exploring information stewardship with the cloud ecosystem ... · exploring information stewardship...
TRANSCRIPT
Exploring Information Stewardship with the Cloud Ecosystem Model
A. Baldwin1, Y. Beres1, L. Carrotte2, T. Koulouris1, B. Monahan1, D. Pym3, S. Shiu1, and C.Y. Yam1
1HP Labs, Bristol, England, UK 2Nomos Media Ltd, Bristol, England, UK
3University of Aberdeen, Scotland, UK
Abstract. The emergence of cloud computing has transformed the way in which enterprise IT is delivered and creates new challenges around risk management, security strategy, and control over policies and information. For a particular example, the economies of scale that can be achieved by large cloud service providers are encouraging ecosystems of service providers in which the marketplace (rather than the consuming enterprises or individuals) determines security standards. The problem goes beyond core security concerns, since all cloud stakeholders will be relying on others to steward their information, and so will be concerned with the overall sustainability and resilience of the ecosystem, from both security and business perspectives. To help cloud consumers and other stakeholders explore the impact of the cloud ecosystem on their business decisions, we have developed a system that combines systems modelling, simulation, and 3D visualization techniques. At the heart of this system is a model of the cloud ecosystem, built by combining economic and system modelling approach. The model uses utility theory as the unifying vocabulary for stakeholders to express their decision-making. Simulations of the model representing several years of operations are then performed, with various shocks — such as economic downturns and security attacks — introduced at certain points in time. The visualization component has been built specifically for this model and consists of interactive 3D graphics that can be used in any compatible web browser, so allowing stakeholders to interact with and explore the model and simulation results easily.
Keywords: Cloud Computing, Information Stewardship, Ecosystem Visualization
1 Introduction The typical risk management lifecycle involves risk
assessment, policy setting, investment programs, design and deployment of controls, procuring and managing infrastructure, and monitoring and audit to ensure controls and policies are effectively mitigating risk. A challenge with cloud computing is that the activities of this lifecycle become disaggregated and are performed by different, third parties, each with different incentives. As control over security policies seeps out, and the organization becomes dependent
on multiple stakeholders in the ecosystem, security concerns develop into information stewardship issues [25,11,23].
The challenge for enterprises is how to judge the risks involved in consuming cloud services, and to understand the options, and their consequences, that are available. This challenge is more complex than outsourcing, where consumers have been able to dictate terms and conditions: the large scale and cost structures of cloud providers will tend to allow vendors, and the marketplace, to dictate standard, one-size-fits-all, security service levels. Moreover, in order to leverage scale and associated cost reductions further, service providers will tend to bundle cloud services, standardized offering terms and conditions.
It is not just cloud consumers that are challenged. Each stakeholder in the ecosystem is vulnerable not only to changes that may occur within that ecosystem, but also to any to changes in the external environment that may impact on parts of the ecosystem’s operations. For one example, the activities criminals that target a particularly successful enterprise, causing high impact security incidents, may affect many different supply chains. For another, skill shortages and liquidity shocks will affect multiple groups in different ways, with potentially large impact on the whole ecosystem. Such incidents can affect the reputation and trust of many participants, as well as the whole system.
So, all cloud stakeholders must understand the options they have to improve stewardship outcomes. How should regulators and policy makers impose rules and regulations? How much influence does a single consumer have? How does this change if they act as a group? How much transparency into operations should be demanded by consumers and offered by providers? How should all the stakeholders act to deal with factors exogenous to the market, such as the state of the global economy, business trends, technology changes, or shifts of human skills?
The lack of effective ways for stakeholders to explore their assumptions about value, risk, and operational uncertainty will lead to inaccurate perceptions and, potentially, poor decisions. Clearly, the challenge is how to provide guidance and support for stakeholders to comprehend the risks associated with cloud, and so and form good strategic and operational responses.
In this paper, we present an interactive modelling and simulation tool that provides a step towards addressing this
2
challenge. At the heart of this is a mathematical system model that explores numerous aspects of the emerging cloud ecosystem. The system model consists of (hundreds of) firms consuming IT, (hundreds of) firms offering services, and several cloud platform providers offering IT resource capacity. In addition, the model explores the implications of exogenous and endogenous factors on the ecosystem and on information stewardship. The system model simulates the following: consuming firms switching from internal IT to the cloud, or changing service providers; new service providers entering the market with different cost and security properties; and new platforms offering different conditions for the service providers.
