UKCMG Free Forum 2010 – 13th October 2010

Storm clouds ahead?: A risk analysis of Cloud Computing

Storm Clouds Ahead?


A risk analysis of Cloud Computing

Session S6
Andy Bolton
Chief Executive Officer, Capacitas

Abstract
Many organisations are now considering using 'Cloud Computing' offerings to meet their
scalability issues, environmental commitments and cost constraints. This could be a risky
approach as many important areas of Cloud computing are yet to be fully understood
within IT departments; these include the security model, data protection, resilience and
transaction performance. Service management aims to provide consistent, reliable and
cost-effective ICT services to its customers.

These goals could come under threat as the pressure to adopt Cloud-based services
increases, unless the design and implementation constraints of Cloud computing are
thoroughly understood. Additionally, the Cloud business model introduces its own
open-ended financial risks to an adopter. This presentation and associated whitepaper will
describe a risk analysis of Cloud computing from a Service Management perspective and
recommend some mitigation that could be considered to protect adopters.

© Capacitas 2002-2010

Agenda
• Introduction
• Risk Management
• Service Management
• Service Capacity
• Service Cost
• Service Performance
• Summary

Introduction
The IT industry has evolved over the last fifty years, changing paradigms constantly:

• from single, hugely expensive mainframe systems back in the 1960s and 1970s;
• through the rise of the personal computer in the 1980s;
• the associated explosion in distributed computing in the 1990s and server sprawl;
• and through to the new era of consolidation back onto centralised platforms.

Centralised Computing Paradigm (1955-1985)


[Diagram: Files, Applications and Databases; Local users; Remote user connected by Dial-in or Leased Line]

Distributed Computing Paradigm (1985-1995)


[Diagram: Application Server, Database Server, Web Server and File Server; Local users; Remote user connected by Dial-in]

Distributed Computing Paradigm (1995-2000)


[Diagram: Application Server, Database Server, Web Server and File Server; Local users; Remote user connected by VPN over Internet]

Distributed Computing Paradigm (2000-2005)


[Diagram: Application Server, Database Server, Web Server, File Server and Web Services Server; Internet; Local users; Remote user connected by VPN over Internet]

Distributed Computing Paradigm (2005-2010)


[Diagram: Application Server, Database Server, Web Server, File Server and Web Services Server; Internet; 'Cloud' Provider; Local users; Remote user connected by VPN over Internet]

Cloud: the next step in Virtualisation?


We have now virtualised many aspects of computing (i.e. consolidated onto larger
platforms):

• Computing power (e.g. VMware servers)
• Networks (e.g. VPNs)
• Storage (e.g. SANs)
• Desktops (e.g. Citrix)

Cloud: the next step in Virtualisation?


[Diagram of virtualised storage, network, server and desktop components. Labels: Storage Array, Fibre Channel, Virtual Disk A, Virtual Disk B; VPN, Application A, Application B; Applications, Guest Operating Systems, Virtual Machines, Virtual Hardware, Virtualisation Layer, Server Hardware; SystemGuard™ Environment, Application, Data (Profile and documents), System Services (Windows services, COM, OLE, printers, etc), Configurations, Software, Desktop Operating System]

Typical Cloud Architecture

[Diagram: 'Cloud' Provider comprising End-User Services (Web Servers, Application Servers, Database Servers, Storage Servers) and IT Management (Authentication Servers, Billing Servers, Provisioning Servers, Systems Management); End-User linked to the provider by Contract, SLA and Billing]


Cloud Service Providers


Some of the leading providers of Cloud services are:

• Amazon
• Google
• Microsoft
• Rackspace
• Salesforce

Some Cloud Services Available


• Web Servers (e.g. Apache, IIS)
• Application Servers (e.g. Java, Linux, Windows Server, Solaris)
• Queue Services
• Database Servers (e.g. Oracle, SQL Server)
• Storage Services

Risk Management
Definition of Risk Management:

“The proactive identification, analysis and control of those risks which can threaten the
assets or the earning capacity of an enterprise”
Institute of Risk Management

The art of risk management is to identify all risks and to reduce them to an acceptable
level.

Risk Management

[Figure: Impact plotted against Likelihood, showing a Risk Tolerance Limit, the zones "Do not proceed", "Assess & decide" and "Safe to proceed", and points a, b, c and d]

Figure – Crown Copyright 2007

Service Management
Service Management aims to provide to its customers consistent, reliable and cost-effective
ICT services.

Applying the risk management definition to service management:

• The art of service management is to identify risks to service and provide
mitigation to reduce them to an acceptable level.

Three aspects will be briefly reviewed here:

• Service Cost
• Service Capacity
• Service Performance

Service Management (ITIL V3)

Service Strategy
• Service Portfolio
• Service Economics
• IT Financial Management
• IT Demand Management
• Strategies for:
    • Outsourcing
    • Insourcing
    • Co-sourcing

Service Design
• Service Portfolio Design
• Service Catalogue Management
• Service Level Management
• Supplier Management
• Capacity Management
• Availability & Service Continuity Management
• Information Security Management

Service Operation
• Service Request Management
• Event Management
• Incident Management
• Problem Management
• Access Management

Service Transition
• Change Management
• Service Asset & Configuration Management
• Knowledge Management
• Service Release Management
• Deployment, Decommission & Transfer

Continual Service Improvement

Figure – Crown Copyright 2007

Service Management & Risk Management


[Figure: Service Management as a risk filter. Labels: Business Operations, Customer assets, Service assets, Service Operations; Demand-side risks, Risks acceptable to the supplier; Supply-side risks, Risks acceptable to the customer]

Figure – Crown Copyright 2007

Managing Service Capacity


One of many reasons for companies to adopt Cloud computing is the difficulty in forward
planning of service capacity to meet demand.

This has many repercussions. These include:

• Inability to reduce or prevent capacity-related service outages;
• Inability to accurately forecast when additional capacity is required;
• Inability to identify when capacity can be reduced;
• Inability to plan capacity purchases in advance preventing cost-effective procurement;
• Inability to forecast costs of the infrastructure and provide accurate budgets;
• Inability to relate customer-driven demand units to capacity required.

Too many organisations therefore undertake easier, reactive capacity management
activities.

Managing Service Capacity


Managing Demand:
• Developing Complementary Services
• Partitioning Demand
• Developing Reservation Systems
• Offering Price Incentives
• Promoting Off-Peak Demand

Managing Supply:
• Increasing Customer Participation
• Sharing Capacity
• Cross-Training Employees
• Scheduling Work-Shifts
• Creating Adjustable Capacity
• Using Part-Time Employees

Yield Management

© Service Management: Operations, Strategy and Information
Technology. 2nd Edition, 1998, Fitzsimmons and Fitzsimmons

Managing Service Capacity – Where is Cloud?


[Figure: the Managing Service Capacity diagram from the previous slide, repeated. © Service Management: Operations, Strategy and Information Technology. 2nd Edition, 1998, Fitzsimmons and Fitzsimmons]

Relationship between Demand, Supply & Cost

1. Marketing & Sales provide forecasts of customer demand in order that sufficient
   capacity is available when needed (Demand Forecasts).
2. Capacity Planning translate demand forecasts into capacity plans identifying the
   financial costs (Capacity Plans).
3. Finance approve or deny budgets required to meet the forecast business demand
   (Budget).
Capacity Management Maturity

Levels, ordered by decreasing proactiveness:

Level 5 (Enterprise): Capacity Planning all Platforms and Services as one integral unit
Level 4 (Service): Capacity Planning Service end-to-end on all Platforms
Level 3 (Platform): Capacity Planning on all Products per Platform
Level 2 (Application): Capacity Planning for individual Applications on a Platform
Level 1b: Trended capacity utilization with semi-reactive upgrading
Level 1a (Reactive): Capacity utilization monitoring with reactive upgrading
Level 0 (None): No Capacity Planning or Management


© Andy Bolton 1998

Cloud Service Costs


The comparative cost advantage of the Cloud business model is contentious at best.

There are many reports that claim Cloud is less expensive than conventional in-house
computing. However there are also reports that claim the opposite.

The answer…

…is not in this presentation I'm afraid!

Some contradictory resources:

• Forrester report: The ROI Of Software-As-A-Service, by Liz Herbert and Jon Erickson
• CMG MeasureIT 8.2: Capacity Concerns in a SaaS and Cloud World

Cloud Service Costs – Pricing Models


Pricing tends to be based on utility models, often comprising a mixture of the following
methods:

• a subscription fee (e.g. monthly)
• a resource usage fee (e.g. CPU seconds, GB storage, GB I/O)
• a transaction fee (e.g. # of transactions processed)

This pricing structure is comparable to buying utilities, such as gas and electricity, hence
the term 'utility computing'.

Cloud Service Costs – Example Pricing


An example pricing model is described below:

• Processing: £0.10 per CPU available per hour
• Storage: £0.12 per GB stored per month
• Storage transaction: £0.01 per 5,000 transactions
• Data transfers: £0.05 in / £0.10 out / GB

Cloud Service Costs: Pricing – A Case Study


Consider an example IT user company that is investigating pricing based on its current
key online service:

Resource              Pricing Volume    Unit               Rate per Unit   Per month
Processing            4.8 Cores         per hour           £0.10             £345.60
Storage               2,000 Avg GB      per GB per month   £0.12             £240.00
Storage Transactions  12,000 Avg / hr   per 5,000          £0.02              £34.56
Data In               150 Avg Mb/s      GB                 £0.05           £1,944.00
Data Out              150 Avg Mb/s      GB                 £0.10           £3,888.00

TOTAL                                                                      £6,452.16
Assumes 30 days / month

Cloud Service Costs: Pricing – A Case Study


The pricing on the previous slide compares favourably to buying server hardware, the
appropriate licensed software and paying a recurring fee to host in a shared data centre
with the appropriate network bandwidth.

Also as this is operational expenditure, it is tax efficient, like leasing, compared to
purchasing hardware and software.

However, the hosted solution has one advantage. The cost is predictable every month. The
cost of the Cloud solution is variable based on its usage.

Cloud Service Costs: Pricing – A Case Study


Imagine a doubling of transactional demand. This would impact processing, transactions
and I/O (though not necessarily the total storage):

Resource              Pricing Volume    Unit               Rate per Unit   Per month
Processing            9.6 Cores         per hour           £0.10             £691.20
Storage               2,000 Avg GB      per GB per month   £0.12             £240.00
Storage Transactions  24,000 Avg / hr   per 5,000          £0.02              £69.12
Data In               300 Avg Mb/s      GB                 £0.05           £3,888.00
Data Out              300 Avg Mb/s      GB                 £0.10           £7,776.00

TOTAL                                                                     £12,664.32
Assumes 30 days / month

This results in a near doubling of costs…

The Implication of Utility Pricing


While there are many advantages with adopting a Cloud model, there is a risk of this
uncapped pricing scheme resulting in unexpectedly large bills.

IT organisations like budgets! These are designed so that the company knows in advance
what the annual ICT expenditure is likely to be.

Cloud introduces a completely variable cost item into the financial model. This doesn't
mean it's unpredictable, but unless there is some way contractually to cap the
volume-based fees this is a risk.
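
The case-study tables and the uncapped-fee risk described above, as an added Python example that is not part of the original presentation: it recomputes the monthly bill from the slide's volumes and rates, then shows the spend that falls outside a contractual volume cap. The 10-bits-per-byte conversion is an assumption inferred from the slide's Data In/Out figures, and the demand series and 1.2x cap are constructed sample values.

```python
from decimal import Decimal as D

HOURS = D(24 * 30)            # slide footnote: 30 days / month
SECONDS = HOURS * 3600
BITS_PER_BYTE = D(10)         # assumption: the value that reproduces the slide's Data In/Out rows

# Rates (GBP) and baseline volumes, both taken from the case-study table.
RATE = {"core_hour": D("0.10"), "gb_month": D("0.12"), "per_5000_txn": D("0.02"),
        "gb_in": D("0.05"), "gb_out": D("0.10")}
BASE = {"cores": D("4.8"), "storage_gb": D(2000), "txn_per_hour": D(12000),
        "mbps_in": D(150), "mbps_out": D(150)}


def gb_per_month(mbps):
    """Average megabits per second -> gigabytes moved in a 30-day month."""
    return mbps / BITS_PER_BYTE * SECONDS / 1000


def monthly_bill(demand=1):
    """Line items (GBP) at a multiple of baseline transactional demand.

    Demand scales processing, storage transactions and I/O; stored volume is
    held constant, as on the slide.
    """
    m = D(str(demand))
    items = {
        "Processing": BASE["cores"] * m * HOURS * RATE["core_hour"],
        "Storage": BASE["storage_gb"] * RATE["gb_month"],
        "Storage Transactions": BASE["txn_per_hour"] * m * HOURS / 5000 * RATE["per_5000_txn"],
        "Data In": gb_per_month(BASE["mbps_in"] * m) * RATE["gb_in"],
        "Data Out": gb_per_month(BASE["mbps_out"] * m) * RATE["gb_out"],
    }
    items = {name: cost.quantize(D("0.01")) for name, cost in items.items()}
    items["TOTAL"] = sum(items.values())
    return items


def uncapped_exposure(demand_by_month, contract_cap):
    """Per-month cost above the bill at the contractual volume cap.

    This is the usage-based spend that nobody budgeted for: zero while demand
    stays under the cap, then growing with every unit of excess demand.
    """
    capped_total = monthly_bill(contract_cap)["TOTAL"]
    return [max(D(0), monthly_bill(d)["TOTAL"] - capped_total) for d in demand_by_month]


if __name__ == "__main__":
    for name, cost in monthly_bill().items():
        print(f"{name:<22}£{cost:>10,.2f}")
    print("Doubled demand total: £{:,.2f}".format(monthly_bill(2)["TOTAL"]))
    # Constructed sample: demand multiples for four months against a 1.2x cap.
    print(uncapped_exposure(["1.0", "1.1", "1.4", "1.5"], "1.2"))
```

Because data transfer dominates the bill, the total tracks demand almost linearly; only the fixed storage line keeps a doubling of demand from exactly doubling the cost.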

The Implication of Utility Pricing on Outsourcers


The variability of the utility pricing model can have a considerable impact on Outsourcers.

Their customers expect a fixed price for their contracts, especially in the public sector. The
public sector often plans budgets out as far as 3 or 5 years, so cost variability is
unwelcome. They frequently specify caps for transaction volumes.

An outsourcer who wants to provide or use a Cloud-based infrastructure may have to
carefully structure contracts to avoid paying for its customers' excess demand.

Financial Risk to Outsourcers

[Charts on three slides: monthly series from Jan-09 to Dec-11 on a vertical axis running from 80 to 150, annotated "Unexpected leap in demand" and "Service cap is breached", and on the final chart "Outsourcer liable for this cost"]

Service Performance
When IT infrastructure is kept in-house, monitoring and measuring service performance at
each step of a transactional path is achievable, though it is frequently not undertaken.

However, as more companies adopt formal Service Management processes such as ITIL
there is the need to establish Service Level Agreements (SLAs).

One key aspect of a Service Level Agreement is the monitoring, measurement and
reporting of aspects of service performance such as transactional response times,
availability and batch run times and end times.

Moving to a Cloud model can make this more difficult. Some commercial Cloud SLAs are a
retrograde step from current commercial outsourcers' SLAs, simply containing statements
like:
“we guarantee […] external connectivity 99.95% of the time”.

Service Performance – In-house

[Diagram: End-User in the Local Office connected to Web Servers, Application Servers, Database Servers and Storage Servers in the Data Centre. Labels: Measurable End-to-End Transaction Response Time; Measurable Local Response Time; Measurable Remote Response Times]

Service Performance – Cloud

[Diagram: End-User in the Local Office (Customer Demarcation) connected to Web Servers, Application Servers, Database Servers and Storage Servers at the 'Cloud' Provider (Supplier Demarcation). Labels: Measurable End-to-End Transaction Response Time; Measurable Local Response Time; Immeasurable But Derivable Supplier Response Times]

Service Performance – Service Level Agreements


The Service Level Agreement defines the service that the customer expects from a supplier.

Key Points:
• Do not rely on Service Credits to guarantee performance; often it is cheaper for the
service provider to pay the service credit than resolve the problem
• Ensure the SLA is achievable, watertight and equitable; one-sided SLAs help neither
party in the long-term
• Unless the SLA has a Service Bonus for exceeding performance do not expect
anything more than the targets being achieved; this is the service provider's margins at
stake!

Summary
• Cloud is a new computing paradigm that is here to stay
• As with any new technology or business model it has its pros and cons
• Before adopting Cloud, careful consideration is required of:
    • Service Management aspects, such as capacity, performance and resilience
    • Security and Data Protection compliance
    • The financial model
