Tag Archives: Cloud Service Brokerage

Cloud Information Assurance must address the whole risk picture

Seeing the Whole Risk Picture

PWC Risk assurance partner Dean Simone.

Prepare for what’s around the corner.

Anticipate and deal with risks that are unknown.

How can we build trust in the cloud to drive business growth?

Extract from a report co-authored by Jan Schreuder PWC Partner

“When adopting Cloud Services PWC clients often ask:

  • What are the risks associated with Cloud Computing and how do we manage them?
  • How will cloud computing impact our regulatory and compliance requirements?
  • How do we maintain control and oversight over the cloud environment?
  • Is moving to a cloud computing environment cost effective?
  • How will cloud computing impact on business continuity and disaster recovery planning?

PWC Cloud Assurance can help clients:

  • Assess and manage the technical, operational, financial, legal, regulatory, tax risks and opportunities associated with cloud adoption.
  • Design and review the project framework to transition services to the cloud.
  • Analyse the business case and costs to ensure business benefits are realistic and achievable.
  • Design and review security and controls before, during, and after the move to the cloud.
  • Design and review business continuity and disaster recovery procedures for cloud services.
  • Provide third party assurance over cloud service providers’ control environment.”

Information Assurance in the Cloud

Alan Calder, CEO of IT Governance Ltd

Three minutes into this video clip Alan looks at risk in the cloud.

03:39 One way of looking at Risk in the Cloud is to look at where risk ownership lives.

03:55 – Where security and compliance are concerned, there is a balance, with responsibility shared between the Cloud Service Provider and the User. Risk, however, is all with the user of the Cloud service.

The nature of the cloud is that you can take and use what you want, but it is your risk, your information, your business, your service.

04:40 – Trust Boundaries in the Cloud shift depending on usage, e.g. IaaS or SaaS

09:15 – Cloud Controls Matrix

LINK to download the Cloud Security Alliance – Cloud Controls Matrix

11:45 Understand Cloud Security

Steve Wozniak, interviewed by a French press agency earlier this week, confessed to the audience that he worries about the insecurity of Apple’s famed iCloud.

“I really worry about everything going to the cloud,” said Wozniak. “I think it’s going to be horrendous. I think there are going to be a lot of horrible problems in the next five years.”

iCloud essentially acts as a remote server responsible for synching computing devices. In other words, if a user sends information to one cloud-connected device, the cloud will intercept the information and send it to every other device connected to the cloud space.

“With the cloud, you don’t own anything. You already signed it away,” said Wozniak. “The more we transfer everything onto the web, onto the cloud, the less we’re going to have control over it.”

Matt Honan – How Apple and Amazon Security Flaws Led to My Epic Hacking

“My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.” LINK to Wired article.

Steve Wozniak and Matt Honan have both spoken out about the risk of Cloud Service users losing their content stored in the cloud. Security controls require strengthening to protect access to cloud-based personal information.

Alan Calder mentioned that SAS 70 has been replaced by Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.

In addition, Joe Panettieri has written about how SSAE 16 Audits Gain Momentum With Cloud Data Center Providers  LINK

Cloud Service Providers are also keen to achieve accreditation to SSAE 16. One example is the cloud data security company CloudLock, which completed its SSAE 16 SOC 1 Audit in May.

Cloud Information Assurance for me is applying the Cloud Controls Matrix to build the end-to-end service model that differentiates between who has ownership for service assets.

It is also about having clear Trust Boundaries in the cloud with crystal clear commercial and contractual responsibilities for service risk.

The Cloud Computing Model with Hyper Hybrid [Connected] Clouds, Cloud Service Providers, Cloud Service Brokers and Cloud Service Users is still in its infancy.  

As such nobody in the end-to-end service chain has an understanding of the whole risk picture but the colour palette is emerging.


