Cloud Computing: Technologies and Enterprise IT Strategies

Transcription

1 Cloud Computing: Technologies and Enterprise IT Strategies Stephen Obioma Luis D. Morales 1 Instructor: Prof. Paul Lin January 05, 2013 Possible Transition Items IPFW IT web page enables students and staff accesses many functions. These include: Account Password Change Requests Access Hardware and Printer Lab Access Schedule Drop/Add Classes through Oasis elearning through Blackboard Web/Multimedia Software Access IRB Approval Process Any off campus registration or approval forms 2 1

2 Public Cloud Providers Provider Services Service Fees Service Level Agreement Hyperlink Amazon Web Services Cloud Computing/Content Delivery/Database/Management/Application Services/Payment/Storage Based on Usage 99% Availability Amazon Microsoft SkyDrive Storage/Microsoft Document Management/ Free N/A Microsoft Google Cloud Applications/Web Page/Database Free $500/acc/month 99.9% Availability Google 3 Private Cloud Providers Provider Services Service Fees Service Level Agreement Hyperlink SAVVIS Websites/Production Applications/Data Centers/Oracle or SQL $67/month 99.99% Availability Savvis Verizon Terremark Colocation/Hosting/Networking/Security/Data Centers $0.037/hr 100% Availability Terremark Citrix Data Centers/Networking/Remote Access Licensed Based N/A Citrix vmware IT Services/Operations Management/Disaster Recovery/Operation Services Licensed Based N/A vmware hpcloud Storage Solutions/Data Processing/Cloud Migration/Workload Management/Bursting $0.035/hr $1.12/hr 99.95% Availability hpcloud 4 2

3 Evaluation Matrix EVALUATION CRITERIA Criteria Name Criteria Description Option Public Cloud Private Cloud Option Description High Availability Approach What approach is taken to provide high availability? None There is no HA approach being used. Commodity HW 10 8 HA is achieved using redundant commodity HW. Specialized SW 5 7 HA is achieved using specialized SW to automatically fall over to different HW. Specialized HW 0 2 HA is achieved by using specialty HW with built-in redundancy. Availability Requirement Latency Requirements What is the availability requirement of this component? What is the latency requirement for this component? Low 10 8 Can be off-line for extended periods. Business Critical 8 10 Considered to be a business critical component. Regulated 3 5 Subject to specific regulation(e.g. Banking systems) Life Critical 0 1 Life critical systems(e.g. Medical, Air Traffic) None 10 8 There is no specific latency requirement. Moderate 8 10 The latency requirement is modest and is readily attainable (e.g. minutes) Low 3 5 There is low latency requirement that may be difficult to meet (e.g. seconds) Extremely Low 0 1 There is an extremely low latency requirement that is (e.g. milliseconds). 5 very difficult to meet Table3. Evaluation metrics for Cloud provider/service selection Source IBM Evaluation Matrix Integrations How are integrations to other system integrated? None 10 8 The component is stand alone requiring no integrations. Batch 6 10 Only batch integrations are necessary. Government Requirements Is this component subject to government requirement? Standards-Based 8 6 All of the integrations are based on widely used industry standards. Complex 0 2 The integrations include complex custom integrations. None 10 8 There are no applicable government regulations. Low 8 10 Potential target of discovery but not actively regulated (e.g. ) Statefulness What is the statefulness of this component? Medium 5 5 Subject to specific industry or information right regulation (e.g. HIPAA, EC 45/2001). High 1 3 Contains government classified information. None 10 8 Fully autonomous idempotent transactions with no state requirement. Low 8 8 State is encapsulated in transactions (e.g. extended URL). Medium 6 8 State is handled by an authoritative external service. High 2 4 This component acts as a state service for other components. 6 Table3. Evaluation metrics for Cloud provider/service selection Source IBM 3

