This document discusses cloud computing and defines key concepts such as infrastructure as a service, platform as a service, and software as a service. It outlines opportunities and risks of cloud computing related to legal, structural, economic and technical aspects. The document also discusses how electronic identification and security will be impacted by cloud computing and proposes possible approaches for Austria, including defining suitability criteria for cloud services and standards for cloud providers.
1. EU-Großpilotprojekte – STORK und SPOCS
Cloud Computing
The Austrian Approach
Peter Kustor
27th September 2011
peter.kustor@bka.gv.at
Cloud Computing | 27.9.2011
Topics
Definition
– general features
Opportunities and risks
– Legally
– Structurally
– Economically
– Technically
Example: eID and cloud
possible approach / requirements for Austria
Cloud Computing | 27.9.2011 2|
Seite 1 29.09.2011
2. EU-Großpilotprojekte – STORK und SPOCS
Definition - general characteristics
Cloud computing represents a (more) responsive and
flexible deployment of IT resources
Cloud computing is not a technology but a business
model for providing IT services – however this demands
for new technologies/ privacy considerations/ resource
management/ law enforcement considerations
the central feature is the consumption-based billing and
the provision of IT services to shared resources
(infrastructure, platforms, software, business
processes/services)
IT-requirements need to be decoupled from the IT
infrastructure
Cloud computing (Public cloud) is a form of outsourcing
of ICT infrastructure
Cloud Computing | 27.9.2011 3|
Definition - characteristics
On-Demand Self Service / Self-provisioning of resources:
resource management by user / customer
Broadband Network Access: all resources are broadband
connected via the Internet or intranet
Resource pooling: the computing resources are pooled in
one place and made available to several users
Massive Scalability: resources can be made available to
the appropriate extent depending on requirements
Rapid Elasticity: resources can be allocated in real-time
and (partly) automated according to the changing needs of
the user
Measured service / pay as you go: consumption-oriented
payment or settlement model
Multitenancy: resources and services are shared
dynamically between all users
Cloud Computing | 27.9.2011 4|
Seite 2 29.09.2011
3. EU-Großpilotprojekte – STORK und SPOCS
Definition – service models
Infrastructure as a Service (IaaS): disposal provision
of basic infrastructure (processing power, memory),
users can run customized software such as operating
systems and application programs
Platform as a Service (PaaS): computing power,
memory and operating system platform with
development tools will be provided at users disposal,
users have control about applications
Software as a Service (SaaS): user will be offered
the whole service (ie mailing)
Process as a Service (PaaS): is resulting out of the
SaaS-level and is characterized by a stronger focus to
the Business Processes
Cloud Computing | 27.9.2011 5|
Definition – deployment models
Public Cloud: the cloud infrastructure and services
are possible to rent for everybody
– Virtual Private Cloud: is a specific public cloud variant, which
is using appropriate safety precautions - the customer may
use an encapsulated IT infrastructure made available, which
is connected using secure VPN (Virtual Private Network)
technology directly with the customer network
Private Cloud: the cloud infrastructure and services
will be operated for a single organization and only
used by this
– Community Cloud: the cloud infrastructure is shared by
multiple organizations pursuing similar goals and interests;
the management of the infrastructure is done by the
organizations themselves or externally by a third party
Hybrid Cloud: ss the mixture of two or more variants
Cloud Computing | 27.9.2011 6|
Seite 3 29.09.2011
4. EU-Großpilotprojekte – STORK und SPOCS
Situation and conditions
Gartner Hype Cycle
Cloud Computing | 27.9.2011 7|
Opportunities and risks - Overview
legal
- Data protection issues, ...
- Influence on contract, ...
- Procurement law
structural
+ faster service provisioning,
+ Flexible bandwidth, ...
- LockIn effects and silo solutions
- Compliance with governance rules, ...
economical
+ standardization of IT infrastructure and services, ...
- functional adaptation cost adjustments,
+/- operating costs vs. capital costs
technical
+ standardization, scalability, ...
- Identity management, technical audit, ...
Cloud Computing | 27.9.2011 8|
Seite 4 29.09.2011
5. EU-Großpilotprojekte – STORK und SPOCS
Legal aspects
Public Cloud:
processing of personal data largely excluded,
no possibility of contractual adjustment
Virtual Private Cloud:
only minor customization options compared to public
cloud model
Private Cloud:
offers the best conditions to meet data protection
requirements
non-personal or not ‘very’ sensitive data are an option
for Cloud usage
Contractual issues and procurement law issues!