Gartner research note sets out how the Cloud Services Brokerage market will grow

Cloud Services Brokerages Challenge Traditional IT Service Providers for Cloud Services Delivery

There is confusion about why the term “cloud services brokerage” is needed when traditional IT services firms already embrace an array of cloud services. We examine why we need the term “cloud services brokerage” in cloud computing and the broader traditional IT services market.

Tiffani Bova | Daryl C. Plummer

Published: 1 May 2012 ID:G00233235

Key Findings

  • Cloud services brokerage (CSB) defines a role and key value propositions for new cloud-enabled IT services offerings that the market is demanding.
  • CSBs have cloud at the center of their solutions and business models, whereas traditional IT services providers are transforming and transitioning their portfolios to include cloud services. CSBs won’t likely offer traditional application and infrastructure services without the presence of at least one cloud service.
  • Many traditional IT services providers are struggling to define their path in cloud services, as they face challenges in delivery, growth and profitability, without undoing their core business, which has been immensely successful and profitable.
  • CSBs do not eliminate the roles that IT services providers have played and will continue to play in the market. Instead, CSBs are focused on providing seamless and flexible access to multiple cloud services (many of which may reduce costs or complexity around consuming multiple cloud services). CSBs will introduce more competition and place more pressure on existing, and sometimes incumbent, providers to reduce scope, scale and complexity in their offerings.
  • Understanding the value that a CSB provides by consuming multiple cloud services gives internal IT leaders who are driving cloud adoption a focused way to understand what they should be focused on. Also, it gives traditional IT services providers guidance on which IT service roles will be most affected by cloud.
  • Many traditional IT services providers are pursuing cloud services as new offerings; however, these are not the same roles that will drive the growth of a composite CSB market. A CSB plays a specific role within the cloud services value chain and is not required in all instances.

Recommendations

  • Sourcing, vendor managers and CIOs: If cloud services are the center of a desired solution, then use the CSB select/evaluation criteria versus the traditional IT services criteria (see “Essential Provider Selection Criteria to Use When Outsourcing the CSB Role”), because the CSB attributes address a different set of requirements.
  • When planning your overall cloud strategy, taking into consideration the most effective and efficient acquisition and support model should include the option of leveraging a CSB, especially if you plan to consume more than three different cloud services.
  • Develop internal IT skills that are focused on business process management and how a cohesive hybrid IT environment can deliver expected business results.

Analysis

CSB is a term that describes the market, model and role that support the intermediation between cloud services and cloud consumers. This intermediation, and a definition of the term, is described in detail in “Cloud Services Brokerage is Dominated by Three Primary Roles.” Also brokerage, as a business component, emerges whenever a service provider-service consumer model is established (see “The Role of CSB in the Cloud Services Value Chain”). Stock brokers, real-estate brokers, travel brokers and third-party advisory/intermediary firms represent simple and well-known examples of a brokerage. The existence of brokerage models is not in question. However, the issue arises in the IT sector, when trying to compare the brokerage models with traditional IT service models. This research examines the reasons that “brokerage” as a term and a concept in cloud computing is necessary and useful. It will allow us to distinguish when traditional IT service language and approaches are good enough versus when cloud services brokerage language is more appropriate (see Note 2). This research offers traditional IT services providers and end-user organizations guidance on how new CSBs will position themselves in the market to differentiate from the traditional IT services provider.

IT Services Were Here First

One complaint that brokerage naysayers advocate is that the language of brokerage (e.g., aggregation brokerage, integration brokerage and customization brokerage) is already covered by traditional roles such as technology aggregator, solutions aggregator, system integrator (SI), independent software vendor (ISV) or distributor. They argue that there is no need for new terminology to describe what is already being done by these providers. Some traditional aggregators even go so far as to say they do not like the term “broker” because it minimizes their value into something that can be quickly commoditized. We respectfully suggest that traditional language is not always appropriate when applied to cloud-based solutions (see Note 1). The differences in the cloud model identify significant differences in how aggregation, integration and so forth must be done to deliver on the cloud computing value proposition of agility, efficiency, new capabilities and reduced cost. Traditional IT services providers often have access to, and can make direct changes to, specific technologies, which is not necessarily true in cloud delivered services (such as software as a service [SaaS], platform as a service, infrastructure as a service, and business process as a service).

