UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Storm Clouds Ahead?A risk analysis of Cloud Computing
Session S6
Andy Bolton
Chief Executive Officer, Capacitas
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
© Capacitas 2002-2010S6-2
Abstract
Many organisations are now considering using 'Cloud Computing' offerings to meet their scalability issues, environmental commitments and cost constraints. This could be a risky approach as many important areas of Cloud computing are yet to be fully understood within IT departments; these include the security model, data protection, resilience and transaction performance. Service management aims to provide consistent, reliable and cost-effective ICT services to its customers.
These goals could come under threat as the pressure to adopt Cloud-based services increases unless a thorough understanding of the design and implementation constraints of Cloud computing are understood. Additionally the Cloud business model introduces its own open-ended financial risks to an adopter. This presentation and associated whitepaper will describe a risk analysis of Cloud computing from a Service Management perspective and recommend some mitigation that could be considered to protect adapters.
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
© Capacitas 2002-2010S6-3
Agenda
• Introduction
• Risk Management
• Service Management
• Service Capacity
• Service Cost
• Service Performance
• Summary
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Introduction
The IT industry has evolved over the last fifty years, changed paradigms constantly:
• from single, hugely expensive mainframe systems back in the 1960s and 1970s;
• through the rise of the personal computer in the 1980s;
• the associated explosion in distributed computing in the 1990s and server sprawl;
• and through to the new era of consolidation back onto centralised platforms.
© Capacitas 2002-2010S6-4
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Centralised Computing Paradigm (1955-1985)
© Capacitas 2002-2010S6-5
Applications
Databases
Files
Dial-in or Leased Line
Remote userLocal users
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Distributed Computing Paradigm (1985-1995)
© Capacitas 2002-2010S6-6
ApplicationServer
DatabaseServer
WebServer
FileServer
Dial-in
Remote userLocal users
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Distributed Computing Paradigm (1995-2000)
© Capacitas 2002-2010S6-7
ApplicationServer
DatabaseServer
WebServer
FileServer
VPN overInternet
Remote userLocal users
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Distributed Computing Paradigm (2000-2005)
© Capacitas 2002-2010S6-8
ApplicationServer
DatabaseServer
WebServer
FileServer
WebServicesServer
Internet
Remote userLocal users
VPN overInternet
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Distributed Computing Paradigm (2005-2010)
© Capacitas 2002-2010S6-9
ApplicationServer
DatabaseServer
WebServer
FileServer
„Cloud‟Provider
Remote userLocal users
VPN overInternet
Internet
WebServicesServer
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Cloud: the next step in Virtualisation?
We have now virtualised many aspects of computing (i.e. consolidated onto larger platforms):
• Computing power (e.g. VMware servers)
• Networks (e.g. VPNs)
• Storage (e.g. SANs)
• Desktops (e.g. Citrix)
© Capacitas 2002-2010S6-10
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Cloud: the next step in Virtualisation?
© Capacitas 2002-2010S6-11
Server Hardware
Storage Array
Virtu
al D
isk
A
Virtu
al D
isk
B
Desktop Operating System
Data(Profile and documents)
System Services(Windows
services, COM, OLE, printers, etc)
Configurations(Profile and documents)
Application A
SystemGuard™ Environment
Application B
Software
Virtualisation Layer
Virtual Hardware
Virtual Machine
Virtual Machine
Application A
Application
Application B
Guest Operating System
Guest Operating System
VPN
FibreChannel
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Typical Cloud Architecture
© Capacitas 2002-2010S6-12
ApplicationServers
DatabaseServers
WebServers
StorageServers
„Cloud‟ Provider
AuthenticationServers
BillingServers
ProvisioningServers
IT ManagementEnd-User Services
Systems Management
End-User
Contract SLA Billing
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Cloud Service Providers
Some of the leading providers of Cloud services are:
• Amazon
• Microsoft
• Rackspace
• Salesforce
© Capacitas 2002-2010S6-13
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Some Cloud Services Available
• Web Servers (e.g. Apache, IIS)
• Application Servers (e.g. Java, Linux, Windows Server, Solaris)
• Queue Services
• Database Servers (e.g. Oracle, SQL Server)
• Storage Services
© Capacitas 2002-2010S6-14
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Risk Management
Definition of Risk Management:
“The proactive identification, analysis and control of those risks which can threaten the assets or the earning capacity of an enterprise”
Institute of Risk Management
The art of risk management is to identify all risks and to reduce them to an acceptable level.
