The ability to move IT infrastructure, applications and storage onto the Internet has sparked curiosity, enthusiasm, scepticism and sometimes panic from Canadian chief information officers. We walk through the adoption process from beginning to end, looking at the skills and strategies you need to be successful. A special report
CLOUD COMPUTING IN CLOSE-UP
EDITOR'S LETTER
EDITORIAL EDITOR-IN-CHIEF
Shane Schick
Grant Buckler Vawn Himmelsbach Peter Galanis Rafael Ruffolo Sheldon Polowin
ART & PRODUCTION SENIOR GRAPHIC DESIGNER
CONTRIBUTORS
The cloud doesn't really come with an operating manual, but what you're about to read is as close as most CIOs will ever get.
CREATIVE DIRECTOR
CORPORATE
Michael R. Atkins
PRESIDENT & GROUP PUBLISHER
CHAIRMAN
Fawn Annan
IT World Canada is an affiliate of International Data Group (IDG), the world's largest publisher of computer-related information and the leading global provider of information services on information technology. IDG publishes over 300 computer publications in 85 countries. Ninety million people read one or more IDG publications each month. CIO Canada is published 6 times per year by IT World Canada Inc., a unit of the Laurentian Media Group, Michael R. Atkins, Chairman, 55 Town Centre Court, Suite 302, Scarborough, Ontario M1P 4X4 Telephone: (416) 290-0240 Fax: (416) 290-0238. Publishers of Network World Canada, ComputerWorld Canada, Canadian Dealer News and Direction Informatique. One year subscription rates: Canada $55, US $65 (US) and foreign $95 (US). Single copies $6.00. Please add GST where applicable. Address subscription to CIO Canada Circulation Department, 55 Town Centre Court, Suite 302, Scarborough, Ontario M1P 4X4. When notifying us of a change of address, please include address label to assure continuity of service. All rights reserved. The contents of this publication may not be reproduced either in part or in whole without the consent of the copyright owner. The views expressed in this publication are not necessarily those of the publishers. Requests for missing issues are not accepted after three months from date of publication. Date of publication May 2011. Printed in Canada. GST Registration # R122605769 ISSN: 1195-6097
HOW TO CONTACT CIO Canada Telephone: (416) 290-0240 Fax: (416) 290-0238 Mail: CIO Canada, 55 Town Centre Court, Suite 302, Scarborough, Ontario M1P 4X4 E-mail: cio@itworldcanada.com Also, employees may be reached using a combination of their first initial and last name, for example: sschick@itworldcanada.com Online: www.ITworldcanada.com SUBSCRIPTION INQUIRIES Telephone: (613) 475-3217 or 1-800-565-4007 Fax: (416) 290-0239 or 1-800-565-8148 E-mail: circulation@itworldcanada.com For printed and electronic reprints, please contact Jeff Coles at 416-290-0240 or jcoles@itworldcanada.com
We acknowledge the financial support of the Government of Canada through the Canada Periodical Fund (CPF) for our publishing activities.
PUBLICATIONS MAIL AGREEMENT NO. 40063800 RETURN UNDELIVERABLE CANADIAN ADDRESSES TO CIRCULATION DEPT IT WORLD CANADA INC. 302-55 TOWN CENTRE COURT SCARBOROUGH ON M1P 4X4 E-mail: circulation@itworldcanada.com PAP REGISTRATION NO. 10784
Gorilla clouds?
In Geoffrey Moore's books (Crossing the Chasm, Gorilla Game, etc.) the gorilla is the market-share leader whose position is sustained by proprietary technology that has high switching costs (Wikipedia says so!!). I've always said "owns the architecture" and "costs too much to change vendors", with Cisco being one example, Intel another and Microsoft being the other major case study. Crossing the Chasm also talks about the need to transition from early adopter stage to mass market penetration in order to grow and gain momentum.
So, how does this apply to cloud computing? One of the questions that needs to be answered is: Where in the technology adoption curve has cloud computing (or IaaS, PaaS, and SaaS independently if you want) crossed the chasm? Is cloud computing even a single specific market segment or is it really multiple market segments (each with its own chasm)?
Another question that begs to be answered (so that we can invest in the winners, not the losers) is: Who is going to be the Gorilla of cloud computing? Or will there ever be a single gorilla? Is there an architecture for cloud computing that someone owns or controls? How easy is it to switch from one cloud supplier to another?
I think that part of the problem these days is thinking that cloud computing is a single product type targeting a single market segment. It is not. That would be equivalent to saying that distributed computing is a single product meeting a single need in the marketplace. Once we can identify the market requirements that cloud computing can meet, then we will be much farther along in developing the solutions, establishing standards and judging success. Only then will we get past the technology hype cycle.
Another issue is that most of us are already users of cloud computing (depending on how you define it). For example, Twitter and Facebook sure look like SaaS to me (although the pay-as-you-go part is not relevant). Most of us don't really think of public applications such as Hotmail or Gmail as being cloud computing, but perhaps we should be changing our views.
The question is, do you think the Crossing the Chasm ideas apply, that they are relevant, that they predict the future and, perhaps most importantly, that they allow us to pick the winners?
Don Sheppard, CIO, ConCon
Contestants from our annual Blogging Idol contest were asked to weigh in on the hottest topic in IT. What they told us
Why should I care?
I was speaking at a Computerworld Canada event in Calgary and Edmonton in 2010. The focus was on Linux as the proper operating system for the cloud. While I brought over a decade of Linux-in-the-enterprise experience to the discussion, my real focus was on the solution for business rather than the fact it was delivered as a cloud application or service.
When we think of the cloud it is clear that there are a number of different perspectives on what is a cloud, as well as offerings from the cloud. Basically, as a rule of thumb, cloud offerings fit into these categories: Infrastructure Services Software Storage
Storage is the newest type of offering in the cloud. My personal experience has been focused on the most popular category, which is software, more commonly known as SaaS (Software as a Service). We use solutions for Payroll, HR, Sales and Marketing CRM, and our US Core Business suite, so I have gone through this discussion multiple times. The fact is that the solutions we chose were not about the cloud at all; they just happen to be delivered via the cloud. This again reinforces the old axiom that you should select software based upon your business needs and not by the technology.
The cloud is after all just an alternate delivery model, not some revolutionary new technology. In fact, without divulging my age, I remember when you bought IT services (because computers cost too much for most business) in time multiplexed models. That was a cloud of sorts based upon the general definition used for a cloud today. The clouds of today, though, are uniquely identified because a key requirement for today's cloud is the use of the Internet as a connection methodology.
With cloud solutions today there appears to be over-enthusiasm, that they are the new panacea, when in fact it is just another way to deliver very valuable solutions.
Nigel Fortlage, CIO, GHY International
If cloud computing is to take off in Canada, we may need to rethink the procurement process. A grassroots effort is launched
Neil McEvoy wants businesses to get on to his cloud.
The founder of Toronto-based Level 5 Consulting has launched a project called the Canada Cloud Network, which he hopes will help stimulate the growth of cloud computing in Canada. Part of the project is a website, OpenRFP.net, where McEvoy is posting information about Canadian government contracts.
The idea is to put the procurement process online and make it openly accessible, McEvoy says. He hopes to encourage cloud-related companies, both Canadian and foreign, to work together to create proposals to address government needs.
McEvoy says he aims to put smaller cloud-related companies in touch with major contractors bidding on big government contracts, such as an effort to move Elections Canada's Web site to hosting in the cloud. The wide variations in traffic on that site, quite low except for major peaks during elections, makes it a perfect candidate to be hosted in the cloud rather than on dedicated in-house servers, McEvoy notes.
That part of McEvoy's project goes hand in hand with another, which is advocating for more use of government procurement as a way of stimulating new technology research in Canada.
"A lot of what I'm looking to do is identify best practices in innovation in general," says McEvoy, who was a business development manager for PricewaterhouseCoopers for about a year before starting Level 5. He previously worked for British Telecom and founded and ran a European application service provider.
He thinks one of those best practices is something called forward commitment procurement. The idea, he says, is for government to state a buying requirement for the type of innovation we want to see in the marketplace. In short, the government calls for proposals to supply technology that doesn't exist yet, in order to encourage the research and development necessary to develop it.
It's an idea the British government has used to promote development of its clean technology sector, McEvoy says. He isn't aware of other examples of its use, though he agrees that the effect might be similar to the way the U.S. space program once helped stimulate development of new technologies that later found broader use.
Cloud computing is immature in Canada today, says Darryl Humphrey, a senior manager at Deloitte and a member of the consulting firm's global leadership team for cloud. "In general I would say our market is characterized by cautious buyers and somewhat distracted vendors."
Research firm International Data Corp. (Canada) Ltd. recently profiled 10 Canadian cloud startups, saying in a statement that it's a good time to be an emerging cloud company in Canada.
The Canadian cloud market is small and has unique needs due to factors such as privacy laws, Humphrey says, so it's tough to achieve much scale.
Government can help with that, he says, and one way to do it is through procurement. When you look at the Canadian market, there are not that many players that can provide scale and the federal government is one of those.
The Canada Cloud Network's efforts to influence government procurement are in their very early stages. McEvoy has written a white paper on the subject entitled Canada Cloud 3.0: Building Canada's Digital Economy Advantage Through Cloud Computing. As for approaching government officials about his ideas, he says, "that's really my next phase."
So what has he done so far? About a half-dozen companies, some Canadian and some U.S. players looking to build their presence in the Canadian market, have signed up for access to OpenRFP.net, which is free. In time, McEvoy says, he'll be looking to sign up corporate sponsors for the project, and vendors will pay to participate in joint proposals.
One of the companies involved today is Kaulkin Information Solutions, the Rockville, Md., maker of kloudtrack, a software as a service tool for governance, risk management and compliance. Kloudtrack forms part of the basis for Canada Cloud's OpenRFP platform, says Mike Binko, the company's president and chief executive.
By using cloud-based software to run OpenRFP, McEvoy is practising what he preaches, Binko comments. "Neil, as far as I can tell, understands that the cloud is a useful platform, or utility if you will, to kind of exchange and share data," he says.
Binko says there are some projects in the U.S. trying to bring companies together around open access to RFP data, but OpenRFP is the only one he knows of in Canada so far. "It's an emerging approach," he says.
One beneficiary is Esotera Secure Storage Solutions in St. John's, NL. The company offers secure cloud-based storage systems, and is developing software called VM Aware to help cloud-based applications scale smoothly, says Tom Chalker, Esotera's president and chief technology officer. Through OpenRFP, Chalker is working with Joyent Inc., whose cloud software stack VM Aware will rely on, and with hosting providers.
Chalker hopes to get a piece of the Elections Canada project thanks to OpenRFP. Without it, he says, contracts like this are usually out of such a small company's reach. "We would have to put a lot of resources together in order to be able to put together a response to an RFP." Chalker says smaller technology companies usually only get a piece of such big contracts when larger prime contractors seek them out to meet specific needs.
According to McEvoy, stimulating Canada's nascent cloud computing sector will do more than just help home-grown companies in that business.
NEIL MCEVOY has also created a Canada Cloud Network LinkedIn Group.
His white paper refers to much-discussed concerns about the level of innovation in this country, and suggests that part of the cause of this innovation gap is that information technology organizations lack money to spend on innovation because most of their budgets are tied up in keeping their current systems going. Moving more computing into the cloud, he argues, would alleviate that problem.
Humphrey says cloud services can make the businesses that use them significantly more efficient. He says some organizations can see cost reductions of 50 to 80 per cent from using large infrastructure-as-a-service providers. "That's a major piece of capital that you can now redeploy into your actual business," he says.
Does the private cloud actually exist? Some public cloud providers and industry analysts say the private cloud is really just a virtualized data centre. Others, including large enterprise vendors, say it's the only real option for Canadians, considering security and privacy issues.
Most, however, wouldn't argue that one of the greatest potential benefits of the cloud is cost savings through scale. Originally, when people started talking about cloud, they didn't make the distinction between public and private, but now it's become a rather heated debate.
"What happened is that many traditional enterprise vendors started to see the cloud as a threat," said Ronald Schmelzer, managing partner with ZapThink. The public cloud threatened to permanently move IT resources outside of organizations, so those vendors jumped on the cloud bandwagon with private cloud. But that, he said, kills the benefit of cost savings. "If you own the cloud, you're not going to see any economic advantage. Anyone who says they are doesn't understand it or is being misleading."
If organizations want dynamic provisioning or pooled resources that they can bring online or offline as needed, they can take the same architectural approach as the public cloud and apply their own internal resources. "When Joe in finance needs some resources, he's going to get it dynamically provisioned by the pool, and maybe get some economic benefit from not having to buy another server," said Schmelzer. But while that borrows some of the architectural components of cloud, it's a different concept; in fact, the public cloud becomes competition for these same resources.
"The whole idea of the cloud should be about economies of scale," he said. The public cloud is a trajectory, since a lot of small companies, especially startups, are simply not buying infrastructure anymore. This goes back to the so-called private cloud strategy. A lot of it's going to be a handful of large enterprise vendors working with their own customer groups.
"One of the essential characteristics of a cloud is that it's measured and paid for as a service, so if you build it yourself, it's not a cloud," said A.J. Byers, executive vice-president of business services with Primus. "I've had debates around whether a company can build a private cloud and I would say no," he said. But he does believe in the private cloud, only one hosted by a third party. "As a service provider we can build public and private clouds and hybrids of that as well."
What defines private cloud, he said, is that the resources are offered to a single organization. And the No. 1 reason why customers are choosing private cloud is because of a perception that it's more secure, which is a huge technology debate right now.
"We believe over the next 12 to 24 months we will see security auditors understanding cloud deployments better," said Byers. The auditors force companies into choosing dedicated private cloud environments because of PCI compliance. Today in Canada, he said, you cannot become a PCI-compliant company and process credit card transactions in a public cloud. One of the big reasons why people move into the private cloud is because they need to process large numbers of credit card transactions. "But we do believe PCI can occur in the cloud."
"Right now the auditors are forcing companies into choosing dedicated private cloud environments because of PCI compliance."
A.J. BYERS, PRIMUS
Customers are also concerned about where their data resides. If it sits in a U.S. data centre, it then becomes subject to the U.S. Patriot Act, which could allow the American government access to that data. Despite these concerns, Byers says we need to get people out of the mindset that there are security risks in public cloud. For smaller businesses, the public cloud is simply the most cost-effective option. Ultimately, the smaller the cloud, the less cost-efficient it is, so a private cloud doesn't see the same kinds of cost savings that a public cloud typically does.
"In a private cloud you know exactly what resources are available to you, but there's not a huge demand for private cloud except for larger enterprises or where they're working for the government or have unique security needs," said Byers.
However, some industry players just don't consider this to be cloud and, in fact, say private cloud is a matter of cloud-washing by those who don't benefit from public cloud, namely large enterprise vendors.
"We absolutely believe that there are people taking technology that's existed for years and repackaging it for cloud," said Andrew Kovacs, senior manager of communications and public affairs with Google. "There's a lot of cloud-washing going on." That's why Google has adopted a new term, called 100 per cent web, which he says does a better job of capturing the benefits to customers.
"Certainly there's lots of talk about building clouds with concepts like virtualization," he said. "There can be some benefits to companies, but we do not consider that a cloud." The big differentiator, he said, is multi-tenancy. What that means to end-users is scale; when an organization is operating at that scale, end-users can innovate faster and the applications are more secure and reliable. Typically, it takes an organization 30 to 60 days to apply a security patch, for example, whereas in a cloud environment that can be done almost immediately.
"We don't really talk about private clouds," said Kovacs. They're usually referring to just hosting software in a data centre rather than hosting it in their own business, or they may host it with a third party, but it's still single-tenant software. The software still requires upgrades and patches and comes with the additional costs of managing the software yourself.
And some offerings pitched as cloud still require customers to install software, he said. With Microsoft, you still need to install
Is public cloud or private cloud right for your organization? It's easy and smart to have both
In a mobile, connected world, everybody needs access to everything. They expect instant results anytime, anywhere. While this opens up a world of possibilities, it also places heavy demands on IT. How can enterprises keep up? Many Canadian CIOs are considering cloud technology because it can be rapidly provisioned and released with minimal intervention from a service provider. But should they take advantage of public cloud services, such as Amazon EC2 or Google App Engine, or build their own cloud behind the firewall? The question might miss an essential point: They can have it both ways.
Some organizations will want the affordability and flexibility of externally managed cloud services. Others will see the internal cloud as the best approach for certain services. But the vast majority will fall on the spectrum somewhere between those two extremes. The most effective way to run your service portfolio is to find the right source for each service. Therefore, many organizations can benefit from a hybrid delivery model using both public cloud and private cloud resources. The important thing is to let your enterprise strategy guide your approach to the cloud. Here's a quick overview of each delivery model and how it can support an enterprise strategy.
include additional automation, scale management, greater portability and enhanced management of an IT environment. And while the private cloud isn't built to allow for multi-tenancy, most organizations don't need it, he said.
"The truth is nobody truly has infinite scale, but certainly Amazon comes closer to infinite scale than the average business," he said, adding that there are only a few companies out there that really need something approaching infinite scale. For the vast majority of apps within a traditional data centre, when organizations talk about scale, they typically mean they need to scale from 10 machines to 13 for a day or two or maybe a week. Even if they have an app that requires something approaching real scale, that's something they can put in a public cloud.
Another differentiator of private cloud is it allows organizations to move apps within their own network environment at a time when they're comfortable with it. While public cloud may do the job, most organizations, at least in the near term, are going to struggle with concerns about security, service-level agreements and how they actually measure the cost, said Thiele. If you move an app into the public cloud, it may look cheaper on paper, but in the long run could cost more than expected, and that's something that organizations need to sort out.
Almost every time Thiele hears people saying there's no private cloud, those people are involved in or directly selling public cloud services. "It's not about whether public cloud can replace private cloud," he said. "Those questions are immaterial."
In some cases, an organization can only get approval for private cloud, which gives them 80 or 90 per cent of the benefits, until they can eventually move to the public cloud. "Over time, my guess is a majority of apps will be public cloud, in two to five years. IT needs to be able to transition in a moderated, grandfathered way," he said. Taking baby steps means cloud in all its forms has tremendous value.
In the long term, Thiele believes hybrid cloud has the best chance of success for major enterprise apps because it offers the benefits of scale and geographic dispersion, with some of the benefits of single-tenancy.
While Thiele disagrees with the notion that there is no such thing as a private cloud, he doesn't think that's the point. To assume there is no such thing as private cloud is to ignore the obvious, that every organization treats their IT a little bit differently, whether we like it or not.
applications from months to minutes.
For Canadian CIOs in particular, security, reliability and privacy are top of mind as they try to balance the need for innovation, optimization and risk management for the enterprise. Some organizations, for example in the public sector, may have additional regulatory requirements to consider. Canadian enterprises can have very distinct needs for cloud services so it is important to ensure that your service offers these important features:
- Security, governance and compliance standards, with the ability to know exactly where your data is physically stored for compliance and reporting purposes
- Open, modular platforms that don't lock you in
- Automation and management for end-to-end service quality
- The ability to ensure availability, quality and performance levels
- The ability to seamlessly interact with and be managed across a hybrid delivery service model
Private cloud for self-service resources
For services that require tighter control over your data, deploy an on-demand service delivery environment that provides easy access to self-service resources from a secure environment.
Building internal cloud services doesn't mean you have to rip out your current environment. You can often extend and protect your current investments by transforming legacy and virtualized infrastructure into fully automated cloud environments.
A private cloud can require more IT resources up-front to build. But a well-designed private cloud that takes full advantage of its compute resources can lead to a solid return on your IT investment. A finely tuned automated private cloud also gives your staff the freedom to focus less on management and more on the applications that drive the enterprise.
A hybrid delivery model for flexibility
The reality is, most organizations will benefit from consuming both public and private cloud services in addition to services run from their traditional IT environments. A hybrid delivery model combines all three sources into one unified whole. With multiple sources at your disposal, you can optimize your service portfolio to provide the right service to the right source at the right time.
For example, a financial services company might run a new mortgage lending credit check service from its private cloud, while simultaneously accessing compute resources for its developers from an enterprise cloud service provider. If use of the credit check service proves to be highly sporadic, the company may decide to move it to an off-site enterprise cloud that can better accommodate the service volatility. Using a hybrid delivery model ensures that the best options are available for each workload.
PETER GALANIS is the president of HP Canada, based in Mississauga, Ont.
BUILD IN SECURITY
n Just putting your app into a public cloud without rethinking how it works can open chief information officers up to disastrous consequences, according to Trend Micro Inc. chief technology officer Raimund Genes.
Speaking at a Trend Micro cloud security awareness event in Toronto recently, the companys technology leader said that turning over control to a third-party vendor for your cloud infrastructure should compel you to rethink -- and maybe even redesign -- your applications. You have to design your applications so that theyre more reliant to these outages in the public cloud, Genes said. When you design it well, it doesnt matter if the data centre goes down. He added that the companies that simply mirrored their apps and put them into Amazons cloud can attest to the outages and data losses they experienced recently. But the one high-profile company that didnt fall to the wrath to the massive outage, Genes said, was NetFlix Inc. Last December, the movie streaming giant published a tech-related blog about what it had learned while using Amazon Web Services as its computing platform. The best way to avoid failure, the company said, is to plan to fail constantly. Internally, NetFlix refers to its software architecture in AWS as its Rambo Architecture. Each system has to be able to succeed, no matter what, even all on its own, wrote blogger John Ciancutti, who works as a vicepresident of personalization technology at NetFlix. Were designing each distributed system to expect and tolerate failure from other systems on which it depends. If our recommendations system is down, we degrade the quality of our responses to our customers, but we still respond. David Aspey, vice-president of cloud security for Trend Micro, said that NetFlix came out of the Amazon outage with flying colours because they paid for dedicated servers to run a virtual private cloud in addition to a public cloud. The outage had nearly no effect on them, he added. At Trend Micro, its team of architects have designed its private cloud to actually sustain outages at two of its five worldwide data centres. 
Trend Micro's Raimund Genes discusses the Amazon incident and others

BY RAFAEL RUFFOLO

Another headline-grabbing security disaster in the world of cloud computing occurred at Sony Corp., after the company's PlayStation Network was hacked in mid-April. The personally identifiable information of 77 million PSN accounts was exposed in the data breach. This breach, Genes said, garnered Trend Micro's attention far more than the Amazon outage because it involves cloud data security as opposed to backup and storage policies.

He said that with Trend Micro's SecureCloud technology, which allows enterprises to encrypt data on private and public clouds, organizations can ensure that they encrypt different portions of their cloud-based data with different encryption keys. Genes said the PlayStation breach turned into such a large-scale problem for Sony because the company only used one encryption key for all its data as opposed to a variety of different keys.

Genes said that because cloud computing is not cost effective without virtualization, Trend Micro will be investing heavily into the protection of virtualized machines and cloud-based servers in the future. The company's Deep Security product line, which covers that functionality, is being developed at the recently acquired Third Brigade Inc. offices (now Trend Micro Canada) in Ottawa.

Other priorities for Genes include developing better patch capabilities for virtual servers and tackling the growing "AV storm" issue. In an anti-virus storm, thousands of virtual machines start their manual scanning cycle at the same time, consume too many resources and bring down the network. Genes said Trend Micro is working with VMware's vShield technology to enable one scan on the hypervisor level and have all the virtual machines communicate back for their update.

"You only have one scan and you don't have to load AV technology on every virtual machine," he said.

To round out his views on cloud security, Genes also talked about mobile devices and the rise of multiple operating systems like Apple's iOS4, RIM's BlackBerry OS and Google's Android. He also predicted that the decline of Microsoft Windows as a dominant desktop OS, plus the shift of Web users to mobile devices, will force hackers to broaden their targets over the next five years.

"We're seeing a diversity of devices that will make it more difficult for the attacker, which has been focused on Windows," Genes said.

For CIOs and security vendors, that means the focus will have to shift away from whether the device will be hacked to how to track and manage the devices.

"What happens if an employee loses a device and leaves it in a cab?" Genes said. "How can I ensure that no third-party can use it?"
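The contrast Genes draws earlier in this article, one encryption key for all data versus different keys for different portions, can be made concrete. The following is an added example, not part of the original article and not Trend Micro's SecureCloud code: it derives a separate key per data portion with HKDF and reports which portions a single leaked key would open. The function names, the sample data and the HMAC-based stand-in cipher (used only because Python's standard library has no AES) are assumptions.

```python
import hashlib
import hmac
import os

def hkdf_sha256(master, info, length=32, salt=b""):
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, master, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def keys_for(master, label):
    """Derive an (encryption key, MAC key) pair bound to one label."""
    okm = hkdf_sha256(master, b"data-key:" + label.encode(), 64)
    return okm[:32], okm[32:]

def _keystream(key, nonce, n):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, not AES-GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(keys, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(keys, blob):
    """Verify the tag before decrypting; return None if the key is wrong."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

# Constructed sample data: three portions of a customer data store.
MASTER = bytes(range(32))  # assumption: held in a key manager, never beside the data
PORTIONS = {"profiles": b"alice;bob", "payment": b"tok_0001;tok_0002", "logins": b"alice:ok"}

def build_store(per_portion):
    """Encrypt every portion under one shared key or under its own key."""
    return {name: seal(keys_for(MASTER, name if per_portion else "all-data"), data)
            for name, data in PORTIONS.items()}

def exposed_by(leaked_keys, store):
    """List the portions that decrypt under a single leaked key pair."""
    return sorted(n for n, blob in store.items() if unseal(leaked_keys, blob) is not None)

if __name__ == "__main__":
    print(exposed_by(keys_for(MASTER, "all-data"), build_store(False)))  # every portion
    print(exposed_by(keys_for(MASTER, "profiles"), build_store(True)))   # one portion
```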
More companies in Canada are turning to the cloud, or at least thinking about it, for flexibility, agility and cost savings. But there is often the perception that using cloud-computing services could compromise corporate and customer data, or may
misinformation out there.

Private-sector privacy laws require that you ensure a comparable level of security for personal information, regardless of whether you permit it to be managed by a Canadian company or a non-Canadian company. And some highly regulated industries, such as banking, have special rules that may include additional regulation for outsourced services.

"The Patriot Act is the big thing that people freak out about," he said, "but we have a Canadian version of the Patriot Act, which is just as offensive."

Here's the deal: In 2001, the U.S. Congress passed the USA Patriot Act, which expanded the powers of law enforcement and national security agencies to carry out investigations and obtain intelligence in connection with anti-terrorism investigations.

But the provisions that have attracted the most criticism, said Fraser, have equivalents under Canadian law. Regardless of where information resides, it will always be subject to lawful disclosure to law enforcement or national security bodies. In Canada, he said, this includes search warrants under the Criminal Code of Canada and the Canadian Security Intelligence Service Act. Many European countries also permit broader law enforcement and national security access to information than in both the U.S. and Canada.

Of course, where the data sits can have an impact on that data. "If it's in North Korea or China, it's at high risk," said Fraser. "In the U.S., it may in some cases be significant, but in most cases it won't be. How interested would the FBI be in getting their hands on that data and would they be able to justify getting a subpoena? In most cases no," he said. "And if it's a person of interest they can get it in Canada."

Many people are surprised to learn there's a secret court in the U.S. where judges hear applications made by Department of Justice lawyers for search warrants (and other such things) and there's nobody on the other side to oppose those applications.

"We have a secret court in Canada," said Fraser. "We have a bunker in Ottawa where judges hear lawyers from the Department of Justice and CSIS for warrants to do things as potentially offensive as break into your house and install wiretapping equipment. These orders can specifically provide for authorities to go back in and change the batteries. So people don't often think that Canada is engaged in these types of cloak and dagger things, and we are. Our definition of anti-terrorism is as broad and offensive as the U.S."

Canadian authorities have virtually identical powers under the Canadian Security Intelligence Service Act, he said, which permits secret court orders that authorize CSIS to intercept communications or to obtain anything named in the warrant.

On top of that, Canada has a mutual legal assistance treaty with the U.S. (as well as informal agreements), so if the FBI wants data and it's in the hands of a Canadian company, the FBI calls the RCMP or CSIS. "So when you dig into it, that cross-border issue, at least in most cases, really is not the large issue that many people are led to believe it is," he said, adding that the Patriot Act has become shorthand for "just saying no."

Only British Columbia and Nova Scotia have laws strictly regulating the export of personal information from Canada by public bodies, said Fraser. For all other jurisdictions, including the federal jurisdiction, export is permitted, but the public body must ensure a comparable level of security for personal information, regardless of whether it's managed by a Canadian or non-Canadian company.

WATTIEZ LAROSE: "It may be difficult to customize contracts to make them comprehensive."
"The Patriot Act is the big thing people freak out about, but we have a Canadian version of which is just as offensive. We have a secret court in Canada."
DAVID FRASER, MACINNIS COOPER
What businesses need to do is benchmark their existing privacy infrastructure and compare it to the privacy infrastructure of the proposed cloud provider. What are the real risks to the data, and to privacy and security? A lot of businesses have significant existing vulnerabilities, from insecure desktops, to playing catch-up with security patches, to mobile employees running around with laptops. Or thumb drives. "Nothing is more stupid or dangerous," said Fraser. "In a cloud model if the computer is lost you lose nothing."

Very often, this benchmark leans heavily in favour of the cloud provider that has squadrons of security people. Small businesses, in particular, are vulnerable to power outages and basic continuity issues. A reputable large-scale cloud provider will have multiple data centres, so things will stay up and running.

"One of the biggest hurdles to widespread adoption of cloud computing is the data concern," said Robert Percival, a partner with Ogilvy Renault. "Where is it, what laws govern it, and what obligations do you have under the law? You may have contractual issues with customers or suppliers, for example, or you may have legal statutory obligations, whether that's under PIPEDA privacy legislation or some other applicable statute like health privacy legislation."

As a collector of information, a company is responsible under
"Everything is ultimately negotiable, but if I'm trying to contact Google to negotiate the terms of my Gmail account, it's not going to happen."
ROBERT PERCIVAL, OGILVY RENAULT
there's an ability to negotiate, or they might at least have a chance.

For the sake of efficiency, cloud computing service providers often impose standard term contracts that their clients are not at liberty to negotiate, but which may not properly address all relevant risks. And in a field with little (but growing) competition, businesses may lack the leverage to customize their contract to make it sufficiently comprehensive, said Véronique Wattiez Larose, a partner in McCarthy Tétrault's Business Law Group, who negotiates such contracts.

"This is a model that's meant to be more agile, more flexible, but don't let that fool you from a legal standpoint," she said. "It doesn't mean you can forget about the legal provisions that protect you."

For example, some regions, such as the European Union, have stringent rules concerning movement of certain types of data across borders. Unless they take certain steps, organizations are prohibited from transferring personal information to countries that do not provide the same level of protection with respect to personal information of EU residents (including the U.S.). In a cloud-computing context, it may be difficult to determine which countries data will be transferred to and from. And this has implications for businesses in Canada: nearly half of small businesses here use cloud-computing services, according to a survey by Angus Reid and Hewlett-Packard Co.

The biggest concern with cloud computing contracts is not how they address certain issues, but rather how they fail to address others. "Our concern as lawyers is that more often than not, up until now the cloud computing contracts that we see are incomplete in comparison to your standard long and thick outsourcing contract, which would be extremely detailed," said Larose. "That's not necessarily the case for cloud computing, where at the end of the day the concerns are quite similar."

"There's a huge element of trust required, which is no different from a traditional outsourcing relationship," she said. "The biggest difference is you won't necessarily be negotiating in the same room with the guy sitting across the table from you. Everything is done more remotely, so it's hard to build that trust."

"Don't take for granted that what a cloud service provider offers you will automatically address all of your concerns," she said, though that should be part of any normal due diligence process. If some of your concerns are not addressed, understand the risks and evaluate whether or not you still want to move forward. Although the contract terms may seem commercially reasonable, you need to make sure that the cloud service provider is not turning a blind eye to something that may be material for your organization.

If the geographical location of an organization's data is likely to trigger export control issues, your contract should include prohibitions against extraterritorial storage. And it's important to understand how and in what format the data is stored, said Larose, and what tools are available to retrieve it should it be required for e-discovery purposes.

Find out from the get-go whether or not the cloud service provider has any ability to negotiate the contract. "The answer may be no, depending on the business application you're outsourcing," said Larose. "You obviously can't negotiate your Gmail. But if it's a huge contract and a key relationship for the provider, they're likely to have more flexibility in making everybody happy."

"However, if you employ contract managers and have to negotiate contracts all the time, it can defeat the purpose of cloud and you won't be able to achieve the economies of scale that cloud promises," she said.

But don't say no to cloud right off the bat, and don't base decisions on false information. Go through the exercise: See what's there, what's not, evaluate the consequences of any gaps, and make a business decision based on that. Often, the benefits of flexibility, agility and cost savings will be well worth it.
Key questions are how to manage service hybrids, how to manage a cloud provider next to a traditional provider, how much of the old relationship models work etc.

CIO CANADA: How do you think incidents like the recent Amazon outage will affect the comfort level of CIOs who are considering or already moving into the cloud?

FR: CIOs often trust cloud: they are concerned about security and compliance, but not really about stability and reliability. "When a cloud is down, we see it on the front page of the NYT and this is VERY seldom!" Statements like that we heard often from CIOs in the past and it can be assumed that now there is a stronger proof point that things can go wrong. As more and more enterprises leverage the cloud, more and more enterprises get affected by downtimes. This will force CIOs to ask for more commitments and it will force them to look behind the scenes and understand a bit more of the delivery models behind the cloud services.

CIO CANADA: Are there any new skills or competencies for managing cloud vendor relationships?

FR: Needed! Not there yet! Cloud service providers have a standardized relationship model. The larger players invest more care taking services these days to cope with the enterprise needs, and enterprises increasingly understand that they need to accept more standardization in this area. The new norm will be where these two work streams (vendor invest and client accept) meet.

Shane Schick
Cloud computing is likely to have a significant impact on the ICT labour force. It will create new human resource requirements and compel many workers to acquire new skills.

Cloud computing requires an understanding of traditional core technologies as well as comprehensive knowledge spanning different technology platforms. As a result, many IT workers will likely have to broaden their knowledge across multiple domains.

"The industry is changing quickly," says Paul Swinwood, president of the Information and Communications Technology Council (ICTC). "Tomorrow's IT worker will fully straddle conventional IT silos such as storage, networking, virtualization and security."

As with outsourcing and automation, widespread adoption of cloud computing is expected to shift some IT workers from the technical to the business side of operations. Demand will increase in areas such as vendor contract management, cloud integration, analytics, Internet workforce and mobile applications, with the strongest
Revolution or Opportunity?
Impact on Service Providers

While the unique attributes and requirements of cloud computing will transform the occupational structure of the IT workforce, many current high-value skills will be transferable to the cloud.

IT data centre managers, for example, may evolve into cloud solution advisors. Professionals currently focused on assembling and managing application services may become cloud application managers. And some practitioners may become cloud deployment professionals, designing, deploying and maintaining the technology and software needed to administer the cloud. Testing and software development will occur increasingly within the cloud.

Traditional data centre workers will have to learn to design and populate service catalogues

Large companies need to assess the benefits and costs of cloud computing relative to the investments they have already made in IT infrastructure. For the small- to mid-sized businesses that account for 99.8 percent of businesses in Canada and 60 percent of employment, it's the way of the future. IDC Canada expects that domestic cloud computing expenditures will jump from one percent of IT spending today to 33 percent by 2014, with sales quadrupling to US$758 million.

As the cloud becomes adopted by more and more organizations, roles will shift and skills requirements will evolve. "Cloud computing represents a real revolution," says Paul Swinwood. "But with the right preparation and training, IT workers can take advantage of it and make themselves indispensable to the ICT industry of the future."

SHELDON POLOWIN is the senior labour market analyst with ICTC, based in Ottawa.

ICTC is funded in part by the Government of Canada's Sector Council Program.
Before you take any next steps, test your knowledge with this assessment