Cloud Computing for Social Economy SMEs
Deploying Open Source Social and Solidarity Financial Services Applications

Grace Coppola
Chaire de logiciel libre – Finance sociale et solidaire
December 2009 (document date: 2009-12-18)


Table of Contents

1 Introduction
  1.1 Objective
  1.2 Audience
2 Problem Description
3 What is Cloud Computing?
  3.1 Principal Characteristics of Cloud Computing
  3.2 Cloud Service Delivery Models
    3.2.1 Software as a Service (SaaS)
    3.2.2 Platform as a Service (PaaS)
    3.2.3 Infrastructure as a Service (IaaS)
  3.3 Cloud Service Deployment Models
    3.1.1 Public Clouds
    3.3.1 Private Clouds
    3.3.2 Hybrid Cloud
    3.3.3 Summary of Service Deployment Models
4 Cloud Computing Benefits and Drawbacks
  4.1 Cloud Computing Benefits
  4.2 Cloud Computing Drawbacks
5 Evaluation and Recommendations
  5.1 Evaluation Approach
  5.2 Evaluation Considerations
    5.2.1 SME Profile
    5.2.1 SME Business Concerns
    5.2.2 CICA Information Technology Control Guidelines
  5.3 Evaluation
    5.1.1 OFS Fit for Cloud Computing
    5.3.1 Service Delivery Model Fit
    5.3.2 Service Deployment Model Fit
  5.4 Recommendations
6 Conclusion
7 Bibliography
8 Appendix A: CICA Information Technology Control Guidelines
  8.1 Computer Operations and Information Systems Support
  8.2 Information Technology Security
  8.3 Business Continuity Planning and Information Technology Recovery


List of tables

Table 3-1 Cloud Computing Service Deployment
Table 4-2 Cloud Computing Benefits
Table 4-3 Cloud Computing Drawbacks
Table 5-4 Social and Solidarity Financial Services SME Profile
Table 5-5 Software Profile
Table 5-6 SME Business Concerns
Table 5-7 Application Fit for Cloud Computing
Table 5-8 Service Deployment Model Fit
Table 5-9 How Community Cloud solution addresses SME concerns

List of figures

Figure 1: Impact of cloud computing on the governance structure of IT organizations


Acronyms and Abbreviations

Term: Definition

API: Application Programming Interfaces

(the) Chair: The Chair for Open Source Software for Social and Solidarity Finance of the Department of Information Technology at University of Quebec at Montreal

CICA: Canadian Institute of Chartered Accountants

ENISA: European Network and Information Security Agency

IaaS: Infrastructure as a Service

IDE: Integrated Development Environment

IT: Information Technology

ITCG: Information Technology Control Guidelines (published by the CICA)

NIST: The US National Institute of Standards and Technology

OFS: Refers to the open source software for social and solidarity financial services. This software will be delivered by the Chair as a product line that includes a set of financial services applications. A name for the product line has yet to be given by the Chair; OFS is an acronym given by the author to facilitate the writing and reading of this paper.

PaaS: Platform as a Service

SaaS: Software as a Service

SLA: Service Level Agreement


1 Introduction

The Chair for Open Source Software for Social and Solidarity Finance of the Department of Information Technology at the University of Quebec at Montreal [1] has the goal of laying out the foundation for a family of open source software products for social and solidarity financial services. The Chair will act as the incubator for the development of the financial services product line of applications that would eventually be transferred over to the Chair’s funding partner, the Association Internationale du Logiciel Libre (AI2L) for the social economy. The AI2L provides the specifications for the software applications and will also distribute the software to its members in the social economy community.

The Chair’s understanding is that the majority of the organizations that are part of the social economy interested in the financial services applications to be developed are small and medium size enterprises (SMEs). Most of these organizations do not have sufficient resources to properly deploy and maintain such an application that is vital to their operation. The Chair has requested that a preliminary analysis be conducted to determine if the Cloud Computing model could be a viable solution for these SMEs.

Note: A simple definition of Cloud Computing is that it is a way of consuming and delivering IT and business services over the Internet. A more comprehensive definition is given in Section 3 of this document. “The term Cloud is a metaphor for the Internet and is a simplified representation of the complex, internetworked devices and connections that form the Internet.” [2]

1.1 Objective

The objective of this paper is to investigate whether Cloud Computing is a viable solution for social economy SMEs interested in deploying the open source software for Social and Solidarity Finance Services (OFS) product line.

1.2 Audience

This paper has been requested by the chairman of the Chair, Professor Louis Martin, and will also be presented to the Chair’s funding partner, AI2L. The AI2L is made up of 3 organizations from France and 3 from Quebec, Canada. They are:

• MACIF
• Crédit-Coopératif
• Groupe Chèque Déjeuner
• Caisse d'économie solidaire Desjardins
• Filaction
• Fondaction CSN.

This document assumes the reader has some Information Technology (IT) technical knowledge and is interested in understanding the basic characteristics of Cloud Computing, its advantages and disadvantages, the various Cloud Computing models that currently exist and how those models support the needs of organizations.

[1] In French: La Chaire de logiciel libre - Finance sociale et solidaire; it will be referred to as the Chair in the rest of this document.

[2] What Is Cloud Computing? Cloud Security and Privacy, 1st Edition, by Tim Mather, Subra Kumaraswamy, and Shahed Latif, chapter 2, page 22, [BB-1]


2 Problem Description

The AI2L’s objective is to provide and distribute the open source software developed by the Chair to financial institutions and enterprises of the social economy. The majority of these enterprises will be small and medium size enterprises (SMEs). Typically SMEs are not well served by in-house IT resources. They have smaller IT departments with less diversely skilled human resources than larger enterprises. SMEs often find it difficult to justify IT projects, which leads to low levels of IT investment and outdated infrastructures. This eventually leaves the IT team unable to respond to and support the business needs properly and effectively. What financial services SMEs require from their IT department is very much the same as what larger enterprises require: availability, performance and, more importantly, data security and privacy.

Many of these SMEs will not have the resources to properly install, configure, operate, administer, maintain and support the OFS application that would be vital to their operations. Examples of the types of support services being referred to are:

• System installation and configuration
• Access Management Services
• Security services
• Software upgrades
• Data backup and recovery
• Performance tuning.

A possible solution for these SMEs is to use a Cloud Computing IT services delivery model. This paper investigates the various types of Cloud Computing and their advantages and disadvantages. Recommendations are made regarding which type of Cloud Computing model is best suited to the SMEs in question wishing to deploy OFS applications.


