GETTING YOUR HEAD IN THE CLOUD
A PRIMER TO THE TYPES OF CLOUD COMPUTING SOLUTIONS
On June 3, 2009 Plante & Moran attended the
Midwest Technology Leaders (MTL) Conference ‐ an
event that brings together top technology
professionals in the Midwest to share trends, best
practices, and opportunities.
With the help of MTL, Table Sponsors, CIOs, and
additional conference attendees, we conducted 12
roundtable discussions on a variety of timely and
important IT topics.
As an outgrowth of the roundtable discussions, we
produced a series of educational white papers.
Contents
Abstract
Introduction
Service Layers
Deployment Models
Why Choose SaaS
Security Risks
What the Shift Means
Conclusion
ABSTRACT
Cloud computing is talked about extensively in
the IT world. It enhances collaboration, agility,
scaling, and availability, and provides the
potential for cost reduction through optimized
and efficient computing. However, there are
many aspects of it that aren’t completely
understood, and there are important factors to
consider based on specific business needs or
requirements. Gaining a better understanding
of cloud computing is the first step in knowing
if it’s right for you.
INTRODUCTION
Cloud computing (“cloud”) is an evolving term
that describes the development of many
existing technologies and approaches to
computing into something different. Cloud
separates application and information
resources from the underlying infrastructure,
and the mechanisms used to deliver them.
More specifically, cloud describes the use of a
collection of services, applications, information,
and infrastructure comprised of pools of
computing, network, information, and storage
resources.
These components can be rapidly orchestrated,
provisioned, implemented and
decommissioned, and scaled up or down ‐
providing for an on‐demand utility‐like model
of allocation and consumption.
The U.S. National Institute of Standards and
Technology (NIST) defines cloud computing by
describing five essential characteristics, three
cloud service models, and four cloud
deployment models.
ARCHITECTURAL SERVICE LAYERS OF CLOUD COMPUTING
While the first evolution of the Internet saw the
three‐tier (or n‐tier) model emerge as a general
architecture, the use of virtualization in clouds
has created a new set of layers: applications,
services, and infrastructure. These layers don’t
just encapsulate on‐demand resources; they
also define a new application development
model. Within each layer of abstraction, there
are a myriad of business opportunities for
defining services that can be offered on a pay‐
per‐use basis.
Software‐as‐a‐Service (SaaS):
SaaS is at the highest layer and features a
complete application offered as a service, on‐
demand, via multitenancy — meaning a single
instance of the software runs on the provider’s
infrastructure and serves multiple client
organizations.
The most widely known example of SaaS is
Salesforce.com for customer relationship
management (CRM), but there are now many
others, including Plex for enterprise resource
planning (ERP) or Google Apps offering basic
business services such as e‐mail. Of course,
Salesforce.com’s and Plex’s multitenant
applications preceded the definition of cloud
computing by a few years. On the other hand,
like many other players in cloud computing,
Salesforce.com now operates at more than one
cloud layer with its release of Force.com, a
companion application development
environment, or platform as a service.
Platform‐as‐a‐Service (PaaS):
The middle layer, or PaaS, is the encapsulation
of a development environment abstraction and
the packaging of a payload of services. The
archetypal payload is a Xen image (part of
Amazon Web Services) containing a basic Web
stack (for example, a Linux distro, a Web server,
and a programming environment such as Perl
or Ruby). PaaS offerings can provide for every
phase of software development and testing, or
they can be specialized around a particular
area, such as content or document
management.
Commercial examples include Google App
Engine, which serves applications on Google’s
infrastructure, or Microsoft SharePoint 2010,
which provides document management
capabilities. PaaS services such as these can
provide a great deal of flexibility but may be
constrained by the capabilities that are
available through the provider.
Infrastructure‐as‐a‐Service (IaaS):
IaaS is at the lowest layer and is a means of
delivering basic storage and computing
capabilities as standardized services over the
network. Servers, storage systems, switches,
routers, and other systems are pooled (through
virtualization technology, for example) to
handle specific types of workloads — from
batch processing to server/storage
augmentation during peak loads.
The best‐known commercial example is
Amazon Web Services, whose EC2 and S3
services offer bare‐bones computing and
storage services (respectively). Another
example is Joyent, whose main product is a line
of virtualized servers which provide a highly
scalable on‐demand infrastructure for running
websites, including rich Web applications
written in Ruby on Rails, PHP, Python, and Java.
CLOUD COMPUTING DEPLOYMENT MODELS
Regardless of the service model used (SaaS,
PaaS, or IaaS), there are four deployment
models for cloud services, with derivative
variations that address specific requirements:
1. Public Cloud: The cloud infrastructure is
made available to the general public or a
large industry group and is owned by an
organization selling cloud services.
2. Private Cloud: The cloud infrastructure is
operated solely for a single organization. It
may be managed by the organization or a
third party, and may exist on premises or
off premises.
3. Community Cloud: The cloud infrastructure
is shared by several organizations and
supports a specific community that has
shared concerns (e.g., mission, security
requirements, policy, or compliance
considerations). It may be managed by the
organizations or a third party and may exist
on premises or off premises.