Because cloud providers do not generally allow a third party to have general access to all back-end systems, code, technologies, or even visibility into how the service is built or architected, the ability to have (implementation or integration) control is severely limited. This represents a major difference, for example, in how one must approach integration in the cloud versus on-premises, custom-built implementations.

We Must Use More-Effective Terms When Describing Changes to Markets

In the cloud brokerage world, the new terminology is intended specifically to introduce the concept of three or more independent parties (provider, consumer and broker) working together, where no one of them has complete control over the actions of the others. Brokers intermediate rather than control; traditional SIs, ISVs and aggregators control more often than intermediate. In the cloud, intermediation is more about coordinating the inputs and outputs of multiple services, rather than about controlling how their technology is implemented. This highlights the core difference. Using the traditional IT services language can imply that a certain level of technology control or assurance is available in the cloud when it is not. Neither the integration brokerage nor the consumer controls the technologies or the business workings of the original cloud service providers whose services are being integrated. In this way, cloud brokerages are responsible and must manage the risk of failure, low service quality, inadequate security assurance, and liability between providers and consumers — all through a relationship in which the brokerage is the customers’ single point-of-contact for multiple cloud services, even where they have little control over certain outcomes.

However, at no point does Gartner suggest that cloud services brokerage should replace traditional IT services or minimize them. Instead, we offer CSB as a set of roles (within a composite CSB market and using CSB models) that can be adopted by traditional IT services companies whenever they need to add additional value to cloud services on behalf of their customers (such as hybrid cloud solutions, or integrated cloud services). For example, the SI role and the CSB aggregation role are not the same, but they represent complementary approaches to solving customer problems in managing products or services from multiple providers. A CSB must interact with at least one or more cloud service, otherwise the term is inappropriate and the CSB would continue to be considered a traditional IT services provider because it was providing integration services.

Also, other differences are worth noting. Gartner has identified six key differences that make CSB something more and less than traditional IT services.

No. 1: The Buyers Can Be Different

Cloud brokerages will have buyers ranging from individual consumers to small or midsize businesses (SMBs) and large enterprises. This range of buyers is seldom served by traditional IT services providers exclusively.

No. 2: The Cloud Brokerage Cannot Modify the Actual Service Implementation or Own the Technology

In traditional IT service scenarios, the SI usually has access to, and sometimes complete control over, the technology within the provider solutions that they are delivering. The potential removal of that control places different burdens on the integration brokerage, which has to integrate or aggregate services it has little ability to change.

No. 3: The Technology Used for Integration, Customization and Management Can Be Different as Can the Integration Scenarios

CSBs may use different technology than the traditional system integrators employ to deliver solutions to their customers. These technologies not only require different skills to use, they apply to different kinds of integration scenarios. Federation, API management, governance (for policy management and enforcement), and offline asynchronous access are among the simple differences. Cloud brokerage technologies for integration and governance in shared multitenant environments account for more than half of the difficulty in integrating cloud services, as opposed to on-premises technologies.

No. 4: The Contract Is Managed Differently

Although the relationship management side of purchasing cloud services will remain relatively the same as traditional IT purchases, the CSB model will lessen the need for high-touch, high-trust relationship-intensive models when it comes to contracting with all the individual cloud service providers that customers choose to work with.

Cloud contracts will typically involve multiple companies that are given assurances only through the contract that may rely on outcomes to manage. In other words, a cloud integration brokerage must integrate services where the only guarantee of performance or availability is through the established SLA agreed on in the customer contract or the brokerage agreement.

Although this happens at times in traditional technology integration, in the cloud, the added restrictions make it much more difficult to get detailed information about the system underlying the services being integrated, which can cause significant risk for CSBs.

