Vendor Lock-In / Lack of Standards – Security and Privacy

Infrastructure in the Cloud: Getting the Right Deal
By Marc Lindsey

Agenda
• Cloud Computing Overview
• Infrastructure, Risks and Responsibilities
• Deal Tips
• Closing Thoughts
• Open Discussion and Questions

Overview

Defining Cloud Computing
• The essential characteristics
  – Made available to users remotely via an IP-based network
  – Employs “virtualization” technology
  – High elasticity and scalability
  – Automated self-service provisioning tools
  – Metered usage

Defining Cloud Computing
• “SPI” Service Delivery Framework (figure; obtained via Creative Commons license)

Defining Cloud Computing
• Deployment models
  – Public – Multi-tenancy with shared resources available over the Web
  – Private – Data center infrastructure dedicated to a single company that uses virtualization technology and provisioning/self-service automation
  – Community – A special-purpose private cloud serving multiple organizations
  – Public-Private Hybrid
    • Private cloud used to host business-critical applications and sensitive data
    • Public cloud for non-core applications and generic data

Hybrid Cloud Illustration
(Figure: enterprise-side IAM, apps, servers, database and storage alongside public-cloud computing services, database service and storage service.)

Public Cloud Drivers
• Done right, public cloud computing can yield
  – Reduced implementation effort and cost
  – No lump-sum licensing fees or equipment purchases
  – Rapid transition to new technologies and processes
  – Lower total cost of usage
  – Better resource elasticity and scalability
  – Improved availability of applications to mobile/remote workers
  – More efficient and effective management of technology resources by vendors with specialized skills
  – Fewer IT management, maintenance and upgrade hassles

Enterprise Use Cases
• SaaS
  – CRM & ERP (e.g., Salesforce.com, NetSuite, RightNow)
  – UC & Collaboration (e.g., Microsoft Office 365, Vz UCaaS, Cisco WebEx)
  – Service management (e.g., SecureWorks, RightScale)
  – Email (e.g., Microsoft and Google)
• PaaS (e.g., Force.com, Google App Engine, Microsoft Azure, VMForce)
  – Organizations develop, test and put into production custom apps
• IaaS
  – Sharing computational workloads during peak usage
  – Hosting third-party, custom applications and eCommerce sites
  – On-line storage
  – Application development and testing

Some Leading Infrastructure Providers
• Public IaaS
  – Amazon
    • Innovator that leads the pack
    • Struggling to win over large enterprises
  – Verizon / Terremark
    • Service offerings and processes are evolving rapidly
    • Demonstrated willingness to make deals to win enterprise business
  – Rackspace
  – AT&T (Synaptic Compute)
    • Long-term experience with enterprise hosting
    • Telco deal approach is less than nimble and flexible
  – GoGrid
  – IBM (IaaS for development and test, mostly)
  – Savvis/CenturyLink
• Private Cloud (too many to list)
  – VCE
  – Joyent
  – CSC (BizCloud)
  – IBM

Public IaaS Risks & Responsibilities

Risks
• Familiar IT risks apply to services in the cloud
• Some risks are heightened
  – Vendor lock-in / lack of standards
  – Security and privacy

Vendor Lock-In
• Three primary concerns
  – Data portability
  – Application portability
  – Infrastructure interoperability

Vendor Lock-In
• Data portability
  – Customer controls logical access to the applications, database and storage, so data access isn’t a problem
  – But vendor tools and assistance to extract and transfer data are still desirable
• Application portability
  – Applications are customer-provided, but server VM images may be locked up or configured uniquely for the vendor’s infrastructure
• Infrastructure interoperability
  – How portable are the server VM images, and how unique is your vendor’s virtualization layer?
  – Can you bring your own server software and licenses?

Information Security
• Linking control and responsibility can be challenging
  – Start with solution/vendor selection and evaluation
  – Specify obligations and consequences in the contract
  – Incident monitoring and management
  – Auditing, validation testing, and process improvements
• Three layers to consider
  – Infrastructure
  – Application
  – Data

Information Security: Primary Threats
• Infrastructure
  – Logical – Host and network intrusion, DDoS, etc.
  – Physical – Unauthorized access or destruction
• Applications
  – Programming errors, back doors, poor patch management, hackers, viruses
• Data
  – Unauthorized access or disclosure
  – Loss or corruption
  – Impaired data lineage (where has it been?)
  – Concerns about data processing accuracy (provenance)
  – Data remnants (gone but not forgotten)

Information Security: Typical Countermeasures
• Business continuity and DR processes
  – Resiliency is implied, but caveat emptor
  – Continuity processes should satisfy business requirements
• Incident avoidance, detection and mitigation tools
• Mature service management
  – Automation orchestration occurs in the cloud
  – Streamline (but don’t ignore) change management
• Secure code design, and periodic code review
• Data encryption – but it has limits (it protects data only while the keys stay outside the vendor’s reach)
• Data clearing and sanitizing
• Avoid placing sensitive data in public clouds
• Solid identity and access management (IdAM)

Information Security: Infrastructure Responsibilities
• Vendor secures from the virtualization layer down
• Customer is typically responsible for logical host security
  – Monitoring the O/S and application for intrusions and attacks
  – Encrypting in-transit and stored data
• Some IaaS vendors offer optional security services

Information Security: Application and Data Responsibilities
• Applications
  – Customer fully owns all aspects of app and database security management
  – But some vendors offer security management options for common apps
  – Extra concerns when providers have application-layer access
• Data
  – Customer is primarily responsible for data security, but clearing and sanitizing infrastructure components is a vendor responsibility

Information Security: User Access and Authentication
• Key identity and access management (IdAM) tasks
  – Identification and authentication
  – Role-based authorization
  – Monitoring and auditing access
• Federated single sign-on (SSO) is IAM nirvana
• Standards and best practices are emerging, e.g.,
  – SAML and WS-Federation for identification and authentication
  – XACML for access control
• IdAM as a Service (e.g., Ping Identity, Symplified)
• Application management appliances (e.g., VMware’s Horizon App Manager)

Privacy and Information Security Compliance
• You can assign privacy responsibility to vendors, but you can’t delegate accountability through contracts
• Extend the enterprise security / compliance program to the cloud
  – Identify and classify information assets / data, and risk levels
  – Identify / develop appropriate key controls
  – Map controls to vendor (and vendor sub) responsibilities
  – Key controls are derived from various sources
  – Monitoring, management and audit
  – Impose limits on subcontractors (watch out for stealth subs)
  – Regionalize solutions as required
• Don’t let the contract fine print undermine the program

Public IaaS Deal Tips

Term and Commitments
• Term
  – There is no need to commit to a term, but vendors may try to make a term financially attractive
  – Anything longer than 1 year should be scrutinized
  – Renewals at the customer’s option
• Revenue or resource minimum commitments
  – There shouldn’t be any, but
  – Vendors offer better unit pricing in exchange for minimum subscription levels over fixed terms
• Commitments may be hidden in termination fees

Pricing
• Pricing model
  – Per resource / per hour, day, month
  – Charges for upgraded support, and perhaps implementation
  – Subscription levels with “penalties”
  – Change charges
    • Standard self-service changes / provisioning incur fixed charges
    • Non-standard changes are ICB (individual case basis)
    • The difference is often defined in the vendor’s on-line service catalog, which it can change at any time
    • Expect an uplift for expedites
• Should you include a benchmarking clause?

Service Levels
• Public IaaS cloud deals must include SLAs
• Key SLA metrics
  – System availability/uptime
  – Management portal/tools availability/uptime
  – Incident response and resolution times
  – Resource deployment timeliness
  – Configuration change timeliness
  – Backup success rate, and restoration times after a data loss event
  – Service restoration times in response to disasters

Standard Terms of Use
• Cloud providers often try to push click-wrap agreements (EULAs) onto the individual end users that access the cloud
  – Who do they bind?
  – What about subsequent changes to the EULA?
• Taking service via click-wrap and a credit card
  – It is not the value of the services that matters; beware the seduction of the free trial offer
  – Use enterprise agreements whenever real information assets or consumer data will touch -- or be accessible from -- the cloud

Intellectual Property Matters
• 3rd-party consents for customer-provided software
• Infringement indemnifications
  – Geographic limits on covered claims
  – Carve-outs for combinations and modifications
  – Exclusion from limits on liability
• Incorporation of third-party licenses for vendor-provided software
  – Try to avoid entering into direct contracts with the vendor’s suppliers
  – Vendors will attempt to disclaim responsibility for their third-party licensors

Closing Thoughts

Cloud Roadmap
• Involve cross-disciplinary teams
• Identify use cases that are right for your business
• Match use cases to delivery / deployment models
• Lay out practical milestones
• Treat in-house IT resources, managed services, and outsourcing as competitive alternatives
• Employ sourcing, service management and security programs tuned for the cloud’s unique challenges

Questions?

Speaker Information
Marc Lindsey
Levine, Blaszak, Block & Boothby, LLP
(202) 857-2546
[email protected]
www.lb3law.com
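The “User Access and Authentication” slide names SAML for identification and authentication, and role-based authorization as a core IdAM task, but a federated SSO endpoint is only as safe as the checks it makes on the assertion the IdP hands it. Below is an added example, written for this page and not code from the deck or from any product it mentions, of the service-provider-side acceptance checks on a SAML 2.0 bearer assertion after its XML signature has been verified: issuer, validity window with bounded clock skew, audience restriction, bearer subject-confirmation recipient, and one-time use of the assertion ID against replay, followed by a role decision from the federated attribute. Signature verification against the IdP certificate pinned in SP configuration (for example with xmlsec) is assumed to have happened first and is not shown; the entity IDs (https://idp.example.com/saml, https://sp.example.com), the ACS URL and the sample assertion are constructed for illustration.

```python
# Added example: service-provider-side acceptance checks on a SAML 2.0 bearer
# assertion. Assumes the XML signature was ALREADY verified against the IdP
# certificate pinned in SP configuration (e.g. with xmlsec); that step is not
# shown. Entity IDs, ACS URL and the sample assertion are constructed values.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
IDP_ENTITY_ID = "https://idp.example.com/saml"  # assumed IdP entityID
SP_ENTITY_ID = "https://sp.example.com"         # assumed SP entityID (audience)
ACS_URL = "https://sp.example.com/acs"          # assumed assertion consumer URL

# Constructed sample assertion (Signature element omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.com/acs"
          NotOnOrAfter="2012-06-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T11:59:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>billing-admin</saml:AttributeValue>
      <saml:AttributeValue>reader</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlError(Exception):
    """Assertion rejected; the message is safe to log, not to show the user."""


def _tag(name):
    return "{%s}%s" % (SAML_NS, name)


def _parse_time(value):
    # SAML timestamps are UTC xs:dateTime; allow optional fractional seconds.
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise SamlError("unparseable timestamp %r" % value)


def validate_assertion(xml_text, expected_issuer, expected_audience, acs_url,
                       now, seen_ids, clock_skew=timedelta(seconds=60)):
    """Return {'name_id', 'roles'} for an acceptable assertion, else raise SamlError."""
    root = ET.fromstring(xml_text)  # prefer defusedxml in production (entity expansion)
    if root.tag != _tag("Assertion"):
        raise SamlError("root element is not saml:Assertion")
    # 1. Issuer must be the IdP we federated with, not merely a valid signer.
    if root.findtext(_tag("Issuer")) != expected_issuer:
        raise SamlError("unexpected issuer")
    # 2. Validity window, with a bounded tolerance for clock drift.
    cond = root.find(_tag("Conditions"))
    if cond is None:
        raise SamlError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < _parse_time(nb) - clock_skew:
        raise SamlError("assertion not yet valid")
    if not noa or now >= _parse_time(noa) + clock_skew:
        raise SamlError("assertion expired or has no expiry")
    # 3. Audience: an assertion minted for another SP must not log in here.
    if expected_audience not in [a.text for a in cond.iter(_tag("Audience"))]:
        raise SamlError("audience mismatch")
    # 4. Bearer confirmation must name our ACS endpoint and still be fresh.
    subject = root.find(_tag("Subject"))
    if subject is None:
        raise SamlError("missing Subject")
    confirmed = False
    for sc in subject.iter(_tag("SubjectConfirmation")):
        data = sc.find(_tag("SubjectConfirmationData"))
        if sc.get("Method") != BEARER or data is None:
            continue
        exp = data.get("NotOnOrAfter")
        fresh = bool(exp) and now < _parse_time(exp) + clock_skew
        if data.get("Recipient") == acs_url and fresh:
            confirmed = True
    if not confirmed:
        raise SamlError("no valid bearer SubjectConfirmation for this ACS")
    # 5. One-time use: reject a replayed ID. seen_ids stands in for a shared
    #    store whose entries can be dropped once NotOnOrAfter has passed.
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise SamlError("missing or replayed assertion ID")
    seen_ids.add(assertion_id)
    roles = [v.text for a in root.iter(_tag("Attribute")) if a.get("Name") == "role"
             for v in a.iter(_tag("AttributeValue"))]
    return {"name_id": subject.findtext(_tag("NameID")), "roles": roles}


def authorize(roles, required_role):
    """Role-based authorization decision from the federated role attribute."""
    return required_role in roles
```

With `now` set to 2012-06-01T12:01:00Z and an empty `seen_ids` set, `validate_assertion(SAMPLE_ASSERTION, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, now, seen_ids)` returns the NameID alice@example.com with roles billing-admin and reader; presenting the same assertion again, or presenting it after 12:06:00Z, or to an SP whose entityID is not in the audience, raises `SamlError`. The ordering matters: the replay store is written only after every other check passes, so a rejected assertion never consumes an ID, and the clock-skew allowance is applied symmetrically and kept small, since every second of tolerance widens the window in which a captured assertion can be reused.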

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    33 Page
