Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2010 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 23rd Bled eConference.

Published byAvery Hess Modified over 10 years ago

Similar presentations

Presentation on theme: "Copyright 2010 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 23rd Bled eConference."— Presentation transcript:

1 Copyright 2010 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 23rd Bled eConference Slovenia – 22 June 2010 http://www.rogerclarke.com/II/CCBR {.html,.ppt} Computing Clouds on the Horizon? Benefits and Risks from the User's Perspective

2 Copyright 2010 2 Cloud Computing son of Eric Schmidt, b. 2006 retro-fitted to SalesForce, 2006 adopted for IBM and Amazon, 2007 published in the academic literature: rarely in 2008 occasionally in 2009 frequently in 2010... d. ?

3 Copyright 2010 3

4 Copyright 2010 4

5 Copyright 2010 5 http://www.lostinthemagicforest.com/blog/wp-content/......uploads/2007/10/gartner2007.jpg

6 Copyright 2010 6 http://adverlab.blogspot.com/2008/08/......media-history-through-gartner-hype.html

7 Copyright 2010 7 The Gartner Hype-Cycle – 2009 http://www.gartner.com/it/page.jsp?id=1124212

8 Copyright 2010 8 Research Method An exegetic paper, armchair analysis Literature reviews Academic To November 2009: Google Scholar disclosed a few dozen articles with citations, all of which were evaluated the AIS eLibrary disclosed 0 articles During December 2009: 4 further conference papers appeared Very little attention to the user orgn perspective Commercial and Popular Application of prior bodies of theory and practice

9 Copyright 2010 9 Predecessor Terms Computing as a utility / 'computer service bureaux' / 'data centres' – 1960s, 1970s Application Service Providers (ASPs) – 1980s working from home / tele-work – 1980s working on the move / 'road warrior' – 1990s docking portables to corporate networks portable-to-desktop synchronisation Internet Service Providers (ISPs) – late 1980s Web Services – 2000 Service-Oriented Architecture (SOA) – early-to-mid-2000s

10 Copyright 2010 10 Predecessor Terms Computing as a utility / 'computer service bureaux' / 'data centres' – 1960s, 1970s Application Service Providers (ASPs) – 1980s working from home / tele-work – 1980s working on the move / 'road warrior' – 1990s docking portables to corporate networks portable-to-desktop synchronisation Internet Service Providers (ISPs) – late 1980s Web Services – 2000 Service-Oriented Architecture (SOA) – early-to-mid-2000s Software as a Service (SAAS) – late 1990s, e.g. Salesforce Cluster Computing – inter-connected stand-alone computers are managed as a single integrated computing resource Grid Computing – computational resources are assigned dynamically Peer-to-Peer (P2P) architectures Server-Virtualisation Infrastructure as a Service (IaaS) – 2006 Platform as a Service (PaaS) – 2006 Anything as a Service *aaS / AaaS Related Concepts

11 Copyright 2010 11 Cloud Computing Definitions "a large-scale distributed computing paradigm that is driven by economies of scale, in which a pool of abstracted, virtualized, dynamically-scalable, managed computing power, storage, platforms, and services are delivered on demand to external customers over the Internet" (Foster et al. 2008, at the Grid Computing Environments Workshop) five 'essential characteristics' (NIST, October 2009): on-demand self-service (i.e. automated response by servers to direct requests by clients) broad network access (i.e. from anywhere, using any device) resource pooling (i.e. the provider allocates resources according to demand, rather than assigning resources to particular clients) rapid elasticity (i.e. resources are scalable according to demand) measured service (i.e. resource usage is metered)

12 Copyright 2010 12 The User Organisation Perspective A Working Definition A service that satisfies all of the following conditions: 1.It is delivered over a telecommunications network 2.Users place reliance on the service for data access and/or data processing 3.The data is under the legal control of the user 4.Some of the resources on which the service depends are virtualised, i.e. the user has no technical need to be aware which server running on which host is delivering the service, nor where the hosting device is located 5.The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used

13 Copyright 2010 13 Cloud Computing is a Form of Outsourcing How is it different from earlier forms? Scalability ('there when it's needed) Flexible Contractual Arrangements ('pay per use') Opaqueness ('let someone else worry about details') which means less user control: of the application, through commoditisation of service levels, through SLA dependence (assuming there's an SLA, and it's negotiable) of host location, through resource-virtualisation