Establishing who is to blame for a problem is an extraordinary challenge for customers and brokerages alike. It is critical that CSBs keep their focus on demand/experience fulfillment, and responsiveness to incidents/issues to ensure that the relationship is consistently supported by a positive experience.

No. 5: The Channel for Cloud Brokerage May Be Widely Different Than Those Established for Traditional System Integrators

Selling through and with other channels adds a layer of complexity to the CSB role. Determining the best way to market will drive increased adoption. However, in the cloud service value chain, the suppliers and distributors will often be new entrants to the market with relatively unknown capabilities and brands.

No. 6: There Are New Cloud Specialists

This may be the most important reason for having new terminology. New cloud specialists that do brokerage, integration, customization and aggregation do not necessarily come from the traditional IT services world and do not associate themselves with it (see “Who’s Who in Cloud Service Brokerage”). They approach customers with different marketing messages. They have different technical and business-related skills, establish new value propositions, generally have well-established partner ecosystems dominated by third-party cloud-native IT providers, demand new types of relationships (with providers and customers) based on cloud-centric innovation and business models, and use new technologies and integration scenarios to provide cloud-based solutions.

The Impact

Cloud computing is moving fast (“Forecast: Public Cloud Services, Worldwide and Regions, Industry Sectors, 2010-2015, 2011 Update”). The influx of new cloud specialists is helping in the adoption; however, there is still a significant skill gap for providers that have cloud experience and internal domain expertise for implementing and integrating multiple cloud services (see “Cloud Adoption at Risk Without Big Channel Investments”) broadly across the market.

Gartner predicts that the number of CSBs that will go for scale and large market reach will be in the hundreds worldwide, and include communications services providers, IT wholesale distributors, retailers and large direct market resellers (to name a few) because they have the existing customer relationships with a majority of the SMB market and are pushing for greater relevance in cloud. This is not to say that others won’t become CSBs, which are more locally focused on vertical markets or segments and keep their offerings to a tightly managed set of services.

Companies taking on the CSB role are expected to handle certain scenarios that would previously have primarily been the domain only of the traditional IT services providers. This suggests that there is some urgency to either capture market share in the cloud for those original providers before new companies do it, or that traditional providers will likely acquire the new cloud specialists that are brokerages, to fill out their cloud portfolio. One other option is that companies need to do it before the original cloud service providers acquire new cloud specialists to fill out their new cloud channel ecosystem.

Conclusion

The relationship between CSBs and other types of IT services sourcing and delivery models can be confusing. In particular, the question is often asked: What is the difference between CSBs and traditional IT services offerings?

For clients who have followed Gartner’s cloud research, certainly both terms include similar concepts, since brokerage deals with aggregation, integration, custom development, or even governance/management of cloud services, which are also attributes of traditional IT services providers’ offerings.

The answer for IT providers and buyers of cloud services lies in examining what is different enough about cloud computing to warrant the CSB term. Service providers need a mental framework for deciding how to migrate services to the cloud, while consumers of cloud services would benefit from the same mental framework to be used in helping them decide how to pick the right cloud brokerage providers.

Please note that the above text is not a complete version of the research note; most of the six key differences have been edited.

Cloud Service Model

Key difference No.4 – The Contract Is Managed Differently

The traditional approach to managed services is to create a thin retained layer or carve out responsibility to the procurement capability for oversight and governance of the Service Provider.

With the Cloud, new Service Delivery models will evolve and the role of the Cloud Service Broker will be to stitch the end-to-end service value chain together. The complication with these new ways of working is that the CSB has limited control of the service provided to the Business.

I do not agree with Tiffani / Daryl that the answer lies in a Service Level Agreement with defined penalties.  This will not enable the CSB to provide predictable service levels.

What is required is a refresh of the way that Service Management Practices will enable the Business, Retained IT and the CSB to review Business Outcomes instead of service metrics and process measures.

For example, the cloud enables elasticity and can provide capacity on demand to process a significant volume of invoices during peak periods, where previously they may have been stuck in the system or a backlog built up.

