Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2009-12 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 25th Bled.

Similar presentations


Presentation on theme: "Copyright 2009-12 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 25th Bled."— Presentation transcript:

1 Copyright Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 25th Bled eConference 19 June {.html,.ppt} A Framework for the Analysis of Cloudsourcing Proposals

2 Copyright Framework for Analysis of Cloudsourcing Proposals AGENDA 1.Cloud Computing 2.Research Approach 3.Cloudsourcing Theory 4.Info & IT Security Theory Operational Disbenefits and Risks Contingent Risks Security Risks (Security in the Less Broad) Commercial Disbenefits and Risks Compliance Disbenefits and Risks 5. Preliminary Field Reports

3 Copyright The Gartner Hype-Cycle for Emerging Technologies "... a snapshot of the relative maturity of technologies... "They highlight overhyped areas against those that are high impact, estimate how long they will take to reach maturity, and help organizations decide when to adopt"

4 Copyright ??

5 Copyright

6 Copyright

7 Copyright

8 Copyright

9 Copyright The Motivation Find Answers to These Questions Is each of the various forms of cloud computing ready for 'prime time'? Is it appropriate for organisations to rely on IaaS, PaaS and SaaS providers? On what basis can judgements be made as to whether cloud computing is sufficiently reliable? What complementary actions are needed by organisations that adopt it?

10 Copyright Research Approach

11 Copyright Categories of Outsourcing Domestic / Within-Nation cf. Cross-Border / 'Off-Shore' Hosting cf. 'Utility Computing' cf. Application Service Provision (ASP) IT (e.g. equipment hosting) cf. Business Process (e.g. call centres)

12 Copyright A 'Primary Drivers' Theme Cost Reduction Access to technological expertise Enabling focus on core competence, rather than sustaining and managing technical capabilities Few Demonstrated Cost-Savings Little Focus on Impact on Service-Quality Mis-fit, Lock-in, Lack of Adaptability And then the Myths Literature

13 Copyright Cloud Computing is a Form of Outsourcing How is it different from earlier forms? Scalability ('there when it's needed) Flexible Contractual Arrangements ('pay per use') Opaqueness ('let someone else worry about details') which means less user control: of the application, through commoditisation of service levels, through SLA dependence (assuming there's an SLA, and it's negotiable) of host location, through resource-virtualisation

14 Copyright From Insourcing to Cloudsourcing Off-Site Hosting Outsourced Facility

15 Copyright From Insourcing to Cloudsourcing Off-Site Hosting Outsourced Facility Multiple Outsourced Facilities

16 Copyright From Insourcing to Cloudsourcing Integrated Multi-Site Outsourced Facilities

17 Copyright From Insourcing to Cloudsourcing CloudSourced Facilities

18 Copyright From Insourcing to Cloudsourcing CloudSourced Facilities

19 Copyright Levels of Cloudsourcing Infrastructure as a Service (IaaS) Amazon EC2, Rackspace,... Platform as a Service (PaaS) MS Azure, Sware Dev Environments,... Software as a Service (SAAS) Google Gmail, Google Docs / Apps MS Live and Office 365 Dropbox Salesforce MYOB LiveAccounts, Intuit Online

20 Copyright Levels of Cloudsourcing Infrastructure as a Service (IaaS) 1960s on– Remote Application Hosting Platform as a Service (PaaS) 1990s on– Remote Servers Software as a Service (SAAS) 1980s– Application Service Providers (ASPs) 1990s– Hotmail => Webmail 2004– Gmail 2005– Zoho 2006– GDocs

21 Copyright Levels of Cloudsourcing and What is and isn't Outsourced

22 Copyright The Cloudsourcing Provider A Commercial Enterprise A Community Provider A Government Business Enterprise A Central Government Agency The User Organisation Itself The Location(s) Provider's Choice User Organisation's Choice User Organisation's Own Premises

23 Copyright Cloudsourcing from the User Perspective A service that satisfies all of the following conditions: 1.It is delivered over a telecommunications network 2.The service depends on virtualised resources i.e. the user has no technical need to be aware which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located 3.The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used

24 Copyright Cloudsourcing from the User Perspective A service that satisfies all of the following conditions: 1.It is delivered over a telecommunications network 2.The service depends on virtualised resources i.e. the user does not know which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located 3.The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used 4.The user organisation places reliance on the service for data access and/or data processing 5.The user organisation has legal responsibilities

25 Copyright Information Security Data Secrecy Prevent access by those who should not see it Data Quality / Data Integrity Prevent inappropriate change and deletion Data Accessibility Enable access by those who should have it

26 Copyright IT Security Security of Service Integrity Reliability Robustness Resilience Accessibility Usability Security of Investment Assets The Business

27 Copyright The Conventional IT Security Model Threats impinge on Vulnerabilities, resulting in Harm

28 Copyright From Insourcing to Cloudsourcing Changes in Risk-Exposure Sourcing Phases Insourcing Outsourced Site Outsourced Facility Outsourced Facilities in Multiple Locations Integrated Multi-Site Outsourced Facilities Cloudsourced Facilities