© Capacitas 2002-2010S6-15
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Risk Management
© Capacitas 2002-2010S6-16
Likelihood
Imp
act
Risk Tolerance Limit
b
c
dDo not proceed
Safe to proceed
Assess & decide
a
Figure – Crown Copyright 2007
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Service Management
Service Management aims to provide to its customers consistent, reliable and cost-effective ICT services.
Applying risk management definition to service management:
• The art of service management is to identify risks to service and provide mitigation to reduce them to an acceptable level.
Three aspects will be briefly reviewed here:
• Service Cost
• Service Capacity
• Service Performance
© Capacitas 2002-2010S6-17
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Service Management (ITIL V3)
© Capacitas 2002-2010S6-18
Service Strategy
• Service Portfolio• Service Economics• IT Financial Management• IT Demand Management• Strategies for:• Outsourcing• Insourcing
• Co-sourcing
Service Design
• Service Portfolio Design• Service Catalogue Management• Service Level Management• Supplier Management• Capacity Management• Availability & Service Continuity Management• Information Security Management
Service Transition
• Change Management• Service Asset & Configuration Management• Knowledge Management• Service Release Management• Deployment, Decommission & Transfer
Service Operation
• Service Request Management• Event Management• Incident Management• Problem Management• Access Management
ITIL
ServiceDesign
ServiceStrategy
ServiceTransition
ServiceOperation
Co
ntin
ua
l Se
rvic
eIm
pro
ve
me
nt
Co
nti
nu
al S
erv
ice
Im
pro
ve
me
nt
Figure – Crown Copyright 2007
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Service Management & Risk Management
© Capacitas 2002-2010S6-19
Customerassets
Service assets
Demand-side risks
Supply-side risks
BusinessOperations
ServiceOperations
Risks acceptableto the supplier
Risks acceptableto the customer
Service Management as a risk filter
Figure – Crown Copyright 2007
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Managing Service Capacity
One of many reasons for companies to adopt Cloud computing is the difficulty in forward planning of service capacity to meet demand.
This has many repercussions. These include:
• Inability to reduce or prevent capacity-related service outages;
• Inability to accurately forecast when additional capacity is required;
• Inability to identify when capacity can be reduced;
• Inability to plan capacity purchases in advance preventing cost-effective procurement;
• Inability to forecast costs of the infrastructure and provide accurate budgets;
• Inability to relate customer-driven demand units to capacity required.
Too many organisations therefore undertake easier, reactive capacity management activities.
© Capacitas 2002-2010S6-20
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Managing Service Capacity
© Capacitas 2002-2010S6-21
Managing Service
Capacity
Managing Demand
Managing Supply
Yield Management
Developing Complementary
Services
Partitioning Demand
Promoting Off-Peak Demand
Offering Price Incentives
Developing Reservation
Systems
Sharing Capacity
Increasing Customer
Participation
Creating Adjustable Capacity
Scheduling Work-Shifts
Cross-Training Employees
Using Part-Time Employees
© Service Management: Operations, Strategy and Information Technology. 2nd Edition, 1998, Fitzsimmons and Fitzsimmons
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Managing Service Capacity – Where is Cloud?
© Capacitas 2002-2010S6-22
Managing Service
Capacity
Managing Demand
Managing Supply
Yield Management
Developing Complementary
Services
Partitioning Demand
Promoting Off-Peak Demand
Offering Price Incentives
Developing Reservation
Systems
Sharing Capacity
Increasing Customer
Participation
Creating Adjustable Capacity
Scheduling Work-Shifts
Cross-Training Employees
Using Part-Time Employees
© Service Management: Operations, Strategy and Information Technology. 2nd Edition, 1998, Fitzsimmons and Fitzsimmons
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Relationship between Demand, Supply & Cost
© Capacitas 2002-2010S6-23
2. Capacity Planning translate demand
forecasts into capacity plans identifying the
financial costs
FinanceMarketing &
SalesCapacity Planning
Demand ForecastsCapacity Plans
Budget 3. Finance approve or deny budgets
required to meet the forecast business
demand
1. Marketing & Sales provide forecasts of customer demand in order that sufficient capacity is available
when needed
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Capacity Management Maturity
© Capacitas 2002-2010S6-24
Enterprise
Service
Platform
Application
Reactive
None
Pro
acti
ven
ess Level 5: Capacity Planning all Platforms and Services as one integral unit
Level 4: Capacity Planning Service end-to-end on all Platforms
Level 3: Capacity Planning on all Products per Platform
Level 2: Capacity Planning for individual Applications on a Platform
Level 1b: Trended capacity utilization with semi-reactive upgradingLevel 1a: Capacity utilization monitoring with reactive upgrading
Level 0: No Capacity Planning or Management
© Andy Bolton 1998
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Cloud Service Costs
The comparative cost advantage of the Cloud business model is contentious at best.
