cloud computing dissertation

Course code:04H

Individual ProjectCan a Small to Medium Enterprise run all of their IT services in the public cloud?SID: 1318715 5/20/2011

An investigation into placing a SME all into the public cloud. Is it possible and would it be effective for their business?

Weighting agreement

pg. iStudent ID: 1318715

Declaration of own work

In submitting this report I make the following declaration: I understand that the piece of work submitted will be considered as the final and complete version of my assignment of which I am the sole author. I have accurately stated the word count. I understand both the meaning and consequences of plagiarism and my work has been appropriately attributed.

Word Count: ___13160____________

Signed: ___________________

Date: ___19th May 2011 _____

pg. iiStudent ID: 1318715

AbstractCloud computing has appeared over the past few years with promises of cost saving, green computing and time saving technology. Cloud computing offers savings by supplying users with a virtualised model that allows operating systems to be setup in minutes and programs are ready to use at the press of a button without taking up local storage. Software and hardware can be supplied on a pay-as-youuse basis, so if the program has limited use then you are not paying for its usage. This technology may be ideal for SMEs and may provide them with the computing power of large organisations but only pay when they want that extra power. The question of whether a SME could run all in the public cloud has been researched on the internet and organisations have been asked if they know of any all in the cloud organisations, but no organisation has been found that has make such a bold move. Current economic and political situations in the UK are meaning that organisations are looking to make savings and boost revenue. Yet according to recent surveys cloud computing is still not a priority for SMEs in the UK and they are starting to fall behind the rest of Europe in adopting the cloud. Lack of knowledge and concerns over security seem to be holding them back from utilising these services. Primarily this report wants to answer the question can a SME move all into the cloud, but it also wants to look at the services provided in the cloud to give an SME advice on what the cloud is and how it may be utilised. It is also thought that this report shall be of use to any academic looking to start research into public cloud computing. In order to successfully adopt cloud computing SMEs need to be aware of the services, benefits, risks and how to manage a successful migration to cloud computing. This paper shall use researched

pg. iiiStudent ID: 1318715

information from different resources and provide details that shall benefit a SME looking to use these services. The projects aim is to help SMEs adopt services provided by public cloud computing. The main focus of this paper is on SaaS as this is found to be the most likely starting block for a SME looking to start using the services in cloud computing. As many SMEs do not have the IT knowledge, this paper provides descriptions and guidelines of the services in order to make it easier for a SME to understand this technology and how they may be able to use it to their advantage.

pg. ivStudent ID: 1318715

Acknowledgement

I would like to express my gratitude to all the tutors who have helped me to increase my knowledge over the past three years of my BSc degree. Without their knowledge and guidance I would not have been able to produce this project and complete the course. Thank you very much to my supervisor who has been of great help over the past three years and her knowledge has helped with the planning and construction of this report. A thank you has to go to Sue Bailey (Careers Adviser in Colchester Institute) for her advice on finding and talking to SMEs and thank you to Haydn White who has always helped with sourcing any research material that was hard to find. Both were very quick in their help and went out of their way to help. Last but by no means least I would like to thank my fiance Emma who has stood by me and believed in me throughout my degree and who has been neglected during the research of this project.

pg. vStudent ID: 1318715

ContentsWeighting agreement ............................................................... i Declaration of own work ......................................................... ii Abstract ................................................................................. iii Acknowledgement ................................................................... v Table of Figures ...................................................................... 3 Table of Tables ........................................................................ 4 1. 2. 2.1. 2.2. 3. 3.1. 3.2. 4. 4.1. 4.2. 4.3. 4.4.4.4.1.

Introduction................................................................... 5 Literature review ........................................................... 8 Research project guidance .............................................. 8 Research project ......................................................... 10 Methodology review ..................................................... 13 Primary research ......................................................... 14 Secondary research ..................................................... 16 Main Report ................................................................. 18 What is public cloud computing? .................................... 18 Why research into public cloud computing is relevant ....... 21 Deployment and Service models .................................... 24 IT services as a utility .................................................. 27Services used in the production of this report ................................ 27 File storage ......................................................................... 27 CRM ................................................................................... 29 Drawing tools ...................................................................... 29 Project management ............................................................ 32 Ecommerce ......................................................................... 33 Email .................................................................................. 33 Office.................................................................................. 35 Collaboration ....................................................................... 36 Accounting .......................................................................... 38 Telephony ........................................................................... 39

4.4.1.1. 4.4.1.2. 4.4.1.3. 4.4.1.4. 4.4.2. 4.4.2.1. 4.4.2.2. 4.4.2.3. 4.4.2.4. 4.4.2.5. 4.4.2.6.

Other relevant services for a SME ................................................. 33

4.5.4.5.1. 4.5.2. 4.5.3.

Benefits of public cloud computing ................................. 41Technological ............................................................................. 41 Economical ................................................................................ 43 Environmental ........................................................................... 46

pg. 1Student ID: 1318715

4.5.4.

Security .................................................................................... 48

4.6.4.6.1. 4.6.2. 4.6.3.

Risks of the public cloud ............................................... 50Outages .................................................................................... 50 Cost ......................................................................................... 51 Security .................................................................................... 54 Internal risks ....................................................................... 55 External risks....................................................................... 56

4.6.3.1. 4.6.3.2. 4.6.4. 4.6.5. 4.6.6. 4.6.7. 4.6.8.

Internet access and throughput.................................................... 56 Data Protection and safe harbor ................................................... 57 Standards ................................................................................. 59 Vendor lock-in ........................................................................... 60 Personal touch ........................................................................... 60

4.7. 4.8. 4.9. 5. 6.

Migration to the Cloud .................................................. 62 What the future may hold ............................................. 67 Conclusion .................................................................. 71 Project Evaluation ........................................................ 74 Future research ........................................................... 77

References ............................................................................ 79 Bibliography .......................................................................... 84 Appendices ............................................................................ 91 Appendix 1 ........................................................................... 92 Appendix 2 ........................................................................... 94 Appendix 3 .......................................................................... 100 Appendix 4 .......................................................................... 101 Appendix 5 .......................................................................... 102 Appendix 6 .......................................................................... 109 Appendix 7 .......................................................................... 110 Appendix 8 .......................................................................... 111 Appendix 9 .......................................................................... 114 Appendix 10 ........................................................................ 116 Appendix 11 ........................................................................ 123 Appendix 12 ........................................................................ 124 Stop Press ........................................................................... 124


Table of FiguresFigure 1: Guide to three of the deployment models ........................ 6 Figure 2: Cloud computing deployment and service models (Greenwood et al, 2010) ........................................................... 24 Figure 3: Service Layer Definitions of cloud computing (Katy, 2010) .............................................................................................. 25 Figure 4: Three network diagrams to show comparison of three diagram programs .................................................................... 31 Figure 5: Screenshots of Aceproject ........................................... 32 Figure 6: Online word processors vs. offline word processors ......... 36 Figure 7: Screenshot of a project collaboration using Huddle.com .. 38 Figure 8: Basics of Skype communications .................................. 40 Figure 9: The ability to connect different devices to the internet .... 41 Figure 10: Cloud suppliers have mobile apps allowing for more control over services whenever (Engates, 2010) ..................................... 42 Figure 11: Dedicated architecture vs. scalable cloud architecture (RightScale, 2010) ................................................................... 43 Figure 12: Microsoft online services cost estimator ....................... 44 Figure 13: Charging structure of Amazon EC2 for a web application 46 Figure 14: A comparison of power consumption of both private and public cloud services (Baliga et al, 2010) ..................................... 47 Figure 15: FreeCRMs security and user settings ........................... 49 Figure 16: Applications may cost more to run on the cloud than expected (Velte et al, 2010) ...................................................... 52 Figure 17: Google Apps vs Microsoft Exchange 2007 for 5 users .... 53 Figure 18: The cost to purchase 5 licenses for Microsoft Office 2010 .............................................................................................. 53 Figure 19: Use-case diagram of users of the website (Chaffey, D, 2009) ..................................................................................... 63 Figure 20: How the current office may look ................................ 69 Figure 21: How the office of the future may look .......................... 70


Table of TablesTable 1: Research stages in conducting a literature review (Randolph, 2009) ....................................................................................... 9 Table 2: Brief overview of computing networks working towards cloud computing (Varney, 2010)......................................................... 19 Table 3: Definition of a SME ...................................................... 21 Table 4: Comparison of three public cloud storage solutions .......... 28 Table 5: Comparison of three diagraming solutions ...................... 30 Table 6: Google Gmail vs. Microsoft Online Exchange ................... 34 Table 7: Comparison of Cloud based accounting systems (Veale, 2011) ..................................................................................... 39 Table 8: The cost of network downtime to an organisation (Tomkins, 2009) ..................................................................................... 51


1.