3 What is Cloud Computing?

The United States National Institute of Standards and Technology (NIST) definition of Cloud Computing is: “Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” [3]

Cloud Computing has emerged thanks to a number of extremely efficient and massively scalable data centers whose operators decided to leverage their data center investment by offering their computing infrastructure to external organizations as a service. The services offered give their customers a different way of building, deploying and selling IT services at a lower cost, where the customers pay for these services on a pay-per-use model.

Clouds basically consist of a large pool of easily usable and accessible virtualized computing infrastructure resources (such as hardware, development platforms and services). These resources can be dynamically reconfigured to adjust to a variable load, allowing for optimum resource utilization.

There are several key factors in the IT industry today that are leading to the adoption (or at least interest) of Cloud Computing and its promise of lower IT cost, they are:

• Improved use of infrastructure resources through virtualization. Virtualization is the key enabling technology for Cloud Computing; it is the technology that facilitates the on-demand sharing of resources and security by isolating the resources. Virtualization allows a server to act as many independent virtual servers. Since everything is ‘virtual’, it becomes extremely easy to make changes as needed to the computing environment

• Advances in the quality and span of many open source software products have made them ready for large scale deployments

• Automation advances in data center management

• Increased data center density due to multi-core chips and blade server technology

• Ongoing reduction of Internet latency and bandwidth costs is making it possible to consume large quantities of computing resources remotely.

In short, Cloud Computing is about scalability and paying only for the resources used, as in a utility model. It is enabled by advances in virtualization technology, open source software, Internet technology, data center management and compute capacity and, as will be seen in the next sections of this paper, by improved Cloud Computing architectural frameworks.

3.1 Principal Characteristics of Cloud Computing

Cloud Computing is based on five essential characteristics that distinguish it from the more traditional computing approaches.

1. Abstraction of Infrastructure
Traditional computing approaches assumed computing infrastructure resources dedicated to a single user or owner. Cloud Computing is based on a business model where infrastructure resources are pooled and shared to deliver services. Virtualization technology makes it possible to abstract the underlying IT infrastructure to deliver the needed resources to an application. With virtualization one server is made to act as many completely independent virtual servers; a Cloud provider can then serve its many customers/consumers using a multi-tenant model. The physical and virtual resources are assigned and reassigned according to consumer demand using Application Programming Interfaces (APIs).

[3] The NIST Definition of Cloud Computing, by Peter Mell and Tim Grance, Version 15, 10-7-09

2. On-demand self service
In Cloud Computing the services offered by a service provider can be for resources of type infrastructure, application or information. The pooled resources are accessible to authorized users through standardized methods, allowing consumers to self-provision the resources on demand without human interaction with the Cloud provider.

3. Ubiquitous Network Access
Cloud Computing resources and services are made available over the network and are accessible through standard thin and thick client mechanisms.

4. Rapid Elasticity
Cloud Computing's on-demand scalability and its ubiquitous, reliable and high-speed connectivity allow users to rapidly upsize or downsize resource allocation to as-needed capacity. This also allows for better utilization of resources and the releasing of resources when no longer needed.

5. Utility Model of Consumption and Allocation (Pay per use)
Cloud Computing uses a measured-service, utility-cost usage model where the Cloud provider controls and monitors resource consumption and the user pays only for the resources used.

3.2 Cloud Service Delivery Models

There are three types of Cloud Computing service delivery models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The following sections provide a brief description of each.

3.2.1 Software as a Service (SaaS)

SaaS is an alternative to locally running software applications. In this model the consumer does not purchase the software/application; instead the consumer uses, or rents on a pay-per-use model, the Cloud provider’s applications running on a Cloud infrastructure. The software is typically accessible through any authorized device, mostly thin client interfaces (e.g. Internet browsers). The consumer does not manage or control any of the Cloud infrastructure resources (servers, software, storage, network), nor the application capability except for some limited user-specific application configuration settings, using an Application Programming Interface (API). The key difference between the traditional software model and the SaaS model is the number of ‘tenants’ the software application supports. With SaaS the application is shared by many customers but is logically unique to each customer, with securely differentiated data belonging to each tenant/customer.

The main benefit of SaaS is that the organization outsources the hosting and management of applications to a Cloud service provider, reducing the cost required for infrastructure resources, personnel to manage and support these resources and the cost of application software licenses.

3.2.2 Platform as a Service (PaaS)

In a Platform as a Service delivery model the Cloud provider offers a development environment to developers, who develop applications using the programming languages and tools supported by the provider. Those applications are then offered as services through the Cloud provider’s platform. PaaS is a variation of SaaS where the development environment is the service being offered. An application developed in a PaaS model benefits from highly productive integrated development environments (IDE). Developers use the Cloud provider’s building blocks to create applications without having to install tools on their computer, and then deploy the applications without needing specialized system administration skills. The PaaS model is most useful for general developers and start-up companies wanting to quickly deploy web-based applications without incurring the cost and complexity of buying servers and having to configure and maintain them. The consumer does not manage or control the underlying Cloud infrastructure resources but does have control over the deployed applications and possibly the application hosting environment configurations.

Typically the Cloud provider not only develops the tools and standards for development but also the channels for distribution and payment. In the PaaS model the Cloud provider receives payment for providing the development environment, and also for the sales and distribution services of the deployed application.

3.2.3 Infrastructure as a Service (IaaS)

In an Infrastructure as a Service delivery model the Cloud provider provides the infrastructure resources for consumers to run their application, with the added features of a pay-per-use and scalability services to handle the peaks and troughs of consumer demand. The consumer does not manage or control the underlying Cloud infrastructure but does have control over operating systems, storage, deployed applications, and possibly some select networking components like firewalls and load balancers.

Through virtualization technology the provider is able to split, assign and dynamically resize resources as needed to meet the customer’s demand, allowing applications to easily scale to high workloads and release resources when no longer needed. The consumer pays for the amount of computing resources, memory, disk space that they actually consume. In this model the customer gets access to best of breed technology IT solutions at a fraction of the cost.

With IaaS the Cloud provider has total control of the infrastructure; the consumer has control over the geographic location of the infrastructure and what runs on each server. With IaaS the consumer has more control than with SaaS or PaaS. IaaS allows consumers to properly address security and compliance concerns, since the applications are under the control of the customer: even though they run on virtual machines, they are logically separate from other virtual machines running on the same physical machine.

IaaS is the foundation of all Cloud services with PaaS building upon IaaS, and SaaS building upon PaaS.