4. Hybrid Cloud: The cloud infrastructure is a
composition of two or more clouds (private,
community, or public) that remain unique
entities but are bound together by
standardized or proprietary technology that
enables data and application portability
(e.g., cloud bursting for load‐balancing
between clouds).
It’s important to note that there are derivative
cloud deployment models emerging due to the
maturation of market offerings and customer
demand. An example is virtual private clouds, a
way of using public cloud infrastructure in a
private or semi‐private manner and
interconnecting these resources to the internal
resources of a consumer’s datacenter, usually via
virtual private network (VPN) connectivity.
WHY CHOOSE SOFTWARE‐AS‐A‐SERVICE (SAAS)
The benefits of Software‐as‐a‐Service (SaaS),
from ease‐of‐use to lower cost of ownership,
have been well publicized over the past few
years, due in part to the success of companies
like Salesforce.com. This increased attention
has resulted in the SaaS model growing in both
awareness and popularity among North
American businesses. In fact, analyst firm
Gartner Inc. is projecting a compound annual
growth rate of 22.1 percent for the SaaS market
as a whole through 2011. Despite this trend,
not all applications are appropriate for the on‐
demand model, and IT departments should be
aware of the downsides of SaaS as well as the
benefits.
The benefits of SaaS:
To accurately assess the value that Software‐as‐
a‐Service can offer, an understanding of the
potential benefits and drawbacks of SaaS is
required. When considering a specific solution,
it’s important to review each of these benefits
and drawbacks against the solution under
evaluation, as they won’t apply in every case. A
breakdown of common SaaS benefits follows:
1. Faster, less expensive deployments: With no
underlying infrastructure to purchase and
install, and minimal customization required,
SaaS deployments typically take much less time
to implement than in‐house solutions.
2. Lower up front capital investment: Acquiring
software traditionally required significant
infrastructure purchases (hardware,
model, much of this investment is unnecessary
and can be eliminated. SaaS solutions can also
be treated as an operating expense, making it
easier for departments to remain within their
budgets.
3. Lower total cost of ownership (TCO), pay‐as‐
you‐go: SaaS solutions are typically less
expensive than in‐house solutions for at least
the first few years. When you take into
consideration the considerable cost of software
upgrades, a lower TCO can often be maintained
for much longer periods of time. SaaS also
allows companies to purchase only those
services that are immediately required, with
the option to expand services whenever
needed. This can prevent big, up‐front
purchases that often end up as shelfware,
going unused.
4. Reduced management overhead: SaaS
solutions allow IT departments to offload
time‐consuming operational activities, allowing them
to focus on higher‐value‐added, more mission‐
critical tasks.
5. On‐demand access to powerful
infrastructure: By sharing computing resources
among customers, SaaS providers can provide a
high level of computing performance on‐
demand, regardless of how frequently the
customer requires access.
Potential drawbacks of SaaS solutions:
Though the benefits are great, the Software‐as‐
a‐Service model can suffer from some serious
drawbacks that are often overlooked. A quick
overview of these drawbacks includes:
1. Limited customization and basic
functionality: Since SaaS delivers the same
general functionality to every customer,
customization can sometimes be limited. As a
result, there are fewer opportunities to use
SaaS solutions to provide a competitive
advantage.
2. Hidden costs: When evaluating SaaS
solutions, be aware that some have hidden,
“add on” costs for items such as testing,
support, storage and integration that may not
be apparent during the initial sales process.
3. Usage commitments: SaaS solutions often
price in bundles, requiring the customer to
commit to paying for a certain volume over a
period of time, regardless of whether or not the
actual volume usage goes down.
4. Less control for IT: With up to 85 percent of
SaaS solutions being sold directly to business
units today without the input of IT, there is a
potential for businesses to make software
decisions that cause problems in the long run in
terms of integration with other systems,
availability, and corporate security
requirements.
SECURITY RISKS FOR CLOUD COMPUTING
Though cloud computing is often touted as a
cost saver for companies, IT pros still have
lingering concerns about the safety and security
of working in the cloud.
Around 45 percent of IT professionals recently
surveyed by the ISACA (formerly known as the
Information Systems Audit and Control
Association) said the risks involved in cloud
computing outshine any benefits. Questioning
more than 1,800 IT professionals in the U.S.
who are members of the group, the ISACA
found that only 10 percent of them plan to use
cloud computing for mission‐critical IT services,
and 26 percent don't expect to tap into the
cloud at all.
"The cloud represents a major change in how
computing resources are utilized, so it's not
surprising that IT professionals have concerns
about risk vs. reward," said Robert Stroud, vice
president of ISACA, in a statement. "If cloud
computing is treated as a major initiative
involving many stakeholders, it has the
potential to yield benefits that can equal or
outweigh the risks."
Cloud computing is fraught with security risks.
Smart customers will ask tough questions and
consider getting a security assessment from a
neutral third party before committing to a
cloud vendor. Cloud computing has "unique
attributes that require risk assessment in areas
such as data integrity, recovery, and privacy,
and an evaluation of legal issues in areas such
as e‐discovery, regulatory compliance, and
auditing." Customers must demand
transparency, avoiding vendors that refuse to
provide detailed information on security
programs.