So that various stakeholders, be they cloud consuming organizations or cloud services providers, can easily explore the model and the results obtained from its simulations, we have also developed the associated visualization tool that supports simulation play-back features, and allows interaction with the model using 3D graphics that can be used in any compatible web browser.
Section 2 describes our modelling methodology, combining system models with some elementary ideas from utility theory. Section 3 presents the model developed in order to capture the complex cloud ecosystem. Section 4 covers the visualizations of the model and simulation results. Section 5 reviews some related and Section 6 gives our conclusions.
2 Modelling Methodology We have developed a methodology for combining
economic and system models to help organizations with risk assessment, security analysis, and decision-making [1, 9, 27, 28, 29]. Economic models, represented within system models using simple utility functions, are used to help stakeholders think about and share their preferences and priorities for different business outcomes. We then use structural models to help stakeholders think about and share their assumptions for how different investment and policy choices will affect the outcome. Finally, we use a discrete process simulation tool [2, 3, 27] that allows stakeholders to explore and predict consequences of different assumptions. Figure 1 provides a schematic of this methodology.
Figure 1: A framework for using economic and system models
to support organizational decision-making.
We have also conducted a series of customer case studies [4, 5, 9] to develop and refine this process. An early example was to help a large enterprise decide between a range of policies and investments to manage risks from software vulnerabilities [6]. The structural models help ensure shared understanding between stakeholders, so they can discuss, say, whether scheduling is significantly delaying patch testing, or when and how often the assessment team should accelerate patch processes. However, with such a complex system of inter-dependent concurrent processes and actions, it can be very difficult to see or reason about the cause and effects. To address this, we use a simulation-modelling tool, Gnosis [2, 3 26, 7, 27], to create an executable mathematical model of the system. Gnosis builds on an underlying mathematical analysis of systems that is based on structural models of location, resource, and process [2, 7, 26, 27] and stochastic representation of environment [2, 27].
Using Gnosis we can run Monte Carlo-style simulations to explore the interactions and their effect on time to mitigate risks. By varying parameters stakeholders can see the (model) predicted effect of different investment choices. Results are typically shared as histograms showing, say, the difference in time taken to mitigate risk for different investment choices. Further experiments can explore the effect based on different assumptions about the threat environment, or to differentiate on different types of mitigation.
Most security decisions involve multiple trade-offs between mitigating different kinds of risks, maintaining services, and minimizing costs [9, 28, 29]. To frame this issue, we encourage stakeholders to define utility functions that express their preferences between the multiple outcomes. To make this approach deployable in practice, we built on the approaches to decisions with multiple objectives developed by Keeney and Raiffa [8]. We developed some simple tools for preference elicitation and then use the system models to explore the effect of different security choices on these other outcomes [9].
Our experience is that focusing on utility (of outcomes), in the context of system models, provides a constructive way to engage multiple stakeholders (with different knowledge and incentives) in the complex process of risk assessment and choosing security investment and policy. Providing evidence for this is difficult as organizations, people, and problems vary so much. We have done some preliminary studies that suggest our methodology affects the justifications security professionals might use, and which fits with why it might be useful for multi-stakeholder decision-making [10]. We are currently looking at further cognitive studies to generate more precise hypotheses about how and why economic and system modelling affect security decision-making.
3 The Cloud Ecosystem Model In previous modelling work, using the methodology
described above, we have explored security decisions by looking at one or two interacting processes. In the considering decision-making in cloud ecosystems, we must consider a much more complex situation, in which there are many
3
interacting entities that must be modelled. In [24], we have considered using real options modelling techniques from financial economics to examine an individual company’s decision as to whether to outsource its IT to cloud. This work suggests, unsurprisingly, that the decision depends on the company’s expectation of the value cloud will bring to its operations and the uncertainty about whether the chosen service will deliver that value.
The cloud ecosystem will consist in large numbers of customers and service providers with just a few platform providers. The actions of one entity, and exogenous events, may affect the way the overall system functions through both direct influences and feedback loops. In a previous paper [11], we have suggested a conceptual framework for information stewardship in the cloud and how to model cloud as an ecosystem, drawing on the analogy of ecological ecosystems [12]. In [23], we set this approach into the context of enterprise risk management. Here, we briefly describe elements of a cloud ecosystem model being visualized.
