Storm Clouds Ahead?
A risk analysis of Cloud Computing
Andy Bolton
Chief Executive Officer, Capacitas
hpUG (UK) – 19th January 2012
Abstract
Many organisations are now considering using 'Cloud Computing' offerings to meet their scalability issues, environmental commitments and cost constraints. This could be a risky approach as many important areas of Cloud computing are yet to be fully understood within IT departments; these include the security model, data protection, resilience and transaction performance. Service management aims to provide consistent, reliable and cost-effective ICT services to its customers.
These goals could come under threat as the pressure to adopt Cloud-based services increases unless a thorough understanding of the design and implementation constraints of
© Capacitas 2002-2012
Agenda
• Introduction
• Risk Management
• Service Management
• Service Capacity
• Service Cost
• Service Performance
• Summary
Introduction
The IT industry has evolved over the last fifty years, changing paradigms constantly:
• from single, hugely expensive mainframe systems back in the 1960s and 1970s;
• through the rise of the personal computer in the 1980s;
• the associated explosion in distributed computing in the 1990s and server sprawl;
• and through to the new era of consolidation back onto centralised platforms.
Centralised Computing Paradigm (1955-1985)
[Figure: Applications, Databases, Files; Local users; Remote user via Dial-in or Leased Line]
Distributed Computing Paradigm (1985-1995)
[Figure: Application Server, Database Server, Web Server, File Server]
Distributed Computing Paradigm (1995-2000)
[Figure: Application Server, Database Server, Web Server, File Server; Local users; Remote user via VPN over Internet]
Distributed Computing Paradigm (2000-2005)
[Figure: Application Server, Database Server, Web Server, File Server, Web Services Server; Internet; Local users; Remote user via VPN over Internet]
Distributed Computing Paradigm (2005-)
[Figure: Application Server, Database Server, Web Server, File Server, Web Services Server; 'Cloud' Provider; Internet; Local users; Remote user via VPN over Internet]
Cloud: the next step in Virtualisation?
We have now virtualised many aspects of computing (i.e. consolidated onto larger platforms):
• Computing power (e.g. VMware servers)
• Networks (e.g. VPNs)
• Storage (e.g. SANs)
Cloud: the next step in Virtualisation?
[Figure: Server Hardware, Software Virtualisation Layer, Virtual Hardware, Virtual Machines (Guest Operating System, Applications A and B); Storage Array with Virtual Disks A and B over Fibre Channel; Desktop Operating System with Data, System Services, Configurations and Applications A and B in a SystemGuard™ Environment; VPN]
Typical Cloud Architecture
[Figure: 'Cloud' Provider with Web Servers, Application Servers, Database Servers, Storage Servers, Authentication Servers, Billing Servers and Provisioning Servers; Systems Management for IT Management; End-User Services for the End-User]
Cloud Service Providers
Some of the leading providers of Cloud services are:
• Amazon
• Google
• Microsoft
• Rackspace
• Salesforce
Some Cloud Services Available
• Web Servers (e.g. Apache, IIS)
• Application Servers (e.g. Java, Linux, Windows Server, Solaris)
• Queue Services
• Database Servers (e.g. Oracle, SQL Server)
Risk Management
Definition of Risk Management:
“The proactive identification, analysis and control of those risks which can threaten the assets or the earning capacity of an enterprise”
Institute of Risk Management
The art of risk management is to identify all risks and to reduce them to an acceptable level.
Risk Management
[Figure: risk matrix of Likelihood against Impact showing the Risk Tolerance Limit, the regions "Safe to proceed", "Assess & decide" and "Do not proceed", and points a, b, c and d]
Service Management
Service Management aims to provide to its customers consistent, reliable and cost-effective ICT services.
Applying the risk management definition to service management:
• The art of service management is to identify risks to service and provide mitigation to reduce them to an acceptable level.
Three aspects will be briefly reviewed here:
• Service Cost
• Service Capacity
• Service Performance
Service Management (ITIL V3)
Service Strategy
• Service Portfolio
• Service Economics
• IT Financial Management
• IT Demand Management
• Strategies for:
  • Outsourcing
  • Insourcing
  • Co-sourcing
Service Design
• Service Portfolio Design
• Service Catalogue Management
• Service Level Management
• Supplier Management
• Capacity Management
• Availability & Service Continuity Management
• Information Security Management
[Figure: ITIL: Service Strategy, Service Design, Service Operation, Continual Service Improvement]
Service Management & Risk Management
[Figure: Service Management as a risk filter. Customer assets, Service assets; Demand-side risks, Supply-side risks; Business Operations, Service Operations; Risks acceptable to the supplier, Risks acceptable to the customer]
Figure – Crown Copyright 2007
Managing Service Capacity
One of many reasons for companies to adopt Cloud computing is the difficulty in forward planning of service capacity to meet demand.
This has many repercussions. These include:
• Inability to reduce or prevent capacity-related service outages;
• Inability to accurately forecast when additional capacity is required;
• Inability to identify when capacity can be reduced;
• Inability to plan capacity purchases in advance, preventing cost-effective procurement;
• Inability to forecast costs of the infrastructure and provide accurate budgets;
• Inability to relate customer-driven demand units to capacity required.
Too many organisations therefore undertake easier, reactive capacity management activities.
Managing Service Capacity
[Figure: Managing Service Capacity: Managing Demand; Managing Supply; Yield Management; strategies shown: Developing Complementary Services, Partitioning Demand, Promoting Off-Peak Demand, Offering Price Incentives, Developing Reservation Systems, Sharing Capacity, Increasing Customer Participation, Creating Adjustable Capacity, Scheduling Work-Shifts, Cross-Training Employees, Using Part-Time Employees]
© Service Management: Operations, Strategy and Information Technology. 2nd Edition, 1998, Fitzsimmons and Fitzsimmons
Managing Service Capacity – Where is Cloud?
[Figure: Managing Service Capacity: Managing Demand; Managing Supply; strategies shown: Developing Complementary Services, Partitioning Demand, Sharing Capacity, Increasing Customer Participation]
Relationship between Demand, Supply & Cost
1. Marketing & Sales provide forecasts of customer demand in order that sufficient capacity is available when needed
2. Capacity Planning translate demand forecasts into capacity plans identifying the financial costs
3. Finance approve or deny budgets required to meet the forecast business demand
[Figure: Marketing & Sales, Capacity Planning and Finance, linked by Demand Forecasts, Capacity Plans and Budget]
Cloud Service Costs
The comparative cost advantage of the Cloud business model is contentious at best. There are many reports that claim Cloud is less expensive than conventional in-house computing. However, there are also reports that claim the opposite.
The answer…
…is not in this presentation, I'm afraid!
Some contradictory resources:
• Forrester report: The ROI Of Software-As-A-Service, by Liz Herbert and Jon Erickson
• CMG MeasureIT 8.2: Capacity Concerns in a SaaS and Cloud World
Cloud Service Costs – Pricing Models
Pricing tends to be based on utility models, often comprising a mixture of the following methods:
• a subscription fee (e.g. monthly)
• a resource usage fee (e.g. CPU seconds, GB storage, GB I/O)
• a transaction fee (e.g. # of transactions processed)
This pricing structure is comparable to buying utilities, such as gas and electricity, hence the term ‘utility computing’.
Cloud Service Costs – Example Pricing
An example pricing model is described below:
• Processing: £0.10 per CPU available per hour
• Storage: £0.12 per GB stored per month
• Storage transaction: £0.01 per 5,000 transactions
Cloud Service Costs: Pricing – A Case Study
Consider the following example of an IT user company investigating pricing based on its current key online service:
Resource Pricing
Resource | Volume | Unit | Priced per | Rate per Unit | Per month
Processing | 4.8 | Cores | per hour | £0.10 | £345.60
Storage | 2,000 | Avg GB | per GB per month | £0.12 | £240.00
Storage Transactions | 12,000 | Avg / hr | per 5,000 | £0.02 | £34.56
Data In | 150 | Avg Mb/s | GB | £0.05 | £1,944.00
Data Out | 150 | Avg Mb/s | GB | £0.10 | £3,888.00
TOTAL (assumes 30 days / month) | | | | | £6,452.16
Cloud Service Costs: Pricing – A Case Study
The pricing on the previous slide compares favourably to buying server hardware, the appropriate licensed software and paying a recurring fee to host in a shared data centre with the appropriate network bandwidth.
Also, as this is operational expenditure, it is tax efficient, like leasing, compared to purchasing hardware and software.
However, the hosted solution has one advantage. The cost is predictable every month. The cost of the Cloud solution is variable based on its usage.
Cloud Service Costs: Pricing – A Case Study
Imagine a doubling of transactional demand. This would impact processing, transactions and I/O (though not necessarily the total storage):
Resource Pricing
Resource | Volume | Unit | Priced per | Rate per Unit | Per month
Processing | 9.6 | Cores | per hour | £0.10 | £691.20
Storage | 2,000 | Avg GB | per GB per month | £0.12 | £240.00
Storage Transactions | 24,000 | Avg / hr | per 5,000 | £0.02 | £69.12
Data In | 300 | Avg Mb/s | GB | £0.05 | £3,888.00
Data Out | 300 | Avg Mb/s | GB | £0.10 | £7,776.00
TOTAL (assumes 30 days / month) | | | | | £12,664.32
This results in a near doubling of costs…
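The case-study arithmetic above as a small cost model, added here as an example (it is not part of the original slides): it reproduces both tables and finds the demand multiplier at which the bill reaches a budget ceiling. It assumes the tables' rate of £0.02 per 5,000 transactions and 10 bits per byte on the wire, which is what reproduces the Data In/Out rows; the £8,000 ceiling and all names are constructed.

```python
from dataclasses import dataclass, replace

HOURS_PER_MONTH = 24 * 30                 # slides assume 30 days / month
SECONDS_PER_MONTH = HOURS_PER_MONTH * 3600
BITS_PER_BYTE = 10                        # assumption: matches the Data In/Out rows

# Rates in pounds, as used in the case-study tables.
RATES = {"core_hour": 0.10, "gb_stored": 0.12, "per_5000_tx": 0.02,
         "gb_in": 0.05, "gb_out": 0.10}

@dataclass(frozen=True)
class Usage:
    cores: float        # average cores in use
    storage_gb: float   # average GB stored
    tx_per_hour: float  # average storage transactions per hour
    mbps_in: float      # average inbound Mb/s
    mbps_out: float     # average outbound Mb/s

    def scaled(self, factor):
        """Scale transactional demand; total storage stays fixed, as in the case study."""
        return replace(self, cores=self.cores * factor,
                       tx_per_hour=self.tx_per_hour * factor,
                       mbps_in=self.mbps_in * factor,
                       mbps_out=self.mbps_out * factor)

def gb_per_month(mbps):
    """Convert an average line rate in Mb/s to GB transferred per month."""
    return mbps / BITS_PER_BYTE * SECONDS_PER_MONTH / 1000

def monthly_bill(u):
    """Return each line of the monthly bill and the total, in pounds."""
    lines = {
        "Processing": u.cores * HOURS_PER_MONTH * RATES["core_hour"],
        "Storage": u.storage_gb * RATES["gb_stored"],
        "Storage Transactions":
            u.tx_per_hour * HOURS_PER_MONTH / 5000 * RATES["per_5000_tx"],
        "Data In": gb_per_month(u.mbps_in) * RATES["gb_in"],
        "Data Out": gb_per_month(u.mbps_out) * RATES["gb_out"],
    }
    lines["TOTAL"] = sum(lines.values())
    return {name: round(cost, 2) for name, cost in lines.items()}

def demand_factor_at_ceiling(u, ceiling):
    """Demand multiplier at which the bill reaches `ceiling` (bill is linear in demand)."""
    bill = monthly_bill(u)
    fixed = bill["Storage"]               # the only line that does not scale
    return (ceiling - fixed) / (bill["TOTAL"] - fixed)

BASELINE = Usage(cores=4.8, storage_gb=2000, tx_per_hour=12000,
                 mbps_in=150, mbps_out=150)   # first case-study table
```

Because only the storage line is fixed, almost the whole bill moves with demand, so a ceiling set modestly above the baseline is reached well before demand doubles.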
The Implication of Utility Pricing
While there are many advantages with adopting a Cloud model, there is a risk of this uncapped pricing scheme resulting in unexpectedly large bills.
IT organisations like budgets! These are designed so that the company knows in advance what the annual ICT expenditure is likely to be.
Cloud introduces a completely variable cost item into the financial model. This doesn’t mean it’s unpredictable, but unless there is some way contractually to cap the volume-
The Implication of Utility Pricing on Outsourcers
The variability of the utility pricing model can have a considerable impact on Outsourcers. Their customers expect a fixed price for their contracts, especially in the public sector. The public sector often plans budgets out as far as 3 or 5 years, so cost variability is unwelcome. They frequently specify caps for transaction volumes.
An outsourcer who wants to provide or use a Cloud-based infrastructure may have to carefully structure contracts to avoid paying for its customers' excess demand.
Financial Risk to Outsourcers
[Figure: chart with a vertical axis from 80 to 150 and monthly ticks from Jan-09 to Dec-11]
Financial Risk to Outsourcers
[Figure: the same chart (80 to 150, Jan-09 to Dec-11) annotated "Unexpected leap in demand" and "Service cap is breached"]
Financial Risk to Outsourcers
[Figure: detail of the chart (120 to 150) annotated "Service cap is breached", "Unexpected" and "Outsourcer liable for this cost"]
Service Performance
When IT infrastructure is kept in-house, monitoring and measuring service performance at each step of a transactional path is achievable, though it is frequently not undertaken. However, as more companies adopt formal Service Management processes such as ITIL, there is the need to establish Service Level Agreements (SLAs).
One key aspect of a Service Level Agreement is the monitoring, measurement and reporting of aspects of service performance such as transactional response times, availability and batch run times and end times.
Moving to a Cloud model can make this more difficult. Some commercial Cloud SLAs are a retrograde step from current commercial outsourcers’ SLAs, simply containing statements like:
“we guarantee […] external connectivity 99.95% of the time”.
Service Performance – In-house
[Figure: End-User in Local Office; Data Centre with Web Servers, Application Servers, Database Servers and Storage Servers; Measurable End-to-End Transaction Response Time; Measurable Local Response Time; Measurable Remote Response Times]
Service Performance – Cloud
[Figure: End-User in Local Office; 'Cloud' Provider with Web Servers, Application Servers, Database Servers and Storage Servers; Customer Demarcation and Supplier Demarcation; Measurable End-to-End Transaction Response Time; Measurable Local Response Time; Immeasurable But Derivable Supplier Response Times]
Service Performance – Service Level Agreements
The Service Level Agreement defines the service that the customer expects from a supplier.
Key Points:
• Do not rely on Service Credits to guarantee performance; often it is cheaper for the service provider to pay the service credit than resolve the problem
• Ensure the SLA is achievable, watertight and equitable; one-sided SLAs help neither party in the long-term
Summary
• Cloud is a new computing paradigm that is here to stay
• As with any new technology or business model it has its pros and cons
• Before adopting Cloud it requires careful consideration of:
  • Service Management aspects, such as capacity, performance and resilience
  • Security and Data Protection compliance