© 2012 IBM Corporation

PRIVATE CLOUD – a discussion

Jay Safer

Vice President, General Counsel and Secretary

IBM Canada Ltd.

© 2012 IBM Corporation

Cloud Review New style of computing – a new consumption and delivery mode:

National Institute of Standards and Technology (NIST) Definition

Characteristics:– On demand self-service– Ubiquitous network access– Location independent resource pooling– Rapid elasticity– Pay per use (measured service)

Service/Delivery models:– IaaS (processing, storage, networks, etc. = fundamental computing resources; includes, for example,

operating systems, and host firewalls– PaaS (consumer deployed applications and configuration settings for the application-hosting

environment, aka transactional web applications– SaaS (capability to use provider’s applications)– BPaas (business process – a specialization within SaaS)

Deployment models:– Private– Hybrid (virtual private)– Community (same sector, some customization)– Public

© 2012 IBM Corporation

CLOUD: Optimizing workload environment

2. Affect on business processesContent:

A. Interoperability; mandated buy-in; reduce costs; transformationala. User complies with lawsb. User has consent where neededc. Indemnity to provider in the event 1 and/or 2 become an issued. Recognition that provision of services includes ‘use’ of confidential information under some definitions and is consented to

B. Choice varies as to customer requirements: Data privacy; data security and confidentiality.a. Regulatory compliance is the responsibility of the customer: providers do not provide legal advice or insurance as part of their offerings [[ cf: US HIPPA v. GLB v. EU 95/46/EC and Swiss FADP or ‘should there be a future in the Safe Harbour concept]]b. Negotiation trend: attempt to combine: confidential information (which everyone will agree not to take) v. data security (which should be particularized as a service, and subject to warranty and the LoL).

E.g. Provider cannot agree to ‘data in the cloud is confidential information’ or ‘compliance with all applicable data

privacy laws’ as the result negates any data security particularization.

3. Standards emerging – leveraging current: eg. ISACA (COBIT), ITIL, SOA Governance, NIST, CSCC, CCC, CIMI, FedRamp, TOSCA, OVF, Open Stack Foundation, etc.

1. Virtualize: standardize: automate = “cloud ready”a. Greater utilization [[ 10-20 v 70-90 ]]b. Utility pricing – scalabilityc. Standard and portable infrastructure (Service Oriented Architecture)

© 2012 IBM Corporation

Private Cloud differences

- Single tenant- On site or off-site; owned/managed by customer or owned and/or managed and/or hosted 3 rd party:

1. Data security control- security and privacy concerns- isolation, encryption, anonymization, masking; detection software, etc;

2. Trade off customization and control for cost variability and fully elastic scaling (“bursts” to public cloud; non-sensitive to public cloud)

3. Within your firewalls4. Dedicated infrastructure – v. shared environments (more risky than private?)

a. controlled (‘closed” access to infrastructure4. Data residency5. Data security control – isolation, encryption, anonymization, masking; detection software, etc;6. Provisioning – implementation; control over jurisdictional issues; accountability; auditability7. Control over internet or dedicated lines: use of VPN8. Pricing model9. Early adoption – security; applications; deployment flexibility

** The availability of data security control measures is large and growing. Cloud offerings come with some built into the price. It’s vitally important to know the customer requirements, choices and budget.

© 2012 IBM Corporation

Private Cloud Services Levels

1. Public Cloud – standardization means: accept vendor service levels

2. Private Cloud – service levels can vary with investment

a) resiliency (high availability) v. data residency v. cost, and efficiency

© 2012 IBM Corporation

Private Cloud Vendor Liability

All choices by customer:

a. Expect service performance default/warranty

b. Data protection and backup1. Know the contents of the workload

• monitoring – intrusion detection, operational analytics• data security control

2. Know what vendor provides and what’s available3. Backup – in cloud v. back to home base4. Use of multiple vendors

• use of open standards• portability is key

c. Selective use• costly business model• analyze if beneficial

© 2012 IBM Corporation

Private Cloud Strategies

1. Data residency: internet

2. Hybrid

3. Security

4. Backup

5. Tools to follow data