29 Copyright From Insourcing to Cloudsourcing Changes in Risk-Exposure Sourcing Phases Insourcing Outsourced Site Outsourced Facility Outsourced Facilities in Multiple Locations Integrated Multi-Site Outsourced Facilities Cloudsourced Facilities Increasing: Component-Count Location-Count Complexity Dependencies Fragility Decreasing: Internal Expertise Internal Knowability ('set and forget')

30 Copyright Potential Benefits Technical Business Financial Enhanced Service Accessibility

31 Copyright Potential Benefits Technical Scalability Professionalised Backup and Recovery Copyright Convenience Collaboration Convenience...

32 Copyright Potential Benefits Business Rapid Prototyping Rapid Launch of New Services Rapid Scalability of Services that have Variable or Uncertain Demand Operational Costs that Reflect Usage...

33 Copyright Potential Benefits Financial Lower Investment / Up-Front Cost Lower Operational Costs Lower IT Staff Costs From Capital Budget (CAPEX) to Recurrent Budget (OPEX)? Escape from 'Whole of Life' Costing?...

34 Copyright Potential Benefits Enhanced Service Accessibility Access to Services that are otherwise unavailable from any location from multiple desktop devices from scaled-down devices from multiple device-types

35 Copyright Downsides from the User Perspective (Security in the Broad) (1)Operational Disbenefits and Risks Dependability on a day-to-day basis (2)Contingent Risks Low likelihood, but highly significant (3)Security Risks Security in the less broad (4)Commercial Disbenefits and Risks (5)Compliance Disbenefits and Risks

36 Copyright (1)Operational Disbenefits and Risks Fit – to users' needs, and customisability Reliability – continuity of operation Availability hosts/server/db readiness/reachability Accessibility network readiness Usability response-time, and consistency Robustness frequency of un/planned unavailability (97% uptime = 5 hr per week offline) Resilience speed of resumption after outages Recoverability service readiness after resumption Integrity – sustained correctness of the service, and the data Maintainability – fit, reliability, integrity after bug-fixes & mods

37 Copyright (1)Operational Disbenefits and Risks Fit – to users' needs, and customisability Reliability – continuity of operation Availability hosts/server/db readiness/reachability Accessibility network readiness Usability response-time, and consistency Robustness frequency of un/planned unavailability (97% uptime = 5 hr per week offline) Resilience speed of resumption after outages Recoverability service readiness after resumption Integrity – sustained correctness of the service, and the data Maintainability – fit, reliability, integrity after bug-fixes & mods

38 Copyright (1)Operational Disbenefits and Risks Fit – to users' needs, and customisability Reliability – continuity of operation Availability hosts/server/db readiness/reachability Accessibility network readiness Usability response-time, and consistency Robustness frequency of un/planned unavailability (97% uptime = 5 hr per week offline) Resilience speed of resumption after outages Recoverability service readiness after resumption Integrity – sustained correctness of the service, and the data Maintainability – fit, reliability, integrity after bug-fixes & mods

39 Copyright (2)Contingent Risks Major Service Interruptions Service Survival – supplier collapse or withdrawal Safeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers Data Survival – data backup/mirroring/synch, accessibility Data Acessibility – blockage by opponents or a foreign power Compatibility – software, versions, protocols, data formats Flexibility Customisation Forward-Compatibilityto migrate to new levels Backward-Compatibilityto protect legacy systems Lateral Compatibilityto enable dual-sourcing and escape

40 Copyright (2)Contingent Risks Major Service Interruptions Service Survival – supplier collapse or withdrawal Safeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers Data Survival – data backup/mirroring/synch, accessibility Data Acessibility – blockage by opponents or a foreign power Compatibility – software, versions, protocols, data formats Flexibility Customisation Forward-Compatibilityto migrate to new levels Backward-Compatibilityto protect legacy systems Lateral Compatibilityto enable dual-sourcing and escape

41 Copyright (3)Security Risks Service Security Environmental, second-party and third-party threats to any aspect of reliability or integrity Data Security Environmental, second-party and third-party threats to content, both in remote storage and in transit Authentication and Authorisation How to provide clients with convenient access to data and processes in the cloud, while denying access to imposters? Susceptibility to DDOS Multiple, separate servers; but choke-points will exist

42 Copyright (3)Security Risks Service Security Environmental, second-party and third-party threats to any aspect of reliability or integrity Data Security Environmental, second-party and third-party threats to content, both in remote storage and in transit Authentication and Authorisation How to provide clients with convenient access to data and processes in the cloud, while denying access to imposters? Susceptibility to DDOS Multiple, separate servers; but choke-points will exist