3.3 Cloud Service Deployment Models

Along with the three Cloud Computing service delivery models (SaaS, PaaS, IaaS) there are two primary ways in which Cloud services are deployed, known as Private and Public Clouds. The Cloud service Deployment Models address elements such as:

• “Who manages the Cloud
• Who owns it
• Where it’s located
• Who has access to it.” [4]

[4] Security Guidance for Critical Areas of Focus in Cloud Computing, by Cloud Security Alliance, April 2009, [BA-2]

Private and Public Clouds are defined based on the relationship of the Cloud to an organization, more specifically who consumes the services and who is responsible for the management, security, availability, governance, and compliance of policies and standards of Cloud services for an organization.

3.1.1 Public Clouds

Public Clouds are hosted, operated and managed by a designated service provider (third party vendor) from one or more data centers, offering services to multiple tenants with all the benefits and functionality identified by the five principal characteristics of Cloud Computing (see Section 3.1 Principal Characteristics of Cloud Computing). The Cloud service provider makes resources (infrastructure resources or applications) available to the general public over the Internet.

Public Cloud services may be free or offered on a pay-per-usage model. Security management and day-to-day operations are controlled by the Cloud service provider. The consumer has a low degree of control and visibility over the security aspects and over the physical and logical resources.

3.3.1 Private Clouds

Private Clouds are built using the same technologies as Public Clouds, the difference being that the infrastructure resources belong to a specific organization. Resources are typically not shared outside the organization and full control of the operation is maintained by the organization. The services provided have all the benefits and functionality of the elasticity and utility model of Cloud Computing, without the concerns of security and reliability.

Typically with Private Clouds the physical resources are owned by and/or physically located in the organization’s data centers. As another option, the physical resources are owned by and/or physically located at a designated service provider (off-premise), with management and security controlled by the designated service provider for the organization and with no sharing of resources with other organizations.

Private Clouds are more likely to be considered by larger organizations and government departments. Private Clouds offer all the benefits of Public Clouds but are hosted inside the organization’s firewall; hence full control over security and data access is maintained by the organization.

In this model consumers can scale on demand and are charged usage fees for resources used in the same manner as a Public Cloud service provider would charge its consumers. It is a known fact in the IT industry that most computing resources, such as database servers, application servers, and networks, are underutilized, typically running at only a small percentage of their capacity at any given time. The appeal for organizations is that Cloud Computing is a great model for optimizing the use of hardware and software, using virtualization and other technologies used in Public Clouds.

Private Clouds come in a variety of patterns. The following are the key ones as described by the Cloud Security Alliance [5]:

1. Dedicated: the Cloud is hosted within the organization’s data center or server farm and operated by the internal IT division.

2. Community: the Cloud infrastructure is shared by several organizations. It is controlled and used by a group of organizations that have shared interests, for example mission, security requirements, standards, policy, and compliance considerations.

3. Managed: the Cloud infrastructure is owned by and/or physically located in the organization’s datacenters, and day-to-day operations and the management of security are assigned to a third-party service provider with contractual Service Level Agreements (SLAs). As a result the customer has control and transparency of all aspects of the private Cloud infrastructure.

[5] Ibid.

3.3.2 Hybrid Cloud

The Hybrid Cloud model is basically an environment where an organization uses a combination of Public and Private Cloud service offerings. In this model an organization may run non-core applications in a Public Cloud, but run the core applications and keep sensitive data within its Private Cloud.

3.3.3 Summary of Service Deployment Models

The table below summarizes characteristics of Public Cloud and the various Private Cloud Deployment Models with regards to their relationship to infrastructure location, who manages the Cloud and who owns it.

Table 3-1 Cloud Computing Service Deployment

| Deployment model | Managed by (1) | Infrastructure Owned by (2) | Infrastructure Location (3) | Accessible and Consumed by (4) |
|---|---|---|---|---|
| Public | Third Party Provider | Third Party Provider | Off-Premise | Untrusted |
| Private - Dedicated | Organization | Organization | On-Premise | Trusted |
| Private - Community | Prime Community Organization | Community | On (Community) Premise | Trusted |
| Private - Managed | Third Party Provider | Third Party Provider | On Premise / Off Premise | Trusted or Untrusted |
| Hybrid – combination Public and Private | --- | --- | --- | --- |

(1) Management includes: operations, security, compliance, etc.
(2) Infrastructure implies physical infrastructure such as facilities, compute, network and storage equipment.
(3) Infrastructure Location is both physical and relative to an Organization’s Management umbrella.
(4) Trusted consumers of service are those who are considered part of an organization’s legal/contractual umbrella including employees, contractors, & business partners. Untrusted are those that may be authorized to consume some/all services but are not logical extensions of the organization.

Source: Cloud Security Alliance [6]

[6] Ibid.


4 Cloud Computing Benefits and Drawbacks

4.1 Cloud Computing Benefits

Cloud Computing provides an option for business organizations that wish to realign their business strategy and devote resources and time to creating new business solutions to meet business needs, instead of spending resources on IT operations.

The following table lists a number of benefits that Cloud Computing offers.

Table 4-2 Cloud Computing BenefitsBenefits Description

Cost Lower cost is the core benefit of Cloud Computing. Cloud Computing services should be less expensive than solutions deployed in traditional data centers since:• Customers pay only for what they use based on units of storage, time or

other means • Customers avoid capital expenditure in IT infrastructure resources

(hardware, communication, and software) • Customers avoid costs for maintaining the IT infrastructure, the support staff

to maintain the resources and the software licensing costs.

Access over the Internet

Clouds are accessed over the Internet making business applications accessible from any location using using standard clients. The Internet also provides access to many other valuable services like ecommerce APIs, social networking sites, and of course other Clouds. This provides organizations the ability to combine with other Cloud services to create powerful customer services.

Expandability / Elasticity

Expandability means greater flexibility, customers can easily add as much capacity as they need allowing for improved business performance when most needed and can reduce capacity just as easily.

This benefit is also related to the cost benefit in that it avoids having to invest in IT infrastructure that sits waiting until it is needed.

Speed to implementation

In can take only a few days or in some cases hours to implement an application in a Cloud. A simple sign up, in most cases, gives access to the needed Cloud resources. Compared to the traditional method where organizations have to go through purchasing hardware and software, installation, testing, deployment, and dealing with the various human resources to become operational one can easily see the benefit of this aspect of Cloud Computing.

It’s green Cloud Computing is environmentally friendly, since organizations share computing resources, and thus should lead to the reduction of electric power consumption by virtue of some very power-hungry data centers closing down.

This benefit of Cloud Computing is of value for those organization that see business benefits in being ‘green’, it allows them to walk the talk. For enterprises that are part of the social economy community, using a greener approach to computing could be an added value.

