2. 2.2.1 IT Service Management Principles in a Cloud Environment
Outsourcing to the Cloud means that the provider needs to be in control of the complete supply chain.
Key areas of control:
• IT governance; the customer needs to remain in control over his/her business processes
• Business-IT alignment; the customer needs to make sure that the Cloud IT processes support his/her business in the short and long term
3. IT Governance
The following elements need to be in place:
• Good Service Level Management
• Different requirements for the different Cloud models
• Reporting system
• Clear SLAs with ‘SMART’ performance criteria
• Proper audit standards and internal audit mechanisms
  • Provider: ISO/IEC 20000:2011 (Service Management), ISO/IEC 27001-2 (Information Security)
  • Customer: COBIT® or ISO/IEC 38500:2008 (corporate governance of IT)
(COBIT® is a registered trademark of the Information Systems Audit and Control Association (ISACA)/IT Governance Institute (ITGI))
4. 2.2.2 Managing Service Levels in a Cloud Environment
ISO/IEC 20000:2011 quality specifications
Component: Quality specifications, consisting of:
• Information System (People, Processes, Technology, Partners); purpose: to manage information
• Availability, Capacity, Performance, Security, Scalability, Adjustability, Portability
• Support (Changes, system restoration in case of failure, Maintenance); purpose: to ensure performance according to the agreed requirements
5. ISO/IEC 20000:2011 Processes
• The provider needs to conform to the process requirements.
• Its staff need to be familiar with the processes and adhere to the procedures and instructions!
Process group: Service delivery processes
− Service Level Management
− Service Reporting
− Service Continuity and Availability Management
− Budgeting and Accounting for Services
− Capacity Management
− Information Security Management
Process group: Relationship processes
− Business Relationship Management
− Supplier Management
Process group: Control processes
− Configuration Management
− Change Management
Process group: Resolution processes
− Incident Management
− Problem Management
Process group: Release process
− Release and Deployment Management
6. Questions to ask the Cloud provider
• How are audits performed?
• Where are the servers located, and which legislation applies to the data?
• What are the provisions when a service changes or ends (service life cycle and end of life)?
• What are the provisions if we want to migrate to another provider (contract life cycle and end of life)?
9. 3.1.1 Accessing Web applications through a Web Browser
• Basic ingredients:
  - “any” web enabled device
    - PC, laptop, tablet, smart phone, thin client
  - Internet browser
  - Internet connection
    - Provider, IP address
  - Cloud based application
    - SaaS solution
10. 3.1.2 Cloud Web Access Architecture
Basic ingredients:
• Standard protocols (for each ISO-OSI layer)
• Web enabled device
  • PC
  • Laptop
  • Tablet
  • Smart phone
  • And… the Thin Client (revival of the computer terminal)
• Internet access
12. Examples of standard protocols
• HTTP
• VT
• RTSE
• API sockets
• TCP and IP
• SSL
• Ethernet, IEEE 802.3, 10BASE-T
13. 3.1.3 The use of a Thin Client
• A simple network enabled computer
• No moving parts like a hard disk or DVD drive
• Boots from the network
• Benefits:
  • Lower costs; initial price and running costs
  • Simple; no moving parts
  • Better for the environment; they produce less heat and need less cooling, sometimes not even a fan
  • Heightened security; booting from the network with controlled access, no local data, etc.
  • Less chance of user errors
14. Categories of Web applications … for everyone
• Google Gmail
• Yahoo Mail
• Twitter
• Zimbra
• Salesforce
• Dropbox
• Skype
• …
15. Categories of Web applications … for business
• Customer Relationship Management (CRM)
• Enterprise Resource Planning (ERP)
• HR solutions
• IT Service Management
• Finance & accounting
• Web design and management
• Email (professional)
• Webmail
• Office suites
• E-Business
• Online Storage
• Collaboration
• Video conferencing
17. Mobile web enabled devices
• Tablet
• Smart phone
Platforms:
• Apple iPhone
• Google Android
• Blackberry
• Windows phone
+ Interoperability between different cellphone networks
− No/low interoperability between platforms
18. Typical solutions for mobile devices
• Text messaging
• E-mail
• Apps
• Navigation
• Streaming radio
• TV
• Internet browser
• And… anything you can imagine (or not)
20. 3.2.1 Impact of Cloud Computing on primary business processes
• Primary processes are Purchasing, Manufacturing, Sales, Advertising and Marketing
• Contribution of Public or Hybrid Cloud computing, for example:
  • Purchasing and Manufacturing
    • Collaboration with suppliers: exchange and share platforms
  • Sales, Advertising and Marketing
    • Interaction with potential customers and the market: social media
    • Communication with customers: social media
    • Registration of customer contacts: CRM
21. 3.2.2 Role of standard applications in collaboration
• Social Media (also for business use!)
  • LinkedIn, Facebook, Twitter
• Email/Webmail
  • Google Gmail, Yahoo Mail
• Videoconferencing
  • Skype
• File sharing
  • Dropbox
• Sales and CRM
  • Salesforce
22. Application Example: Content Management Systems
• Large numbers of people contribute and share stored data
• Controlled access to data, based upon user roles
• Easy storage and retrieval of data
• Reduction of repetitive duplicate input
• Easier report writing & communication between users: previous versions are accessible
• Access is location independent
24. 3.3.1 Impact on Relationship Vendor Customer
• The relationship between provider and customer changes
  • Customer intimacy: running the customer’s business
  • Running the whole supply chain
• Requirement to demonstrate performance and compliance
  • New and clear SLAs
  • Audit trail
  • Compliance with legislation, regulations and international audit standards
25. 3.3.2 Benefits and Risks of providing Cloud based Services
• Benefits: business opportunities
  • New lease of life for “old” data centers (IaaS)
  • Better use of resources because of multi-tenancy
  • Economies of scale
  • Quickly develop and run applications in the same environment (PaaS)
• Risks: challenges
  • Compliance
    - Standards, legislation and regulations
  • Performance
    - Availability, capacity, flexibility, scalability
  • Security
  • Privacy
29. 4.1.1 Security risks in the Cloud
• Data breaches / loss
• Shared technology vulnerabilities
• Insecure application interfaces
• Malicious insiders
• Abuse of Cloud Services
• Denial-of-Service
• Account, service and traffic hijacking
• Insufficient Due Diligence
Copyright & Source: Cloud Security Alliance (CSA), paper: “Cloud Security Alliance The Notorious Nine: Cloud Computing Top Threats in 2013”.
30. 4.1.2 Measures mitigating Security Risks
Risk and mitigation (one mitigation per listed risk):
• Data breaches/loss: authentication, audit, authorization, etc.
• Shared technology vulnerabilities: operations procedures, operational security practices, etc.
• Insecure application interfaces: design for security, etc.
• Malicious insiders: HR vetting procedures, etc.
• Abuse of Cloud Services: validation of credentials, active monitoring of traffic, etc.
• Unknown risk profile: SLA structures, Cloud provider compliance audits
• Account, service and traffic hijacking: strong authentication, active monitoring, etc.
• Insufficient Due Diligence: assess the financial health of the Cloud service provider
Copyright & Source: Cloud Security Alliance (CSA), papers: ‘Cloud Security Alliance “Top Threats to Cloud Computing” Version 1.0 (2010)’ and “Cloud Security Alliance The Notorious Nine: Cloud Computing Top Threats in 2013”. The Notorious Nine lists controls instead of mitigating measures.
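Added example, not part of this deck or of the CSA papers: the "strong authentication, active monitoring" mitigation for account, service and traffic hijacking presupposes something that actually watches the authentication log. The Python below scans a small, constructed login log for two classic hijacking indicators, a burst of failed logins followed by a success, and a success from a source address the account has never used before. The log format, the threshold of five failures within five minutes, the user names and the addresses are all assumptions made for the example.

```python
"""Account-hijacking indicators over a constructed login log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO time> <user> <source ip> <result>"
SAMPLE_LOG = """\
2013-06-01T08:00:05 alice 203.0.113.10 success
2013-06-01T08:10:11 bob 198.51.100.7 success
2013-06-01T09:00:01 alice 192.0.2.44 failure
2013-06-01T09:00:03 alice 192.0.2.44 failure
2013-06-01T09:00:04 alice 192.0.2.44 failure
2013-06-01T09:00:06 alice 192.0.2.44 failure
2013-06-01T09:00:09 alice 192.0.2.44 failure
2013-06-01T09:00:12 alice 192.0.2.44 success
2013-06-01T10:30:00 bob 198.51.100.7 success
2013-06-01T11:00:00 bob 203.0.113.99 success
"""

FAIL_THRESHOLD = 5             # assumed policy: failures that make a following success suspicious
WINDOW = timedelta(minutes=5)  # assumed policy: how far back failures are counted


def parse_log(text):
    """Turn the constructed log text into (time, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def find_hijack_indicators(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (time, user, ip, reason) alerts, processing events in time order."""
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    known_sources = defaultdict(set)      # user -> source addresses of earlier successful logins
    alerts = []
    for ts, user, ip, result in sorted(events):
        failures = recent_failures[user]
        while failures and ts - failures[0] > window:  # forget failures older than the window
            failures.popleft()
        if result == "failure":
            failures.append(ts)
            continue
        # A success: was it preceded by a burst of failures (guessing that worked)?
        if len(failures) >= fail_threshold:
            alerts.append((ts, user, ip,
                           f"success after {len(failures)} failures within {window}"))
        failures.clear()
        # A success from an address this account has never logged in from before.
        if known_sources[user] and ip not in known_sources[user]:
            alerts.append((ts, user, ip, "success from new source address"))
        known_sources[user].add(ip)
    return alerts


if __name__ == "__main__":
    for ts, user, ip, reason in find_hijack_indicators(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user:6} {ip:15} {reason}")
```

The new-source rule stays silent on an account's very first login, because there is no baseline yet; in practice the set of known addresses would be seeded from a longer history, and both thresholds would come from the monitoring policy agreed in the SLA rather than from constants in the code.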
33. 4.2.1 Authentication
• Non-Cloud authentication
  • Simple authentication using user-id and password
  • Active Directory authentication
    • Uses your Active Directory account credentials
    • Uses the Kerberos protocol (no transmission of readable data)
• Authentication in the Cloud
  • Active Directory authentication (VMware plays the role of the domain controller and/or security server)
  • LDAP (Lightweight Directory Access Protocol) or Kerberos
34. Triple-A Authentication
• Authentication
  • Triple identification: what/who you
    • Know (password)
    • Have (token/smart card)
    • Are (fingerprint or retina scan)
• Authorization
  • Leveled
• Accountability
  • Periodic logs & audit data
35. 4.2.2 Main aspects of Identity Management
Typical characteristics of an Identity Management system are:
• Role management; IT implementation of a business role.
• Role hierarchy; a representation of an organization chart.
• Separation of duties.
• Group management; permissions are not given to people but to roles.
• Self-service functions.
• Password synchronization.
• Digital Identity; presence and location determine available services and capabilities.
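Added example, not from this deck, of three of the characteristics listed above (role hierarchy, group management and separation of duties) together with the "leveled" authorization of the Triple-A slide, in Python: permissions are attached to roles rather than people, a senior role inherits its juniors' permissions, and an assignment that would give one person two mutually exclusive roles is refused, including when the conflict arrives indirectly through the hierarchy. The finance department, its roles and the one separation rule are constructed for the example.

```python
"""Role-based access control with a role hierarchy and separation of duties (added example)."""


class SeparationOfDutiesError(Exception):
    """Raised when an assignment would give one person two mutually exclusive roles."""


class RoleModel:
    def __init__(self):
        self.inherits = {}      # role -> junior roles whose permissions it inherits
        self.permissions = {}   # role -> permissions granted directly to that role
        self.assignments = {}   # user -> roles assigned directly to that user
        self.exclusive = []     # pairs of roles one person may not hold together

    def add_role(self, role, inherits=()):
        self.inherits[role] = set(inherits)
        self.permissions.setdefault(role, set())

    def grant(self, role, *perms):
        """Group management: permissions go to roles, never to individual users."""
        self.permissions[role].update(perms)

    def add_separation(self, role_a, role_b):
        self.exclusive.append(frozenset((role_a, role_b)))

    def closure(self, roles):
        """All roles reachable from 'roles' down the hierarchy (a senior role holds its juniors)."""
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(self.inherits.get(role, ()))
        return seen

    def assign(self, user, role):
        """Assign a role, refusing if the user's effective roles would then violate a separation."""
        effective = self.closure(self.assignments.get(user, set()) | {role})
        for pair in self.exclusive:
            if pair <= effective:
                raise SeparationOfDutiesError(f"{user}: {' and '.join(sorted(pair))}")
        self.assignments.setdefault(user, set()).add(role)

    def user_permissions(self, user):
        perms = set()
        for role in self.closure(self.assignments.get(user, set())):
            perms |= self.permissions.get(role, set())
        return perms

    def can(self, user, perm):
        return perm in self.user_permissions(user)


def build_sample_model():
    """Constructed finance department: roles, hierarchy and one separation-of-duties rule."""
    m = RoleModel()
    m.add_role("employee")
    m.add_role("accountant", inherits=["employee"])
    m.add_role("approver", inherits=["employee"])
    m.add_role("finance_manager", inherits=["approver"])   # a manager is also an approver
    m.grant("employee", "read_ledger")
    m.grant("accountant", "create_invoice")
    m.grant("approver", "approve_invoice")
    m.grant("finance_manager", "close_period")
    m.add_separation("accountant", "approver")   # nobody both raises and approves invoices
    m.assign("alice", "accountant")
    m.assign("bob", "approver")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print("alice:", sorted(model.user_permissions("alice")))
    try:
        model.assign("alice", "finance_manager")
    except SeparationOfDutiesError as err:
        print("refused:", err)
```

The refusal on `finance_manager` is the point of checking the closure rather than the directly assigned roles: the manager role never mentions `accountant`, but it inherits `approver`, and an accountant who also approves is exactly what the separation rule exists to prevent.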
36. Single sign-on (SSO) for web services
• Problem: security infrastructure in the Cloud is distributed
• Solution: Single sign-on (SSO)
  • All distributed elements consolidated on an SSO server
  • Credentials are offered by AD account, token or smart card
  • Uses the SOAP protocol
37. 4.2.3 Privacy, compliance issues and safeguards in Cloud Computing
• Issues
  • Handling of Personally Identifiable Information (PII)
  • Compliance with international privacy legislation and regulations
• Safeguards
  • Effective Access Control and Audit
  • Secure Cloud Storage
  • Secure Network Infrastructure
38. Personally Identifiable Information (PII)
• Forms of identification: SSN, passport, fingerprints
• Occupational: job title, company name
• Financial: bank numbers, credit records
• Health care: insurance, genetic
• Online activity: log-ins
• Demographic: ethnicity
• Contact: phone, e-mail
39. International Privacy/Compliance
• USA: the Privacy Act 1974, federal laws HIPAA & GLBA and Safe Harbor
• Japan: Personal Information Protection Law and Law for Protection of Computer Processed Data Held by Administrative Organs (1988)
• Canada: PIPEDA (Personal Information Protection and Electronic Data Act 2008) and Privacy Act (1983)
• EU: laws and privacy standards of the member countries, EU Internet Privacy Law (DIRECTIVE 2002/58/EC, 2002) and EU Data Protection Directive (1998)
40. Safeguards
• Effective Access Control and Audit
  • Single sign-on (SSO)
  • Strong authentication: password & biometric measure
  • Review of audit logs
• Secure Cloud Storage
  • Encryption
  • Integrity by mechanisms such as hashing
• Secure Network Infrastructure
  • Encryption protocols against leakage
  • Integrity protocols (digital signatures) against modification
• Consult a lawyer specialized in international legislation
• Know where (in which country) your data is
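Added example for the "integrity by mechanisms such as hashing" safeguard, not code from this deck: an unkeyed digest stored beside an object in Cloud storage catches accidental corruption, but not a deliberate rewrite, because anyone who can rewrite the object can recompute the digest too. A keyed digest (HMAC) under a key the customer keeps outside the provider's reach detects both. The stored data and the key are constructed; only the Python standard library is used, so confidentiality (the "Encryption" bullet) is left out here.

```python
"""Integrity of stored objects: unkeyed digest versus keyed digest (added example)."""
import hashlib
import hmac

# Constructed key; in practice it lives in the customer's key management, not in the store.
CUSTOMER_KEY = b"constructed-example-key-not-for-real-use"


def store_with_digest(data: bytes) -> dict:
    """Store an object with an unkeyed SHA-256 digest beside it."""
    return {"data": data, "sha256": hashlib.sha256(data).hexdigest()}


def verify_digest(obj: dict) -> bool:
    """Recompute the digest; this detects accidental corruption of 'data' only."""
    return hmac.compare_digest(hashlib.sha256(obj["data"]).hexdigest(), obj["sha256"])


def store_with_hmac(data: bytes, key: bytes) -> dict:
    """Store an object with an HMAC-SHA256 tag computed under the customer's key."""
    return {"data": data, "tag": hmac.new(key, data, hashlib.sha256).hexdigest()}


def verify_hmac(obj: dict, key: bytes) -> bool:
    """Valid only if data and tag were produced together by a holder of the key."""
    expected = hmac.new(key, obj["data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, obj["tag"])


def rewrite_object(obj: dict, new_data: bytes) -> dict:
    """Model a party with write access to the store (but not to the key) replacing
    the data and refreshing every unkeyed field it is able to recompute."""
    new = dict(obj, data=new_data)
    if "sha256" in new:
        new["sha256"] = hashlib.sha256(new_data).hexdigest()
    return new   # an HMAC tag, if present, is left stale: the key is not available


def demo() -> dict:
    """Run both schemes against the same rewrite; returns the verification outcomes."""
    plain = store_with_digest(b"quarterly report v1")
    keyed = store_with_hmac(b"quarterly report v1", CUSTOMER_KEY)
    return {
        "digest_accepts_rewrite": verify_digest(rewrite_object(plain, b"quarterly report v2")),
        "hmac_accepts_rewrite": verify_hmac(rewrite_object(keyed, b"quarterly report v2"), CUSTOMER_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` is used for both checks so that the comparison itself does not leak, through its timing, how many leading characters of the tag were right. Where the provider must also be kept from reading the data, the same idea carries over to an authenticated encryption mode, whose tag then covers the ciphertext.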
45. Compelling feature: quicker time-to-market
But…
• Can the cloud provide the resources faster than when hosted locally in your company?
• What do we give up?
• What do we gain?
• Is your organization willing to compromise?
• Are the organization, employees, IT staff and other interested parties willing to make the change without delay?
46. TCO ‘and all that stuff’
Statement: moving into the Cloud lowers your TCO of IT
• Is this true, or are you just redistributing costs?
• Capital costs are lowered significantly, but are replaced by subscriptions, pay-per-use, expensive support contracts, etc. (CAPEX becomes OPEX)
• We need to compare what we are paying now to the Cloud scenario
• Not only as a snapshot, but also as a long-term video
47. Example: Total cost of application ownership (TCAO)
• Server costs
• Storage costs
• Network costs
• Backup and archive costs
• Disaster recovery costs
• Data center infrastructure costs
• Platform costs
• Software maintenance costs (package software)
• Software maintenance costs (in-house software)
• Help desk support costs
• Operational support personnel costs
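Added example for the "snapshot versus long-term video" point and the TCAO cost heads above, with constructed figures that are not from the deck: cumulative ten-year spend for an on-premises setup (hardware bought up front and refreshed every five years, plus growing running costs) against a Cloud subscription (a one-off migration plus a growing subscription). Which option is cheaper depends on the year in which you take the snapshot.

```python
"""Multi-year TCO comparison: on-premises CAPEX/OPEX versus Cloud subscriptions (added example)."""


def yearly_onprem(years, capex, refresh_every, opex_year1, growth):
    """Annual cost: hardware bought in year 1 and re-bought every 'refresh_every' years,
    plus running costs (power, floor space, staff, maintenance) growing by 'growth' a year."""
    costs = []
    for y in range(1, years + 1):
        cost = opex_year1 * (1 + growth) ** (y - 1)
        if (y - 1) % refresh_every == 0:
            cost += capex
        costs.append(cost)
    return costs


def yearly_cloud(years, subscription_year1, growth, migration):
    """Annual cost: a one-off migration in year 1 plus a subscription that grows each year."""
    costs = [subscription_year1 * (1 + growth) ** (y - 1) for y in range(1, years + 1)]
    costs[0] += migration
    return costs


def cumulative(costs):
    """Running total, the 'video' view rather than the single-year snapshot."""
    totals, running = [], 0.0
    for cost in costs:
        running += cost
        totals.append(running)
    return totals


def cheaper_by_year(onprem, cloud):
    """For each year, which option has spent less in total up to and including that year."""
    return ["cloud" if c < o else "on-premises"
            for o, c in zip(cumulative(onprem), cumulative(cloud))]


def sample_comparison(years=10):
    """Constructed figures (not from the deck): 300k of hardware every 5 years plus 80k/yr
    running costs, against 50k migration plus 150k/yr subscription, both growing 3% a year."""
    onprem = yearly_onprem(years, capex=300_000, refresh_every=5, opex_year1=80_000, growth=0.03)
    cloud = yearly_cloud(years, subscription_year1=150_000, growth=0.03, migration=50_000)
    return cheaper_by_year(onprem, cloud)


if __name__ == "__main__":
    for year, winner in enumerate(sample_comparison(), start=1):
        print(f"year {year:2}: cumulative spend lower for {winner}")
```

With these figures the Cloud is ahead for the first three years, on-premises overtakes it in year 4, the year-6 hardware refresh puts the Cloud back in front, and from year 8 on-premises is cheaper again: a one-year snapshot taken at any of those points would "prove" either conclusion.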
48. 5.1.2 Operational and staffing benefits
• Operational benefits (examples):
  • Managed services
  • Self-service (unmanaged services)
  • Instant server deployment
  • Software licensing without impact on CAPEX
  • Uptimes are guaranteed
  • Backups as a service (always off-site)
• Staffing benefits (examples):
  • Fewer IT staff (lower wage bill)
  • Lower recruitment, HR and training costs
  • Lower employee benefits
51. 5.2.1 The evaluation of performance factors, management requirements and satisfaction factors
Typical questions to be asked are:
• How long does it take to resolve incidents and problems?
• How good is the security of the Cloud data center?
• How does system performance (i.e., connection and transaction speeds) compare to your own data center and private network?
Advice: it makes sense to do a comparative study of several providers before you sign a contract.
52. Evaluating Cloud Implementations
• Power savings
• Floor space savings
• Network infrastructure
• Maintenance
• Software licensing
• Time to value
• Trial period
• Service
• Wiser investment
• Security
• Compliance
• Faster delivery of what you want
• Less CAPEX
• Short-term needs
53. Performance, Requirements and Satisfaction
Try before you buy!
• Demand a trial period!
• Do not commit until you are certain it works the way you want, especially when considering a completely new software package or completely new service!
54. 5.2.2 Evaluation of service providers and services: what you get for your money
You need a Governance framework!
• Performance
  • Monthly technical performance reports;
  • Exception reports;
  • Quarterly management reviews.
• Compliance
  • Third-party statements for:
    • SAS70, ISAE3402
    • ISO/IEC 20000, 27001, 9001, etc.
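Added example, not from this deck, of the monthly technical performance report and exception report the governance framework asks for, measured against a SMART SLA criterion (assumed here to be 99.9% availability per calendar month): given outage records, the Python below computes achieved availability per month, splits an incident that runs across a month boundary between the two months, and lists the months that missed the target. The incidents, the reporting period and the target are constructed.

```python
"""Monthly availability and exception reporting against an SLA target (added example)."""
import calendar
from datetime import datetime

SLA_TARGET_PCT = 99.9   # assumed SMART criterion: availability per calendar month

# Constructed outage records (start, end) in ISO 8601; the third one crosses a month boundary.
INCIDENTS = [
    ("2013-01-10T02:00:00", "2013-01-10T02:30:00"),
    ("2013-02-03T10:00:00", "2013-02-03T11:00:00"),
    ("2013-03-31T23:30:00", "2013-04-01T00:45:00"),
]
REPORT_MONTHS = ["2013-01", "2013-02", "2013-03", "2013-04"]


def month_minutes(year, month):
    """Minutes in a calendar month, the denominator of the availability figure."""
    return calendar.monthrange(year, month)[1] * 24 * 60


def first_of_next_month(dt):
    if dt.month == 12:
        return datetime(dt.year + 1, 1, 1)
    return datetime(dt.year, dt.month + 1, 1)


def downtime_by_month(incidents):
    """Sum outage minutes per 'YYYY-MM', splitting incidents that cross a month boundary."""
    totals = {}
    for start, end in incidents:
        cur, stop = datetime.fromisoformat(start), datetime.fromisoformat(end)
        while cur < stop:
            seg_end = min(stop, first_of_next_month(cur))   # never run past the month end
            key = cur.strftime("%Y-%m")
            totals[key] = totals.get(key, 0.0) + (seg_end - cur).total_seconds() / 60
            cur = seg_end
    return totals


def availability_report(incidents, months, target_pct=SLA_TARGET_PCT):
    """One row per reported month: downtime, achieved availability and whether the target was met."""
    downtime = downtime_by_month(incidents)
    rows = []
    for ym in months:
        year, month = (int(part) for part in ym.split("-"))
        total = month_minutes(year, month)
        down = downtime.get(ym, 0.0)
        pct = (total - down) / total * 100
        rows.append({"month": ym, "downtime_min": down,
                     "availability_pct": pct, "met": pct >= target_pct})
    return rows


def exception_report(rows):
    """Only the months that missed the target: the input to the quarterly management review."""
    return [row for row in rows if not row["met"]]


if __name__ == "__main__":
    report = availability_report(INCIDENTS, REPORT_MONTHS)
    for row in report:
        print(f"{row['month']}: {row['downtime_min']:5.1f} min down, "
              f"{row['availability_pct']:.3f}% {'OK' if row['met'] else 'EXCEPTION'}")
    print("exceptions:", [row["month"] for row in exception_report(report)])
```

The boundary split matters for a per-month criterion: counted whole, the March-to-April incident would either hide April's 45 minutes inside March or charge March with time it did not lose. A 99.9% monthly target allows only about 43 to 45 minutes of downtime, so a single incident of an hour is enough to breach it, which is the kind of consequence to check before agreeing to a figure in the SLA.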