290 Cloud Computing
Murray:
You do realize that if we found a cloud provider that we could really trust, and hold them to their SLA, and they are as efficient and responsive as IT, then from a cost/benefit perspective, I may want to modify IT in this company and move our infrastructure ownership and control over resources to a cloud provider.
Jim:
Of course. This is actually called a “shadow IT” organization, but it won’t happen overnight. First we need to find a provider that we can trust with our noncritical data, and then assess over time whether we want to go the next step. There isn’t a single C-level executive with fiduciary responsibility to his or her company and shareholders that would make a commitment of this magnitude without meeting the providers, doing a deep dive to separate reality from roadmaps of future promises, and establishing a true partnership for success. Frankly, with the limited number of staff I currently have, we can become the governance arm of this relationship. Another value-add that we can leverage is to have the cloud providers provide security and privacy compliance services, avoiding the cost of expensive personnel, hardware, and software to do it. This is very similar to what was provided by MSSPs before the dot-com bust. Murray, I believe you were around then and understand the value; in fact, if I remember correctly, don’t you go back to the Commodore days?
Murray:
Yes, I certainly do, Jim. There’s some value to having a gray-hair on this board. If you start attending a few more of my staff meetings, you might even start to learn something other than your gear-head stuff.
All: <Chuckle.>
Danny:
All my team knows our current product—do you know how much time it will take for them to learn a new product and what makes it better?
Jim:
Danny, the new product can do so much more for you—things like pipeline forecasting, executive dashboards, global views by customer category, etc. The learning curve isn’t that steep, and we could help you by providing brown-bag seminars and sessions that show them essential skills first, to get this moving quickly.
Linda:
Jim, is this software limited just to customer data? What can it do for HR?
Jim:
Linda, that’s the best part. While HR abounds with SAAS providers, there aren’t many that fit the cloud model. Most HR service providers today simply don’t have the well-defined APIs yet. Today, much integration among HR systems is brute-force replication and synchronization of data. In some ways, the proliferation of various best-of-breed SAAS offerings has simply increased the extent of data replication across systems. In a full-blown version of cloud computing for HR, employee and HR data would stay in place, perhaps even apart from any particular HR service provider. In this idealized version of HR cloud computing, data is integrated or “mashed up” on an on-demand basis. This is a key difference from today’s SAAS offerings. Cloud computing implies that data is available from cloud-based data stores, which can be read, updated, subscribed to, and maintained by various authorized HR services—enrollment, performance management, learning, compensation, etc. It doesn’t mean that there would be a single HR cloud database for an employer’s entire HR function. There likely would be a single cloud database for HR master data and separate stores for data owned or controlled by ecosphere partners. Examples of the latter might be competency content or candidate profile data. Suffice it to say, though, that the version of cloud computing I’m talking about here is not how HR services are provided today. Full-blown cloud computing for HR is likely a few years away, and skepticism is warranted. However, it merits watching. End users should neither lump it in with SAAS and ASP offerings, nor tolerate loose claims from vendors about providing services from the cloud. This software allows us to customize it so we can have part of it used for managing internal employees as well as customers. We can create automated reports to help you, and it costs no more to do that. This could help streamline the processes you have and, with the project management and task features, it can be useful to everyone.
Susan:
What exactly is this cloud you talk about, and where do you think it will be next year?
Jim:
Well, the Internet is the cloud, and we have a choice of hosting it ourselves since we already own the equipment, or we could outsource all of it. The thing about outsourcing all of it is that those providers will want to collect a monthly recurring charge for providing the equipment and the service. When we ran the numbers for us to outsource the equipment and the service, it didn’t pan out as well as for us to continue using our own investment in hardware and hosting the software out of the box. As for next year, it’s not going away anytime soon.
Murray:
How long would it take to set up something like this?
Jim:
We have a sandbox set up with it now. We’ve been playing around with it for about three weeks, testing what it can and cannot do, and I’d be happy to show you all how we can benefit from taking this approach.
Danny:
I’d like to see this before making a decision.
Murray:
Jim, as the CFO, I’m also responsible for privacy risk and compliance. I’m very concerned about what I’ve been hearing about a cloud provider’s ability to protect our PII and our ability to keep our SAS 70 and ISO 17799 attestation if we go with a third party.
Jim:
First of all, we’ve prepared for this by gaining an understanding of what your risk and compliance requirements really are and how we currently address them on our internal systems. Before anybody asserts that cloud computing isn’t appropriate because of risk and not having an answer to “How do we handle that today?,” we wanted to be prepared in order to avoid embarrassment. My security operations and engineering manager Mike and I briefed you on our requirements last month in preparation for this meeting.
Murray:
Yes you did—it was an excellent approach, by the way. Go on. . . .
Jim:
Of course we also explained our risk assessment mechanism to define levels of risk and make it part of the system development life cycle. Without our preparation in this regard, it would be impossible for us to evaluate whether a given system is a good candidate for operating in the cloud and to assess your potential cloud hosting operators for their risk management practices. With this completed, our projects can have their risk assessments mapped against the cloud provider and a decision can be reached about whether cloud hosting is appropriate for this system. Our cloud hosting risk assessment should be treated as a dynamic target, not a static situation. Since cloud computing is developing rapidly, our current evaluation will probably not be accurate in six months and we’ll have to continue the assessment. As part of the external assessment, we’ll also assess the cloud provider’s compliance with SAS 70, ISO 17799/27001, PCI, and other appropriate standards for our business, and most important, the effect on our continued compliance with these standards.
Susan:
I agree. Big decisions should take time, to ensure we get it right. We’ll set that up later. Jim, was that it?
Jim:
No. For the finance folks, there’s a similar solution for expense reporting and payments. For helping the customer, there’s a solution that ties to the contact solution to provide customer support and track customer history. There are a lot of ways we can improve, but I recommend taking one step at a time. We should change one area and see the improvements before trying to change another area. This gives us flexibility to adjust along the way. I do think we can make all of this happen within six months, and if we shave a couple of million in expenses along the way, that’s not a bad thing!
Susan:
Let’s do a deeper dive on our security risk in going with a cloud provider. I read recently that, along with PII protection, this is the biggest concern of organizations and individuals using these services.
Jim:
As I said before, it’s all about assessing the capabilities and integrity of the provider that we choose, in addition to ensuring that they have the security staff and privacy control and protection expertise that can be leveraged to make up skill sets and security hardware and software that either we currently don’t have or can reduce if we are using a third party. As a recent Gartner report stated, there are seven primary focus areas that we need to address with the cloud vendor that we choose: privileged user access, as I mentioned earlier, regulatory compliance, data location, data segregation, recovery, investigative support, and long-term viability. Of course, there are also many other items that we have to address with a prospective vendor, which we have included in our assessment report—I can email it to all of you right after this meeting adjourns.
Danny:
Come on, Jim, are you going to try to tell me that you’ve accounted for the virtualization security challenges?
Jim:
Actually, yes, I have, Danny. Of course, as security experts warn, all the vendor activity in the world won’t help a company that dives headlong into the cloud without thinking through the risks first, and as long as companies fail to grasp the nuts and bolts of virtualization, dangers remain. As Murray will attest to, we have done our homework in this regard. You must realize that security in a virtual server environment is different, and you have to think differently and use different tools to achieve the same level of security and risk management you had in the past. Operationally and technically, there’s a lot more integration and tightening that have to occur. There are even solutions that protect both physical and logical infrastructure, and that can provide application-aware firewalling, inter-VM flow visibility and analytics, application policy control, and intrusion-prevention capabilities.