Page 13: Cloud Computing for Social Economy SMEs - [Chaire de logiciel

DATE Page

Cloud Computing for Social Economy SMEs 2009-12-18 13 / 30

Security

Cloud providers know that security is a main barrier for most organizations and are implementing better security solutions. Cloud Computing platforms can be as secure as, or even more secure than, on-premise systems. “...the Cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but Cloud-based defences can be more robust, scalable and cost-effective.”7

Some examples of Cloud Computing security benefits are:
• Security measures are cheaper when implemented on a larger scale; a service provider can buy and implement better protection, like filtering, re-routing, multiple locations and more timely response to security threats
• Patch management: ability to roll out new security patches more efficiently
• Audit and evidence gathering: can provide dedicated resources for keeping more cost-effective and comprehensive security audit logs for diagnostics, without having to bring down servers running business applications.

Diversification / Innovation

Clouds provide organizations the ability to diversify the use of IT systems in ways they would otherwise not consider; this can bring about the potential for new business opportunities and new markets.

Cloud Computing infrastructures can be used by an organization to test or assess new applications and to engage in cooperative development with partners, enhancing business efficiency and innovation capacity.

Cloud Computing and the solutions it provides are new and innovative. It is fully expected that Cloud Computing and its provided solutions will continue to evolve and provide innovative features. This momentum of continued innovation and improvement in itself provides value to organizations that will leverage their operations on Cloud Computing.

In addition, Cloud Computing provides customers IT resources that are managed by skilled IT personnel who understand how to best use the latest technologies.

Business continuity and resiliency

Cloud Computing makes it easier for organizations to introduce business continuity and disaster recovery capabilities, by using Cloud resources for redundancy.

4.2 Cloud Computing Drawbacks

There are concerns with Cloud Computing that organizations thinking of venturing into this space need to consider, assessing the risks. Most of the concerns are based on the introduction of risks when an organization depends on another company it does not own or control. The concerns have to do with the service provider’s ability to provide the needed services, governance, level of security and availability.

Following is a table that outlines the main drawbacks of Cloud Computing.

7 Benefits, risks and recommendations for information security, ENISA, November 2009, [BA-5]


Note: The drawbacks have to do mainly with Public Cloud Computing.

Table 4-3 Cloud Computing Drawbacks

Drawbacks | Description

Control

Cloud Computing means that an organization gives up control of aspects of its IT infrastructure which execute its business applications. This places the organization at the mercy of the service provider, who now controls the infrastructure that hosts the enterprise’s files, data and processes. Following are some possible scenarios that may arise:
• Possibility of being shut out of the Cloud if the organization inadvertently violates some policy
• The service provider goes out of business and hence shuts down business services, leaving the customer without access to their data
• The provider is sold to another company, which decides that the services the organization is using are no longer profitable and discontinues the services
• A service provider performs fixes and updates or retires older versions of infrastructure resources, forcing the Cloud user into costly, untimely, and possibly unwanted changes.

Security

The previous section of this document outlines some benefits of Cloud Computing from a security point of view. Following are some security risks that Cloud Computing brings about:
• Isolation Failure: due to the nature of Cloud Computing with its multi-tenancy and shared resources characteristics, there is a risk of failure in the infrastructure that provides separation of storage and memory between the various tenants, potentially exposing important information. Note, however, that attacks on virtual servers are more difficult than attacks on traditional Operating Systems
• Data Protection: it may be difficult for Cloud consumers to effectively verify the lawful data handling practices of their service provider
• Malicious insider: possibility that a service provider insider may be tempted to sell the data to competitors or other organizations for whom the data is deemed valuable
• Lack of liability on the service provider in case of security incidents.

Cost

The previous section in this document outlined a number of cost benefits. Following are cases when Cloud Computing is not so cost effective:
• “When the service providers’ pay per use scheme is not clear
• Uncontrolled variable costs
• The cost and challenges of migration to the Cloud and any special features required by the application”8
• Moving an existing application from an in-house environment to a Cloud Computing environment is in general not cost effective, since many of the expenditures have already been made.

Lock-in

There are currently few or no standards in terms of data formats or service interfaces that could guarantee data, application and service portability between Cloud providers.

Some Cloud platforms are proprietary in nature, introducing a dependency on the Cloud provider. Once an application is developed in the service provider’s environment, it can be very difficult or costly to migrate data or services to another Cloud provider or back into the organization’s environment.

Compliance

For organizations that are required to provide audit compliance, Cloud Computing providers may not provide the logging and auditing features required by law for compliance. Also, it would be difficult for the customer to obtain assurance and details to ensure that the Cloud provider is doing the right thing.

Another concern is the inconsistency between national and international laws, making it difficult for service providers to offer compliant services.

Service Level Agreements (SLA)

A SLA is a service contract between the service provider and the customer which formally defines the required level of service that has been negotiated and mutually agreed upon. A SLA should contain details regarding levels of support, guaranteed levels of system performance related to downtime, and penalties for service violations. In today’s environment many Cloud providers do not provide SLAs.

8 Ibid.


5 Evaluation and Recommendations

The objective of this section is to conduct an analysis to determine if Cloud Computing is a viable solution for social economy SMEs interested in deploying the OFS product line of applications to be developed by the Chair.

5.1 Evaluation Approach

The analysis approach taken is to examine three aspects:
1. The OFS application profile
2. The perceived concerns of the targeted SMEs
3. Some of the Information Technology Control Guidelines (ITCG) published by the Canadian Institute of Chartered Accountants (CICA), since OFS is a set of financial applications.

All of the above aspects are considered to determine if Cloud Computing is a viable solution for the SMEs. The analysis starts with determining whether OFS is itself a candidate application for Cloud Computing. If the application does turn out to be a good fit for Cloud Computing, then determine which Cloud Service Delivery Model and which Cloud Service Deployment Model best addresses the enterprises’ needs and concerns.

5.2 Evaluation Considerations

5.2.1 SME Profile

This section provides a brief profile of the types of SMEs that the Chair understands participate in the social economy and for which the Chair is developing OFS.

The category SME is really a measure of the business’s complexity, which includes its revenue base, the number of products, channels, countries it operates in, and the supply chain integration with 3rd parties.

The following table outlines the Chair’s current understanding of the type of SMEs it is developing the software for.