Here are seven of the specific security issues
customers should raise with vendors before
selecting a cloud vendor.
1. Privileged user access: Sensitive data
processed outside the enterprise brings with it
an inherent level of risk, because outsourced
services bypass the "physical, logical, and
personnel controls" IT departments exert over
in‐house programs. Get as much information as
you can about the people who manage your
data. Ask providers to supply specific
information on the hiring and oversight of
privileged administrators and the controls over
their access.
2. Regulatory compliance: Customers are
ultimately responsible for the security and
integrity of their own data, even when it’s held
by a service provider. Traditional service
providers are subjected to external audits and
security certifications, such as a SAS 70. Cloud
computing providers who refuse to undergo
this scrutiny are "signaling" that customers can
only use them for the most trivial functions.
3. Data location: When you use the cloud, you
probably won't know exactly where your data is
hosted. In fact, you might not even know what
country it will be stored in. Ask providers if they
will commit to storing and processing data in
specific jurisdictions, whether they will make a
contractual commitment to obey local privacy
requirements on behalf of their customers, and
if they abide by federal government
requirements, such as PCI, HIPAA, etc.
4. Data segregation: Data in the cloud is
typically in a shared environment alongside
data from other customers. Encryption is
effective but isn't a cure‐all. Find out what is
done to segregate your data from the rest of
their customers. The cloud provider should
provide evidence that encryption schemes
were designed and tested by experienced
specialists. Encryption accidents can make data
totally unusable, and even normal encryption
can complicate availability.
5. Recovery: Even if you don't know where your
data is, a cloud provider should tell you what
will happen to your data and service in case of
a disaster. Any offering that does not replicate
the data and application infrastructure across
multiple sites is vulnerable to a total failure. Ask
your provider if it has the ability to do a
6. Investigative support: Investigating
inappropriate or illegal activity is very
challenging in cloud computing. Cloud services
are especially difficult to investigate, because
logging and data for multiple customers may be
co‐located and may also be spread across an
ever‐changing set of hosts and data centers. If
you cannot get a contractual commitment to
support specific forms of investigation, along
with evidence that the vendor has already
successfully supported such activities, then
your only safe assumption is that investigation
and discovery requests will be impossible.
7. Long‐term viability: Ideally, your cloud
computing provider will never go broke or
get acquired and swallowed up by a larger
company. But you must be sure your data and
perhaps the software will remain available even
after such an event. Ask potential providers
how you would get your data back and if it
would be in a format that you could import into
a replacement application.
WHAT DOES A SHIFT TOWARD CLOUD COMPUTING MEAN?
So who is affected by a paradigm shift in the
computing industry? The shift would affect
companies in a few different sub‐industries,
including software companies, Internet service
providers, and hardware manufacturers.
Companies in each of these industries will face
significant change if cloud computing is to be
the next step for the industry. While it’s
relatively easy to see how the main software
and Internet companies will be affected by such
a shift, it is slightly more difficult to know how
other Internet companies and hardware
manufacturers will be affected.
Who gains?
Consulting/Software/Hardware and Services
companies that could gain from a shift towards
cloud computing include: IBM
Software producers that could gain from a shift
toward cloud computing include: NetSuite (Financial), Salesforce.com (CRM), Taleo (TLEO),
RightNow Technologies (RNOW), Concur Technologies (CNQR), Omniture (OMTR), Plex (ERP), Hyperic, Quest Software (QSFT), Disney (DIS)
Internet‐based companies that could gain from
a shift towards cloud computing include: Cloud Technology Partners, SAVVIS (SVVS)
Who loses out?
Traditional software producers that could have
some catching up to do if cloud computing
ultimately wins out include: ORACLE (ORCL), SAP AG (SAP), Blackbaud (BLKB), Lawson Software (LWSN)
CONCLUSION
Cloud computing is attractive, seductive, and
perhaps irresistible. The benefits are compelling,
particularly the pay‐as‐you‐go model that has
been likened to buying electricity (or, if you
prefer, buying your drinks by the glass rather than
the bottle). Enterprises that have been
considering the use of the cloud in their
environment should determine whether the
solution meets their current and future business
needs, calculate what cost savings the cloud can
offer them, and consider what additional risks are
incurred. Once potential cost savings and risks are
identified, enterprises will have a better
understanding of how they can leverage cloud
services. There’s a powerful business case for
buying computational power, disk storage,
collaboration, application development resources,
ERP, and CRM on demand. Compared with buying
more servers and disks or expanding or deploying
expensive infrastructure and programs, cloud
computing is flexible and scalable. It can meet
short‐term initiatives and requirements and deal
with peaks and valleys in business cycles.
THANK YOU
Plante & Moran would like to thank Pat McQueen,
Table Sponsor from Salesforce.com, Joe Drouin,
CIO from Kelly Services, Inc., and all roundtable
participants for their contributions.
For more information, please contact:
Doug Wiescinski
248.223.3208