For me, a Cloud Service Model means that utility / warranty (defined in the ITIL 2011 Edition Service Strategy core volume) is delivered from a “Black Box”, so rather than focus on managing the CSB, the Service Management role will need to become a hybrid manager and focus on enabling Business Change.

Most service organisations already have a Business Relationship Manager role; however, these individuals will need to shift their attention away from just Portfolio and Demand Management and more towards presenting options to the Business that demonstrate how the Cloud platform can bring new solutions to the table.

Innovative Cloud Solutions

The cloud enables you to think beyond the traditional

You have to make cloud transformative for your Business

If you’re not thinking out of the box you are not really thinking about the cloud in the right way

 You are not doing the things that the cloud makes possible


What is my Cloud Computing Strategy?

At its most basic level, Cloud Computing allows users to obtain computing capabilities through the internet, regardless of their physical location. Computing clouds are in essence huge online datacentres containing thousands of servers hosting web applications. Cloud services, from infrastructure to complete business processes, can be purchased through web interfaces and turned on and off as they are needed.

Most Business and IT senior executives are aware of the benefits that cloud computing can bring – capital light, lower run costs, agility and faster time to market – all enabled by flexible access to applications and processing power on a pay-per-use basis.

Red Flag 1 – The discretionary (Variable) and non-discretionary (Fixed – Keep The Lights On) cost management pressure that the business places on IT will increase to become the new normal. In addition, use of an IT resource no longer depends on having the capital to own it. The business is able to source, scale and deliver compute capacity unbound by physical location or labour thanks to the cloud.

Red Flag 2 – Business Units are already choosing third party cloud vendors and bypassing the in-house IT function, which they find to be too slow, bureaucratic and difficult to work with.  While IT remains cautious, business users have fully embraced Cloud based services. Cloud usage in the enterprise today is widespread and uncontrolled, with security and audit implications.

 It is important to revisit the IT Strategy to incorporate the cloud and the new services it will enable.  With this in mind what guidance is available to help formulate the strategy?  The most common frameworks are ITIL, ISO 38500 and COBIT 5.

ITIL 2011 Edition – Service Strategy

“Strategy Management for IT services (page 136) is intended for managing the strategy of a service provider: it will include a specification of the types of service it will deliver, the customers of those services and the overall business outcomes to be achieved when the service provider executes the strategy.”

“Strategy Management ensures that all stakeholders are represented in deciding the appropriate direction of the organisation and that they all agree on its objectives and the means whereby resources, capabilities and investments are prioritized.”

Figure 4.3 The strategy management process (page 138) illustrates the Assessment, Generation and Execution phases.

Appendix C – Service Strategy and the Cloud (Page 387)

“The basic principle of the cloud is that whatever IT service or utility a customer needs can be provided directly using the internet (or intranet) on a pay-per-use basis.  Customers do not see, nor do they care, how the services are created and delivered.”

ISO/IEC 38500 Corporate governance of information technology

“The objective of ISO 38500 is to provide a structure of principles for directors (including owners, board members, directors, partners and senior executives) to use when evaluating, directing and monitoring the use of IT in their organizations.

 Directors should govern IT through three main tasks:

1. Evaluate the current and future use of IT.

2. Direct preparation and implementation of plans and policies to ensure that the use of IT meets business objectives.

3. Monitor conformance to policies and performance against the plans”.

 COBIT 5

COBIT 5 introduces a Governance Domain which has 5 EDM processes as described in my previous post.

In summary the guidance (What) provided by these three frameworks will help design and establish a robust governance framework; however there is limited (How) detail around the specific approach to take for Cloud enabled services.

Formulating a Cloud Computing Strategy

So let’s explore five key decisions that will need to be addressed in order to formulate a cloud computing strategy:

  • Do we continue to build out our own computing infrastructure?

