1. Cloud in 2013
The Future is, well, Cloudy
Dr. Joseph Williams
Senior Director – Cloud Connect Strategies
Microsoft Corporation
josephwi@microsoft.com
2. It is the wild, wild west out there…
• Search with Google shows
• 41,300 references to “Cloud
Economics”
• 48,500 references to “Cloud
Business”
• 60,800 references to “Cloud Issues”
• 111,000 references to “Cloud
Management”
• 438,000 references to “Cloud
Security”
• 25,700 references to “Cloud Summit”
3. What is Cloud Computing (and how often
will this question be asked through 2013?)
• Common: Cost-effective and reliable services delivered
through someone else’s data centers.
• European Union: “Elastic execution environment of
resources involving multiple stakeholders and providing a
metered service at multiple granularities for a specified
level of quality (of service).”
• National Institute of Standards and Technology:
“Cloud computing is a model for enabling convenient, on-
demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly
provisioned and released with minimal management
effort or service provider interaction.”
• Gartner: “A style of computing whose massively scalable
and elastic IT-related capabilities are provided as a
service to external customers using Internet
technologies.”
• Each individual definition is
relatively unimportant
• What is important is that we do
not yet have convergence on
what cloud “is”
• We probably won’t by 2013
• Businesses invest in certainty
• Consumers may be more
attracted to trendy and may
accept less certainty
• Underlying all is cost,
performance, reliability, and risk
4. The Cloud and the Analysts: Good News in 2013
• IDC
• In 2009, ~$17 billion was spent on cloud-related technologies.
By 2013, that spending is expected to grow to $45 billion.
• Gartner
• 25% of all software delivery is expected to be via SaaS platform by
year 2011
• Private Cloud Computing…will be a significant strategic
investment for businesses.
• Forrester
• Less than 10% of enterprises are leveraging IaaS today, more
than half plan to do so in the next 2-3 years.
5. Why Enterprise Customers are Embracing the
Cloud in 2013
Nicholas Carr, “every enterprise
around the globe spends huge
sums of money on high
availability and disaster recovery
capacity that collectively stands
idle … as Enterprise leaders
become increasingly comfortable
with co-location of commodity
services, fantastic
transformations in global IT
spending will follow.”
Geoffrey Moore, “enterprise
leaders ought to shed their
organizations of non-
differentiated staffs and
services and focus their staffs
solely on services unique to
their businesses.”
6. Quick Aside: Why Microsoft is “All-in” for the Cloud in 2013
• 9.9 billion messages a day via Windows Live Messenger
• 600 million unique users every month on Windows Live & MSN
• 500 million active Windows Live IDs
• 40M paid MS Online Services (BPOS, CRM online, etc.) in 36 Countries
• 5 petabytes of content served by Xbox Live during last year’s Christmas
week
• 1 Petabyte+ of updates served every month by Windows Update to
millions of servers and hundreds of millions of PCs worldwide
• 2000 Azure applications available at initial release
• 5 Million LiveMeeting conference minutes per year
• Forefront for Exchange filters 1 billion emails per month
7. Goldman Sachs May 2010 CIO Survey –
Enterprises are trending towards the Cloud
• CIOs are becoming more comfortable with the stability and
reliability of shared resources. 55% of survey respondents plan to
virtualize their production server environment by CY11, up from 42%
today
• Data centers are gradually moving off-premise despite CIOs’
ongoing concerns over data security and control; respondents
intend to move an average ~3% of their IT infrastructure from
private clouds to managed hosting/public clouds in each of the next
two years
• CIOs intend to host email in the cloud, indicating growing
confidence in the Cloud's ability to host critical applications
8. SaaS is currently being adopted and
perceived to be “proven”
IaaS appears to be the next category to
mature and gain acceptance
PaaS is the farthest away in terms of
acceptance and adoption
Timeline: Current, 2013, 5+ Years
Infrastructure as a Service (IaaS)
• The benefits are easier to understand and resonated well among
those who had or foresaw issues with exceeding infrastructure
capabilities.
• It will take several years to differentiate IaaS from existing Cloud-like
offerings, such as co-location solutions, infrastructure hosters, and so
forth.
• Thinking in terms of an adoption pathway, IaaS will be the next after
SaaS (in the next 2 years or so)
Platform as a Service (PaaS)
• Platform as a Service, as a true development platform situated in the Cloud,
appears to be the most problematic concept in terms of both comprehension
and appeal.
