Copyright 2009-12 Roger Clarke, Xamax Consultancy, Canberra. Visiting Professor in Computer Science, ANU, and in Cyberspace Law & Policy, UNSW. 25th Bled eConference.


A Framework for the Analysis of Cloudsourcing Proposals
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor in Computer Science, ANU, and in Cyberspace Law & Policy, UNSW
25th Bled eConference, 19 June

Framework for Analysis of Cloudsourcing Proposals: Agenda
1. Cloud Computing
2. Research Approach
3. Cloudsourcing Theory
4. Info & IT Security Theory
   - Operational Disbenefits and Risks
   - Contingent Risks
   - Security Risks (Security in the Less Broad)
   - Commercial Disbenefits and Risks
   - Compliance Disbenefits and Risks
5. Preliminary Field Reports

The Gartner Hype-Cycle for Emerging Technologies
"... a snapshot of the relative maturity of technologies ... They highlight overhyped areas against those that are high impact, estimate how long they will take to reach maturity, and help organizations decide when to adopt"


The Motivation: Find Answers to These Questions
- Is each of the various forms of cloud computing ready for 'prime time'?
- Is it appropriate for organisations to rely on IaaS, PaaS and SaaS providers?
- On what basis can judgements be made as to whether cloud computing is sufficiently reliable?
- What complementary actions are needed by organisations that adopt it?

Research Approach

Categories of Outsourcing
- Domestic / Within-Nation cf. Cross-Border / 'Off-Shore'
- Hosting cf. 'Utility Computing' cf. Application Service Provision (ASP)
- IT (e.g. equipment hosting) cf. Business Process (e.g. call centres)

A 'Primary Drivers' Theme
- Cost Reduction
- Access to technological expertise
- Enabling focus on core competence, rather than sustaining and managing technical capabilities
- Few Demonstrated Cost-Savings
- Little Focus on Impact on Service-Quality
- Mis-fit, Lock-in, Lack of Adaptability
- And then the 'Myths' literature

Cloud Computing is a Form of Outsourcing
How is it different from earlier forms?
- Scalability ('there when it's needed')
- Flexible Contractual Arrangements ('pay per use')
- Opaqueness ('let someone else worry about details'), which means less user control:
  - of the application, through commoditisation
  - of service levels, through SLA dependence (assuming there's an SLA, and it's negotiable)
  - of host location, through resource-virtualisation

From Insourcing to Cloudsourcing (diagram sequence)
- Off-Site Hosting
- Outsourced Facility
- Multiple Outsourced Facilities
- Integrated Multi-Site Outsourced Facilities
- CloudSourced Facilities

Levels of Cloudsourcing
- Infrastructure as a Service (IaaS): Amazon EC2, Rackspace, ...
- Platform as a Service (PaaS): MS Azure, Software Development Environments, ...
- Software as a Service (SaaS): Google Gmail, Google Docs / Apps; MS Live and Office 365; Dropbox; Salesforce; MYOB LiveAccounts, Intuit Online

Levels of Cloudsourcing
- Infrastructure as a Service (IaaS): 1960s on – Remote Application Hosting
- Platform as a Service (PaaS): 1990s on – Remote Servers
- Software as a Service (SaaS): 1980s – Application Service Providers (ASPs); 1990s – Hotmail => Webmail; 2004 – Gmail; 2005 – Zoho; 2006 – GDocs

Levels of Cloudsourcing, and What is and isn't Outsourced

The Cloudsourcing Provider
- A Commercial Enterprise
- A Community Provider
- A Government Business Enterprise
- A Central Government Agency
- The User Organisation Itself
The Location(s)
- Provider's Choice
- User Organisation's Choice
- User Organisation's Own Premises

Cloudsourcing from the User Perspective
A service that satisfies all of the following conditions:
1. It is delivered over a telecommunications network
2. The service depends on virtualised resources, i.e. the user has no technical need to be aware which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located
3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used

Cloudsourcing from the User Perspective
A service that satisfies all of the following conditions:
1. It is delivered over a telecommunications network
2. The service depends on virtualised resources, i.e. the user does not know which server(s) running on which host(s) is/are delivering the service, nor where the host(s) is/are located
3. The service is acquired under a relatively flexible contractual arrangement, at least re the quantum used
4. The user organisation places reliance on the service for data access and/or data processing
5. The user organisation has legal responsibilities

Information Security
- Data Secrecy: prevent access by those who should not see it
- Data Quality / Data Integrity: prevent inappropriate change and deletion
- Data Accessibility: enable access by those who should have it

IT Security
- Security of Service: Integrity, Reliability, Robustness, Resilience, Accessibility, Usability
- Security of Investment: Assets, The Business

The Conventional IT Security Model: Threats impinge on Vulnerabilities, resulting in Harm

From Insourcing to Cloudsourcing: Changes in Risk-Exposure
Sourcing Phases:
- Insourcing
- Outsourced Site
- Outsourced Facility
- Outsourced Facilities in Multiple Locations
- Integrated Multi-Site Outsourced Facilities
- Cloudsourced Facilities
Increasing: Component-Count, Location-Count, Complexity, Dependencies, Fragility
Decreasing: Internal Expertise, Internal Knowability ('set and forget')

Potential Benefits: Technical, Business, Financial, Enhanced Service Accessibility

Potential Benefits: Technical
- Scalability
- Professionalised Backup and Recovery
- Convenience
- Collaboration Convenience
- ...

Potential Benefits: Business
- Rapid Prototyping
- Rapid Launch of New Services
- Rapid Scalability of Services that have Variable or Uncertain Demand
- Operational Costs that Reflect Usage
- ...

Potential Benefits: Financial
- Lower Investment / Up-Front Cost
- Lower Operational Costs
- Lower IT Staff Costs
- From Capital Budget (CAPEX) to Recurrent Budget (OPEX)?
- Escape from 'Whole of Life' Costing?
- ...

Potential Benefits: Enhanced Service Accessibility
Access to Services that are otherwise unavailable:
- from any location
- from multiple desktop devices
- from scaled-down devices
- from multiple device-types

Downsides from the User Perspective (Security in the Broad)
(1) Operational Disbenefits and Risks: dependability on a day-to-day basis
(2) Contingent Risks: low likelihood, but highly significant
(3) Security Risks: security in the less broad
(4) Commercial Disbenefits and Risks
(5) Compliance Disbenefits and Risks

(1) Operational Disbenefits and Risks
- Fit – to users' needs, and customisability
- Reliability – continuity of operation
  - Availability: hosts/server/db readiness/reachability
  - Accessibility: network readiness
  - Usability: response-time, and consistency
  - Robustness: frequency of un/planned unavailability (97% uptime = 5 hr per week offline)
  - Resilience: speed of resumption after outages
  - Recoverability: service readiness after resumption
- Integrity – sustained correctness of the service, and the data
- Maintainability – fit, reliability, integrity after bug-fixes & mods
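
The reliability sub-items above (availability, robustness, resilience) are measurable, and the field reports later in the deck suggest that a user organisation should measure them itself rather than rely on the provider's figures. The following Python is an added example, not material from the deck: it parses a constructed outage record for one week of a hypothetical provider, computes the availability percentage, the count of unplanned outages (robustness) and the mean time to restore (resilience), and compares the downtime used against the downtime budget implied by an SLA target. The CSV log format, the timestamps and the 99.9% target are all constructed assumptions; the week's total of 5 hours offline is chosen to reproduce the deck's 97%-uptime figure.

```python
"""Measure availability, robustness and resilience from an outage record and
compare them with an SLA target. Added example for this page; not part of the
original deck. The log format and the outage records are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable

# Constructed outage record for one week of a hypothetical SaaS provider.
# Format: start,end,planned|unplanned (ISO 8601 timestamps, UTC).
OUTAGE_LOG = """
# start,end,kind
2012-06-05T02:00:00,2012-06-05T03:00:00,planned
2012-06-07T14:10:00,2012-06-07T15:40:00,unplanned
2012-06-09T22:00:00,2012-06-10T00:30:00,unplanned
"""

PERIOD_START = datetime(2012, 6, 4)
PERIOD_END = datetime(2012, 6, 11)  # one week = 168 hours = 10080 minutes


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    planned: bool

    @property
    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60


def parse_outage_log(text: str) -> list[Outage]:
    """Parse the constructed CSV format; blank lines and '#' comments are skipped.
    A record whose end precedes its start is rejected rather than silently
    counted as negative downtime, which would inflate the availability figure."""
    outages = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start_s, end_s, kind = (f.strip() for f in line.split(","))
        start, end = datetime.fromisoformat(start_s), datetime.fromisoformat(end_s)
        if end < start:
            raise ValueError(f"outage ends before it starts: {line}")
        outages.append(Outage(start, end, planned=(kind == "planned")))
    return outages


def service_metrics(outages: Iterable[Outage], period_start: datetime,
                    period_end: datetime) -> dict:
    """Availability (%), robustness (outage counts) and resilience (time to restore).
    Outages are clipped to the period so one straddling the boundary only
    contributes the part that falls inside it."""
    period_min = (period_end - period_start).total_seconds() / 60
    clipped = []
    for o in outages:
        s, e = max(o.start, period_start), min(o.end, period_end)
        if e > s:
            clipped.append(Outage(s, e, o.planned))
    down_min = sum(o.minutes for o in clipped)
    unplanned = [o for o in clipped if not o.planned]
    return {
        "availability_pct": 100 * (1 - down_min / period_min),
        "downtime_min": down_min,
        "outage_count": len(clipped),          # robustness: how often it goes down
        "unplanned_count": len(unplanned),
        "mean_time_to_restore_min": (         # resilience: how fast it comes back
            sum(o.minutes for o in unplanned) / len(unplanned) if unplanned else 0.0),
        "worst_outage_min": max((o.minutes for o in clipped), default=0.0),
    }


def sla_verdict(metrics: dict, target_pct: float, period_start: datetime,
                period_end: datetime) -> dict:
    """Compare measured downtime with the downtime budget implied by an SLA target."""
    period_min = (period_end - period_start).total_seconds() / 60
    budget_min = (1 - target_pct / 100) * period_min
    return {
        "target_pct": target_pct,
        "budget_min": budget_min,
        "used_min": metrics["downtime_min"],
        "breached": metrics["downtime_min"] > budget_min,
    }


def weekly_report(log: str = OUTAGE_LOG, target_pct: float = 99.9) -> dict:
    """Run the whole pipeline over the constructed week."""
    metrics = service_metrics(parse_outage_log(log), PERIOD_START, PERIOD_END)
    return {"metrics": metrics,
            "sla": sla_verdict(metrics, target_pct, PERIOD_START, PERIOD_END)}


if __name__ == "__main__":
    r = weekly_report()
    m, s = r["metrics"], r["sla"]
    print(f"availability {m['availability_pct']:.2f}% ({m['downtime_min']:.0f} min down, "
          f"{m['unplanned_count']} unplanned outages, MTTR {m['mean_time_to_restore_min']:.0f} min)")
    print(f"SLA {s['target_pct']}%: budget {s['budget_min']:.1f} min, "
          f"{'BREACHED' if s['breached'] else 'met'}")
```

Fed with the constructed week, the report shows 97.02% availability (300 minutes down), two unplanned outages with a mean time to restore of 120 minutes, and a breach of the 99.9% target, whose weekly budget is only about 10 minutes; the same downtime would sit inside a 97% target. Planned maintenance is counted in the availability figure but excluded from the resilience figure, because the checklist's "robustness" item counts both planned and unplanned unavailability while "resilience" concerns recovery from outages.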

(2) Contingent Risks
- Major Service Interruptions
- Service Survival – supplier collapse or withdrawal. Safeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers
- Data Survival – data backup/mirroring/synch, accessibility
- Data Accessibility – blockage by opponents or a foreign power
- Compatibility – software, versions, protocols, data formats
- Flexibility
  - Customisation
  - Forward-Compatibility – to migrate to new levels
  - Backward-Compatibility – to protect legacy systems
  - Lateral Compatibility – to enable dual-sourcing and escape

(3) Security Risks
- Service Security: environmental, second-party and third-party threats to any aspect of reliability or integrity
- Data Security: environmental, second-party and third-party threats to content, both in remote storage and in transit
- Authentication and Authorisation: how to provide clients with convenient access to data and processes in the cloud, while denying access to imposters?
- Susceptibility to DDoS: multiple, separate servers; but choke-points will exist

(4) Commercial Disbenefits and Risks
Acquisition:
- Lack of information
- Non-Negotiability of Terms and SLA
Ongoing:
- Loss of Corporate Expertise re apps, IT services, costs to deliver
- Inherent Lock-In Effect from high switching costs, formats, protocols
- High-volume Data Transfers from large datasets, replication/synchronisation
- Service Levels to the Organisation's Customers

(5) Compliance Disbenefits and Risks
- General Statutory & Common Law Obligations
- Evidence Discovery Law
- Financial Services Regulations
- Company Directors' obligations re asset protection, due diligence, business continuity, risk management
- Security Treaty Obligations
- Confidentiality – incl. against foreign governments: Strategic, Commercial, Governmental
- Privacy – particularly Unauthorised Use and Disclosure: Second-Party (service-provider abuse), Third-Party ('data breach', 'unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

Risk Management Strategies
Processes:
- Risk Assessment => Risk Management
Legal Aspects:
- Service Level Agreement (SLA)
- Contract Terms
- Ongoing Due Diligence
- Audit and Certification
Multi-Sourcing:
- Several Suppliers (of necessity compatible)
- Parallel, In-House
Redundancy – Multiple and Independent Processing Facilities:
- Hot/Warm-Site Data Storage
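
The risk-exposure slide earlier in the deck says that each sourcing phase adds components and dependencies, and this slide offers multi-sourcing and redundancy as the counter-measures. The arithmetic that connects the two is worth carrying through, so the following Python is an added example, not material from the deck: it turns an uptime percentage into hours offline per week (reproducing the deck's 97% = about 5 hr figure), multiplies availabilities along a serial dependency chain to show why a longer chain is more fragile, combines independent providers in parallel to show what dual-sourcing buys, and then shows that the links both providers share (the user's own network, an identity provider) stay serial, which is the "choke-points will exist" point from the security-risks slide. All component names and availability figures are constructed assumptions, and the multiplication assumes independent failures, which the failure-cascade finding in the field reports suggests is optimistic.

```python
"""Availability arithmetic for the sourcing phases and the multi-sourcing strategy.
Added example for this page, not material from the deck. Component names and
availability figures are constructed assumptions chosen to show the effect."""
from math import prod

HOURS_PER_WEEK = 168.0


def downtime_hours_per_week(uptime_pct: float) -> float:
    """Downtime implied by an uptime percentage (the deck's 97% = about 5 hr/week)."""
    return (1 - uptime_pct / 100) * HOURS_PER_WEEK


def serial_availability(chain: dict[str, float]) -> float:
    """A dependency chain is up only when every link is up, so availabilities multiply.
    Assumes independent failures; with the cascades the deck reports this is optimistic."""
    return prod(chain.values())


def parallel_availability(replicas: list[float]) -> float:
    """Independent replicas: the service is down only when all of them are down."""
    return 1 - prod(1 - a for a in replicas)


def phase_chains() -> dict[str, dict[str, float]]:
    """Constructed dependency chains for successive sourcing phases. Each phase keeps
    the previous links and adds new ones (more components, locations, dependencies)."""
    chain = {"office LAN": 0.9995, "server": 0.995, "application": 0.998}
    phases = {"Insourcing": dict(chain)}
    chain.update({"internet link": 0.998, "outsourced facility": 0.9995})
    phases["Outsourced Facility"] = dict(chain)
    chain.update({"inter-site replication": 0.997})
    phases["Integrated Multi-Site Outsourced Facilities"] = dict(chain)
    chain.update({"provider control plane": 0.999, "identity provider": 0.9995,
                  "virtualised storage": 0.999})
    phases["Cloudsourced Facilities"] = dict(chain)
    return phases


def phase_availabilities() -> dict[str, float]:
    """Availability of each phase's chain, in phase order."""
    return {name: serial_availability(chain) for name, chain in phase_chains().items()}


def multi_sourced_availability(shared_chain: dict[str, float], providers: list[float]) -> float:
    """Dual-sourcing puts the providers in parallel, but the links both depend on
    (the user's own network, the identity provider) stay serial: the choke-points."""
    return serial_availability(shared_chain) * parallel_availability(providers)


# Constructed multi-sourcing scenario: two compatible providers behind shared links.
SHARED_LINKS = {"office LAN": 0.9995, "internet link": 0.998, "identity provider": 0.9995}
PROVIDERS = [0.98, 0.98]


def report() -> list[tuple[str, float, float]]:
    """(phase, availability, hours offline per week) per phase, plus the dual-provider case."""
    rows = [(name, a, downtime_hours_per_week(100 * a))
            for name, a in phase_availabilities().items()]
    ms = multi_sourced_availability(SHARED_LINKS, PROVIDERS)
    rows.append(("Cloudsourced, dual provider", ms, downtime_hours_per_week(100 * ms)))
    return rows


if __name__ == "__main__":
    for name, a, hrs in report():
        print(f"{name:45s} {100 * a:7.3f}%  ~{hrs:5.2f} hr/week offline")
```

With these constructed figures the chain's availability falls at every phase, and two providers at 98% each reach 99.96% in parallel, but once the shared links in front of them are multiplied in, the combined service sits below that parallel figure. The practical reading for a proposal review is that a dual-sourcing clause in the contract only delivers its promised redundancy if the components the two sources share are identified and themselves made redundant.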

Testing Needed
Is this Framework relevant, understandable, practicable and comprehensive?
Approaches:
- Review of its Rationale
- Pilot-Testing in various settings
- Deep case studies
A Preliminary Test of the Checklist: Media Reports of Cloud Outages

Preliminary Field Reports
105 relevant articles; 49 relevant events:
- 26 related to 10 SaaS providers
- 7 events related to 5 PaaS providers
- 16 events related to 5 IaaS providers
Clarke R. (2012) 'How Reliable is Cloudsourcing? A Review of Articles in the Technical Media', Computer Law & Security Review 28, 1 (Feb 2012)

Inferences from the Reports
(1) Outages are not Uncommon
(2) Outages Arise from Multiple Causes
(3) Providers' Safeguards are Sometimes Ineffective
(4) Failure Cascades are Prevalent
(5) Providers have had to be Forced to be Responsive
(6) Providers have often been Uninformative
(7) Outages may Affect Important Ancillary Services
(8) The Direct Impacts have sometimes been Significant
(9) Indirect Impacts have often been Even More Significant
(10) Few Customers are Recompensed

Conclusions
- Cloudsourcing can be better understood and better managed by drawing on prior knowledge of outsourcing, and of security and risk management
- Theoretical risks have been identified
- Evidence shows that they are real, and even common
- Organisations often adopt services without evaluation
- Directors have legal responsibilities re business risk assessment and management
- The framework provides a basis for executives to assist Directors in fulfilling their responsibilities

Framework for Analysis of Cloudsourcing Proposals: Agenda
1. Cloud Computing
2. Potential Benefits
3. Cloudsourcing Theory
4. Info & IT Security Theory
   - Operational Disbenefits and Risks
   - Contingent Risks
   - Security Risks (Security in the Less Broad)
   - Commercial Disbenefits and Risks
   - Compliance Disbenefits and Risks
5. Preliminary Field Reports
