cloud computing moving it _ pittacus.epub_ pittacus.epubout of the office

59
7/23/2019 Cloud Computing Moving IT _ Pittacus.epub_ Pittacus.epubOut of the Office http://slidepdf.com/reader/full/cloud-computing-moving-it-pittacusepub-pittacusepubout-of-the-office 1/59

Upload: julianvladucu

Post on 11-Feb-2018


www.bcs.org/ebooks

Available in a range of ebook formats

© BCS, The Chartered Institute for IT, is the business name of The British Computer Society (Registered charity no. 292786) 2012 

According to a recent iPass report, 73% of enterprises allow non-IT managed devices to access corporate resources. 65% of companies surveyed reported security issues.

This latest ebook looks at the security risks of an increasingly mobile workforce and proposes a range of possible solutions.

£1.99

IT industry experts explore the challenges IT professionals face when moving from a technical into a managerial role. With training and development opportunities, the authors look at the skills required to scale the career ladder.

£1.99

This collection of exclusive interviews provides a fascinating insight into the thoughts and ideas of influential figures from the world of IT and computing, including Sir Tim Berners-Lee, Donald Knuth, Jimmy Wales, Steve Wozniak and Karen Spärck Jones.

£2.99


CLOUD COMPUTING


CONTENTS

SECTION 1: WHAT IS THE CLOUD?

1 WHAT IS CLOUD COMPUTING? – Stuart Smith

2 DON’T BELIEVE THE HYPE – Matthew McGrory

SECTION 2: THE CASE FOR THE CLOUD

3 BUILDING ROI FROM CLOUD COMPUTING – Mark Skilton

4 THE POTENTIAL OF CLOUD – Mette Ahorlu

SECTION 3: MOVING TO THE CLOUD

5 OVERCOMING OBSTACLES – Matt McCloskey

6 CLOUD COMPUTING AND ENTERPRISE ARCHITECTURE – Serge Thorn

7 MANAGING THE RISKS TO CLOUD – Peter Deacon

SECTION 4: CHANGING THE IT INFRASTRUCTURE

8 THE DEATH OF THE OFFICE SERVER – Andrew Peddie

9 MANAGING MAJOR NETWORK CHANGE: CHALLENGE AND OPPORTUNITY – Maria Goggin

SECTION 5: SECURITY IN THE CLOUD

10 PROTECTING DATA IN THE CLOUD – John Grimm

11 TRUSTING THIRD PARTIES WITH YOUR DATA – Greg McCulloch

12 AUTHENTICATING THE CLOUD – Dave Abraham

13 SKILLS FOR A SAFER CLOUD – John Colley

14 DATA PROTECTION AND SECURITY: A LEGAL VIEW – Stuart Smith

Useful links


SECTION 1:

WHAT IS THE CLOUD?


1 WHAT IS CLOUD COMPUTING?

An extract from a chapter in A Manager’s Guide to IT Law by Stuart Smith, a solicitor in the Information Technology Team of Bond Pearce.

Cloud computing is best described as ‘a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources […] that can be rapidly provisioned and released with minimal management effort or service provider interaction’. National Institute of Standards and Technology (NIST).

Cloud computing consists of three different types of service provision. In each case the services are hosted remotely and accessed over a network (usually the internet) through a customer’s web browser, rather than being installed locally on a customer’s computer. Firstly, SaaS (software as a service) refers to the provision of software applications in the cloud. Secondly, PaaS (platform as a service) refers to the provision of services that enable customers to deploy, in the cloud, applications created using programming languages and tools supported by the supplier. Thirdly, IaaS (infrastructure as a service) refers to services providing computer processing power, storage space and network capacity, which enable customers to run arbitrary software (including operating systems and applications) in the cloud. These three elements are together referred to as the cloud computing ‘stack’. This article concentrates on the issues surrounding the provision of SaaS.

The supply of IT services in the cloud has been enabled both by the evolution of sophisticated data centres and widespread access to improved bandwidth. These technical advances mean that services may be hosted on machines across a wide range of locations but, from the customer’s perspective, they simply originate in the ‘cloud’.

The cloud model enables customers to access, from any computer connected to the internet (whether a desktop PC or a mobile device), a multitude of IT services rather than being limited to using locally installed software and being dependent on the storage capacity of their local computer network.

This model of IT service provision is one that is growing exponentially. It is estimated that one third of all revenue generated in the software market today relates to the delivery of cloud computing services, and that the value of the UK cloud computing market could reach around £10.5 billion in 2014, up from £6 billion in 2010.


THE SERVICES IN THE CLOUD

The multitude of IT services available in the cloud include familiar web-based email services such as Windows® Live Hotmail® (Microsoft®), Yahoo!® Mail, Gmail® (Google), and the search engine facilities Google, Bing™ (Microsoft®), Yahoo!® and AltaVista®. They also include the social networking services of Facebook, Twitter, Friends Reunited, Bebo, Flickr®, YouTube, MySpace and LinkedIn®, which provide chat, instant messaging and file sharing services. But there are a growing number of other services available. Two examples from different ends of the spectrum are Zynga®, which provides online gaming services, and Wikileaks, which publishes and comments on leaked documents alleging government and corporate misconduct. These services are often provided free of charge to the user.

There are also a range of paid-for business-orientated IT services. These are provided by suppliers including Google, Microsoft®, Amazon, Salesforce.com® and Tempora. They offer a suite of services to assist with business management. Google offers Google Docs for word processing, Business Gmail for emails, Google Calendar for diary management and Google Sites for website management, and it even offers different editions of its applications for different sectors (education, governmental and ‘not for profit’). Microsoft® offers Windows® Azure that allows users to build and host applications on Microsoft® servers (PaaS).

Amazon Web Services (AWS) offers its Elastic Compute Cloud (Amazon EC2), enabling customers to rent space on Amazon’s own computers from which they can run their own applications. Tempora provides a time recording and profitability analysis system for creative agencies and professional service firms, and Salesforce.com® provides customer relationship management solutions.

THE EVOLUTION OF CLOUD COMPUTING

Long before the term cloud computing was coined, software suppliers were providing services to their customers from remote servers via internet-enabled computers. This was called Application Service Provision (ASP) and was the original platform of IT service delivery to emerge from the convergence of computing and communications in the mid-1990s. However, the ASP model ultimately was an experiment that failed. Firstly, it involved more complicated initial installation and configuration (at the customer end) than is involved with today’s on-demand cloud services. Secondly, it originated as a means of providing software on a one-to-one basis rather than on the one-to-many (multi-tenant) basis of cloud computing, where one supplier has many customers. Consequently, ASP lacked the huge advantage that cloud computing enjoys of being very scalable.

The emergence of software as a service (SaaS) in around 2001 signified the beginning of software delivery based on multi-tenant architecture involving network-based access to software managed from a central location and removing the need for customers to install patches or upgrades.

The term SaaS is useful because it highlights the principal difference between the internet-based model of software provision and the more orthodox licence and installation-based model. The latter involves a customer being granted a licence to use a software package, while the former involves the provision of a web-based service under a contract for services. There are considerable differences between a software licence and a contract for services.

CLOUD FORMATIONS

The cloud environment is subdivided into public, private, hybrid and community clouds.

• Public clouds are those in which services are available to the public at large over the internet in the manner already described in this chapter.

• A private cloud is essentially a private network used by one customer for whom data security and privacy is usually the primary concern. The downside of this type of cloud is that the customer will have to bear the significant cost of setting up and then maintaining the network alone.

• Hybrid cloud environments are often used where a customer has requirements for a mix of dedicated server and cloud hosting, for example if some of the data that is being stored is of a very sensitive nature. In such circumstances the organisation may choose to store some data on its dedicated server and less sensitive data in the cloud. Another common reason for using hybrid clouds is where an organisation needs more processing power than is available in-house and obtains the extra requirement in the cloud. This is referred to as ‘cloud bursting’. Additionally, hybrid cloud environments are often found in situations where a customer is moving from an entirely private to an entirely public cloud setup.

• Community clouds usually exist where a limited number of customers with similar IT requirements share an infrastructure provided by a single supplier. The costs of the services are spread between the customers so this model is better, from an economic point of view, than a single tenant arrangement. Although the cost savings are likely to be greater in a public cloud environment, community cloud users generally benefit from greater security and privacy, which may be important for policy reasons.

SILVER LININGS AND THUNDER CLOUDS

The main benefits and drawbacks of cloud computing are as follows.

Advantages

Access to resources

The greatest advantage of cloud computing is the access it provides to the processing power of multiple remote computers. This enables customers to take advantage of greater computation speed and larger storage capacity than most organisations can provide on their premises and at a fraction of the cost.


Mobility

Customers can access the services from almost any location in the world because the services are web-based (and because of the advent of mobile devices). This can enable employees to access important business tools while they are on the move. For example, the employee can fill in a Tempora online timesheet whilst on a train, providing the rest of the business with access to that data in real time.

Easily scalable

Both the monthly subscription and ‘pay as you use’ charging models make it easy for the amount of service being provided to be increased or decreased. Should a customer want to increase the number of ‘seats’ included in its subscription to Tempora or the amount of megabytes of storage space rented from AWS, this can be done easily. The supplier simply provides access to additional users or increases the storage space available in exchange for higher monthly payments by the customer. The scalability of the cloud computing model makes it especially attractive to growing organisations with varying levels of demand for computer resources (e.g. where an organisation’s website receives higher volumes of visitors at certain times of year).

Data security and storage capacity

Data security is of particular importance as lapses in procedure can cause severe financial and reputational damage. For the majority of organisations, the data security and data storage capacity offered by data centres is far superior to that which can be afforded in-house. This is because they specialise in the secure storage of data.

Cost savings

Most business-orientated cloud computing services are paid for and the payment model is usually a rental arrangement based on monthly subscription charges (per user or ‘seat’) or a ‘pay as you use’ system. This means that there is no large upfront payment as there would be with the purchase of a licence in the orthodox software licence model. Although there may be an initial setup or configuration fee, this is usually very low by comparison.

The monthly subscription charges will also usually include support and maintenance fees, which would be significantly higher in the orthodox software licence model. Also, customers do not need to invest in secure servers because hosting is provided by third-party data centres and is included in the subscription charge.

The ‘pay as you use’ system is of particular benefit to an organisation with peaks and troughs in its demand for computing resources. It is cheaper than paying for exclusive use of enough resources to meet peak demand when it is not required, as is the case where all computation is carried out by an organisation in-house.

Additionally, cloud services reduce the need for an organisation to maintain in-house expertise in their own technological infrastructure, which reduces IT costs.

Finally, cloud computing services do not represent a capital expenditure, so customers lose less if they switch suppliers.


Maintenance and support

The supplier will usually offer ongoing support services. However, remote hosting of the services makes the process of maintaining and supporting the services less intrusive for the customer. The supplier can handle backups, updates and upgrades automatically and remotely without visiting a customer’s site. This will generally mean that maintenance and support can be carried out more quickly. In addition, customers are able to piggy-back on their suppliers’ upgrades in computing resources and are not locked into using infrastructure purchased at great cost 10 years previously.

Environmentally friendly

It has been suggested that data centres are a ‘green’ alternative to in-house computing and this is a hotly debated topic. This is because servers in very large data centres typically run at around 80 per cent capacity, while an in-house server might run at five per cent capacity, to allow for peaks in resource demand; and a server running at five per cent capacity uses only slightly less energy per hour than one running at 80 per cent, while doing 16 times less computation. Nevertheless, it is probable that the existence of cheap and more easily accessible cloud computing architectures has increased the overall demand for computation, outstripping the energy-efficiency gains that have been made in data centres. One option is to choose a supplier that uses a data centre that makes use of solar technology or wind cooling, or a data centre that is based in an area where local electricity comes from a renewable energy resource.

Free trials

Some suppliers offer the opportunity to trial their product for a period without charge. This is made easier by the supplier’s ability to terminate access at the end of the period and provides them with the opportunity to ‘hook’ the customer. This business model is sometimes referred to as a ‘freemium’.

Disadvantages

Internet reliability

Clearly where IT services are provided over the internet, lack of internet access or slow connections will hinder access to those services. Where those services are business-critical this can be a major problem. However, as internet access improves, this should be a diminishing concern. Also, it should be remembered that there is no guarantee of uninterrupted service even with locally hosted software applications or data storage, which can be rendered inoperable by defects or bugs.

Dependence on the supplier

With cloud computing the customer is dependent on the supplier for day-to-day access to the IT services rather than just for support and maintenance. If the supplier is in financial trouble, is reliant on an unstable subcontractor or is involved in litigation, its ability to provide the services may be affected. These issues could leave the customer without access to business-critical systems.

However, dependence on a supplier is a common concept for most organisations and the usual risk assessment can be carried out to mitigate that risk. Due diligence checks on the supplier may disclose whether it is, for example, in financial trouble and references can be sought from existing or past customers to establish whether the supplier has a history of reliability. The customer can always seek to include certain measures in the contract to provide protection from the risks mentioned. Ultimately, if in too much doubt, the customer may need to choose an alternative supplier.

As part of supplier selection, the customer should consider what steps will be required to switch suppliers if this proves necessary. For example, what termination notice periods apply, how the customer’s data will be retrieved from the supplier-controlled servers (including in what format) and what level of migration assistance is available from the supplier. Furthermore, it is prudent to establish what level of interruption to operations would be caused by switching suppliers; in other words, identifying how long it would take to get up and running with an alternative supplier.

Some cloud computing suppliers also provide IT services in the orthodox licence model. Where this is the case, it may be possible to agree that failure of the cloud computing service would trigger an orthodox licence of the software to be hosted on the premises by the customer.

Finally, there are also data protection and security concerns associated with cloud computing and these are discussed in more depth in Section 5, Security in the cloud.


2 DON’T BELIEVE THE HYPE

The main changes in the cloud computing arena have been the acquisition of small niche technologies by specific software vendors or from larger companies wishing to increase their presence in the cloud space. Matthew McGrory, Director of Managed Services at ADA Computer Services, digs deep into the cloud phenomenon to unearth the pros and cons of the cloud, especially for SMEs.

The number of enterprise and mid-market IT businesses offering cloud services has rapidly increased and marketing directors are finding it increasingly hard to avoid the temptation to base their entire marketing strategy solely around cloud computing.

There are now a number of implications for small and mid-market businesses which may be alarmed at the pace of change. What is the cloud? Should I be doing something about it? What are its benefits and risks? Can I just do nothing? Who do I go to in order to receive impartial advice? How much should I be paying for cloud services? Whether you are running a small- or medium-sized business or managing an entire IT department, these are likely to be questions that have already presented themselves.

BENEFITS

There are five main benefits attached to cloud services. These include:

• Cost efficiency – Shared infrastructure means shared costs. You also pay only for what you use, because most pricing models are consumption-based. This can be ‘per user’, ‘per device’, ‘per server’ or ‘per instance’.

• Easy to use – Basic cloud services work ‘out of the box’. For more complex software and database solutions, cloud computing allows you to skip the hardware procurement and capital expenditure phase and just get on with the implementation.

• Up to date – Most providers constantly update their software offering, adding new features as they become available.

• Scalability – Depending on business growth, you can grow or contract quickly as cloud systems are built to cope with sharp increases and reductions in workload. Pricing models are built to support software reductions should businesses need to scale down, which removes the business pressures associated with fixed costs.

• Mobile – Cloud services are designed to be used from a distance, so if you have a mobile workforce, staff can access most of your systems ‘on the go’, increasing productivity.

TECHNICAL CONSIDERATIONS

Increase network performance

Irrespective of the type of service deployed, all cloud computing initiatives have one thing in common: data is centralised, while users are distributed. This places an increased emphasis on the network, making cloud computing more susceptible to WAN bandwidth, latency and quality challenges.

Fault tolerant network performance

Enterprises spend a lot of time and money ensuring that, if anything from a single server all the way to an entire data centre goes down, there is adequate connectivity to back up resources. In the case of the cloud, a much higher level of fault tolerance is needed. Accessing an on-premises solution is achievable with a failed internet connection. With cloud provided services, it is not.

LEGAL ASPECTS

Most cloud providers will be delivering low-cost commodity services, subject to a very standard set of terms and conditions. If these are not good enough, expect to pay more for the service.

The cloud also raises questions around data privacy, jurisdiction and storage. All businesses handling data are obliged to keep it safe, yet accessible, in the event that a consumer requests access to their records or if auditors require more information. Roughly 50 per cent of those embracing the cloud fail to evaluate properly providers for security prior to deployments. If you do not have a handle on governance, risk management and regulatory compliance internally, moving to the cloud will expose your vulnerability externally.

Security audits will happen, so make sure that your cloud provider can accommodate these and is contractually covered to assist your business within your timeframes.

• End-user experience – When cloud-based software as a service (SaaS) applications are deployed they often impact end users. The cost of training, document template conversion and automation should therefore be included when considering migrating. Integrating cloud services into local IT systems can also prove challenging and unexpectedly expensive. Factoring the hidden costs of IT (internal or hosted) requires more effort and consideration than simply adding up hardware costs or exploring the subscription plans of a cloud provider.

• Management – Changing and updating documented procedures following the introduction of cloud must be considered. Training of both staff and systems administrators must be provided as standard.


• The potential for divorce – As the cloud service provider market becomes increasingly competitive, businesses should check that data is in a transferable format should they choose to move to another supplier.

Business should approach the cloud in the same way that they approach any new technology. It needs to be fully reviewed, understood and then embraced for its ability to improve day-to-day business operations. After all, it is likely that the world of business is going to be a better place because of it.

Over the next 10 years all IT infrastructure and operations will gradually turn towards a commodity-based model. In the future, the cloud landscape will be fundamentally simpler and all businesses will need to know is how much it costs and where you plug in to get it, just like your electricity.


SECTION 2:

THE CASE FOR THE CLOUD


3 BUILDING ROI FROM CLOUD COMPUTING

The Open Group has developed a set of eight key considerations for how to build and measure return on investment (ROI) for cloud computing initiatives from a business perspective. By examining the benefits that cloud computing offers organisations and by showing the potential return it can provide from the beginning, companies may find it easier to gain buy-in for cloud initiatives from the executive team, as well as from the IT department. Mark Skilton, Director, Capgemini, and cloud computing lead at The Open Group, reports.

Cloud computing has been described as a technological change brought about by the convergence of a number of new and existing technologies. But this is only half the story. These technical characteristics can also be found in non-disruptive technology solutions. The rate of change and magnitude of cost reduction and specific technical performance impact of cloud computing are not just incremental, but can give a five to ten times order of magnitude improvement.

The famous graph used by Amazon Web Services illustrating the capacity–utilisation curve has become an icon in cloud computing. The model illustrates the central idea around cloud-based services enabled through an on-demand business provisioning model to meet actual usage.

The reason why this matters to business is that one of the core precepts of cloud computing is to avoid the cost impact of over-provisioning and under-provisioning. This is in addition to the opportunity for cost, revenue and margin advantages of business services enabled by rapid deployment of cloud services with low entry cost and the potential to enter and exploit new markets.

We contend that in years from now, when cloud computing is seen in a historical context, the capacity–utilisation curve will be seen as an iconic model that had the same effect as previous well-known business models, including Moore’s Law which established the concept of exponential growth in computational power, but has subsequently been seen in other technology areas, including storage and networks.

THE RACE TO THE BOTTOM VERSUS QUALITY OF SERVICE

The positioning of cloud computing, while initially seen as a disruptive technology influence on both buyer and seller prospects, is now evolving into a trade-off between low-cost arbitrage and added value quality of service (QoS).


The term ‘race to the bottom’ refers to the competing drive between participants in a market driven by the need to make the greatest cost savings. The term is often seen in a negative context, because the lower costs and margins are seen as a detriment to the participants. Massively scalable services from cloud computing providers have the effect of driving down costs and prices, because the dynamics of competition are shifted by the presence of potentially rapid cost reductions and huge data centre investments.

The counter-balance to this is the QoS and the associated cost of that service (CoS) that characterises the value of the cost per unit of performance provisioned.

The differentiator of cloud computing is not just the utility infrastructure computing services, but includes all the higher level services that enhance and build business service value. We see this as the influence and scope of the movement from IT-centric to business-centric services across a wider services continuum, with utility services for infrastructure at one end, and with business-centric software and business processes delivered as a service from the cloud at the other.

In addition, the need to provide adequate security should be considered. People are willing to pay a little more for a service if they are assured that there will be good security measures in place.

BUILDING ROI

But how do organisations go beyond the initial capacity and utilisation benefits described in cloud computing? The typical view of capacity and utilisation is from a technology provider/seller viewpoint, which is essentially based on key performance indicators (KPIs) rather than business benefit metrics. In particular it is orientated around two areas:

• IT capacity¹ – As measured by storage, CPU cycles, network bandwidth or workload memory, capacity is an indicator of performance.

• IT utilisation² – As measured by uptime availability and volume of usage, utilisation is an indicator of activity and usability.

However, effective cost/performance ratios and levels of usage activity do not necessarily imply proportional business benefits. They are just indicators of business activity that are not in themselves more valuable than lower operating cost.

1 IT capacity refers to the amount of IT resources available, defined by units of that resource which may be a physical capacity or virtual capacity. This typically includes storage volume, compute power (gigahertz), memory size, database size, number of disk input/output operations, network bandwidth, packet size and type of chip set and operating system.

2 IT utilisation refers to the level of planned and actual use of IT resources that may be physical or virtual. This is different to availability, which is the level of planned or actual uptime an IT resource capacity is available for use. Utilisation refers to the level of use of the IT resource capacity during the uptime period.

In the wider IT operations that manage IT capacity availability and service level performance, the capacity can also be seen as the wider effectiveness and efficiencies of the support operations and staff resources that support the IT service. IT utilisation optimisation is often seen in the context of resource management and seeks to maximise physical and virtual utilisation through techniques of virtualisation and load balancing.


Through extensive discussion we have identified eight business metrics that translate the indicators of the capacity–utilisation curve to direct and indirect benefits to the business.

• Speed and rate of change – The speed and rate of change of cost reduction can be much faster using cloud computing than traditional investment and divestment of IT assets because the responsibility is transferred to the service provider. While there are challenges today in the portability of cloud service providers, users do have greater flexibility to adopt and remove the service either at the point of use (to scale up and down) or to make choices to use new services or change service provider.

• Optimising total cost of ownership (TCO) – A key aspect of moving to cloud computing is the ability to select hardware, software and services from defined design configurations to run in production. Cloud computing bridges the design-time and run-time divide and optimises service performance. Patches and upgrades or new technology are in theory invisible to the end user of the service because they are included as part of the automatic asset management features.

• Rapid provisioning – Elastic provisioning to scale up and down to actual demand creates a new way for enterprises to match their IT to enable business to expand. The provisioning time compression from a week to hours, for example, demonstrated by cloud computing providers is a means to rapid provisioning that is not just about saving time, but is also defining a new business operating model.

• Increase margin and cost control – Cloud computing offers the opportunity for cost, revenue and margin advantages. It also allows organisations the potential to enter and exploit new markets through rapid deployment of low-cost cloud services.

• Dynamic usage – Elastic computing and service management targets real end users and real business needs for functionality as the scope of users and services evolves seeking new solutions. With either fixed usage volumes or variable functional usage, new innovative consumption models enabled by cloud computing allow businesses to consider using IT in a flexible and agile way.

• Risk and compliance improvement – Cloud computing green capabilities can be leveraged through shared services.

• Enhanced capacity utilisation – IT avoids over- and under-provisioning of IT services to improve smarter business services.

• Access to business skills and capability improvement – Cloud computing enables access to new skills and solutions through cloud sourcing on-demand systems.

Cloud computing is an important stage in the development of IT systems, comparable with the emergence of the mainframe, the minicomputer, the microprocessor and the internet. It can provide many advantages over conventional approaches to IT provisioning, which can translate into significant improvements in ROI. But what makes it particularly exciting is that its potential effect on business is not just incremental improvement, but disruptive transformation through new operating models.


But the shared model behind cloud also raises concerns. Security is the main concern, but companies also worry about being locked in with a specific vendor, about compliance and data location, and about auditability and service levels. The very low cost of Amazon EC2, for instance, is achieved by providing a totally standardised service with no service level or security guarantees, allowing the clients no access to auditing. This description fits all the public cloud providers, and therefore many applications are not fit for public cloud.

Instead, the concept of ‘private cloud’ has appeared. Private cloud is a cloud that is only used by the employees of one company, owned either by the company itself or by a hosting provider, still with the cloud characteristics, but with less flexibility and higher cost than a public cloud. Traditional outsourcing companies, such as IBM, Fujitsu and BT, are offering shared clouds with traditional enterprise service characteristics of service level agreements (SLAs), security, auditability etc. These offerings are in-between public and private cloud, and therefore also in-between with respect to flexibility and cost.

GETTING ONTO THE CLOUD: WHERE TO START AND WHAT TO DO?

With so many options it can be difficult to know where to start. Two out of three companies in Europe say they have a strategy for use of cloud, so the chance is that you are among them. After all, who does not need lower IT cost and more flexibility? You may already have started: more than 70 per cent of European companies already use cloud somewhere in the organisation. Companies have typically started getting into the cloud when departments gave up waiting for the IT department and instead went directly to the market and bought the solution from the cloud on credit cards.

This approach is worrying for corporate IT departments that need consistency and need to deal with the concerns about cloud discussed above. The best way for them to combat this piecemeal approach is to ensure that their companies have a strategy (and policy) for cloud. Cloud is not ‘either–or’, and there is no ‘one-size-fits-all’. You will need to consider your applications one by one to find out which ones would benefit from being migrated to cloud and to which type of cloud, since applications have different requirements. The accounting system has much stricter security requirements than the email system, but may accept lower availability than a production monitoring solution etc.

It is important to start by looking at the business requirements for the solution, how important each application is for the business and where the need for agility and flexibility is greatest. The next step is the more technical requirement: some solutions will be easy to migrate to a cloud environment, and for standard software there are often standard migrations available. For legacy solutions, migration will typically be much more difficult and probably not worth the cost and risk.

You can now create business cases that will lead to prioritisation and form the basis for a cloud roadmap. Most services companies offer short workshops to help you understand cloud and identify where the largest opportunities lie. Be aware that you will need to review your strategy and roadmap regularly: the cloud market develops quickly and what looks difficult now may be a lot easier next year, and your business priorities may have changed.

There is advice to be found also among your peers about where to start: 40 per cent of European companies already use email from the cloud, 35 per cent use security solutions and 30 per cent use databases, CRM, office productivity and collaboration tools. Development and test environments are well suited for cloud, whereas your core applications are more likely to benefit from waiting for the next wave of cloud, unless you want to make a big move to a private cloud or to cloud as part of outsourcing agreements where you get the necessary guarantees.

European companies have also started to use cloud for business innovation. One example is Audi’s use of design data to create pictures for sales instead of real photos, enabling the buyer to change colour, interior etc. on the picture, making brochure production much more flexible and creating a good buyer experience. Another example is Wimbledon’s enhancement of the user experience through real-time predictive analysis during a game of tennis. Cloud will most likely also offer opportunities for you to drive innovation in your business. You might want to start thinking about how.


SECTION 3: MOVING TO THE CLOUD


resources. Ultimately this makes it easier for businesses to respond to the needs placed upon them.

So, with all these benefits, what’s getting in the way?

BARRIERS TO CLOUD ADOPTION

It’s common to hear concerns about the security of cloud computing. Intuitively, this makes sense: the servers aren’t yours, they exist somewhere outside your four walls, and you need dependable network connections to get at them. From a security standpoint, there is peace of mind in having installed the security measures yourself and knowing exactly where your data is physically housed. It can seem like a huge shift and a risky move to entrust a third party with this responsibility.

The thing to remember is that these third parties have extremely stringent and current security measures in place, both electronic and physical. Their income depends on their reputation and their ability to handle data without loss or leakage. If it’s something you’re concerned about, you’ll need to carefully inspect what security accreditations they hold.

For most businesses an ISO27001 accreditation will more than suffice. However, for organisations in the public sector a greater level of security is required. That’s why the government has created the Next Generation Network (NGN) 2-2-4 and NGN 3-3-4 accreditation standards.¹ The 2-2-4 standard is appropriate for most local authorities, whereas the 3-3-4 accreditation is intended for higher security bodies, such as the Ministry of Defence.

Rather than compromising on security, by adopting cloud computing many organisations will find that their applications actually become more secure. That said, not all business data is suitable for public clouds. Careful consideration will need to be taken in order to decide what kind of set-up works best for you. You may find that private or hybrid clouds are better suited to your specific business needs.

CONNECTIVITY

Security isn’t the only concern that organisations have when it comes to the cloud. One of the most common bugbears that we’ve come across in talking to businesses about cloud computing is connectivity.

You can picture the situation, we’ve all been there. You’re at work and the web goes down or slows down to an absolute crawl. It’s annoying, but the resourceful among us will find a way to carry on working, temporarily doing something else offline.

1 These standards are not accessible to the general public and have only been made available to a select few bodies. For a comment on this see http://blog.itsecurityexpert.co.uk/2010/01/secret-government-security-standards.html. This blog post gives an overview of the implementation process: http://interweave-consulting.blogspot.com/2010/10/cesg-il2il3-accreditation-224-334.html.


With cloud-based applications that’s not acceptable: if you can’t access the web, you can’t access your applications.

For businesses that are embracing the cloud it’s absolutely essential to have a rock-solid connection in place that will deliver sufficient bandwidth to cope at all times. For large enterprises this means investing in a dedicated connection from the data centre to your office.

If you’re worried about the cloud service provider having an outage, make sure that your service level agreement (SLA) has disaster recovery and back-up systems on a different site. This should ensure a seamless transition should the worst happen.

Latency is another fundamental concern for many businesses. With a conventional on-premises solution, your access to files and read/write ability is limited to the functions and features of your own equipment. With a cloud service, your network or internet connection plays an important part too. Fortunately fibre-optic networks are exceptionally quick and the majority of applications can be accessed and saved in the blink of an eye.

What’s more, with sufficient network capacity in place to give you the appropriate level of cloud access for your business, you’ll never have to worry about hitting a bottleneck as large volumes of data move across the network.

THE CLOUD IS COMING

With research firm Gartner predicting that by 2016 all Global 2000 companies will be using public cloud services, it seems that widespread adoption of the cloud will be upon us very quickly. However the move to the cloud shouldn’t be rushed. Whilst cloud computing can generate significant cost efficiencies and give IT more freedom to focus on projects that will make a big difference to the whole organisation, it will only do this if it’s deployed correctly.

To benefit fully from cloud computing, organisations must take time to consider carefully what they want to use the cloud for, what solutions will meet their needs today and in the future and, importantly, how they will access the cloud. Taking this approach will ensure that all obstacles are identified and overcome.


6 CLOUD COMPUTING AND ENTERPRISE ARCHITECTURE

Cloud computing is often characterised by virtualised computing resources, seemingly limitless capacity and scalability, dynamic provisioning, multi-tenancy, self-service and pay-for-use pricing. Enterprise architecture can help to make the shift to cloud computing smooth. Serge Thorn, CIO at Architecting the Enterprise, explains.

Cloud computing is a computing model by which users can gain access to their applications from anywhere through any connected device. Thanks to a strong service management platform, the management costs of adding more IT resources to the cloud can be significantly lower than those associated with alternate infrastructures. Enterprise architecture is necessary regardless of changes to underlying technologies. If managed properly, enterprise architecture will iterate and adjust to the winds of change. Client–server, SOA, RFID, cloud and other technology developments should be considered as styles, but enterprise architecture is at the heart of change. In reality, cloud computing should have little impact on enterprise architecture.

It is the role of the enterprise architecture team to:

• investigate if any style is simply hype or whether it holds real business value;

• understand the benefits and risks of a specific style;

• communicate these to business and IT;

• develop an adequate governance framework;

• align the style with business requirements;

• give guidance for sustainable innovation;

• support business transformation.

If cloud computing does not take enterprise architecture into consideration, it will result in ‘spaghetti clouds’ (aligned with ‘spaghetti architectures’).

For organisations focusing more on technology architecture, cloud computing could be a big hit. But for businesses that want to adopt cloud computing successfully in a way that aligns to their business strategy, enterprise architecture is imperative.

Cloud computing may be a fit when the core of internal enterprise architecture is mature. This means, as recommended in various enterprise architecture


During the implementation and deployment, activities may also include the relocation of:

• business processes (process-as-a-service);

• applications (application-as-a-service);

• data (information-as-a-service and database-as-a-service);

• technical services (storage-as-a-service and infrastructure-as-a-service).

Security and operations implementation will have to be taken into consideration during the relocation. Security can also be considered as security-as-a-service.

The development and deployment teams would now be sourcing from and conforming to the cloud API and services, without the enterprise architecture team becoming the police and enforcing the reference architectures or corporate standards at various checkpoints (compliance and dispensation activities will remain for internal new systems). With overarching cross-project oversight not relevant anymore, each project would tend to work in its own cloud development sandbox, partly engendered by the partitioning paradigm of the cloud itself.

Barring some exceptions, traditionally the enterprise architecture team has not been relevant to the operation side of the organisation, but with the cloud, that seems to be disappearing. The cloud providers will furnish the relevant tools for management and reporting and take away the onerous tasks of patch management, version upgrades, high availability, disaster recovery and the like.

New technology styles are exciting, but using technology styles just for the sake of technology does not bring a real value. Technology use should be driven not by its ‘coolness’ factor, but rather by business requirements and an underlying enterprise architecture framework. Moving some applications to the cloud can make some infrastructures go away, but badly designed solutions won’t be improved by relocating to the cloud.


• Does the company gain access to a more agile and responsive data centre by using cloud? Businesses that are devoting their efforts to meeting customers’ daily needs may assume cloud equals agility, but CIOs should look closely to see if the new cloud provider’s service genuinely adds value in meeting commercial objectives and secures their company reputation for reliability. For a UK business planning system expansion after the recession, are there adequate performance guarantees when moving to this new service model?

• Will any elements of the cloud solution, such as security, be federated out to partners? There is always potential for risk surrounding cloud migration in relation to aspects like corporate and customer data. If the cloud vendor intends to federate some aspects of the cloud to third parties, will the security risk actually be worsened rather than contained? As well as gaining assurances over likely costs, the CIO will need end-to-end SLAs in line with their particular industry’s compliance needs. For risk to be contained, the cloud provider should deliver a plan of phased implementation with its implications for the business, together with detailed migration phases and technical support.

RISK MANAGE CLOUD FOR TRANSFORMATION

For cloud computing to fulfil its undoubted transformational potential, businesses’ CIOs need to satisfy these risk management criteria. For those that can’t answer these questions or decide to pursue a narrow focus on cloud as a cost cutter, adopting this strategy, like many other technology innovations, could actually pose additional risks to those it was originally intended to manage. Like any system migration, cloud computing models need to be closely risk managed and the longer-term business case and cloud provider’s capabilities rigorously tested before it is adopted.


SECTION 4: CHANGING THE IT INFRASTRUCTURE


8 THE DEATH OF THE OFFICE SERVER

Once the linchpin of every office, the office server is now on the verge of becoming a relic, an eBay listing, a forgotten piece of technology. CIOs and IT managers will no longer have a use for it. This is not because there is anything wrong with it, but because technology is becoming more readily available and easier to use. This is especially the case with cloud-based business applications, data storage, software-as-a-service (SaaS) and platform-as-a-service (PaaS) becoming the norm for many businesses. Andrew Peddie, Managing Director of First Hosted, highlights the changing landscape of business IT systems, storage and usage, and how these changes are completely transforming the technology landscape and the way businesses interact with it.

For many years now, the office server has been a central part of the workings of any IT set-up. Considered the brain or hub of a company’s network, facilitating backup and storage of its most vital completed work, the failure of this server has proved catastrophic for many businesses. Overloading, power-outs, overheating and downtime all cause dips in productivity, lost business, problems related to the loss of vital data, and the list just goes on.

The traditional office server also takes up space, an expensive commodity these days, with many businesses diversifying and making allowance for flexible and home working to suit busy lifestyles and constricted budgets.

UP, UP AND AWAY

The emergence of the cloud was initially greeted with some trepidation by businesses, with many fears about security and reliability surfacing. Understandably businesses wanted to ensure its safety and efficacy before entrusting their precious business data, processes and applications to it.

The concept of relying on an outsourced ‘invisible’ platform for everyday storage and business processes, such as CRM, ERP and email, took a bit of adjusting to, but is now rapidly becoming a dominant business technology choice.

Software as a service (SaaS) innovators such as Salesforce.com®, NetSuite and Oracle® have provided cloud-based enterprise resource planning (ERP), customer relationship management (CRM), ecommerce, accounting, supply chain management and inventory software to businesses across all manner of sectors, both improving their operational effectiveness through simple-to-use applications, and reducing their IT support and set-up costs. Retail businesses can also now see the benefits of NetSuite point-of-sale applications fully integrated with their back office function, which provide instant visibility of vital business and inventory information across any store.

These applications have played their part in committing the office server to the annals of history for many businesses, in turn also making the fallibilities of the backup tape, virtual private networks (VPNs), the IT department, patches, upgrades, maintenance, disk space, memory and uninterruptible power supplies a mere distant memory.

THE APPLICATION OF EFFICIENCY

Increasingly, businesses are incorporating add-on applications to their businesses, allowing them to integrate all manner of business functions through the cloud. These functions, which include sales dashboards, point-of-sale accounting and CRM to name a few, are often accessed by different staff in their relevant departments on varying scales. Cloud computing makes huge sense in these situations because the required applications can be accessed by the staff via permission-based access (passwords) through the cloud on a SaaS basis. This has a double-edged efficiency saving for businesses. Firstly, cloud-based software and services are more cost effective because the company only pays for the levels of actual software usage, as opposed to a company purchasing 30 licences, which are not all used, or used enough, to justify the cost.

The flexibility to ramp up and down the level of usage required, removing and adding users dependent on business requirements, maximises the cost effectiveness of the IT systems within any business. In addition to this, accessing cloud-based platforms and software completely eradicates the requirement for on-site storage (an office server) and the associated support and maintenance costs. Any faults with the software are solved off-site and downtime is minimal. Equally, data is stored securely and businesses need no longer worry that a technical failure like a server explosion may damage their valuable data.

A good example of a company using cloud-based software to transform completely the way it does business is Reading-based Ecocleen. The eco-cleaning and support service franchise business implemented a cloud-based business management platform, which saw it become completely server-less and streamline its operation, enabling it to work more effectively.

The company switched to a cloud-hosted integrated CRM platform that stored all corporate data in one single database, with access to key performance indicator (KPI) data, integration with back-office accounting and ERP through simple dashboards. The implementation of this SaaS cloud-based platform enabled Ecocleen to automate all customer billing in electronic format, adding to its eco-credentials, and roll out a centrally controlled emarketing campaign.

The business, which has a number of regional offices, had traditionally operated disparate, regional IT systems, which had hindered a uniform, branded marketing and CRM strategy and visibility of customer activity. The self-service portal within the new solution will allow the regional Ecocleen offices to access quickly and easily information relating to their transactions. The company had been using Sage Line 50 and Microsoft® Excel® to collect and analyse KPI information, a time-consuming and complex process. Replacing these systems has allowed the regional offices to access KPI information in real time and benchmark their own performance against each other or their own targets, which works as a motivational tool. This, and the efficiency-saving impact of the platform, are projected to play their part in Ecocleen’s growth strategy, with predictions that the platform will assist it in going from 11 regional offices to an anticipated 25 over two years with a 120 per cent increase in revenue.

It is clear from examples such as this that the implementation of a cloud-based solution can help improve the efficiency of a business, providing the opportunity to focus on and expand its core business to meet financial and business targets.

This ‘work smarter, not harder’ concept, along with the reduced costs, worries and inconveniences associated with cloud-based applications, mean that when it comes to eliminating the traditional storage and software hub, the server, or ‘brain’ of an operation, the decision really is a no-brainer.


9 MANAGING MAJOR NETWORK CHANGE: CHALLENGE AND OPPORTUNITY

Over the past few years the flood of technology and applications capable of changing the way companies do business has been staggering. The network infrastructure has had to adapt to cope with new and varied demands placed on it by these trends, and organisations in both public and private sectors continue to re-evaluate their networks to cut operational expenditure or facilitate technologies like cloud or virtualisation. Major network alterations can drive improved efficiency and lower cost, but these opportunities present challenges that must be overcome if an organisation is to benefit fully from any new technology. Maria Goggin, Head of Product, Networks First reports.

Against a backdrop of changing technology, there is also the additional pressure of changes in business practice, such as increasing numbers of home workers and a growing mobile workforce. Recession too inevitably brings about mergers and acquisitions and resultant network consolidation, and elsewhere a general desire to cut costs has often manifested itself in network shrinkage, re-evaluation and the exploration of shared services. The public sector, in particular, has had to find ways to seek out extra efficiency thanks to enforced budget cuts and spending reforms.

CHALLENGING TIMES FOR IT MANAGERS

Today’s IT managers and directors are facing the three-pronged challenge of supporting operational requirements now while mapping out the future direction for the IT infrastructure and managing the change that will inevitably come with it. They have to look at the wider business, and this means focusing on more than IT to see how technology can benefit the organisation as a whole.

Organisations often assume that the network in its existing guise will simply cope with whatever new technology is thrown at it. At best this approach harms the user experience and overall network performance, and at worst can lead to downtime, which damages productivity and is expensive to fix. Sixty per cent of all network downtime is caused by misconfiguration rather than hardware failures, which demonstrates the importance of a robust approach to network management in the face of so much change.

MOBILE DEVICES AND CONSUMERISATION

Technology itself has changed how the limits of the network are defined. Where once the IT manager would have had complete control over the limits of the WAN and LAN, now, thanks to mobile devices, the boundaries of the network often lie outside the business and on equipment owned by staff members rather than the IT department. The consumerisation of IT has long been a talking point, but the effect of this trend on the network is often overlooked. Many businesses are happy to let personal devices connect to the company network because of the productivity gains on offer, but this access needs to be controlled closely.

It is interesting to note that this change has largely been driven by senior management outside of the IT department. Tablet computers, for example, are often first brought into the workplace by C-level (CEO/CIO/CFO) executives. These executives have the seniority to introduce network access for these devices before the ‘trickledown effect’ leads to tablets being brought in by other staff members also demanding to be connected to the network.

As a result the network now stretches far beyond the traditional confines of the office. Unified communications, video and VoIP, alongside mobile access, virtualisation and the cloud, might create a whole host of new opportunities, but they also place a raft of new demands and challenges on today’s corporate networks – a low-latency, jitter-free environment quickly becomes essential. Meanwhile achieving the right balance between performance, availability and security is becoming ever more difficult.

BEST PRACTICE AND NETWORK MATURITY

With so much at stake across ever more expansive networks, it is imperative that best practice processes are followed to manage any changes and prevent the time and expense of troubleshooting after implementation. Failure to properly manage such change can quickly wipe out the intended benefits and severely damage ROI – not to mention both personal and company reputations.

Before embarking on a project to consolidate a network or roll out a new technology or application, an organisation should ensure that its IT strategy is closely aligned with that of the business as a whole. If the organisation is striving to increase efficiency, this should be mirrored in the IT strategy and, therefore, within the project itself. This will ensure that the results of the project add real value to the wider business. While this may sound obvious, business leaders outside the IT department do not always consider the impact their strategy changes might have on the IT function, particularly if the IT director/CIO is not involved in board-level discussions. Ensuring that IT is taken into account when a business is planning change is yet another challenge for IT directors and network managers.

To make sure the network infrastructure is optimised to support the demands of these new technologies, organisations need to take a systematic approach and manage the complete life cycle of the network. The use of a network maturity model, such as that proposed by Gartner, helps network managers to compare what is currently deployed against industry and manufacturer recommended best practice as a key performance indicator (KPI).


BE PREPARED

This kind of pre-deployment work is crucial to the success of any project because it can often prevent runaway costs at a later date. Troubleshooting after the fact can be a cost-intensive and time-consuming task, which can make an organisation less agile and less productive. One way that firms can guard against troubleshooting costs is through a transformation testing process to emulate how the new network configuration will perform before any real-world changes are made, therefore dramatically cutting the cost and risk usually associated with major network infrastructure changes.

The transformation testing process enables organisations to stress-test fully the viability of different bandwidth services and monitor how disrupting factors affect network operation and user experience. For firms moving key applications to an off-site data centre, integrating new applications on to the WAN or transitioning to a cloud or virtual environment, this can be an invaluable method to limit project costs.

NOTHING IS PERMANENT EXCEPT CHANGE

Managing change is a delicate and technical process but one that is necessary to keep the network up-to-date and fully optimised. Not every business has a change programme manager or a transformation manager and, as a result, some organisations may need to call upon external experts for guidance. Each major new application has the potential to increase the burden on the network and affect the way in which the network operates, but all too often this fact is forgotten. The network facilitates the opportunities offered by cloud and virtualisation, but for an organisation to make the most of the potential gains it is important to manage properly the network change timeline. An approach tied to best practice guidelines and rigorous documentation processes will provide the best results.

As organisations evolve and grow, so do their networks: change is a constant and a natural part of any network’s operational life cycle. The reward for managing network alterations in an effective and systematic manner is not only a more efficient network, better equipped to cope with the strains of additional technology, but also a better user experience across the entire organisation.


SECTION 5: SECURITY IN THE CLOUD


10 PROTECTING DATA IN THE CLOUD

Cloud computing has been a hot topic among IT professionals for some time now, yet uptake has been decidedly mixed, largely due to concerns over security. For some organisations, security is such a cause for concern that they are steering clear of the cloud altogether or are only using it for non-business-critical functions. John Grimm, Director of Product Marketing, Thales e-Security, explains how to protect your data in the cloud.

Security in the cloud is a major challenge. A CIO might legitimately fear losing control over a company’s data assets. ‘How can I protect my data?’ is one of the most important questions IT professionals should ask before moving to the cloud. While there’s no magic bullet, any cloud data protection policy should be rooted in cryptography, which time and time again has proven to be the most effective means of securing data. Below are some best practice tips for protecting data in the cloud.

UNDERSTAND YOUR DATA ASSETS

Not all data needs the same level of protection. Companies need to evaluate their data assets before they move to the cloud so that they can bestow an appropriate level of protection to each one. Which employees need access to a particular data set? Which data is the most sensitive? In the past, a perimeter-based security model relying on firewalls, antivirus software and monitoring systems was deemed sufficient to protect a company’s data. Such models are inappropriate for the cloud where boundaries are not clearly delineated. In a cloud environment, it is vital that data assets themselves are protected, not just the infrastructure and systems they travel through.

SECURING THE CLOUD WITH CRYPTOGRAPHY

Cryptography is the practice of rendering data unreadable to anyone except authorised personnel. This means that if a data breach does occur, the data is useless to the intruder. Data can only be read with the correct ‘key’, the string of bits that decrypts that data in conjunction with the correct algorithm. This means that storing and protecting the keys is an essential element of protecting the data. Cryptography is the solution to many of the security challenges posed by the cloud.

When deployed properly, using best practices, strong algorithms and appropriate key lengths, cryptography is effectively unbreakable because, if data is lost or stolen, it is unreadable without the associated key. Likewise, when properly deployed, cryptography is used to digitally ‘sign’ messages or other data. The validation process provides mathematical proof that the signature could only have been created by someone with the private signing key.

Cryptography also provides tangible evidence of security to customers and auditors. Data is either encrypted or not, digital signatures are validated or they aren’t. This leaves no room for doubt.

UNDERSTAND DIFFERENT TYPES OF ENCRYPTION

Below are four types of encryption that may be of great benefit when moving to the cloud:

• Network encryption applies cryptography when data is in transit. Data has to move between private networks and a cloud, within a cloud or between clouds themselves. Any data in transit is vulnerable because networks generally cannot be assumed to be secure. Network encryption is thus essential for protecting data in the cloud. Fortunately, it can be easily utilised and, when properly implemented, is transparent to users and has minimal impact on performance.

• Storage encryption is the encryption of data stored in the cloud, whether that data resides in an archive, a temporary cache or a live database. It is also transparent and relatively easy to deploy. However, there are issues concerning key management. A balance has to be struck between security and availability. If data is to be available at all times, it means keeping the keys accessible at all times, which can be challenging when implementing proper measures to secure those same keys.

• Application level encryption is the selective encryption of specific data used by specific applications. This type of encryption is very closely linked to the applications being used. Instead of protecting the whole stream of data moving in the cloud like network encryption, it just protects specific items when processed by the application. Different applications may or may not require encryption based on the type of data they handle, reinforcing the need to evaluate adequately data assets before they are put into the cloud. As application level encryption requires the integration of cryptography with particular applications, it can be harder to set up and manage than other types of encryption.

• Edge of cloud encryption is the blanket encryption of sensitive data before it leaves a company’s control and moves into the cloud. The great benefit of ‘edge of cloud’ is that all data that is heading to the cloud is encrypted prior to leaving the enterprise premises, so it is never exposed to the cloud at all. This sort of encryption is likely to be what many companies will feel most comfortable with. Yet there are downsides. It requires extra management and greater overheads depending on the volume of data passing into the cloud and the accessibility of that data which a company requires.
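A sketch of the edge of cloud approach, added here as an illustration and not taken from the ebook: each object is encrypted on premises under its own data key, and that data key is wrapped by a master key that never leaves the enterprise. It assumes the third-party Python `cryptography` package and AES-256-GCM as the algorithm; the class name, blob layout and sample key are constructed for the example.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12     # 96-bit nonce, the size AES-GCM is designed around
WRAPPED_LEN = 48   # 32-byte data key plus 16-byte GCM tag
MIN_BLOB = NONCE_LEN + WRAPPED_LEN + NONCE_LEN + 16

# Constructed sample key for the demonstration only. A real master key is
# generated and held in an on-premises key store or HSM, never in source code.
SAMPLE_MASTER_KEY = bytes(range(32))


class EdgeEncryptor:
    """Encrypts objects on premises; only the sealed blob is sent to the cloud."""

    def __init__(self, master_key: bytes):
        if len(master_key) != 32:
            raise ValueError("master key must be 256 bits")
        self._kek = AESGCM(master_key)  # key-encryption key, stays on premises

    def seal(self, object_name: str, plaintext: bytes) -> bytes:
        # The object name is authenticated (not encrypted), so a blob cannot
        # be silently swapped for another object's blob in cloud storage.
        aad = object_name.encode("utf-8")
        data_key = AESGCM.generate_key(bit_length=256)  # fresh key per object
        wrap_nonce = os.urandom(NONCE_LEN)
        wrapped_key = self._kek.encrypt(wrap_nonce, data_key, aad)
        data_nonce = os.urandom(NONCE_LEN)
        ciphertext = AESGCM(data_key).encrypt(data_nonce, plaintext, aad)
        # Layout: wrap nonce | wrapped data key | data nonce | ciphertext+tag
        return wrap_nonce + wrapped_key + data_nonce + ciphertext

    def unseal(self, object_name: str, blob: bytes) -> bytes:
        if len(blob) < MIN_BLOB:
            raise ValueError("blob too short")
        aad = object_name.encode("utf-8")
        wrap_nonce = blob[:NONCE_LEN]
        wrapped_key = blob[NONCE_LEN:NONCE_LEN + WRAPPED_LEN]
        rest = blob[NONCE_LEN + WRAPPED_LEN:]
        # Raises InvalidTag if the master key, object name or blob is wrong.
        data_key = self._kek.decrypt(wrap_nonce, wrapped_key, aad)
        return AESGCM(data_key).decrypt(rest[:NONCE_LEN], rest[NONCE_LEN:], aad)


def can_unseal(enc: EdgeEncryptor, object_name: str, blob: bytes) -> bool:
    """True only if the blob is intact and was sealed for this name and key."""
    try:
        enc.unseal(object_name, blob)
        return True
    except (InvalidTag, ValueError):
        return False


if __name__ == "__main__":
    enc = EdgeEncryptor(SAMPLE_MASTER_KEY)
    record = b'{"customer": 42, "note": "constructed sample record"}'
    blob = enc.seal("customers/42.json", record)
    print("uploaded bytes:", len(blob), "plaintext visible:", record in blob)
    print("round trip ok:", enc.unseal("customers/42.json", blob) == record)
```

The availability trade-off the list describes shows up directly: anyone who needs to read the data needs access to the master key, so the key store becomes the system to protect and to keep available.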


11 TRUSTING THIRD PARTIES WITH YOUR DATA

As the cloud movement continues to advance, many foresee a shift away from managing IT in-house toward a model where more third-party organisations oversee servers, storage, applications and operational management. This shift will drastically change the fundamental practice of IT operations as we know it. Greg McCulloch, UK Managing Director Interxion, discusses how organisations can learn to trust third parties with their data in the cloud.

By transitioning into the cloud, organisations can remove administrative burdens on IT departments, avoid expensive hardware and upgrade costs, and adjust their software licensing and maintenance practices. Third-party co-location data centres are increasingly convincing companies that their operations will continue free of disruption in the cloud if they leverage the infrastructure and expertise that they offer.

CLOUD TAKES OFF

A 2011 Gartner survey revealed that CIOs expect to adopt new cloud services much faster than originally expected. Currently, just three per cent of CIOs have the majority of their IT running in the cloud or on SaaS technologies, but over the next four years CIOs expect this number to increase to 43 per cent.

Companies are realising the immense expense that comes with storing and managing data in their own facilities, but many businesses are hesitant to move more than their basic CRM and email systems into the public cloud, keeping key applications and infrastructure in-house. Companies naturally need to feel confident that their operations will continue free of disruption, which is why many are turning to third-party data centre providers to supply carrier-neutral co-location services.

A NEUTRAL APPROACH

Carrier-neutral co-location provides exceptional levels of connectivity to deliver high-speed application performance while driving down bandwidth and other associated costs. Some carrier-neutral providers offer five types of connectivity options (carrier, ISP, IX, ethernet and global and regional content delivery network (CDN)), which enable a better user experience and increased network resilience for cloud-based services or platforms. Co-location also provides the option to subscribe to managed services that support critical business operations to back-up data,


12 AUTHENTICATING THE CLOUD

While much has been discussed about the security of applications and data in the cloud, there tends to be a blind spot when it comes to authentication. Dave Abraham, CEO at Signify, sheds some light on the issue.

While the cost benefits of using applications in the cloud have proved to be compelling for some, many still have major concerns about the security, policy and legal implications of implementing cloud services. In particular, there has been a great deal of debate about the protection and governance of any sensitive data residing on third-party data centres and about it being accessed remotely. Yet, despite all the very public concerns about the security of applications and data in the cloud, there is one major aspect that appears to have been largely overlooked. This blind spot is user identification and authentication.

TWO-FACTOR AUTHENTICATION

Over the past five years or so, in the ‘traditional’ world of IT, there has been a major shift away from relying solely on a username and password for allowing a user access to applications to strong two-factor authentication (2FA). 2FA is certainly not a new concept and with the increase in remote and home working for greater flexibility, a better work–non-work balance and of course cost savings, it is increasingly being used to secure remote access.

2FA works by requiring the user to present two different factors of identity, typically ‘something you know’, such as a secret PIN or password, combined with ‘something you have’, like a one-time passcode (OTP) delivered to a hardware token, smartcard or mobile phone; or ‘something you are’, such as a fingerprint, iris scan or facial recognition.

The use of OTPs through hardware tokens is still the most popular approach, but more recently there has been an interest in tokenless authentication, which uses passcodes that are delivered ‘on demand’ to mobile phones or other devices.

However, while token or tokenless 2FA is becoming the de facto standard for remote access to server-based business applications, users of most of the existing popular SaaS (software as a service) applications such as Salesforce.com® and Google Apps are still only being authenticated through username and static passwords that can be easily compromised.


This does appear to be a serious security anomaly in the cloud. And it is even more difficult to understand when you consider that many industry policies and guidelines, such as PCI DSS, are increasingly specifying 2FA for remote access. It seems that many organisations do not realise that these compliance requirements must also include access to their SaaS applications.

But while many users of SaaS applications and cloud services are still only authenticating themselves by a username and password, there are ways to fill this gap with the addition of third-party services.

Of course, as with everything, there is a trade-off, and the level of security needs to be balanced with ease of use. But in this case, it needn’t make life more difficult for users or IT managers. It is possible to increase the level of protection for access to corporate applications and data in the cloud through fast and convenient token or tokenless authentication.

SINGLE SIGN-ON

Another problem that faces cloud service providers and users is the issue of single sign-on. Currently, every time a user logs on to a cloud application they have to re-authenticate themselves with a separate set of credentials, which they have to remember.

Solutions that enable users to log on once to multiple applications are commonplace at the intranet level using networking protocols and directory services, such as Kerberos, which provide a centralised authentication system that can be utilised by other network applications. Extending these solutions to the cloud has been problematic. However, the security assertion mark-up language (SAML) authentication protocol developed by the Organization for the Advancement of Structured Information Standards (OASIS) group is now emerging as the enterprise standard underlying many browser-based authentication solutions.

SAML assumes that a user has enrolled with at least one identity provider who is expected to provide local authentication services. At the user’s request, the identity provider passes a SAML assertion to a new service or application provider to grant access. SAML attempts to remove the problems of remembering and handling multiple credentials by delivering a federated identity and authentication solution.
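The service provider's side of that hand-off, as an added example that is not from the ebook: the checks applied to a received SAML 2.0 assertion's issuer, audience, validity window and ID. It assumes the assertion's XML signature has already been verified by an XML-DSig library, which is not shown and without which none of these checks mean anything; the entity IDs and the sample assertion are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Hypothetical entity IDs for the example.
TRUSTED_IDPS = {"https://idp.example.org"}
SP_ENTITY_ID = "https://crm.example.com/sp"

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2012-01-10T09:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-01-10T09:00:00Z"
                   NotOnOrAfter="2012-01-10T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_instant(value: str) -> datetime:
    """Parse a UTC timestamp of the form used in the sample (no fractions)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


def check_assertion(xml_text, now, sp_entity_id, trusted_issuers, seen_ids,
                    skew=timedelta(seconds=60)):
    """Return (True, subject) if the assertion is acceptable, else (False, reason)."""
    # SAML never needs a DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return False, "DTD not allowed"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != "{%s}Assertion" % SAML_NS:
        return False, "not a SAML 2.0 assertion"

    # 1. Issued by an identity provider this service has enrolled with.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        return False, "untrusted issuer"

    subject = root.findtext("saml:Subject/saml:NameID", default="",
                            namespaces=NS).strip()
    conditions = root.find("saml:Conditions", NS)
    assertion_id = root.get("ID", "")
    if conditions is None or not subject or not assertion_id:
        return False, "missing required element"

    # 2. Addressed to this service, not to some other application.
    audiences = [a.text.strip() for a in conditions.findall(
        "saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        return False, "audience mismatch"

    # 3. Inside its validity window, allowing a little clock skew.
    try:
        not_before = parse_instant(conditions.get("NotBefore", ""))
        not_on_or_after = parse_instant(conditions.get("NotOnOrAfter", ""))
    except ValueError:
        return False, "bad timestamp"
    if not (not_before - skew <= now < not_on_or_after + skew):
        return False, "outside validity window"

    # 4. Not presented before (replay of a captured assertion).
    if assertion_id in seen_ids:
        return False, "replayed assertion"
    seen_ids.add(assertion_id)
    return True, subject


if __name__ == "__main__":
    cache = set()
    t = parse_instant("2012-01-10T09:02:00Z")
    print(check_assertion(SAMPLE_ASSERTION, t, SP_ENTITY_ID, TRUSTED_IDPS, cache))
    print(check_assertion(SAMPLE_ASSERTION, t, SP_ENTITY_ID, TRUSTED_IDPS, cache))
```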

Allowing users to identify and authenticate themselves just once for access to all their network or cloud-based applications using a single set of 2FA credentials increases the level of protection and avoids costly help desk calls because users have forgotten their passwords.

With more and more SaaS applications appearing every week and software vendors quick to jump on to the cloud, it is clear that there is an urgent need to embrace strong 2FA with a solution that eliminates the need to log on separately to every application. Certainly, the ability to obtain state-of-the-art information software services quickly and easily, with little or no development costs or capital expenditure and benefits from ongoing flexibility and cost savings, is a tempting proposition. But these benefits must not blind users to the considerable risks they face if they fail to address the need for better authentication in the cloud.


13 SKILLS FOR A SAFER CLOUD

Cloud computing has become mainstream and organisations see it as an enabler for more powerful, flexible and scalable computing. In the meantime, there are real concerns over security of data in the cloud. For instance, there appears to be no clear solution to issues such as compliance, data security and access once the data leaves the host organisation. John Colley, (ISC)² MD EMEA, explains why security skills development is crucial to cloud computing success.

We need to take a step back. Perhaps these challenges stem from a more fundamental issue: what is cloud computing? Currently the definition and hence the understanding of cloud computing is not simply poorly defined, but also evolving. Services that used to be known as hosting, grid computing, outsourcing, even basic online services, are being referred to as cloud offerings. In fact, vendors and services providers attach the term ‘cloud’ to anything related to the internet in what sometimes appears to be an attempt to get on to the bandwagon. There are now various flavours of cloud computing developing, such as infrastructure-as-a-service, software-as-a-service, platform-as-a-service, web services in the cloud, as well as hybrids of these models. This is exacerbating the confusion and will potentially continue until standards mature.

Therefore, from a skills standpoint, it is no surprise that dangerous gaps exist between the goals of organisations and the skills to provide security in the cloud. There is an admission from the information security community to this effect. The 2011 (ISC)² Global Information Security Workforce Study, conducted by Frost & Sullivan, highlights that security professionals are concerned about cloud computing, but for the most part lack the training to address adequately perceived risks.

Exposure of confidential information to unauthorised systems/personnel and confidential/sensitive data loss or leakage are top-of-mind concerns related to the cloud. Almost three quarters of survey respondents agree that cloud computing requires a more specialised set of skills, with over 90 per cent wanting to gain detailed technical understanding of cloud and over 80 per cent feeling the need for enhanced technical knowledge.

This lack of knowledge and skills is potentially translating into security incidents in the real world already. Security company Trend Micro’s global survey findings reveal that 43 per cent of cloud users had a security incident in 2010. However, perhaps even more worrying is the finding that some respondents did not even know that they were using the cloud, much less securing it.

Additionally, there are few clear, established standards for governance issues such as compliance, access to and protection of data, the robustness of the systems and software choices, event monitoring and management, and the like. This is intensifying the challenge of understanding and articulating the risks associated with the variety of services that are coming online.

Another complex area is compliance, which is not well understood. ENISA, the EU’s security agency, determined earlier in 2011 that cloud services are not suitable for government use, citing the complexity of the regulatory environment and the need for it to catch up with the cloud. Considerations extend beyond the obvious requirement to maintain PCI DSS standards for online transactions or upholding the UK’s Data Protection Act. For example, the often cited Safe Harbor Agreements supporting data flow between the UK and the USA don’t necessarily provide the protection sought as regulations can conflict. The US Patriot Act suggests the US government can gain access to any data on its soil in the right circumstances. Even if compliance standards are met, this requires evaluation of acceptability to customers.

Key to resolving these issues concerning successfully implementing cloud computing is skills development and training at all levels of an IT department alongside a major shift in behaviour.

Information security professionals need to develop proactively both technical and business knowledge on cloud computing. On a technical level, they must understand the various types of cloud computing services that vendors are offering through attending workshops, training courses, conferences or the like. Only then will they be able to identify and assess the risks that their organisations will be exposed to, articulate them back to the business and take the necessary measures to mitigate them. This is an ongoing process.

Further, this kind of in-depth understanding of cloud offerings will also enable them to assess the security position of the vendors themselves. For instance, if their organisation is putting sensitive and personal information of its staff on the cloud, they must ensure that the vendor has the necessary security measures in place to protect effectively that information. At the same time they must have an understanding of the data protection implications for their own organisation in the event of a security incident. This requires them to extend their knowledge beyond technology to the larger compliance and business issues.

Yet another skill set that information security professionals need to enhance is that of softer business skills. Whether the IT and security departments like it or not, staff will download cloud applications, unbeknown to them. Such is the accessibility of cloud services. For example, it is not unusual for departments and teams to utilise Dropbox, a cloud-based collaboration software, to share files and documents with external organisations in real time, because the latter don’t have access to the company’s intranet. Similarly, easily downloadable applications such as Google Docs, Evernote® and Skype are already popular in business. Contrary to the traditional approach of blocking employees from using such applications, information security professionals must adopt a more open approach to security and IT. Encouraging staff to voice their needs for cloud applications and facilitating adoption in the proper manner is more likely to prevent untoward security incidents.


The information security workforce continues to grow. Frost & Sullivan estimate that information security professionals will reach nearly 4.2 million worldwide by 2015 from 2.28 million in 2010, highlighting the potential loss of control as organisations shift data to cloud-based services as one of the main drivers for the profession’s growth. There is no magic bullet to overcome the skills gap: due diligence, ongoing technical and business education, negotiating skills and planning with a long-term view is the only way.


14 DATA PROTECTION AND SECURITY: A LEGAL VIEW

An extract from a chapter in A Manager’s Guide to IT Law by Stuart Smith, a solicitor in the Information Technology Team of Bond Pearce.

The servers used by suppliers o cloud computing services to host their customers’data can be located anywhere in the world. Where the customers’ data includespersonal data, and that data is hosted by the supplier on a third-party server, itcan be diicult or even the third party or the supplier to know exactly where thatdata is stored. Customer data may even be spread over a network across dier-ent territories. This raises concerns or the customer because European Unionlegislation places responsibility or ensuring compliance with data protection lawson the customer (data controller), even where the supplier (data processor) or itsthird-party hosting provider is in possession o that data.

As a result, when a European-based organisation uses cloud computing services, it is liable for any failure by the supplier to process (store) that customer data in accordance with EU data protection legislation. Such a breach could occur, for example, if the supplier (with or without its knowledge) were to process data in a country outside the EEA (EU countries plus Norway, Iceland and Liechtenstein), where the hosting provider is not signed up to the Safe Harbor Principles, not subject to an exemption or where that data has not been transferred under a contract stipulating compliance with EU data protection rules.

If there is any question over whether a supplier’s procedures comply with the EU data protection legislation, clarification can be sought from the Information Commissioner.

As a data controller, the customer is required by the data protection legislation to carry out due diligence before it appoints a supplier to process customer data. This due diligence should establish that the supplier adopts procedures that comply with data protection requirements. Furthermore, the customer is under an obligation to continue to monitor the supplier’s procedures to ensure that they remain compliant.

It is also necessary for customers to notify individuals where their personal data may be transferred to third parties, outside the EEA, in order that such processing is fair and lawful.

The customer’s obligations also extend to protecting personal data from unlawful processing including accidental loss or destruction and unauthorised alteration or disclosure. As a result, it is important that customers are notified by their supplier of any security breach involving their data.

Permanent data loss should not be a problem from huge data centres like those of Google, Amazon, IBM® and Microsoft®. These and other data hosting providers, with the latest security technology and backup systems, are in reality less likely to lose data than an individual is likely to lose a laptop or flash memory stick. However, cloud computing customers should still keep backup copies of their data where possible.

IMPORTANT CLAUSES IN A CLOUD COMPUTING CONTRACT FOR SERVICES

The agreement between supplier and customer is essentially a normal contract for services but with particular emphasis on the areas set out below. Although the contract will normally be on the supplier’s standard terms, click-wrapped and difficult to negotiate, the customer may wish to insist on amendments in respect of those issues below that are of most concern or, where this is not possible, to find an alternative supplier.

Service rental

The supplier should grant the customer a non-exclusive right for either a certain number of authorised users to access its service, or for the customer to use a certain amount of computation resource (e.g. data storage). In exchange, where a ‘per seat’ model is used, the customer should be prohibited from allowing more users than a subscription permits to access the service, and should be obliged (as far as is reasonable) to prevent unauthorised access to the services by a third-party organisation.

The supplier should be required to provide a clear statement or specification of the services to be provided.

Customer obligations

The customer will be required to make payment in accordance with the supplier’s normal payment terms and payment method. The customer should also be required to provide all necessary cooperation to the supplier in performing the service. It is important for the supplier that it is not responsible for service failure where the customer does not adhere to the supplier’s maintenance specifications (e.g. regarding the customer’s internal networks or communication links). Additionally, the customer should be required to use the service in accordance with the supplier’s instructions.

Supplier obligations

The supplier should warrant to perform the service with reasonable care and skill and to use commercially reasonable endeavours to correct any non-performance promptly. The supplier should also warrant that the service will fit its specification and that the supplier maintains public liability and professional indemnity insurance (which should cover data loss).

The supplier is unlikely to give a warranty that the service will be uninterrupted, error-free or will meet the customer’s requirements. This is because suppliers are usually relying on third-party hosting providers who operate on low margins and will themselves give few, if any, warranties to the supplier.

Data processing, protection and security

It is of importance to the supplier that it establishes in the contract for services that it will be the data processor and that the customer will be the data controller in relation to all customer data.

It should also be set out in the contract that the customer owns all data received by the supplier in the course of providing the services as well as any output data generated by the supplier for the customer. The customer should seek certainty over how its data would be retrieved on termination of the contract.

The supplier will want to ensure that in the event of any loss or damage of customer data, the sole remedy available to the customer will be the supplier’s commercially reasonable endeavours to restore that data from its latest backup copy (maintained in accordance with the specified backup policy).

The customer should seek the supplier’s agreement to comply with a specified data protection and security policy, which mirrors the obligations of a data processor under the Data Protection Act. The customer may even seek an indemnity from the supplier in case of any breach of the Act, but this may be difficult to obtain. If any data protection or security breach does occur the supplier should be required to provide the customer with details of that breach immediately.

The supplier will also insist that the customer ensures it is entitled to transfer any personal data to the supplier (including that data subjects have given any necessary consent). Furthermore, the supplier should obtain the customer’s agreement in order to transfer and store customer data outside the EEA.

For customers that do not wish their data to be transferred outside the EEA, there are some suppliers that will promise to keep their data within that geographic area. However, as already mentioned, there is some question over how a supplier can make this guarantee in respect of the data it processes, and the customer (as data controller) should remember that it has ultimate responsibility for its own data.

It is worth noting that a further economic model for cloud computing services involves the supplier generating revenue from secondary uses of the customer’s data (e.g. the sale of that data for marketing purposes). As a result, the customer should ensure it is aware of, and happy with, the purposes for which the supplier may use its data.

Indemnities

The customer should expect to indemnify the supplier against any loss it suffers in connection with the customer’s use of the services and the supplier should grant an indemnity to the customer in respect of any intellectual property rights claim that is made against the customer regarding its use of the service.

Of course service levels will have more effect where they are linked to predefined service credits that will apply where the service levels are not met.

Cloud computing usage will increase rapidly in the future. With the internet becoming more reliable and offering users more flexible and agile technologies, the concerns over internet connectivity, data security and protection are likely to be outweighed. As a result, organisations will increasingly be able to take advantage of the benefits offered by this unstoppable trend in IT service provision. The cloud is not going to be blown away.

USEFUL LINKS

ORGANISATIONS

Cloud Security Alliance: https://cloudsecurityalliance.org

ENISA, the European Network and Information Security Agency: www.enisa.europa.eu

The Open Group: Cloud Computing: www3.opengroup.org/subjectareas/cloudcomputing

PCI Security Standards Council: www.pcisecuritystandards.org/security_standards

GUIDELINES AND REPORTS

Guidelines on Security and Privacy in Public Cloud Computing: http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909494

TrendMicro report ‘Security Threats to Evolving Data Centres’: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/reports/rpt_security-threats-to-datacenters.pdf

OPINION

Cloud Computing blog: http://cloudcomputing.blogspot.com

CloudTweaks: http://www.cloudtweaks.com

Software as Services: http://www.zdnet.com/blog/saas

James Urquhart on GigaOM: http://gigaom.com/author/jurquhart

BCS, THE CHARTERED INSTITUTE FOR IT

Our mission as BCS, The Chartered Institute for IT, is to enable the information society. We promote wider social and economic progress through the advancement of information technology science and practice. We bring together industry, academics, practitioners and government to share knowledge, promote new thinking, inform the design of new curricula, shape public policy and inform the public.

Our vision is to be a world-class organisation for IT. Our 70,000 strong membership includes practitioners, businesses, academics and students in the UK and internationally. We deliver a range of professional development tools for practitioners and employees. A leading IT qualification body, we offer a range of widely recognised qualifications.

Further Information

BCS, The Chartered Institute for IT,
First Floor, Block D,
North Star House, North Star Avenue,
Swindon, SN2 1FA, United Kingdom.
T +44 (0) 1793 417 424
F +44 (0) 1793 417 444
www.bcs.org/contactus

© 2012 British Informatics Society Limited

The right of the author(s) to be identified as author of this work has been asserted by him/her in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

All rights reserved. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted by the Copyright Designs and Patents Act 1988, no part of this publication may be reproduced, stored or transmitted in any form or by any means, except with the prior permission in writing of the publisher, or in the case of reprographic reproduction, in accordance with the terms of the licences issued by the Copyright Licensing Agency. Enquiries for permission to reproduce material outside those terms should be directed to the publisher.

All trade marks, registered names etc. acknowledged in this publication are the property of their respective owners. BCS and the BCS logo are the registered trade marks of the British Computer Society charity number 292786 (BCS).

Published by British Informatics Society Limited (BISL), a wholly owned subsidiary of BCS, The Chartered Institute for IT, First Floor, Block D, North Star House, North Star Avenue, Swindon, SN2 1FA, UK.
www.bcs.org

PDF ISBN: 978-1-78017-130-2
ePub ISBN: 978-1-78017-131-9
Kindle ISBN: 978-1-78017-132-6

British Cataloguing in Publication Data.
A CIP catalogue record for this book is available at the British Library.

Disclaimer:
The views expressed in this book are of the author(s) and do not necessarily reflect the views of BCS or BISL except where explicitly stated as such. Although every care has been taken by the authors and BISL in the preparation of the publication, no warranty is given by the authors or BISL as publisher as to the accuracy or completeness of the information contained within it and neither the authors nor BISL shall be responsible or liable for any loss or damage whatsoever arising by virtue of such information or any instructions or advice contained within this publication or by any of the aforementioned.

Typeset by Lapiz Digital Services, Chennai, India.