There are many reports that claim Cloud is less expensive than conventional in-house computing. However there are also reports that claim the opposite.
The answer…
…is not in this presentation I‟m afraid!
Some contradictory resources:
• Forrester report: The ROI Of Software-As-A-Service, by Liz Herbert and Jon Erickson
• CMG MeasureIT 8.2: Capacity Concerns in a SaaS and Cloud World
© Capacitas 2002-2010S6-25
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Cloud Service Costs – Pricing Models
Pricing tend to be based on utility models, often comprising a mixture of the following methods:
• a subscription fee (e.g. monthly)
• a resource usage fee (e.g. CPU seconds, GB storage, GB I/O)
• a transaction fee (e.g. # of transactions processed)
This pricing structure is comparable to buying utilities, such as gas and electricity, hence the term „utility computing‟.
© Capacitas 2002-2010S6-26
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Cloud Service Costs – Example Pricing
An example pricing model is described below:
• Processing: £0.10 per CPU available per hour
• Storage: £0.12 per GB stored per month
• Storage transaction: £0.01 per 5,000 transactions
• Data transfers: £0.05 in / £0.10 out / GB
© Capacitas 2002-2010S6-27
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Cloud Service Costs: Pricing – A Case Study
So, using an example of the following IT user company who are investigating pricing based on their current key online service:
© Capacitas 2002-2010S6-28
Resource Pricing Volume Unit Rate per Unit Per month
Processing 4.8 Cores per hour £0.10 £345.60
Storage 2,000 Avg GB per GB per month £0.12 £240.00
Storage Transactions 12,000 Avg / hr per 5,000 £0.02 £34.56
Data In 150 Avg Mb/s GB £0.05 £1,944.00
Data Out 150 Avg Mb/s GB £0.10 £3,888.00
Assumes 30 days / month TOTAL £6,452.16
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Cloud Service Costs: Pricing – A Case Study
The pricing on the previous slide compares favourably to buying server hardware, the appropriate licensed software and paying a recurring fee to host in a shared data centre with the appropriate network bandwidth.
Also as this is operational expenditure, it is tax efficient, like leasing, compared to purchasing hardware and software.
However, the hosted solution has one advantage. The cost is predictable every month. The cost of the Cloud solution is variable based on its usage.
© Capacitas 2002-2010S6-29
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Cloud Service Costs: Pricing – A Case Study
Imagine a doubling of transactional demand. This would impact processing, transactions and I/O (though not necessarily the total storage):
This results in a near doubling of costs…
© Capacitas 2002-2010S6-30
Resource Pricing Volume Unit Rate per Unit Per month
Processing 9.6 Cores per hour £0.10 £691.20
Storage 2,000 Avg GB per GB per month £0.12 £240.00
Storage Transactions 24,000 Avg / hr per 5,000 £0.02 £69.12
Data In 300 Avg Mb/s GB £0.05 £3,888.00
Data Out 300 Avg Mb/s GB £0.10 £7,776.00
Assumes 30 days / month TOTAL £12,664.32
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
The Implication of Utility Pricing
While there are many advantages with adopting a Cloud model, there is a risk of this uncapped pricing scheme resulting in unexpectedly large bills.
IT organisations like budgets! These are designed so that the company knows in advance what the annual ICT expenditure is likely to be.
Cloud introduces a completely variable cost item into the financial model. This doesn‟t mean it‟s unpredictable, but unless there is some way contractually to cap the volume-based fees this is a risk.
© Capacitas 2002-2010S6-31
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
The Implication of Utility Pricing on Outsourcers
The variability of the utility pricing model can have a considerable impact on Outsourcers.
Their customers expect a fixed price for their contracts, especially in the public sector. The public sector often plans budgets out as far as 3 or 5 years, so cost variability is unwelcome. They frequently specify caps for transaction volumes.
An outsourcer who wants to provide or use a Cloud-based infrastructure may have to carefully structure contracts to avoid paying for its customers excess demand.