IT must determine if the computing infrastructure is expensive and too inflexible, because a highly virtualised and well managed infrastructure saves money. Some legacy applications will remain core and do not lend themselves to a cloud strategy (e.g. SWIFT transactions); however, applications approaching end of life should migrate to avoid further investment.

  • Which parts of the Business do we move to the cloud?

IT should consider the cloud for new applications or business processes as requirements evolve.  The cloud can significantly reduce time to market when rolling out new functionality and processes.

  • What type of cloud deployment do we use?

  1. Public Cloud: scalable bandwidth shared with multiple tenants.
  2. Private Clouds: applications and services deployed through the cloud but within the confines of the organisation’s on-premise data centre or off premise (TelCos building private clouds for customers).
  3. Hybrid Clouds: mixing Public and Private Clouds is the preferred solution for the business because it provides the best balance of flexibility and risk management.

  • How must our governance framework evolve?

IT must retain control over which services are offered and managed and business units will have a say in getting the technology they need.

  • How do we protect sensitive customer information?

New measures will be required to help ensure that while data can be accessed anywhere and anytime, businesses do not breach data protection laws.

Cloud Computing – Not If but When

What are the actions needed to create the cloud enabled business?

IT must partner closely with business customers across the enterprise to understand and meet their needs in a responsive and cost effective way, while also helping to manage and integrate private, hybrid and public cloud based services alongside existing core business applications and technology.

Appoint a Cloud Leadership Team to drive change across the organisation in a co-ordinated effort that is led by Business and IT champions who aggressively push communications.  The team should develop a position on how the cloud will impact the business – create new opportunities, new channels to market and new competitive threats – and how the technology can accelerate existing needs.  The Cloud Leadership Team will need to specify which changes are going to have the most profound impact and prioritise these initiatives based on business benefit, difficulty of migration and any required investment spend.

IT must develop and implement a roadmap to replatform or replace existing business applications over time and then to build new applications using cloud based platforms.

As IT implements its new cloud strategy the IT function has a great opportunity to transform its role and establish itself as the business’s supplier of choice.

IT will require new skills and capabilities, for example hybrid managers who are close enough to the business to fully understand their issues and how cloud computing can respond to meet their needs quickly and cost-effectively.  These hybrid managers will manage all the current and future cloud vendors and integrate cloud services on behalf of the business.

IT will act as the key service interface between the business units and the various suppliers.  Ensuring seamless data integration between cloud and non-cloud services is a critical element of IT’s new role.

IT will need to assess and mitigate the risk of “lock-in”. With Infrastructure as a Service (IaaS), the cloud makes it easier to migrate relatively smoothly to another provider. But with Software as a Service (SaaS), data is stored on the supplier’s servers, making it difficult to disentangle.

 As companies start shifting computing tasks to outside providers in the cloud, intermediaries have emerged to help them do it.

Cloud Service Brokerage

 “A successful cloud computing strategy often involves customizing services from one or more vendors.  One way to do this is through an intermediary service provider: a Cloud Services Brokerage.  A CSB can make it easier to consume and maintain cloud services, while reducing the cost and risk encountered when an enterprise tries to address these issues alone.” Gartner

If you want to consume SaaS, access an Information store or other services, then the Cloud Service Broker provides a single interface and can also offer managed services, professional services or Business Process Outsourcing.

The Cloud Service Broker sits between public cloud services and the customer, taking the commodity-like cloud services and customising them to be more specific to the customer. A CSB also allows the business to extend its control over its applications and data into the cloud.

The Cloud Service Broker adds value when it is aggregating multiple services.

A recent Gartner report outlined three categories of cloud brokers that will enhance cloud services:

Cloud Service Intermediation: An intermediation broker provides value added services on top of existing cloud platforms, such as identity or access management capabilities.

Aggregation: An aggregation broker provides the “glue” to bring together multiple services and ensure the interoperability and security of data between systems.

Cloud Service Arbitrage: A cloud service arbitrage provides flexibility and “opportunistic choices” by offering multiple similar services to select from.
