Cloud computing can be safe, uncomplicated and move the organization forward IF YOU DO YOUR DUE DILIGENCE!!
It's your data and your neck, so don't be afraid to ask the right questions and get the answers in writing.
2. Presenters
Marv Sauer, Principal – Plante Moran, Education Consulting
Marv has more than 25 years of experience taking clients from initial strategic planning through
the successful implementation of a variety of proven and leading-edge
technologies. He is a talented facilitator of small to large groups, working with
personnel ranging from end users to executive management. Marv has given
presentations at local and national conferences on topics such as "Building the
Network of Tomorrow, Today" and "With Strategic Planning First, Successful
Implementation Follows." Marv holds a Master of Business Administration in Finance
from the University of Michigan and a Bachelor of Science in Math and Computer
Science from the University of California, Los Angeles (UCLA).
Sri Chalasani, Sr. Architect – Plante Moran, IT Consulting
Sri has over twenty years of experience and specializes in the design, deployment
and troubleshooting of complex networks. He also has over fifteen years of
experience in the design and implementation of broadband multimedia solutions
across large networks. Sri has helped many organizations in the design and selection of
data centers, including strategic sourcing of cloud-based solutions. He has an MBA
from Wayne State University, an MS in Computer Science from Western Michigan
University and a BS in Electronics Engineering from Bangalore University.
webinars.plantemoran.com
3. Administration
Slides are available for download from your webcast
console. A recording of today’s webinar will be added to
our website in a few days.
We will allow time at the end of the presentation to
respond to your questions, but please feel free to submit
questions at any time.
4. Administration
This is a CPE-eligible webinar. Throughout the webcast,
participation pop-ups will appear.
Participants must respond to at least 75% of these popups in order to receive CPE credit.
To receive CPE credit, you need to be logged in individually to the webinar
and meet the eligibility requirements: an accrued viewing time of at least
50 minutes and a 75% response rate to participation tracking. Only attendees
who are logged into the webinar will be eligible to earn CPE credit.
5. Overview
Kick it to the next level - move beyond the tutorials
• Review drivers, strategy and architectures for deploying a cloud
• Identify your risks
• Asking the right questions
• Selection criteria
• The T’s and C’s
6. Background
Gartner believes enterprises will spend $112 billion cumulatively
on software as a service (SaaS), platform as a service (PaaS)
and infrastructure as a service (IaaS). Part of the attraction is the
promise of lower total cost of ownership but, with this, come
higher risks, some of which are not always immediately apparent.
Source: Gartner
7. Drivers of cloud computing - Recap
Drivers
• Data Center pressures – increased systems and data explosion
• Flexibility - system capacity (elasticity) and ubiquitous access
• Minimize risk – modernize to survive / keep up with the times
• Cost / predictable cash flow
• Reduced operational / systems management
• Accelerated access to complex applications
• Allow for focus on core competencies
8. Strategy - Recap
• Goals may be the same
• Questions and priorities may be different and often competing
Cloud strategy diagram (labels recovered from the slide): Current IT Env., Terms & Conditions, Users, Risks, Security (C.I.A.), Business objectives and goals, Costs, Governance, Roadmap, Solutions, Reg. & Compliance, Agility, Technology, Business, IT Staff & skills, App. Integ., Process, Rearch, CEO, CIO
Governance
* Security & compliance
* Impacts IT staff?
* Performance & reliability?
* Distributed workforce?
* Agility & growth
* Contract, SLA, & support?
Administration
* Reduce costs? TCO/ROI?
* Distributed workforce?
* Competitive advantages?
* Risks?
* Align with business goals?
9. Architectures - Recap
Four major building blocks for IT system architectures (layer diagram recovered from the slide, bottom layer first):
• Infrastructure – Servers, Storage, Network (delivered as IaaS)
• System Software – Operating System and Back Office, Database (delivered as PaaS)
• Applications (delivered as SaaS)
• Managed services / IT Staff – Net. Admin, DBA, Programmer
IaaS: Infrastructure as a Service; PaaS: Platform as a Service; SaaS: Software as a Service
10. Deployment Models - Recap
Each model can be delivered as IaaS / PaaS / SaaS.
Public Cloud
• Multi-tenancy computing resources (infrastructure, OS, applications are available to other tenants)
• Typically hosted at a provider
Community Cloud
• Collaboration between multiple org.
• Involvement by invitation only
Private Cloud
• Only your organization has access to the resources.
• Hosted internally or hosted by a provider
Hybrid Cloud
• Combination of Private and Public
• Most organizations
• Other: internal or external hosted
11. Examples of the cloud - Recap
IaaS (vendor taxonomy image not reproduced). Source: Cloud Taxonomy
12. Examples of the cloud - Recap
PaaS (vendor taxonomy image not reproduced). Source: Cloud Taxonomy
13. Examples of the cloud - Recap
SaaS (vendor taxonomy image not reproduced). Source: Cloud Taxonomy
14. Examples of the cloud - Recap
Cloud Software (vendor taxonomy image not reproduced). Source: Cloud Taxonomy
15. What is at risk?
• Cloud computing inherently means trusting a third party with some of your most valuable assets
• Before you start – high level understanding of the risks
• Two key assets exposed to risk - Data and Applications/Process
• Evaluate the risk for Confidentiality, Integrity and Availability. Impact on
asset if it:
• Breached
• Accessed by provider(s)
• Process is manipulated by an outsider
• Unavailable for a while
16. What is at risk?
• Understand risk by mapping the asset to
• Possible deployment models
• The potential flow of data between your users and CSPs
• Assurances on safety of data?
• SOC standards provide some level of assurance – CSA, GSA, NIST
• CSA / GSA / NIST - tools to assess security requirements & services
• The onus is still on you: you still have to conduct your own due diligence
17. Protect your assets – ask the questions
1. Who’s managing my data?
• Qualifications and backgrounds of staff
• Who else (partners/sub-contractors) can touch your data?
2. Where’s my data actually located?
• Regulatory and compliance requirements for data export
• Primary and secondary (replication sites)
• Conformance to local laws – data discovery
• Map how data is stored and handled
18. Protect your assets – ask the questions
• Why does location matter? - Country Risk Ratings for Security and Privacy
Source:
19. Protect your assets – ask the questions
3. What access controls are in place?
• What are the physical controls and logical controls?
• Does the CSP disclose the data access control processes in place?
• Frequency of testing of access controls
4. How will my data be physically secured & separated from other customers?
• Common hardware or applications with logical controls?
• Testing of data encryption / data leakage
5. How’s my data encrypted?
• Understand security for data at rest and data in transit
• Data at rest - encryption types
• Data in transit - encrypted, authenticated and integrity protected
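The slide's question 5 is about what the CSP does; the other half of "encrypted, authenticated and integrity protected" for data in transit is whether your own integration code actually authenticates the provider's endpoint. The following is an added example, not from the presenters' material: it builds a hardened and a deliberately weak Python `ssl` client context and audits each against a TLS 1.2 floor. The threshold, function names and finding wording are this example's own assumptions.

```python
import ssl

# Floor for connections carrying data in transit to a cloud provider's API.
# The threshold is this example's assumption, not a figure from the slides.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies the provider's certificate chain and
    hostname and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_TLS
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The context that 'makes the certificate error go away' in a hurried
    integration: traffic is encrypted but the peer is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for a client context; an empty list means it
    meets the 'encrypted, authenticated and integrity protected' bar."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < MIN_TLS:
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is below {MIN_TLS.name}"
        )
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'OK' if not problems else problems}")
```

The hardened context is the one to hand to `http.client.HTTPSConnection(host, context=ctx)` or any other client that accepts an `SSLContext`. The audit covers only the transit half of question 5; for data at rest the evidence has to come from the CSP's written answers on encryption types.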
20. Protect your assets – ask the questions
• Map the potential flow of data between your users (internal and external),
other providers and the cloud service
Data-flow diagram (labels recovered from the slide): Organization (Users, Servers, App, Data); CSP1, CSP2 and CSP3, each with a Backup; external Users
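One way to turn the mapping exercise above, together with question 2 on slide 17 (where is my data, including replication and backup sites), into something you can re-run as the picture changes. This is an added example and not the presenters' material; every node, flow and country code in it is constructed for illustration, and the function names are this example's own.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    country: str      # country code of the hosting location (constructed values)
    kind: str         # "org", "csp", "backup" or "users"
    holds_copy: bool  # does a persistent copy of the data asset live here?


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    purpose: str      # "access", "primary", "replication" or "backup"


# Constructed sample modelled on the slide's picture: one organization, three
# CSPs each with a backup site, and users inside and outside the organization.
NODES = {n.name: n for n in [
    Node("org-data", "US", "org", True),
    Node("org-app", "US", "org", False),
    Node("csp1", "US", "csp", True),
    Node("csp1-backup", "US", "backup", True),
    Node("csp2", "IE", "csp", True),
    Node("csp2-backup", "IN", "backup", True),
    Node("csp3", "US", "csp", True),
    Node("csp3-backup", "CA", "backup", True),
    Node("external-users", "??", "users", False),
]}

FLOWS = [
    Flow("org-data", "org-app", "access"),
    Flow("org-app", "csp1", "primary"),
    Flow("csp1", "csp1-backup", "backup"),
    Flow("csp1", "csp2", "replication"),   # secondary site disclosed by the CSP
    Flow("csp2", "csp2-backup", "backup"),
    Flow("org-app", "csp3", "primary"),
    Flow("csp3", "csp3-backup", "backup"),
    Flow("csp3", "external-users", "access"),
]


def copy_paths(origin, nodes=NODES, flows=FLOWS):
    """Breadth-first walk of the flows from `origin`; returns, for every node
    that persists a copy of the asset, the path the data took to get there."""
    paths = {origin: [origin]} if nodes[origin].holds_copy else {}
    seen = {origin}
    queue = deque([[origin]])
    while queue:
        path = queue.popleft()
        for f in flows:
            if f.src == path[-1] and f.dst not in seen:
                seen.add(f.dst)
                new_path = path + [f.dst]
                if nodes[f.dst].holds_copy:
                    paths[f.dst] = new_path
                queue.append(new_path)
    return paths


def jurisdiction_findings(origin, allowed, nodes=NODES, flows=FLOWS):
    """Copies that end up outside the countries you may export to, with the
    path that put them there (question 2: primary, replication and backups)."""
    return {name: path for name, path in copy_paths(origin, nodes, flows).items()
            if nodes[name].country not in allowed}


def third_parties_touching(origin, nodes=NODES, flows=FLOWS):
    """Every provider or backup site that can touch the asset (question 1)."""
    return sorted(n for n in copy_paths(origin, nodes, flows)
                  if nodes[n].kind in ("csp", "backup"))


if __name__ == "__main__":
    for name, path in jurisdiction_findings("org-data", {"US", "CA"}).items():
        print(f"{name} ({NODES[name].country}) via {' -> '.join(path)}")
    print("touched by:", third_parties_touching("org-data"))
```

Running it with `{"US", "CA"}` as the allowed set reports the CSP2 replica and its backup site, which only appear because the replication flow from CSP1 was written down; a map that stops at the primary site would miss both.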
21. Protect your assets – ask the questions
6. What authentication mechanisms are supported by the CSP?
• 2-pass authentication - passwords with tokens and certificates
• Integration using LDAP and SAML with Dir. Svcs or Identity Mgmt. systems
7. What happens if there’s a data breach?
• Incident Response Plan (IRP) - proactive processes and technologies in
place to detect if an application or data is under attack. Create your own too
• Response times and notification process; request history
• Technology Errors & Omissions policy and/or Cyber Liability coverage
22. Protect your assets – ask the questions
8. Can the CSP pass muster with the auditors?
• Security assessment by a 3rd party or accreditation process
• Process for accommodating the needs of your auditors
• Conduct a forensic investigation?
9. Is your cloud computing service SOC 2/SSAE16 (formerly SAS 70) compliant?
• No assurances but a step in the right direction
• Demonstrates methodical and repeatable process
• Security certification and other regulatory requirements HIPAA, FERPA etc.
10. What is CSP’s stability factor?
• CSP acquired or out of business?
• Timely transition, removal and destruction of your data
23. Protect your assets – ask the questions
11. Does the CSP offer backup and recovery services?
• Data retention, backup and recovery
• Backed up to where. Basic backup services or beyond?
• Recovery process from an outage
• What is included in your service – does this match your RPO/RTO?
12. What are the contract terms?
• SLA, breach notification, intellectual properties, limitation of liability, etc.
• More on this later
24. Eeny, meeny, miny, moe – Picking a CSP
No different than any other selection project
• Identify what is important to you
• Identify the “must haves” and the “like to haves”
• Don’t ignore security and growth
• For each of the identified areas, assign weightage
• Get the answers you are looking for in writing
• When in doubt err on the conservative side
• Reference – ask for a list of clients, not just references
• Not to be taken lightly – your data, your neck
• Add skill sets to the IT mix to manage and administer vendor contracts
• Viewed as a partnership - cannot abdicate management of the vendor
/ service though they provide the service
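The selection procedure on this slide (must-haves, like-to-haves, weightage, conservative tie-breaking) together with the RPO/RTO match from question 11 on slide 23 can be written down as a scorecard, so that every vendor is judged against the same written answers. The following is an added example, not the presenters' tool: criteria names, weights, the must-have floor, the RPO/RTO values and the three vendor responses are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: int        # relative importance you assign ("weightage" on the slide)
    must_have: bool    # a weak answer on a must-have disqualifies the vendor


@dataclass(frozen=True)
class Vendor:
    name: str
    answers: dict              # criterion name -> 0..5, taken from the written response
    backup_interval_h: float   # hours between backups = worst-case data loss
    restore_time_h: float      # hours the CSP commits to for recovery from an outage


# Constructed criteria and weights; the names are this example's, not the slides'.
CRITERIA = [
    Criterion("soc2_report", 5, must_have=True),
    Criterion("data_location_ok", 5, must_have=True),
    Criterion("security_controls", 5, must_have=False),
    Criterion("uptime_sla", 4, must_have=False),
    Criterion("cost", 3, must_have=False),
    Criterion("elasticity", 3, must_have=False),
    Criterion("client_references", 2, must_have=False),
]

MUST_HAVE_FLOOR = 3   # a must-have needs at least "yes, with evidence"
RPO_HOURS = 4.0       # constructed objectives for the workload being moved
RTO_HOURS = 8.0


def recovery_gaps(v: Vendor) -> list:
    """Question 11: does what the CSP includes match your RPO/RTO?"""
    gaps = []
    if v.backup_interval_h > RPO_HOURS:
        gaps.append(f"backup every {v.backup_interval_h}h exceeds RPO of {RPO_HOURS}h")
    if v.restore_time_h > RTO_HOURS:
        gaps.append(f"restore time {v.restore_time_h}h exceeds RTO of {RTO_HOURS}h")
    return gaps


def score_vendor(v: Vendor, criteria=CRITERIA):
    """Return (score 0..100 or None, reasons). Must-have failures and RPO/RTO
    gaps disqualify outright; otherwise weighted answers are normalised to 100."""
    reasons = recovery_gaps(v)
    for c in criteria:
        if c.must_have and v.answers.get(c.name, 0) < MUST_HAVE_FLOOR:
            reasons.append(f"must-have '{c.name}' scored {v.answers.get(c.name, 0)}")
    if reasons:
        return None, reasons
    raw = sum(c.weight * v.answers.get(c.name, 0) for c in criteria)
    best = 5 * sum(c.weight for c in criteria)
    return round(100 * raw / best, 1), []


def rank_vendors(vendors, criteria=CRITERIA):
    """Qualified vendors first, highest score first; disqualified ones last."""
    scored = [(v.name, *score_vendor(v, criteria)) for v in vendors]
    return sorted(scored, key=lambda r: (r[1] is None, -(r[1] or 0)))


# Constructed vendor responses for the example run.
VENDORS = [
    Vendor("Vendor A", {"soc2_report": 5, "data_location_ok": 5, "security_controls": 4,
                        "uptime_sla": 5, "cost": 3, "elasticity": 4, "client_references": 5},
           backup_interval_h=1.0, restore_time_h=4.0),
    Vendor("Vendor B", {"soc2_report": 0, "data_location_ok": 5, "security_controls": 5,
                        "uptime_sla": 5, "cost": 5, "elasticity": 5, "client_references": 5},
           backup_interval_h=1.0, restore_time_h=2.0),
    Vendor("Vendor C", {"soc2_report": 5, "data_location_ok": 5, "security_controls": 5,
                        "uptime_sla": 4, "cost": 4, "elasticity": 3, "client_references": 3},
           backup_interval_h=24.0, restore_time_h=4.0),
]

if __name__ == "__main__":
    for name, score, reasons in rank_vendors(VENDORS):
        print(name, score if score is not None else "DISQUALIFIED", reasons)
```

Vendor B would win on raw points but has no SOC 2 report, and Vendor C's daily backup cannot meet a four-hour RPO; treating those as gates rather than as low scores is the "err on the conservative side" rule from the slide made explicit.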
26. Eeny, meeny, miny, moe – picking a CSP
Reference: Intel’s Intel Cloud Finder
27. Contractual considerations
Negotiate key terms and conditions to mitigate risk and cost
exposure:
• Uptime Guarantees
• SLA penalties
• SLA penalty exclusions
• Security
• Business Continuity and Disaster recovery
28. Contractual considerations
Negotiate key terms and conditions to mitigate risk and cost
exposure:
• Data privacy conditions
• Suspension of service
• Termination
• Liability
29. Where’s my checklist?
• Do I have a “strategy” or am I “piecemealing this”?
• Have a process for identifying suitable applications / systems /
workloads ideal for “cloudifying” – business objective first
• Define your selection criteria - requirements for security, compliance,
growth, performance, etc.
• Identify issues around migrating existing workloads
• Identify vendor(s), vendor lock-ins and flexibilities
• Identify the costs: CapEx, OpEx, sunk costs, staff retraining
• Identify your questions - have written responses, talk to existing clients
• Determine the impact on your IT staff (skills and headcount)
• Understand your contract – have your requirements clearly identified
• It is not an all or nothing proposition – think hybrid
31. Thank you for attending
Marv Sauer, Principal
248.223.3120
marv.sauer@plantemoran.com
Sri Chalasani, Sr. Architect
248.223.3707
sri.chalasani@plantemoran.com
To view a complete calendar of upcoming Plante Moran webinars, visit webinars.plantemoran.com