Cloud Computing | 27.9.2011 9|
Structural aspects
rapid provisioning of services leads to cost reductions
however, higher consumption rates can quickly lead to
unexpectedly high costs
Cloud computing using an ad hoc approach may lead
to a "silo" solution
data exchange between applications can be difficult
insufficient knowledge about internal costs or lack of
comparability
structural dependence on suppliers of cloud solutions
Cloud Computing | 27.9.2011 10 |
Seite 5 29.09.2011
6. EU-Großpilotprojekte – STORK und SPOCS
Economic aspects
fully standardized IT infrastructure and services lead
to cost advantages
functional adaptations or their integration into existing
business processes at higher cost
cost advantages in purchasing (through massive
bundling) versus loss of efficiency in the use of
standard services without adjustments for
administration
due to the usage-based billing running costs will be
replaced by investment cost; for private cloud
services, this argument applies only partially
Cloud Computing | 27.9.2011 11 |
Technical aspects
Standardization
+ competition between providers
- without standards depending on the CSP operators
Scalability
+ almost unlimited resources by CSP
- simultaneously load peaks in the worst case lead to a halt.
Identity and rights management
- security concerns in the implementation of the CSP, especially the privileged user
accounts (administrator)
Tenancy, security
+ is a core structure requirement for CSP, and should therefore be carried out "state of the
art“
Cloud Management
+ default management services are provided through web portals for convenient disposal
- Integration of tools to CSPs in customer-specific processes not yet tested
Technical revision
- seperation of customer-specific data (log files, …) must be regulated by contract -
currently, no standardized offers
Patch Management
+ rapid roll out of standardized patch management patches through unified infrastructure
- difficulty of testing the compatibility of patches, consideration of specific customer
requirements.
Cloud Computing | 27.9.2011 12 |
Seite 6 29.09.2011
7. EU-Großpilotprojekte – STORK und SPOCS
eID and the cloud – is there something new?
The cloud as such is not bringing excitingly new
technologies
– It is the combination
– It is the scale
– It is the commercial aspect
– It is the standard – the conformity
By this the cloud might reach the “break through point”
Cloud Computing | 27.9.2011
eID and the cloud – is there something new?
It is changing some of the basic assumptions
The one to one model CLIENT-SERVER is no more
possible
– it is CLIENT - CLOUD - SERVER
– for legal considerations
– for contractual considerations
– for technology considerations
– for data protection and privacy
considerations
Most users will not yet recognize this difference
Cloud Computing | 27.9.2011
Seite 7 29.09.2011
8. EU-Großpilotprojekte – STORK und SPOCS
eID and the cloud – is there something new?
eID and security will bring highly impacting
changes
The cloud will show the need to react
– eID and technological quality
– security and crypto-based technologies
– policies and standards
Yet there is a big difference
– encryption and crypto-based
confidentiality hardly possible
– user control on the physical level non-existent
Cloud Computing | 27.9.2011
Impacts of Cloud Computing on eID
New approaches (like eID) must be “cloud
compatible”
– From the point of view of security
– From the point of view of privacy and intellectual property
protection
We might possibly need to twist on both ends
– In the eID domain
– In the cloud domain
– To yield contractual, legal/regulatory, commercial and
technical acceptance
Cloud Computing | 27.9.2011
Seite 8 29.09.2011
9. EU-Großpilotprojekte – STORK und SPOCS
Cloud - Chance and Risk
CLOUD will enable and enforce broad usage of
crypto-based services
– eID and access control
– storage and confidentiality of data
– standard security for all
at the same time knowledge and with this
awareness will be lowered at the users side
Cloud Computing | 27.9.2011
possible approach / requirements for Austria (1)
Pilot and analyse cloud projects
– exchange of Information and experience
– Studying and experimenting on cloud solutions e.g. eID SSO
etc.
Cloud-compliant application
– develop new applications cloud ready
– establishment of criteria, what defines "cloud compliant“
Suitability criteria for cloud
– definition of suitable criteria for applications for assessing
which cloud model they fit
Cloud standards
– definition of standard requirements for Cloud Providers
– definition of a standard process model in the implementation
of cloud applications
Cloud Computing | 27.9.2011 18 |
Seite 9 29.09.2011
10. EU-Großpilotprojekte – STORK und SPOCS
possible approach / requirements for Austria (2)
Cloud assessment
– definition of criteria catalogue and development of models for
assessment
Cloud sustainability and openness
– implement applications in the cloud so that migration is
defined / assessed and / or service for alternative cloud is
feasible (service runs at two different cloud providers)
Cloud in the administration
– evaluation and assessment of one / several government cloud
for Austria and across borders
Cloud – next steps:
– Identify potential services, pilot them, learn, share, …
Cloud Computing | 27.9.2011 19 |
Cloud Computing / Austria
Thank you!
Peter Kustor
Federal Chancellery of Austria
Ballhausplatz 2
Wien, Februar 2011
1014 Vienna
Phone: +43 53115 2554
peter.kustor@bka.gv.at
http://digital.austria.gv.at
Cloud Computing | 27.9.2011
Seite 10 29.09.2011