Introduction

This research project has been conducted with the aim of finding out whether a SME would be able to move their entire IT infrastructure onto public cloud computing and how this may be achieved. This question first became evident when at a CMA (Communications Management Association) seminar on SaaS held in London (2010) (Is this the right time to move services into or from the cloud?). Mr Martin Rice (CEO of Erudine) was asked at the end of his seminar whether he knew of any Organisations that had moved all into the public cloud. He replied that he had heard of an organisation in the Caribbean that had, but he could not substantiate his claim with any evidence and it was more hearsay than fact. With the hype surrounding cloud computing and the increased number of devices that allow users access to the internet wherever they are, should SMEs be taking advantage of the public cloud now? And may it be advantageous for SMEs to move all to the cloud so that they have the same IT ability as their larger competitors. In the 1960s J.C.R. Licklider envisaged an infrastructure that would enable resource sharing, where data could be got at anywhere in the world (Gurd et al, 2005). Some see Lickleders idea as being the inspiration for ARPANET which led to the internet. Another man who made a prediction around the same time was John McCarthy, who said that computation may someday be organized as a public utility. Is this the time that these concepts and ideas start to become a reality? This paper is going to investigate whether a SME may be capable of moving all into the public cloud and act as a guide to any SME looking at moving into public cloud computing (whether all-in or some-in).


With this new paradigm there are four different types of deployment models (Williams, 2010): Public Cloud Private Cloud Hybrid Cloud Community Cloud

An example of some of the providers of these deployment models can be found in figure 1.

Hybrid Private Public

Internal IT:Microsoft office Outlook VMware Oracle Sharepoint Own servers

External Provider:CombinationSalesforce.com Amazon Ec2 Rackspace Googlemail Huddle Google Docs

Figure 1: Guide to three of the deployment models This project is only concerned with the public cloud and shall not go into depth on the other three models. They may be mentioned in this project but they are not a primary part of this project. Through the use of primary research methods, this project shall gather current information from SMEs to try and understand what they know about the public cloud and whether any of these SMEs is using or have any intention of using public cloud services.


Secondary research shall be used to gather information from reliable sources such as: Peer reviewed journals Seminars Current books News Internet sources This Week in Cloud Computing (http://thisweekin.com/thisweekin-cloud-computing/) Using the skills developed over the course of this degree, information shall be gathered together and used to produce a report that may be useful to a SME looking for information about public cloud computing and how it may or may not benefit their organisation. The information gathered in this report may also be useful for an academic looking for relevant information in cloud computing to start their research. Focus shall be given to SaaS in this report as it is felt that this may be sufficient to place a small SME fully onto the cloud and keeps the report within its limits. IaaS and PaaS shall be mentioned but only to make the reader aware of them. To keep with the theme of SaaS some of the free services, available at the time of writing this report, in the public cloud shall be used to help produce this report. These shall be made clear in section 4.4.1. As this is subject that is constantly changing as new models are formed and technology improves, a section has been inserted into appendix 12 called stop press. This contains a selection of articles that have come to light after research has ended that are relevant to this report.


2.

Literature review

2.1. Research project guidanceIn order to conduct this research project it was important to show that the literature in the field had been understood (Boote & Beile, 2005 cited in Randolph, 2009, p.1). Randolph has a PhD in educational research and a MEd in international education. His Guide to writing the dissertation literature review seemed to have more useful information in it than (Cottrell, 2008). Dawson (2009) was rather brief and Silverman (2010) goes into a lot of detail about a literature review for a qualitative research project. Luck (1999), Randolph (2009) and Dawson (2009) all show the importance of producing a research project and why it shall be useful to the writer and others who may use the report to research information for their own project or for people looking for an explanation on your subject. Relevant information is supplied by Luck (1999) for a research project in general even though his book is rather old now. He offers clear advice on managing the project and the stages that are required for a successful project. Randolph (2009) offers a journal that is up to date and describes the reasons for producing a literature review in an academic research project report. He offers a clear, comprehensive table of the research stages of a literature review that could be overlooked without guidance (as shown in table 1)


Table 1: Research stages in conducting a literature review (Randolph, 2009) Dawson (2009) is ideal for an undergraduate or postgraduate IT project of this type and his book has been used extensively throughout the life of this project. He breaks his book into sections that are in the same order as you would expect to produce an IT research project report. Cottrell (2008) and Becker (2009) both have rough guides to research projects, but only brief advice for such a project. Their information is more for the modules of a degree course rather than a project. As this project is a qualitative project, Silverman (2009) has been able to offer invaluable advice on conducting this project. His book is not aimed at IT in general but his advice is written in a chronological order and is mainly aimed at helping students to conduct qualitative research. He does have some quantitative research advice, but only to help the qualitative researcher use their information more productively.


2.2. Research projectAs cloud computing is still in its infancy it was difficult to source relevant books for this report. Colchester Institute did not possess any books and The University of Essex only had Velte et al (2010). For an established University to only have one book on an up to date topic shows how much this subject is still in its infancy. Velte et al (2010) talks about some of the big players (Amazon, Microsoft, Google, IBM, Salesforce.com, etc.) in cloud computing at the time of writing their book. They go into great depth about the types of cloud computing and the technology that the vendors are using to make cloud computing exist. The authors are all wellestablished authors and co-authors of more than a dozen IT books. To make the subject of cloud computing more understandable, to any business wanting to move into cloud computing, it would be advised to read the material produced by Barnatt (2010), Velte et al (2010) and Williams (2010). They all produce guides to what cloud computing is and how it can be used by organisations. Barnatt (2010) offers a brief guide to cloud computing and shows the reader what cloud computing is and what he thinks it will bring in the future. He covers briefly what services are offered in the cloud and mentions lots of service providers and what they offer. His insight into the future of the cloud is interesting and is entitled The second digital revolution. This chapter shows how the continuing development of interfaces is enabling the cloud to become a reality and grow produce more uses. This has been demonstrated in a recent TV advertisement by PC World which shows how with the use of a touch screen computer the user is able to put picture on the cloud, alters it and then prints it at home. This is only a small part of cloud computing, but it shows how the use of the interface (the


computer) can improve the users experience and draw them to use the services of the cloud. While Barnatt (2010) shows the services in the cloud, Williams (2010) gives an explanation about: Risks and benefits Choosing suppliers Protecting your data in public clouds A five step process to moving into the cloud

His guide is brief but does explain cloud computing in plain English so as to avoid the confusion that cloud computing brings with its terminology. He has used a chapter with case studies to demonstrate how organisations have used the cloud. To make sure that this subject is relevant it has been important to use both peer review journals and internet sourced articles to make sure that the information is up to date. Business Link (www.businesslink.gov.uk) has been used to try and investigate the IT systems that are used by a SME to run their business. They are a government resource that provides clear information for SMEs setting up and running their own business. They also offer a valuable insight into cloud computing that is designed to give SMEs a basic insight into what they can do in cloud computing. For a SME looking to move to the cloud this is a great service that business link offer as other organisations like them do not seem to be offering this service. Keboko is a company run by Charlie Cowan in the UK and he has teamed up with salesforce.com to offer services to move SMEs to cloud computing. He has a blog at http://iamcharliecowan.com/keboko/ and this continues on http://www.keboko.com/category/blog. His blogs offer the reader


advice on how he has trialled the services he offers first and how he has gone about doing so. His blog offers an insight into some of the new things that are happening in both cloud computing and in SMEs. He takes into account the recent political and economic situation that has arisen lately and makes a point to mention it in a blog of its own. Although blogs are not very academic or reliable, they are part of the changing way that we communicate and if they are current then they may well be reliable.