Table 5-4 Social and Solidarity Financial Services SME Profile

| Element | Description | Notes |
| --- | --- | --- |
| SME definition as per European Commission9 | Employees: < 10 and up to 250. Annual Turnover: < or = 2 Million Euros and up to 50 Million Euros. | |
| Services provided | Financial services, for example: loans, savings accounts, insurance | |
| Organization locations | Initially France and Quebec, Canada | But not limited to these locations, the application needs to be designed to be implemented in any country and support multiple languages and subject to different laws and legislation |
| Number of clients | 20 – 10000 | This is the Chair’s current assumption |
| Currently SMEs have software applications to support their services | Not all SMEs | |
| Currently SMEs have IT support staff that will be able to install, configure and maintain OFS | Not all SMEs | |
| Acceptable downtime in case of failure | Maximum 1 day | This is the Chair’s current assumption |

9 The new SME definition: User guide and model declaration, European Commission, 2003

The following table outlines the profile of the OFS software to be developed by the Chair.

Table 5-5 Software Profile

| Element | Description |
| --- | --- |
| Open source licence | GNU GPL |
| User Interface | Web based, Internet browser |
| Data base | Open Source PostgreSQL |
| Source Code | Java and Grail |
| Product Line | Loosely coupled family of financial services products |

5.2.1 SME Business Concerns

The assumption being made here is that the social and solidarity finance SMEs thinking of adopting Cloud Computing as a style of computing would have basically the same concerns identified in the previous Section 4.2 Cloud Computing Drawbacks.

Table 5-6 SME Business Concerns

Concerns | Description

Control

The organization gives up control of all or some aspects of its IT infrastructure, including the data which supports the business. Other control concerns include cases where the Cloud provider goes out of business, leaving the customer organization scrambling for a solution.

Security

Security is one of the main concerns for all businesses thinking of adopting a Cloud Computing model. Areas of concern are:
• Lack of isolation of storage and memory between the various tenants of the Cloud
• Data Protection, in that it is difficult to effectively verify the lawful data handling practices of cloud providers
• Possibility of malicious insiders on the service provider side
• Lack of liability of the service provider in case of security incidents.

Cost

Although cost is one of the main reasons why an organization would choose Cloud Computing, there are several issues that an organization needs to be aware of to ensure the Cloud Computing solution put forth is cost effective, for example an unclear service provider pay per use scheme and uncontrolled variable costs.

Compliance

Since the SMEs will be implementing financial services applications, the Chair fully expects that these organizations will be required to provide some form of audit compliance. Cloud Computing providers may not provide the logging and auditing features required by law for compliance.

Also expected is that the SMEs will be from different parts of the world, with definite differences in compliance requirements between national and international laws.

Service Level Agreements

The SMEs will require SLAs to ensure their applications are available when needed and perform at acceptable levels. In today’s environment many Cloud providers do not provide SLAs. It is expected that as larger enterprises adopt Cloud Computing, service providers will be committing to SLAs; as an effect, the service providers will pass the cost of providing specific levels of service on to the customer.

Ability to migrate the system back in-house

A SME may decide to initially go the Cloud Computing route since the upfront costs for IT are minimal, but later may decide to migrate the application to an in-house IT infrastructure.

5.2.2 CICA Information Technology Control Guidelines

The Information Technology Control Guidelines (ITCG) are published by the Canadian Institute of Chartered Accountants (CICA). “The value of ITCG is in its focus on a specific area of risk control and its assistance in allowing IT controls to be designed and implemented appropriately.”10

The guide describes the control objectives, standards and techniques applicable to seven different areas:

1. Responsibility for risk management and control
2. Information technology planning
3. Information systems acquisition, development and maintenance
4. Computer operations and information systems support
5. Information technology security
6. Business continuity planning and information technology recovery
7. Application based controls.

For the purpose of determining which considerations would be applicable to SMEs trying to decide whether Cloud Computing is a good model, only three of the above areas are considered:

1. Computer operations and information systems support
2. Information technology security
3. Business continuity planning and information technology recovery.

10 Information Technology Control Guidelines, 3rd Edition, by the Canadian Institute of Chartered Accountants, Principal Author - Deloitte & Touche, 1998


Appendix A provides the description of the above controls, as outlined in the guide, that are deemed pertinent. Following is a summarized list of the controls:

1. Computer Operations and Information Systems Support

This area addresses the implementation of guidelines and standards to ensure reliable, available, cohesive, effective and controlled operations services. Some of the key controls are:

• The need for formal service level agreements
• Procedures to monitor operations and service delivery performance
• The need to establish measurable performance criteria for availability, response time, quality of service and support
• The need for off-site backup procedures to support business continuity and recovery requirements
• Procedures required to protect against and minimize damage or disruptions from computer viruses
• The network should ensure integrity, confidentiality and availability requirements for information transmissions.

2. Information Technology Security

Implementation of guidelines and standards to ensure the integrity, confidentiality and availability of information technology resources, such as:

• Security mechanisms in place to ensure data confidentiality
• Security mechanisms in place to ensure authorized access to IT components
• Appropriate physical access to IT resources
• Identification and authentication of users accessing resources
• Use of encryption to protect identification and authentication data transmitted across the network
• Location of resources protected from threats of sabotage, terrorism, vandalism and other physical risks.

3. Business Continuity Planning and Information Technology Recovery

Implementation of backup, off-site storage and recovery procedures to ensure ongoing continuity of critical business functions in the event of a significant disruption to normal business operations. The guidelines described in the guide are very similar to the business continuity concerns outlined in the previous Section 4.1 Cloud Computing Benefits. They include:

• Backup and recovery services: depending on the service model type, the SMEs need to be able to back up and recover their data in a timely fashion
• Access Management: depending on the SME, the organization needs to properly manage access to its application.

5.3 Evaluation

As stated earlier the evaluation to determine if Cloud Computing is a viable solution for SMEs wanting to implement OFS takes into consideration the software application profile, the SMEs profile and their concerns.

Cloud Computing is an evolving style of computing and there are no hard and fast documented rules to determine whether Cloud Computing is the solution for an application and for the business enterprise. The book by David S. Linthicum11 identifies a number of criteria that help to determine when Cloud Computing is a good solution for an application. Although the OFS application has not yet been developed, the Chair does know the software architecture and design principles the application will be adhering to.

11 Cloud Computing and SOA Convergence in Your Enterprise: A Step-by-Step Guide, David S. Linthicum, 2009


5.1.1 OFS Fit for Cloud Computing

The elements outlined in the following table are based on the book by David S. Linthicum12. The ‘Fit’ is based on the Chair’s adopted design principles for the application as they are understood today.