Figure 2: Dynamics of the cloud ecosystem.
Within our cloud model (see Figure 2), we have a number of companies who consume IT in order to run their business processes (for example, accounts payable and supply chain management). Each company has a choice: it can run these using its own internal IT experts and data centers (or outsource them) or it can use a cloud service, in which case it must choose a particular service offering, with associated terms and conditions. There is a group of Software-as-a-Service (SaaS) providers who would offer these services. Perhaps in the past they would have produced shrink-wrapped enterprise software. Here we assume that they have little infrastructure themselves, and instead rely on public cloud providers, such as Amazon, HP, or Microsoft, to provide raw computational power and storage. The service providers need to decide on the terms and conditions they offer to their customers based on their costs and perceived needs of their customers and the infrastructure properties (such as security and resilience) they gain from the cloud platforms. Platform (or Infrastructure-as-a-Service, IaaS) providers must make
decisions about the basic technology offerings, as well as when to provision new data centers to create new capacity.
The cloud ecosystem sits within a wider world, and here we look at modelling the overall effects of the economy and the threat environment as stochastic variables. All of these internal and external factors relate in a number of feedback loops that determine how the overall ecosystem functions. This allows us to run the ecosystem in different environments to see how it will fare and to shock the system to see how resilient it is to serious external or internal disruptions. For example, we could look at a credit crunch where investment capital becomes limited — how does that effect the way decisions are made, there outcomes, and hence the overall functioning of the cloud ecosystem.
Our approach to modelling is to describe just enough of the structure of the systems that we are modelling to capture the important aspects of their behaviour for the questions of interest to us. We build models using the Gnosis modelling language [2, 3, 27] — based on concepts of process, resource and location — that allows us to model the structure of distributed systems. Hence when we talk of the feedback loops within the ecosystem our model does not explicitly code them but they emerge due to the processes that each of the entities within the model run.
Figure 3 depicts the various entities, states, and processes involved. A detailed description of the model will be the subject of another paper; here we aim to describe enough to give the reader an idea of how the model being visualized works.
Consider, for example, a company consuming IT services. For each service, there will be a review process that periodically looks at the value the company is getting from its IT provision and whether this could be improved. The idea of value here is wrapped up in a utility function for the company that includes productivity improvements for the business, as well as potential costs arising from risks such as the exposure of information, loss of integrity of the process, loss of availability of the data, or failure to meet regulations. When reviewing a decision perhaps comparing internal IT with different cloud services, the customer will look at how well different options meet its utility along with the costs of the different options. Here, a customer may take a slightly lower utility where the cost is much cheaper.
In making the decision and looking at how its utility is met, the customer will consider what information is available within the system. For example, in assessing risks of moving to the cloud the customer may look at the overall reputation of the cloud along with any views they have on the particular cloud providers they are considering. Reputation figures will be derived from others’ experiences and events such as service downtime and security incidents. These are reported through other processes happening within ecosystem, so creating the feedback loops. Other examples of information used in making decisions may be staff costs (dependent on labour availability and rewards for cloud start-ups) or the availability of software to run internally, or the ability to raise capital for investing in new IT systems. When comparing different cloud offerings, a company may look at both its own
4
utility (how secure it needs the system to be) and the threat environment (including published incidents).
Figure 3: Components of the cloud ecosystem model.
Note that the model described here does not contain a model of the market for cloud services (i.e., prices, supply-demand interaction). That level of economic sophistication will be necessary in future developments, but is not necessary to support the visualization thread of our work, which is the focus of this paper. Here, pricing information is represented using simple stochastic variables.
Currently, we run simulations based on the developed model over a seven-year horizon. In the first instance, we explore scenarios that examine the evolution of the ecosystem and its services based on the different amounts of economic growth (or lack thereof). We plan to follow up with scenarios in which the threat environment worsens and also to explore
the effects of vendor lock-in in the ecosystem for different mixes of open- versus closed-source cloud service providers.