3.

Methodology review

To produce this research project a qualitative methodology was chosen as this was thought to be more suitable for the research of this project. The report did not require any statistics to find out how many had done something (quantitative research). It was not aimed at finding out how many SMEs were moving to the cloud or how many had certain issues with the cloud. Its main focus was on researching how an SME could move onto the public cloud and whether this was achievable. In order to gain the knowledge to produce this report, information has to be gathered from reliable sources. Primary research was aimed at investigating what knowledge and worries a small group of SMEs have about public cloud computing. This did take on a bit of a quantitative research but still stayed within the scope of a qualitative methodology. To research the relevant type of information for such a report it was necessary to conduct secondary research to begin the project. Authors like Cottrell (2008), Becker (2009), Luck (1999) and Dawson (2009) help to plan the gathering of information in a project management type fashion. Knowledge of this type of planning was also learnt from IT Project Management module and was put to good use throughout this project. A project plan (appendix 1) and log (appendix 2) were used to monitor the project throughout its life. Project preparation made sure that risk assessments had been put in place. Amendments to the project were noted in the project plan to keep track of them. As the project was based on a report about public cloud computing, it was only fair that some cloud computing services were used in the production of this report. The following SaaS services were used:


Aceproject was used to create a project plan (aceproject.com) Dropbox was used to store the project (dropbox.com) CRMfree was used to build a database of some local SMEs (freecrm.com) Gliffy was used to produce some of the network diagrams (gliffy.com)

These services were chosen because they were either free or recommended by colleagues. Aceproject was found after trialling Microsoft Project and Zoho Project. Aceproject was easier to use and produced a relevant Gantt charts. Google Docs was looked at and trialled but due to its lack in functionality it was decided that it did not have the correct tools for a project of this type at present. All email correspondence with the supervisor was printed out and kept in a folder. This proved to be invaluable when a question was deleted from my emails and the hard copy had to be retrieved. Several of these messages can be found in appendix 3 as evidence. Regular meetings were held with the supervisor so that any questions could be answered and the project could be tracked by the supervisor. Meetings were held on Monday afternoons during term time.

3.1. Primary researchA questionnaire was designed for conducting interviews to try and understand what SMEs knew about cloud computing. After circulating a draft questionnaire to colleagues, careful consideration of their feedback was combined with my own ideas to tailor the questionnaire. It was realised that this could be used for interviews and it may also be circulated to SMEs through email or directly canvassing them asking them to fill it in. This may provide a larger feedback from SMEs than just interviews.


After producing a cover sheet describing the study, the questionnaire was sent out to local SMEs. Sue Bailey (Careers Adviser) of Careers Guidance Centre in Colchester Institute, helped compile a list of 43 SMEs (appendix 4), who were emailed a copy of the questionnaire. It was expected that there may be no response to this approach of canvassing them, but 12 did reply and one company did explain that they had a lot of requests for questionnaires to be filled in and so they would not have the time to complete mine. Several SMEs did give comments which were of great help in understanding the knowledge they had about cloud computing. Interviews were structured and conducted in a face to face manner. In this way the interviewer was able to capture the most detail, both verbal and non-verbal (Maylor and Blackmon, 2005). This structured approach of using a pre-made questionnaire allowed the answers to be written in a space below each question and as the interview was face to face it was possible to explore unexpected answers. A journey to the Cloud Expo in London on the 2nd of February 2011 was used to gather information from cloud computing suppliers. The seminars were the most useful part of this trip and some of the slides were emailed to me after the show. The major account manager (Paul Augaitis) of an established cloud computing supplier (carrenza.com) provided some very helpful information and agreed that I could contact him in the future. The seminars gave good up to date qualitative information from some of the top cloud computing suppliers in the world, including Rackspace, HP, etc. Emails communication with Paul Augaitis provided a little information on the processes involved in setting up a cloud and the basics of the planning process required putting an organisation into the cloud. This was helpful and provided guidance to carry out research in relevant areas.


Cloud services were used to trial some of the services that a SME may be expected to use to help run their IT on a day to day basis. File storage has been used in the cloud so that this report and other college reports could be retrieved from any computer anywhere as long as there was an internet browser and internet connectivity.

3.2. Secondary researchAs this is still a relatively new subject, books were not readily available on the subject. The few books that I was able to source that were of any use to this research project can be found in the literature review in section 2. Haydn White (Learning Resources Adviser) of Colchester Institute Library was consulted with on two occasions through the life of this project. As this is a new topic he was asked if he had any knowledge what the Dewey numbers for this subject may be. He was unaware and advised that as it is a new subject it may not have been assigned to any particular Dewey number and he could find no evidence otherwise. The books sourced for this project have been found in the business section of Colchester Library and the computing section of Colchester Institute, University of Essex and Braintree College. The internet was a major source of secondary research information and provided journals, case studies, government information and up to date information in the news. Business Link (UK government's online resource for business) are providing information on their website about cloud computing and it was found when trying to research the types of information systems that an SME may use. The Chambers of Commerce and Colbea, that are set up to help SMEs, were not providing information on their website on cloud computing yet. They were asked if they were providing information and as yet there has been no response.


The BCS were used to try and find forum groups on cloud computing to try and make contact with people who have the same interest. The BCS only had one forum group that consisted of 6 people at the time of writing this report. One person on there was helpful and pointed me in the direction of their manager who has set up his own company and is currently running it in the cloud and selling cloud services. This was fruitful as he has a blog that was full of information on how he went about setting up his business and exploring the clouds services. I did contact him but he was brief in his answers and only pointed me towards his blogs.


4.

Main Report

4.1. What is public cloud computing?Before we discuss cloud computing it is important to trace its history in order to understand it. Cloud computing is a new word that has entered the world of computing but it is not a new concept. In the 60s J.C.R Licklider and John McCarthy envisaged an infrastructure where data and computations could be accessed anywhere in the world and delivered as a public utility where you only pay for what you use (similar to the way gas and electricity are used) (Timmermans et al, 2010). Cloud computing is similar to centralised computing in that the user is using services and storage not on their local computer. Table 2 shows how between the 50s and late 70s the use of centralised computing was used due to poor local storage on computers. Poor networks and improved local storage in the 80s led to devolved computing, where the needs for centralised computing diminished and the personal computer started to be used more as application were now able to be stored and run on computers. The 90s and 2000s had great improvements in both Local Area Networks (LAN) and Wide Area Networks (WAN) which allowed organisations to start using centralised storage again and the possibility to save money on the amount of servers run in the organisation. Now organisations can run their IT on dumb terminals (thin clients) again after technology has come round full circle with improvements in virtualisation and networks.