• For most, the obvious downsides (e.g., need to re-write and test, or to create
apps from scratch utilizing Cloud APIs) outweighed potential gains (e.g.,
infinite scalability, which most enterprises don’t need).
• Thinking in terms of an adoption pathway, true PaaS (i.e., DevPlat in the
Cloud) appears to be the farthest away.
IaaS will arrive in 2013
10. An Idealized 2013 Cloud Enterprise
Sales
Operations
HR
Marketing
Accounting
R&D
Collaboration
For all employees
11. Reality in 2013: Forecasts for the UK*
• Spending on Cloud Computing will be worth £76 billion in 2010
• Spending will grow to £119 billion in 2013
• Consumers and small business will spend more than medium and large
companies throughout the forecast period
• Issues of compliance, governance, security and data protection will act as a
brake on spending for medium and large companies
* Source: http://martinhingley.wordpress.com/2010/05/05/uk-cc-forecast-q210
13. Regulatory and Jurisdictional Challenges for
the Cloud in 2013 are the same as always
10 years ago…
• Security and privacy top of mind
• Hacking, virus propagation,
cyber-espionage and cyber-
warfare on the rise
• Enforcement officials need tools
& training
• Vehicles for cross-border
collaboration inadequate
Today…
• Security and privacy top of mind
• Hacking, virus propagation,
cyber-espionage and cyber-
warfare on the rise
• Enforcement officials need tools
& training
• Vehicles for cross-border
collaboration inadequate
14. Still Unresolved in 2013: Jurisdictional Tensions
• Inadequacies of ownership of IP created in the Cloud
• Newly generated information in the cloud creates uncertainties
• What kinds of IP rights?
• Which national law applies to creation?
• Ownership doesn’t control use adequately
• Nature of relationship licenses provider and customer to use information
• Main use of IP rights is against third parties
• Tensions created by different countries asserting jurisdiction over data
• Tension between privacy rules requiring minimization of data retention
obligations
• Law enforcement access
• Human rights concerns
• How much should the location of the data matter?
15. Data Sovereignty
A Serious Problem in 2013
Singapore
Hong Kong
Netherlands
Ireland
United States
• Efficiencies and benefits of
cloud computing are best
achieved when data flows
freely across borders
• Privacy laws that restrict
such flows will continue to
be an impediment
• European restrictions
• Canadian provincial rules
• Australia National Privacy
Principle #9
• Blackberry problems of 2010
16. By 2013 Governments Will Also Have
Woken up to the Economic Benefits of
Cloud Computing
17. 2013 will be the year for
Governments to Unwind the Cloud
For Legal, Political, Economic, Social, Taxation Issues
19. 2013 Will Bring A Shift in Skills Focus
Infrastructure
Database
Middle Tier
Applications
Management
Development
Client
On Premises
Cloud
TODAY
TOMORROW
20. The Big Battles of 2013
• Service descriptions do not rise to legal clarity
• Need for standardization
• Need for clear articulation (service catalog)
• OpEx is not always preferable to CapEx, contradicting
one of the generally assumed benefits of Cloud Computing
• For many, CapEx is perceived as an easier and faster expense
to justify, and OpEx is something they’re continually pushed to
reduce.
• A new type of complexity in Cloud Connect
21. Final Thoughts – The Good News
Workforce mobility, supporting branch locations, and granting partners access to
enterprise resources will be real in 2013
2013 will bring significant Cloud benefits and revenues, including flexibility,
resiliency (i.e., failover / DR), reduced internal management burden, faster
provisioning, pay-as-you go, and anywhere access.