14 Copyright 2010 14 Sample Architectures CSA (2009) 'Security Guidance for Critical Areas of Focus in Cloud Computing' Cloud Security Alliance, April 2009 Youseff L., Butrico M. & Da Silva D. (2008) 'Toward a Unified Ontology of Cloud Computing' Proc. Grid Computing Environments Workshop, 2008

15 Copyright 2010 15 Buyya R., Yeo C.S., Venugopal S., Broberg J. & Brandic I. (2009) 'Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility' Future Generation Computer Systems 25 (January 2009) 599-616 Fig. 3 High-level market-oriented Cloud architecture

16 Copyright 2010 16 CC Architecture – The User Organisation Perspective

17 Copyright 2010 17 CC's Potential Benefits Enhanced Service Accessibility Access to Services that are otherwise unavailable Access to Services from multiple desktop devices Access to Services from scaled-down devices Access to Services from multiple device-types Other Technical Benefits Professionalised backup and recovery Scalability Collaboration convenience Copyright convenience Financial Benefits Lower Investment / up-front cost Lower Operational Costs Lower IT Staff Costs

18 Copyright 2010 18 Downsides – The User Perspective Operational Disbenefits and Risks Dependability on a day-to-day basis Contingent Risks Low likelihood / Potentially highly significant Security Risks Security in the broad Business Disbenefits and Risks Beyond the merely technical

19 Copyright 2010 19 Operational Disbenefits and Risks AS ISO/IEC 2000-2007, ITIL, Avizienis et al. (2004) Fit – to users' needs, and customisability Reliability – continuity of operation Availability – hosts/server/database readiness/reachability Accessibility – network readiness Robustness – frequency of un/planned unavailability (97% uptime = 5 hrs/wk offline) Resilience – speed of resumption after outages Recoverability – service readiness after resumption Integrity – sustained correctness of the service, and the data Maintainability – fit, reliability, integrity after bug-fixes, mods

20 Copyright 2010 20 Contingent Risks ISO/IEC 24762:2008 (Disaster Recovery Services) BS 25999:2006/07 and and BS 25777:2008 (Business continuity) Major Service Interruptions Service Survival – supplier collapse or withdrawal Safeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers Data Survival – data backup/mirroring and accessibility Compatibility – software, versions, protocols, data formats Flexibility Customisation Forward-compatibility (to migrate to new levels) Backward compatibility (to protect legacy systems) Lateral compatibility (to enable escape)

21 Copyright 2010 21 Security Risks ISO/IEC 27002:2005, Hogben (2009) Service Security Environmental, second-party and third-party threats to any aspect of reliability or integrity Data Security Environmental, second-party and third-party threats to content, both in remote storage and in transit Authentication and Authorisation How to provide clients with convenient access to data and processes in the cloud, while denying access to imposters? Susceptibility to DDOS Multiple, separate servers; but choke-points will exist

22 Copyright 2010 22 Business Disbenefits and Risks Acquisition Lack of information, non-negotiability of terms of contract and SLA Ongoing Usage Loss of corporate knowledge about apps, IT services, costs to deliver Inherent lock-in effect, because of high switching costs High-volume data transfers (large datasets, replication/synch'n) Service Levels to the Organisation's Customers Legal Compliance – ** Data protection law, law of confidence, financial services regulations, evidence discovery law. Company Directors' obligations re asset protection, due diligence, business continuity, risk management Privacy Breach – ** Content Access, Use, Retention, Second-Party (service-provider abuse), Third-Party ('data breach', 'unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

23 Copyright 2010 23 Some Risk Management Strategies Risk Assessment which depends on transparent information Contract Terms Service Level Agreement (SLA) Multi-Sourcing Parallel in-house service Several compatible suppliers