1950s Transistorised Computer Centralized Computing, Centralised Storage, No Network 1960s Improved Computers, Dumb Terminals Centralized Computing, Centralised Storage, Rudimentary Networks, Business Applications 1970s Multiple Computers, Multiple Dumb Terminals Ethernet Networks. Centralised Computing, Centralised Storage Complex Networks, Business Apps 1980s Personal Computer Devolved Computing, Local Storage, No Network Data Interchange by Disk, Business Apps on Computer Late Networked PCs 1980s Devolved Computing, Local Storage, Local Business Apps, Data interchange over Simple Network 1990s PCs Networked to Central Storage Local Computing, Centralised Storage, Local Business Apps Local Area Network (LAN) Late PCs Networked to Central Storage and Computing 1990s Connected to the Internet. Centralized Computing, Local Computing, Centralised Storage Local Storage, Centralised Apps, Local Apps Local area Network & Wide Area Network 2000s Cloud Computing, Dumb Terminals (Thin) Centralised (Cloud) Computing, Centralised (Cloud) Storage, Centralised (Cloud) Business Apps Wide Area Network Table 2: Brief overview of computing networks working towards cloud computing (Varney, 2010) The term cloud computing comes from the way that Wide Area Networks (WAN) and the internet are drawn as a cloud in network diagrams. There are many definitions of cloud computing but the National Institute of Standards and Technology (NIST) offers a definition that is publically available and from a reliable source. Their definition of cloud computing is: Cloud computing is a model for enabling convenient, ondemand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service


provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. (Mell and Grance, 2010) Public cloud computing allows users to be able to rent space on virtual servers. This means that you only pay for what you use. So unlike a data centre or local storage where you pay for a set amount of storage or use of applications, public cloud computing uses a pay as you use model. If you use an application more or less or storage use alters up or down then the cost moves on a sliding scale and you only pay for what you are using. This sounds good but as with all technology it does come with its benefits and risks which will be covered in sections 4.5 and 4.6.


4.2. Why research into public cloud computing is relevantPublic cloud computing has been described by John Engates of Rackspace, at the Cloud Expo 2011 in London, as being easy for SMEs and start-ups to adopt but harder for large corporations. It has been said by many that the public cloud may give SMEs the same computing power as larger organisations, but only pay for what they use when they require it. What is a SME? According to the European Commission for Enterprise and Industry (2003): Enterprises qualify as micro, small and medium-sized

enterprises (SMEs) if they fulfil the criteria laid down in the Recommendation which are summarized in the table below. In addition to the staff headcount ceiling, an enterprise qualifies as an SME if it meets either the turnover ceiling or the balance sheet ceiling, but not necessarily both. A rough guide to this is shown in the table 3 as defined at http://ec.europa.eu/enterprise/policies/sme/facts-figuresanalysis/sme-definition/index_en.htm. Enterprise Category Medium-sized Small Micro Headcount < 250 < 50 < 10 Turnover Or Balance sheet total < 43 million < 10 million < 2 million

< 50 million < 10 million < 2 million

Table 3: Definition of a SME When a questionnaire was sent to local SMEs (appendix 5), most of them that replied did not know exactly what the public cloud had to offer and some did not even know what the cloud computing is. Several did not have any intention of using the cloud at the moment and no view of using it in the future. These results were backed up


by a recent survey by peopleperhour.com who survey 1300 SME across the UK and discovered that almost 74% did not use cloud computing and 43% of those did not even know what the term meant. 36% of those who understood cloud computing did not see a need for it in their business and 10% saw the technology as to expensive. Only 9% avoid the cloud because of security fears even though many companies site the security as being the reason that they avoid it (Scott, 2011). Organisations like the Chambers of Commerce and Colbea do not seem to be presenting information openly for SMEs at the current time. An email from the Chambers of Commerce explained that they are not yet advising members directly. Business Link is supplying basic information that may be useful to a SME looking to move to cloud computing. Primary and secondary research conducted has shown that the two main obstructions for a SME moving into the public cloud are: Trust Knowledge

It seems that SMEs are still not getting the information that they require to understand cloud computing. Koehler et al (2010) states that most research work focuses on the technical aspects of cloud computing and not enough research on consumers preferences. This research report shall investigate how the public cloud may be adopted by a SME, so that both academic and SMEs understand some of the perquisites before adopting the public cloud. This research report may also show whether or not such a move would be of benefit or not. The report aims to investigate whether a SME is able to move all into the public cloud and shall inform SMEs what public cloud computing can offer them. With only 48% of UK firms using some form of cloud


computing compared to 60% of European SMEs (Tyrsina, 2011) it seems clear that the SMEs in the UK are still unclear about what cloud computing is. Public cloud computing may need to be clarified in order to elucidate the myths and stories about the services. Forrester and Gartner predicted that cloud computing revenue is expected to rise from $41 billion in 2011 to $118.7 billion and $148.8 billion respectively by 2014 (Valentino-DeVries, 2011). With such predictions it is clear that cloud computing is here to stay and so research should be carried out in order to make public cloud computing more understandable to SMEs.


4.3. Deployment and Service modelsThe four deployments and three service models that have been mentioned in the NIST (Mell and Grance, 2009) definition of cloud computing are shown in figure 2.

Figure 2: Cloud computing deployment and service models (Greenwood et al, 2010) All three service models can be accessed in the public cloud deployment. The three services according to NIST are: SaaS Software as a Service This offers the user the ability to access applications over a network, typically applications on a pay-as-you-use rate. The user only controls the application and has no control over the hardware or operating systems. Some key providers are Google Apps, Zoho, Netsuite, Salesforce.com and Microsoft 365. PaaS Platform as a Service Offers a platform for deploying web applications without the need to buy and manage the specialist hardware and software required to produce such applications. The user can control the application and select an operating system but tends not to control the hardware. Some key providers are Google Appengine, Force.com and Azure. IaaS Infrastructure as a Service The supplier offers storage, servers, networking components and hardware which is housed and maintained by them for clients to use on a pay per use basis. The user has the ability to control the operating systems


and alter settings in the hardware. Sometimes known as Hardware as a Service (HaaS). Some key providers are Amazon EC2 & S3, Rackspace and Carrenza. Figure 3 shows a visual representation of the service layers for the services defined above and shows how they stack on top of each other.

Figure 3: Service Layer Definitions of cloud computing (Katy, 2010) The public cloud offers the three service models but according to a survey run by European Network and Information Security Agency


(ENISA, 2009), 34% of respondents would use SaaS and 28% would most likely use PaaS. This may be down to SMEs not having the IT skills or the money to employ a dedicated IT staff member that would be involved in setting up their infrastructures in IaaS or PaaS. Instead they may outsource the setting up and maintaining of their servers and networks to third parties. According to ENISA (2009) the main service that most SMEs would be inclined to use at this time is SaaS. This seems quite logical as the completed questionnaires (appendix 6) show that SMEs worry about security and IaaS and PaaS mean storing your information on someone elses system. With the introduction of Apple IPods, IPhones and IPads most people know about applications on the web but they may not understand IaaS and PaaS due to lack of understanding. This report centres on SaaS as this is thought to be the most understood service available to SMEs at this time.


4.4. IT services as a utilityThis section shall try and describe some of the SaaS services in the public cloud that a SME may use to help run their organisations IT. After interviews with two SMEs (appendix 7) of different sizes and researching information systems of a SME, the main IT systems that may be used to help run a generic organisation may be: Email Internet CRM Office (Word, Excel, etc) Finance

Suppliers like Zoho, Salesforce and Google can supply packages of software or applications can be individually sourced. Appendix 8 has a list of resources compiled by Velte et al (2010) as an example of some relevant resources. The following sections show some SaaS solutions that may be of use to a SME in running their organisation smoothly.

4.4.1. Services used in the production of this reportTo produce this report it was planned that SaaS services would be evaluated and used to help produce the report. These services were chosen because they were either free, easy to trial and recommended by colleagues. These were all setup quickly, easily and did not require installation on the local computer.

4.4.1.1. File storageFor storage Dropbox was used and is now being used for other projects at the same time. It was tempting to use Microsoft SkyDrive but at the time of producing this report Dropbox had some


advantages that made it more appealing. Table 4 shows a comparison of three public cloud storage providers. Dropbox Free storage Microsoft SkyDrive 25GB free Amazon Cloud Drive 5GB free

Paid for plans

2GB free and extra 250MB for each friend referral up to 8GB maximum 50GB at $99/yr None 100GB at $199/yr

Automatic synchronising Sharing Store history of work Mobile device apps Largest upload file size

Yes Yes Yes Yes (most devices)

No (only with services like Gladinet) Yes No Only now starting to come out No bigger than 50MB

20GB at $20/yr 50GB at $50/yr 100GB at $100/yr 200GB at $200/yr 500GB at $500/yr 1000GB at $1000/yr No No No No No limit

No limit on desktop upload but 300MB cap on website upload Security Stored files have AES-256 encryption. Data transmitted is sent over SSL Table 4: Comparison of three

You have to encrypt your files before uploading manually

You have to encrypt your files before uploading manually

public cloud storage solutions

The table above shows that when selecting a storage service it depends on what the user is looking for, whether it is storage, price or functionality.


