breaking through the hype

May 11th, 2011

11th Annual European Shared Services & Outsourcing Week

Breaking through the Hype: Cloud Computing Takes Shared Services to the Next Level

Krist Davood, Chief Information Officer

Introduction of speaker & topic

Introducing your speaker: Mr. Krist Davood, CIO of the Schiavello Group

What is the definition of Cloud Computing that will be used for this presentation?

Cloud computing is a model for enabling on-demand access to a shared pool of configurablecomputing resources (e.g., infrastructure, networks, servers, storage, applications, and services)that can be rapidly provisioned and released with minimal management effort or service providerinteraction.

What can you expect from this workshop? What shouldn’t you expect from this presentation?

Bullet Points What can I expect, what can I take away and what can I use when I get back

to the office?

a. you can expect to get a ‘checklist’ of evaluation criteria for cloud computing service providers so you can evaluate the effectiveness of the service provider;

b. you can expect to understand the benefits to the business of a Cloud Computing capability and understand the challenge you have before you to enjoy those benefits;

c. you shouldn’t expect to be sold any specific Cloud Computing offering; this presentation is ‘vendor sales agnostic’;

d. you shouldn’t expect to forego the rigor expected of you to plan for a successful IT Cloud Computing implementation i.e. the planning stages of your IT implementation needs to where 80% of your effort needs to be; and

e. you should expect to understand that to setup an effective Cloud Computing capability one needs to invest considerable time in planning the delivery phases and just as much time in planning the outcomes.

What is definition of Cloud Computing used in the context of this presentation?

Cloud computing is a mode of delivering IT Shared Services via the internet on apay-as-you-go basis.

Three Cloud Computing services will be explained:i. SaaS (Software as a Service)ii. IaaS (Infrastructure as a Service)iii. PaaS (Platform as a Service)

What are the benefits of Cloud Computing?

• Increasing the business’s agility through standardized IT-based capability.

• Quick implementation time.

• Reducing IT costs.

• Improving security and managing IT risk.

• Embedding sustainability in business strategy and operations (i.e. Relevant to IaaS).

• Significantly lower Total Cost of Ownership (TCO).

• Pay-as-you-go pricing (known as “consumption billing”) lets you pay only for what you use.

• Web-based accessibility and access robust ‘enterprise grade’ applications.

• Respond dynamically to marketplace opportunities.

• Frees up Shared Services staff for other high-value initiatives.

Cross-technical role of the IT Shared Services is made simpler with Cloud Computing

Applicationslayer

Applicationslayer

Database layerDatabase layer

Network/Support services layer

Network/Support services layer

Operating System layer

Operating System layer

Hardware/Communications

layer

Hardware/Communications

layer

Data Centre layer

Data Centre layer

As a Finance Director, what do I need to know about the Cloud?

From a Finance perspective (bullet points)

Finance Executives need to monitor the ongoing costs to ensure what is paid equals to what wasconsumed in the Cloud i.e. Pay-as-you-go pricing (known as “consumption billing”) lets you payonly for what you use.

Implementation of Cloud Services is not regarded as a capital investment.

Cloud investments offer a lower Total Cost of Ownership.

Review all benefits (upfront and ongoing) year on year after implementation to ensure the solutionis tracking to expectations. This review mechanism call occur through the SSMO (SharedServices Management Office).


From a Implementation perspective (bullet points)

Cloud implementations occur quicker than ‘in-house’ implementations.

Cloud solutions are designed to be configurable (SaaS).

The Cloud software is standardized so you won’t be able to request changes to the functionality.

The Cloud will effectively outsource your shared service to an external provider; a limited amountof in-house support is available for Cloud services.


From a Risk perspective (bullet points)

Cloud services assumes the availability of the internet; as a rule when the internet goes down sodoes your Cloud system.

You can be ‘locked in’ to your service provider as data portability is an issue i.e. the vendor has noincentive to let you go as a customer.

