Cloud

Cloud Computing

In this F2MKE.co.uk blog series I explore cloud computing.  What is it?  What are the advantages versus risks?  What must businesses and schools check before putting their heads in the Cloud?  Does Cloud make sense in these times of austerity?

Want to read more posts about Cloud Computing? They’re all grouped here!

‘Cloud’ is certainly shaping up to be this decade’s information communication technology buzzword.  January’s BETT Show 2011 – the biggest UK (and arguably world) trade show of educational technology and resources – signalled this, with lots of suppliers, large and small, marketing many of their services and products as being in the ‘Cloud’.

But what does ‘Cloud’ really mean?

There have been 4,403 revisions to Wikipedia's definition of cloud computing since the first entry in March 2007.

A Google search reveals countless definitions augmenting the confusion.  Some of this is surely caused by suppliers blurring the definition to ensure that their products or services fit.

Elsewhere industry experts are stammering to reach agreement.  In the first 18 days of 2011 alone the Wikipedia entry for Cloud Computing has been revised no fewer than 87 times.  That’s nearly 5 revisions per day!  The first entry was on the 3rd March 2007 with a simple link to Utility Computing, described as a metered utility approach to the delivery of computing resources.  Since then there have been 4,403 revisions and counting…

My personal preference is for the following succinctly put definition:

“The term Cloud is a metaphor for the Internet.  Cloud is a different technological approach to the traditional data centre or in-house service where physical hardware and connectivity is purchased as required.

Put simply, hosting services in the Cloud in an infrastructure as a service model reduces the need for detailed capacity planning and management – a subscription model for computing power more aligned to utility services such as gas, electricity, telephone, water, etc.”

Examples of Cloud Computing are many.  From office productivity, collaboration and communication tools like Google Apps or Microsoft Office 365, through to backup, file management and media sharing such as Zmanda, Dropbox, Flickr and YouTube.

If the software that you are using and the files that you are creating are independent of your PC, and you can access them at any time and from anywhere with an Internet connection, using only a web browser, then you are working in the Cloud.

In fact, there is arguably little that the typical office and home user, student or teacher, can’t do today in the Cloud, that they can using software installed on a local PC or server.

So…  I get what Cloud Computing is.  But what are the advantages and what are the risks?

 

In Part 2a of Every cloud has a silicon lining we’ll explore the advantages of Cloud Computing versus the risks.

The emergence of Cloud computing posed a threat to some of the largest and most powerful IT businesses in the world… And it may still do so?  It was inevitable that cumuliform clouds would reign before settling into cirrostratus.

And this tempestuous climate was fuelled by arguments about security and supplier lock-in, reliability and capacity, cost and efficiency…  The arguments continue.  Part 2 of Every cloud has a silicon lining aims to distil the key arguments and offer an objective view.  Oh, and perhaps start off a few more debates? 😉

Let’s tackle security first.

Security concerns are an all too familiar first line of defence against change in the IT world.  Often this is to protect current preferred working practices, or a sound profiteering business model, but mostly because change means risk.  Oh and change!  However, security should not be downplayed and should play a key part in any decision-making process.

Trusting all of the important tools and data that you rely upon to deliver your business, or run your school, to a group of masked cherubs sitting on a cloud somewhere in the ether deserves an initial gulp!  But step back for a moment and meditate upon that gulp…

Masked Cherub on a Cloud

The majority of security breaches are caused by humans.  A cloud provider’s business model relies upon massive economies of scale, ergo fewer humans, ergo less room for human error – be it deliberate or not.

You would typically enter into a contract with a third party – cloud provider or not – with some, at least basic, clauses and penalties around loss of data or service.  Would you have similar reassurances within your own business?   

There are cost implications to consider here too.  When searching for your perfect cloud providing partner you can specify all manner of security standards that must be contractually adhered to.  The likelihood is that they are geared up for this, to be able to appeal to as wide a market as possible and achieve the aforementioned economies of scale – it’s a core part of their business – but are you?  How much would it cost your organisation to achieve and maintain the ISO/IEC 27001/2 standard?

How much more would it cost to be certain that your hardware, software and the place(s) that it’s all kept stays as secure as possible?  ‘Simple’ patch management alone can be a surprisingly bulky overhead.  Large cloud suppliers will afford better security tools, experts and infrastructure.

The risks to focus upon are browser vulnerabilities – most cloud services are accessed through the web browser and these are a favourite target for hackers.  A large cloud provider may well pose an interesting target for hackers or even terrorists too!  These risks are mitigated by the highly competitive web browser market and the importance that a cloud services provider must attach to their reputation.  In both cases, even if a vulnerability is not exploited, the knowledge that it existed will be damaging.

And what about supplier lock-in?

Moving all of your services and critical data into the cloud could leave you vulnerable should you decide to switch supplier, or wish to share data in your systems with another service provider?   Your supplier may decide to increase costs, or decommission a service that you rely upon?  You may become dissatisfied with the service, or a better alternative could enter the market?  You may wish to pick and choose services from multiple suppliers for a best of breed solution?

For example, your main cloud provider may offer you an integrated Management Information System and learning platform, library, catering and cashless systems.  However, you want to switch learning platform and integrate with an alternative library system.

The immediate question is, “how do I get my data out?”.

There are some actions that you can take to mitigate these risks.  As well as sensible contractual exit clauses, insist upon services that offer industry, better still open, standards for data interoperability.

In the UK (and US, Australia, Norway, etc…) education sector there is the Systems Interoperability Framework (SIF).  For more information search for SIF at F2MKE.co.uk or visit http://www.sifinfo.org/uk/.

Furthermore, the likelihood is that competing suppliers will be eager to win your business and will already have tools available to migrate your data from competitor systems.

In some ways there are parallel risks where an organisation develops and maintains services in-house.  For example, data can be ‘trapped’ in bespoke systems and require bespoke, often expensive, solutions to migrate the valuable data out.  A key employee may decide to leave the organisation and take their specialist expertise with them – or hold you to ransom!?

 

In Part 2(b) of Every cloud has a silicon lining we’ll delve deeper into the advantages of Cloud Computing versus the risks.

So we’ve already taken a look at what the cloud and cloud computing mean.  We’ve tackled the issues of security and supplier lock-in.  Part 2(b) of Every cloud has a silicon lining will deal with reliability and capacity, cost and efficiency.

But first this… Your business, or school, does have data that is highly sensitive and must have an added layer of security and control; you have to deliver specialist services or functions that simply don’t have a good fit within existing cloud offerings; maybe you have core infrastructure that nestles in the midst of all of your services, gluing them together?  This is where you should consider a mixed ‘public’ and ‘private’ cloud services delivery.  The ‘private’ cloud will typically be a data centre that supports virtualisation, has Internet connectivity and allows you to host these most valuable assets with complete control whilst delivering flexibility, scalability and high availability.

Reliability is a constant concern.  In the world of cloud delivered services this is less about the availability of the cloud and the services delivered from it.  Instead it is about the perception of fragility often attached to the ability of the end-user, or customer, to connect to the cloud.

At the top of the list is the reliability and even availability of decent broadband connections.  In my experience, where reasonable to decent broadband connectivity is available, the root cause of any failure or degradation of service lies, much more often than not, somewhere other than the broadband itself.  Changes to, or poorly thought-out, Local Area Networks; misbehaving or misconfigured gateway servers (proxies, content filtering, caching, etc.); client PCs, and so on, are all too often to blame.

Perception is Reality

But to quote a very well respected colleague, “perception is reality”.  So how do we go about changing perception – or reality?

With efficiency very much at the fore (or, in the case of this article, my laziness), my view on the solution sweeps up capacity, cost and efficiency too 😉

The more services that we move into the cloud, the more reliable the client PC becomes.  All I need to be productive is a device with a slim Operating System and a web browser.  No more installing, updating and fixing applications and bloating of registries.  I don’t even need to worry about the amount of storage on my device, whether it’s a Ferrari or second-hand ‘missed the Government’s scrappage deal’ Rover, or even whether it’s the same device I left home with in the morning!  Whoop, whoop!  From a support point of view the client device becomes almost throw-away.  I mean recyclable.

The more services we move to the cloud, the more we should question the need for locally hosted servers.

“What about the security of my local network?  I’ll need a directory server to make sure that trusted people get to trusted services!”

Really?  If everything is online and your customers and end-users have to login when they get to them, do you really need to worry about all of those extra logins – oh and the licences typically associated with them?  There’s a whole other discussion upon identity management, single sign-on and of course, open standards that’s to be had – and probably elsewhere!

So, we’ve moved out much of the hassle and expense of complex support associated with client software and servers, not to mention hardware refresh costs.

We must have made some savings then?  I doubt that I’d be motivated to be writing on this subject if not..?

I have estimated the savings to be substantial dependent upon the size or number of organisations taking part.  And that’s without considering industry estimates of between 20% and a whopping 80% savings associated with the adoption of Software as a Service – pretty much summarised as web-based applications that are paid for on a metered basis.  A bit like gas, electricity, or your telephone bill.  So we might need an Ofcloud then?

And with all of these savings?  ‘Simples’.  We have part 2 of the solution.  We invest some of these savings back into broadband.  We address the broadband ‘not-spots’.  We increase capacity and we improve resilience.

“You indicated that there would be some efficiency savings too”.

And there are…

If your organisation is made-up of many satellite sites, locally to globally, then you immediately reduce the support overhead – often specialist resources available to go out to sites, or be based on-site.  These skills are typically in short supply and can be much better utilised!

Productivity is increased with reduced potential causes of downtime.

Customers and end-users can access services from any device, at any time and from anywhere.

Finally, it is far easier to ‘join-up’ your systems if they reside in the cloud.  Uh oh!  I’m back on the open standards soapbox again.

Single sign-on is currently far more achievable when all your apps are online.  Your customers and end-users benefit from only having to remember one username and password and it is proven that valuable resources are accessed more frequently as a consequence.

This also has positive resonance from a security point of view…  Most of us will try and use the same username and password combination across as many apps as possible.  If these details are compromised once, they are compromised awkwardly, many times across many apps.  How easy is it to get these credentials quickly changed across every app?  Let alone remember which apps!?  Perhaps there’s a market for the credit and debit card Sentinel equivalent for the web?

Schools and Local Authorities should explore Shibboleth.

Update information once and reuse many times.  This is more achievable in the online, or cloud, world.  Efficiency gains are potentially massive.  And the accuracy of information shared around multiple systems inevitably saves time.

Here I go again…  For schools and Local Authorities in the UK (and US, Australia, Norway, etc…) education sector there is the Systems Interoperability Framework (SIF).  For more information search for SIF at F2MKE.co.uk or visit http://www.sifinfo.org/uk/.

 

In Part 3 of Every cloud has a silicon lining we’ll look at the essential checks before schools or businesses put their heads into the cloud.

Cloud Computing : Top 5 checks

1)   Does your cloud provider offer security appropriate to the service?  For example, ISO/IEC 27001 Information Security and CRB (Criminal Records Bureau) checks where access to data about children is concerned.  Where does the service operate from, and is it covered by the Data Protection Act (DPA)?  This is crucial where personal data is sent outside of the European Economic Area (EEA)!  Safe Harbor is an alternative safeguard: http://www.export.gov/safeharbor/.

Remember the 8 key DPA principles are:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
    (a) at least one of the conditions in Schedule 2 is met, and
    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

2)   What are the stated availability targets for the service and against what timeframes are these measured?  How quickly will the service be recovered in the event of a major incident, or even disaster?  What penalties, or credits, are in place if Service Level Agreement (SLA) targets are not met?

3)   Do you have enough bandwidth capacity?  Remember, you, your colleagues and your customers may be accessing multiple services from differing bandwidths with varying contention ratios.  Whilst most web traffic is efficient over HTTP and HTTPS (ports 80 and 443), other methods for accessing services such as Citrix, or Terminal Services, can be less efficient – even when encapsulated within HTTP/S.

4)   What options are available for offline productivity?  Gears is Google’s way of offering access to some online files offline by adding additional features to your web browser.  However, Google’s strategy is shifting from Gears to online storage and development ceased in February 2010.

Features available in HTML5 offer equivalent alternatives to Gears and can clearly be taken advantage of by all web service providers.  Unfortunately, HTML5 as a ratified World Wide Web Consortium (W3C) standard is some way off!  However, parts of HTML5 are already implemented in browsers including Web Storage and DOM Storage (Document Object Model) – web application software methods and protocols used for storing data in a web browser.

5)   And finally portability!  How easy will it be to move, or share, your data?  Look for open standards for data migration and interoperability.  In the education marketplace the Systems Interoperability Framework (SIF) is your best bet!  You may also consider options to improve your customer experience through standards for Single Sign-on such as OpenID or Shibboleth (SAML 2.0). This will allow you to provide many cloud services from many different providers, whilst maintaining a single set of access credentials with one-time login and increased security.
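Check 2 asks against what timeframes an availability target is measured. The following added example (not part of the original post; the outage log and the 99.9% target are constructed) shows the same incidents passing an annual measurement while failing a monthly one.

```javascript
// Added example: availability measured per calendar month versus per year.
// All outage records and the 99.9% target are constructed for illustration.

const MS_PER_MIN = 60 * 1000;

// Constructed outage log (UTC): two short incidents and one long one in March.
const OUTAGES = [
  { start: "2011-01-12T09:00:00Z", end: "2011-01-12T09:20:00Z" },
  { start: "2011-03-03T13:00:00Z", end: "2011-03-03T17:30:00Z" },
  { start: "2011-09-21T08:15:00Z", end: "2011-09-21T08:40:00Z" },
];

// Minutes of overlap between one outage and a measurement window.
function overlapMinutes(outage, winStart, winEnd) {
  const s = Math.max(Date.parse(outage.start), winStart);
  const e = Math.min(Date.parse(outage.end), winEnd);
  return e > s ? (e - s) / MS_PER_MIN : 0;
}

// Availability (percent) over the window [winStart, winEnd).
function availability(outages, winStart, winEnd) {
  const total = (winEnd - winStart) / MS_PER_MIN;
  const down = outages.reduce((sum, o) => sum + overlapMinutes(o, winStart, winEnd), 0);
  return { total, down, percent: (100 * (total - down)) / total };
}

// Evaluate the target for each calendar month and for the year as a whole.
function evaluateYear(outages, year, targetPercent) {
  const months = [];
  for (let m = 0; m < 12; m++) {
    const a = availability(outages, Date.UTC(year, m, 1), Date.UTC(year, m + 1, 1));
    months.push({ month: m + 1, ...a, met: a.percent >= targetPercent });
  }
  const annual = availability(outages, Date.UTC(year, 0, 1), Date.UTC(year + 1, 0, 1));
  return { months, annual: { ...annual, met: annual.percent >= targetPercent } };
}

const report = evaluateYear(OUTAGES, 2011, 99.9);
for (const m of report.months.filter((x) => !x.met)) {
  console.log(`month ${m.month}: ${m.percent.toFixed(3)}% (${m.down} min down) MISSED`);
}
console.log(`year: ${report.annual.percent.toFixed(3)}% met=${report.annual.met}`);
```

A 99.9% target allows roughly 526 minutes of downtime over a year but only about 45 minutes in a 31-day month, so the measurement window decides whether the long March incident triggers an SLA penalty.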
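Check 4 points to HTML5 Web Storage as the route to offline working. The following added example (not from the original post; `DraftQueue`, `MemoryStorage`, the `drafts` key and the field names are hypothetical) queues offline edits in Web Storage while keeping credentials out of it, since anything stored there is readable by every script running in the page's origin.

```javascript
// Added example: an offline draft queue on top of the Web Storage API.
// DraftQueue, MemoryStorage, the "drafts" key and field names are hypothetical.

// Fields that must never be persisted: Web Storage is readable by any script
// running in the page's origin, so secrets kept there leak on script injection.
const SENSITIVE_FIELDS = new Set(["password", "sessionToken", "authHeader"]);

// In-memory stand-in with the same getItem/setItem/removeItem shape as
// window.localStorage, so the example also runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

class DraftQueue {
  constructor(storage, key = "drafts") {
    this.storage = storage;
    this.key = key;
  }
  // Read the queue; treat corrupt or tampered JSON as empty rather than throwing.
  load() {
    try {
      const parsed = JSON.parse(this.storage.getItem(this.key) || "[]");
      return Array.isArray(parsed) ? parsed : [];
    } catch { return []; }
  }
  // Queue an edit made while offline, dropping sensitive fields first.
  enqueue(edit) {
    const safe = Object.fromEntries(
      Object.entries(edit).filter(([name]) => !SENSITIVE_FIELDS.has(name)));
    const queue = this.load();
    queue.push(safe);
    this.storage.setItem(this.key, JSON.stringify(queue));
    return safe;
  }
  // Send queued edits once back online; keep the ones that fail for a later retry.
  async flush(send) {
    const failed = [];
    for (const edit of this.load()) {
      try { await send(edit); } catch { failed.push(edit); }
    }
    if (failed.length) this.storage.setItem(this.key, JSON.stringify(failed));
    else this.storage.removeItem(this.key);
    return failed.length;
  }
}
```

In a browser, pass `window.localStorage` in place of `MemoryStorage`.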
