Anatomy of Cloud Computing Deals
Joaquin Gamboa
© 2011 Levine, Blaszak, Block & Boothby, LLP. All Rights Reserved.
October 19, 2011
Agenda
  Cloud Computing Overview
  Enterprise Cloud Risks and Responsibilities
  Deal Tips
  Closing Thoughts
  Questions
Overview
What is Cloud Computing?
The essential characteristics
  Hosted and managed by the vendor
  Made available to customers remotely via an IP-based network
  Designed on a “virtualized” shared services / multi-tenant platform
  High elasticity and scalability of computing resources
  Self-provisioning tools provided to customers on-line
  Available under subscription
  Usage is monitored with pay-as-you-go pricing
What is Cloud Computing?
Service delivery categories (the “SPI” framework)
  SaaS - Software as a Service
  PaaS - Platform as a Service
  IaaS - Infrastructure as a Service (VzB and AT&T call this CaaS or Compute(ing) as a Service)
What is Cloud Computing?
Obtained via Creative Commons license
What is Cloud Computing?
Cloud deployment models
  Public – The purist’s perspective
  Private – Is it really cloud computing?
  Hybrid
    Private cloud used to host business critical applications and sensitive data
    Public cloud for non-core applications and generic data
Key Cloud Computing Drivers
The business case for cloud computing done right
Reduced implementation effort and cost
No lump sum licensing fees or equipment purchases
Rapid transition to new technologies and business processes
Lower total cost of usage
Better resource elasticity and scalability
Improved availability of applications to mobile/remote workers
More efficient and effective management of technology resources by vendors with specialized skills
IT management-maintenance-upgrade hassles avoided
Risks and Responsibilities in Enterprise Cloud Transactions
Risks
Familiar IT risks apply to services in the cloud
And some risks are heightened
  Vendor lock-in
  Security and privacy
Vendor Lock-In
Three primary concerns
  Data portability
  Application portability
  Infrastructure interoperability
Lock-in concern is exacerbated because many cloud vendors are new entrants, and their long-term viability is uncertain
Vendor Lock-In
Data portability (establish contractual rights to data)
  IaaS
    Customer controls logical access to the applications, database and storage so raw data access isn’t a problem
    But vendor tools and assistance to extract and transfer data are still desirable
  PaaS and SaaS
    Data access and control should be negotiated
    Is data in usable format readily loadable onto new cloud?
    Are there effective automated tools to extract data?
Vendor Lock-In
Application portability and Infrastructure interoperability
  IaaS
    Applications are customer-provided, but server VM images may be locked-up or configured uniquely for the vendor’s infrastructure
    How portable are the server VM images, and how unique is your vendor’s virtualization layer?
  PaaS
    Platforms often use proprietary database structures and unique infrastructure components
    Considerable re-programming and architecture changes often required to move to new PaaS vendor
  SaaS
    Often walled off, with little ability for customers to take applications elsewhere or in-house
Information Security
Linking control and responsibility can be challenging
  Start with solution/vendor selection and evaluation
  Document obligations and consequences in the contract
  Auditing rights and follow-up
Three layers to consider
  Infrastructure
  Application
  Data
Information Security: Infrastructure Responsibilities
IaaS
  Vendor secures from virtualization layer down
  Customer is typically responsible for logical host security
    Monitoring the O/S and application for intrusions and attacks
    Encrypting in-transit and stored data
  Some vendors offer optional security services
PaaS & SaaS
  Vendor is responsible for securing all infrastructure components (e.g., access controls, intrusion detection/prevention)
Information Security: Application Responsibilities
IaaS
  Customer owns all aspects of app and database security management
  Some vendors offer security management options
  Extra concerns for providers with application layer access
PaaS
  Vendor should own security up to the runtime engine
  Customer owns security for remainder of the app
SaaS
  Vendor should own security management for the full stack
Information Security: Data Responsibilities
IaaS
  Customer is primarily responsible for data security, but clearing and sanitizing infrastructure components is vendor’s responsibility
PaaS
  For vendor-provided storage, vendor should be fully responsible
  Otherwise, it depends on the deployment options selected
SaaS
  Vendor fully responsible
Privacy and Information Security Compliance
You can assign privacy responsibility to vendors, but you can’t delegate accountability through contracts
Extend the enterprise security / compliance program to the cloud
  Identify and classify information assets / data, and risk levels
  Identify / develop appropriate key controls
  Map controls to vendor (and vendor sub) responsibilities
  Monitoring, management and audit
  Regionalize solutions as required
Don’t let the contract fine print undermine the program
Deal Tips
Commitments, Term and Pricing
Term
  No need to commit to a term, but vendors may try to make a term financially attractive
  Anything longer than 1-year should be scrutinized
  Renewals at the customer’s option
Revenue or resource minimum commitments
  There shouldn't be any
  Vendors may offer better unit pricing in exchange for minimum subscription levels and terms
  Commitments may be hidden in termination fees
Commitments, Term and Pricing
Pricing models:
  IaaS
    Per resource / per hour, day, month
    Charges for upgraded support, maybe implementation
  PaaS
    Per user / month
    Per resource / per hour, day, month
    Charges for upgraded resources, support
  SaaS
    Per user or concurrent user / per month, year
    Per use (e.g., WebEx)
    Extra charges for customization, implementation, upgraded support
    Charges for additional storage
Service Levels
Public cloud deals must include SLAs
Key SPI SLA metrics
  System availability/uptime
  Management portal/tools availability/uptime
  Incident response and problem-resolution times
  Service desk performance
  Back up data success rate, and restoration times after a data loss event
  Service restoration times in response to disasters
Service Levels
Key IaaS-specific metrics
  Resource deployment timeliness
  Configuration change timeliness
Key SaaS-specific metrics
  Application response time
  End user satisfaction
Exit Strategies
Termination for convenience
  Be wary of a vendor’s attempt to add termination fees
  If applicable, termination fees should not be unduly punitive
Termination for cause
  Uncured material breach by either party
  Vendor’s “Critical Performance Failure”
Post-termination rights
  Cooperation and assistance with new cloud vendor or internal staff
  Return of any prepaid subscription fees for unused portion of service period
  Migration assistance over an appropriate period
  Access to and assistance with porting tools
Closing Thoughts
Addressing the Cloud
Cloud Myths vs. Reality
  Not a new technology trend that will pass
  Will not destroy traditional on-premises IT
  Lock-in, security and privacy concerns are genuine
Public and hybrid SPIs are valuable delivery methods in the right contexts
  Approach the cloud with a long-term vision
  Negotiate cloud contracts today to establish strong foundations for increasing reliance on cloud services
Questions?
Contact Information
Joaquin Gamboa
Levine, Blaszak, Block & Boothby, LLP
2001 L Street, NW., Suite 900
Washington, DC 20036
Phone – (202) 857-2574
Fax – (202) 223-0833
Email: [email protected]