Licensing complexity will be reduced in 2013:
• Subscription easier than perpetual
• Compliance is much simpler
• Underutilization and undeployed software easier to manage
In 2013 centralized “Cloud IT” will enhance collaboration and reduce complexity
Ease and speed to deployment are benefits that will be common from the Cloud in
2013
22. Final Thoughts – The Grim News
Internet has enjoyed ‘light touch’ regulation – That will end by 2013
Data is becoming ‘stateless’:
• Cross platforms
• Cross providers
• Cross borders
Governments and Enterprises will be very worried about this in 2013
By 2013 “Best of Breed” Clouds will need to integrate:
• Developers need certainty to build globally relevant applications
• Customers need confidence that their data is protected
• Service providers need clarity to build the platform and infrastructure for the cloud
How legal and regulatory frameworks ‘interoperate’ will not be defined yet in 2013
Taxation will have caught up with the Cloud by 2013
24. Appendix A: A Business View of
Questions To Be Answered by 2013
• The next few slides contain questions that really need to be
addressed by 2013
• Most enterprises will seek satisfying answers before
deciding to move significant workloads to the cloud
• Ultimately there is no right or wrong answer; there is just an
answer which reflects the enterprise, its business values,
and its requirements
25. Compliance and Risk Management
• What certifications does your provider possess?
• ISO 27001:2005
• How often do they re-certify?
• Do you have access to the audit reports?
• Who conducts the audits?
• How seamless are the processes to move in to the cloud and back?
• How is the collaboration between the cloud provider and you with regards to essential
processes like:
• Incident Response
• Forensic Analysis
• Risk Management
• Breach Notification
• Law Enforcement Enquiries?
26. Compliance and Risk Management
• How do you handle dispute resolution and liability issues?
• How can you ensure policy compliance?
• How can you prove that you follow your internal policies in the cloud as well? What is needed?
• What is needed to prove policy compliance towards any regulation you have to follow?
• What industry or government standards do you comply with?
• How are your infrastructure and processes audited and by whom? Do I have access to audit
summaries?
• How are you able to monitor your risks all across your infrastructure?
• Are there clearly defined metrics for the cloud service to be monitored?
• How are eDiscovery and criminal compliance requests handled?
• Are the audit logs forensically and legally sound?
27. Identity and Access Control
• How can you integrate the provider’s identity metasystem with your identity management
processes?
• Who owns your identity?
• Is there an in-person proofing for identities you will trust (if this is necessary from your risk
assessment)?
• How can identities federate across different services and from your internal environment to the
cloud?
• How do I federate with my partners, vendors, and other enterprises?
• Is the application writer responsible for access controls or is there a service to do that?
• How are the databases protected for access?
• Do the software APIs have cryptographic keys in use?
• Is all of your software signed?
28. Service Integrity
• How does your provider ensure the security of the written code?
• Have they implemented a Security Development Lifecycle?
• How do they do Threat Modeling?
• How do they test against their Threat Model?
• How is process consistency ensured?
• What is the hiring process for the personnel doing administrative operations?
• Are they background checked?
• What levels of access do they have?
29. Service Integrity
• How is the software protected from corruption (malicious or accidental)?
• Is there a secure development and software integrity process enforced for all
the code within the responsibility of the provider?
• Who does the cloud supplier use as its critical suppliers, and is there transparency
into how those relationships are managed for security and availability?
• What is the Security Update strategy of the cloud provider?
• How does the cloud provider manage vulnerabilities, including incident
response and triaging?
30. Other Integrity
• End-Point Integrity
• How is the client integrated into the trust relationship with the cloud (e.g. CardSpace)?
• Information Protection and Transaction Integrity
• Who owns your data?
• Can it be encrypted?
• Who has access to encryption keys?
• Where is the backup located and do you have an on-premise backup? How is
the backup purged?
• Where is your data stored? What requirements do you have with regards to the
physical location of your data?
31. Appendix B: A Security View of
Questions To Be Answered by 2013
• The next few slides contain questions that really need to be
addressed by 2013
• Most procurement and audit groups within enterprises will
demand precise answers before deciding to move
significant workloads to the cloud
• Ultimately there is a “right answer” for these stakeholders
32. Cloud Security Governance and Legal
Issues - How do you Manage the Contract?
There should be a standard contract for Customers to start from
- This assumes there is one
- Work with customer security people before signing
• Don’t give the customer nasty surprises after they have signed
The contract should cover areas including the following:
- Data and Data Retention
- Service Level Agreement
- Liability
- Jurisdiction Issues
- Privacy
- Information Security Laws – breach notifications etc
- Information Requests
- Electronic Discovery
- Compliance and Audit
33. Cloud Security Governance and Legal
Issues – Data Governance
How is data stored?
Where is data stored?
Is it possible to export? What is the cost for this?
Does the provider claim any ownership rights to customer data?
What data security measures are implemented by default and
what additional measures are available?
What type of encryption is supported?
Who has access to customer data?