4 Availability Services Zenoss Cloud Monitoring RevealCloud RevealUptime Gomez APM Rackspace Cloud Monitoring 7 Security Rules and Regulations Data classification policies should clearly define the types of information deemed sensitive and prohibited from residing outside of the organization s direct control. Mapping legal, regulatory, intellectual property, and security requirements to the various types of data. Determining the sensitivity (public, restricted, or highly sensitive) of the various types of data. Establishing requirements (such as encryption) for data transmission. Identifying data owners individuals who have the proper knowledge and authority to decide who should be granted data access and the type of data access. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules. Covered Entity (Health Care Providers, Health Plans, Health Care Clearinghouses) and Business Associate (Including Cloud Service Providers and other Sub contractors) 8 4

5 Security Rules and Regulations Box 1Data privacy standards in the EU Privacy Directive The Department of Homeland Security Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) project, which is providing an architecture for dynamic system monitoring and reporting. The Security Content Automation Protocol (SCAP) initiative at NIST, which provides specifications for expressing security configurations and events, event management, and incident handling. The National Science Foundation Future Internet Architectures initiative which is developing Internet architectures to provide advanced security and reliability in the context of emerging Internet usage patterns. The Federal Information Security Management Act (FISMA). In accordance with the Act, Federal Information Processing Standards (FIPS) 200 and NIST Special Publication (periodically updated) provide baseline security controls and guidance for federal information systems. 9 Implications In the event of a catastrophic system failure and multiple tenants simultaneously requiring support, lower priority organizations might not receive the required service level response from the CSP. The consolidation of multiple large organizations on a CSP s infrastructure presents to hackers a larger and possibly a more well known target. Ensure that the CSP contract terms states that the CSP would take full responsibility in the case of any damage or loss that results as a result of the system being down or data being breached. Deploy encryption over data hosted on cloud solutions and have a defined failover strategy that would leverage another CSP s solution or an internal solution. As a result, cloud based solutions may need to be designed to store certain data within specific countries borders instead of storing the data in a country that is at the CSP s discretion. 10 5

6 Recommendations Applying cloud computing solutions without the proper care, due diligence, and controls is bound to cause unforeseen problems. Used appropriately with the necessary precautions and controls in place, and by applying the school s risk management system cloud computing could yield a multitude of benefits, some unheard of until now and some yet to be discovered. By being aware of the risks and other issues related to cloud computing, the school is more likely to achieve organizational objectives as it manages the risks in this dynamic and evolving environment that likely will become the most popular computing model of the future. 11 References [1] IPFW [Online]. Available: Jan. 04, 2013 [2] Purdue [Online]. Available: Jan. 04, 2013 [3] Enterprise cloud[online]. Available: us/infrastructureservices/enterprise cloud/pages/home.aspx, Jan.04, 2013 [4] Enterprise [Online]. Available: Jan. 04, 2013 [5] Citrix [Online]. Available: Jan. 04, 2013 [6] VMware [Online]. Available: Jan. 04, 2013 [7] HP Cloud [Online]. Available: Jan. 04, 2013 [8] Amazon AWS [Online]. Available: Jan. 04, 2013 [9] Microsoft [Online]. Available: US/skydrive/download, Jan. 04, [10] Google Cloud [Online]. Available: Jan. 04,

7 References [11] Enterprise Cloud [Online]. Available EnterpriseCloud SA.pdf Feb.3, 2013 [12] Cloud candidate selection tool [Online]. Available: wp cloud candidate tool r pdf Feb.3, 2013 [13] Cloud monitoring [Online]. Available Feb.3, 2013 [14] Cloud performance monitoring tools [Online]. Available: cloud performance monitoring tools/ Feb.3, 2013 [15] Cloud computing issues, impact and insight [Online]. Available: $File/Cloud%20computing%20issues%20and%20impacts_14Apr11.pdf Feb.3, 2013 [16] Hipaa regulation, The Cloud and Beyond [Online]. Available: hipaa hitech regulation, the cloud, and beyond Feb.3,