Table 5-7 Application Fit for Cloud Computing

| Element | Description | OFS Fit |
| --- | --- | --- |
| Loosely coupled applications | Processes, applications, and data that are mostly independent of other applications or information are a good fit for Cloud Computing. Processes, applications and data that are tightly coupled or interdependent with other applications will be difficult, if not impossible, to decouple and operate independently on a remote platform. | Yes |
| Integration points are well defined | Well-defined points where the application can share data, behaviour, and processes mean that the application is easy to integrate with applications executing in the enterprise. If the integration points or the mechanisms to synchronize information and processes hosted on the Cloud with those systems that exist within the enterprise are not well defined, then integration between the systems becomes a high risk. | Yes |
| Lower level of security is acceptable | The information contained within the Cloud Computing environment requires a low level of security, meaning it would not be a complete disaster if the information got out. Systems that require a high level of security are rare. Examples are: “new products and solutions not yet protected by a patent, specific know-how, research results, customer and project information.”13 Typically Cloud Computing provides ‘good enough’ security for commercial systems. | Yes |
| Control is not critical | The enterprise can afford to outsource a critical component to a service provider who is less than 100% reliable. | Yes, acceptable downtime in case of failure can be as high as 1 day |
| Core internal enterprise architecture is healthy | A core internal enterprise architecture that is healthy means that the internal IT department has the systems it manages in order, therefore making it much easier to integrate Cloud Computing systems into the architecture. If the enterprise architecture is dysfunctional, then extending to outside systems will be very risky. | Yes, if implementing the complete OFS Product Line |
| Application is web based | Cloud Computing uses the Internet to access remote servers located anywhere in the world. The user interface is within a browser. | Yes |
| Cost is an issue | As discussed earlier, there are some clear cost benefits to Cloud Computing. For an organization wanting to build and deploy an application economically, Cloud Computing is the way to go. | Yes |
| New applications | It is easier to deploy new applications on Cloud platforms than it is to migrate existing applications. | Depends, SME may have an existing application it wishes to migrate to OFS |
| Varying degrees of demand | The application has varying degrees of resource demands (computing power, storage). Example: seasonal, month end, year end. | Yes, but minimal, e.g. additional processing required during tax season |

12 Ibid.
13 European Network and Information Security Agency (ENISA), [BW-4]

Based on the above elements and the current understanding of the architecture and design principles that have been adopted by the Chair, OFS is a good fit for Cloud Computing.

5.3.1 Service Delivery Model Fit

In the previous section we established that OFS is a good fit for Cloud Computing. The next step is to determine which service model would be most appropriate for OFS and the SMEs’ business.

As described in Section 3.2 Cloud Service Delivery Models, there are 3 types of Service Delivery Models for Cloud Computing. They are:

1. Software as a Service (SaaS)
2. Platform as a Service (PaaS)
3. Infrastructure as a Service (IaaS).

Since the PaaS model is about the Cloud Computing service provider providing a development environment for developing applications, and the OFS software will be developed by the Chair in its own development environment, the PaaS model is not considered for this evaluation.


The distinguishing factor between SaaS and IaaS is who controls what resources in the Cloud. The figure below provides a summary of this relationship.

| Infrastructure as a Service | Who controls | Software as a Service | Who controls |
| --- | --- | --- | --- |
| Application | Organization has control | Application | Service provider has control |
| Virtual Machine | Organization shares control with service provider | Services | Service provider has control |
| Server | Service provider has control | Server | Service provider has control |
| Storage | Service provider has control | Storage | Service provider has control |
| Network | Service provider has control | Network | Service provider has control |

Figure 1: Impact of cloud computing on the governance structure of IT organizations
Source: Figure adapted from [BB-1]14

For those SMEs who have the IT resources to manage, support and configure OFS the IaaS delivery model is a good option, since it gives an SME control over the application, and the SME only uses the Cloud provider infrastructure resources.

For SMEs who do not have the IT resources to manage, support and configure OFS, the SaaS delivery model is the better fit. This means that the organization would relinquish complete control of the application to the service provider. The SME does not own the application, and it is shared by other enterprises. The big assumption here is that there would be a Cloud Computing service provider available to rent/provide OFS as a service.

Based on the above, a SME can adopt a Cloud Computing service delivery model of either IaaS or SaaS, depending on the maturity of the IT department in the organization or whether the organization has the IT staff to support the OFS application.

5.3.2 Service Deployment Model Fit

Besides the Cloud Computing Service Delivery Model, we need to determine which Service Deployment Model would best suit the social economy SMEs. As described in Section 3 What is Cloud Computing?, the two primary service deployment models are Public and Private. The Service Deployment Models are differentiated by the relationship between the Cloud provider and the organization, which is defined by the elements identified in Section 5.2.1 SME Business Concerns and 5.2.2 CICA Information Technology Control Guidelines.

The following table shows those concerns and indicates how well each type of Cloud deployment model can alleviate those concerns.

Note: The ratings attributed are based on the author’s understanding of the SME needs.

Table 5-8 Service Deployment Model Fit

| Elements of SME concern | Public | Private |
| --- | --- | --- |
| Organization gives up control (also addressed in CICA-ITCG) | Yes [ - ] | No [ + ] |
| Provides needed level of Security (also addressed in CICA-ITCG) | No [ - ] | Yes [ + ] |
| Cost savings - due to economy of scale, pay per use | Yes [ + ] | No [ - ] |
| Potential for uncontrolled costs | Yes [ - ] | No [ + ] |
| Compliance – ability to provide required logging and auditing features | No [ - ] | Yes [ + ] |
| Service-level agreements – to ensure needed performance and availability (also addressed in CICA-ITCG) | No [ - ] | Yes [ + ] |
| Ability to migrate | No [ - ] (the Cloud provider may modify the source code) | Yes [ + ] |
| Other CICA ITCG concerns | | |
| Monitoring of operations, performance and quality of services and support | No [ - ] | Yes [ + ] |
| Data confidentiality, authentication support | No [ - ] | Yes [ + ] |
| Physical Access and protection of IT resources | Yes [ + ] | Yes [ + ] |
| Business Continuity | No [ - ] believe can provide backup facilities, not sure about timely recovery facilities | Yes [ + ] |

14 What Is Cloud Computing? Cloud Security and Privacy, 1st Edition, by Tim Mather, Subra Kumaraswamy, and Shahed Latif, chapter 2, page 30, [BB-1]

Based on the above, the Private Cloud Service Deployment Model is the better fit for the SMEs. Private Cloud offers all the benefits of Cloud Computing without the concerns for security and privacy.

5.4 Recommendations

As seen in the previous section, OFS is a good fit for Cloud Computing. The Service Delivery Model can be either SaaS or IaaS. If the SME organization has the IT staff to support the operations, then the IaaS model is a good option; if not, then the SaaS model is a better choice, since the organization need not concern itself with any IT activities: it only uses the application and pays for whatever resources and services it uses.