24 Copyright 2010 24 ITILv3 SLA Checklist – Edited Down! 1. Service name 2. Clearance information (with location and date) 1. Service Level Manager 2. Customer 3. Contract duration 1. Start and end dates 2. Rules regarding termination of the agreement 4. Description/ desired customer outcome 1. Business justification 2. Business processes/ activities oncust side supported by the service 3. Desired outcome in terms of utility 4. Desired outcome in terms of warranty 5. Service and asset criticality 1. Identification of business-critical assets connected with the service 1. Vital Business Functions (VBFs) supported by the service 2. Other critical assets used within the service 2. Estimation of the business impact caused by a loss of service or assets 6. Reference to further contracts which also apply (e.g. SLA) 7. Service times 1. Hours when the service is available 2. Exceptions (e.g. weekends, public holidays) 3. Maintenance slots 8. Required types and levels of support 1. On-site support 1. Area/ locations 2. Types of users 3. Types of infrastructure to be supported 4. Reaction and resolution times 2. Remote support 1. Area/ locations 2. Types of users (user groups granted access to the service) 3. Types of infrastructure to be supported 4. Reaction and resolution times 9. Service level requirements/ targets 1. Availability targets and commitments 1. Conditions under which the service is considered to be unavailable 2. Availability targets 3. Reliability targets (usually defined as MTBF or MTBSI ) 4. Maintainability targets (usually defined as MTRS) 5. Downtimes for maintenance 6. Restrictions on maintenance 7. Procedures for announcing interruptions to the service 8. Requirements regarding availability reporting 2. Capacity/ performance targets and commitments 1. Required capacity (lower/upper limit) for the service, e.g. 1. Numbers and types of transactions 2. Numbers and types of users 3. Business cycles (daily, weekly) and seasonal variations 2. Response times from applications 3. Requirements for scalability 4. Requirements regarding capacity and performance reporting 3. Service Continuity commitments 1. Time within which a defined level of service must be re-established 2. Time within which normal service levels must be restored 10. Mandated technical standards and spec of the technical service interface 11. Responsibilities 1. Duties of the service provider 2. Duties of the customer (contract partner for the service) 3. Responsibilities of service users (e.g. with respect to IT security) 4. IT Security aspects to be observed when using the service 12. Costs and pricing 1. Cost for the service provision 2. Rules for penalties/ charge backs 13. Change history 14. List of annexes http://wiki.en.it-processmaps.com/index.php/Checklist_SLA_OLA_UC

25 Copyright 2010 25 User Requirements Essential Features Assured Data Integrity Assured Service Integrity Assured Compliance with legal requirements within jurisdictions to which the user organisation is subject Warranties and indemnities in the contract, terms of service and SLA (if any) But who audits and certifies?

26 Copyright 2010 26 Categories of Use-Profile UP1: CC is completely inappropriate – business-critical apps 'mission-critical systems' systems embodying the organisation's 'core competencies' applications whose failure or extended malperformance would threaten the organisation's health or survival

27 Copyright 2010 27 Categories of Use-Profile UP1: CC is completely inappropriate 'mission-critical systems' systems embodying the organisation's 'core competencies' applications whose failure or extended malperformance would threaten the organisation's health or survival UP2: CC is very well-suited Uses of computing that are highly price-sensitive, and adjuncts to analysis and decision-making, not essential operations Trade off loss of control, uncertain reliability, contingent risks against cost-advantages, convenience, scalability, etc.

28 Copyright 2010 28 Categories of Use-Profile UP1: CC is completely inappropriate 'mission-critical systems' systems embodying the organisation's 'core competencies' applications whose failure or extended malperformance would threaten the organisation's health or survival UP2: CC is very well-suited Uses of computing that are highly price-sensitive, and adjuncts to analysis and decision-making, not essential operations Trade off loss of control, uncertain reliability, contingent risks against cost-advantages, convenience, scalability, etc. UP3: CC is applicable depending... can the risks be adequately understood and managed? trade-offs between potential benefits vs. uncontrollable risks

29 Copyright 2010 29 Implications for Cloud Computing Architectures 1.CCAs must be comprehensive, encompassing not only the server side, but also the client side and intermediating functions 2.Security Risk Assessments and Solutions must be end-to-end rather than limited to the server side 3.CCA designers must address the risks arising from vulnerable user devices and vulnerable clients 4.Client authentication must be achieved through components, APIs, and externally-managed identities (Shibboleth, OpenID) 5.Jurisdictional Locations of Hosts must be controlled 6.These all depend on CCAs including specs and implementation of multiple special-purpose components and features 7.Privacy management must go beyond 'privacy through policy' and 'privacy by design' to 'Privacy through Architecture'