© Capacitas 2002-2010S6-32
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Financial Risk to Outsourcers
© Capacitas 2002-2010S6-33
80
90
100
110
120
130
140
150
Jan
-09
Feb
-09
Mar
-09
Ap
r-0
9
May
-09
Jun
-09
Jul-
09
Au
g-0
9
Sep
-09
Oct
-09
No
v-0
9
De
c-0
9
Jan
-10
Feb
-10
Mar
-10
Ap
r-1
0
May
-10
Jun
-10
Jul-
10
Au
g-1
0
Sep
-10
Oct
-10
No
v-1
0
De
c-1
0
Jan
-11
Feb
-11
Mar
-11
Ap
r-1
1
May
-11
Jun
-11
Jul-
11
Au
g-1
1
Sep
-11
Oct
-11
No
v-1
1
De
c-1
1
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Financial Risk to Outsourcers
© Capacitas 2002-2010S6-34
80
90
100
110
120
130
140
150
Jan
-09
Feb
-09
Mar
-09
Ap
r-0
9
May
-09
Jun
-09
Jul-
09
Au
g-0
9
Sep
-09
Oct
-09
No
v-0
9
De
c-0
9
Jan
-10
Feb
-10
Mar
-10
Ap
r-1
0
May
-10
Jun
-10
Jul-
10
Au
g-1
0
Sep
-10
Oct
-10
No
v-1
0
De
c-1
0
Jan
-11
Feb
-11
Mar
-11
Ap
r-1
1
May
-11
Jun
-11
Jul-
11
Au
g-1
1
Sep
-11
Oct
-11
No
v-1
1
De
c-1
1
Service cap is
breached
Unexpectedleap in demand
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Financial Risk to Outsourcers
© Capacitas 2002-2010S6-35
80
90
100
110
120
130
140
150
Jan
-09
Feb
-09
Mar
-09
Ap
r-0
9
May
-09
Jun
-09
Jul-
09
Au
g-0
9
Sep
-09
Oct
-09
No
v-0
9
De
c-0
9
Jan
-10
Feb
-10
Mar
-10
Ap
r-1
0
May
-10
Jun
-10
Jul-
10
Au
g-1
0
Sep
-10
Oct
-10
No
v-1
0
De
c-1
0
Jan
-11
Feb
-11
Mar
-11
Ap
r-1
1
May
-11
Jun
-11
Jul-
11
Au
g-1
1
Sep
-11
Oct
-11
No
v-1
1
De
c-1
1
Service cap is
breached
Unexpectedleap in demand
Outsourcerliable for this cost
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Service Performance
When IT infrastructure is kept in-house monitoring and measuring service performance at each step of a transactional path is achievable, though it is not frequently not undertaken.
However as more companies adopt formal Service Management processes such as ITIL there is the need to establish Service Level Agreements (SLAs).
One key aspect of a Service Level Agreement is the monitoring, measurement and reporting of aspects of service performance such as transactional response times, availability and batch run times and end times.
Moving to a Cloud model can make this more difficult. Some commercial Cloud SLAs are a retrograde step from current commercial outsourcers‟ SLAs, simply containing statements like:
“we guarantee […] external connectivity 99.95% of the time”.
© Capacitas 2002-2010S6-36
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Service Performance – In-house
© Capacitas 2002-2010S6-37
ApplicationServers
DatabaseServers
WebServers
StorageServers
Data Centre
End-User
MeasurableEnd-to-EndTransaction
Response Time
Measurable LocalResponse Time
Measurable RemoteResponse Times
Local Office
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Service Performance – Cloud
© Capacitas 2002-2010S6-38
ApplicationServers
DatabaseServers
WebServers
StorageServers
„Cloud‟ Provider
End-User
MeasurableEnd-to-EndTransaction
Response Time
CustomerDemarcation
SupplierDemarcation
Measurable LocalResponse Time
ImmeasurableBut Derivable
SupplierResponse Times
Local Office
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
Service Performance – Service Level Agreements
The Service Level Agreement defines the service that the customer expects from a supplier
Key Points:
• Do not rely on Service Credits to guarantee performance; often it is cheaper for the service provider to pay the service credit than resolve the problem
• Ensure the SLA is achievable, watertight and equitable; one-sided SLAs help neither party in the long-term
• Unless the SLA has a Service Bonus for exceeding performance do not expect anything more than achieving any targets; this is the service provider‟s margins at stake!
© Capacitas 2002-2010S6-39
UKCMG Free Forum 2010 – 13th October 2010
Storm clouds ahead?: A risk analysis of Cloud Computing
© Capacitas 2002-2010S6-40
Summary
• Cloud is a new computing paradigm that is here to stay
• As with any new technology or business model it has its pros and cons
• Before adopting Cloud it requires careful consideration of:
• Service Management aspects, such as capacity, performance and resilience
• Security and Data Protection compliance
• The financial model
Top Related