4 Visual Representation Our aim in developing the ecosystem model has been to
enable various stakeholders to explore the evolution of the ecosystem and the outcomes of their own decisions under various exogenous and endogenous factors. However, with the model being so complex, our previously developed structural representations did not illustrate the effects of complex firm inter-dependencies and richness of autonomous and group behavior in the desired level of detail.
We have decided to create a totally separate model-visualization component, specifically aimed at capturing the cloud ecosystem as an element that evolves over time. The requirements are to be able show individual entities in the ecosystem, relationships between entities, activity between
5
entities, progress over simulation time, top-level statistics, trends over time, and external influences on the system.
Figure 4: Visualization of the cloud ecosystem model.
We have devoted considerable effort to selecting the
good (helpful, reliable) visual metaphors and operations to make the ecosystem concepts accessible to audiences of various backgrounds, while maintaining richness of the visual information. The developed tool supports multiple displays and concurrent views, including three-dimensional, global views of the cloud supply chains, ‘drill-down’ views of particulars firms, and graphical representations of statistics of interest at various levels of detail. Visualized simulation scenarios can be controlled in real-time using a dedicated control interface, including jumping to particular points in the simulated timeline, pausing, forwarding or reversing to assist in analyzing model effects. Finally, this visual front-end is supported ‘behind the scenes’ by a scalable cloud-based simulation engine which handles the massive computational workloads required to execute models of this scale and to render the visuals. Figure 4 shows a screenshot of the ‘global view’ displayed by the model visualization tool.
The ecosystem is represented as a three-dimensional sphere with consumers as blue dots, service providers in purple, using infrastructure provided by platforms, in pink. The sphere has two atractors, the top representing cloud and the bottom in-house IT service provision. Using this metaphor, platforms cluster around the topmost, with cloud service providers organized in a sphere around them. In turn, consumers are positioned on the surface of the larger sphere according to how much cloud or in-house IT they consume in aggregate. During simulation, consumer firms float upwards as more cloud is consumed or, conversely, gravitate towards the bottom if in-house IT becomes more attractive. This can be demonstrated statically when Figures 4 and 5 are compared. Any changes in the ecosystem, such as the introduction of a shock, the arrival or departure of firms, or the effect of service procurement, have a corresponding effect on the placement of firms in the ecosystem sphere and the re-organization of nodes. A wide range of ecosystem effects, ranging from subtle to large-scale events, can be visualized in this manner.
Figure 5: The cloud ecosystem during a period of high cloud
adoption.
Fluid visualization of the ecosystem’s behaviour is complemented with the inclusion of a ‘headline metrics’ panel that provides a quick overview of key ‘ecosystem health’ indicators.1 The panel’s contents can be rearranged and expanded to assist in monitoring particular effects. Key metrics include the following: cloud usage (aggregate cloud usage as a proportion of global IT transactions); internal IT usage (aggregate in-house IT usage as proportion of global IT transactions); security incidents (the number of overall attempted/successful in cloud versus attempted/successful in internal IT security incidents); IT transactions (overall number of transactions); cloud satisfaction (aggregate satisfaction level, calculated as the difference between desired utility and received utility for each service); switching cost/vendor lock-in (aggregate of switching costs calculated for each consumer); credit availability (externally available credit); economy (value created inside or because of the ecosystem); cloud utilization (cloud usage compared to overall capacity); and cloud reputation (overall reputation of the market ecosystem as viewed by consumers).
Figure 6: Detailed view of an individual consumer firm.
1 The charts in the presented screenshots show some preliminary results from simulations, and as such are presented for the purpose of example and not for the use of interpretation of the model and results from simulations.
6
Finally, the tool allows for zooming-in on an individual consumer, and for exploring the supply-chain dependencies developed between it and its service providers and platforms, as well as more specific metrics such as particular utility and satisfaction, as shown in Figure 6.
5 Related Work and Future Directions There has been considerable amount of work on cloud
architectures, and various properties within them, but not as much work exploring the digital cloud ecosystem and the implications on its various stakeholders. A number of cloud service models (e.g., Business-process-as-a-Service, Soft-ware-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service), as well as cloud deployment and management models (private, public, community and hybrid), have been explored [15, 16, 17, 19]. However, organizations need mechanisms to understand better the implications of these cloud service models and their impact on application, process, and data interoperability. Towards that aim is the work by Briscoe and Marinos [14], in which they present a socio-technical conceptualization for sustainable cloud computing and explore briefly the tensions between open source and proprietary software use within. Related to this is also the work by Gill and Bunker [18] on the context-aware cloud adaptation framework that is aimed at enabling organizations to better self-assess, select, and adopt an appropriate cloud computing model.