As for which Cloud Computing Deployment Model best addresses the SME business and ITCG concerns, based on the evaluation conducted in Section 5.3.2 Service Deployment Model Fit, the Private Cloud Computing model is the better fit.

There are 3 types of Private Clouds: Dedicated, Community and Managed. The SMEs’ profile suggests that most cannot afford to own or operate a dedicated Private Cloud, nor pay a 3rd party vendor to manage or operate an IT infrastructure for them. The third option, Community Cloud Computing, is worth looking into a little further.

The Community Cloud infrastructure is controlled and used by several organizations that have shared interests. The SMEs interested in the OFS product line share an interest in providing financial services for the social economy; they need to abide by similar standards and compliance regulations, and require similar levels of control, security, availability and services such as backup and recovery.

The question with a Private Community Cloud solution is who will host and manage the IT infrastructure services. An opportunity exists for one of the larger organizations that are members of the AI2L to take on the role of Community Cloud service provider for other SMEs that are part of the social economy. That organization would of course charge the SMEs appropriate fees based on resource usage.

Another option would be the creation of a cooperative where the SMEs pool their resources to create a Cloud infrastructure to provide services to each other. The co-op would operate and manage the Private Community Cloud for the member SMEs. The co-op could provide both SaaS and IaaS services depending on the individual needs of the SMEs. Following are examples of SaaS services that the Community/Co-op Cloud service provider would provide:

• All the needed IT infrastructure resources with on-demand scalability
• OFS installation
• OFS application configuration
• Application support
• User Access Management services
• Backup and recovery services.

For an SME opting for the IaaS Service Delivery Model, the Community/Co-op service provider would basically provide:

• All the needed IT infrastructure resources with on-demand scalability
• Backup and recovery services.

The Community Cloud is a solution that addresses most of the SMEs’ concerns. The following table lists the Cloud Computing drawbacks and SME concerns as outlined in previous sections of this paper, and describes how a Community Cloud addresses those concerns.

Table 5-9 How Community Cloud solution addresses SME concerns

SME Concerns | Community Cloud Solution description

Control

An SME gives up control of all or some aspects of its IT infrastructure to the Community/Co-op Cloud provider. Since the SMEs are members of the co-op, this helps to remove any concerns of the Cloud provider going out of business, leaving the SME organization scrambling for a solution.

Security

All the SMEs will require the same level of security. The co-op members would pool their resources into the Community Cloud to provide the needed security solutions. For most of the SMEs, the solutions provided by the Community Cloud would be better than their current security solutions.

Cost

Being a co-op, all members would be involved in helping put forth an acceptable payment scheme and need not be concerned about unclear pay per use schemes or uncontrolled variable costs.

Compliance

The Chair believes that appropriate audit compliance, including logging, needs to be an inherent feature of the software. The Cloud service provider needs to provide the resources to execute those features.

The SMEs will be located in different parts of the world, with different compliance requirements in national and international laws. This feature must be built into the software to be able to address such flexibility requirements.

Service Level Agreements

The co-op would define and manage the required SLAs to ensure the member SMEs can provide the required level of service to their own clients.

Ability to migrate the system back in-house

A SME may decide to initially go the Cloud Computing route since the upfront costs for IT are minimal, and later may decide to migrate the application in-house. Since the Chair is developing OFS as open source software, using open source technologies and open standards, there should be no issues for an SME to migrate data or services to another Cloud provider or into its in-house IT environment.


6 Conclusion

The aim of this study was to investigate whether Cloud Computing is a viable solution for social economy SMEs interested in deploying the open source software for Social and Solidarity Financial Services to be developed by the Chair, and to make recommendations as to what the Cloud Computing environment would look like to serve that community.

The technologies Cloud Computing uses are not new. Cloud Computing is an emerging computing model for provisioning scalable services over the web as computing utilities; it is more of a change in business model than anything else.

The main advantages of Cloud Computing have to do with lower computing costs, faster time to market, on-demand self-service and rapid elasticity of computing resources. The main concern of Cloud Computing is that of trust. The computing model is not yet mature, hence there exist a number of concerns about confidentiality, availability and reliability, which for some enterprises need to be proven before they can trust this model. These concerns translate into risks, which can lead to business failure, something no enterprise of any size wants. Note that the concerns are especially true of Public Clouds and not the case for Private Clouds.

This study provides a basic understanding of what Cloud Computing is and its advantages and disadvantages. The study also describes the various Service and Deployment Models that define Cloud Computing.

An evaluation is conducted based on the author’s understanding of the architecture and design principles adopted for the soon-to-be-developed OFS application and some basic understanding of the interested SMEs’ business profile and concerns. Based on the evaluation, Cloud Computing can offer a lot of advantages to these SMEs. The issue is that the public Cloud Computing model poses considerable risks and the dedicated private Cloud Computing model may be too expensive for most of the SMEs. An opportunity exists for these financial services social economy SMEs interested in using OFS to form a cooperative to build a private Community Cloud. The Community/Co-op Cloud will allow the SMEs to pool their IT resources, including their IT-skilled human resources, to create and effectively manage a Cloud Computing environment. The Community Cloud would provide services to member SMEs such as: system installation and configuration, access management services, security services, software upgrades, data backup and recovery, and performance tuning.

The Community Cloud Computing model which offers all the promises of Cloud Computing and greatly limits the risks associated with Cloud Computing definitely looks like an option worth looking into. A business plan which addresses among other things the operational and financial models of a Community Cloud is required to further explore this option.