In using Dropbox to produce this report there was a problem with a files synchronising and a file was almost lost but thanks to the work history being stored for a month the previous copy of this file was retrieved successfully online.

4.4.1.2. CRMCustomer Relations is an integral part of the sales of any organisation and Customer Relations Management (CRM) software solutions allow an organisation to strategize to reduce cost and increase profitability. CRM solutions are ideal for contact tracking, sales, customer services and business management (Gander, 2011). CRMFree was used to automatically email the questionnaire for this project to 43 SMEs. This was successful but was rather tricky to set up. CRMFree has no integration with Google docs where competition like Zoho and Salesforce.com do have integration which makes it easier to use a truly online solution to create your advertisement, etc. and then email it to all that it may concern. To truly benefit from CRM cloud solution it is felt that it would be beneficial to let a member of the sales team trial some of these services to find the ones that they prefer to use.

4.4.1.3. Drawing toolsFor most projects around an office it is important to be able to put words into pictures or diagrams to get your point across especially in presentations. For example to produce this report Gliffy was trialled to see if it was powerful enough to compete with installed software solutions. Unfortunately it was not as powerful a solution as Edraw. Another solution that was found was at www.diagram.ly, this offered a similar solution to Gliffy and was still limited as shown in table 5.


Cost

security

Upload limit

Who can see my diagrams MS Office support Save file as Predefined objects

gliffy.com Free or $5 $1750 p/m depending on amount of users Secure SSL login on premium version 2MB free Unlimited on Premium Public on free version Private, public or shared on premium edition No jpg/png/svg

diagram.ly Free

Edraw Max 79.95 99.95depending on version 1

None

Not required

None

N/A

Private

Private

No xml/vdx/jpg/png

Yes jpg/bmp/dib/png/ tif/wmf/emf/html/xml

375 plus upload own Over 4600 plus save 198 and save own objects own objects Table 5: Comparison of three diagraming solutions

Other solutions exist like lucidchart.com, cacoo.com and creately.com but were unable to be tested at this time due to time constraints. Figure 4 shows some simple network diagrams created on each of the solutions mentioned above to show a comparison.

1

Source: Google shopping


Diagramly

Gliffy

Internet Cloud

Edraw Figure 4: Three network diagrams to show comparison of three diagram programs Whilst they all look similar Edraw has the better selection of tools to use. The online solutions were very limited to what they could produce, but they were more than capable of being able to create basic diagrams.


4.4.1.4. Project managementThe project management of this report was managed using software supplied by aceproject.com. This software was mainly chosen after trying for several hours to get to grips with Microsoft Project. Microsoft Project seems awkward to use and it is felt that it would require training to use it successfully. Aceproject was rather simple to use and had great functionality for keeping track of this project and can be collaborated between shareholders by supplying them usernames and passwords to access it anywhere with internet access. The screenshots in figure 5 show some of the functionality of Aceproject to give an idea of some of its uses and simplicity.

Figure 5: Screenshots of Aceproject Other solutions to project management solutions can be found at http://pm-sherpa.com/solutions/. Due to time constraints, the


solutions on this site could not all be trialled but do correspond with previously used solutions like Huddle.

4.4.2. Other relevant services for a SMEThe following services have been researched for this project but have not been used to produce it. They are all relevant solutions that a SME would be able to use.

4.4.2.1. EcommerceIf a SMEs main business is selling products, they shall probably have some sort of software that allows them to carry out their daily ecommerce functions. There are many SaaS solutions in the cloud. Some of the larger suppliers of this service are Corecommerce, ePages and Actinic. They each offer similar solutions and ePages offers its solution through resellers like BT, 123Reg and Kingston Communication to name a few. A full list can be found at http://www.epages.com/en/partners/providers/overview/. Each supplier of ecommerce solutions offers a variety of different packages. Most of them also offer a trial version that can be used to evaluate the services that they offer. The advice on moving into a cloud computing ecommerce solution would be to try before you buy.

4.4.2.2. EmailBoth Google and Microsoft offer SaaS solutions for business. Both offer similar packages as can be seen in table 6. Other cloud organisations like Cobweb, Amazon Simple Email Service (Amazon SES) and Iron Mountain, all offer variations of email systems in the cloud.


Service Cost

Google Gmail 33 per user/per year As part of the Google Apps bundle 99.9% Yes 25GB per user Yes Yes No Yes but calendars and contacts need a separate app that can only run on windows to synch them Google has built its client for internet browsers from scratch and Google Apps has been designed for internet browsers from the bottom up

Up time Spam Filter Storage Web interface Email archival Tasks Desktop Email client integration

Microsoft Online Exchange 3.36 per user/per month Or bundle with BPOS for 6.71 per user/per month 99.9% Yes 25GB per user Yes Yes Yes The use of Microsoft Outlook allows simple integration Microsoft web client resembles Outlook and compared to most web based email systems encountered, has not been designed from a web browser perspective Exchange integration is simpler than Google Many smartphones come with Exchange support

Web Client

Active Directory Integration

Google Apps requires some Python scripts to integrate Mobile phone Synchronising integration contacts and calendar can be a problem if your phone is not a Blackberry Support Google offer great Microsoft offer a documentation but representative 24/7 only offer phone who can be called support if the service with almost any query is down Table 6: Google Gmail vs. Microsoft Online Exchange Who to choose would depend on the service that is required or whether savings were of higher priority. Yale Daily News reports that Yale University is moving 20,000 email accounts from Horde email to


Gmail over the next two years in phases and expects to make savings of at least one-third of its email budget (Gorman, 2011). The comparison between Gmail and Microsoft Online Exchange (table 6) show that clear savings can be made, but the cost to train staff in the new system may also balance out the savings.

4.4.2.3. OfficeOffice packages are available (word, excel and presentation software in one) or they can be accessed for free using services like Google Docs or Zoho Writer. Both of these solutions enable: Collaboration Storage Access control

A full list of features for Google docs can be found at http://www.google.com/google-d-s/intl/en-GB/whatsnew.html.


Zoho Writer

Google Docs

Microsoft Word 2010 Figure 6: Online word processors vs. offline word processors Zoho Writer and Google Docs did not offer the same functionality as Word 2010 to produce this report. The automatic table of contents was not available in both products. If it had of been then they would have been used. Both online products have about the same functionality and they operate well as basic word processors so it would be down to the operators preference in choice.

4.4.2.4. CollaborationIf users are based in different offices or a SME is collaborating with another organisation to complete a project then collaboration


software may help them to achieve their goals. By granting access to users or other organisations it is possible to share certain documents. Dropbox has a function that allows documents to be shared with invited users but Huddle has more access control and the ability to lock documents while they are being edited. The free version of Huddle was used in the past to produce both a Project Management module and an Ecommerce module. Both of these projects had shareholders that were unable to meet up in person. Since these were joint ventures single documents had to be worked on collectively. With the help of Huddles functions and tools this goal was achievable. A few of Huddles functions are: Document storage Document sharing Calendar Shareholder approval system Meetings Diary Whiteboard Online support for editing Microsoft documents Mobile device application


Figure 7: Screenshot of a project collaboration using Huddle.com Huddle has case studies from organisations that are from all different types of business including government, education, charities, health, professional services and agencies. These case studies can be found at http://www.huddle.com/customers/featured-customers/.

4.4.2.5. AccountingAccounting systems are available on the public cloud for SMEs. Suppliers like Xero offer consumers the ability to trial the software before buying. A blog by Veale (2011) offers a comparison table that is updated every 5 minutes as shown in table 7.


Table 7: Comparison of Cloud based accounting systems (Veale, 2011) Accountancy software should be looked at by accountants before any decision is made on a solution.

