Myth or Reality? – The Most Common Objections to Cloud Computing

Peter van der Zouwe
Windows Azure Partner Lead, Microsoft Canada
petervdz@microsoft.com
Twitter: @petervdz
March 2012

Agenda
• Context – The Windows Azure Platform
• How to Target Cloud Computing – People and Business
• Common Objections to Cloud Computing
  - Patriot Act (contact Microsoft Directly)
  - Security
  - Critical Data
  - Availability
  - Multi-Tenancy
  - Compliance
  - Performance

Microsoft Confidential - Signed NDA Required

[Platform diagram. Services: CDN, caching, compute, messaging, storage, database, VMs, business analytics, identity, networking, commerce. Characteristics: automated, managed resources, elastic, usage based.]
Global Physical Infrastructure (servers/network/datacenters): North Central US, S. Central US, N. Europe, W. Europe, E. Asia, S.E. Asia + 24 Edge CDN Locations

Cloud Services

Azure Usage Scenarios
Scenario: Example
• Marketing Portals: Rapid Launch of Innovative Marketing Campaigns, e-Commerce
• Public Facing Website: Product Launch
• Application Development/Migration: Customer urgently needs infrastructure for new Applications
• Development and Test: Outsource Infrastructure needed for Applications Development and Test
• Bursting: Need additional capacity for short periods of time
• Application Extension: Run Applications on premise & in the Cloud
• Departmental Applications: Building new Tier 2 Applications
• Storage/Archiving/Back-up: Store large amounts of non-critical data in back-up scenario
• High Performance Computing: Manage Peak loads for analytics applications
• Open Government: Allow Citizens to access Open Data
• Video Streaming: Capture, Store, Stream & Analyze Video

How to Target Cloud Computing Solutions
People / Business / Risk
• Target Business and Technology Visionaries
• Target Lower Business Impact (LBI) Application to start.
• Cloud Computing is more of a business Value Proposition than pure IT
• Customers willing to accept more risk on SaaS Solutions (SLA)
• Easier for SaaS Cloud Vendors to get to the Business Decision Makers
• For some customers Cloud is a long term journey (Federal Government)
• If you are going to target IT – talk to CIO or Application Development
• “Hybrid” Solutions – alternative to pure Cloud plays
• Agility – ability to do things quickly (more quickly than competitors)
• No up-front costs for massively scalable computing infrastructure
• Pay for what you use, when you use it
• Eliminate utilization concerns
• Add compute power as business grows or demand spikes
• No ongoing depreciation and maintenance costs
• Lower risk (scale or fail quickly)
• Opex vs Capex

Common Objections – Security

“How can you guarantee that our data is secure?”
• This is a very Complex Area and requires expertise to address all the needs of security experts in Enterprises (e.g. Financial Services)
• For Cloud Platforms - Need to consider Platform (Cloud Service Provider), Architecture (Customer and/or IT Partner) and Code (Customer and/or IT Partner). Need to design using good security practices (SDLC).
• Most Cloud Providers take Security VERY Seriously and invest heavily in this area (e.g. MSFT hired 3 X Top Tier Penetration testing teams to test Azure – over 7 weeks not one successful attack)
• Examples of Cloud Security measures: Intrusion Detection Methods, Video Surveillance, Biometrics, Access Control, Background checks on all Data-Centre Personnel, Use of Standards like SSL/HTTPS, Data Encryption, Auto Updating of Security patches, Threat & Vulnerability Management, Anti-Malware, Edge Routers.
• For Serious/Large customers have them take a Data Centre Tour.

Common Objections – Critical Data & Availability

“I do not want to (or legally cannot) put critical Customer Data in the Cloud”
• Discuss Hybrid Solutions (Keep Critical Data on Premise)
• What do you do outside of Canada now? E.g. Who does your payroll?
• Discuss what the data is used for. There is typically something that can be put in the Cloud.

“Can you guarantee that your Cloud Solution will be available when (& where) I need it?”
• SLAs (Most Cloud Service Providers offer at least 99.9% and many offer a Financial Guarantee if it falls below this service level)
• Cloud Services are not perfect and there is always the risk of downtime (as there is in an On-Premise Environment).
• As with normal SW Development “Design for faults”. Back-up. Redundancy.

Common Objections – Multi-Tenancy & Performance

“I do not like the fact that there are Multiple customers on the same server, what if someone else can see my data?”
• Typically with Cloud you are in a Multi-Tenant Environment
• Azure has NW Level protections in place to stop cross-Tenant intrusions & Communications
• Need to encrypt data to ensure secure communications between Services
• For Cloud Storage you can encrypt data and it is secured as standard using randomly generated storage “keys”

“How well does your solution perform? I need to know that it is not going to be slow because there are multiple customers accessing the US based Cloud Solution”
• Do a Proof of Concept/Test the Solution.
• Cloud providers manage Load Balancing, Performance etc.
• Cloud Providers Typically have huge Bandwidth in and out of the Data Centre
• Still a dependence on Architecture, Applications and Design.

Common Objections – Compliance

“What about Compliance?
I need to ensure that your solution complies with internationally recognized standards”
• Ask Customer where the Compliance Concern is coming from. E.g. Legal, Industry Standard etc. Need to understand the issue to address the concern.
• Common Standards that customers will ask for: ISO-27001 (Broad International Information Security Standard), SAS70/SSAE 16 (US Accounting Audit Standard), PCI DSS (Credit Card Information).
• Be careful when discussing Standards with Customers. While your Cloud Data Centre may conform to a standard, you need to ensure that all the services that sit on top of the platform are also compliant.
• There are some standards that are VERY difficult to meet e.g. PCI DSS. Typically Partners will solve this by outsourcing credit card payment to a specific PCI DSS Compliant Vendor.
• For Canada look at PIPEDA (can be covered off via online Privacy Policy)

Cloud Round Table

“With proper privacy protections designed into the system from the very beginning of its lifecycle, and integrated at every system layer, businesses can gain the huge financial and competitive advantages of cloud and ensure security,” Dr. Ann Cavoukian, Ontario Privacy Commissioner

The conversation also covered one of the biggest current concerns about cloud privacy, the U.S. Patriot Act. Cavoukian argued that companies shouldn’t fear it, because it’s not that big a deal. Michael Power, a privacy lawyer at Michael Power Barrister & Solicitor, agreed. “There are a lot of things you should ask your cloud provider ... but location shouldn’t be the sole focus,” he said. “You’ll find that a lot of the similar kinds of provisions that are found in the Patriot Act already exist in Canada.”