- Will third party contractors have access?
How to enforce data retention policies under third party control?
34. Cloud Security Governance and Legal
Issues - Service Level Agreements (SLA)
What level of availability (“uptime”) is promised and how is it
defined (i.e. four 9s)?
What are the Recovery Time Objectives (RTO) and Recovery Point
Objectives (RPO)?
What backup and restoration procedures are performed to ensure
availability?
How is performance benchmarking defined and implemented?
Can the cloud provider change terms and policies of service at
will?
- Can the provider’s vendors do this?
35. Cloud Security Governance and Legal
Issues - Liability
The customer is legally liable for misuse or inappropriate use of
their information by a third party
The contract with any third party provider should be carefully
scrutinized for potential conflicts of interest where the provider
exercises its contractual rights over customer data.
36. Cloud Security Governance and Legal
Issues – Jurisdiction Issues
Customer data will reside on a physical machine belonging to a
third party and become subject to local laws.
The customer should be aware of what, if any, control can be
exercised over the physical location where their data resides.
- Where are datacenters located?
• Can the customer choose the locations where data is housed?
- How does the provider ensure that cross-border legal requirements on
data storage are met?
- What restrictions can the customer place on vendor initiated transfers of
information between storage locations?
37. Cloud Security Governance and Legal
Issues - Privacy
Does the provider collect and analyze information about
customer data for the provider’s own use?
- Is the data anonymized?
- Is any of this data provided to third parties?
Are customers notified about such data collection?
- Are customers able to opt-out of such data collection?
- Can customers restrict what data can be provided to third parties and/or
limit its use?
Does the provider have a privacy policy prohibiting the transfer
of personally identifiable information to unaffiliated persons?
38. Cloud Security Governance and Legal
Issues - Information Security Laws – breach
notifications
The customer is liable for a breach of sensitive data even when it occurs
on a third party system.
The customer must enact legally required security and client notification
procedures.
The customer should understand how the provider handles security
incidents and protects data.
- What measures are in place to restrict access to customer data?
- How is access to customer data tracked and how are users positively identified?
- How is the customer notified of inappropriate data access?
- What steps are taken to contain and mitigate inappropriate access once discovered?
39. Cloud Security Governance and Legal
Issues – Information Requests
Customers should be aware of the laws and the provider policies
surrounding requests for information about customer data.
Providers may be under no legal obligation to notify customers when the
provider receives an information request. In some cases, the provider
may be legally barred from notifying the customer about a request for
information about customer data.
- What notifications will be given to the customer regarding subpoenas that the provider
receives from the government requesting production of customer information?
- In what situations would the provider produce customer information to the government
without a subpoena or warrant?
- In what situations would the provider produce customer information to a third party
without notification to the customer?
40. Cloud Security Governance and Legal
Issues – Electronic Discovery
In the event of a litigation hold, the customer must be able to preserve pertinent data.
Customers should understand what actions may be necessary by the provider in order to meet
litigation hold requirements.
The customer should also know any provider assistance that may be required to produce data in
order to meet discovery requests.
- What steps does the provider take to assist when litigation hold is needed?
- Can the customer perform all litigation hold steps, or is provider action necessary?
- How soon can the provider implement litigation hold after a request is submitted?
- Can transactions related to litigation hold be logged?
- What metadata does the provider keep about customer data?
- How does the provider and produce system metadata for documents stored on the system?
- What kind of user and document logging does the provider track? Are there additional options?
- How is data collection to be done if the customer needs to produce data during litigation? Can the customer
– or their third party expert - do it all? Must the provider do some parts?
- Is there a fee for the provider activities in meeting production requests?
- How soon after receiving the production request will the provider be able to produce the data – or give an
estimate of the time to complete the task?
41. Cloud Security Governance and Legal
Issues – Compliance and Audit
The processing and/or storage of customer financial
data, health information, or credit card data on a third
party system may violate contractual agreements or
regulatory requirements.
Is the customer’s use of the provider’s services
compliant with:
- Gramm-Leach-Bliley Act (GLBA)?
- Health Insurance Portability and Accountability Act (HIPAA)?
- Payment Card Industry Data Security Standard (PCI-DSS)?
Editor's notes
Why all the discussion around the cloud computing? What is so interesting?
Here are the key areas we are hearing from customers.
