How to Manage the Cloud - gromball.files.wordpress.com

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1

Technologie Management Gruppe Global Resourcing GmbH

Germany

[email protected]

www.tmg-muenchen.de

Lecture 4

How to Manage the Cloud

Logical Cloud Connectivity

Jan 2012

Page 2

Logical Cloud Connectivity: Unifying services for people in the Cloud, accessed by a diversity of devices, is the key challenge of logical cloud connectivity

[Figure: Logical Cloud Connectivity: People. Cloud Administrator and Cloud User with their MyTasks, My Apps, My Projects and MyRoles … views]

Page 3

Security as a Service: Identity and Access management, Isolation and Encryption

[Figure: Cloud Administrator and Cloud User]

a) Identity and Access Management - Ensures that only properly authenticated entities (Cloud Administrator or Cloud User) are allowed access.

b) Isolation - Minimizes interaction with data by keeping Client-specific containers logically or physically separate.

c) Encryption - Used internally within the Data Center to protect control channels, and offered optionally to customers who need rigorous data protection capabilities.

Logical Cloud Connectivity

Page 4

Identity and Access Management: Two separate “Cloud Gateways”

[Figure: one gateway for the Cloud Administrator, a separate one for the Cloud User]

Page 5

Identity and Access Management: Creating “Social Circles” for focused sharing of data, information and knowledge

Page 6

Identity and Access Management: Assigning users to enterprise user circles

[Figure: Cloud User assigned to enterprise user circles]

Page 7

Isolation of Clients (1): Multi-tenant Cloud Computing with Isolation of User

Project Implementation Database Concept

[Figure: hierarchy Multi-Tenant Projects → Sub-Projects → Work Streams → Activities & Tasks]

Page 8

Isolation of Clients (2): Multi-tenant Cloud Computing with Isolation of Data

Page 9

Client-specific Isolation of User and Data: Three Dimensional Business Space

[Figure: The Client Business Space, a three-dimensional space spanned by Region, Customer and Sector]

Page 10

Encryption: Definition

Encryption, which encodes electronic messages so that only a recipient with the ability to decode the message can read it, is vital to the future of Cloud Computing. It prevents crime by keeping hackers from reading your e-mail or stealing your credit card numbers. It helps companies protect trade secrets. As more information flows over the open networks that constitute the Internet and the Cloud, people increasingly need encryption to keep their information secure.

Page 11

Encryption: How it works

[Figure: diagram of how encryption works]

Page 12

Storage as a Service: Cloud-based Document-Management with integrated structured and unstructured “BigData” on a single platform

Logical Cloud Connectivity: Data

• Increasing need to provide an integrated global view of an organization’s information, and sometimes of related organizations (customers / suppliers)

• An important step is the creation of a global schema: it contains all the critical information needed

Page 13

Data-Management Today: Distributed database management systems are a reality

Page 14

Cloud Storage Solution: Access from anywhere, by any device, to a central online storage

[Figure: the Client Business Space (Region, Customer, Sector) around the central online storage]

Page 15

Data & Document-Management: Data & Document Management Editor for solving “Big Data” challenges of structured (Import) or unstructured (Reports) Information

[Figure: screenshot of the project portal (Organization, Home, Projects, Market, Account; MyTask, Sub-Projects, Editor, Workstream; Strategy, Execution, Quality; Project Portal, Portal Management, Standard Project Set-up, Special Project Set-up) with three sample report panels: “Monthly tracking of cost savings program (target vs. forecast)” in million €, “Monthly ramp up of measures (by implementation level)” against a target (100%) of 23,89 million €, and “Split of effects by year (actuals, plan and forecast)”]

Page 16

Data Storage Trend: “The Web is quickly becoming the world's fastest growing repository of data”

Page 17

Future Trend: Unification of Services in the Cloud - Example strategicfrontend.com

[Figure: unified service front end with MyTasks, My Apps, My Projects, MyRoles …; Editor, Workstream, Strategy, Execution, Quality, Projects, MyService]

Page 18

Logical Cloud Connectivity: Social Productivity driven by the Cloud

[Figure: The Cloud Management Framework]

Layers: Strategic Cloud Connectivity, Organizational Cloud Connectivity, Logical Cloud Connectivity, Physical Cloud Connectivity

Elements: Service & Software for scalable Pull Platforms; Cloud Computing; Modular Design & Security of flexible Knowledge Access/Creation; Manager Workplace Management Process; Management of Knowledge Flows; Business Ecosystem; New Value Creation

Forces of Change:

• Computing, Digital Storage, Bandwidth, Cloud Users, Wireless Subscriptions

• Internet Activity, Wireless Activity, Social Media Activity, Worker Passion

• Inter-Firm Knowledge Flow, Decision Cycle Time, Executive Turnover, Returns to Talent, Labor Productivity

• Competitive Intensity, Stock Price Volatility, Asset Profitability, Firm Topple Rate, Shareholder Value Gap, Consumer Power, Brand Disloyalty, Economic Freedom

Page 19

Appendix: Cloud Due Diligence Example

Security:
1) The secure method of file transfer to the cloud based application
2) The secure method of file storage
The system stores sensitive financial data about our clients; outside of typical communication encryption and user access, how is the data protected?
1) Is there any access logging done?
2) Is sensitive data stored in a separate, more secure database?
3) Will user PCs/IP addresses be tied to the application to keep unauthorized users out?

Data Management:
1) Where will the data be stored?
2) Who will have access to Company's sensitive data?
3) Will the data be replicated to any other datacenters around the world (if yes, then which ones)?
4) Do you offer single sign-on for your services?
5) How do you detect if an application is being attacked (hacked), and how is that reported to Company?
6) Will I have full ownership of my data?

Support: Who will people call if they have problems?
1) Will Company IT Helpdesk formally provide level 1 support?
2) Regardless, the Company helpdesk will inevitably receive support calls; how should they be handled?
3) The Company help desk does not currently provide 24hr support (section 3 requirement).
4) How will users be added to the system?
5) How will new employees be assigned Windows Live IDs and be added to the system?

Exit Strategy: What is the exit strategy for the system?
1) Can we get a load of the files and data within the system and discontinue its use?
2) How can we confirm that all sensitive data has been expunged from the system?

Cloud Pricing: Are there ongoing support and usage costs? Per User? Per Project? Per Month?

Page 20

Microsoft Answer to Core Questions of Company IT: Security

1) The secure method of file transfer to the cloud based application
The usual way of securely transferring files (or rather any information) from or to a Windows Azure application, both for functional as well as management purposes, is HTTPS. Windows Azure allows users to upload their own certificate(s) that are to be used for HTTPS communication. In that regard, a Windows Azure application is no different than a traditional web site that requires secure communication.

2) The secure method of file storage
The Windows Azure platform offers a range of storage services that comprise both classic relational database management systems (“SQL Azure”) as well as semi-structured storage services (“Windows Azure Storage Service”), all of which cater to different usage, scalability and throughput scenarios. All these services allow secure communication over an encrypted communication channel. While none of these services transparently encrypt stored data*, any application running on Windows Azure can implement encryption on top of our platform.

* SQL Server 2008 Enterprise Editions and later versions are capable of Transparent Data Encryption (TDE). This feature is on the roadmap to be included in SQL Azure as well.

The system stores sensitive financial data about our clients; outside of typical communication encryption and user access, how is the data protected?
Microsoft Global Foundation Services, our division that operates the data centers where Windows Azure is hosted, is certified for ISO 27001, SAS70 Type II, and other standards that are concerned with confidentiality, integrity, and availability in data center operations (you can find more details at http://www.globalfoundationservices.com/security/index.html). On top of our infrastructure and procedures, any application running on Windows Azure can use arbitrary means to further enhance its security level, e.g. by shredding data and storing its fragments in numerous storage services.

1) Is there any access logging done?
On the application level, that is the responsibility of the application itself. At data center or service level (i.e. Windows Azure), auditing is part of the standard operations framework. Consequently, in order for our support personnel to even touch a customer’s application components, the customer has to open a support request first.

2) Is sensitive data stored in a separate, more secure database?
There really is no notion of a less secure or unsecure vs. a more secure database in SQL Azure. All SQL Azure databases are secure by default and client applications should always use encrypted connections. Furthermore, no SQL Azure database is accessible from anywhere other than the management portal by default. Customers have to explicitly exclude IP address ranges from the SQL Azure firewall to even connect to a SQL Azure database.

3) Will user PCs/IP addresses be tied to the application to keep unauthorized users out?
This feature can be implemented by custom code or an extension module that we offer for Internet Information Services (“Dynamic IP restrictions”). Please keep in mind that this approach is not sufficient as an authorization technique, and impractical nowadays since client devices in modern infrastructures do not have fixed IP addresses or are located in a totally unpredictable IP address range (think of Wi-Fi networks, 3G/4G, laptops, smart phones etc.). Authorization therefore is a mandatory requirement at the application level.
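The last answer above states that tying access to IP addresses is not an authorization technique and that access logging at application level is the application's own job; the slides on client isolation (pages 7 to 9) add the multi-tenant dimension. The Go program below is an added example, not code from the deck or from Microsoft, and everything in it (the Request and Resource types, roleRank, the client names and the 203.0.113.0/24 range) is constructed for illustration: it keeps an IP allow-list as a defence-in-depth layer but decides on the authenticated identity, its tenant and its role, and writes an application-level access-log entry for every decision.

```go
package main

import (
	"fmt"
	"net"
)

// Request is one access attempt after authentication (constructed; not an Azure API).
type Request struct {
	User     string // authenticated identity; "" if anonymous
	Tenant   string // client the identity was issued for
	Role     string // "viewer", "editor" or "admin" within that client
	SourceIP string
}

// Resource lives in one client's isolated container and needs a minimum role.
type Resource struct{ Name, Tenant, MinRole string }

var roleRank = map[string]int{"viewer": 1, "editor": 2, "admin": 3}

// IPAllowed is the network-location layer (what an IIS IP-restriction module
// gives you): it says where a request came from, nothing about who sent it.
func IPAllowed(ip string, allowCIDRs []string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false
	}
	for _, c := range allowCIDRs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(addr) {
			return true
		}
	}
	return false
}

// Authorize is the mandatory application-level check: authenticated identity,
// same tenant as the resource (client isolation), sufficient role. The IP
// allow-list runs first as defence in depth, never as a substitute, and every
// decision goes to the application's own access log.
func Authorize(req Request, res Resource, allowCIDRs []string, audit *[]string) bool {
	reason := "ok"
	switch {
	case !IPAllowed(req.SourceIP, allowCIDRs):
		reason = "source network not allowed"
	case req.User == "":
		reason = "unauthenticated"
	case req.Tenant != res.Tenant:
		reason = "cross-tenant access"
	case roleRank[req.Role] < roleRank[res.MinRole]:
		reason = "insufficient role"
	}
	allowed := reason == "ok"
	*audit = append(*audit, fmt.Sprintf("user=%q tenant=%q ip=%s resource=%q allowed=%t reason=%q",
		req.User, req.Tenant, req.SourceIP, res.Name, allowed, reason))
	return allowed
}

func main() {
	office := []string{"203.0.113.0/24"} // constructed sample range (TEST-NET-3)
	ledger := Resource{Name: "client-a/ledger", Tenant: "client-a", MinRole: "editor"}
	var audit []string
	// Same allowed office address, three callers: only the client-a editor passes.
	for _, req := range []Request{
		{SourceIP: "203.0.113.7"},
		{User: "bob", Tenant: "client-b", Role: "admin", SourceIP: "203.0.113.7"},
		{User: "alice", Tenant: "client-a", Role: "editor", SourceIP: "203.0.113.7"},
	} {
		Authorize(req, ledger, office, &audit)
		fmt.Println(audit[len(audit)-1])
	}
}
```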

Page 21

Microsoft Answer to Core Questions of Company IT: Data Management

1) Where will the data be stored?
The Customer Data which an End User uploads for transmission or storage in Windows Azure or SQL Azure (“Customer Content”) will be stored in the geographic region the End User specifies in account setup. Current options for Windows Azure are North America, Asia, or Europe. Customer Content may be replicated between data centers in the same region. A customer may also configure the account through certain features such as CDN to replicate data to a broader set of locations. Customer Content may be accessed outside the specified region when legally required, such as in response to a valid law enforcement subpoena. Microsoft abides by the Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of data from the European Economic Area and Switzerland.

2) Who will have access to Company's sensitive data?
In general any customer data is regarded as sensitive data and there is no distinction between more or less sensitive data. Data may be accessed by technical support personnel during a customer’s request in case of a technical support incident.

What controls are in place to ensure safety for my data while it is stored in your environment?
Microsoft certified the operation of its data centers (Global Foundation Services) according to the ISO 27001 standard. In addition, Microsoft is SAS70 Type II certified. For additional information on the procedures to ensure data integrity, privacy and security please have a look into the attached whitepaper.

3) Will the data be replicated to any other datacenters around the world (if yes, then which ones)?
No. See comment on the first bullet point.

4) Do you offer single sign-on for your services?
Yes. A customer may decide to use the Azure Access Control Service to implement SSO based on industry standards (SAML).

5) How do you detect if an application is being attacked (hacked), and how is that reported to Company?
Microsoft does not provide any information about how security measures are implemented internally. If Microsoft detects illegal access and/or usage of customer data it will notify the customer.

6) Will I have full ownership of my data?
What is the meaning of full ownership of data? A customer may decide at any time to delete, edit, change or modify the data that is stored in the Azure platform. In that sense, the customer has the full ownership of the data that is stored on the Azure platform.

Page 22

Microsoft Answer to Core Questions of Company IT: Support

1) Will Company IT Helpdesk formally provide level 1 support?
Yes, that is my understanding. Microsoft’s support will likely take place at third level:
1 – Company (application usage and management)
2 – TMG (application code or configuration issues)
3 – Microsoft (Windows Azure platform)

2) Regardless, the Company helpdesk will inevitably receive support calls; how should they be handled?
See above.

3) The Company help desk does not currently provide 24hr support (section 3 requirement).
From an application perspective, this is a business decision. The Windows Azure platform is obviously supported 24x7.

How will new employees be assigned Windows Live IDs and be added to the system?
Windows Live IDs are only required for employees that need to access the Windows Azure Management Portal – administrators and other IT staff. Live IDs can be obtained by anybody at http://www.passport.net/. Application users use whatever credentials the application requires (e.g. username/password, certificates etc.).

Page 23

Microsoft Answer to Core Questions of Company IT: Exit Strategy and Pricing

1) Can we get a load of the files and data within the system and discontinue its use?
Customers can create copies of databases or other stored data at any time. Please keep in mind that Windows Azure is a Platform-as-a-Service offering. It provides compute and storage services to run applications in the cloud, but a customer has full control over these services.

2) How can we confirm that all sensitive data has been expunged from the system?
To my knowledge, there is no such runtime capability in Azure or any other cloud service. Guaranteed data destruction happens when hardware is decommissioned. Encryption and data shredding may help to mitigate data remanence issues. If data remanence is a concern, I suggest considering a hybrid model, where part of the data is stored in the cloud, whereas other parts are stored at a customer’s data center.

Are there ongoing support and usage costs? Per User? Per Project? Per Month?
You can find our pricing model at http://www.microsoft.com/windowsazure/pricing/. Our online pricing calculator at http://www.microsoft.com/windowsazure/pricing-calculator/ makes it easy to quickly create cost estimates. As far as support is concerned:
Customers have access to a support phone number to call at any time to report potential issues with the Windows Azure platform service. Issues with the platform will be escalated to the Windows Azure platform operations team to investigate and correct. You can also call at any time for developer support to assist you with your application. Developer support will be charged on a per incident basis but is temporarily being provided at no charge as an additional benefit to our customers. Premier customers, MSDN subscribers and MPN members will be able to leverage support incidents and support hours provided as part of these program benefits. We will also continue to provide moderated forum support at no charge. You can access more information regarding your support options at the following URL: http://www.microsoft.com/windowsazure/support
(from the Windows Azure FAQ at http://www.microsoft.com/windowsazure/faq/)
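Answer 2 on page 20 states that none of the storage services encrypt stored data transparently but that an application can encrypt on top of the platform, and answer 2 above names encryption and shredding as mitigations for data remanence. The Go program below is an added example, not from the deck or from Microsoft; Store and Vault are constructed stand-ins for a storage service and a per-client key store, not Azure APIs. It encrypts every record with AES-256-GCM under the client's own key before the bytes reach the store, binds client and record id as associated data so a ciphertext moved into another container does not decrypt, and shows crypto-shredding: deleting the client's key makes every copy of its records unreadable wherever the bytes may linger.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Store stands in for a cloud storage service that keeps whatever bytes it is
// given; Vault holds one AES-256 key per client and stays with the application,
// never with the storage service (both are constructed for this example).
type Store map[string][]byte
type Vault map[string][]byte

// RandBytes draws n bytes from the OS CSPRNG (used for keys and nonces).
func RandBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// gcmFor fails when the client's key was never created or has been shredded.
func gcmFor(v Vault, tenant string) (cipher.AEAD, error) {
	k, ok := v[tenant]
	if !ok {
		return nil, errors.New("no key for tenant")
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts before the record reaches the store; tenant and record id are
// bound as associated data, so a ciphertext copied elsewhere will not decrypt.
func Put(s Store, v Vault, tenant, id string, plaintext []byte) error {
	g, err := gcmFor(v, tenant)
	if err != nil {
		return err
	}
	nonce, err := RandBytes(g.NonceSize())
	if err != nil {
		return err
	}
	key := tenant + "/" + id
	s[key] = append(nonce, g.Seal(nil, nonce, plaintext, []byte(key))...)
	return nil
}

// Get fails on a missing record, a shredded key or a moved ciphertext.
func Get(s Store, v Vault, tenant, id string) ([]byte, error) {
	g, err := gcmFor(v, tenant)
	if err != nil {
		return nil, err
	}
	key := tenant + "/" + id
	blob, ok := s[key]
	if n := g.NonceSize(); ok && len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], []byte(key))
	}
	return nil, errors.New("no such record")
}

// Shred deletes the client's key: every record written under it becomes
// unreadable even where copies linger on backups or decommissioned media.
func Shred(v Vault, tenant string) { delete(v, tenant) }
```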