7 Bibliography

Books

[BB-1] Tim Mather, Subra Kumaraswamy, and Shahed Latif, What Is Cloud Computing? Cloud Security and Privacy, 1st Edition, 2008, by O'Reilly, ISBN: 0596527934, 9780596527938

[BB-2] David S. Linthicum, Cloud Computing and SOA Convergence in Your Enterprise: A Step-by-Step Guide, 2009, by Addison-Wesley Professional, Web ISBN-13: 978-0-321-65939-2

[BB-3] Information Technology Control Guidelines, 3rd Edition, by the Canadian Institute of Chartered Accountants, Principal Author - Deloitte & Touche, 1998, ISBN: 0-88800-494-X

[BB-4] John Lamb, The Greening of IT: How Companies Can Make a Difference for the Environment, 2009, by IBM Press, Web ISBN-13: 978-0-13-611754-4

Articles / Papers

[BA-1] The NIST Definition of Cloud Computing, by Peter Mell and Tim Grance, Version 15, 10-7-09

[BA-2] Security Guidance for Critical Areas of Focus in Cloud Computing, by Cloud Security Alliance, April 2009, http://www.Cloudsecurityalliance.org/csaguide.pdf

[BA-3] A Break in the Clouds: Towards a Cloud Definition, by Luis M. Vaquero, ACM Computer Communication Review, Volume 39, Number 1, January 2009, http://ccr.sigcomm.org/online/files/p50-v39n1l-vaqueroA.pdf

[BA-4] Cloud Computing and the Common Man, by John Viega, McAfee, Computer, published by the IEEE Computer Society, 2009

[BA-5] Benefits, risks and recommendations for information security, European Network and Information Security Agency (ENISA), November 2009

[BA-6] Business Strategy for Cloud Providers, by IBM Global Business Services, ftp://ftp.software.ibm.com/common/ssi/sa/wh/n/gbw03096usen/GBW03096USEN.PDF

[BA-7] Cloud Computing is a trap, by GNU founder Richard Stallman, October 2008, http://www.guardian.co.uk/technology/2008/sep/29/Cloud.computing.richard.stallman

[BA-8] Introduction to Cloud Computing Architecture, white paper by Sun, June 2009, http://www.sun.com/featured-articles/CloudComputing.pdf


[BA-9] Cloud Computing Use Cases, a white paper produced by the Cloud Computing Use Case Discussion Group, Version 2.0, 30 October 2009, http://www.slideshare.net/jasonwreed/cloud-computing-use-cases-whitepaper

[BA-10] The Cloud, the Crowd, and Public Policy, by Michael R. Nelson, summer 2009, http://www.issues.org/25.4/nelson.html

[BA-11] Which Cloud Computing Platform Is Right For You? Understanding The Difference Between Public, Hosted, And Internal Clouds, by James Staten, April 13, 2009, http://www.forrester.com/Research/Document/Excerpt/0,7211,54043,00.html

[BA-12] The new SME definition, User guide and model declaration, European Commission, 2003, http://ec.europa.eu/enterprise/policies/sme/files/sme_definition/sme_user_guide_en.pdf

[BA-13] Key Advantage of Open Source is Not Cost Savings, Computer Economics, May 2005, http://www.computereconomics.com/article.cfm?id=1043

[BA-14] Effectively and Securely Using the Cloud Computing Paradigm, by Peter Mell, Tim Grance, NIST, Information Technology Laboratory, 10-7-2009, http://www.federalarchitect.com/2009/03/19/effectively-and-securely-using-the-cloud-computing-paradigm/

[BA-15] Business Strategy for Cloud Providers, IBM Global Business Services, ftp://ftp.software.ibm.com/common/ssi/sa/wh/n/gbw03096usen/GBW03096USEN.PDF

[BA-16] Cloud Computing: Some Implications for Key Management, by Lee Badger, June 2009, http://csrc.nist.gov/groups/ST/key_mgmt/documents/June09_Presentations/lee_badger_KMWJune09_Clouds_keys.pdf

Web Sites

[BW-1] Chaire de logiciel libre — Finance sociale et solidaire, http://www.chaire-logiciel-libre.uqam.ca/spip.php?article7&lang=fr

[BW-2] l'Association Internationale du Logiciel Libre (Ai2L) pour l'Economie Sociale, http://ai2l.org/spip/

[BW-3] http://en.wikipedia.org/wiki/Cooperative#cite_note-1

[BW-4] European Network and Information Security Agency (ENISA), http://wiki.enisa.europa.eu/index.php?title=A_user_perspective_on_Cloud_Computing_%28i.e._SME%29


8 Appendix A: CICA Information Technology Control Guidelines

The text in this section is taken verbatim from the book Information Technology Control Guidelines, 3rd Edition, by the Canadian Institute of Chartered Accountants, Principal Author - Deloitte & Touche [BB-3].

8.1 Computer Operations and Information Systems Support

Control Objectives, minimum control standards and control techniques

Computer Operations

N: To ensure that operations services are appropriately controlled and meet defined user requirements efficiently and effectively.

N1: Computer operations and support services to be provided should be defined in formal services level agreements.

N1-2 Clearly define the nature and level of services to be provided.

N2: There should be procedures in place to monitor computer operations and service delivery performance.

N2-1 Establish measurable performance criteria including availability, capacity response, and quality for acceptable service and support.

O: To ensure the integrity and availability of computer operations services.

O5: Off-site backup procedures should support business continuity and information technology processing recovery requirements.

O7: There should be adequate physical and/or logical control over computer processing output.

P: To ensure that systems software procedures and activities contribute to the reliability, effectiveness and control of computer operations services.

P4: Procedures should be established to protect against and minimize damage and/or disruption arising from infection by computer viruses.

Q: To ensure that appropriate controls are established over information transmitted to and from outside organization.

Q3: Network design features should incorporate integrity, confidentiality and availability requirements for information transmissions.


8.2 Information Technology Security

Control Objectives, minimum control standards and control techniques

T: To ensure the integrity, confidentiality and availability of information technology processing throughout the enterprise

T7: Custodians and users of information and data should implement, and comply with, security mechanisms and procedures to maintain confidentiality at a level appropriate to the sensitivity classification allocation by owners of the information and data.

T9: Security mechanisms and procedures should be implemented to ensure that access to information technology components is authorized by the owner, and is in accordance with established policies and procedures.

T13: Physical access to information technology resources should be protected using measures appropriate to the value and sensitivity of the resources.

U: To ensure that access to the enterprise’s systems and information is reliably controlled

U2: Identification and authentication of users accessing the enterprise’s information technology resources from outside the enterprise should require the use of controls stronger than a password which avoids risks of “masquerading” by “stealing” or “copying” a transmitted static password.

U2-2: Where possible, use encryption techniques in conjunction with authenticated sequence numbers, to protect user identification and authentication data transmitted across telecommunication lines, and to prevent capture and replay exposures.

V: To ensure that information technology resources are housed and operated in appropriate environmental conditions.

V3: Information technology resources should be located with due consideration to threats of sabotage, terrorism, vandalism and other physical risks.

8.3 Business Continuity Planning and Information Technology Recovery

Control Objectives, minimum control standards and control techniques

Y: To ensure that critical business processes can continue, or be resumed promptly, in the event of significant disruption to normal business operations (business continuity planning)

Y2: Management should ensure that business continuity plans are appropriate to ensure ongoing continuity of the enterprise’s critical business functions.

Y4: Procedures should be in place to periodically test business continuity plans to ensure that they are still relevant and effective.