Managed costs: From a financial perspective, you can manage costs as a capital expense or an operational expense depending on what works best for your business. The exciting things here are to be able to get started quickly without huge barriers in capital costs as well as having predictable and reduced costs.
Greater resource agility: The management burden of anticipating and building out excess capacity IT infrastructure decreases. The result: less management, maintenance and deployment time, with the additional benefit of greater scalability to more easily handle peaks in demand.
Greater business agility: From an IT management perspective, you can focus on solving business problems, and not on infrastructure issues. A cloud model enables you to respond to business demands more effectively, and help ensure employees have on-demand access to critical business information, customers, partners and each other, using any device, from anywhere. The quote on the right is Aviva; it was actually 142 days for the One Aviva intranet.
Smaller carbon footprint: At the same time, using off-premises IT infrastructure has the additional value of decreasing your environmental impact through a reduction in the physical resources required to run on-premises systems. This of course can translate into lower taxes and power and utility savings for corporations. Microsoft datacenters benefit from negotiated low power costs and we leverage cool climates and place our DCs next to rivers for hydro power to further reduce costs and carbon impact.
We are seeing key industry analysts also highlighting the benefits and momentum around cloud services.
Cloud Analyst Quotes
Forrester
Top Left: It’s not the hype, but actual business results achieved by early cloud adopters fueling CIO interest, according to James Staten, principal analyst at Forrester Research. “Early adopters are finding serious benefits, meaning that cloud computing is real and warrants your scrutiny as a new set of platforms for business applications.”
Top Right: Forrester analyst Ted Schadler said a financial services firm migrated its employee portal to a cloud-based vendor and launched it in two months, while another firm he surveyed has spent the last 18 months building its employee portal in-house.
Source: eweek.com
Bottom: Gartner’s predictions for the last 2 years have made some huge statements around the pace businesses will move to cloud services as well as how there is huge momentum for businesses to select and move some IT assets out of their own datacenters.
More Quotes:
Forrester Case Study: GlaxoSmithKline is moving approximately 90,000 email users to Microsoft's Exchange Online, a cloud-delivered service. The result is that GSK is able to optimize its messaging and collaboration platform to meet the full range of its end users' requirements.
Source: forrester.com
Gartner: Cloud Computing Will Be As Influential As E-business.
Source: gartner.com
Gartner: Cloud computing revenue will soar faster than expected and will exceed $150 billion within five years, Gartner report predicts. Cloud-based business processes are the largest portion of the cloud services market, which includes advertising, e-commerce, human resources, and payments processing.
Source: infoworld.com
Gartner: Gartner predicts that by 2012, 80 percent of Fortune 1000 enterprises will be paying for some cloud computing services, and 30 percent will be paying for cloud computing infrastructure services.
Source: itnews.com.au
IDC: One reason IT suppliers are sharpening their focus on the “cloud” model is its growth trajectory, which - at 27% CAGR - is over five times the growth rate of the traditional, on-premise IT delivery/consumption model.
Source: blogs.idc.com
IDC: Spending on IT cloud services will triple in the next 5 years, reaching $42 billion and capturing 25% of IT spending growth in 2012
Source: blogs.idc.com
Merrill Lynch: By 2011 the volume of cloud computing market opportunity would amount to $160bn, including $95bn in business and productivity apps (email, office, CRM, etc.) and $65bn in online advertising.
Source: sys-con.com
Capabilities of the SharePoint 2010 Communities Platform
SharePoint 2010 offers a wide range of Collaboration and Social Computing tools that allow people to work together the way they want – whether they’re more comfortable doing asynchronous collaboration through team sites and workspaces, or broadcasting their status updates to their colleague network. This diversity of tool sets also allows people to collaborate anytime, anywhere regardless of whether they are connected to a corporate network, or working from their PC, phone or browser.
SharePoint 2010 Communities Platform allows people to collaboratively:
Create content and rich media, as well as edit/contribute to other people’s content through rating or commenting
Share ideas, content, networks and resources with their colleagues and others in the organization
Network with others who may share similar interests through dynamic status updates and activity feeds
Find the right people and information faster allowing them to make better decisions and become more efficient and productive
The SharePoint 2010 Communities solutions help to make a dispersed, chaotic, fragmented organization into a much smaller-seeming, cohesive community of people who better understand how they fit into the overall enterprise ecosystem.