43 Copyright (4)Commercial Disbenefits and Risks Acquisition Lack of information Non-Negotiability of Terms and SLA Ongoing Loss of Corporate Expertise re apps, IT services, costs to deliver Inherent Lock-In Effect from high switching costs, formats, protocols High-volume Data Transfers from large datasets, replication/synchronisation Service Levels to the Organisation's Customers

44 Copyright (4)Commercial Disbenefits and Risks Acquisition Lack of information Non-Negotiability of Terms and SLA Ongoing Loss of Corporate Expertise re apps, IT services, costs to deliver Inherent Lock-In Effect from high switching costs, formats, protocols High-volume Data Transfers from large datasets, replication/synchronisation Service Levels to the Organisation's Customers

45 Copyright (5)Compliance Disbenefits and Risks General Statutory & Common Law Obligations Evidence Discovery Law Financial Regulations Company Directors' obligations re asset protection, due diligence, business continuity, risk management Security Treaty Obligations Confidentiality – incl. against foreign governments Strategic Commercial Governmental Privacy – particularly Unauthorised Use and Disclosure Second-Party (service-provider abuse), Third-Party ('data breach', 'unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

46 Copyright (5)Compliance Disbenefits and Risks General Statutory & Common Law Obligations Evidence Discovery Law Financial Regulations Company Directors' obligations re asset protection, due diligence, business continuity, risk management Security Treaty Obligations Confidentiality – incl. against foreign governments Strategic Commercial Governmental Privacy – particularly Unauthorised Use and Disclosure Second-Party (service-provider abuse), Third-Party ('data breach', 'unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

47 Copyright (5)Compliance Disbenefits and Risks General Statutory & Common Law Obligations Evidence Discovery Law Financial Regulations Company Directors' obligations re asset protection, due diligence, business continuity, risk management Security Treaty Obligations Confidentiality – incl. against foreign governments Strategic Commercial Governmental Privacy – particularly Unauthorised Use and Disclosure Second-Party (service-provider abuse), Third-Party ('data breach', 'unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

48 Copyright (5)Compliance Disbenefits and Risks General Statutory & Common Law Obligations Evidence Discovery Law Financial Services Regulations Company Directors' obligations re asset protection, due diligence, business continuity, risk management Security Treaty Obligations Confidentiality – incl. against foreign governments Strategic Commercial Governmental Privacy – particularly Unauthorised Use and Disclosure Second-Party (service-provider abuse), Third-Party ('data breach', 'unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

49 Copyright Risk Management Strategies Processes Risk Assessment => Risk Management Legal Aspects Service Level Agreement (SLA) Contract Terms Ongoing Due Diligence Audit and Certification Multi-Sourcing Several Suppliers Of necessity compatible Parallel, In-House Redundancy – Multiple and Independent Processing Facilities Hot/Warm-Site Data Storage

50 Copyright Testing Needed Is this Framework relevant, understandable, practicable and comprehensive? Approaches Review of its Rationale Pilot-Testing in various settings Deep case studies A Preliminary Test of the Checklist Media Reports of Cloud Outages

51 Copyright Preliminary Field Reports 105 relevant articles 49 relevant events: 26 related to 10 SaaS providers 7 events related to 5 PaaS providers 16 events related to 5 IaaS providers Clarke R. (2012) 'How Reliable is Cloudsourcing? A Review of Articles in the Technical Media ' Comp. Law & Security Review 28, 1 (Feb 2012) ,

52 Copyright Inferences from the Reports (1) Outages are not Uncommon (2) Outages Arise from Multiple Causes (3) Providers' Safeguards are Sometimes Ineffective (4) Failure Cascades are Prevalent (5) Providers have had to be Forced to be Responsive (6) Providers have often been Uninformative (7) Outages may Affect Important Ancillary Services (8) The Direct Impacts have sometimes been Significant (9) Indirect Impacts have often been Even More Significant (10) Few Customers are Recompensed

53 Copyright Conclusions Cloudsourcing can be better understood and better managed, by drawing on prior knowledge of: Outsourcing Security and Risk Management Theoretical Risks have been identified Evidence shows that they are real, and even common Organisation often adopt services without evaluation Directors have legal responsibilities re business risk assessment and management The framework provides a basis for executives to assist Directors in fulfilling their responsibilities

54 Copyright Framework for Analysis of Cloudsourcing Proposals AGENDA 1.Cloud Computing 2.Potential Benefits 3.Cloudsourcing Theory 4.Info & IT Security Theory Operational Disbenefits and Risks Contingent Risks Security Risks (Security in the Less Broad) Commercial Disbenefits and Risks Compliance Disbenefits and Risks 5. Preliminary Field Reports

55 Copyright Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 25th Bled eConference 19 June {.html,.ppt} A Framework for the Analysis of Cloudsourcing Proposals


Download ppt "Copyright 2009-12 1 Roger Clarke Xamax Consultancy, Canberra Visiting Professor in Computer Science, ANU and in Cyberspace Law & Policy, UNSW 25th Bled."

Similar presentations


Ads by Google