Steven C. Markey
Cloud computing has been around for several years now; however, this paradigm is just starting to hit critical mass. As organizations look to leverage the cloud, it behooves IS professionals to understand how these solutions may be deployed. This article provides an understanding of how organizations large and small are leveraging the cloud for cost savings, a faster time to market, and/or to realize additional value with their technology.
nControl is a small consulting firm based out of Philadelphia, Pennsylvania, USA. Being a small business, the firm uses the public cloud extensively, mostly with the Software as a Service (SaaS) delivery model in which an organization uses a prebuilt application for processing. Examples of SaaS applications used include customer relationship management (CRM), web-based surveys, email marketing campaigns, fax services, project management and income tax filing.
nControl has realized the following benefits from using SaaS solutions:
The firm uses other cloud delivery models as well, specifically Platform as a Service (PaaS). PaaS requires that an application be built and configured on top of existing hardware and virtual operating system (OS) resources by the cloud consumer. nControl uses this platform for relational database services and web site hosting. PaaS requires more involvement from the cloud consumer; however, this model affords the company more flexibility and agility than the traditional software model for delivery of computational resources.
nControl has been using the cloud for more than four years and is happy with the benefits. That said, there are also challenges with using the cloud, e.g., the costs associated with using PaaS-based databases (or what is called Database as a Service [DBaaS]). Deploying an Oracle 11g instance through a cloud service provider (CSP) can cost US $200-plus per month. Furthermore, if the company takes a backup and/or snapshot of the data on that database, it cannot be ported over easily to another provider. The portability issue extends to the SaaS space when employees try to sync data between Microsoft Outlook and the SaaS-based CRM.
To mitigate the risk associated with going to the cloud, nControl relied heavily on the thought leadership of the Cloud Security Alliance (CSA). CSA, in conjunction with partners such as ISACA, has created matrices, best practices and software standards for evaluating a CSP, and nControl used them. Furthermore, the firm relied upon the CSP having relevant certifications and assertions from, for example, the American Institute of Certified Public Accountants (AICPA) (SAS 70), the American National Standards Institute (ANSI)/British Standards Institution (BSI) (ISO 27001), and the US Department of Commerce (Safe Harbor).
A good example of a community cloud, which is a pool of shared resources found within a private cloud deployment model, is the Illini Cloud. This collaboration among the State of Illinois school districts is well executed.
Jim Peterson, the technology director for the Bloomington (Illinois) School District, noted that:
Jason Radford, who is a system administrator for the Bloomington School District, suggested that:
Peterson and Radford are planning the following as their next steps: leveraging vertical/regional data automation, which is analogous to master data management (MDM), for data snapshots of the community as a whole. They are also using hypervisor-neutral technologies, such as Cloud.com, for enhanced portability/interoperability. Both cloud implementers are working on expanding the community cloud to other interested stakeholders/parties, namely other states and school districts. The Illini Cloud team is also working on packaging cloud software/service solutions as a stack for the consumer. Finally, the team is working with consumers to reduce their reliance on office automation solutions (e.g., MS Office) and/or manual business processes for information processing.
As the team looks to enhance the Illini Cloud, it will continue to leverage security and privacy controls to mitigate risk. By leveraging manual safeguards and native VMware and Cisco-based automated access controls, the team members can rest assured that they are compliant with the various regulations required of public education institutions (e.g., the US Children’s Online Privacy Protection Act of 1998 [COPPA]). To further lock down the environment, the team is also looking to establish federated identities.
As the cloud grows in scale, additional organizations will use it to deliver other value-added services. This is especially true for larger organizations because they have the economies of scale to set up various deployment models. A great example is Pfizer’s high-performance computing (HPC) environment.
Pfizer, one of the largest pharmaceutical conglomerates in the world, uses a hybrid cloud for additional computational power during worldwide research and development (WRD) efforts, such as US Federal Drug Administration (FDA) trials and human genome research. The company leverages an external private cloud Infrastructure as a Service (IaaS) delivery model offering—Amazon Web Services’ (AWS) Elastic Compute Cloud (EC2) in addition to the Virtual Private Cloud (VPC)—for additional resources when needed. Being a large organization that is heavily regulated, the entity’s data are stored within its internal data centers. However, through the use of encryption for data in transit, the company leverages EC2 computational resources when necessary, via a secure connection.
The benefit of using an external private cloud, such as AWS EC2, for additional computing power is the elasticity of the cloud. In essence, Pfizer pays for only what it uses when it uses it. However, there is risk involved. So, to mitigate the risk and comply with FDA and national and/or statutory jurisdictional data privacy regulations, the organization uses encryption, virtual firewalls/networks, network and system monitoring, and identity and access management (IAM) mechanisms.
Because it must implement the various controls mentioned previously to ensure the security and privacy of such regulated data, the organization observes a different level of cost savings than other industries. However, as FDA trials ebb and flow year by year during the course of business in the pharmaceutical industry, the flexibility and the agility to provision and/or deprovision resources are of paramount importance. Furthermore, as new technologies are introduced, such as homomorphic encryption, which allows computations to be executed on the ciphertext itself (as opposed to decrypting the ciphertext for processing), the ability of heavily regulated industries to do faster computational processing in the cloud will increase.
IS professionals must be ready to articulate the pros and cons of this new environment, and where and how it can provide added value for the business. The examples provided here present thought leadership on what can go to the cloud and how to get there. Furthermore, these case studies show that an organization of any scale can go to the cloud.
Steven C. Markey is the principal of nControl, a consulting firm based in Philadelphia, Pennsylvania, USA. He is also an adjunct professor and the current president of the Delaware Valley (Greater Philadelphia) chapter of the Cloud Security Alliance (CSA). Markey holds multiple certifications and degrees, and has more than 11 years of experience in the technology sector. He frequently presents on information security, information privacy, cloud computing, project management, e-discovery and information governance.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.