
Slide 1: A Framework for the Analysis of Cloudsourcing Proposals
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Computer Science, ANU, and in Cyberspace Law & Policy, UNSW
25th Bled eConference, 19 June 2012
http://www.rogerclarke.com/EC/CCEF {.html,.ppt}
Copyright 2009-12

Slide 2: Framework for Analysis of Cloudsourcing Proposals - Agenda
1. Cloud Computing
2. Research Approach
3. Cloudsourcing Theory
4. Info & IT Security Theory
   - Operational Disbenefits and Risks
   - Contingent Risks
   - Security Risks (Security in the Less Broad)
   - Commercial Disbenefits and Risks
   - Compliance Disbenefits and Risks
5. Preliminary Field Reports

Slide 3: The Gartner Hype-Cycle for Emerging Technologies
"... a snapshot of the relative maturity of technologies ... They highlight overhyped areas against those that are high impact, estimate how long they will take to reach maturity, and help organizations decide when to adopt."

Slide 4: [Figure: Gartner Hype Cycle, 2007 ??] http://www.lostinthemagicforest.com/blog/......wp-content/uploads/2007/10/gartner2007.jpg

Slide 5: [Figure: Gartner Hype Cycle, 2008] http://adverlab.blogspot.com/2008/08/......media-history-through-gartner-hype.html

Slide 6: [Figure: Gartner Hype Cycle, 2009] http://www.gartner.com/it/page.jsp?id=1124212

Slide 7: [Figure: Gartner Hype Cycle, 2010] http://www.gartner.com/it/page.jsp?id=1447613

Slide 8: [Figure: Gartner Hype Cycle, 2011] http://cgiorgi.tumblr.com/post/8732569499/gartner-hype-cycle-2011

Slide 9: The Motivation - Find Answers to These Questions
- Is each of the various forms of cloud computing ready for 'prime time'?
- Is it appropriate for organisations to rely on IaaS, PaaS and SaaS providers?
- On what basis can judgements be made as to whether cloud computing is sufficiently reliable?
- What complementary actions are needed by organisations that adopt it?

Slide 10: 2. Research Approach

Slide 11: 3. Categories of Outsourcing
- Domestic / Within-Nation cf. Cross-Border / 'Off-Shore'
- Hosting cf. 'Utility Computing' cf. Application Service Provision (ASP)
- IT (e.g. equipment hosting) cf. Business Process (e.g. call centres)

Slide 12: A 'Primary Drivers' Theme
- Cost Reduction
- Access to technological expertise
- Enabling focus on core competence, rather than sustaining and managing technical capabilities
But:
- Few Demonstrated Cost-Savings
- Little Focus on Impact on Service-Quality
- Mis-fit, Lock-in, Lack of Adaptability
And then the Myths Literature

Slide 13: Cloud Computing is a Form of Outsourcing
How is it different from earlier forms?
- Scalability ('there when it's needed')
- Flexible Contractual Arrangements ('pay per use')
- Opaqueness ('let someone else worry about details'), which means less user control:
  - of the application, through commoditisation
  - of service levels, through SLA dependence (assuming there's an SLA, and it's negotiable)
  - of host location, through resource-virtualisation

Slide 14: From Insourcing to Cloudsourcing
- Off-Site Hosting
- Outsourced Facility

Slide 15: From Insourcing to Cloudsourcing
- Off-Site Hosting
- Outsourced Facility
- Multiple Outsourced Facilities

Slide 16: From Insourcing to Cloudsourcing
- Integrated Multi-Site Outsourced Facilities

Slide 17: From Insourcing to Cloudsourcing
- CloudSourced Facilities

Slide 18: From Insourcing to Cloudsourcing
- CloudSourced Facilities

Slide 19: Levels of Cloudsourcing
- Infrastructure as a Service (IaaS): Amazon EC2, Rackspace, ...
- Platform as a Service (PaaS): MS Azure, Software Dev Environments, ...
- Software as a Service (SaaS): Google Gmail, Google Docs / Apps; MS Live and Office 365; Dropbox; Salesforce; MYOB LiveAccounts; Intuit Online

Slide 20: Levels of Cloudsourcing
- Infrastructure as a Service (IaaS): 1960s on - Remote Application Hosting
- Platform as a Service (PaaS): 1990s on - Remote Servers
- Software as a Service (SaaS): 1980s - Application Service Providers (ASPs); 1990s - Hotmail => Webmail; 2004 - Gmail; 2005 - Zoho; 2006 - GDocs

Slide 21: Levels of Cloudsourcing and What is and isn't Outsourced

Slide 22: The Cloudsourcing Provider
- A Commercial Enterprise
- A Community Provider
- A Government Business Enterprise
- A Central Government Agency
- The User Organisation Itself
The Location(s)
- Provider's Choice
- User Organisation's Choice
- User Organisation's Own Premises

Slide 23: Cloudsourcing from the User Perspective
A service that satisfies all of the following conditions:
1. It is delivered over a telecommunications network
2. The service depends on virtualised resources, i.e. the user has no technical need to be aware which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located
3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used

Slide 24: Cloudsourcing from the User Perspective
A service that satisfies all of the following conditions:
1. It is delivered over a telecommunications network
2. The service depends on virtualised resources, i.e. the user does not know which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located
3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used
4. The user organisation places reliance on the service for data access and/or data processing
5. The user organisation has legal responsibilities

Slide 25: 4. Information Security
- Data Secrecy: Prevent access by those who should not see it
- Data Quality / Data Integrity: Prevent inappropriate change and deletion
- Data Accessibility: Enable access by those who should have it

Slide 26: IT Security
Security of Service
- Integrity
- Reliability
- Robustness
- Resilience
- Accessibility
- Usability
Security of Investment
- Assets
- The Business

Slide 27: The Conventional IT Security Model
Threats impinge on Vulnerabilities, resulting in Harm

Slide 28: From Insourcing to Cloudsourcing - Changes in Risk-Exposure
Sourcing Phases
- Insourcing
- Outsourced Site
- Outsourced Facility
- Outsourced Facilities in Multiple Locations
- Integrated Multi-Site Outsourced Facilities
- Cloudsourced Facilities

Slide 29: From Insourcing to Cloudsourcing - Changes in Risk-Exposure
Sourcing Phases
- Insourcing
- Outsourced Site
- Outsourced Facility
- Outsourced Facilities in Multiple Locations
- Integrated Multi-Site Outsourced Facilities
- Cloudsourced Facilities
Increasing:
- Component-Count
- Location-Count
- Complexity
- Dependencies
- Fragility
Decreasing:
- Internal Expertise
- Internal Knowability ('set and forget')

Slide 30: 2. Potential Benefits
- Technical
- Business
- Financial
- Enhanced Service Accessibility

Slide 31: Potential Benefits - Technical
- Scalability
- Professionalised Backup and Recovery
- Copyright Convenience
- Collaboration Convenience
- ...

Slide 32: Potential Benefits - Business
- Rapid Prototyping
- Rapid Launch of New Services
- Rapid Scalability of Services that have Variable or Uncertain Demand
- Operational Costs that Reflect Usage
- ...

Slide 33: Potential Benefits - Financial
- Lower Investment / Up-Front Cost
- Lower Operational Costs
- Lower IT Staff Costs
- From Capital Budget (CAPEX) to Recurrent Budget (OPEX)?
- Escape from 'Whole of Life' Costing?
- ...

Slide 34: Potential Benefits - Enhanced Service Accessibility
Access to Services that are otherwise unavailable:
- from any location
- from multiple desktop devices
- from scaled-down devices
- from multiple device-types

Slide 35: Downsides from the User Perspective (Security in the Broad)
(1) Operational Disbenefits and Risks: dependability on a day-to-day basis
(2) Contingent Risks: low likelihood, but highly significant
(3) Security Risks: security in the less broad
(4) Commercial Disbenefits and Risks
(5) Compliance Disbenefits and Risks

Slide 36: (1) Operational Disbenefits and Risks
- Fit: to users' needs, and customisability
- Reliability: continuity of operation
  - Availability: hosts/server/db readiness/reachability
  - Accessibility: network readiness
  - Usability: response-time, and consistency
  - Robustness: frequency of un/planned unavailability (97% uptime = 5 hr per week offline)
  - Resilience: speed of resumption after outages
  - Recoverability: service readiness after resumption
- Integrity: sustained correctness of the service, and the data
- Maintainability: fit, reliability, integrity after bug-fixes & mods
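The reliability attributes on slide 36 are stated as concepts, but a user organisation evaluating a proposal needs them as numbers it can hold a provider to. The following is an added example, not part of the presentation and not code from the author: it takes a constructed outage history for a hypothetical SaaS provider and computes the figures that correspond to the slide's terms (downtime budget implied by an uptime percentage, observed uptime, unplanned-outage count for robustness, mean time to resumption for resilience) and then lists which of the organisation's own SLA thresholds the period breaches. The outage windows, the 168-hour reporting week and the threshold values are all assumptions chosen for the example.

```python
"""Availability, robustness and resilience metrics from an outage log.

Added example (not from the presentation): turns a provider's outage history
into the operational figures named on slide 36, so that a cloudsourcing
proposal can be checked against the user organisation's own SLA thresholds.
"""
from datetime import datetime, timedelta

# Constructed sample input: (ISO-8601 start, ISO-8601 end, kind) for a
# hypothetical SaaS provider during the week starting Monday 2012-06-11.
SAMPLE_OUTAGES = [
    ("2012-06-11T02:00:00", "2012-06-11T03:30:00", "planned"),
    ("2012-06-13T14:05:00", "2012-06-13T16:50:00", "unplanned"),
    ("2012-06-15T09:00:00", "2012-06-15T09:40:00", "unplanned"),
]


def allowed_downtime_hours(uptime_pct, period_hours=168.0):
    """Downtime budget implied by an uptime percentage.

    97% of a 168-hour week leaves 5.04 hours offline, the figure the slide rounds to 5 hr.
    """
    if not 0.0 <= uptime_pct <= 100.0:
        raise ValueError("uptime percentage must lie between 0 and 100")
    return (1.0 - uptime_pct / 100.0) * period_hours


def parse_outages(rows):
    """Convert text rows into (start, end, kind) datetime tuples, rejecting malformed windows."""
    parsed = []
    for start, end, kind in rows:
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if e <= s:
            raise ValueError(f"outage ends before it starts: {start} -> {end}")
        if kind not in ("planned", "unplanned"):
            raise ValueError(f"unknown outage kind: {kind}")
        parsed.append((s, e, kind))
    return parsed


def availability_metrics(outages, period_start, period_hours=168.0):
    """Aggregate outage windows that fall inside one reporting period."""
    period_end = period_start + timedelta(hours=period_hours)
    downtime = timedelta(0)
    durations = []
    counts = {"planned": 0, "unplanned": 0}
    for s, e, kind in outages:
        # Clip each window to the period so a multi-period outage is counted once per period.
        s, e = max(s, period_start), min(e, period_end)
        if e <= s:
            continue  # lies entirely outside this period
        d = e - s
        downtime += d
        durations.append(d)
        counts[kind] += 1
    downtime_hours = downtime.total_seconds() / 3600.0
    minutes = [d.total_seconds() / 60.0 for d in durations]
    return {
        "downtime_hours": downtime_hours,
        "uptime_pct": 100.0 * (period_hours - downtime_hours) / period_hours,
        "planned_count": counts["planned"],
        "unplanned_count": counts["unplanned"],        # robustness: how often it fails
        "mean_recovery_minutes": (sum(minutes) / len(minutes)) if minutes else 0.0,  # resilience
        "longest_outage_minutes": max(minutes, default=0.0),
    }


def sla_findings(metrics, uptime_target_pct, max_outage_minutes, max_unplanned):
    """List the thresholds the observed period breaches; an empty list means compliant."""
    findings = []
    if metrics["uptime_pct"] < uptime_target_pct:
        findings.append(f"uptime {metrics['uptime_pct']:.2f}% below target {uptime_target_pct}%")
    if metrics["longest_outage_minutes"] > max_outage_minutes:
        findings.append(f"longest outage {metrics['longest_outage_minutes']:.0f} min exceeds {max_outage_minutes} min")
    if metrics["unplanned_count"] > max_unplanned:
        findings.append(f"{metrics['unplanned_count']} unplanned outages exceed limit of {max_unplanned}")
    return findings


if __name__ == "__main__":
    week = availability_metrics(parse_outages(SAMPLE_OUTAGES), datetime(2012, 6, 11))
    print(f"downtime budget at 97%: {allowed_downtime_hours(97.0):.2f} h/week")
    for key, value in week.items():
        print(f"{key}: {value:.2f}" if isinstance(value, float) else f"{key}: {value}")
    for finding in sla_findings(week, 99.0, 60, 1):
        print("breach:", finding)
```

Measured this way, the constructed week sits at about 97.07% uptime, which passes a 97% target yet fails a 99% one, and the single 165-minute unplanned outage is what a 60-minute per-incident ceiling would catch even when the uptime figure looks acceptable. That is the practical reason to express an SLA in several of the slide's attributes rather than in an uptime percentage alone.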


Slide 39: (2) Contingent Risks
- Major Service Interruptions
- Service Survival: supplier collapse or withdrawal. Safeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers
- Data Survival: data backup/mirroring/synch, accessibility
- Data Accessibility: blockage by opponents or a foreign power
- Compatibility: software, versions, protocols, data formats
- Flexibility
  - Customisation
  - Forward-Compatibility, to migrate to new levels
  - Backward-Compatibility, to protect legacy systems
  - Lateral Compatibility, to enable dual-sourcing and escape


Slide 41: (3) Security Risks
- Service Security: environmental, second-party and third-party threats to any aspect of reliability or integrity
- Data Security: environmental, second-party and third-party threats to content, both in remote storage and in transit
- Authentication and Authorisation: how to provide clients with convenient access to data and processes in the cloud, while denying access to imposters?
- Susceptibility to DDoS: multiple, separate servers; but choke-points will exist


Slide 43: (4) Commercial Disbenefits and Risks
Acquisition
- Lack of information
- Non-Negotiability of Terms and SLA
Ongoing
- Loss of Corporate Expertise re apps, IT services, costs to deliver
- Inherent Lock-In Effect from high switching costs, formats, protocols
- High-volume Data Transfers from large datasets, replication/synchronisation
- Service Levels to the Organisation's Customers


Slide 45: (5) Compliance Disbenefits and Risks
General Statutory & Common Law Obligations
- Evidence Discovery Law
- Financial Regulations
- Company Directors' obligations re asset protection, due diligence, business continuity, risk management
Security
- Treaty Obligations
- Confidentiality, incl. against foreign governments: Strategic; Commercial; Governmental
Privacy, particularly Unauthorised Use and Disclosure
- Second-Party (service-provider abuse)
- Third-Party ('data breach', 'unauthorised disclosure')
- Storage in Data Havens (India, Arkansas)


Slide 48: (5) Compliance Disbenefits and Risks
General Statutory & Common Law Obligations
- Evidence Discovery Law
- Financial Services Regulations
- Company Directors' obligations re asset protection, due diligence, business continuity, risk management
Security
- Treaty Obligations
- Confidentiality, incl. against foreign governments: Strategic; Commercial; Governmental
Privacy, particularly Unauthorised Use and Disclosure
- Second-Party (service-provider abuse)
- Third-Party ('data breach', 'unauthorised disclosure')
- Storage in Data Havens (India, Arkansas)

Slide 49: Risk Management Strategies
Processes
- Risk Assessment => Risk Management
Legal Aspects
- Service Level Agreement (SLA)
- Contract Terms
- Ongoing Due Diligence
- Audit and Certification
Multi-Sourcing
- Several Suppliers
- Of necessity compatible
- Parallel, In-House
Redundancy
- Multiple and Independent Processing Facilities
- Hot/Warm-Site Data Storage

Slide 50: Testing Needed
Is this Framework relevant, understandable, practicable and comprehensive?
Approaches
- Review of its Rationale
- Pilot-Testing in various settings
- Deep case studies
A Preliminary Test of the Checklist
- Media Reports of Cloud Outages

Slide 51: 5. Preliminary Field Reports
- 105 relevant articles
- 49 relevant events:
  - 26 related to 10 SaaS providers
  - 7 events related to 5 PaaS providers
  - 16 events related to 5 IaaS providers
Clarke R. (2012) 'How Reliable is Cloudsourcing? A Review of Articles in the Technical Media 2005-11', Comp. Law & Security Review 28, 1 (Feb 2012) 90-95, http://www.rogerclarke.com/EC/CCEF-CO.html

Slide 52: Inferences from the Reports
(1) Outages are not Uncommon
(2) Outages Arise from Multiple Causes
(3) Providers' Safeguards are Sometimes Ineffective
(4) Failure Cascades are Prevalent
(5) Providers have had to be Forced to be Responsive
(6) Providers have often been Uninformative
(7) Outages may Affect Important Ancillary Services
(8) The Direct Impacts have sometimes been Significant
(9) Indirect Impacts have often been Even More Significant
(10) Few Customers are Recompensed

Slide 53: Conclusions
- Cloudsourcing can be better understood and better managed by drawing on prior knowledge of Outsourcing, and of Security and Risk Management
- Theoretical Risks have been identified
- Evidence shows that they are real, and even common
- Organisations often adopt services without evaluation
- Directors have legal responsibilities re business risk assessment and management
- The framework provides a basis for executives to assist Directors in fulfilling their responsibilities

Slide 54: Framework for Analysis of Cloudsourcing Proposals - Agenda
1. Cloud Computing
2. Potential Benefits
3. Cloudsourcing Theory
4. Info & IT Security Theory
   - Operational Disbenefits and Risks
   - Contingent Risks
   - Security Risks (Security in the Less Broad)
   - Commercial Disbenefits and Risks
   - Compliance Disbenefits and Risks
5. Preliminary Field Reports

Slide 55: A Framework for the Analysis of Cloudsourcing Proposals
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Computer Science, ANU, and in Cyberspace Law & Policy, UNSW
25th Bled eConference, 19 June 2012
http://www.rogerclarke.com/EC/CCEF {.html,.ppt}