On the other hand, there is the work exploring economic implications and the various economic models in the cloud [20, 21, 22]. However, we are not aware of any work in this area that enables the various stakeholders to explore interactively the cloud ecosystem using models and simulations. Our next aim with the work presented here is to be able to use the model and visualization tool in a scenario- planning workshops, involving various stakeholders such as IT managers responsible for procuring services from cloud or security practitioners that care about how security and stewardship requirements can be met in the cloud ecosystem.
6 Conclusions As organizations employ cloud services, they rely on
others not only to provide those services, but also to protect their information and appropriately control its interactions and evolution. In the cloud, IT operations will be purchased from highly inter-connected ecosystems of services, consumers, and platform providers. Changes in one part of the ecosystem can affect many other parts, in complex ways that will, typically, be difficult to conceptualize. We contend that modelling and simulations, of the kind we have described in this paper, together with interactive visual tools can help decision-makers to understand these complex relationships and dependencies. From the perspective of managing the security lifecycle, organizations can use this information to understand how different events in different components of the ecosystem may affect the systems for which they are responsible. From the wider perspective of the stewardship of
the ecosystem itself, this approach can help explore how the ecosystem can be managed to be sustainable and resilient.
Acknowledgements This work has been partially supported by the ‘Cloud Stewardship Economics’ project [13], funded by the Technology Strategy Board of the UK Government. We are grateful to Marco Casassa Mont, Christos Ioannidis, Martin Sadler, and Julian Williams for valuable discussions of our ideas.
7 References [1] Pym, D., Shiu, S., Coles, R., van Moorsel, A., Sasse M. A., Johnson, H.: Trust Economics: A systematic approach to information security decision-making. Final report for the UK Technology Strategy Board-funded ‘Trust Economics’ project. Hewlett-Packard, 2011. http://www.hpl.hp.com/news /2011/oct- dec/Final_Report_collated.pdf
[2] Collinson, M., Monahan, B., Pym, D.: Semantics for Structured Systems Modelling and Simulation. Proc. Simultools 2010. ACM Digital Library and EU Digital Library. ISBN: 978-963-9799-87-5.
[3] Core Gnosis. System available for download (subject to HP licence agreement) at: http://www.hpl.hp.com/research/ systems_security/gnosis.html.
[4] Baldwin, A., Casassa Mont, M., Shiu, S.: Using Modelling and Simulation for Policy Decision Support in Identity Management. Proc. IEEE Policy 2009 Symposium, London: 17-24.
[5] Squicciarini, A.C., Rajasekaran, S. D., Casassa Mont, M.: Using Modelling and Simulation to Evaluate Enterprises' Risk Exposure to Social Networks. IEEE Computer 44(1), 66-73, January 2011.
[6] Beres, Y., Griffin, J., Shiu, S., Heitman, M., Markle, D., Ventura, P.: Analyzing the performance of security solutions to reduce vulnerability exposure windows. Proc. 2008 Annual Computer Security Applications Conference (ACSAC), IEEE Computer Society Press, 2008, 33-42.
[7] Collinson, M., Monahan, B., Pym, D.: A logical and computational theory of located resource. Journal of Logic and Computation 19(b): 1207-1244, 2009.
[8] Keeney, R. L. and Raiffa, H.: Decisions with Multiple Objectives: Preferences and Value Tradeoffs. Wiley, New York, 1976. Reprinted, Cambridge University Press, New York, 1993.
[9] Beres, Y., Pym, D., Shiu, S.: Decision Support for Systems Security Investment. In Proc. Business-driven IT
7
Management (BDIM) 2010, Network Operations and Management Symposium Workshops. IEEE Xplore, 2010.
[10] Shiu, S., Baldwin A., Beres, Y., Casassa Mont, M, Duggan, G.,Johnson, H., Middup, C.: Economic methods and decision making by security professionals. In Bruce Schneier (editor), Proc. 10th Workshop on the Economics of Information Security (WEIS), 2011. Springer, 2012. In press. Preprint available at http://weis2011.econinfosec.org/papers/ Economic%20methods%20and%20decision%20making%20by%20security%20profession.pdf.
