Anatomy of Cloud Computing Deals Joaquin Gamboa © 2011 Levine, Blaszak, Block & Boothby, LLP. All Rights Reserved. October 19, 2011



Agenda

- Cloud Computing Overview
- Enterprise Cloud Risks and Responsibilities
- Deal Tips
- Closing Thoughts
- Questions


Overview


What is Cloud Computing?

The essential characteristics

- Hosted and managed by the vendor
- Made available to customers remotely via an IP-based network
- Designed on a “virtualized” shared services / multi-tenant platform
- High elasticity and scalability of computing resources
- Self-provisioning tools provided to customers on-line
- Available under subscription
- Usage is monitored with pay-as-you-go pricing


What is Cloud Computing?

Service delivery categories (the “SPI” framework)

- SaaS - Software as a Service
- PaaS - Platform as a Service
- IaaS - Infrastructure as a Service (VzB and AT&T call this CaaS or Compute(ing) as a Service)


What is Cloud Computing?


Obtained via Creative Commons license


What is Cloud Computing?

Cloud deployment models

- Public – The purist’s perspective
- Private – Is it really cloud computing?
- Hybrid
  - Private cloud used to host business critical applications and sensitive data
  - Public cloud for non-core applications and generic data


Key Cloud Computing Drivers

The business case for cloud computing done right

- Reduced implementation effort and cost
- No lump sum licensing fees or equipment purchases
- Rapid transition to new technologies and business processes
- Lower total cost of usage
- Better resource elasticity and scalability
- Improved availability of applications to mobile/remote workers
- More efficient and effective management of technology resources by vendors with specialized skills
- IT management-maintenance-upgrade hassles avoided


Risks and Responsibilities in Enterprise Cloud Transactions


Risks

- Familiar IT risks apply to services in the cloud
- And some risks are heightened
  - Vendor lock-in
  - Security and privacy


Vendor Lock-In

- Three primary concerns
  - Data portability
  - Application portability
  - Infrastructure interoperability
- Lock-in concern is exacerbated because many cloud vendors are new entrants, and their long-term viability is uncertain


Vendor Lock-In

Data portability (establish contractual rights to data)

- IaaS
  - Customer controls logical access to the applications, database and storage so raw data access isn’t a problem
  - But vendor tools and assistance to extract and transfer data are still desirable
- PaaS and SaaS
  - Data access and control should be negotiated
  - Is data in usable format readily loadable onto new cloud?
  - Are there effective automated tools to extract data?


Vendor Lock-In

Application portability and infrastructure interoperability

- IaaS
  - Applications are customer-provided, but server VM images may be locked-up or configured uniquely for the vendor’s infrastructure
  - How portable are the server VM images, and how unique is your vendor’s virtualization layer?
- PaaS
  - Platforms often use proprietary database structures and unique infrastructure components
  - Considerable re-programming and architecture changes often required to move to new PaaS vendor
- SaaS
  - Often walled off, with little ability for customers to take applications elsewhere or in-house


Information Security

- Linking control and responsibility can be challenging
  - Start with solution/vendor selection and evaluation
  - Document obligations and consequences in the contract
  - Auditing rights and follow-up
- Three layers to consider
  - Infrastructure
  - Application
  - Data


Information Security: Infrastructure Responsibilities

- IaaS
  - Vendor secures from virtualization layer down
  - Customer is typically responsible for logical host security
    - Monitoring the O/S and application for intrusions and attacks
    - Encrypting in-transit and stored data
  - Some vendors offer optional security services
- PaaS & SaaS
  - Vendor is responsible for securing all infrastructure components (e.g., access controls, intrusion detection/prevention)


Information Security: Application Responsibilities

- IaaS
  - Customer owns all aspects of app and database security management
  - Some vendors offer security management options
  - Extra concerns for providers with application layer access
- PaaS
  - Vendor should own security up to the runtime engine
  - Customer owns security for remainder of the app
- SaaS
  - Vendor should own security management for the full stack


Information Security: Data Responsibilities

- IaaS
  - Customer is primarily responsible for data security, but clearing and sanitizing infrastructure components is vendor’s responsibility
- PaaS
  - For vendor-provided storage, vendor should be fully responsible
  - Otherwise, it depends on the deployment options selected
- SaaS
  - Vendor fully responsible


Privacy and Information Security Compliance

- You can assign privacy responsibility to vendors, but you can’t delegate accountability through contracts
- Extend the enterprise security / compliance program to the cloud
  - Identify and classify information assets / data, and risk levels
  - Identify / develop appropriate key controls
  - Map controls to vendor (and vendor sub) responsibilities
  - Monitoring, management and audit
  - Regionalize solutions as required
- Don’t let the contract fine print undermine the program


Deal Tips


Commitments, Term and Pricing

- Term
  - No need to commit to a term, but vendors may try to make a term financially attractive
  - Anything longer than 1-year should be scrutinized
  - Renewals at the customer’s option
- Revenue or resource minimum commitments
  - There shouldn't be any
  - Vendors may offer better unit pricing in exchange for minimum subscription levels and terms
  - Commitments may be hidden in termination fees


Commitments, Term and Pricing

Pricing models:

- IaaS
  - Per resource / per hour, day, month
  - Charges for upgraded support, maybe implementation
- PaaS
  - Per user / month
  - Per resource / per hour, day, month
  - Charges for upgraded resources, support
- SaaS
  - Per user or concurrent user / per month, year
  - Per use (e.g., WebEx)
  - Extra charges for customization, implementation, upgraded support
  - Charges for additional storage


Service Levels

- Public cloud deals must include SLAs
- Key SPI SLA metrics
  - System availability/uptime
  - Management portal/tools availability/uptime
  - Incident response and problem-resolution times
  - Service desk performance
  - Back up data success rate, and restoration times after a data loss event
  - Service restoration times in response to disasters


Service Levels

- Key IaaS-specific metrics
  - Resource deployment timeliness
  - Configuration change timeliness
- Key SaaS-specific metrics
  - Application response time
  - End user satisfaction


Exit Strategies

- Termination for convenience
  - Be wary of a vendor’s attempt to add termination fees
  - If applicable, termination fees should not be unduly punitive
- Termination for cause
  - Uncured material breach by either party
  - Vendor’s “Critical Performance Failure”
- Post-termination rights
  - Cooperation and assistance with new cloud vendor or internal staff
  - Return of any prepaid subscription fees for unused portion of service period
  - Migration assistance over an appropriate period
  - Access to and assistance with porting tools


Closing Thoughts


Addressing the Cloud

- Cloud Myths vs. Reality
  - Not a new technology trend that will pass
  - Will not destroy traditional on-premises IT
  - Lock-in, security and privacy concerns are genuine
- Public and hybrid SPIs are valuable delivery methods in the right contexts
- Approach the cloud with a long-term vision
- Negotiate cloud contracts today to establish strong foundations for increasing reliance on cloud services


Questions?


Contact Information

Joaquin Gamboa

Levine, Blaszak, Block & Boothby, LLP
2001 L Street, NW., Suite 900
Washington, DC 20036
Phone – (202) 857-2574
Fax – (202) 223-0833
Email: [email protected]