4.4.2.6. TelephonyProviders like Skype could be used to set up a public cloud solution. Skype works by either using your computer with a microphone and headphones or a separate VOIP phone plugged in to make your phone calls through your computers internet connection as shown in figure 8.


1) Skype software is installed on PC and user can either use microphone and speaker or use a VoIP telephone to make the telephone calls through the computer.

2) The call is sent over 3) The call can the computers internet either be received connection on a landline or can be made to another computer with Skype installed. Calls to other Skype users are free. Figure 8: Basics of Skype communications

This solution may suit a small organisation but may not have the quality for larger organisations. This is because Skype uses the same connection as the computers, so as the network load gets busy the connection may lose quality and may even loose connection altogether.


4.5. Benefits of public cloud computingThe internet is full of promises that using cloud computing services will save organisations money. This may be the case but not always. This section shall try and show some of the benefits the cloud can bring to SMEs.

4.5.1. TechnologicalWith so many mobile devices available for organisations to use in business and broadband networks being improved over the coming years, organisations can use technology to improve the productivity by allowing employees access to working tools and documents from anywhere.

Figure 9: The ability to connect different devices to the internet Android and Apple apps are allowing user the ability to access systems from anywhere in the world as long as they have some sort of network connection on their mobile devices. These allow users the power to be able to manage their cloud solutions as the example shows in figure 10.


Figure 10: Cloud suppliers have mobile apps allowing for more control over services whenever (Engates, 2010) Other technological benefits are the ability to deploy systems rapidly and the ability to scale them up or down on a sliding scale basis to suit your needs. This means smaller organisations can use as much or as little power or storage as they want. Unlike traditional systems where you increase the power or storage it stays in the machine and may never be fully utilised again. Complete operating systems can be set up in minutes due to the virtualisation that is happening in the cloud environment. This could save SMEs time in setting up users on systems, where an operating system would normally take time to install and set up permissions the cloud may reduce this time. With the scalability of services like Amazons AWS, SQL functions that may take hours to complete can be done quicker. By paying for extra compute capacity for as long as you want and then revert back to as little power as you need may allow organisations to get the work done in fraction of the time. Figure 11 shows a comparison between dedicated architecture and scalable cloud architecture.


Figure 11: Dedicated architecture vs. scalable cloud architecture (RightScale, 2010) Due to applications being accessed through web browsers it does not matter what operating system is running on the computer and some applications are also accessible through other mediums like smartphones. This gives a great advantage over previous software which most of the time depended on operating systems installed on the computer.

4.5.2. EconomicalCloud computing can offer economic benefits in the way that it charges. The following is a rough guide to how the three main service models of public cloud computing is charged (Williams, 2010): SaaS Not all services have to be paid for and some small start-ups may well get away with using the free services that are available on the public cloud. Some of the pay for services charges tends to be either monthly or yearly. Many of the


services are broken down and you pay either for the package at a reduced bulk price or you just pay for the applications that you use. Figure 12 shows how Microsoft online services can be broken down so you may only pay for the applications that you use or you can pay for the suite and receive all the applications.

Figure 12: Microsoft online services cost estimator This allows different users of the organisation to be charged for the services that they use. Theres no point in paying for John in accounts to have live meeting and SharePoint if he does not use it. Some of the services may have requirements (minimum amount of users, minimum term). Prices may also vary with the amount of support that a service provides. PaaS This is charged differently by different suppliers. For example Google charges for units as follows: o Outgoing Bandwidth per gigabytes o Incoming Bandwidth per gigabytes o CPU Time per CPU hours o Stored Data per gigabytes per month o High Replication Storage per gigabytes per month o Recipients Emailed per recipient o Always On per daily Salesforce.coms PaaS service Force.com charges slightly differently:


o Number of users o Number of applications o Number of database objects o Storage size o Access to CRM accounts and contact in salesforce.com CRM o Desirable level of customer support Both of the above services charge per month and this seems to be the same across most service providers. IaaS The charges for IaaS are complicated widely vary. To give an example Amazon offer a simple monthly calculator to work out the cost and it has some common examples to pick from. Figure 13 shows the things you would be expected to be charged for if you were to run a web application scenario in Amazon EC2 cloud. This shows some of the things that an organisation using IaaS may be charged for. o No of IPs o Amount of servers and utilisation o Data transfer o Total data processed


Figure 13: Charging structure of Amazon EC2 for a web application As you shall see in the risks in section 4.6, the cost is not always a benefit and should be carefully researched before adopting the public cloud.

4.5.3. EnvironmentalAlthough it has been said that cloud computing is beneficial to the environment. Baliga et al (2010) has been shown this to be an inaccurate comment and investigation should be carried out before assuming that because you are using cloud computing you are now environmentally friendly. Baliga et al (2010) found that the power consumption of the private cloud seemed to be less than users using the public cloud. Both the private and public cloud were more efficient than local storage so they are both more beneficial than using local storage when the computational tasks were small but this can soon change when the transporting of information to the cloud increases. It was found that even with the energy saving technology techniques and advanced cooling systems, cloud computing is not always the greenest


computing technology. Figure 14 graphs the power consumption between transport, storage and servers in both the private cloud and public cloud.

Public Cloud

Private Cloud

Figure 14: A comparison of power consumption of both private and public cloud services (Baliga et al, 2010) Cloud computing allows users to use thin clients and laptops that have a lower power rating than an average desktop computer. This may offer greater energy savings depending on the uses of the computer and so offer a greener solution for the environment. Barnatt (2010, p19) states that countries like Iceland are realising that they are some of the best countries to cut down on the carbon footprint due to cold weather being used to cool datacentres instead of air conditioning and geo thermal power being used to power them. These advancements could improve on Baliga et als theories. It is thought that advancements in computing technology shall help with power saving as UK and EU regulations on carbon footprint put pressure on organisations. Chip producers like Intel and AMD are already producing processors that use less energy than previous processors. Cloud computing may also help to reduce the carbon footprint by allowing workers to collaborate online through SaaS services like


video conferencing, document sharing and instant messaging. This will make both carbon and financial savings as workers will be able to work from home and less travel will be required to have meetings with offices abroad.

4.5.4. SecurityEvery organisation that uses IT has to put there information at risk. Risk is then mitigated and minimised. Cloud computing is no different to traditional infrastructure when it comes to security. The information is still sent over networks and employees have access granted to them, so that they can access the system. Cloud computing may actually give some of the smaller organisations more security than they could ever afford to implement on their own infrastructure. Not only do large cloud computing suppliers have to comply with regulations, they also have to make sure that their reputation is not tarnished by serious problems like security breaches. Most security risks come from the staff within the organisation. The Guardian ran a recent story about the NHS being involved in 909 data breaches by the 30 trusts in London alone over the last three years. Almost all of these breaches were down to staff errors and lack of knowledge (Laja, 2011). This suggests that if you make your staff aware of their responsibility and obligations through policies, then your information should be safer. No matter where your information is held, human error is always going to be a risk. Some cloud computing suppliers will be able to carry out audits and have the ability to monitor their networks better than a SME and they are likely to employ dedicated security staff. Some actually simplify the process of access control so that if a user were to have their employment terminated then it is simple to remove their access to


sensitive information as shown in figure 15. If they have their datacentres in the UK then they will also have to comply with UK and European legislations. For a SME it is all about how much risk they want to take and how many questions they ask the supplier before joining.

Figure 15: FreeCRMs security and user settings When looking to cloud services for security you should focus on five key areas: Authentication Authorisation Confidentiality Integrity Non-repudiation

These building blocks work together to provide a comprehensive data security infrastructure (Ford, 2010).


