Technologie Management Gruppe Global Resourcing GmbH
Germany
www.tmg-muenchen.de
Lecture 4
How to Manage the Cloud
Logical Cloud Connectivity
Jan 2012
Logical Cloud Connectivity: Unifying services for people in the cloud, accessed by a diversity of devices, is the key challenge of logical cloud connectivity.

Logical Cloud Connectivity: People (figure: Cloud Administrator and Cloud User views with MyTasks, My Apps, My Projects, MyRoles, ...)
Security as a Service: Identity and Access management, Isolation and Encryption
(figure: Cloud Administrator and Cloud User)
a) Identity and Access Management - Ensures that only properly authenticated entities (Cloud Administrator or Cloud User) are allowed access.
b) Isolation - Minimizes interaction with data by keeping Client-specific containers logically or physically separate.
c) Encryption - Used internally within the Data Center for protecting control channels and is provided optionally for customers who need rigorous data protection capabilities.
Identity and Access Management: Two separate “Cloud Gateways” (figure: Cloud Administrator gateway and Cloud User gateway)
Identity and Access Management: Creating “Social Circles” for focused sharing of data, information and knowledge
Identity and Access Management: Assigning users to enterprise user circles (figure: Cloud User)
Isolation of Clients (1): Multi-tenant Cloud Computing with Isolation of User (figure: Project Implementation Database Concept, hierarchy Multi-Tenant > Projects > Sub-Projects > Work Streams > Activities & Tasks)
Isolation of Clients (2): Multi-tenant Cloud Computing with Isolation of Data
Client-specific Isolation of User and Data: Three Dimensional Business Space (figure: The Client Business Space with axes Region, Customer and Sector)
Encryption: Definition
Encryption, which encodes electronic messages so that only a recipient with the ability to decode the message can read it, is vital to the future of Cloud Computing. It prevents crime by keeping hackers from reading your e-mail or stealing your credit card numbers. It helps companies protect trade secrets. As more information flows over the open networks that constitute the Internet and the Cloud, people increasingly need encryption to keep their information secure.

Encryption: How it works (figure only)
Storage as a Service: Cloud-based Document-Management with integrated structured and unstructured “BigData” on a single platform

Logical Cloud Connectivity: Data
Data-Management Today: Distributed database management systems are a reality
• Increasing need to provide an integrated global view of an organization's information, and sometimes of related organizations' (customers / suppliers)
• An important step is the creation of a global schema: it contains all the critical information needed
Cloud Storage Solution: Access from anywhere by any device on a central online storage (figure: Client Business Space with Region, Customer and Sector axes; portal navigation Organization, Home, Projects, Market, Account; MyTask, Sub-Projects, Editor, Workstream; Strategy, Execution, Quality; Project Portal, Portal Management, Standard Project Set-up, Special Project Set-up)

Data & Document Management: Data & Document Management Editor for solving “Big Data” challenges of structured (Import) or unstructured (Reports) information
(figure: sample report screenshot from the Data & Document Management Editor. Panels: “Monthly tracking of cost savings program (target vs. forecast)”, a table in Mio. € with columns Bud., Act., Plan, FC*, Δ, IL2, IL3, Impl., P&L, ∑ for the measure categories Processes / structures, Procurement, Design-to-Cost, Production/Lean, Indirect costs, One-time and Working Capital; “Monthly ramp up of measures (by implementation level)”, Target (100%) = 23,89 million €, Jan. 10 to Dez. 10, levels IL1: Target, IL2: Evaluated, IL3: Decided, Oper. implemented, P&L effective; “Split of effects by year (actuals, plan and forecast)”, Plan 2009 to FC 2011, One-Time vs. Continuous.)
Data Storage Trend: “The Web is quickly becoming the world's fastest growing repository of data”
Future Trend: Unification of Services in the Cloud - Example strategicfrontend.com (figure: MyTasks, My Apps, My Projects, MyRoles, ...; Editor, Workstream, Strategy, Execution, Quality, Projects, MyService, MyProjects, MyAPPS)

Logical Cloud Connectivity: Social Productivity driven by the Cloud
The Cloud Management Framework (figure)
Strategic Cloud Connectivity | Organizational Cloud Connectivity | Logical Cloud Connectivity | Physical Cloud Connectivity
Cloud Computing: Service & Software for scalable Pull Platforms
Modular Design & Security of flexible Knowledge Access/Creation
Manager Workplace, Management Process, Management of Knowledge Flows
Business Ecosystem, New Value Creation
Forces of Change: • Computing • Digital Storage • Bandwidth • Cloud Users • Wireless Subscriptions
Forces of Change: • Internet Activity • Wireless Activity • Social Media Activity • Worker Passion
Forces of Change: • Inter Firm Knowledge Flow • Decision Cycle Time • Executive Turnover • Returns to Talent • Labor Productivity
Forces of Change: • Competitive Intensity • Stock Price Volatility • Asset Profitability • Firm Topple Rate • Shareholder Value Gap • Consumer Power • Brand Disloyalty • Economic Freedom
Appendix: Cloud Due Diligence Example

Security:
1) The secure method of file transfer to the cloud based application
2) The secure method of file storage
The system stores sensitive financial data about our clients; outside of typical communication encryption and user access, how is the data protected?
1) Is there any access logging done?
2) Is sensitive data stored in a separate more secure database?
3) Will user PCs/IP addresses be tied to the application to keep unauthorized users out?

Data Management:
1) Where will the data be stored?
2) Who will have access to Company's sensitive data?
3) Will the data be replicated to any other datacenters around the world (if yes, then which ones)?
4) Do you offer single sign-on for your services?
5) How do you detect if an application is being attacked (hacked), and how is that reported to Company?
6) Will I have full ownership of my data?

Support: Who will people call if they have problems?
1) Will Company IT Helpdesk formally provide level 1 support?
2) Regardless, the Company helpdesk will inevitably receive support calls; how should they be handled?
3) The Company help desk does not currently provide 24hr support (section 3 Requirement).
4) How will users be added to the system?
5) How will new employees be assigned Windows Live IDs and be added to the system?

Exit Strategy: What is the exit strategy for the system?
1) Can we get a load of the files and data within the system and discontinue its use?
2) How can we confirm that all sensitive data has been expunged from the system?

Cloud Pricing: Are there ongoing support and usage costs? Per User? Per Project? Per Month?
Microsoft Answer to Core Questions of Company IT: Security

1) The secure method of file transfer to the cloud based application
The usual way of securely transferring files (or rather any information) from or to a Windows Azure application, both for functional as well as management purposes, is HTTPS. Windows Azure allows users to upload their own certificate(s) that are to be used for HTTPS communication. In that regard, a Windows Azure application is no different than a traditional web site that requires secure communication.

2) The secure method of file storage
The Windows Azure platform offers a range of storage services that comprise both classic relational database management systems (“SQL Azure”) as well as semi-structured storage services (“Windows Azure Storage Service”), all of which cater to different usage, scalability and throughput scenarios. All these services allow secure communication over an encrypted communication channel. While none of these services transparently encrypt stored data*, any application running on Windows Azure can implement encryption on top of our platform.
* SQL Server 2008 Enterprise Editions and later versions are capable of Transparent Data Encryption (TDE). This feature is on the roadmap to be included in SQL Azure as well.

The system stores sensitive financial data about our clients; outside of typical communication encryption and user access, how is the data protected?
Microsoft Global Foundation Services, our division that operates the data centers where Windows Azure is hosted, is certified for ISO 27001, SAS70 Type II, and other standards that are concerned with confidentiality, integrity, and availability in data center operations (you can find more details at http://www.globalfoundationservices.com/security/index.html). On top of our infrastructure and procedures, any application running on Windows Azure can use arbitrary means to further enhance its security level, e.g. by shredding data and storing its fragments in numerous storage services.

1) Is there any access logging done?
On the application level, that is the responsibility of the application itself. At data center or service level (i.e. Windows Azure), auditing is part of the standard operations framework. Consequently, in order for our support personnel to even touch a customer’s application components, the customer has to open a support request first.

2) Is sensitive data stored in a separate more secure database?
There really is no notion of a less or unsecure vs. a more secure database in SQL Azure. All SQL Azure databases are secure by default and client applications should always use encrypted connections. Furthermore, no SQL Azure database is accessible from anywhere other than the management portal by default. Customers have to explicitly exclude IP address ranges from the SQL Azure firewall to even connect to a SQL Azure database.

3) Will user PCs/IP addresses be tied to the application to keep unauthorized users out?
This feature can be implemented by custom code or an extension module that we offer for Internet Information Services (“Dynamic IP restrictions”). Please keep in mind that this approach is not sufficient as an authorization technique, and impractical nowadays since client devices in modern infrastructures do not have fixed IP addresses or are located in a totally unpredictable IP address range (think of Wi-Fi networks, 3G/4G, laptops, smart phones etc.). Authorization therefore is a mandatory requirement at the application level.
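The answer to question 3 above treats IP restrictions as a coarse filter only and makes application-level authorization mandatory. The following Node.js function, an added example and not code from the lecture or from Microsoft, layers the two checks in that order using the lecture's Cloud Administrator / Cloud User roles; the office CIDR, the session token table and the authorize() function are constructed placeholders.

```javascript
// Constructed placeholders: an office range (RFC 5737 documentation prefix) and a
// session table mapping bearer token -> role, standing in for a real session store.
const OFFICE_NET = '203.0.113.0/24';
const SESSIONS = new Map([['tok-admin', 'Cloud Administrator'], ['tok-user', 'Cloud User']]);

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null when malformed.
function ipToInt(ip) {
  const parts = String(ip).split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside the CIDR block; malformed input never matches.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipToInt(ip), n = ipToInt(net);
  if (a === null || n === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// authorize() applies the two checks in the order the answer implies: the IP
// allowlist is a coarse filter (defence in depth); the decision that matters is
// the authenticated identity's role, evaluated on every request.
// remoteAddr must be the transport peer address; X-Forwarded-For is client-
// controlled and must not be used here unless your own proxy sets it.
function authorize(remoteAddr, token) {
  if (!inCidr(remoteAddr, OFFICE_NET)) return { status: 403, reason: 'forbidden network' };
  const role = SESSIONS.get(token);
  if (!role) return { status: 401, reason: 'authentication required' };
  if (role !== 'Cloud Administrator') return { status: 403, reason: 'insufficient role' };
  return { status: 200, reason: 'ok' };
}
```

A user whose device sits inside the office range but who only holds the Cloud User role is still refused, which is the distinction the answer draws between network filtering and authorization.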
Microsoft Answer to Core Questions of Company IT: Data Management

1) Where will the data be stored?
The Customer Data which an End User uploads for transmission or storage in Windows Azure or SQL Azure (“Customer Content”) will be stored in the geographic region the End User specifies in account setup. Current options for Windows Azure are North America, Asia, or Europe. Customer Content may be replicated between data centers in the same region. A customer may also configure the account through certain features such as CDN to replicate data to a broader set of locations. Customer Content may be accessed outside the specified region when legally required such as in response to a valid law enforcement subpoena. Microsoft abides by the Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Economic Area and Switzerland.

2) Who will have access to Company's sensitive data?
In general any customer data is regarded as sensitive data and there is no distinction between more or less sensitive data. Data may be accessed by technical support personnel during a customer’s request in case of a technical support incident.

What controls are in place to ensure safety for my data while it is stored in your environment?
Microsoft certified the operation of its data centers (Global Foundation Services) according to the ISO 27001 standard. In addition, Microsoft is SAS70 Type II certified. For additional information on the procedures to ensure data integrity, privacy and security please have a look into the attached whitepaper.

3) Will the data be replicated to any other datacenters around the world (if yes, then which ones)?
No. See comment on the first bullet point.

4) Do you offer single sign-on for your services?
Yes. A customer may decide to use the Azure Access Control Service to implement SSO based on industry standards (SAML).

5) How do you detect if an application is being attacked (hacked), and how is that reported to Company?
Microsoft does not provide any information about how security measures are implemented internally. If Microsoft detects illegal access and/or usage of customer data it will notify the customer.

6) Will I have full ownership of my data?
What is the meaning of full ownership of data? A customer may decide at any time to delete, edit, change or modify the data that is stored in the Azure platform. In that sense, the customer has the full ownership of the data that is stored on the Azure platform.
Microsoft Answer to Core Questions of Company IT: Support

1) Will Company IT Helpdesk formally provide level 1 support?
Yes, that is my understanding. Microsoft’s support will likely take place at third level:
1 – Company (application usage and management)
2 – TMG (application code or configuration issues)
3 – Microsoft (Windows Azure platform)

2) Regardless, the Company helpdesk will inevitably receive support calls; how should they be handled?
See above.

3) The Company help desk does not currently provide 24hr support (section 3 Requirement).
From an application perspective, this is a business decision. The Windows Azure platform is obviously supported 24x7.

How will new employees be assigned Windows Live IDs and be added to the system?
Windows Live IDs are only required for employees that need to access the Windows Azure Management Portal – administrators and other IT staff. Live IDs can be obtained by anybody at http://www.passport.net/. Application users use whatever credentials the application requires (e.g. username/password, certificates etc.).
Microsoft Answer to Core Questions of Company IT: Exit Strategy and Pricing

1) Can we get a load of the files and data within the system and discontinue its use?
Customers can create copies of databases or other stored data at any time. Please keep in mind that Windows Azure is a Platform-as-a-Service offering. It provides compute and storage services to run applications in the cloud, but a customer has full control over these services.

2) How can we confirm that all sensitive data has been expunged from the system?
To my knowledge, there is no such runtime capability in Azure or any other cloud service. Guaranteed data destruction happens when hardware is decommissioned. Encryption and data shredding may help to mitigate data remanence issues. If data remanence is a concern, I suggest considering a hybrid model, where part of the data is stored in the cloud, whereas other parts are stored at a customer’s data center.

Are there ongoing support and usage costs? Per User? Per Project? Per Month?
You can find our pricing model at http://www.microsoft.com/windowsazure/pricing/. Our online pricing calculator at http://www.microsoft.com/windowsazure/pricing-calculator/ makes it easy to quickly create cost estimates. As far as support is concerned:
Customers have access to a support phone number to call at any time to report potential issues with the Windows Azure platform service. Issues with the platform will be escalated to the Windows Azure platform operations team to investigate and correct. You can also call at any time for developer support to assist you with your application. Developer support will be charged on a per incident basis but is temporarily being provided at no charge as an additional benefit to our customers. Premier customers, MSDN subscribers and MPN members will be able to leverage support incidents and support hours provided as part of these program benefits. We will also continue to provide moderated forum support at no charge. You can access more information regarding your support options at the following URL: http://www.microsoft.com/windowsazure/support
(from the Windows Azure FAQ at http://www.microsoft.com/windowsazure/faq/)