[11] Baldwin, A., Pym, D., Sadler M., and Shiu, S.: Information stewardship in cloud ecosystems: towards models, economics and delivery. Proc. 3rd IEEE International conference on Cloud Computing, Athens, 2011. IEEE Conference Publications, 784-791, 2011. doi: 10.1109/CloudCom.2011.121.
[12] Chapin III, F. S., Kofinas, G. P., Folke C., (editors): Principles of Ecosystem Stewardship: Resilience-Based Natural Resource Management in a Changing World. Springer-Verlag, 2009
[13] The ‘Cloud Stewardship Economics’ project, IISP, https://www.instisp.org/SSLPage.aspx?pid=463.
[14] Briscoe, G., Marinos, A.: Digital Ecosystems in the Clouds: Towards Community Cloud Computing. Proc 3rd IEEE International Conference on Digital Ecosystems and Technologies, 2009.
[15] Mell, P., Grance, T.: The NIST Definition of Cloud Computing, 2009. NIST Special Publication 800-145. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
[16] Shroff, G.: Enterprise Cloud Computing: Technology, Application and Architecture. Cambridge University Press, 2010.
[17] Whyld, D.C.: Moving to the Cloud: An Introduction to Cloud Computing in Government, 2010. http://www.business ofgovernment.org/report/moving-cloud-introduction-cloud-computing-government.
[18] Gill, A.Q., Bunker, D.: Conceptualization of a Context Aware Cloud Adaptation Framework. Proc. Ninth IEEE International Conference on Dependable, Autonomic and Secure Computing, 2011.
[19] Lenk, A., Klems, M., Nimis, J., Tai, S., Sandholm, T.: What’s Inside the Cloud? An Architectural Map of the Cloud Landscape. ICSE Workshop on Software Engineering Challenges of Cloud Computing, CLOUD '09, 2009.
[20] Lindner, M.A, Vaquero, L. A, Rodero-Merino, L., Caceres, J.: Cloud economics: dynamic business models for
business on demand. International Journal of Business Information Systems, 2010.
[21] Yam, C-Y., Baldwin, A., Ioannidis, C., Shiu, S.: Migration to Cloud as a Real Option: Investment decision under uncertainty. Proc. IEEE TrustCom 2011 Symposium & Workshops.
[22] Hongyi Wang, Qingfeng Jing, Rishan Chen, Bingsheng He, Zhengping Qian, Lidong Zhou: Distributed systems meet economics: pricing in the cloud. Proc. 2nd USENIX Conference on Hot Topics in Cloud Computing (HotCloud'10), 2010.
[23] Baldwin, A. Pym, D. and Shiu, S.: Enterprise information risk management: Dealing with cloud computing. To appear: Privacy and Security for Cloud Computing: Selected Topics, Siani Pearson and George Yee (editors), Springer, Computer Communications and Networks series, 2012.
[24] Yam, C-Y. Baldwin, A., Ioannidis, C., Shiu, S.: Migr- ation to Cloud as a Real Option: Investment decision under uncertainty. In Proc. IEEE TrustCom 2011 Symposiums & Workshops.
[25] Pym, D., Sadler, M.: Information Stewardship in Cloud Computing. International Journal of Services Science, Management, Engineering, and Technology 1(1), 50-67, 2010.
[26] Collinson, M., Pym, D.: Algebra and Logic for Resource-based Systems Modelling. Mathematical Structures in Computer Science 19:959-1027, 2009.
[27] Collinson, M., Monahan, B., Pym, D.: A Discipline of Mathematical Systems Modelling. College Publications, 2012.
[28] Ioannidis, C., Pym, D., Williams, J.: Investments and Trade-offs in the Economics of Information Security. In Proc. Financial Cryptography and Data Security 2009, LNCS 5628: 148-162, Springer, 2009.
[29] Ioannidis, C., Pym, D., Williams J.: Information Security Trade-offs and Optimal Patching Policies. European Journal of Operational Research, 216(2):434-444, 2012. doi:10.1016/j.ejor.2011.05.050.