4.6. Risks of the public cloud 4.6.1. OutagesAs public cloud computing relies on a connection to the internet, there is always the chance that there may be network outages. Any type of outage may cause a business to lose money and customers but if all assets were in the public cloud then productivity may come to a standstill as well. Bill Rhys Jones of Computerwise Ltd. (appendix 9) advised me that one of their clients use a cloud based solution. The gas board were doing works on their estate and cut through some phone cables, this left the client with no access to their system for a whole day and had to do everything manually. Problems occurred in Egypt on the 27th of January when the government cut off internet access to the country to try and stop communication between protestors. This would have had a knock on affect to organisations that were using the public cloud (Arthur, 2011). The most recent outage recorded came on April 21st 2011 when Amazon had a networking storm that caused them to have a service outage. Some services were resumed in hours and some took days. The main criticism that has come to light about this outage is that many users did not know about it until they were notified by their customers (Hickey, 2011). Network downtime can have a dramatic cost to an organisation as shown in table 7.


Table 8: The cost of network downtime to an organisation (Tomkins, 2009) Many organisations give their availability time in the Service Level Agreement in the form of a percentage. These figures are normally quite high and may lead you into thinking that 99.5% or 99.9% mean that there is going to be very little downtime. This can equate to 1.83 days and 8.76 hours per year. From research carried out through a questionnaire sent to SMEs, most responded that they had outages in their infrastructure. From this section you can see that any sort of outage is going to cost your business money. Outages happen in both in-house and cloud computing infrastructure so it depends on how much you trust a cloud organisation to hold your information.

4.6.2. CostThe cloud carries no guarantee that it shall make savings for an organisation. In certain cases the cloud may be cost effective but in some cases it may be cheaper to buy a server and run the service yourself. For instance if you offer a service streaming high-definition


video over 100 sources then your costs are going to spike as the throughput increases as shown in figure 16 (Velte et al, 2010).

Figure 16: Applications may cost more to run on the cloud than expected (Velte et al, 2010) As has been pointed out to me by Bill Rhys Jones (appendix 9) the cloud is not always the most effective in cost for some of the smaller SMEs. Some of the larger SMEs have contracts that have their IT changed or upgraded within a certain time limit. This is not always the case with the smaller SMEs. They may buy software and it may well last them for well beyond three years. When the cost of cloud services is calculated it is sometimes more expensive beyond three years. Figure 17 shows a comparison between the purchase of 5 licenses for Google Apps and Microsoft Exchange 2007 and shows that a larger SME using its own servers may benefit from using Google Apps. This may be ideal for a larger SME but figure 18 shows that it would only cost 1548.25 to purchase five licenses to run Microsoft Office 2010 Standard. This works out cheaper to run over three years or more compared with Google Apps.


Figure 17: Google Apps vs Microsoft Exchange 2007 for 5 users

2

Figure 18: The cost to purchase 5 licenses for Microsoft Office 2010

3

2

Source: http://www.google.com/apps/intl/enGB/business/appscalculator/index.html 3 Source: http://www.microsoft.com/licensing/mla/quickquote.aspx


4.6.3. SecurityAccording to the BSIs Small to Medium Enterprise Statistics (Infosecurity, 2011): SMEs account for 99.9% of all businesses in the UK and 49% of total business turnover, yet often treat esecurity as a "grudge purchase" or do not realise the need for compliance with key legislation And The average number and cost of a security breach in a small organisation rose from an average of six incidents, with the worst costing an of average 20,000 in 2008, to 11 incidents in 2010, with the worst costing 55,000 on average These figures should be an eye opener for any SME. Cloud computing carries risks the same as any information system but by using the cloud there are risks in the security. Some of the main security risks come from: Internal external data protection data loss

The following sections break these down and give a brief summary of them so as to make the reader of this report more aware of them. Service Level Agreements (SLAs) should be checked over thoroughly to make sure that any data loss, security breach, downtime, etc. is effectively covered. Goo et al (2009) reveals that changing characteristics of SLAs may be dampening the level of trust and commitment between organisations.


4.6.3.1. Internal risksJust like traditional IT infrastructure, cloud computing is also at risk from internal employees and lack of internal security. As the cloud services are accessed over the internet, a malicious attacker may only require your password to access your services and information. Some of the internal risks include: Disgruntled member of staff Ex-employee Key loggers Homogenous passwords

These risks can be minimised by access controls, removing users when they leave the organisation, running up to date antivirus and using two-factor authentication. Two-factor authentication involves using a username and password and any one of the following authentication examples: Biometric (retinal, fingerprint or voice scans) Token (smart card, USB stick) Typing Rhythm Public Key infrastructures Sending one of passwords to mobile or email when you sign in

This is only a few of the mechanisms that can be used along with security policies that help inform how the system is to be used by employees and contractors and their duties to the organisation. Internal security measures cannot be forgotten about just because the information is held somewhere else.


4.6.3.2. External risksAs the information and services are being held on third parties infrastructures, it is important to realise that any network is only a secure as its weakest link. If the cloud supplier has a security weakness in any of their software then any SMEs who are using that supplier are at risk. Mazzon (2009) reported in a blog for Google that Google Docs had a bug in it that led to a small percentage of documents being shared among unauthorised users. If SMEs information is of any importance to them then they will no doubt have security policies in place internally. It is of upmost importance that they also make sure that their cloud suppliers also have good policies and security in place. Some of the cloud suppliers are large organisations like Amazon, Google and Microsoft to name a few. These large names all have something in common and that is that they are targets for hackers trying to break their system or gather information. In December 2010 Anonymous (a hacker group) tried to bring down Amazon with a Distributed Denial of Service (DDoS) attack. This attack failed and barely made a chink in Amazons armour (Vijayan, 2010). This type of story goes to show that attacks are planned on large cloud operators and your information is at risk but some organisations have got strong measures in place.

4.6.4. Internet access and throughputAt the moment some areas still have no broadband access and use dial up to get any internet access. Due to the cost and the speed of dial up it would not be advised to use the public cloud services at this time as this may increase cost and cause lag on your system. Some places do not have phone lines and due to one company having a fire and relocating they were unable to have access to phone lines


and so had no access to the internet. If they had the cloud then their system may have been saved from the fire, but they would have no access to the system at the new location. In January 2011 Bell Canada and Telus of Canada were to start charging usage based billing on broadband connections. They started changing from charging consumers a flat monthly rate for downloads to charging them a monthly rate and then charge them when they go over the download limit. This affected households and businesses in Canada. These bandwidth caps mean that organisations that use a lot of bandwidth may be put off setting up in these countries. If your organisation wants to set up in the cloud then the bandwidth you use should be considered very carefully.

4.6.5. Data Protection and safe harborThe purpose of data protection legislation is to ensure that personal data is not processed without the knowledge and, except in certain cases, the consent of the data subject, to ensure that personal data which is processed is accurate, and to enforce a set of standards for the processing of such information (Data Protection Act, 1998). The problem that faces SMEs entering into cloud computing is that they own the information and not the cloud service suppliers. If the information is not held securely, then the blame rests at the feet of the SME. Sensitive data should not be held in other countries outside of Europe as the security of this data would be held outside of the European Law and could not be guaranteed protection. However there is an agreement between Europe and America called the Safe Harbor Agreement which allows European organisations to store information on US systems and have their data protected.


Legal company Eversheds Have reported that a German privacy watchdog has recommended organisations to conduct their own checks on US companies as research has shown that a number of US companies are falsely claiming Safe Harbor membership (Fitzsimons, 2010). After checking on the Information Commissioners Office news releases (www.ico.gov.uk) to research any breaches in the Data Protection Act through the use of cloud computing, it was found that most breaches came from: laptops being lost or stolen and not being encrypted Information being improperly secured on internal networks Information being disposed of incorrectly Emails being sent in error

These cases have been at the fault of human error or human neglect. No cases of breaches in the Data Protection Act 1998 could be found in cloud computing. This could be because: Organisations are not using the cloud for this information There has been no security breaches of this type yet Organisations have not been reporting these breaches to save reputation Lately Sony has had trouble with their PlayStation Network (CellanJones, 2011) and this led to users details being stolen by hackers. This is not a cloud computing case but it does highlight that there are problems in storing data in internet services. There have also been worries about information being disclosed. This has come to light in the recent case with Wikileaks. Not only did Amazon shut down the service they were providing them but subpoenas were issued to Google, Facebook and Twitter asking that all information be handed over to the US government. Now Julian


Assange has accused the US intelligence of developing an interface that runs on Facebook, Google and Yahoo and is able to record information and help to build their databases of who knows who (Horn, 2011).

