FEATURE ARTICLE - Issue 57: Oct 2012
“With the cloud, you don’t own anything. You already signed it away through the legalistic terms of service with a cloud provider that computer users must agree to. I want to feel that I own things, … A lot of people feel, ‘Oh, everything is really on my computer,’ but I say the more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.” Steve Wozniak (Co-founder of Apple Inc.), 2012
Introduction
The concept of cloud computing has in recent times become a very hot corporate IT phenomenon. The first avenue for cloud computing arose out of the expansive server farms implemented by organisations such as Google, Amazon, Microsoft and other large internet-based organisations. These server farms have substantial capacity reserves which could be made available to third parties for their own IT processing. Further, many web-hosting organisations identified that they too had substantial spare capacity which could be utilised by third-party organisations. For example, my own organisation DOTS Talent Solutions has entered into a number of cloud arrangements with Bulletproof Web-Hosting to offer access to the DOTS Talent Solution application.
In effect the so-called “cloud” environment comprises a dispersed infrastructure that arises from the pooling of numerous interconnected computers to form a virtual platform. The advent of new technologies such as load balancing has made this new business model for the deployment of IT infrastructure effective. It has allowed a service model to grow whereby large organisations, instead of investing substantial capital in IT infrastructure, are able to engage a cloud provider to rent to them, as a service, the computing power needed for their business operations. This has the flow-on effect of allowing the same client organisations to down-size their internal IT resources without compromising their business operations. This is important as every modern organisation is now dependent upon IT in order to compete and operate effectively and efficiently.
One of the essential elements of a cloud environment is that its architecture is completely independent of the physical technology that it relies upon in order to provide the relevant service. From an economic perspective this allows the service provider to offer extreme flexibility, as resources can be dynamically allocated or de-allocated on a pay-as-you-need basis. It is this flexibility that is highly attractive for organisations. All modern organisations operate within a dynamic business environment, and as their business environment rapidly changes so too do their IT needs.
Now there are a number of things that need to be understood before a cloud contract is entered into, namely:
- What does cloud computing actually mean (there are three types available), and which one best suits your organisation’s needs;
- The security framework for the cloud environment;
- Performance guarantees for availability;
- The actual location of the data centre and DR centre;
- The type of DR environment for the data centre;
- The storage of data and accessibility to such data when needed;
- Transitioning out of the arrangement and costs involved.
It is beyond the scope of this paper to deal with all of the issues involved in cloud computing. A good expansive discussion can be found in Thomas Trappler’s book “Contracting for Cloud Services”. Though this is a US-styled book, it gives great insight into what should be addressed in any cloud contract.
Types of Cloud environments
NIST Definition
Depending on the needs of the client, a client has a choice as to what cloud environment they may wish to invoke. Consequently, a client needs to understand the strengths and weaknesses of each type of cloud environment available (this is discussed below). This obviously does give rise to some difficulty in the marketplace because businesses are expected to understand what is available to meet their respective needs.
To assist business, the US Government’s National Institute of Standards and Technology (NIST) has provided a definition which describes the characteristics that should exist before an environment can be attributed as being a cloud environment:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.[1]
From this definition the following essential elements can be discerned:
- On-demand self-service;
- Broad network access;
- Resource pooling;
- Rapid elasticity;
- Measured service.
Cloud Service Models
A cloud environment can be provided via one of three service models:
- Infrastructure as a service;
- Platform as a service; or
- Software as a service.
Infrastructure as a service
The client is able to load all system and application software onto infrastructure owned by the cloud provider. The client has full access to the environment but does not deal with hardware issues. In essence the client rents access to the infrastructure, which may (most likely) also be used by other clients of the cloud infrastructure provider. In essence this is true time sharing of hardware.
The technology stack under this model (top to bottom):
- Software owned/licensed by client, such as the DOTS application
- Platform owned/licensed by client: middleware applications like ColdFusion or Java; platforms such as Tomcat, etc.
- Infrastructure/hardware owned by cloud provider: operating system like MS Windows Server 2010; VMware; data storage; load balancing across the infrastructure
Now from a provider’s perspective all the provider is supplying is access to its spare infrastructure capacity. This will usually be limited to processing capacity (server farm). The client has to manage the platform and software layers. Hence, if there is an update or enhancement to the software then the client has to load the patch/enhancement. The service provider is only responsible for the infrastructure, which will usually include all security, both physical and virtual.
Platform as a service
The client is able to load all application software onto infrastructure owned by the cloud provider.
The technology stack under this model (top to bottom):
- Software owned/licensed by client, such as the DOTS application
- Platform owned/licensed by client: middleware applications like ColdFusion or Java; platforms such as Tomcat, etc.
- Infrastructure/hardware owned by cloud provider: operating system like MS Windows Server 2010; VMware; data storage; load balancing across the infrastructure
Some providers with relevant expertise will also contract to provide platform capacity and thus leave the client to manage only the software that they desire to utilise. Again under this model the client will manage all patches to the software, whereas the service provider will be responsible for everything other than the software. This model is very popular with software development companies, whereby the service provider will provide the development environment.
Software as a Service
The client is able to use all application software that is situated in the cloud environment operated by the cloud provider.
The technology stack under this model (top to bottom):
- Software owned/licensed by client, such as the DOTS application
- Platform owned/licensed by cloud provider: middleware applications like ColdFusion or Java; platforms such as Tomcat, etc.
- Infrastructure/hardware owned by cloud provider: operating system like MS Windows Server 2010; VMware; data storage; load balancing across the infrastructure
This model is a fully outsourced environment by which the client is relying entirely upon the service provider.
Security Framework
Irrespective of the selected cloud environment, the security framework deployed must be understood by the cloud client. Even though IT security will involve the usual high-end IT security technologies such as firewalls, anti-virus applications and other protective mechanisms, physical security must not be overlooked.
An excellent analysis of cloud security can be found in the Cloud Security Alliance document “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1”.[2] Another good source dealing with security is the Australian Defence Department’s paper “Cloud Computing Security Considerations”.[3] This publication has a very good checklist for practitioners dealing with cloud security. Further, the Queensland Government has adopted the DSD document pursuant to the QGCIO’s publication “Cloud Computing Guideline”[4] for Queensland Government agencies.
Depending on the importance of the client and the situation involved, it is recommended that the contract should cover at least the following aspects:
- The right to audit the cloud environment. For example, a number of DOTS clients have required that a security penetration test be undertaken by a reputable security organisation such as Cap Gemini, Ernst & Young, NCC Group or HP Security, as well as many others operating in the sphere. It is important for both the client and the provider to have confidence in the security framework that has been deployed. Remote attacks can be set up in sand-pit environments so as not to compromise any live data.
- The right to inspect the data centre. Certification(s) are not sufficient in themselves. For sensitive circumstances a physical audit of the data centre should be undertaken prior to contracting, and the contract should encapsulate the right for the client, either by itself or through its nominated agent/contractor, to visit the data centre at least once per year during the contract term.
- Testing prior to any major upgrades or enhancements being deployed. Some clients require that a penetration test be undertaken against a sandpit environment that is to be set up prior to the deployment of any new version of the software. This is not uncommon within Government. That is, the SAAS provider must engage an independent third party to undertake a security test prior to deployment or commercial release of any new version of the software. The resultant report must be provided to the client, and if the client is satisfied then the provider can commercially release the software to that client. It is not uncommon for the report (if favourable) to then be used as a marketing tool covering the security of the SAAS environment. Of course, the security audit provider will impose certain restrictions on the use of such material, but this can be negotiated.
Performance availability/SLA
Performance availability is another important issue that must be addressed. Clients need to understand the importance of the service that they are contracting. If the service is NOT mission critical or financially critical then it is commercially unrealistic for them to insist upon a service availability of 99.9% or higher. For example, the DOTS application is a talent management solution and as such it does not generally fall within the mission critical aspect of an organisation. Hence, the DOTS availability requirement is usually set at 95% availability. There are 8,760 hours in a year (non-leap year). Hence with 95% availability the DOTS application must be available for 346.75 days per year. Since the application is not mission critical, this is not a problem for clients.
For mission critical applications it is not unusual for the client to insist upon 99.9% availability. This results in the requirement that the application must be available for 364.64 days; in other words, over any 12 month period the application can be unavailable for non-scheduled maintenance for only 8.64 hours. Aligned with mission critical availability is the requirement for liquidated damages covering non-availability. Consequently, the client should arm itself with the necessary facts if it desires to increase availability obligations to cover mission critical use. There will be a cost associated with this increased availability.
Another aspect that needs to be understood is that accessibility will be dependent upon a number of technologies. These technologies will be dictated by the selected model discussed above. If a SAAS environment is being provided then the provider is obligated to ensure that the entire technology stack is available for the selected availability period. Alternatively, if a PAAS environment is being provided then the service provider is not responsible for the application layer but must ensure that the platform stack is available. Finally, if an IAAS environment is being provided by the service provider then the client agrees to take responsibility for maintaining the platform and application layers.
Irrespective of which environment is being offered by the service provider there will exist some very important exclusions, such as:
- Telecommunications capacity and availability. For example, if OPTUS or Telstra infrastructure is not available then this will not be included in the performance obligations;
- End user environments (PCs and mobile devices). For example, if the client deploys iPads as part of its end user environment then these devices will not process Flash files. There may be other restrictions which are introduced by the client due to the end user technology deployed by them.
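As an added illustration of the availability arithmetic above and of the exclusions just listed (example code written for this article, not part of the original), the following Python converts an availability target into the permitted unscheduled downtime for a contract year and then measures an outage log against it, leaving out the categories the contract excludes. The outage category labels and the log entries are constructed for this example.

```python
"""SLA availability check for a cloud contract (worked example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime

HOURS_PER_YEAR = 8760  # non-leap year, as used in the article

# Outage categories that a cloud contract typically carves out of the
# provider's availability obligation (labels constructed for this example).
EXCLUDED = {"scheduled_maintenance", "telecoms_carrier", "end_user_device"}


def permitted_downtime_hours(availability_pct, period_hours=HOURS_PER_YEAR):
    """Hours the service may be down over the period and still meet the target."""
    if not 0 < availability_pct <= 100:
        raise ValueError("availability must be in (0, 100]")
    return period_hours * (1 - availability_pct / 100)


def required_uptime_days(availability_pct):
    """Days per non-leap year the service must be up (95% -> 346.75)."""
    return HOURS_PER_YEAR * availability_pct / 100 / 24


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    category: str  # "unscheduled" or one of the EXCLUDED labels

    def hours(self):
        return (self.end - self.start).total_seconds() / 3600


def measured_availability(outages, period_hours=HOURS_PER_YEAR):
    """Return (availability %, liable downtime hours), counting only
    outages the provider is liable for under the contract."""
    liable = sum(o.hours() for o in outages if o.category not in EXCLUDED)
    return 100 * (1 - liable / period_hours), liable


def sla_met(outages, availability_pct, period_hours=HOURS_PER_YEAR):
    achieved, _ = measured_availability(outages, period_hours)
    return achieved >= availability_pct


# Constructed outage log for one contract year: 10.5 h of liable downtime.
LOG = [
    Outage(datetime(2012, 2, 3, 1, 0), datetime(2012, 2, 3, 5, 0), "scheduled_maintenance"),
    Outage(datetime(2012, 5, 14, 9, 0), datetime(2012, 5, 14, 15, 0), "unscheduled"),
    Outage(datetime(2012, 8, 20, 10, 0), datetime(2012, 8, 20, 22, 0), "telecoms_carrier"),
    Outage(datetime(2012, 11, 2, 0, 0), datetime(2012, 11, 2, 4, 30), "unscheduled"),
]

if __name__ == "__main__":
    achieved, liable = measured_availability(LOG)
    print(f"liable downtime: {liable:.2f} h, achieved availability: {achieved:.4f}%")
    for target in (95.0, 99.9):
        print(f"{target}%: permitted {permitted_downtime_hours(target):.2f} h, "
              f"required uptime {required_uptime_days(target):.2f} days, "
              f"met: {sla_met(LOG, target)}")
```

The same log passes a 95% SLA comfortably but fails a 99.9% one, which is the cost difference between the two targets that the text describes.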
Data Centre Localities
Some clients have particular policy requirements as to the locality of any data centres. Aligned with this will be any legal obligations concerning trans-border data flows, especially for personal data as defined in the Privacy Act as amended. For example, many governments in Australia require the service provider to guarantee that no government data (whether personal data or otherwise) can be stored on any data repository located outside of Australia. Many clients understand that by moving their data to a cloud environment, they are giving up a certain amount of control over their data. This is a major issue that the contract must address, especially when disputes/issues arise.
The cloud service provider is permitting the client to export its data to the cloud provider’s infrastructure, and in doing so the contract MUST ensure that the client is always in a position to retrieve that data. This may require some careful negotiation. If a dispute arises, such as over payment for services being provided, then the service provider may obstruct the delivery of the data until the payment aspect is settled. This could be classified as a form of lien,[5] even though information is not property in this country.
Another point that the contract must deal with is the retrieval of data if the service provider commits an insolvency event or, worse still, an administrator/liquidator is appointed. It could arise that the administrator will disavow the contract or even decide not to cooperate with the client. The contract must clearly state that the service provider has no interest at law or in equity in the data and will permit the client to retrieve that data remotely. This will need some expertise, as the relevant personnel who were engaged by the service provider at the time of contracting may not be around. A form of escrow arrangement could be considered, but this could become very expensive, especially if data is created/altered continuously in a live production environment.
Data Privacy issues
On 25 May 2012, the Federal Attorney General submitted to parliament the Privacy Amendment (Enhancing Privacy Protection) Bill 2012. The Bill is the Government’s first response to the Australian Law Reform Commission’s report concerning Australian privacy laws, and in particular to the ALRC’s recommendations for bringing the Australian privacy regime up to date with evolving technologies such as cloud computing.
The IPPs and NPPs will be recast into one set of privacy principles known as the Australian Privacy Principles (APPs). The APPs have been redesigned so as to accommodate changing technology and emerging privacy issues, both domestically and internationally.
This paper will not analyse in detail the proposed requirements detailed in the Bill. All practitioners should be aware of the proposed requirements and ensure that their clients’ contracts deal with such issues as trans-border data flow, which is dealt with by APP 8. APP 8 sets out a myriad of obligations that will affect those clients who utilise a cloud service provider that has the potential of storing personal information external to Australia.
Type of Disaster Recovery implemented
Disaster recovery and business continuity arrangements must also be addressed. Prior to entering into a cloud contract the client should review the cloud service provider’s business continuity plan (BCP) and disaster recovery infrastructure. This will obviously need to be addressed in the SLA, and so a careful review of all BCP documentation should be undertaken. In this regard, clients should be encouraged to visit the cloud provider’s data centres.
Transitioning out of arrangement
Nothing lasts forever, even though the cloud service provider may think otherwise. Transitioning out of the arrangement must be addressed. The transition-out provision would in effect be similar to that of any outsourcing arrangement. Luckily the GITC v5.2 contract has some very good provisions which can be utilised to cover this aspect.
Miscellaneous Provisions
As with all IT service contracts there will be a number of miscellaneous clauses such as:
- Term: how long will the agreement be for;
- Options to renew;
- Price increases on an annual basis. There may be a capping mechanism such as CPI or no more than a fixed amount like 5%;
- Warranties: these will cover such things as:
  - Personnel expertise;
  - Availability of personnel;
  - No harmful code to be introduced;
  - Compliance with laws;
  - Equipment sustainability and change control issues;
  - Security implemented, both physical and virtual;
  - Upkeep of required certifications; etc.
- Exclusions: such as telecommunications and the client’s own equipment;
- Dispute resolution;
- Audit provisions at the option of the client. These may need to comply with a notice period;
- Confidentiality;
- Insurance;
- Liability: this will be a real issue. The cloud provider will want it to be capped, but the client is trusting the cloud service provider with the custody of all of its data. For organisations within the finance sector, APRA has made it very clear that the finance organisation cannot shift responsibility to the cloud provider. Therefore the finance organisation has primary responsibility, and it will want no cap on liability, or at least liability capped at the amount of any insurance coverage. Do not limit liability to the insurance payout, because if the insurance company does not pay out then the liability could be capped at nil.
Conclusion
Cloud computing can work for clients, but care needs to be taken when advising a client. The client must understand the extent of what is being provided and in particular what is being excluded. The SLA must be very detailed and signed off by the client, and cannot be changed except through a specific change control mechanism.
Finally, I highly recommend the papers and books noted in this paper.
Dr. Adrian McCullagh
Footnotes
1. The NIST Definition of Cloud Computing (2009), http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf.
See also at http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/qgea2.0/Pages/Technology.aspx
2. http://www.cloudsecurityalliance.org/
3. www.dsd.gov.au/infosec/cloudsecurity.htm
4. http://www.qgcio.qld.gov.au/qgcio/architectureandstandards/qgea2.0/Pages/Technology.aspx
5. A lien has traditionally only applied to the retention of property as security for some payment. A lien is an encumbrance on one person’s property to secure a debt the property owner owes to another person, e.g. a workman’s lien.