30 Copyright 2010 30 User Requirements for Cloud Computing Architecture AGENDA Precursors / Related Concepts A Working Definition An Architectural Framework User Benefits Disbenefits and Risks Operational Contingent Security Business Implications

31 Copyright 2010 31 Conclusion "Past efforts at utility computing failed, and we note that in each case one or two... critical characteristics were missing" (Armbrust et al. 2008, p. 5 – UC Berekeley) CC may be just another marketing buzz-phrase that leaves corporate wreckage in its wake CC service-providers need to invest a great deal in many aspects of architecture, infrastructure, applications, and terms of contract and SLA

32 Copyright 2010 32 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 23rd Bled eConference Slovenia – 22 June 2010 http://www.rogerclarke.com/II/CCBR {.html,.ppt} Computing Clouds on the Horizon? Benefits and Risks from the User's Perspective

Download ppt "Copyright 2010 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 23rd Bled eConference."

Similar presentations

1 Senn, Information Technology, 3 rd Edition © 2004 Pearson Prentice Hall James A. Senns Information Technology, 3 rd Edition Chapter 7 Enterprise Databases.

1 Senn, Information Technology, 3 rd Edition © 2004 Pearson Prentice Hall James A. Senns Information Technology, 3 rd Edition Chapter 7 Enterprise Databases.
1/17/20141 Leveraging Cloudbursting To Drive Down IT Costs Eric Burgener Senior Vice President, Product Marketing March 9, 2010.

1/17/20141 Leveraging Cloudbursting To Drive Down IT Costs Eric Burgener Senior Vice President, Product Marketing March 9, 2010.
A Flexible Cloud-Computing Platform Focus on solving business problems

A Flexible Cloud-Computing Platform Focus on solving business problems
Copyright 2009-11 1 Roger Clarke Xamax Consultancy and PSARN Security, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy,

Copyright Roger Clarke Xamax Consultancy and PSARN Security, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy,
Copyright 2009-12 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 25th Bled.

Copyright Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 25th Bled.
Copyright 2010 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 2nd International.

Copyright Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 2nd International.
Copyright 2010 1 Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW Computer Science.

Copyright Roger Clarke, Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW Computer Science.
Chapter 1: The Database Environment

Chapter 1: The Database Environment
10-1 McGraw-Hill/Irwin Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved.

10-1 McGraw-Hill/Irwin Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
The Managing Authority –Keystone of the Control System

The Managing Authority –Keystone of the Control System
Cloud Resource Broker for Scientific Community By: Shahzad Nizamani Supervisor: Peter Dew Co Supervisor: Karim Djemame Mo Haji.

Cloud Resource Broker for Scientific Community By: Shahzad Nizamani Supervisor: Peter Dew Co Supervisor: Karim Djemame Mo Haji.
IBM Corporate Environmental Affairs and Product Safety

IBM Corporate Environmental Affairs and Product Safety
EMS Checklist (ISO model)

EMS Checklist (ISO model)
Effectively applying ISO9001:2000 clauses 6 and 7.

Effectively applying ISO9001:2000 clauses 6 and 7.
Grow your business with your head in the cloud. What is Cloud Computing ? Internet-based computing, whereby shared resources, software and information.

Grow your business with your head in the cloud. What is Cloud Computing ? Internet-based computing, whereby shared resources, software and information.
Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.

Pros and Cons of Cloud Computing Professor Kam-Fai Wong Faculty of Engineering The Chinese University of Hong Kong.
The Platform as a Service Model for Networking Eric Keller, Jennifer Rexford Princeton University INM/WREN 2010.

The Platform as a Service Model for Networking Eric Keller, Jennifer Rexford Princeton University INM/WREN 2010.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 Taiwan ITQ.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 Taiwan ITQ.
Cloud Computing for Education & Cloud Learning Minjuan Wang to BT Research Center (Abu Dhabi) Educational Technology San Diego State University

Cloud Computing for Education & Cloud Learning Minjuan Wang to BT Research Center (Abu Dhabi) Educational Technology San Diego State University

Similar presentations

Ads by Google