Data security is an issue because the vendor’s security systems will be in charge of your data andthe vendor is in charge of updating security protecting your data.

There is no effective regulatory body for Cloud Computing services so if you have a complaint thenyou won’t be able to resolve the issue using the authorities.


From a Governance perspective (bullet points)

The Cloud will store your data offsite; the data can be stored anywhere in Europe or in anotherregion. This means the data is subject to laws of the hosting country e.g. the U.S.’s Patriot Act.

Effective ‘Cross-jurisdiction’ legislation hasn’t been developed to mitigate all the issues associatedwith cross border data security.

A service provider can restrict access to your data when there is a dispute.

A service provider has service level agreements however they do not have compensation clauses.

Kindly note the vendor doesn’t have to give you your data back i.e. data portability is an issue aswell as ‘vendor locking’.

What are the three parts of Cloud Computing (a simplified definition)?

SaaS

With SaaS, the provider's applications run on the cloud service provider’s infrastructure andare accessible via a Web browser. The consumer does not manage or control the network,servers, operating systems, storage or even individual application capabilities.

For this reason, the SaaS model integrates the most functionality directly into the offering, with theleast consumer extensibility. Please note "security responsibilities are almost entirely up to thevendor therefore is the vendor doesn't encrypt data, it's not encrypted. If there isn't activitymonitoring, you won't get any monitoring."

Examples of Service Providers include SalesForce, SageCRM, Google and Microsoft


IaaS

With IaaS, consumers can provision processing, infrastructure, storage, networks and otherfundamental computing resources, as well as deploy and run operating systems. Whilethey don't manage or control the underlying cloud infrastructure, they do have control overoperating systems, storage and deployed applications, and (in some instances) limited control ofselect networking components, such as host firewalls.

With IaaS, there are few integrated security capabilities beyond protecting the infrastructure itselfbut there's enormous extensibility. This indicates users need to manage and secure operatingsystems, applications and content, typically through an API.

With IaaS, virtualisation is a big concern particularly when it comes to intrusion detection and theintegrity of partitioning virtual machines. You need to mediate separation and make sure theinstances don‘t interact with each other.

Examples of Service Providers include Amazon and Telstra.


PaaS

With PaaS, consumers create applications using programming languages and developmenttoolkits supported by the vendor and then deploy these onto the cloud infrastructure. As with

SaaS,the consumer does not manage or control the infrastructure, the network, servers, operatingsystems or storage devices but does have control over the deployed applications.

There are fewer customer-ready (or built-in) security features with PaaS than with SaaS and thosethat do exist are less complete, but there is more flexibility to layer on additional security. Thismeans users need to pay attention to application security, as well as security issues surroundingthe management APIs, such as authentication, authorization and auditing in particular.

Examples of Service Providers include Google Code, Azure and developerForce.

What were our requirements for Cloud Computing?

• we needed to put our network infrastructure out in the Cloud to facilitate our growing number ofremote offices and sites.

How did we come to the conclusion we wanted Cloud Computing?

• we wanted a ‘pay as you go’ capability to reflect our actual usage.*

• we needed a rapid deployment.*

• we recognized our business need to be agile and responsive.

• we recognized our international network complexity was growing.

• we realized we had a ‘sense of urgency’ in getting our network right otherwise we would not becompetitive in the market.

* this reflects Frost & Sullivan’s survey which found just under 33% of Australian enterprises hadadopted cloud computing due to dispersed staff locations and relatively high labor costs.

How did we implement Cloud Computing?

• We chose the right vendor for us. We needed an IaaS service specializing in networks.• Replaced network architecture with our provider’s MLAN capability (refer to the example diagrambelow).• Increased bandwidth and speed upload and download times.• Increased scope to include mobile sites as well as fixed sites locally and overseas.• 19 Domains down to 1 globally (Exchange server simplicity).

What are the technical Risks we faced in implementing Cloud Computing? How do you mitigate those risks?