4.6.6. StandardsCloud computing has not got any set standards. Just as operating systems work on different standards so too does cloud computing. Marlin Pohlman of the Cloud Security Alliance (CSA) was quoted as saying that globally, organisations are asking What is the baseline security standard we have to have to trust third parties to govern our data?" (Field, 2011). Without global standards in security, privacy and software it may make it difficult to understand cloud computing and the implications that may be hidden by cloud suppliers. With global standards it would make it easier to understand and also to move from one provider to another. With no standards in place it makes it easier for some cloud providers to lock consumers into contracts that they find difficult to leave when they expire. Organisations are beginning to join together to produce standards that they can all work on collaboratively. One of these standards is OpenStack. As open source software like Linux has gained users over the years and is now being used by more organisations than before and Android now has 38% and Apple has 23% of the UK smartphone market (Chris, 2011). This shows that open source is becoming more popular so it is of no shock to see that OpenStack is backed by Rackspace, NASA, Dell, Citrix, Cisco, Canonical and over 50 other organizations. The Cloud Industry Forum (CIF) and the Cloud Security Alliance (CSA) have also announced that they are going to team up to try and promote best practices and industry standards (Preez, 2011).


After attending several seminars, the topic of standards has been raised time and time again. With organisations now forming alliances it looks like cloud computing may be starting to form some global standards.

4.6.7. Vendor lock-inVendor lock-in is the level of difficulty that is associated with moving your information or applications from a cloud service provider. Some cloud providers make it difficult to move your information from their systems or your applications are written in languages that make it very hard to move them between vendors. Variables like time, cost and level of difficulty all need to be addressed when planning to join a vendor and a plan put in place for the moving of information in the future. Organisations like The Cloud Computing Interoperability Forum, The Distributed Task Forces Open Cloud Standards Incubator, The Cloud Manifesto and The Open Grid Forums Open Cloud Computing Interface Working Group are all trying to introduce cloud interoperability proposals (Williams, 2010). This would make the moving of your information or infrastructure from one vendor to another easier.

4.6.8. Personal touchWith the advent of cloud computing there is now a time when you no longer require talking to a consultant or sales person to get advice on an information technology product or buy one. These services can be accessed, ordered and implemented online. The services can be altered at the press of a button and if you have a problem with the service theres always a knowledge base somewhere or a forum with the answer.


The social aspect of business seems to be disappearing and automation is kicking in. Cloud service providers probably do not know who most of their customers are (especially the small organisations). This may become a problem when you have a problem and do not know who to contact for help.


4.7. Migration to the CloudMigration to the public cloud would involve a full risk analysis and project management. It may also be a good idea to find a good glossary of terms, like Velte et al (2009) has produced (appendix 10), to learn the terminology used in this new technology before beginning research. If you have no knowledge about cloud computing and would like to learn more, then Rackspace have what they are calling Cloud University (available at http://www.rackspace.co.uk/cloudhosting/cloudu/?cmp=email_bcsnewsletter_cloud) which is full of webinars and white papers to educate about cloud computing. Williams (2010) also offers a Quick start guide to cloud computing that is an ideal tool for a business looking to move into cloud computing. The use of system design tools like use-case diagrams, such as the one in figure 19, help designers and testers work out who uses the systems and how they are used. Figure 19 shows how the users may use an ecommerce website and shows the parts of the system each user has access to.


Browse Website

Search for goods

Sales Advisor

Register account

Consumer

Purchase on website

Customer Relations

Cancel Order

Email Queries

Customer Services

Figure 19: Use-case diagram of users of the website (Chaffey, D, 2009) In order to try and ensure that the transition to cloud computing is a smooth journey common project management tools should be used: Gantt charts Critical path analysis (PERT charts) Risk analysis Time and cost management Contingency planning Regular meetings with staff involved

The CSA offer free tools to help cloud customers assess the security of cloud providers. The GRC Stack contains three tools for assessing cloud providers (Cloud Security Alliance, 2011): Cloud Controls Matrix (CCM) is a form that can be used to provide a control framework that provides control direction in relationship with other industry accepted security standards such as ISO27001/27002, COBIT, PCI and NIST.


Cloud Audit is used to provide a common interface for cloud computing providers to automate the audit, assertion, assessment and assurance of their services and allow authorised consumers an open and secure common interface. This tool is provided to enable transparency and trust in the cloud.

Consensus Assessment Initiative Questionnaire (CAIQ) focuses on providing an industry-accepted ways to document security controls.

All of the above are powerful tools in providing the correct questions to a consumer of cloud computing to ask the suppliers. These forms would be of great help to any SME with a limited knowledge of cloud computing and supply some of the questions that may help them to choose a secure provider. The CSA offer a host of information on cloud security issues and would be a great place to start checking out the security in cloud computing. For a small SME to start-up in the public cloud there may be less risk and the migration may be smoother with the correct plan in place, compared to a larger SME or a SME already running as they would be required to think about: Licenses Software migration Information migration Network bandwidth utilisation

Network bandwidth may be overlooked but as Velte et al (2010, p294) points out a bank decided to use Salesforce.coms solution and after careful planning and piloting they went ahead only to find out that they slowed down their whole network and affected other workers network access.


One of the main problems with costing cloud computing is that it requires all of the components to be taken into consideration to do a proper comparison. To compare costs properly it is important to consider (Shroff, 2010): Server utilisation Power and cooling cost Management time Hardware purchase cost Life expectancy of the hardware

Do not try to move all your systems at once. Move each system one at a time and trial each one before you move onto the next. If you are start-up then it may make sense to trial the services before starting the business. Put it in your business plan and make sure to find alternative in house solutions in the event that the cloud does not work out. It may be best to get staff to trial SaaS and observe them and get them to keep diaries, to see how they manage with the new software. Find out from them how it compares to other systems they may have used in the past. If you are a larger SME then you are going to have to train staff how to use the new system. So you should be sure that they are going to be able to migrate with ease to try and keep the cost down and the efficiency of your organisation. Granneman (2009) offers a book which is more like an instruction manual on how to migrate to or start using Google Apps. Literature like this can be very helpful in making a smooth transition. The internet is also full of forums and literature that can help with this process. Velte et al (2010) has compiled a list of resources that may be a starting point and are in appendix 8.


Make sure services are tried before you buy and make sure that there are telephone numbers to allow contact with suppliers if things go wrong. If IaaS or PaaS are the services planned to be used then it is essential to carry out access capacity planning to manage the space that will be required on a virtualised system. These cloud services will require continuously monitoring and evaluating of the systems.


4.8. What the future may holdAt present primary research has shown that some SMEs require a traditional IT infrastructure due to the speed of their internet connections. At the moment this is hampering them from adopting services that cloud computing offers them. The Department of Culture, Media and Sport (DCMS) have said that they Government have a 850 million strategy in place that shall mean that Britain has the best broadband network in Europe by 2015 (DCMS, 2010). They say that the proposal includes: A digital hub in every community by the end of this Parliament. Investing 50 million in a second wave of projects to test how we deliver this (on top of the four pilots we are currently running on how we deliver superfast broadband to remote and rural areas). Cutting the costs of and access to infrastructure increasing shared access, work with house builders to make new home broadband ready, and cutting the costs of laying cable by clarifying the rules on street works. Awarding spectrum for mobile services.

These advances in the broadband could be the turning point in cloud computing, that allows it to boom as some start-ups choose to start their business in rural areas to avoid paying high outgoings. Currently technology is changing the way we use computers and this is changing the way organisations use their technology. The introduction of the IPad and IPhone is now progressing and more tablet computers are being released along with compute

cloud computing dissertation

Documents