless PayPal Test Sandbox access.
• Employee Productivity: Enable collaboration across 300K global employees as well as its network of customers, partners and suppliers. Saving 30 minutes per day or 120hr per year per person. IBM LotusLive has 18 million users in 99 countries.
• Risk & Compliance: 34,000-employee bank deploying a private cloud from IBM to centralize management of desktops via an enterprise class data center rather than at the user stations. Gets greater remote flexibility without sacrificing control to improve efficiency.
40. Why Be a Cloud Provider?
• Make a Lot of Money: Huge datacenters cost 5-7X less for computation, storage, and networking. Fixed software & deployment amortized over many users. Large company can leverage economies of scale and make money.
• Leverage Existing Investments: Web companies had to build software and datacenters anyway. Adding a new revenue stream at (hopefully) incremental cost.
• Defend a Franchise: What happens as conventional server and enterprise apps embrace cloud computing? Application vendors will want a cloud offering. For example, MSFT Azure should make cloud migration easy.
• Attack an Incumbent: A large company (with software & datacenter) will want a beachhead before someone else dominates in the cloud provider space.
• Leverage Customer Relationships: For example, IBM Global Services may offer a branded Cloud Computing offering. IBM and their Global Services customers would preserve their existing relationship and trust.
• Become a Platform: Facebook offers plug-in apps. Google App-Engine…
41. Full Cloud Taxonomy
[Figure: grid of Level Of Sharing (rows) against Business Value (columns: Infrastructure, Middleware, Applications, Business Processes).]
• Public Cloud @ Global Provider: IaaS, PaaS, SaaS, BPaaS
• Virtual Private Cloud @ Dedicated Provider: Dynamic Infrastructure Services, Integration-as-a-Service, Dynamic Apps Services, Dynamic BPO Services
• Private Cloud @ In-house Data Center: Infrastructure Virtualization Tools, Middleware Virtualization Tools, Apps Virtualization Tools, BP Virtualization Tools
Market labels on the right: PURE CLOUD MARKET at the public cloud row, EXTENDED CLOUD MARKET below it.
42. Terminology on XaaS: SaaS, PaaS, IaaS, CaaS and EaaS
• SaaS a.k.a Software As A Service (wikipedia):
o “software that is deployed over the internet and/or is deployed to run behind a
firewall on a local area network or personal computer. With SaaS, a provider
licenses an application to customers as a service on demand, through a
subscription or a "pay-as-you-go" model.”
• SaaS can be seen as the end user consumable service, and
what is usually meant by “cloud computing”.
• Microsoft classifies SaaS into four "maturity levels," whose key
attributes are configurability, multi-tenant efficiency, and
scalability.
• The SaaS model maturity is usually vendor specific.
43. IaaS: Infrastructure As A Service
• IaaS is scalable IT infrastructure readily attached to
a suitable communication media (Internet in case
of “public cloud” or corporate network in case of
“private cloud”), controlled through appropriate
APIs, and is available to its users in form of an
on-demand service typically with “pay-per-use”
charging model
• IaaS is a provision model in which an organization
outsources the equipment used to support
operations, including storage, hardware, servers
and networking components. The service provider
owns the equipment and is responsible for housing,
running and maintaining it.
• The consuming entity does not manage or control
the underlying cloud infrastructure but has control
over operating systems, storage, deployed
applications, and possibly limited control of select
networking components (e.g., host firewalls).
• IaaS: Amazon EC, IBM computing on demand,
Rackspace
44. IaaS is based on scale
• IaaS customer promise is about CAPEX and OPEX avoidance, streamlined operations, lower TCO
and lower entry barrier:
o Margins as per offered resources are usually pretty thin
o Revenue is generated by scale and volume
o Scale requires capability to economically cater for low-traffic customers and subsequently scale up to
high volumes
o Business processes for infrastructure operations and management need to be streamlined and mature
o The capability to meet scale requirements poses a relatively high entry barrier for a new
entrant in the IaaS business, due to the needed investments.
• Usually (but not necessarily always), IaaS players have an existing business, of which IaaS is a by-plot:
o CSPs, ecommerce, SaaS providers, data-center and hosting business.
o The target is to create revenue from existing under-utilized data center resources.
• Additionally, with ever-tightening legislation, competition, technology requirements,
efficiency requirements etc., operating one’s own data center requires more and more specific
competences (e.g. design for energy efficiency, design for compliance, ...)
o Capability development requires investments and takes focus away from the core business of the company.
45. PaaS: Platform as a Service
• PaaS: a capability provided to the user to
deploy onto the cloud infrastructure user-
created or acquired applications created using
programming languages and tools supported
by the provider.
• All cloud computing characteristics apply.
• Usually PaaS model includes an application
level framework, e.g. plug-ins for IDE
o Easier application development
o Implied lock-in with the provider
• Focus of PaaS is the developer and respective
ecosystem: Successful PaaS offerings have
tendency of attracting loyal,
open communities of developers.
• PaaS implies leverage of domain specific value,
e.g. business applications and force.com.
• Example: Google Apps, force.com, Facebook
46. PaaS: an outsourced application server platform?
• It appears that the PaaS provider’s offering holds similarities to what an
application server stands for
o Obviously, an application server platform is part of PaaS, despite the proprietary nature of
implementations.
• PaaS can be seen as a service, whereas an application server (“platform”) is
a technology to implement that service.
• PaaS can be regarded as an application development ecosystem:
o Implementation approach can vary and is not the core consideration: JEE, .NET, LAMP,
Python, Ruby...
o Middleware and connectivity services, elasticity, multi-tenancy
o Collaborative and integrated supporting ecosystem for the applications that are deployed on
PaaS platforms and need to be offered as services to the customers/consumers.
• IaaS scales the infrastructure, whereas PaaS scales the application
development ecosystem.
• For PaaS a key consideration is the risk of lock-in.
47. CaaS and EaaS
• CaaS a.k.a Communications As A Service (zimbio.com)
o “Delivering telecommunications, instant messaging etc. as a service over
the Internet. Telephony as a service, also known as “Voice as a service”,
employs VOIP (Voice Over Internet Protocol). Software and hardware can
be provided as a service by providers.”
o CaaS is specialized SaaS.
• EaaS a.k.a Everything As A Service
o Another buzz-word, and to some extent even more marketing spin: SaaS,
PaaS and IaaS bundled together as multiple instances.
49. Framing for cloud computing delivery model
[Figure: layered delivery model, top to bottom, with side labels for application management, platform O&M tools, and management and system tools for the infrastructure tier.]
• SAAS
o User interface layer
o Application instances: shared, customized, partners’ standard, third party standard and third party customized applications
o Application integration layer
• PAAS
o Platform abstraction layer
o Middleware platform: content services, web portal, identity services, dev. tools, protocol stacks, UI frame., BPMS etc.
o High availability framework
o Application server containers and database management systems
• IAAS
o Operating system
o Computing and storage virtualization
o Physical computing and storage environment
o Connectivity and access
The service models are separate: e.g. creating a SaaS offering
by no means requires bundling IaaS or PaaS with it.
50. Some Myths and Perceptions
• Isn’t it all about hardware provisioning?
o Not really. It is also about changing the software development lifecycle,
with scaling up, hardware provisioning and deployment all under the
control of developer-written programs.
• What about security and enterprise adoption?
o Two answers
• Private clouds: we are starting to see the adoption of the cloud computing
paradigm in the corporate data center. Big iron vendors are selling
private cloud products and hybrid solutions.
• The question: “Just as banks became a safe place to keep your money, away
from the safe-box in your grandfather’s home, the cloud will become the
default place to keep your data in the future.” An analogy I prefer is home
security: you can outsource to ADT, but in the limit you still need to do some
of it yourself.
51. Some Myths and Perceptions
• Isn’t this similar to Time Sharing?
o Yes to some extent.
o But it is not all about sharing of resources. It really boils down to cost savings
as a result of automation and changing the software development lifecycle
• How is it different from ASP?
o The ASP value-add was the typical value you get from an outsourcing
company. Leverage knowledge base, trained manpower and some shared
infrastructure to guarantee reliability of operations and potential cost savings
o Cloud Computing is taking the ASP concept to the next level with zero to little
amount of “People Services” and focus on the computing as a utility.
52. Public Clouds
• Public Clouds are good when
o Have low bandwidth and latency requirements
o Starting with test or development workloads
o Running collaboration applications
o Don’t have an upfront capital budget
• Not so good when
o You need strict performance SLAs
o Uptime is critical – no control over recovery
o Privacy or security is a concern, i.e.
• 3rd party has your data, auditors complain
• Can you review vendor’s security procedures?
o Costs per CPU hour can be larger than that of in-house server deployments.
Committing tightly to a single provider without a proper plan B is a no-go.
53. Internal Private Clouds
• Positives of internal private clouds
o Anticipated reduction of TCO
o Better hardware capacity utilization
o Elasticity
• Easy self service provisioning
• More efficient system management
o IT retains control of SLAs
• Data security and privacy
• High performance
• High availability
o Capability to provide spot-on chargeback reports as per need
• Negatives vs. public clouds
o Requires up front capital expenditure due to IT investments in own CAPEX
o Not as useful for small and medium businesses and departmental solutions due to needed investments
• Negatives vs. dedicated hardware
o Performance tax
o Not capable for massive parallel processing
54. Cost elements: SaaS versus traditional on-premises SW
• On-premises / in-house
o License payments at acquisition phase and recurring fees
o Customization and systems integration costs
o Implementation and deployment costs for roll-out
o Local IT and systems support arrangements, either own head-count or outsourced
o Training costs for end users
o Computing, storage, backup and network costs
o Support and maintenance costs
• SaaS
o Configuration and systems integration costs
o Business process adaptation costs
o Sign-up fees
o Recurring subscription fees
o Care and support fees
o Training costs (of a standard application)
o Internet connectivity costs
o (undefined price tag for potential strategic transition costs)
55. Cloud service provider space remains fragmented
[Figure: four groups of providers around cloud-based services.]
• Cloud native players: Amazon, Salesforce, Google
• Telecom providers: AT&T, BT, FT, DT/T-Systems, Verizon
• IT Service providers: Accenture, Capgemini, Wipro
• Large tech vendors: Cisco, Dell, HP, IBM
56. Why CSPs have a strategic fit for cloud computing
• Shared infrastructure
o CSPs have a long history of infrastructure that is networked and
interoperable via well-defined interfaces.
• Managed and hosted IT and communications services
o CSPs have long relied on vendors’ managed-services type of
professional services, which means that there is no inherent fear of
outsourcing operative responsibilities.
• Data centers
o Data center operations have long been the core of CSP production
machines.
• Security, data integrity and trust
o These are the traditional key characteristics of the telco business.
• Managed network services and end-to-end SLAs
o CSPs are familiar with end-to-end SLA thinking and KPI-based operations.
• Communications as a service
o Communications and connectivity are the bread and butter of CSPs.
• SME customer base
o The customer base of CSPs does cover SMEs, which means that they are
familiar with the problems and issues within the segment.
57. What is Cloud Computing For Telcos
[Figure: Cloud Computing for Telcos. Labels: New consumer-centric Cloud Services Delivery; Strength of trusted Infrastructure services, e.g. Billing; Network-Centric Engagement; Mass Adoption; Consumer Reach.]
Where Is The Cloud Opportunity For Telcos? CONSUMER vs ENTERPRISE
58. Telco’s Enterprise – Consumer Pendulum
[Figure: pendulum swinging between Consumer and Enterprise over time.]
• 65’s (Enterprise): Mainframes in Data Centers
• Enterprise drives Tech Awareness
• 75’s (Consumer): ISDN Telephony, 1st Gen. Remote Home Workers
• 80’s (Enterprise): PC on corporate desktop
• IT education of working generation
• 90’s (Consumer): Multimedia PCs, Cell Phones, Digital Kids, Consumerization IT
• 2005’s (Enterprise): Cloud Computing/SaaS
• Tech. Populism, Pay/Use, Web 2.0
• 2010’s (Consumer): Managed Devices, Media Convergence, Managed Desktops, X-Internet
• 2015’s (Enterprise): Enterprise 3.0, Collaborative Business Models, Cloud federated master data and distributed business transactions
Other labels: Innovators, Mass Adoptors, Converged Personas, Consumer Specific Personas
61. Security Trend – Virtual Firewalls and Additional
Procedures Part 1
• Virtualization is essentially adding an operating system.
– So there are now two operating systems to monitor and patch, instead of one. This
increases the chances of patches not being up to date creating security risks
– Procedures within the data centers running cloud services must be stricter than regular
data center procedures
• Traditional intrusion detection doesn’t work on virtual servers.
– Intrusion detection (and intrusion prevention) monitors network traffic (between physical
servers) and raises a red flag if there’s a traffic spike or type of traffic not explained by
legitimate operations.
– But there’s no way to monitor traffic between virtual servers on one physical host,
hence the emergence of virtual firewalls
• Malware can spread among virtual servers.
– Because traditional intrusion detection is blind to activity between virtual servers, it’s easy for a
virus or other malignant software to spread from one virtual server to another.
– And beyond, because virtualization is often used in conjunction with clustering that
moves data and applications among two or more physical servers, to provide
load-balancing and “failover” in case one server in the cluster encounters a problem.
– A network monitoring system cannot analyze this threat, hence the emergence of virtual firewalls
that protect virtual servers.
– VMware and Citrix have created hypervisor-based solutions that work with existing
security vendor solutions
• Confidential data can be compromised because there’s no way to monitor traffic flow
between virtual servers sharing the same physical server.
– There’s no way to tell whether confidential or legally protected data (such as medical
records or credit card numbers) have been compromised.
– Today this is managed by segregating data on a separate physical server, and such data is generally not
allowed outside of the internal corporate cloud.
62. Security Trend – Virtual Firewalls and Additional
Procedures Part 2
• Malware is now virtual-aware.
– “Virtual-aware” viruses can tell when they’re running in a virtual
environment. Though they’ve mostly used this knowledge to hide so far, they
could easily be adjusted to attack virtual servers’ vulnerabilities instead.
– According to research by the antivirus company ESET, more than 200,000
virtual-aware pieces of malware were at large in November 2008.
• Other methods of security management include structuring the resource
pools to match network segments, and forcing traffic among pools to pass
through the existing network security infrastructure.
– Generally use virtual LANs to achieve this, which results in lower resource
utilization and less flexibility in matching workloads to resources.
• VMware publishes security guidelines
– Limiting VM functionality to only those capabilities required by the
application
– General access controls to virtual console and management functions
– Quite complex and generally push operators towards partnering with an
established IT integrator in the virtualization space, e.g. HP or IBM
• A Cloud Service is only as strong as its weakest link
– Must ensure all VMs implement extra protections – recent Gartner surveys
show less than 20% of enterprise implementations include additional
protections for security in virtualization implementations
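A placement audit for the points made on slides 61 and 62 (same-host traffic that no network sensor sees, confidential data segregated on its own physical server, resource pools matched to network segments), as an added example that is not part of the original deck. The inventory format, rule names and host/VM names are constructed for illustration, and it assumes a standard virtual switch that forwards same-host, same-segment traffic without putting it on a physical link.

```python
import csv
import io
from collections import defaultdict
from itertools import combinations
from typing import NamedTuple

# Constructed sample inventory: one row per VM (not a real hypervisor export).
SAMPLE_INVENTORY = """\
vm,host,segment,classification
web-01,esx-a,dmz,public
app-01,esx-a,app,internal
db-cards,esx-a,pci,confidential
web-02,esx-b,dmz,public
web-03,esx-b,dmz,public
db-hr,esx-c,pci,confidential
db-pay,esx-c,pci,confidential
"""

REQUIRED_FIELDS = ("vm", "host", "segment", "classification")


class Finding(NamedTuple):
    rule: str
    host: str
    vms: tuple


def load_inventory(text):
    """Parse the CSV inventory, rejecting missing columns or empty fields."""
    reader = csv.DictReader(io.StringIO(text))
    missing = set(REQUIRED_FIELDS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"inventory is missing columns: {sorted(missing)}")
    rows = []
    for line_no, row in enumerate(reader, start=2):
        clean = {k: (row[k] or "").strip() for k in REQUIRED_FIELDS}
        if not all(clean.values()):
            raise ValueError(f"line {line_no}: empty field in {row}")
        rows.append(clean)
    return rows


def audit_placement(rows, sensitive=frozenset({"confidential"})):
    """Return findings per physical host, sorted by host then VM name.

    POOL_SPANS_SEGMENTS        host carries VMs from more than one network
                               segment, so the pool does not match a segment.
    SENSITIVE_SHARED_HOST      sensitive VMs share hardware with VMs of a
                               lower classification.
    NO_PHYSICAL_SENSOR_ON_PATH two VMs on one host and one segment: their
                               traffic stays inside the virtual switch, so
                               only hypervisor-level inspection can see it.
    """
    by_host = defaultdict(list)
    for row in rows:
        by_host[row["host"]].append(row)

    findings = []
    for host in sorted(by_host):
        vms = sorted(by_host[host], key=lambda r: r["vm"])
        names = tuple(r["vm"] for r in vms)
        segments = {r["segment"] for r in vms}
        classes = {r["classification"] for r in vms}

        if len(segments) > 1:
            findings.append(Finding("POOL_SPANS_SEGMENTS", host, names))
        if classes & sensitive and classes - sensitive:
            findings.append(Finding("SENSITIVE_SHARED_HOST", host, names))
        for a, b in combinations(vms, 2):
            if a["segment"] == b["segment"]:
                findings.append(
                    Finding("NO_PHYSICAL_SENSOR_ON_PATH", host, (a["vm"], b["vm"]))
                )
    return findings


if __name__ == "__main__":
    for f in audit_placement(load_inventory(SAMPLE_INVENTORY)):
        print(f"{f.rule:28} {f.host:6} {', '.join(f.vms)}")
```
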
63. Security Standards: SAS 70
• SAS 70 is the most commonly adopted security standard among
cloud service providers.
• Roughly 67 percent of cloud service providers follow SAS 70
(Statement on Auditing Standards No. 70), which is an
internationally recognized auditing standard developed by the
American Institute of Certified Public Accountants (AICPA) that
defines the standards an auditor must employ in order to assess the
contracted internal controls of a service organization like a hosted
data center, insurance claims processor or credit processing
company, or a company that provides outsourcing services that can
affect the operation of the contracting enterprise.
64. Security Standards: PCI DSS & SOX
• PCI DSS
o About 42 percent of cloud service providers follow the PCI DSS (Payment Card Industry Data Security
Standard) standard, a global security standard that applies to all organizations that hold, process or
exchange credit card or credit card holder information.
o The standard was created to give the payment card industry increased controls around data and to
ensure it is not exposed. It is also designed to ensure that consumers are not exposed to potential
financial or identity fraud and theft when using a credit card.
• Sarbanes-Oxley
o Sarbanes-Oxley (SOX) is a security standard that defines specific mandates and requirements for
financial reporting. SOX spawned from legislation in response to major financial scandals and is
designed to protect shareholders and the public from accounting errors and fraudulent practices.
o Administered by the SEC, SOX dictates what records are to be stored and for how long. It affects IT
departments that store electronic records by stating that all business records, which include e-mails
and other electronic records, are to be saved for no less than five years. Failure to comply can result in
fines and/or imprisonment.
o About 33 percent of cloud service providers follow SOX.
65. Security Standards: ISO 27001 and Safe Harbor
• ISO 27001
o About 33 percent of cloud service providers adhere to ISO 27001, a standard published in 2005 that is
the specification for an Information Security Management System (ISMS).
o The objective of ISO 27001 is to provide a model for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving ISMS, which is a framework of policies and
procedures that includes all legal, physical and technical controls involved in an organization's
information risk management processes.
• Safe Harbor
o About one-fourth of cloud service providers adhere to Safe Harbor principles, a process for
organizations in the U.S. and European Union that store customer data.
o Safe Harbor was designed to prevent accidental information disclosure or loss. Companies are certified
under Safe Harbor by following seven guidelines: notice, through which individuals must be informed
that their data is being collected and how it will be used; choice, that individuals have the ability to opt
out of data collection and of the transfer of data to third parties; onward transfer, that transfers of data to third parties
can only occur to organizations that follow adequate data protection principles; security, or
reasonable efforts to prevent loss of collected data; data integrity, that relevant data is collected and
that the data is reliable for the purpose for which it was collected; access, which gives individuals
access to information about themselves so that they can correct and delete it if it is inaccurate; and
enforcement, which requires that the rules are enforced.
66. Security Standards: NIST and HIPAA
• NIST
o National Institute of Standards and Technology (NIST) standards, originally designed for
federal agencies, emphasize the importance of security controls and how to implement them.
The NIST standards started out being aimed specifically at the government, but have recently
been adopted by the private sector as well.
o NIST covers what should be included in an IT security policy, what can be done to boost
security, how to manage a secure environment, and how to apply a risk management framework.
The goal is to make systems more secure. About 25 percent of cloud service providers adhere to
NIST standards.
• HIPAA
o The U.S. Health Insurance Portability and Accountability Act (HIPAA) is followed by roughly
16 percent of cloud service providers.
o The HIPAA standard seeks to standardize the handling, security and confidentiality of
health-care-related data. It mandates standard practices for patient health, administrative and
financial data to ensure security, confidentiality and data integrity for patient information.
67. Security Standards: FISMA and COBIT
• FISMA
o FISMA, or the Federal Information Security Management Act, was passed in 2002 and created
a process for federal agencies to certify and accredit the security of information management
systems.
o FISMA certification and accreditation indicate that a federal agency has approved particular
solutions for use within its security requirements. In its research. About 16 percent of cloud
service providers have obtained FISMA certifications.
• COBIT
o Control Objectives for Information and Related Technology (COBIT) is an international standard
that defines the requirements for the security and control of sensitive data. It also provides a
reference framework.
o COBIT is a set of best practices for controlling and securing sensitive data that measures
security program effectiveness and provides benchmarks for auditing. The open standard comprises
an executive summary, management guidelines, a framework, control objectives, an
implementation toolset and audit guidelines. About 8 percent of cloud service providers follow
the COBIT security standard.
68. Security Standards: Data Protection Directive
• The Data Protection Directive is a directive adopted by the European
Union that was designed to protect the privacy of all personal data
collected for or about EU citizens, especially as it relates to
processing, using or exchanging that data.
• Similar to Safe Harbor in the U.S., the Data Protection Directive makes
recommendations based on seven principles: notice, purpose,
consent, security, disclosure, access and accountability. About 8
percent of cloud service providers adhere to the Data Protection
Directive.
69. In Some Ways, "Cloud Computing Security"
Is No Different Than "Regular Security"
• For example, many applications interface with end users via the web. All the
normal OWASP (Open Web Application Security Project) web security
vulnerabilities (things like SQL injection, cross site scripting, cross site
request forgeries, etc.) are just as relevant to applications running on the
cloud as they are to applications running on conventional hosting.
• Similarly, consider physical security. A data center full of servers supporting
cloud computing is internally and externally indistinguishable from a data
center full of "regular" servers. In each case, it will be important for the data
center to be physically secure against unauthorized access or potential natural
disasters, but there are no special new physical security requirements which
suddenly appear simply because one of those facilities is supporting cloud
computing.
73. It's Not Just The Network: Storage Is Key, Too
See http://www.engadget.com/2009/10/10/t-mobile-we-probably-lost-all-your-sidekick-data/
However, see also: Microsoft Confirms Data Recovery for Sidekick Users
http://www.microsoft.com/Presspass/press/2009/oct09/10-15sidekick.mspx
76. Today’s IT infrastructure is under tremendous pressure and is
finding it difficult to keep up…
It will reach a breaking point
• In distributed computing environments, up to 85 percent of computing capacity sits idle
• 70 percent is spent on maintaining current IT infrastructures versus adding new capabilities
• Percentage of executives who report a security breach and aren’t confident they can prevent future breaches
• Percentage of CIOs who want to improve the way they use and manage their data
77. Create a roadmap for cloud as part of the existing IT
optimization strategy
• Consolidate
o Reduce infrastructure complexity
o Reduce staffing requirements
o Manage fewer things better
o Lower operational costs
• Virtualize
o Remove physical resource boundaries
o Increase hardware utilization
o Reduce hardware costs
o Simplify deployments
• Standardize and automate
o Standardize services
o Reduce deployment cycles
o Enable scalability
o Flexible delivery
78. Adoption of cloud computing will be workload driven
• Workload characteristics determine standardization
• Test for Standardization
o Web infrastructure applications
o Collaborative infrastructure
o Development and test
o High Performance Computing
o ...
• Examine for Risk
o Database
o Transaction processing
o ERP workloads
o Highly regulated workloads
o ...
• Explore New Workloads
o High volume, low cost analytics
o Collaborative Business Networks
o Industry scale “smart” applications
o ...
79. Workloads ready for cloud computing
• Analytics
– Data mining, text mining or other analytics
– Data warehouses or data marts
– Transactional databases
• Business services
– Customer relationship management (CRM) or sales force automation
– E-mail
– Enterprise resource planning (ERP) applications
– Industry-specific applications
• Collaboration
– Audio/video/Web conferencing
– Unified communications
– VoIP infrastructure
• Desktop and devices
– Desktop
– Service/help desk
• Development and test
– Development environment
– Test environment
• Infrastructure
– Application servers
– Application streaming
– Business continuity/disaster recovery
– Data archiving
– Data backup
– Data center network capacity
– Security
– Servers
– Storage
– Training infrastructure
– Wide area network (WAN) capacity
Source: IBM Market Insights, Cloud Computing Research, July 2009.
80. Public and Private Clouds are preferred for different workloads
• Top private workloads (database- and application-oriented workloads emerge as most appropriate)
o Data mining, text mining, or other analytics
o Security
o Data warehouses or data marts
o Business continuity and disaster recovery
o Test environment infrastructure
o Long-term data archiving/preservation
o Transactional databases
o Industry-specific applications
o ERP applications
• Top public workloads (infrastructure workloads emerge as most appropriate)
o Audio/video/Web conferencing
o Service help desk
o Infrastructure for training and demonstration
o WAN capacity, VOIP Infrastructure
o Desktop
o Test environment infrastructure
o Storage
o Data center network capacity
o Server
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
81. There is a spectrum of deployment options for cloud computing
[Figure: five deployment options, from private to public]
• Private cloud (enterprise data center)
• Managed private cloud (enterprise data center, third-party operated)
• Hosted private cloud (third-party hosted and operated)
• Shared cloud services (Enterprise A, Enterprise B)
• Public cloud services (Users A, B)
The options fall into three groups:
• Private: IT capabilities are provided “as a service,” over an intranet, within the enterprise and behind the firewall
• Hybrid: Internal and external service delivery methods are integrated
• Public: IT activities / functions are provided “as a service,” over the Internet
82. There is a spectrum of deployment options for cloud computing
• Private cloud
o Private
o Implemented on client premises
o Client runs/manages
• Managed private cloud
o Third-party operated
o Enterprise owned
o Mission critical
o Packaged applications
o High compliancy
o Internal network
• Hosted private cloud
o Third-party owned and operated
o Standardization
o Centralization
o Security
o Internal network
• Shared cloud services
o Mix of shared and dedicated resources
o Shared facility and staff
o Virtual private network (VPN) access
o Subscription or membership based
• Public cloud services
o Shared resources
o Elastic scaling
o Pay as you go
o Public Internet
83. Security is among the top concerns with cloud computing...
Security Framework provides a structure to address this concern
• People and identity
o Mitigate the risks associated with user access to corporate resources
• Data and information
o Understand, deploy and properly test controls for access to and usage of sensitive data
• Application and process
o Help keep applications secure, protected from malicious or fraudulent use, and hardened against failure
• Network, server and end point
o Optimize service availability by mitigating risks to network components
• Physical infrastructure
o Provide actionable intelligence on the desired state of physical infrastructure security and make improvements
Delivered through: Professional services, Managed services, Hardware and software
84. Movement from Traditional Environments to Cloud Can be
in One Step or an Evolution
Clients will make workload-driven
trade offs among functions such as
security, degree of customization,
control and economics
85. Businesses that implement cloud computing are seeing
significant results
• Reduced IT labor cost by 50 percent in configuration, operations, management and monitoring
• Improved capital utilization by 75 percent, significantly reducing license costs
• Reduced provisioning cycle times from weeks to minutes
• Improved quality, eliminating 30 percent of software defects
• Reduced end user IT support costs by up to 40 percent
• Simplified security management
88. But it does make sense for some functions within some organizations….
89. The NIST Cloud Definition Framework
• Deployment Models: Private Cloud, Community Cloud, Public Cloud, Hybrid Clouds
• Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
• Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
• Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
90. Elasticity, Risk, and User Incentives
Services Will Prefer Utility Computing to a Private Cloud When:
• Demand Varies over Time
o Provisioning for Peak Leads to Underutilization at Other Times
o Pay by the Hour (Even if the Hourly Rate is Higher)
• Demand Unknown in Advance
o Web Startup May Experience a Huge Spike If It Becomes Popular
o Pay as You Go Does Not Require Commitment in Advance
The Value of Cost Associativity
$$\text{UserHours}_{\text{cloud}} \times (\text{revenue} - \text{Cost}_{\text{cloud}}) \ge \text{UserHours}_{\text{datacenter}} \times \left(\text{revenue} - \frac{\text{Cost}_{\text{datacenter}}}{\text{Utilization}}\right)$$
91. Cloud Is Mostly Driven by Money
Economics of Cloud Computing Are Very Attractive to Some Users
• Predicting Application Growth Hard
• Cloud Computing Will Track Cost Changes Better than In-House
• Investment Risks May Be Reduced
• In-House, You Must Provision for Peak
92. Cloud’s goal: flip this equation
• On-Premise Infrastructure
o 30%: Your Business
o 70%: Managing All of the “Undifferentiated Heavy Lifting”
• Cloud-Based Infrastructure
o 70%: More Time to Focus on Your Business
o 30%: Configuring Your Cloud Assets
93. IBM Cloud Business Model
ROI Analysis Impact: Reduction of Total Cost of Ownership of Data Center Infrastructure
• Reduced Capital Expenditure
o Improved utilization reduces requirement for new capital purchases
• Reduced Operations Expenditure
o Lower facilities, maintenance, energy, IT service delivery and labor costs
• Additional Benefits
o Reduced risk, less idle time, more efficient use of energy, acceleration of innovation projects, enhanced customer service
• Business Case Results
o Annual savings: $3.3M (84%), from $3.9M to $0.6M
o Payback Period: 73 days
o Net Present Value (NPV): $7.5M
o Internal Rate of Return (IRR): 496%
o Return On Investment (ROI): 1039%
[Chart: current IT spend (software costs, power costs, labor costs for operations and maintenance, annualized hardware costs) compared with spend after the change: hardware costs (-88.7%), labor costs (-80.7%), power costs (88.8%), software costs and one-time deployment. Hardware, labor and power savings reduced annual cost of operation by 83.8%, liberating funding for new development, transformation investment or direct saving (strategic change capacity).]
Note: 3-Year Depreciation Period with 10% Discount Rate
94. CSPs and cloud computing
• The large CSPs have a long history of running large-scale data centers and the
respective operations.
• Hence, it is natural for CSPs to offer services via the cloud paradigm and to
enter the domain of providing enterprise-grade cloud computing
services.
o Historically, the focus has been on IaaS.
o This will most probably continue, since infrastructure services continue to be a lucrative
necessity.
• Analyst reports (e.g. Ovum) indicate that SaaS/CaaS roadmaps are
evolving within major telco CSPs.
o This is a logical growth path, as the cloud computing model leverages the telco core competences.
o CSPs already have a strong foothold in connectivity, which is essential for XaaS.
o The trend seems to be that IaaS remains the core focus and SaaS is developed in an opportunistic
way, i.e. develop a solution to a problem and see whether it could be reapplied to a general
business case as SaaS.
• Most often CaaS appears to stand for communication as a service,
collaboration as a service or unified communications as a service.
95. Why CSPs have a strategic fit for cloud computing
• Shared infrastructure
o CSPs have a long history of running infrastructure that is networked and
interoperable via well-defined interfaces.
• Managed and hosted IT and communications services
o CSPs have long relied on vendors’ managed-services type of
professional services, which means that there is no inherent fear of
outsourcing operative responsibilities.
• Data centers
o Data center operations have long been the core of CSP production
machines.
• Security, data integrity and trust
o These are the traditional key characteristics of the telco business.
• Managed network services and end-to-end SLAs
o CSPs are familiar with end-to-end SLA thinking and KPI-based operations.
• Communications as a service
o Communications and connectivity are the bread and butter of CSPs.
• SME customer base
o The customer base of CSPs covers SMEs, which means that they are
familiar with the problems and issues within the segment.
98. Enterprise Cloud Computing
[Figure: “IT-Controlled Cloud Computing” diagram. Legible labels: consumption, planning, improvements; EA & DCA standards and policies; system lifecycles; hyperlinked models and metadata; IT ops management; application architecture; application resources; ops policies; policy-based dynamic availability; efficient consumption, metering and billing; servers, storage, application VMs; portfolio of virtualized private clouds; public clouds; improved service delivery with flexibility; end-to-end IT design with control.]
• Accelerate application delivery
• Improve IT service management
• Business obtains flexibility while IT maintains control
Treat Cloud just like any IT project: focus, don't believe the hype, and take it step by step
101. Conclusions
[Figure labels: Business Applications, Mobile, CRM, Analytics, Data Center, VPN, Email, Infrastructure, Desktop Software]
It’s what your mother told you: “Don’t put all your eggs in one basket.”