• Provider’s cable network goes down for more than 40secWireless PtP (switch over to wireless comms line capability)

• Upstream Internet capability is hacked by cyber-criminalsAs of 2005 there were 20 ‘upstream’ internet providers servicing ISPs globally; in the event of anattack on these providers internet capability globally will be compromised to downstream providerse.g. the Schiavello Group is drawing up a proposal to have a physical cable laid between essentialsites to ensure business continuity.

• Malware attacks on our Cloud Computing capabilityEnsure your provider has malware scanning tools; for instance, malware scanning tools will needto look specifically for emerging malware that targets virtual platforms; identity managementsystems will need to authenticate not just users but also devices and applications by region; andSecurity information management (SIM) systems will need to log all events to help isolate attacks.

How we selected the most appropriate ‘Shared Services Cloud Computing’ partner/provider (SaaS, IaaS and PaaS considerations are included below)

a. do a RFT for the vendor selection focussing on the following points:a. Vendor Company Overview

a. History of the Organisation and Org Chartb. Resource Skills and Industry knowledgec. Organisational commitment to your organization i.e. how many people can this dedicate to you

specificallyd. Scope of Services and Offeringse. Current Activities and Investments e.g. R&Df. Current Legal issues facing the organisation globallyg. Financial Performanceh. Reference Sitesi. SLA monitoring process

b. Third Party alliances (if applicable)c. Delivery/Handover

a. Project Implementation methodology & approachb. Project Quality measuresc . Milestone management and signoffd. Resource Model i.e. how many of these people will actually be part of the delivery team fulltime?e. Training Approach and Methodology

d. Technical handovera. Application maintenance and support capabilitiesb. Infrastructure outsourcing

a. Hardware platform details/Data Centre specifications (if applicable)b. OS Platform detailsc. DBMS detailsd. Capacity and Scalability (memory and disk)e. Availabilityf. Versioning and Configuration Managementg. Security and Firewall protection

e. Pricing structure

What do our Finance Executives need to know to build a compelling case for Cloud Computing

a. What the Executive doesn’t need to knowa. Terminologies;b. Acronyms;c. Technical Platforms; andd. Architecture.

b. What the Executive DOES need to knowa. How will this improve the organisation’s business model?;b. Explain the benefits, upfront costs and ongoing costs in the business case?;c. What commitment is required of senior management i.e. Is it ongoing support or tacit approval?;d. Does this implementation make sense?;e. How do you pull the plug?;f. What are the risks?;g. What’s the exit strategy?; andh. What the rollout strategy?

Tips for new players and ‘Summary’

Bullet Points What should I consider before I begin my ‘Cloud journey’?

a. Know what you want, ask for what you need and ensure you get to where you like.

b. Please note there is no watchdog for the ‘Cloud’ industry i.e. there isn’t any formal legal recognition that your data must be kept secure.

c. Kindly note the vendor doesn’t have to give you your data back i.e. Data portability is an issue as well as ‘vendor locking’.

d. Most providers assume the availability of the internet; you’ll need to plan on how you will get around this in case of an emergency.

e. The ease of Cloud Computing implementation is it’s biggest benefit however most implementation partners don’t do training well.

f. The bigger the organisation the smaller the concerns you’ll have regarding the safety of your data.....until you wish to download it.

g. Data sovereignty is compromised once your data is held in another jurisdiction.

h. Cloud Computing vendors can be legally used by the authorities for evidence.

i. Always locally backup information you send into the Cloud.

j. Please note the vendor has the right to restrict the use of your system in the case of contractual dispute.

k. The age of cloud computing has demonstrated network performance is not to be underestimated as companies driving more complexity in their IT technologies and network-intensive services such as cloud computing chew more bandwidth at mission critical times e.g. Financial month-end and key sales submissions.

l. Manage your implementation through your SSMO.

Last Point

• Bottom line Cloud Computer Shared Services is an excellent idea however you must planfor the risks this service poses and have a risk mitigation plan in place before engagingwith vendors.

Questions

breaking through the hype

Technology