Startup in the Cloud


Startup In The Cloud Information Systems For Startup Companies Based On Cloud Computing

Hans Martin Galliker FH BKO-C06

Bachelor Thesis – Individual Work

Bachelor Of Arts In Business Communication University Of Applied Sciences In Business Administration Zurich

Submitted To: Beat Hofer, Executive MBA General Manager, PanOptimum GmbH

Submitted By: Hans Martin Galliker FH BKO-C06

Maihusen, 6215 Beromuenster, Switzerland Zurich, February 26, 2010

Management Summary

Cloud computing is a technology that makes it possible to use software as a service. Cloud computing service providers promise to deliver the software at lower cost than ever. The services are promised to run without downtime and to require only an internet connection and a browser. Some services are completely free, such as Google Mail, whereas others, like Salesforce, are paid for according to actual usage. Cloud computing promises flexible business processes in order to keep up with constantly changing markets, shorter lead times and better connectivity by using the intelligence of social networks. These promises have not gone unheard; the business press reports on cloud computing constantly. But what does it mean for startups, entrepreneurs and small companies?

This thesis, Startup in the Cloud, examined whether cloud computing is secure, affordable, simple, lawful and available to all industries, and whether it encourages innovation. The research results have shown that startups and small companies are able to benefit the most from cloud computing services. The absence of capital expenditure is excellent news for startup companies, and they also gain a leveraged advantage from the flexibility that cloud computing offers, simply because smaller organisations can capitalize on new market opportunities faster than larger companies. The downside is the dependency on the service provider: data is stored in a data center and, depending on the contract and technical hurdles, it can prove difficult to move to another service provider. However, by seriously assessing the business requirements and analyzing the risks, it is possible to compare offerings from different service providers in order to avoid being locked in. Furthermore, supranational organizations, public institutions, non-profit organizations, private communities and even the IT industry aim towards an open cloud with compatible, public standards.

Cloud computing has the potential to democratize global business opportunities, as in principle anyone with internet access has the chance to use sophisticated information systems. This seems to be an interesting prospect for startups, entrepreneurs and small companies from all over the world. The author of this thesis strongly recommends that they assess the opportunities that cloud computing offers them.

Table of Contents

Management Summary
Declaration
Methodological Approach
Initial Position
Defining Cloud Computing
    Definition
    Essential Characteristics
    Service Models
    Deployment Models
    Cloud Computing Security
    Cloud Computing Enablers And Trends
        Connecting Clouds
        Open Standards And Open Source Community
        Service Orientation
        Grid Computing
    Significance: Defining Cloud Computing
Political Implications And Standardization
    Understanding Global Governance To Enable Global Business Opportunities
    Activities On Continental Level
        United States
        Asia
        Europe
    Standardization
        ISO Standard For Cloud Computing
        Overlapping Competencies
        Bottom-up Standardization
    Significance: Political Implications And Standardization
Market, Economics And Trends
    Business Benefits In General
    Benefits For Startups And Small Companies In Particular
    Fundamental Business Economics
    Cloud Computing In Large Enterprises
    Variations And Industries
    Ever Changing Business Requirements
        Relationships As A Driver
        Buyers Become Sellers
        Human Interaction Management
    Trends
        Encouraging Innovation By Simplicity
        Software Paradigm Shift Away From Conventional To Pay As You Go
        Freemium - Cloud Computing As A Potential Cost Trap
        Hosted Open Source Business Opportunities
        Paradigm Shift Of Change – From Push To Pull And From Mass To Micro Markets
        Mega Data Centers
        Brokering Cloud Services
    Significance: Market, Economics And Trends
Evaluation Guide
    How To Approach A Cloud Computing Evaluation?
    Who Is Initiating And Attending The Evaluation?
    Introduction To CSA Guidance For Cloud Security Assessment
    CSA Guidance: Section 1. Cloud Architecture
        Domain 1: Cloud Computing Architectural Framework
        Domain 2: Governance And Enterprise Risk Management
        Domain 3: Legal And Electronic Discovery
        Domain 4: Compliance And Audit
        Domain 5: Information Lifecycle Management
        Domain 6: Portability And Interoperability
        Domain 7: Traditional Security, Business Continuity And Disaster Recovery
        Domain 8: Data Center Operations
        Domain 9: Incident Response, Notification And Remediation
        Domain 10: Application Security
        Domain 11: Encryption And Key Management
        Domain 12: Identity And Access Management
        Domain 13: Virtualization
    Orientation In The Cloud Computing Jungle
    Significance: Evaluation Guide
Conclusion: Cloud Computing Information Systems For Startups
Table Of Tables
Table Of Illustrations
Bibliography
Annex: Consulting Experts

Declaration

I certify that:
- the thesis being submitted for examination is my own account of my own research
- the data and results presented are the genuine data and results actually obtained by myself during the conduct of the research
- this thesis in identical or similar form has not yet been submitted to any other board of examiners

Zurich, February 26, 2010

Hans Martin Galliker

Methodological Approach

The following methodologies have been applied:
- Literature research
- Consulting experts

Experts have been consulted in order to get answers to specific questions of interest:
- Both experts with a distinct academic background and experts with a rather practical background have participated
- A questionnaire with results can be found in the annex

The following table gives an overview of how the methodological approaches have been applied:

Column headings: Theoretical only * / Mixed theoretical and practical ** / Rather practical *** / Own assumptions & conclusions ****

Initial Position: x
Problem Analysis; Defining Cloud Computing; Political Implications and Standardization: x (H), x, x
Markets, Economics and Trends: x
Evaluation Guide: x
Conclusion: x

Table a: Application of methodological approaches. Annotations: (H) main questions and assumptions hypothesized / * Without results from “Consulting Experts” and completely derived and supported by literature / ** Includes results from “Consulting Experts” and extensively derived and supported by literature / *** Includes results from “Consulting Experts” and enhanced with derived opinions from the author of this thesis / **** Setting in context Assumptions & Findings with own experiences

The citations within text, footnotes and bibliography have generally been made on the basis of the Chicago Manual of Style (Note with Bibliography). This style was introduced in 1906 and is now in its 15th edition. It is widely used in the Anglo-Saxon area for scientific publications and books and is the basis for several other styles. 1

The following list reflects the accredited value of the source types that have been used. In general, the sequence gives an account of the importance given; the exception proves the rule. The designations in brackets specify the citation type according to the Chicago Manual of Style (Note with Bibliography), by which the citation elements are structured:
- Documents from standardization bodies with widely recognized acceptance from the business and the academic world (Book or Report or Document)
- Scientific books (Book)
- Scientific publications (Report)
- Scientific journals (Journal)
- Online articles from “serious” newspapers (Newspaper Article)
- Videos (Video)
- Conference presentations (Presentation)
- Blogosphere (Blog Post)
- An online database application filled with survey replies from consulted experts (Interview)
- Emails (Email)
- PDFs from commercial companies (Document)
- Informal websites (Web Page)

1 cf. University of Chicago, “The Chicago Manual of Style Online - 15th Edition: Chicago-Style Citation Quick Guide.”

Initial Position

Founding a globally operating, sustainable company is the dream of many young people. In order to fulfill this dream, fresh ideas, drive, innovation, reliable partners and efficient information handling, amongst many other points, are required. Inspiration and creativity know no boundaries, and many somewhat challenging ideas may at first have been scorned, only to be finally acknowledged as something which truly adds value to our society. There is a new wave of technology, which some call a new business philosophy, that could help young entrepreneurs to make their dream come true. It is called cloud computing.

Cloud computing promises to provide highly scalable information systems over the internet. All that is required is an internet browser. No investment capital is needed, as it follows the pay-as-you-use principle. If what the business press and cloud computing pioneers say is true, then cloud computing could offer unforeseen opportunities to broad levels of the population, no matter where, as long as internet access is granted. It could, in a manner of speaking, enable young people to “Startup in the Cloud”.

But is cloud computing secure, affordable, simple to implement and in line with national laws? Does it foster innovation and is it available to all industries? Is it possible to cover the information system needs of multinational startup companies based on cloud computing? This bachelor thesis will answer these questions in a neutral and comprehensible way. It highlights the needs of startup companies, who probably have the highest demand for smart but affordable information systems.

The thesis is divided into four main parts:
- Defining cloud computing: Describes the characteristics of cloud computing
- Political implications and standardization: Highlights possibilities and opportunities for those who could benefit most from cloud computing
- Market, economics and trends: How cloud computing can be used and the most important trends
- Evaluation guide: How to approach an evaluation of cloud computing

The intended readers are startup companies, entrepreneurs who want to make a change, executive management of smaller companies and chief information officers, but also everyone else who is interested in technology and in doing business.

Defining Cloud Computing

“Cloud Computing is a new term for a long-held dream of computing as a utility, which has recently emerged as a commercial reality.” 2
University of California

Cloud computing does not have a birthday and it was not formally invented. Some underlying technologies have been used since the beginning of computing. Cloud computing is basically a new way of delivering computer resources as a service. According to IDC's analysis, this emerging market for cloud services is estimated to grow from $17.4bn in 2009 to $44.2bn in 2013. In spite of these numbers, cloud computing is not yet clearly defined and is still in an early, but dynamic development process. 3 4 5

Definition

There is no universal definition for cloud computing, as it is a highly controversial topic. The most frequently heard criticism is that cloud computing is nothing new and therefore does not need a definition. To complicate matters further, no standard work on cloud computing has yet been published with an acceptance comparable to, for example, Kotler's “bible” in the field of marketing. 6 7 8

However, the most used definition source is a two-page Word document which was initially written in 2008 by the Computer Security Division of the US National Institute of Standards and Technology (NIST) and has since continuously evolved under the auspices of NIST after extensive consultation between IT governance institutions, industry and academia. The European Network and Information Security Agency (ENISA), which has also gained authority in the cloud computing area, has leveraged the NIST definition by accepting it in November 2009 as the leading cloud computing definition. 9 10 11

2 in dependence on Parkhill, 1966, "The Challenge of the Computer Utility", cited by Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, 2.
3 cf. Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security, 21.
4 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services, 7.
5 cf. Gens, Mahowald, and Villars, 2009, "IDC Cloud Computing 2010 - An IDC Update", cited by Catteddu and Hogben, Cloud Computing: Benefits, Risks and Recommendations for Information Security, 4.
6 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” 1.
7 cf. Chen, Paxson, and Katz, What’s new about Cloud Computing Security?, chap. 2.
8 cf. Balachandran, “The Messiah of marketing.”
9 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy, 2.
10 cf. Object Management Group et al., “Cloud Standards Coordination.”
11 cf. Catteddu and Hogben, Cloud Computing: Benefits, Risks and Recommendations for Information Security, 14; 93.

Illustration a: Visual Model of the NIST Working Definition of Cloud Computing. Source: Reproduced according to the original source by NIST, 2009.

The following sub-chapters are structured according to the NIST definition. Each begins by quoting the relevant part of the definition, followed by further considerations.

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.” 12

Essential Characteristics

Many attributes can be ascribed to cloud computing, but according to NIST five essential characteristics can be named: first, on-demand self-service; second, broad network access; third, resource pooling; fourth, rapid elasticity; and fifth, measured service. If one of them is missing, a service cannot in the strict sense be called cloud computing, or at least its usage value will be limited. To improve readability, the literal quotes are set in grey tone.

1. On-demand self-service: “A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.” 13

12 Mell and Grance, “The NIST Definition of Cloud Computing v15.”
13 Ibid.

This can help smaller companies to overcome the obstacles to sophisticated e-business cooperation. For example, with the latest generation of cloud-based payment services it is possible to easily integrate payment systems into web applications. Specialized service providers such as PayPal make such cloud web services available to their customers (from end-users up to multinational companies) and no longer require extensive contracts and long-term commitments. It is just pay-as-you-go via credit card. Small companies or even micro businesses such as startups now have online commerce opportunities that go beyond traditional online shopping. 14 15 16 17

2. Broad network access: “Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).” 18

While platform independence has released applications from proprietary hardware, cloud computing applications can be used from anywhere, at any time and with any type of device, as long as it has a browser. 19

3. Resource pooling: “The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.” 20

The Cloud Security Alliance (CSA), an often cited non-profit organisation with individual members from science and industry, has chosen to align with the NIST definition but argues that virtualization is undervalued by being subordinated to resource pooling; the same applies to multi-tenancy. 21 In fact, virtualization is both a strong enabler of the rise of cloud computing and, at the same time, not necessarily a requirement. Cloud services can, for example, be deployed directly on a server without a (hardware) virtualization layer. However, virtualization is usually deployed because it can adjust better to changing performance requirements and uses the resources more efficiently. Widely known are enterprise hardware virtualization technologies such as VMware or the open-source Xen hypervisor, which for example is used by Amazon Web Services (AWS), a well-established cloud service from the cloud computing pioneer Amazon. Virtualization can also happen on the software layer; SaaS, for example, uses it to offer different users different, decoupled services while running only one piece of software. 22 23

Many definitions other than the one from NIST define the multi-tenancy model as an integral characteristic of cloud computing. CSA describes its role as follows: “Multi-tenancy in cloud service models implies a need for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models for different consumer constituencies. Consumers might utilize a public cloud provider’s service offerings or actually be from the same organization, such as different business units rather than distinct organizational entities, but would still share infrastructure.” 24 The architectural approach of multi-tenancy can lead to improved operational efficiency because the infrastructure, data, metadata and services can be shared across many different consumers. 25 26

4. Rapid elasticity: “Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.” 27

Some conditions must be met to profit from rapid elasticity. Not every application can simply be put in a cloud environment; it needs to be “architected for seamless scale-up and scaledown in a linear fashion in response to load or declarative policy […] automatic scaling requires additional levels of management of the basic cloud system infrastructure, and it may not be consistently available across cloud system infrastructure providers.” 28

5. Measured Service: “Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).” 29

14 cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, 6.
15 cf. Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and Social Interaction, 71-72.
16 cf. Reese, Cloud application architectures, 174.
17 cf. Lawson, “PayPal opens door to developers.”
18 Mell and Grance, “The NIST Definition of Cloud Computing v15.”
19 cf. Velte, Velte, and Elsenpeter, Cloud Computing: A Practical Approach, 92.
20 Mell and Grance, “The NIST Definition of Cloud Computing v15.”
21 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 15.
22 cf. Reese, Cloud application architectures, 6.
23 cf. Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security, 186.
24 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 17.
25 cf. Fingar, Dot.cloud: The 21st Century Business Platform, 42-43.
26 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 17-18.
27 Mell and Grance, “The NIST Definition of Cloud Computing v15.”
28 Knipp et al., Creating Cloud Solutions: A Decision Framework, 41.
29 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 1-2.

The measured service characteristic distinguishes usage-based cloud computing pricing from hosting (rent) and common outsourcing arrangements, which are to a greater or lesser extent inflexible contracts. 30

Service Models

Cloud computing consists of three distinctive service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Additionally, several other secondary variations exist. 31

1. SaaS - Cloud Software as a Service: “The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.” 32

SaaS is sometimes described as the user level of cloud computing because SaaS applications are ready to use; the user only needs to log in via a browser. Basically, no administrative hassle occurs, at least as long as no change of SaaS provider is planned. 33 SaaS can often be adjusted to company processes and a user-specific look and feel, but usually lacks the possibility of customization on a deeper level. Some application providers are addressing this problem by offering Application as a Service (APaaS). They open up the hood to their customers by letting them configure, customize and extend the application thanks to integrated development, deployment and management services. These services are optimized for cloud computing by supporting the delivery of the end application as a multi-tenant cloud service without losing the fine-grained elasticity of the cloud computing infrastructure. Typical APaaS offerings are the online database application Zoho Creator and Salesforce's Force.com platform service. 34 The development does not happen on a low level; it applies the metadata-driven programming of the model-driven architecture. However, compared with pure SaaS, APaaS leads to additional complexity, which is something that startup companies usually try to avoid. Rather than looking for precise adjustments, they look for elasticity and seamless integration with other information systems. 35

30 cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, 20.
31 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 15.
32 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.
33 cf. Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7; 29.
34 cf. Knipp et al., Creating Cloud Solutions: A Decision Framework, 8.
35 cf. Ibid., 2; 8-10.

2. PaaS - Cloud Platform as a Service: “The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.” 36

PaaS is sometimes described as the developer level of cloud computing, as it is the developers and tech-savvy users who make the infrastructure layer available to the (end-)user. A distinction is made between the sub-categories Programming Environments and Execution Environments. Cloud programming environments (for example Django Framework) depend on “conventional” programming languages and selectively complement them with additional functionalities. Parts of the software are decoupled, which eases the adaptation of “conventional” environments atop cloud computing environments. By contrast, cloud execution environments (for example Google Apps) usually rely on their own programming environment. However, the borderline between cloud programming environments and cloud execution environments has become more blurred. 37 38

3. IaaS - Cloud Infrastructure as a Service: “The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of selected networking components (e.g., host firewalls).” 39

IaaS is sometimes described as the IT level of cloud computing because IaaS is close to the hardware that is commonly operated by so-called “typical” IT personnel such as infrastructure system engineers. IaaS providers (for example IBM Blue Cloud) isolate the hardware from the upper development and application layers in order to maintain high flexibility to scale up/out and protection against hardware failures. This abstraction is usually done with the already mentioned hardware virtualization. The aspect of deploying complex existing applications and their middleware to IaaS is probably less relevant for non-IT startups, because they usually start on a greenfield and are therefore more likely candidates for ready-to-use SaaS applications. 40 41 42

36 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.
37 cf. Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7.
38 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services, 33-35.
39 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.
40 cf. Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7.
41 cf. Buyya et al., “Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility,” 600.
42 cf. Knipp et al., Creating Cloud Solutions: A Decision Framework, 7.


Deployment Models

According to NIST, cloud computing instances can be operated according to four different deployment models: Private Cloud, Community Cloud, Public Cloud and Hybrid Cloud. However, it cannot be assumed that every cloud provider supports all of these deployment models. 43

1. Private cloud: “The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.” 44

Private clouds and efficient on-premises installations can have many common characteristics, such as virtualization or the same programming models and tools. The difference is the ability of private clouds to move workloads into their own infrastructure and outside sets of infrastructure at the same time. However, as the structure is already reasonably in the public cloud and has gained some independence, it can offer unforeseen opportunities because of the ability to turn the tables by opening the (private) cloud services to external partners for collaboration or by running them like a profit centre. 45 46 In the strict sense, private clouds cannot be categorized as cloud computing because “it lacks the freedom from capital investment and the virtually unlimited flexibility of cloud computing.” 47 Nonetheless, the fact that private clouds can be run behind the organization's firewall can make them a feasible entry point to the world of cloud computing “for companies that either have significant existing IT investments or feel they absolutely must have total control over every aspect of their infrastructure.” 48 49

2. Community cloud: “The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.” 50

Enterprises, groups or individuals who have a common purpose share their collective distributed computing power in order to accumulate many community cloud subsets that are all connected within trusted Virtual Private Networks. 51

43 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” chap. 1.
44 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.
45 cf. MacDonald and Smith, “Gartner Fellows interview with Microsoft's Ray Ozzie on Cloud Computing.”
46 cf. Bittmann, “Building a Private Cloud: Are We There Yet?.”
47 Reese, Cloud application architectures, 19.
48 Ibid.
49 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” chap. 3.2.
50 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.
51 cf. Cloud Computing Use Case Discussion Group, “Cloud Computing Use Cases White paper - Version 3.0,” 30-31.


“There are growing concerns over the control ceded to large cloud vendors, especially the lack of information privacy […] the distributed resource provision from Grid Computing, distributed control from Digital Ecosystems, and sustainability from Grid Computing, can remedy these concerns […] Replacing vendor clouds with nodes potentially fulfilling all roles, consumer, producer, and most importantly coordinator [...] by utilizing the spare resources of networked personal computers collectively to provide the facilities of a virtual data centre and form a Community Cloud.” 52

The concept of a community cloud is challenging because of its technical complexity and issues related to distributed computing, the heterogeneity of the nodes, varying quality of service and other security constraints. 53

3. Public cloud: “The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.” 54

The University of California, Berkeley (UC Berkeley) expands the NIST definition of a public cloud as follows: “When a Cloud is made available in a pay-as-you-go manner to the general public, we call it a Public Cloud; the service being sold is Utility Computing.” 55 Utility computing means that only the currently needed amount of resources is provided. Due to technical and commercial developments, utility computing has finally made its commercial breakthrough in the form of cloud computing because it is now possible to consume these resources in the simple manner of Apple's App Store for the iPhone: marketed off the shelf, automatically deployed and deducted. 56 57 58

52 Briscoe and Marinos, “Community Cloud Computing,” chap. 1.
53 cf. Ibid., chap. 5. b).
54 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.
55 Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, 4.
56 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services, 25-26.
57 cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, 19.
58 cf. Buyya, Pandey and Vecchiola, 2009, in a collected edition of Jaatun, Zhao, and Chunming, Cloud Computing: First International Conference, CloudCom 2009, Beijing, China, December 1-4, 2009, Proceedings, 42.


4. Hybrid cloud: “The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).” 59

Illustration b: Hybrid Cloud. Source: Cloud Computing Use Case Discussion Group, 2010.

Hybrid clouds are often used to shift specific functionalities or peak performance requirements to third-party cloud providers. 60

Cloud Computing Security

“It seems that having your data in the cloud on machines you do not control is very emotionally challenging to people.” 61

George Reese, enStratus

A reserved attitude towards moving one's data into the cloud certainly cannot be attributed solely to the natural disposition of IT decision makers. In fact, cloud computing has not yet matured, and critical voices about insufficient security are unmistakable. The different aspects need to be considered according to the specific requirements; a serious assessment may help to identify potential issues.

59 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.
60 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services, 27.
61 Reese, Cloud application architectures, 63.


“We believe that there are no fundamental obstacles to making a cloud-computing environment as secure as the vast majority of in-house IT environments, and that many of the obstacles can be overcome immediately with well-understood technologies such as encrypted storage, Virtual Local Area Networks, and network middleboxes (e.g. firewalls, packet filters).” 62

UC Berkeley

There are three main fields that cover most security aspects of cloud computing: first, legal aspects; second, regulatory compliance; and third, standards compliance. Each of these main fields is connected with political questions regarding global governance of the information society. These and several other issues, as well as a guiding model, will be introduced later on in this thesis. 63 64 65

“An important point to keep in mind is that the cloud does not introduce any new security threats or issues. To put security in perspective, cloud computing as a whole can be considered the ideal use case to highlight the need for a consistent, transparent, standards-based security framework regardless of cloud deployment model.” 66

Cloud Computing Use Case Discussion Group

To put it in a nutshell: A safe car does not necessarily mean a safe drive!

62 Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, 15.
63 cf. Zittrain, The future of the Internet and how to stop it, 1.
64 cf. Reese, Cloud application architectures, 63-64.
65 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy, 10.
66 Cloud Computing Use Case Discussion Group, “Cloud Computing Use Cases White paper - Version 3.0,” 43.

Cloud Computing Enablers And Trends

Besides the already mentioned key technologies and concepts on which cloud computing is based, other aspects should be mentioned: the ability to connect clouds, virtualization, open source software and community, and additionally the technologies from which cloud computing has borrowed its flexible, modular, interconnected nature, namely service orientation and grid computing.

Connecting Clouds

Connecting clouds brings the benefit of easily connecting applications. It requires suitable Application Programming Interfaces (APIs). APIs enable cloud applications and services to communicate in the background whilst remaining invisible to the user. For example, it is possible to connect a SaaS address database application with a SaaS accounting database in order to implement a seamless workflow between the two programs. APIs do not exist exclusively in the cloud computing world, but an industry consensus in favour of common, open, standardized APIs is becoming apparent. 67 68 Open standards are also important for the “emerging service model definitions associated with cloud service brokers, those providers that offer intermediation, monitoring, transformation/portability, governance, provisioning, and integration services and negotiate relationships between various cloud providers and consumers.” 69

Open Standards and Open Source Community

The call for open standards concerns all areas where closed, proprietary solutions can cause incompatible capabilities and interfaces for consumers. Utility computing and proprietary software are not a good match. The fundamental call for open standards is also justified by the fact that the dominant software stacks used in cloud environments are free open source software. 70 71

“Open source software is defined as computer software that is governed by a software license in the public domain, or that meets the definition of open source, which allows users to use, change, and improve the software. The flexibility to alter the source code is essential to allow for continued growth in the cloud solution. Open source software is the foundation of the cloud solution and is critical to its continued growth.” 72

George Reese, enStratus

In the meantime, open standards are becoming crucial for enterprise solutions and, to a certain point, important for enterprise customers in order to maintain their employer credibility and competitiveness on the human resources market. The reason is that “open source technologies tend to attract large and vibrant communities and ecosystems around them, with one result being a variety of products and services tailored for enterprise use. So if an enterprise is not happy with the service or support it is receiving from one vendor, it can turn to a different vendor for that service and support – and if all else fails, it has ready access to the source code and the communities that created and maintain it.” 73 74

67 cf. Velte, Velte, and Elsenpeter, Cloud Computing: A Practical Approach, 120-122.
68 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” 19.
69 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 16.
70 Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, 19.
71 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 16.
72 Reese, Cloud application architectures, 27.
73 Sun Microsystems, Inc., “Open Source & Cloud Computing: On-Demand, Innovative IT On A Massive Scale,” 5-6.
74 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy, 6-8.


Service Orientation

Generally, regarding all five essential characteristics, three service models and four deployment models, NIST also adds: “Cloud software takes full advantage of the cloud paradigm by being service-oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability.” 75 In this context, service-oriented means that the cloud applications are composed of independent, interoperable, loosely coupled, discrete services that are connected via standardized interfaces. Such services are stateless if a parallel running service from the same source can be reused without interrupting the other service. Statelessness as well as low coupling and modularity are embodied in cloud software if Service-oriented Architecture (SOA) is used, which is commonly the case. Semantic interoperability extends compatibility by intelligent, contextually selective allocation of and in between services. NIST's affirmation of the fully structured architecture of SOA, or of similar service-oriented architectures or web services, enables an almost borderless freedom of service execution. 76 77

This freedom of service execution is exactly what SOA was intended for. Its emergence was technically influenced by Object-oriented Programming (OOP), which already came along with characteristics like abstraction, encapsulation and modularity, and by the Object Engineering Process (OEP), which models business requirements (for example with Unified Modeling Language) into a blueprint for software developers. This combination has been an important step towards bridging the gap between business and technology and corresponds with the nature of SOA and, as a consequence, of cloud computing. 78 79

75 Mell and Grance, “The NIST Definition of Cloud Computing v15,” 2.
76 cf. Fingar, Dot.cloud: The 21st Century Business Platform, 43.
77 cf. Ibid., 55-57.
78 Stantchev and Schroepfer, 2009, in a collected edition of Abdennadher, Advances in Grid and Pervasive Computing: 4th International Conference, GPC 2009, 25.
79 cf. Oestereich, Analyse und Design mit UML 2: Objektorientierte Softwareentwicklung, 21-24.

Grid Computing

There would be no cloud computing without the world wide web. The word web is an abbreviation of network. Sun Microsystems (SUN) has been one of the companies that pushed the development of linking networks the most. Its chief researcher John Gage mentioned in 1984 that the network is the computer. Back then, he did not foresee the internet or cloud computing, but he already realized that computer infrastructure and data do not necessarily need to be tied together and that comprehensive networks can lead to better collective results. Some years later, in the early 1990s, the term grid computing was introduced by analogy with the power grid. The idea was simply that computing becomes a utility, the same as electricity, consumable at every place where there is a network. Such distributed computing calls for the decoupling of location, data, network connection and processing power hardware. Several computers can share one task; it does not matter where they stand, they just need to be connected by a network. Comparably, virtualization follows a similar approach; the hardware layer is abstracted from the software layer. The concept is just the other way around: in grid computing, many computers share the execution of one piece of software, while virtualization makes it possible to run several pieces of software on one or more hardware devices. Cloud computing would not have made such a strong impact without virtualization and is also inseparable from the distributed network approach of grid computing. 80 81 82

Significance: Defining Cloud Computing

For startups, entrepreneurs and small companies, the following aspects of cloud computing regarding its characteristics and technology may be of special interest:

- Cloud computing as utility computing facilitates the use of sophisticated information systems
- Ready to use applications without the need for infrastructure
- Rapid provisioning lowers go-to-market lead time
- Possibility to inter-connect (via API) different SaaS applications in order to establish comprehensive workflows

80 cf. Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security, 21-22.
81 cf. Fingar, Dot.cloud: The 21st Century Business Platform, 25-27.
82 cf. Stanoevska-Slabeva, Grid and Cloud Computing: A Business Perspective on Technology and Applications, 5.


Political Implications And Standardization

The internet is a global phenomenon – the information society is becoming reality. Global solutions are needed to address issues which the information society is facing and open standards are what cloud computing is in need of. Global solutions may offer new markets and significant opportunities for startups and young entrepreneurs on all continents. However, the political conditions and global standardization efforts must be understood in order to get an indication of the future of the information society and its most important “tools”, such as cloud computing.

Understanding Global Governance To Enable Global Business Opportunities

In the field of Information and Communication Technology (ICT), the executive United Nations (UN) agency International Telecommunication Union (ITU) has the paramount responsibility. Its vision is to bring the ICT benefits to all the citizens of the world by assisting the governments and the private sector of UN member countries in mobilizing the necessary technical, financial and human resources. 83 In 2002, the former UN Secretary-General Kofi Annan initiated the World Summit on the Information Society (WSIS) to involve all stakeholders, individual privacy activists as well as business organisations, and mentioned later on: “What do we mean by an information society? We mean one in which human capacity is expanded, built up, nourished and liberated, by giving people access to the tools and technologies they need, with the education and training to use them effectively.” 84

WSIS has been created to find multinational answers to the challenges of the information society. A focus point of its work is bridging the digital divide between western countries and developing countries. WSIS measures indicators of its UN member countries regarding the development state of their ICT infrastructure and how ready the population is to use it. WSIS deduces implications about the design of action plans, about how to govern the internet and about which financial mechanisms to use to create a sustainable incentive system. In 2006, WSIS created two executive institutions that should help it to reach its goals: first, the UN Group on the Information Society (UNGIS), which coordinates with the relevant UN bodies and organizations such as the World Bank, the International Monetary Fund (IMF) or the World Trade Organization (WTO), and second, the Internet Governance Forum (IGF), which should solve substantive and policy issues. 85 86

83 Lips, 2006, in a collected edition of Koops et al., Starting points for ICT regulation: Deconstructing prevalent policy one-liners, 41-46.
84 Annan, 2005, cited by Hayden, Thompson, and Levy, The SAGE handbook of research in international education, 206.

The findings of WSIS give a consolidated overview of the status quo of the global information society. They are valid for developed and developing countries alike, although the bigger part of the programs is conducted in developing countries. Developing countries offer relatively higher growth opportunities than developed countries – a convenient initial position in the eyes of startups and entrepreneurs from all over the world. 87

Listed below are itemized excerpts that resulted from the efforts of WSIS and its affiliated organisations. They were chosen by the author of this thesis according to characteristics that may be of interest for small and startup companies. As cloud computing is a relatively new generic term that contains existing technologies and challenges of the information society with its underlying ICT, cloud computing was not introduced into the terminology of WSIS before 2009. The main topics are, firstly, ICT access and use, secondly, the broadband divide, thirdly, availability of local content and, fourthly, data privacy. Each main topic is followed by a critical appraisal from the information systems perspective with particular attention to cloud computing: 88

1. ICT access and use: “In many respects, the digital divide continued to narrow in 2008. An important milestone in the progress towards a global information society has now been reached: over half the world’s population has obtained at least some level of connectivity. In addition, 80–90 per cent of the world’s population now lives within range of a cellular network, double the level in 2000. […] One of the benefits to emerge from mobile telephony has been the versatility of short message services (SMSs), which are used for increasingly innovative purposes, including financial transactions, market price updates, news transmission, emergency alerts and other important functions. […] At the end of 2008, half of the world’s Internet users were in developing countries, especially in Asia. Regionally, Africa and the Middle East are experiencing the fastest mobile and Internet growth. […] Large disparities in terms of penetration and affordability still exist, both across and within countries and regions […] the digital divide debate is increasingly shifting away from measurements of basic connectivity to issues of speed (bandwidth)” 89

85 cf. Doria and Kleinwächter, 2009, co-authored by Cerf et al., Internet Governance Forum (IGF): The First Two Years, 7.
86 cf. International Telecommunication Union (ITU), 2007, on behalf of Touré and Panitchpakdi, World Information Society Report 2007 - Beyond WSIS, 13.
87 cf. World Bank Publications, Information and Communications for Development 2009: Extending Reach and Increasing Impact, 45.
88 cf. Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society outcomes at the Regional and International Levels - Report of the Secretary-General, 3-6.
89 Ibid., 3-4.


The formula is simple: without ICT equipment, business development is difficult. The continually growing proportion of the world's population with access to communication instruments is good to know for entrepreneurs. Seen globally, it leads to millions of new potential customers every year. 90 Still, there is a long way to go. Developed countries have one hundred times more secure servers compared to developing countries. Reliable information systems and especially secure e-commerce platforms are required to enable online business. A benefit of using cloud computing is that all that is required is a browser that supports encryption, for example Firefox, which is freely available. 91 92 93

Adding to the circumstances is the fact that many people in developing countries use mobile technology, including for financial transactions. With this background in mind, it is foreseeable that if they acquire up-to-date equipment, there will be fewer constraints regarding the usage of new technologies compared to developed countries. In contrast to developing countries, IT departments in developed countries have built up structures and gained conceptual experience over a period of decades. For them, it is possibly more “emotionally challenging” to let their data be managed by a cloud computing provider than for an entrepreneur in a developing country who until a year ago was doing financial transactions solely via SMS or not at all and now has the chance to use sophisticated cloud computing applications. 94 Cloud computing could give companies in developing countries the chance to compete with companies in developed countries on an equal footing. Cooperation is also an option due to the fast development of social networks, which now cover most aspects of business. These competitive improvements and possible cooperations could lead to solid economic growth in the developed countries, which is necessary to reduce poverty and to build up a stable civil society. Initiatives such as the $100 One Laptop per Child (OLPC) have had positive effects on the ground in developing countries and also helped western society to recognize the need of developing countries for ICT infrastructure and education. It was even an initiator for the now very popular netbooks. 95

90 cf. World Bank Publications, Information and Communications for Development 2009: Extending Reach and Increasing Impact, 3.
91 cf. Ibid., 130-131.
92 cf. Zittrain, The future of the Internet and how to stop it, 235-237.
93 cf. Cohen, “The United Nations of Cloud Computing.”
94 cf. World Bank Publications, Information and Communications for Development 2009: Extending Reach and Increasing Impact, 131.
95 cf. Subramanian, “Cloud Computing and Developing Countries – Part 2.”

2. The broadband divide: “In spite of the remarkable progress achieved by developing countries in deploying ICT and bridging the digital divide, they remain at a disadvantage in terms of broadband coverage […] with Africa accounting for less than 1 per cent. The “digital divide” is therefore giving way to the “broadband divide” […] The slow response discourages or even prevents people from using applications that would improve efficiency and enhance productivity […] The United Nations system and other partners – including Governments, civil society and the private sector – are focusing on broadband issues as part of their efforts to assist developing countries achieve WSIS targets and meet the Millennium Development Goals.” 96

Awareness of the importance of broadband requires honest, forceful efforts from both the governments, which pave the way with regulations and an investor-friendly environment, and the private sector, which should take the risk of investing in these yet-to-be-developed markets. If basic broadband infrastructure becomes available everywhere around the world, it will be a logical consequence that the bandwidth will be used with modern business tools as well. It will be up to the startups, SMBs and entrepreneurs in these developing countries whether they prefer to use cloud computing information systems or to wait until they can afford to build their own data centers. 97 98

3. Availability of local content: “From the perspective of making ICT available to all, the lack of local content on the Internet and other forms of ICTs (such as mobile devices) is of growing concern […] Locally produced content can help empower the poor by e.g. providing them with online learning facilities, creating new business opportunities; improving access to agricultural market information and weather forecasts […] If the profitability of firms depends on the willingness among the poor segments of society to pay for local content, it is plausible that the private sector alone cannot create the right market conditions to fill this gap […] It would be useful to make an inventory of best policy practices aimed at advancing local content.” 99

Advanced information systems offer at least partial content management functionality with multi-language support. Content Management Systems (CMS) can be connected via API with mashup services that integrate content such as news, maps or market information into one localized, user-friendly web platform. Such localized services can be especially interesting for startups to fill a local market niche. The required web 2.0 technology is widely available for free and does not necessarily require cloud computing. 100 101

96 Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society outcomes at the Regional and International Levels - Report of the Secretary-General, 4.
97 cf. Subramanian, “Cloud Computing and Developing Countries – Part 2.”
98 cf. Ibid.
99 Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society outcomes at the Regional and International Levels - Report of the Secretary-General, 4-5.
100 cf. Knipp et al., Creating Cloud Solutions: A Decision Framework, 10.
101 cf. Vembu, “Startup in the Cloud - Consulting Experts - Interview with Sridhar Vembu from Zoho Corp. about Innovation,” col. 4.


4. Data privacy: In the recent past, privacy has become one of the central themes of the emerging information society, not least in the light of the expanded role of search engines on the Web and of the fast spread of social networking services […] There is also a perceived threat to the personal integrity of users from entrusting too much personal information in the hands of large corporations (e.g. Yahoo, Google, Facebook, MySpace […] Trans-border data flows have the ability to circumvent national laws […] The main purpose of data protection legislation is to ensure that personal data are not processed without the knowledge and, except in certain cases, consent of the data subject […] These trends may suggest a need for more effective and up-to-date public policies and regulations at the international, regional, national and local levels. Cyber security and inadequate data privacy solutions are dealt with differently by countries with dissimilar priorities, challenges and levels of development. Many different national approaches have surfaced, but a global response to this truly global problem is yet to emerge.

While the main topics number one (ibid. ICT access and use) and two (ibid. the broadband divide) can be attributed to the lack of availability of up-to-date ICT equipment in developing countries, the main topic number four (ibid. data privacy) is a problem that directly affects every country. Compromises in privacy and security result firstly from lacking legal frameworks on the global and national level and secondly from the lack of standardization. Provided that the international society truly gets involved and makes an effort for these four WSIS goals, it could lead slowly but surely to millions of new internet users all over the world. Many of them will do business and will need modern information systems. By using information systems based on cloud computing, they will have the chance to use up-to-date applications without first having to build up their own infrastructure or have it built up by an outsourcing provider. That can be an interesting prospect for startups and companies in underdeveloped countries, but equally for startups and innovative companies in developed countries who are willing to take the risk. 102

Activities On Continental Level

Global data flows need harmonized approaches to facilitate cloud computing operations, which requires consensual cooperation on regulations and standards. International organizations can help to achieve this consensus by providing an exchange of information, education and concrete help in developing countries, but basically it is at the liberty of every independent country to set legal standards that cover cloud computing. As most countries have different regulations, even within the European Union, it is difficult to state what needs to be changed in which country. A study conducted by information policy scientist Paul T. Jaeger about cloud computing and information policy has summarized the most crucial points that lawmakers and politicians should be aware of and try to improve. 103

• Basic thresholds for reliability
• Assignment of liability for loss or other violation of the data
• Expectations for data security
• Protections of privacy
• Any potential expectations for anonymity
• Access and usage rights
• International standardization to promote transborder data flows in clouds

There is obviously a difference between these points and the goals (ibid.: 1. ICT access and use, 2. The broadband divide, 3. Availability of local content, 4. Data privacy) from the WSIS (ibid.). Jaeger's points correspond only with 4. Data privacy. The reason is simply that WSIS is intended for the international community including developing countries, while Jaeger's points are intended for the national level in developed countries. The following chapters provide a glimpse of the situation by presenting extracts of current cloud computing discussions in the United States (U.S.), Asia and Europe (EU). The focus lies on the cross-national exchange of data, as it is there that cloud computing, because of its distributed nature, offers particularly many points open to attack. 104

United States

To a certain extent most things concerning cloud computing are happening in the United States or in collaboration with U.S. institutions such as NIST (ibid. Computer Security Division of the US National Institute of Standards and Technology) or companies such as Amazon, Salesforce, Google or IBM. The United States are an intellectual and technological leader in the field of cloud computing. Therefore, by understanding what is happening politically and legally in the United States concerning open clouds and cross-country data exchange, one can draw conclusions about the status quo on a worldwide level and conceive future implications. It may be interesting to look ahead to where U.S. visionaries and information society lobbyists want to lead their government, as this opinion-forming process will have an impact on future directions on a worldwide level. 105 106

102 cf. Lucas, Progress made in the Implementation of and Follow-up to the World Summit on the Information Society outcomes at the Regional and International Levels - Report of the Secretary-General, 3-6.
103 cf. Jaeger, Lin, and Grimes, “Cloud Computing and Information Policy: Computing in a Policy Cloud?,” 280-281.
104 cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, 15.

The influential non-profit organisation Aspen Institute Communications and Society Program repeatedly composes a memo to every new U.S. president with calls on how to affect the policies in favour of a sustainable society. The 2009 edition, intended for Barack Obama or John McCain, the future president having not been decided by then, focused on policy proposals and general advice on Information Technology (IT). The proposals and advice are U.S.-centered, but as the economy of the United States is still by far the biggest and the innovation capabilities of its scientific institutes and companies still world-leading, especially in the IT field, it can be of interest for the global society to see what the focus of engagement is. 107 108 109 Number six of the six policy proposals (1. Formulate an identity agenda, 2. Mend the Patriot Act, 3. Retraining and immigration reform, 4. Modernize the grid, 5. Deploy world-class broadband, 6. Support an open cloud) is explicitly calling for an open cloud: “Support an open cloud. Traditional notions that governments should hoard data within their borders is an outdated notion with the advent of the global cloud economy. We need to pursue architectures that allow individuals, companies and governments to plug into the best resources on the planet, regardless of where they are located.” 110 One aspect of the open cloud is the dominance of the United States regarding the global management and assignment of top-level domain names and IP addresses. This is still under control of the non-profit organization Internet Corporation for Assigned Names and Numbers (ICANN) which acts on behalf of the U.S. government. The international voices are getting louder that this unilateral control of ICANN by a single government should be replaced by an international independent institution. 
Whereas there is a consensus about this topic, there is still a big controversy ongoing about how much influence the governments should have with regard to national policy issues. However, the Aspen Institute, to give an example, put its money on the catalyzing effect of the fast changing global information society that will in the long run pull down national hegemonial ambitions. 111

105 cf. World Bank Publications, Information and Communications for Development 2009: Extending Reach and Increasing Impact, 137.
106 cf. Jaeger, Lin, and Grimes, “Cloud Computing and Information Policy: Computing in a Policy Cloud?,” 280.
107 cf. Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and Social Interaction, 72-77.
108 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 72-73.
109 cf. O'Halloran, Charity Law Social Policy: National and International Perspectives on the Functions of the Law relating to Charities, 315; 577.
110 Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and Social Interaction, 74.


Cloud computing is given an important role because “the cloud will usher in a seismic shift in the locus of control in our culture, and it will have ripple effects in all walks of life – energy, the environment, national security, learning, health care, business processes, emerging markets and much more. The cloud is about open access, rapid delivery of services, the ability to scale quickly and the power of networks. Ultimately, though, the cloud story is not just about computing, communication or information but about empowering citizens.” 112 These statements – the conversion from top-down to bottom-up power – are radical in nature but vague in regard to what will happen concretely. Nonetheless, this expected shift towards more democratized access to high-tech resources, true globalization and commercial opportunities that are more independent of company size sounds definitely promising to young people with entrepreneurial spirit, startups and small companies.

Asia

The Asia-Pacific Economic Cooperation (APEC) is the leading free trade forum in Asia. It is encouraging its member nations to improve ICT and e-commerce. The focus lies on supranational collaboration, but without ceding laws and sovereignty to other members, as they are reluctant to do so. While Cross Border Privacy Rules are discussed in privacy-related legislative working groups, cloud computing is not yet a big topic. APEC has an Electronic Commerce Steering Group which started discussions about cloud computing with OECD and UN organisations in 2009, but it has not yet resulted in concrete actions or publicly accessible documents. APEC does not purely represent Asia, as it includes countries from South America, the United States and Canada, which naturally also belong to the Asia-Pacific area. On the other hand, the members of the Association of Southeast Asian Nations (ASEAN) are purely Asian countries.
ASEAN has enlarged its association to become the ASEAN Free Trade Area (AFTA), which also includes China and Japan. Cloud computing is not yet on the public roadmap. 113 114 115

The fact that supranational Asian efforts are almost absent should not hide the fact that cloud computing is booming in countries like China, Korea and Japan. A survey of 400 Asian developers conducted by the Evans Data Corporation (EDC) has shown that 11.3 percent of them are already developing on cloud services. Interestingly, the public cloud deployment model is the most likely type of implementation, which EDC derives from the lower average age of Asian developers compared to their western counterparts. Especially China, with its immense backlog demand for sophisticated information systems and ICT infrastructure, could become a very interesting market, not only for Western and Indian cloud computing service providers, but also for entrepreneurs in China to work in their huge domestic market and abroad, as well as to follow in the footsteps of the Indian IT services industry. 116 117

111 Discussion panel "Critical Internet Resources" hosted by Aguiar, 2009, co-authored by Cerf et al., Internet Governance Forum (IGF): The First Two Years, 227-228.
112 Aspen Institute Roundtable 2009 consisting of Firestone, Coleman, Brown, Lysyanskaya, Dyson, Clippinger, Taipale, Bregman, Hynes, Burton, Artom, Gupta, Rotenberg, Pearson, Dyson, Dachis, Mancini, reported by Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and Social Interaction, 77.
113 cf. Pearson and Charlesworth, 2009, edited by Koops et al., Starting points for ICT regulation: Deconstructing prevalent policy one-liners, 133.
114 cf. Bourassa, “20th APEC Electronic Commerce Steering Group Meeting,” 7.
115 cf. Hunton & Williams LLP, “APEC Forum Discusses International Privacy Legislation Developments.”

Europe

The European Network and Information Security Agency (ENISA), a sub-organisation of the European Union, suggests that “if the cloud provider is in a country outside the European Economic Area and that country does not offer an adequate level of data protection, it is advisable to have in place procedures in accordance with […] Standard Contractual Clauses or Safe Harbor Principles - if the data are transferred to the United States and the cloud provider participates in such a programme [...] however, it has to be stressed that the transfer of data within the territory of Member States is not without problems. Indeed, despite the fact that personal data can freely circulate within Member States, the laws are not consistent across countries. This inconsistency may create obvious difficulties in compliance and thus liability issues. We recommend that the European Commission take steps towards the standardization of minimum data protection requirements in Europe. This is particularly important in the light of the fact that the Data Protection Directive is currently under revision. Moreover, a data protection certification scheme based on minimum data protection standards, which are common across the Member States, may be extremely useful.” 118 The statement of ENISA shows that even within Europe the situation is not entirely solved.
It is not clear under which jurisdiction cross-country data flows fall and what the result of the Data Protection Directive currently under revision will be. Some relief of the strain between the European Union and the United States was brought by the EU Safe Harbor Principles. They underpin the data privacy of EU-based customers who have put their data on U.S. systems. Concretely, they are no longer exposed to the USA PATRIOT Act (acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 – this law had been implemented by George W. Bush after the 9/11 attack), which basically provides the U.S. government full insight into data which it classifies as suspect. Admittedly, the EU Safe Harbor Principles are only valid if the cloud service provider supports them. That can be seen as fair from the view of the customer, but it is a burden for the cloud provider, who constantly must make sure in which country the data is effectively stored and therefore has to obey different jurisdictions. This is difficult to manage, weakens the flourishing of the free services market and is generally no longer suited to this day and age of the internet society. 119 120

The Council of Europe focuses rather on the hazard potential and wishes for law enforcement regarding cloud computing. “We need to have access to traffic data, need subscriber information, and experience shows us that such information helps us to prosecute criminals and bring them to court […] we have international cooperation and we can take urgent measures to assure the safety of data in other countries. If a person's data is stored in another country there is probably a lower level of protection of rights. We need to give law enforcement the tools to protect us from cybercrime.” 121

The European Commission criticizes the lack of standardization within the heterogeneity of the European Union, but also within the other continents. It acknowledges the United States to be the world leader in cloud computing and advocates a globalized open cloud market without offering concrete solutions on how to adjust the regulations to ease transnational data flows. 122 123

116 cf. Cohen, “The Future of Cloud Computing Belongs to Asia.”
117 Schindler (EDC), 2009, "APAC Development Survey 2009 v2", cited by Taft, “Asian Developers Moving to Cloud Computing.”
118 Catteddu and Hogben, Cloud Computing: Benefits, Risks and Recommendations for Information Security, 106.

Finally, the OECD (ibid.) is currently calling upon governments to ensure that new laws and regulations are future-proof in such a way that they will not limit the potential of cloud computing. It grants governments an important role in fostering standards, especially regarding service-level management and interaction. It also mentions the important role of public procurement by referring to the example of the government of Washington D.C., which has switched thousands of workstations to using cloud computing applications. 124 Notably, the cloud computing provider at Washington D.C. is Google Apps, which fits the following statement from the OECD, which recommends to “use the power of the purse in their IT procurement policies, governments can push companies to find consensus on the key Cloud standards.” 125

119 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 35.
120 Jaeger, Lin, and Grimes, “Cloud Computing and Information Policy: Computing in a Policy Cloud?,” 280.
121 Seger, representative of Council of Europe, 2009, cited by Anderson et al., “Workshop: Privacy, Security Implications of Cloud Computing.”
122 cf. Schubert, Jeffery, and Neidecker-Lutz, “The Future of Cloud Computing: Opportunities for European Cloud Computing Beyond 2010,” 57.
123 Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, 15.
124 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy, 11.
125 Ibid.


Standardization

Stable legal frameworks that cover cloud computing are required, but experience shows that legislation takes its time. The international community and the national legislative bodies, especially politicians, are not yet advanced in expatiating upon the specific characteristics of cloud computing. As a result they will not decide unless the decision base is clear. Regarding cloud computing, internationally recognized standards are a conducive factor. 126

ISO standard for cloud computing

On the international level, the non-profit International Organization for Standardization (ISO) is a leading standardization organisation with 165 countries as members. It defines industrial and commercial standards (for example the ISO 9001 quality standard), which are accepted worldwide. In the field of information technology, ISO is closely cooperating with the non-profit International Electrotechnical Commission (IEC), which focuses on electronics. In 1987 they formed a Joint Technical Committee known as the ISO/IEC JTC1. They combined their forces to enable a symbiosis of their business organisation background (ISO) and their technology background (IEC) in order to establish a standardization instance that covers computing and by degrees also internet-related aspects and especially information systems. 127 In 2000, ISO and IEC expanded their circle by signing a Memorandum of Understanding on electronic business (MoU) with the UN/ECE (United Nations Economic Commission for Europe) whose purpose is “to minimize the risk of divergent and competitive approaches to standardization, avoid duplication of efforts and avoid confusion amongst users [...]
the MoU will also provide greater intersectoral coherence in the field of electronic business, an important step considering the uptake of e-commerce.” 128 In October 2009 these joint forces drafted the report Report of JTC 1/SWG-P on possible future work on Cloud Computing in JTC 1 - ISO/IEC JTC 1 N9687 in order to start the process for a new ISO norm. The process has started with the just-mentioned proposal stage, followed by the preparatory, committee, enquiry and approval stages, and will finally lead one day to the publication stage as a new ISO and/or IEC norm on cloud computing. Furthermore, reputable sources have announced that ISO/IEC JTC1 is about to intensify its efforts, having formed a new subcommittee (SC) in November 2009 which will contain working groups for service-oriented architecture (SOA) and web services as well as a study group for standardization of cloud computing. 129 130

126 cf. Ibid.
127 cf. Copenhagen University College of Engineering, “JTC1/SC22/WG9 - Welcome to the ISO home of Ada Standards.”
128 Houlin Zhao 2000, cited by International Telecommunication Union (ITU), “ITU Telecommunication Standardization Sector (ITU-T) - MoU on electronic business between IEC, ISO, ITU, and UN/ECE.”

Overlapping Competencies

ICANN (ibid.) is the guardian of a fully functional internet and therefore has a high interest in a flourishing development of cloud computing. However, there are frictions between ICANN and the ITU (ibid.), or respectively its multistakeholder forum IGF (ibid.), about the hegemony in internet governance. Subramaniam Ramadorai, chairman of one of India's leading software manufacturers and president of the Business Action to Support the Information Society (BASIS), which is an initiative of the International Chamber of Commerce (ICC), explained why: “One of the schisms that came to light during an Internet Governance Forum meeting was that between ICANN and the ITU. Some have seen this as emblematic of the clash between traditional United Nations culture (a largely government-to-government formal process) and Internet culture (where a range of actors meet as peers) [...] ICANN includes all relevant stakeholders, but it deals with a specific agenda linked to ICANN’s role in the management and technical coordination of the Internet’s domain name system.” 131 It is indeed questionable whether ICANN can have a leading role in cloud computing, as it is specialized only in managing the domain name system of the world wide web. For the record, Ramadorai answered what he had put on the table: “Only the IGF offers a truly multistakeholder discussion forum where all members are on an equal footing, by form and by definition. It is the only global-level space for discussions that cover the breadth and depth of Internet governance policy issues.
The IGF offers a vital place to discuss Internet governance issues from infrastructure and access to the free flow of information and security matters.” 132

129 cf. Joint Technical Committee 1, Report of JTC 1/SWG-P on possible future work on Cloud Computing in JTC 1 ISO/IEC JTC 1 N9687.
130 cf. Cohen, “ISO Forms Group for Cloud Computing Standards.”
131 Ramadorai, 2009, co-authored by Cerf et al., Internet Governance Forum (IGF): The First Two Years, 31.
132 Ramadorai, 2009, co-authored by Ibid.

Bottom-up Standardization

Whether IGF or ICANN feels more responsible for the development of cloud computing is maybe not a crucial question. As a matter of fact, international governance, national legislation, research institutes, politicians, all kinds of initiatives and many standardization organisations are partly covering cloud computing and its issues. Unfortunately, there are many issues, for example transborder data flows, which are not yet solved in spite of the multistakeholder approach. One could be tempted to say that an ant on the move does more than a dozing ox, but that would leave out the fact that legislation and standardization are always lengthy processes because they require international compromises. 133

However, internationally seen, there is a wide range of people, companies and non-profit organisations that are not willing to wait until the international governance, the national legislations and the highly-accredited standardization organisations have solved all issues. The cloud computing market is booming and has led to acknowledged quasi-standards, and since cloud computing is a combination of existing technologies, a lot of the standardization work has already been done. Furthermore, industrial demand, so-called cloud communities and the open source community that develops fundamental software are stakeholders that drive the development of cloud computing in the form of iterative processes. Sridhar Vembu, founder of ZOHO, a leading online office suite based on cloud computing, describes the development as an innovation circle using the example of open source software: “There have been major advances in open source distributed file systems and databases in recent years, spurred by cloud computing. Javascript frameworks like jQuery have enabled major advances in client functionality. Open source and cloud applications have worked in a virtuous cycle of innovation, and adoption.” 134

Significance: Political Implications And Standardization

“Many of the public policy issues, including privacy, access, and copyright protection, raised by Cloud computing are similar to Internet policy issues that governments have been struggling with for at least fifteen years.” 135
Michael R. Nelson, Georgetown University and OECD

Nelson's comparison of cloud computing suggests itself – cloud computing offers many advantages and will probably not be stopped by political and legal issues; it will just be slowed by the lack of standardization and by hundreds of millions of world citizens who do not yet have suitable internet access and devices. The following list summarizes the findings of Political Implications and Standardization, itemized by developing countries, developed countries and outlook.

133 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy, 11.
134 Vembu, “Startup in the Cloud - Consulting Experts - Interview with Sridhar Vembu from Zoho Corp. about Innovation,” col. 6.
135 Nelson, Briefing Paper on Cloud Computing and Public Policy, 11.


Developing countries:
• ICT and cloud computing are needed and offer an immense potential for the people and for cloud service suppliers
• Many entrepreneurs will for the first time have the chance to use sophisticated information systems thanks to cloud computing
• Lack of broadband access is a fundamental problem
• Mobile internet can be a favourable solution even though specialized cloud applications are required

Developed countries:
• Mainly data privacy issues due to laws and regulations that are not yet adjusted to the emerging reality of information society and cloud computing
• Transborder (cross-national) data flows are a key issue
• The cloud in 2010 is U.S.-centric but other countries will increase their efforts

Outlook – Expected trends:
• Solving these legal issues will take many years
• These legal issues will not hinder cloud computing in quickly gaining market shares
• Standardization will lower costs and improve innovation
• The call for open clouds will increase
• Empowering citizens: More democratized access to high-tech resources will facilitate true globalization. Radical paradigm shift from top-down to bottom-up thanks to open access, rapid delivery of services, the ability to scale quickly and the power of networks

Not for the first time in human history have legislation and formal organisations been overtaken by the market reality. There is no way back; cloud computing will be setting various standards by all means and can no longer be called a marketing ephemera. Cloud computing has an immense potential for startups, small businesses and entrepreneurs as such and for the information society as a whole. 136

136 Ellison, 2008, reported by Johnson, cited by Wyld and IBM Center for the Business of Government, Moving to the Cloud: An introduction to Cloud Computing in Government, 11.


For startups, entrepreneurs and small companies, the following aspects of cloud computing regarding its political dimensions and standardization efforts may be of special interest:
• Along with cloud computing, globalization will further increase and with it global business opportunities
• Cloud computing will become accepted because it is politically desired and the standardization efforts are steadily advancing
• Entrepreneurs in developing countries should campaign for more broadband internet connections


Market, Economics And Trends

“The cloud represents the reinvention of commerce...the control point has shifted so that suddenly commerce and communication are end to end, with no regard to borders.” 137 William Coleman, Aspen Institute Roundtable

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. The computer industry is the only industry that is more fashion-driven than women’s fashion. Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?” 138 Larry Ellison, Oracle

“Cloud computing is nothing new. All of these technologies have existed for quite some time. That's like saying the iPhone is nothing new because all the technologies existed prior to its arrival. For an innovative company like Apple, it's great that their competitors lack such imagination, as it leaves the field wide open.” 139 Ray DePena, Los Rios Community College

“We don't know where the data is in cloud computing, and it does not matter because it's much cheaper, it's more efficient and it can be accessed from anywhere.” 140 Laurent Bernat, OECD

137 Coleman, 2009, edited by Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and Social Interaction, 71.
138 Ellison, 2008, reported by Johnson, cited by Wyld and IBM Center for the Business of Government, Moving to the Cloud: An introduction to Cloud Computing in Government, 11.
139 Depena, “The Beauty of the Cloud.”
140 Bernat, 2009, edited by Anderson et al., “Workshop: Privacy, Security Implications of Cloud Computing.”


Whatever one thinks of cloud computing, the fact is that a large part of the internet society is already using cloud computing in the form of online software, probably without being aware of it. Examples are Google's Gmail with its online collaboration office suite Google Docs, Facebook, or the photo sharing application Flickr from Yahoo. 141 However, the main usage area of the above-mentioned examples is the private market, whereas one of the most common reasons to use cloud computing is to assist business operations. The following chapter Market, Economics and Trends focuses on the business-economical aspects of cloud computing, the market as such, areas where cloud computing is not yet a feasible option, as well as trends.

Business Benefits In General

What are the real business benefits of using cloud computing? The Information Systems Audit and Control Association (ISACA), an international association that defines IT governance standards and arranges education and certifications for its almost 100'000 members (typically Information Security Auditors or Chief Information Officers), has pointed out the following business benefits: 142

• Cost containment: Scalability without high upfront capital expenditure
• Immediacy: Provision and utilization of new services and processes within days instead of the months needed for ordering, configuration and operationalizing in traditional IT
• Availability: Due to economies of scale, cloud providers can afford to invest in high-end bandwidth and systems that small companies could not afford
• Scalability: Cloud computing solutions can flexibly react to arising performance or capacity demands and provision them on demand
• Efficiency: Spending less time on operational IT activities
• Resiliency: Better protection against unexpected events as the data is spread across different geographic areas

The degree of benefit that companies realize in reality may differ from case to case. Additionally, others may mention other benefits or effects that are not easily quantifiable, such as improved innovation due to easier setup of Customer-Driven Innovation solutions. 143

141 cf. Fingar, Dot.cloud: The 21st Century Business Platform, 63-64.
142 cf. Spivey et al., “Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives,” 6-7.
143 cf. Fingar, Dot.cloud: The 21st Century Business Platform, 84.


A survey from the European Network and Information Security Agency (ENISA) analyzed which possible business benefits of cloud computing are most tempting to small and medium businesses (often called SME / SMB). Avoiding capital expenditure in hardware, software and IT personnel was named most often. Flexibility and scalability of IT resources was voted second, and business continuity and disaster recovery third. 144 “Cloud computing promises a powerful new platform for innovation. It allows entrepreneurs to develop, deploy, market, and sell cloud applications worldwide without having to invest in expensive IT computing infrastructure.” 145 This definition of the Internet Society is less technical but emphasizes the entrepreneurial aspect of having one's hands free for real business.

Benefits For Startups And Small Companies In Particular

“When a business owner starts up a new business, he wants to set up operation in a scalable, flexible fashion. Building an IT department is a low priority compared to marketing the product, investing in research and development, or securing the next round of funding. In the past, a mature IT infrastructure was a sign that a startup company was ready for an initial public offering (IPO). A company would demonstrate scalability by implementing a robust enterprise resource planning (ERP) solution and hosting it on the premises.” 146

This assessment by Tim Mather, Subra Kumaraswamy and Shahed Latif, recognized authorities in the cloud computing scene, roughly characterizes the situation of startup companies and contrasts it with the so far more mature information systems of bigger enterprises. 147

144 cf. Catteddu and Hogben, An SME perspective on Cloud Computing, 8.
145 Internet Society, Advisory Council (AC) Consultation on Cloud Computing for OECD Foresight Forum October 2009, 1.
146 Mather, Kumaraswamy, and Latif, Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance, 28.
147 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 6; 71.


Illustration c: The various offerings of cloud computing cover different levels of abstraction; the focus on consuming applications by the end user / business man is provided by SaaS. Source: Reproduced according to the original source by LSE Research Online, 2009.

Assuming that the average startup or small business is not an IT company, it is clear that the main interest of this target group is to use, that is to consume, applications, not to develop them. Consumption-ready SaaS applications (see illustration c) are therefore probably the cloud computing service model most used by startups and small businesses. 148

“It also gives smaller businesses access to the same industrial-strength computing systems as large multinational corporations, boosting the competitiveness of small and medium-sized business. By allowing government and business in developing countries to access sophisticated computing platforms without having to make large hardware and software investments or manage complex IT deployments, cloud computing can help jump-start economic development. All that is required to access cloud computing solutions is a browser with broad-band access.” 149

Internet Society

The notion that cloud computing can help small businesses to compete with multinational corporations on equal terms is certainly a promising statement. The positive effects that cloud computing could have in developing countries are highly welcome as well (ibid. chap. Political Implications and Standardization).

148 cf. Briscoe and Marinos, “Community Cloud Computing,” 3.
149 Internet Society, Advisory Council (AC) Consultation on Cloud Computing for OECD Foresight Forum October 2009, 1.


Fundamental Business Economics

| Conventional (on premises) | Cloud Computing |
|---|---|
| Capital expenditure: Hardware; Software licenses; Occupying IT personnel | Operational expenditure: Subscription charges |
| Capacity planning | On demand |
| Contract | Pay as you go |
| Security, Disaster management | Security, Service level agreement |

Table b: Conventional IT concept (old paradigm) compared with the cloud computing model (new paradigm). Source: Own comparison based on literature according to the bibliographic footnotes, 2010.

This table compares fundamental business economic figures between the conventional IT approach, with on-premises implementation of a client/server architecture, and the cloud computing model. Some literature describes the conventional approach as the old paradigm and the cloud computing model as the new paradigm. 150 151 152

Investing in and running one's own IT equipment requires capital expenditure (capex), while using an external cloud service that is offered on a pay-as-you-go basis falls under ongoing operational expenditure (opex). Both capex and opex generate cash flow, but the absolute amounts of cash flow cannot be compared directly. 153

“A payment on a capital good like a server is one of a series - each of which the enterprise is committed to, no matter if the server is being used or not. Once you purchase a capital good, you're stuck with it, as anyone who has purchased a car understands. Even if you're no longer excited about owning it, the finance company still expects its monthly payment.” 154

This commonplace of business economics is especially important regarding the depreciation of equipment once it has been purchased. Depreciation is applied either over the full lifetime or, if the equipment is sold earlier, the accumulated depreciation causes a loss.

150 cf. Thommen, Managementorientierte Betriebswirtschaftslehre, 398-400; 511.
151 cf. Reese, Cloud application architectures, 48; 51-54.
152 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy, 1.
153 cf. Thommen, Managementorientierte Betriebswirtschaftslehre, 511.
154 Golden, “Capex vs. Opex: Most People Miss the Point About Cloud Economics.”


The incurred operational expenditures can be contrasted using the following example: “If you rent a car, you are committed to it only as long as you want to use it -- and once you've paid for that use, you have no further financial obligation. And guess what, pretty much everyone understands that you pay a premium for that flexibility, for example, a rental car costs more per day than the same car would, if purchased. In MBA-speak, there is an option value in that flexibility, for which a premium is paid.” 155

Spreading the costs over time is probably even more crucial for startup companies than for established companies, because startup companies often lack, firstly, enough capital, secondly, enough securities to borrow money and, thirdly, a fixed strategy for protection of investments. Therefore the question of capex vs. opex is a crucial factor for startup companies and is a point in favor of cloud computing. It is possible to use common Total Cost of Ownership (TCO) models to calculate the cost of a cloud computing solution and compare it with a conventional on-premises installation. However, before this is possible, a serious assessment is needed to specify what the true benchmarks for the old and the new solutions are. 156

“Cloud readiness requires viewing current offerings through the lens of a service provider. Cloud vendors offer services with certain defined commitments and associated costs for delivery. If you cannot express existing service capabilities in the same manner, how can a meaningful build vs. buy cost comparison be done?” 157 Jim Damoulakis, CTO of GlassHouse

Cloud Computing In Large Enterprises

Antonio Palacin, director of the international IBM SAP International Competence Center, on the ability of cloud computing solutions regarding business process management: “In specific areas "yes". E.g. simple processes could be hosted in a cloud: eMail, data repositories for backup, etc. In other areas where mission-critical data and access rights are targeted I still do not see how this can be ensured.” 158

Cloud computing, especially public cloud, has obviously not yet achieved full acceptance by large corporations. A similar objection came from Rick Franckowiak, Information Technology Director at Johnson and Johnson, who perhaps spoke for the industry when he stated: “Cloud computing can solve the problem of overtaxed internal resources...but not, at least not yet, for the highest-risk applications involving sensitive data.” 159

155 Ibid.
156 cf. Baun et al., Cloud computing: Web-basierte dynamische IT-Services, 91-93.
157 Goodman, “The CIO’s Guide To Cloud Computing,” 6.
158 Palacin, “Startup in the Cloud - Consulting Experts - Interview with Antonio Palacin from IBM Deutschland GmbH about Simplicity.”

Vishal Sikka, Chief Technical Officer at the ERP vendor SAP, notes: “You have to get it right-and not only from a cost and go-to-market perspective, but from an integrity perspective. For us, it is far more important to roll this out in a controlled way to make sure the customer comfort is there and grows with the software, rather than to go out there and meet some arbitrary definition of some guy's take on cloud computing or SaaS. […] So we will get it right, and we will take our time. Yeah, it took a little bit longer than we thought, but we can afford to.” 160

SAP is the market leader in the business-to-business area for ERP software. Microsoft, on the other hand, is the overall number one software vendor. Microsoft obviously sees the time coming for cloud computing and is extending its Azure cloud offerings. In February 2010 Microsoft announced that it would offer cloud web connectors from its office suite MS Office 2010 to social networks such as Facebook or LinkedIn. Microsoft is obviously focused on the business-to-consumer market, which is more volatile than SAP's enterprise market. One can guess that if Microsoft is pushing cloud computing, this will have an effect on the rest of the market. 161

Variations And Industries

There are many sophisticated information systems with lots of functions for different industries in the market. It is beyond the scope of this thesis to name them here, but even googling the categories reveals an immense diversity: Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Enterprise Relationship Management (ERM), Management Information Systems (MIS), Business Intelligence (BI) and many more. It can be difficult not to lose track, as these terms are not standardized. Vishal Sikka, Chief Technical Officer at the ERP vendor SAP, notes: “I sometimes find it amusing. When vendors call their little salesforce-automation application a "platform", that does actually bother me, as a technologist, to be honest with you.” 162

There are complaints in the market that many vendors have started to market some cloud computing services, but only in a slim entry version without the whole range of functionality. Maybe this entry-level functionality is enough for many startups and small businesses. But the question should be raised why they are not yet porting the full versions to cloud computing as well. This will probably change as the demand for cloud computing services is on the rise, as is the competition between the vendors. Either way, a serious assessment of the business- and service-level requirements is necessary, and it will be a good starting point for supplier research. A possible requirements framework is freely available from the Cloud Security Alliance (see also chap. Evaluation guide). 163 164

Daniel Stadelmann, founder and general manager of wedoit, a company that specializes in IT consolidation projects, identified an obstacle that could slow down the breakthrough of cloud computing. “It is increasingly difficult to find skilled specialists for the consolidation projects we do. I assume this would be even more difficult regarding cloud computing projects.” 165 Daniel Stadelmann, wedoit

159 Franckowiak, 2009, cited by Sansom, “Up in a cloud?,” 15.
160 Wailgum, “SAP CTO Vishal Sikka talks clouds,” 2.
161 cf. Foley, “Microsoft's Azure cloud is officially open for business.”
162 Sikka, 2009, reported by Wailgum, “SAP CTO Vishal Sikka talks clouds,” 2.

163 cf. Hummeltberg, Informationsmanagement, 4.
164 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 20.
165 Stadelmann, “Startup in the Cloud - Consulting Experts - Interview with Daniel Stadelmann from wedoit AG about Industry,” col. 2.


Illustration d: Overview of some cloud offerings assigned to different services/taxonomies. Source: OpenCrowd, 2009

Ever Changing Business Requirements

“The prospects look bright for workers with specialized technical knowledge and strong communications skills [...] as companies are increasingly looking to technology to drive their revenue.” 166

Alfred P. Sloan Foundation

Relationships as a driver

Information technology has expanded the communication channels and, as a result, revolutionized the way we live relationships. Every aspect of our business life is becoming digitalized, relationships as well, as they are literally evolving into digital social networks. Customers have gained more power through globalized access to information on the internet, where they are able to compare suppliers and their products. 167

166 Alfred P. Sloan Foundation, “Information Systems Overview,” 7.
167 Hayes-Weier, “Alternative IT Software is New Reality,” 8-9.


The world has changed into one big market with extreme competition and “To make a difference, the customer must be put in the center of the business activities, just transacting orders is not enough anymore, the relationship of existing and future relationships must be developed and improved.” 168 Reinhold Rapp, German Economic Forum

Many companies are changing their strategies, for example to customer relationship management (CRM) which is “a user-centric marketing- or corporate strategy supported by information- and communication technology with the intention to establish marketing-, sales- and service concepts in a sustainable, profitable and holistic way.” 169 Evangelos Xevelonakis Xenis, Swiss Valuenet

Sophisticated information system solutions align people, processes, and technology to utilize the synergies and to develop and strengthen relationships within the company and outside. 170

Business strategist Peter Fingar explains what it means to open one's eyes and ears by stating: “Newcomers disrupt established industries with business model innovation that not only incorporates their suppliers, and their suppliers' suppliers, but also places their customers at the very center of their business processes – and taps the creative abilities of all employees to meet the ever-changing needs of their customers.” 171

Business models that can cope with the needs of customers and other stakeholders require information systems which can be flexibly adjusted to changing customer requirements and which ensure constant interaction with all stakeholders via different channels, including social networks. The example of the CRM strategy can also be used to highlight the importance of seriously evaluating new information systems, because CRM is a typical IT buzzword that can have many meanings. It can mean the marketing or corporate strategy just mentioned, but it can also mean simple versions of CRM tools which are not much more than an address book with email functionality. There are cloud computing solutions available for both types. Which solution should be chosen depends on the requirements, but if an established small business considers implementing CRM as its core strategy, cloud computing based systems should be included in the assessment as well, because they may be interesting regarding the costs, and some of them offer comprehensive integration with other cloud based online collaboration solutions, adaptors to social networks, business intelligence and more. 172 173

168 Rapp, Customer Relationship Management: Das neue Konzept zur Revolutionierung der Kundenbeziehungen, 43.
169 Xevelonakis, “CRM - Erfolgreiches Kundenbeziehungsmanagement mittels Differenzierungsstrategien,” 6.
170 cf. Information Today, Inc., “What Is CRM?.”
171 Fingar, Dot.cloud: The 21st Century Business Platform, 16.
172 cf. Goldenberg, CRM in Real-time: Empowering Customer Relationships, 138.
173 cf. Biddick, “Why You Need A SaaS Strategy.”


Illustration e: Business Process Spectrum: Information systems need to comply with the soaring demand for relationship and communication. Source: Harrison-Broninski, 2009.

Buyers become sellers

The need for modern information systems that correspond with modern business requirements can go beyond strategies such as CRM. The requirements are ever accelerating: “Putting the customer at the center, and providing customer experiences that delight, drives all the rest. By taking such an outside-in versus inside-out view, such companies are no longer sellers to their customers, they become buyers for their customers, going to the ends of the earth to find the most cost-effective sources of high-quality goods and services to deliver to their customers.” 174

By stating this, Fingar brings in another paradigm shift, underlining that the buyer-seller model will need to be enhanced. The seller becomes the extended arm of the buyer. A popular example is the online retailer Amazon, where customers usually buy books, but can easily change their role and become a seller of books or even furniture. Social network components are built in, such as reviews from other customers or hints like “other customers who bought this book also bought XY”. This makes it possible for Amazon to offer the customer a comprehensive shopping experience with all kinds of information and interaction possibilities that can be of value. To realize such solutions, sophisticated information systems are needed, such as top-notch content management systems, databases, data warehouses, data mining tools and many more, which connect the solution within itself and to the stakeholders and associated supply chains. These systems offer extended functionality but should not be too static, in order to stay flexible regarding changing requirements. Larger enterprises may have all the necessary infrastructure and software, but startups usually do not have them. Such solutions are not cheap either way, but if startups can start by using cloud computing services instead of having to buy and set everything up by themselves, a successful start seems more realistic. 175 176

Human Interaction Management

Information management scientist Keith Harrison-Broninski presented in 2005 the Human Interaction Management (HIM) approach, which focuses on human interaction rather than on task processes. While workflow management is a controlled process with fixed, scripted behavior, and Business Process Management (BPM) is a coordinated process that is suitable for structured, collaborative processes, HIM has contracted processes based on agreements, which are flexible and allow the processing of regular and irregular processes and interactions to be adapted dynamically. HIM follows, not entirely but to a certain point, a bottom-up approach to enable self-regulating abilities. 177

174 Fingar, Dot.cloud: The 21st Century Business Platform, 16.

Illustration f: Human Interaction Management - An Evolution of Process Management. Source: Reproduced according original source by Korhonen, 2006.

HIM supports human work processes, which depend on interaction and are dynamically shaped by the participants. The model takes greater notice of five main features of human working activity: Connection visibility, structured messaging, support for mental work, supportive rather than prescriptive activity management, processes change processes. HIM has four levels of how to turn strategy into action. First, Strategic Control, where the aims and measures for each high-level process are defined. Second, Executive Control, where outline processes consisting of a mixture of roles, interactions and users are defined. Third, Management Control, where the outline processes for initial execution are defined and where an on-going re-definition of the process itself is possible. Finally, fourth, Agreements, which define interactions, deliverables and business rules in a kind of contract that is continually renegotiated during the life of the process. Before a HIM system can be introduced, it is necessary to define the five principles: 178 179 180

1. Team Building: Who has what personality and skills and is involved in which processes. The responsibilities are set according to role objects
2. Communication: Interactions should be traceable
3. Knowledge: The mental effort which is invested in researching, comparing, considering, deciding, and generally turning information into knowledge and ideas must be structured
4. Empowered time management: The process owner or an interaction partner acquires the responsibility over the sequence of activities. Every task or work process must be easily set in context with the organizational strategy and restricted business rules
5. Collaborative, real-time planning: The process definition is an intrinsic part of the process itself. Every new activity or problem that needs to be solved gets assigned a so-called “story” which defines a description, involved parties, responsibilities, methodology to use, tools, interaction partner and whatever else is of importance. It can be readjusted throughout the life of the process

175 cf. Bellomo, How to sell anything on Amazon ... and make a fortune!, 13.
176 cf. Reese, Cloud application architectures, 20-24.
177 cf. Qi Sui, Dong-Qing Yang, and Teng-Jiao Wang, 2009, in a collected edition of Chen, Liu, and Zhang, Advances in Web and Network Technologies and Information Management, 5731:141.

One of the main elements of HIM is the bottom-up approach called Stories, which allows participants, in accordance with their roles, to start collaborative work processes and to evolve them on-the-fly as part of the work itself. The adherents of HIM praise the effectiveness of this approach, because of the emphasis on collaborative human work that can now easily be integrated in a structured way. On the other hand, the emphasis does not lie on efficiency, because routine work processes are more and more often largely automated and therefore deserve less attention. 181 182 183

According to Peter Fingar, approaches like HIM in combination with cloud computing could result in “management structures and styles to become organic networks rather than hierarchical, function-divided monoliths [...] leaders don’t give commands, they transmit information, trusting the team members’ competencies and gaining accountability through transparency [...] true leadership is about cooperation, not control” 184 185

HIM is not widely known and not much literature can be found, nor is the IT industry's adoption of the theory very advanced at this point in time (February 2010). Significantly, the only enterprise software that offers HIM as the core concept is HumanEdj, notably developed by the company (Role Modelers Ltd) where the creator (Harrison-Broninski) of the HIM principles works. Nevertheless, HIM is starting to gain ground; for example, SAP has introduced a HIM module for its ERP suite. In the end-user market the productivity application Getting Things Done (GTD) has taken on parts of HIM and has become quite popular with it. David Allen, the founder of GTD and the author of the bestseller book with the same name, explained in an interview that cloud computing and HIM could be the best possible combination. The reason he thinks so is that cloud computing is able to connect different platforms and applications in order to manage them on the meta-level. Each of the five HIM principles (ibid.) can be made better thanks to cloud computing, because it is predestined to interconnect the involved human-driven processes. 186 187 188

The following comparison categorizes HIM on the architectures map and underscores its democratized user-level approach: 189 190

| IT Analysts | Business Analysts | Business People |
|---|---|---|
| SOA | BPM | HIM |
| IaaS | PaaS | SaaS |
| IT Level | Developer Level | User Level |

178 cf. Korhonen, “BPM - A Systematic Perspective,” 25.
179 cf. Harrison-Broninski, Human interactions: The heart and soul of business process management, 20.
180 summarized by the author of this thesis, structure according to Harrison-Broninski, “Human Interaction Management,” 6.
181 cf. Harrison-Broninski, “The Future of BPM,” 22-24.
182 cf. Qi Sui, Dong-Qing Yang, and Teng-Jiao Wang, 2009, in a collected edition of Chen, Liu, and Zhang, Advances in Web and Network Technologies and Information Management, 5731:141.
183 cf. Harrison-Broninski, “Human Interaction Management.”

Table c: Service-oriented architecture (SOA) is primarily the domain of IT analysts, BPM is the domain of business analysts. The bottom-up approach of HIM makes it possible for business people to define the processes, in other words providing support for the way humans work and interact with each other. Source: Own conclusion based on Fingar, 2009; Rayport and Heyward 2009.

If HIM became more popular in the form of several competing HIMS (Human Interaction Information Systems) or as a supplement to existing business process management software, it could lead to a considerable productivity advantage. It would be desirable for the HIM approach to be taken on by the open source community. What the world needs is nothing less than a highly competitive but free open source business platform of the 21st century! The open source community has already managed to develop an impressive number of free, open source business software packages such as vTiger (CRM), Compiere (ERP), Pentaho (Business Intelligence), Essential Project (Enterprise Architecture), Liferay (Office Collaboration) or Alfresco (Enterprise Content Management). The HIM approach, rather radical because of its democratized bottom-up nature, may need to be newly developed from scratch, which is probably why there is not yet a free, open source HIM available (HumanEdj has been free but is now closed source). Startups and small businesses in particular could profit a lot from using an integrated solution that leverages productivity through more effective communication, which makes the processes in companies more dynamic and even democratizes them. 191

“Today, customers are able to connect to the cloud without installing software or buying specific hardware. A big reason for their desire to use the cloud is the availability of collaborative services. Collaboration is the opiate of the masses in cloud land” 192 John Rittinghouse, Cloud Evangelist

184 Fingar, Dot.cloud: The 21st Century Business Platform, 146.
185 cf. Fingar, 2009, edited by Meyer, Review: Peter Fingar, Dot.cloud: The 21st century business platform built on cloud computing, 5.
186 cf. SAP, “Getting Started with Human Interaction Management.”
187 cf. Qi Sui, Dong-Qing Yang, and Teng-Jiao Wang, 2009, in a collected edition of Chen, Liu, and Zhang, Advances in Web and Network Technologies and Information Management, 5731:141.
188 cf. Mack, Video: David Allen - GTD and Cloud Computing.
189 cf. Rayport and Heyward, “Envisioning the Cloud: The Next Computing Paradigm,” 7.
190 cf. Fingar, Dot.cloud: The 21st Century Business Platform, 143.

Trends

Encouraging Innovation by Simplicity

"In pursuit of knowledge, every day something is acquired; in pursuit of wisdom, every day something is dropped" 193 Laozi

John Adair, professor of leadership, has mentioned this quote from Laozi to show that wisdom always tends towards simplicity, the reason being that simplicity reduces things to essentials. It is important to store solely essential information and to keep the information systems simple, otherwise change will become difficult. Information systems need to become accelerators of change and open ways to let innovation happen. Every change can be a chance to constantly improve the company's productivity. The information system solutions have to leverage this process of organizational maturity and learning. It must be possible for startups and small companies to take advantage of advanced information systems to become more innovative than their larger competitors. 194 195

191 cf. Geeknet, Inc., “SourceForge - Find and Develop Open Source Software.”
192 Rittinghouse and Ransome, Cloud Computing: Implementation, Management and Security, 62.
193 Laozi (a.k.a. Lao Tzu) ~100 BC, cited by Adair, How to grow Leaders: The seven Key Principles of effective Leadership Development, 51.
194 cf. Ibid.
195 cf. Avgerou, Information systems and the economics of innovation, 180.


However, a lot of functionality leads to complexity. And if complexity is not handled the right way it becomes complicated: “Data moves between processes, and processes move between departments. Once you get everybody running on the system, you don't know what ripple a change could create throughout the organization.” 196

Complicated is exactly what startups and small companies do not need. They are looking for simplicity, low costs and the ability to adjust their business processes quickly to changing market needs. Following this approach, they can concentrate on their core business. If cloud computing applications support startups and small companies in that way, then they are becoming enablers for innovation. 197 198

Software paradigm shift away from conventional to pay as you go

The expected paradigm shift away from purchasing software licenses to on-demand, pay-as-you-go software will fundamentally transform how enterprises procure and consume technology solutions. Major vendors that still make the largest part of their profits with the conventional license model have to adjust their strategy. 199

One of these major vendors, Microsoft, which is just one amongst many in the enterprise software market but still dominant in the end-user desktop market, publicly disclosed its cloud computing strategy in 2008. It expects that cloud computing will lead to a hybrid of the current on-premises model and SaaS that is run in centralized, massive data centers operated by major IT companies. 200 201

Ray Ozzie, Microsoft's chief software architect, states: "At the back-end side, it depends on the size of enterprise and the workload, as well as the segment of the enterprise and whether it is highly regulated or whatever. The decisions regarding what to keep on-premises versus what to distribute into the cloud will vary dramatically. Very small businesses will put almost everything into the cloud. Very large businesses will put all their infrastructural systems, such as mail, phone systems and document management, into the cloud. Enterprise applications that have high integration requirements and a lot of legacy issues will stay on premises. What happens in the middle is a mix.” 202 203

196 Mittelstaedt et al., “IT evolution: Why ERP systems face extinction.”
197 cf. Ibid.
198 cf. Gunasekaran, Global Implications of Modern Enterprise Information Systems: Technologies and Applications, 2.
199 cf. Reese, Cloud application architectures, 47-53.
200 cf. Verberne, “Global Software Top 100 - Interim Update.”
201 cf. Kooten, van and Verberne, “Enterprise Software Top 10: Salesforce running up the ranks.”
202 MacDonald and Smith, “Gartner Fellows interview with Microsoft's Ray Ozzie on Cloud Computing.”
203 cf. Ibid.


Furthermore, he explains Microsoft's position on whether the switch will happen in an evolutionary or a revolutionary way: “Cloud computing won't be successful if organizations and developers have to reinvent everything. That's not what customers want. They want a smooth transition.” 204

Freemium - Cloud Computing as a potential Cost Trap

Many cloud computing providers offer some basic services for free to attract customers. Ray Ozzie, Microsoft explains: “Give your service away for free, possibly ad supported but maybe not, acquire a lot of customers very efficiently through word of mouth, referral networks, organic search marketing, etc., then offer premium priced value added services or an enhanced version of your service to your customer base […] It works even better with web native services. A customer is only a click away and if you can convert them without forcing them into a price/value decision you can build a customer base fairly rapidly and efficiently. It is important that you require as little as possible in the initial customer acquisition process. Asking for a credit card even though you won’t charge anything to it is not a good idea. Even forced registration is a bad idea. You’ll want to do some of this sort of thing once you’ve acquired the customer but not in the initial interaction.” 205

Richard Stallman, a leading advocate of free software and founder of the Free Software Foundation, warns the public that cloud computing is a trap. In his view, the ICT industry is using Freemium to get customers to buy into locked, proprietary systems that would cost them more and more over time: “It's stupidity. It is worse than stupidity: it's a marketing hype campaign […] somebody is saying this is inevitable – and whenever you hear somebody saying that, it's very likely to be a set of businesses campaigning to make it true […] One reason you should not use web applications to do your computing is that you lose control […] It is just as bad as using a proprietary program. Do your own computing on your own computer with your copy of a freedom-respecting program. If you use a proprietary program or somebody else's web server, you are defenseless. You are putty in the hands of whoever developed that software.” 206

Hosted Open Source Business Opportunities

While some open source ambassadors, such as the just mentioned Richard Stallman, do not like the business models of many cloud computing offerings, venture capitalist Bernard Dallé has another story to tell. Bernard Dallé from Index Ventures, who transacted the investments in Skype and MySQL, has observed that many companies that have so far hesitated to adopt open source software because they thought it too risky are now starting to use cloud computing without having such concerns about hosted open source solutions. This can lead to interesting business opportunities for open source companies, which are now able to offer niche applications to well-funded enterprise companies. These open source companies do not even need to host the cloud computing based open source applications themselves. They can use established IaaS or PaaS providers while concentrating on developing, marketing, servicing and supporting their SaaS applications. 207

204 Ibid.
205 Wilson, “My Favorite Business Model.”
206 Stallman, 2008 Johnson, “Cloud computing is a trap, warns GNU founder.”

Up to now, the open source industry has usually consisted of innovative, rather young people with moderate incomes who dedicate a lot of their time to improving open source solutions out of the belief that open source is helpful for our society. It can be seen as more than desirable that these young people of the open source world are now able to become successful entrepreneurs. This will hopefully underpin the necessary shift towards a business culture that takes its social responsibility more seriously!

Paradigm Shift of Change – from Push to Pull and from Mass to Micro Markets

“The cloud represents the reinvention of commerce, from a push to pull model and from mass to micro market economics as the long tail dominates value creation enabled by network effects, which accelerates globalization, greatly increases productivity and improves the quality of life for all. The control point has shifted so that suddenly commerce and communication are end to end – with no regard to borders – location and even time independent. We are just at the beginning of an escalating slope of change that affects how we will live socially, culturally, politically. This is a once-in-a-millennium paradigm shift.” 208

William Coleman, Aspen Institute Roundtable

Mega Data Centers

Major IT companies like Google, IBM, Amazon or HP are assessing the economies of scale and, as a consequence, are building so-called “mega data centers” of enormous dimensions that offer unprecedented efficiency. Microsoft divides the deployment of data center infrastructure into the following stages of development:

1. Traditional setup: “Installing a server in a rack, deploying operating system, configuring networks
2. Rack level of deployment: Dozens of servers at a time which arrive prebuilt and are installed by a third party
3. Modularity to the level of containers: The cutting edge. Fully configured containers with 2'000 servers are implemented in a shell building with enough power and cooling systems
4. Fully modular: Currently in trial phase. Is intended to become the primary model of choice within one year. Fully modular system without shell buildings. The whole system consists simply of modular server containers, power backup containers and cooling containers that are connected to form an independent ecosystem of massive data center computing power. The lead time from detecting the need for additional computing power to placing into operation will be some weeks only” 209

207 Dallé, 2009, cited by Asay, “Open source: The money is in the cloud.”
208 Coleman, 2009, reported by Lasica, Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and Social Interaction, 71-72.

This may sound a bit futuristic to both IT professionals and normal business people, but it is a fact, and these major vendors will use all their market power to gain market share and to utilize these new “mega data centers”. Vendors in the consumer market will leave nothing undone to adjust their strategy in such a way that their millions of existing customers, end-users and small businesses alike, will switch to their cloud application offerings. 210 211 Not only end-users are targeted, but enterprise customers as well. Microsoft's chief software architect describes it this way: “I fundamentally believe that all the enterprise applications that we sell as software will also be a service. I know that every time you add a zero to the order of magnitude, you can do it more efficiently. So, if we are serving 100 million Exchange mailboxes, we'll do it better than if we're serving 1 million or 100,000. There is a significant advantage there.” 212

Global vendors with such efficient state-of-the-art infrastructure, coupled with the effective usage made possible by cloud computing, will be highly competitive compared to conventional on-premises models. Especially compared to small businesses, they can profit massively from economies of scale. At small businesses, the necessary IT skills are often not available in-house. 213

Brokering Cloud Services

As already mentioned, cloud computing services are expected one day to become a ubiquitous commodity, just like electricity from the power grid. Rajkumar Buyya, a computer scientist, is studying concretely which concepts would be needed for trading them. “As Cloud platforms become ubiquitous, we expect the need for inter-networking them to create market-oriented global Cloud exchanges for trading services. Several challenges need to be addressed to realize this vision. They include: market-maker for bringing service providers and consumers; market registry for publishing and discovering Cloud service providers and their services; clearing houses and brokers for mapping service requests to providers who can meet QoS expectations; and payment management and accounting infrastructure for trading services.” 214

209 MacDonald and Smith, “Gartner Fellows interview with Microsoft's Ray Ozzie on Cloud Computing.”
210 cf. Ibid.
211 cf. Metz, “Will Google regret the mega data center?.”
212 MacDonald and Smith, “Gartner Fellows interview with Microsoft's Ray Ozzie on Cloud Computing.”
213 cf. Thommen, Managementorientierte Betriebswirtschaftslehre, 791.

His next statement suggests how important the efforts towards the standardization of interfaces and coordinated risk management systems are: “The state-of-the-art Cloud technologies have limited support for market-oriented resource management and they need to be extended to support: Negotiation of QoS between users and providers to establish SLAs; mechanisms and algorithms for allocation of VM resources to meet SLAs; and manage risks associated with the violation of SLAs. Furthermore, interaction protocols needs to be extended to support interoperability between different Cloud service providers.” Further efforts are necessary in order to establish open clouds that offer unlimited flexibility without cutting back on security. Assured quality is especially important for startups and small businesses, as they do not have the risk assessment instruments and experience that larger corporations have. 215

Significance: Market, Economics And Trends

For startups, entrepreneurs and small companies, the following aspects regarding cloud economics, its market development and participants, and finally future trends of cloud computing may be of special interest:

- Operational expenditures instead of capital expenditures will be valued especially by startups
- Constantly changing business requirements need information systems that offer the same flexibility without becoming complicated. The modular, often service-oriented cloud computing systems can be a good base, depending on the offer of the cloud application provider
- The IT industry is very keen on cloud computing, as it can help vendors change their business model from hardware and licenses to services. This will lead to more standardization efforts and to more competition, which will expand the variety of offerings and lower prices as well
- In contrast to enterprise corporations with their long-grown information systems, startups can start on a greenfield with a completely new solution based on cloud computing

214 Buyya et al., “Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility,” 614.
215 Ibid.


Evaluation Guide

“Cloud computing is gaining interest as a potential driver of value generation and cost savings for migrating and creating new applications, but enterprises must choose carefully from among varied architectural alternatives based on their degree of alignment with business processes and existing architectural constraints.” 216

Eric Knipp et al., Gartner Group

How To Approach A Cloud Computing Evaluation?

A look in a library turns up several books in the category of requirements engineering. Requirements engineering usually comes quite at the beginning of information system evaluations. Questions to be asked are: 217

- Why? Requirements of the market: customer and user needs, business requirements and goals as well as other needs
- What? Requirements of the product: characteristics, system requirements
- How? Requirements of the component: software requirements

This sounds quite logical so far. However, after having browsed through the requirements engineering books, one has the impression that it all looks very technical and abstract. Maybe too technical for business people? Is their business mindset compatible with the mindset of IT specialists? To what extent is the classic software development process applicable when it comes to considering a new business application based on cloud computing? As a matter of fact, developing software is not the principal idea of cloud computing consumers. Therefore, the requirements engineering approach may be too heavily “software development-oriented”. As most potential cloud computing consumers will lean toward ready-to-use Software as a Service (SaaS), requirements engineering will probably not be suitable.

“Because of the wide degree of differentiation among provider offerings and potential use scenarios, best practices for constructing, hosting, and maintaining cloud-based enterprise solutions are still evolving.” 218

Eric Knipp et al., Gartner Group

216 Knipp et al., Creating Cloud Solutions: A Decision Framework, 1.
217 cf. Ebert, Systematisches Requirements-Engineering und Management Anforderungen ermitteln, spezifizieren, analysieren und verwalten, 23.
218 Knipp et al., Creating Cloud Solutions: A Decision Framework, 1.


As cloud computing is still a new discipline, not much literature can be found that answers these questions in a holistic way. Nonetheless, the cloud computing community has developed best practices. One of them comes from the Cloud Computing Security Alliance (CSA), a community of often well-known individuals from science and the IT industry, which has developed the Security Guidance for Critical Areas of Focus in Cloud Computing (CSA Guidance), currently in version 2.1. It indicates the most crucial points in the fields of security, legal and privacy issues that should be considered during an assessment of cloud computing based information systems. 219 The author of this thesis assumes that such a framework can be especially helpful for startups and small companies, as its compact size makes it more likely to be read, whereas complex literature would probably not be read at all. Instead, an ad hoc decision would be made based upon the business functionality of the cloud computing application only. Following the pragmatic approach of CSA, the subsequent paragraphs adopt the entire structure of the CSA Guidance, cite only excerpts of the actual content and compare it with other literature. Additionally, to emphasize the practical value, the excerpts from the CSA Guidance are enhanced with information from a practical survey (see annex). This survey, Startup in the Cloud - Consulting Experts, was conducted by the author of this thesis in order to get practical first-hand feedback as complementary information on whether cloud computing can be the right choice for startups and small companies.

Who Is Initiating And Attending The Evaluation?

Having an idea of how to approach such an evaluation is one thing; the other is who has the overall responsibility on the business side. One paragraph earlier, it was assumed that startups and small companies would tend towards ad hoc approaches. But how can it be done better? Who should attend such projects? Antonio Palacin, one of the interviewees from the Consulting Experts survey, has given the following advice: “It depends on the industry. In general, the link between business requirements and the associated information systems should be owned by one of the managing directors. This person should have a counterpart in each line-of-business or main organization within the company. Those departments should summarize their needs. Finally it is the task on C-level to derive the right catalogue of services and to combine the different requests.” 220

Antonio Palacin, IBM

219 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” chap. 4.
220 Palacin, “Startup in the Cloud - Consulting Experts - Interview with Antonio Palacin from IBM Deutschland GmbH about Simplicity,” col. 1.


This answer is aimed rather at bigger companies, but the message is clear: assessing business-relevant information systems is a top priority that needs to be attended by the founders of a startup company, and likewise at smaller companies. Evangelos Xevelonakis Xenis, managing director of a CRM consulting strategy company who took part in the Consulting Experts survey as well, confirms this impression by stating: “It depends on the company's size. But I think the CEO is the appropriate person.” 221

Evangelos Xevelonakis Xenis, Swiss Valuenet

Introduction To CSA Guidance For Cloud Security Assessment

The following sub-chapters are structured according to the CSA Guidance. Each begins by quoting the corresponding information from the CSA Guidance, followed by further considerations including the survey results. The guidance is divided into section one, Cloud Computing Architectural Framework, section two, Governing in the Cloud, and section three, Operating in the Cloud. To improve reader friendliness, literal quotes from CSA Guidance are set in a grey tone. Additionally, it should be mentioned that the CSA guidance is written in the 4th person. The editors of the CSA guidance follow this approach in order to attain better acceptance from practitioners. As there are different cloud services and deployment options (ibid.; for example SaaS service model or public cloud deployment), CSA mentions that no guidance or list can cover all circumstances and that the CSA guidance simply helps to guide the evaluation through a decision phase. It should not be seen as a full risk assessment framework or a methodology for determining the whole set of possible risks and threats. 222

Deciding What, When, and How to Move to the Cloud

The introductory part Deciding What, When, and How to Move to the Cloud of the CSA guidance is reproduced in full in order to improve the contextual understanding of the following chapters. Furthermore, in real-life situations it can be assumed that many startups and small businesses fail to carry out even basic assessments. They would be well advised to consult at least this introductory part.

221 Xevelonakis, “Startup in the Cloud - Consulting Experts - Interview with Evangelos Xevelonakis Xenis from Swiss Valuenet about Simplicity,” col. 1.
222 cf. Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 9.


Identify the asset for the cloud deployment

“At the simplest, assets supported by the cloud fall into two general buckets:

1. Data, or
2. Applications / Functions / Processes

We are either moving information into the cloud, or transactions / processing (from partial functions all the way up to full applications). With cloud computing our data and applications don’t need to reside in the same location, and we can even shift only parts of functions to the cloud. For example, we can host our application and data in our own data center, while still outsourcing a portion of its functionality to the cloud through a Platform as a Service. The first step in evaluating risk for the cloud is to determine exactly what data or function is being considered for the cloud. This should include potential uses of the asset once it moves to the cloud to account for scope creep. Data and transaction volumes are often higher than expected.” 223

Evaluate the asset

“The next step is to determine how important the data or function is to the organization. You don’t need to perform a detailed valuation exercise unless your organization has a process for that, but you do need at least a rough assessment of how sensitive an asset is, and how important an application / function / process is. For each asset, ask the following questions:

1. How would we be harmed if the asset became widely public and widely distributed?
2. How would we be harmed if an employee of our cloud provider accessed the asset?
3. How would we be harmed if the process or function were manipulated by an outsider?
4. How would we be harmed if the process or function failed to provide expected results?
5. How would we be harmed if the information/data were unexpectedly changed?
6. How would we be harmed if the asset were unavailable for a period of time?

Essentially we are assessing confidentiality, integrity, and availability requirements for the asset; and how those are affected if all or part of the asset is handled in the cloud. It’s very similar to assessing a potential outsourcing project, except that with cloud computing we have a wider array of deployment options, including internal models.” 224

223 Ibid.
224 Ibid., 9-10.


Ray Ozzie, Chief Technology Officer at Microsoft, was asked in an interview with Gartner Inc., one of the leading IT analysts, how the security concerns of moving to cloud computing should be addressed. His answer was not short, but it makes some reasonable points. “There's no perfect solution. Security is inherently risk management. If it's described as a black-and-white issue, we'll never get there. Whether on-premises or off-premises, everything is vulnerable. So, we just basically invest at different layers of the architecture. There are different aspects of that investment. Oddly enough, it starts with the lawyers and with our policy folks. We have to understand the regulatory environment in every single jurisdiction that we or our customers want to serve. The analogy that I'll make that might resonate is that we are with cloud computing right now where we were with encryption with mass market products and exports controls in the early 1990s – which is that everybody had their own export and import restrictions, which prevented a software developer from writing something with crypto in it and getting it shipped.”

Ray Ozzie, Microsoft CTO

Map the asset to potential cloud deployment models

“Now we should have an understanding of the asset’s importance. Our next step is to determine which deployment models we are comfortable with. Before we start looking at potential providers, we should know if we can accept the risks implicit to the various deployment models: private, public, community, or hybrid; and hosting scenarios: internal, external, or combined. For the asset, determine if you are willing to accept the following options:

1. Public
2. Private, internal / on-premises
3. Private, external (including dedicated or shared infrastructure)
4. Community; taking into account the hosting location, potential service provider, and identification of other community members.
5. Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside.

At this stage you should have a good idea of your comfort level for transitioning to the cloud, and which deployment models and locations fit your security and risk requirements.” 225

Evaluate potential cloud service models and providers

“In this step focus on the degree of control you’ll have at each SPI (refers to Software as a Service, Platform as a Service, or Infrastructure as a Service) tier to implement any required risk management. If you are evaluating a specific offering, at this point you might switch to a fuller risk assessment. Your focus will be on the degree of control you have to implement risk mitigations in the different SPI tiers. If you already have specific requirements (e.g., for handling of regulated data) you can include them in the evaluation.” 226

225 Ibid., 10.

Sketch the potential data flow

“If you are evaluating a specific deployment option, map out the data flow between your organization, the cloud service, and any customers / other nodes. While most of these steps have been high-level, before making a final decision it’s absolutely essential to understand whether, and how, data can move in and out of the cloud. If you have yet to decide on a particular offering, you’ll want to sketch out the rough data flow for any options on your acceptable list. This is to insure that as you make final decisions, you’ll be able to identify risk exposure points.” 227

Conclusions: Deciding What, When, and How to Move to the Cloud

“You should now understand the importance of what you are considering moving to the cloud, your risk tolerance (at least at a high level), and which combinations of deployment and service models are acceptable. You’ll also have a rough idea of potential exposure points for sensitive information and operations. These together should give you sufficient context to evaluate any other security controls in this Guidance. For low-value assets you don’t need the same level of security controls and can skip many of the recommendations — such as on-site inspections, discoverability, and complex encryption schemes. A high-value regulated asset might entail audit and data retention requirements. For another high-value asset not subject to regulatory restrictions, you might focus more on technical security controls. Due to our limited space, as well as the depth and breadth of material to cover, this document contains extensive lists of security recommendations. Not all cloud deployments need every possible security and risk control. Spending a little time up front evaluating your risk tolerance and potential exposures will provide the context you need to pick and choose the best options for your organization and deployment.” 228

226 Ibid.
227 Ibid., 10-11.
228 Ibid., 11.
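The steps quoted above (rate the asset with the six questions, check it against the deployment options, trace the data flow for exposure points) can be worked through as follows. This Python code is an added example, not part of the thesis or of the CSA Guidance; the 0-3 harm scale, the mapping of questions to confidentiality, integrity and availability, the tolerance table and all asset, zone and flow names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The six CSA questions, keyed by a short name and mapped to the property each
# one probes. The mapping and the 0-3 harm scale are assumptions of this example.
QUESTIONS = {
    "public": "confidentiality",           # 1. widely public and distributed
    "provider_access": "confidentiality",  # 2. accessed by a provider employee
    "manipulated": "integrity",            # 3. function manipulated by an outsider
    "wrong_results": "integrity",          # 4. function fails to give expected results
    "data_changed": "integrity",           # 5. data unexpectedly changed
    "unavailable": "availability",         # 6. unavailable for a period of time
}

# Deployment options from the Guidance with the highest (C, I, A) rating this
# hypothetical organization accepts for each. Every organization sets its own.
TOLERANCE = {
    "public": (1, 2, 2),
    "community": (2, 2, 2),
    "private-external": (2, 3, 3),
    "hybrid": (2, 3, 3),
    "private-internal": (3, 3, 3),
}

INTERNAL_ZONES = {"office", "own-datacenter"}  # zones under our own control


@dataclass
class Asset:
    name: str
    kind: str   # "data" or "function"
    harm: dict  # question key -> 0 (no harm) .. 3 (severe harm)

    def rating(self):
        """Collapse the six answers into (C, I, A); the worst answer wins."""
        score = {"confidentiality": 0, "integrity": 0, "availability": 0}
        for question, prop in QUESTIONS.items():
            score[prop] = max(score[prop], self.harm.get(question, 0))
        return (score["confidentiality"], score["integrity"], score["availability"])


@dataclass
class Flow:
    src: str
    dst: str
    asset: str
    encrypted: bool


def acceptable_models(asset):
    """Deployment models whose tolerance covers every rating of the asset."""
    rating = asset.rating()
    return sorted(
        model for model, limits in TOLERANCE.items()
        if all(value <= limit for value, limit in zip(rating, limits))
    )


def exposure_points(flows, assets, threshold=2):
    """Flows that carry a sensitive asset outside the zones we control."""
    by_name = {a.name: a for a in assets}
    findings = []
    for f in flows:
        confidentiality, integrity, _ = by_name[f.asset].rating()
        if max(confidentiality, integrity) < threshold:
            continue  # low-value asset: not an exposure point
        if f.src in INTERNAL_ZONES and f.dst in INTERNAL_ZONES:
            continue  # never leaves our own zones
        reason = "crosses boundary" if f.encrypted else "crosses boundary unencrypted"
        findings.append((f.src, f.dst, f.asset, reason))
    return findings


# Constructed sample input.
ASSETS = [
    Asset("customer-records", "data",
          {"public": 3, "provider_access": 3, "data_changed": 2, "unavailable": 1}),
    Asset("newsletter-rendering", "function",
          {"manipulated": 1, "wrong_results": 1, "unavailable": 1}),
]
FLOWS = [
    Flow("office", "own-datacenter", "customer-records", True),
    Flow("own-datacenter", "saas-crm", "customer-records", True),
    Flow("saas-crm", "customer-browser", "customer-records", False),
    Flow("office", "paas-renderer", "newsletter-rendering", False),
]

if __name__ == "__main__":
    for a in ASSETS:
        print(a.name, a.rating(), acceptable_models(a))
    for finding in exposure_points(FLOWS, ASSETS):
        print(finding)
```

With this sample input the high-value asset is acceptable only on the private, internal option, and both of its flows that leave the organization's zones are reported, while the low-value function passes every check.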


CSA Guidance: Section 1. Cloud Architecture

While the content of the preliminary part, Introduction To CSA Guidance For Cloud Security Assessment, has been taken over completely in this chapter Evaluation Guide, only excerpts will be cited from the following domains 1-13, some of them complemented with interview excerpts from the survey Startup in the Cloud - Consulting Experts. Nonetheless, the structure is taken over completely to give an undistorted overview of what the CSA Guidance has to offer to startups and small companies. The 13 domains in total are assigned to the following three sections:

- Section 1: Cloud Architecture examines Domain 1
- Section 2: Governing in the Cloud examines Domains 2-6
- Section 3: Operating in the Cloud examines Domains 7-13

Domain 1: Cloud Computing Architectural Framework

This first domain is the most voluminous, as it contains many definitions. Several of the definitions and sub-chapters have already been examined earlier in this thesis (ibid. Defining Cloud Computing) and will therefore not be expounded again unless they contain important extra information. The sub-chapters are:

- What Is Cloud Computing?
- What Comprises Cloud Computing?
- Essential Characteristics of Cloud Computing
- Cloud Service Models
- Cloud Deployment Models
- Multi-Tenancy
- Cloud Reference Model
- Cloud Security Reference Model
- What Is Security for Cloud Computing?
- Beyond Architecture: The Areas Of Critical Focus

What Is Cloud Computing?

Has been examined earlier in this thesis (ibid. Defining cloud computing).


What Comprises Cloud Computing?

Keyword: NIST definition of cloud computing. Has been examined earlier in this thesis (ibid. Defining cloud computing).

Essential Characteristics of Cloud Computing

Keywords: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service. Has been examined earlier in this thesis (ibid. Defining cloud computing).

Cloud Service Models

Keywords: Software as a Service, Platform as a Service, Infrastructure as a Service. Has been examined earlier in this thesis (ibid. Defining cloud computing).

Cloud Deployment Models

Keywords: Public Cloud, Private Cloud, Community Cloud, Hybrid Cloud. Has been examined earlier in this thesis (ibid. Defining cloud computing).

Multi-Tenancy

Keyword: Single instance serving multiple client organizations. Has been examined earlier in this thesis (ibid. Defining cloud computing).

Cloud Reference Model

“Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks. IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS as described in the Cloud Reference Model diagram. In this way, just as capabilities are inherited, so are information security issues and risk.” 229 The Cloud Reference Model illustration can be found in the next chapter; in fact, it comprises only the left part, Cloud Model.

Cloud Security Reference Model

The structure of the Cloud Reference Model, strictly speaking the inherited character of its capabilities and risks, makes it necessary to consider the significant trade-offs of each model. The trade-offs between the three different cloud deployment models have to be examined regarding integrated features, complexity versus openness and also security.

229 Ibid., 18.


“SaaS provides the most integrated functionality built directly into the offering, with the least consumer extensibility, and a relatively high level of integrated security (at least the provider bears a responsibility for security). PaaS is intended to enable developers to build their own applications on top of the platform. As a result it tends to be more extensible than SaaS, at the expense of customer-ready features. This tradeoff extends to security features and capabilities, where the built-in capabilities are less complete, but there is more flexibility to layer on additional security. IaaS provides few if any application-like features, but enormous extensibility. This generally means less integrated security capabilities and functionality beyond protecting the infrastructure itself. This model requires that operating systems, applications, and content be managed and secured by the cloud consumer.” 230

To attain a holistic view of the security and compliance situation, the Cloud Reference Model is expanded to become the Cloud Security Reference Model. The gap analysis according to the figure below shows “how a cloud service mapping can be compared against a catalogue of compensating controls to determine which controls exist and which do not – as provided by the consumer, the cloud service provider, or a third party. This can in turn be compared to a compliance framework.” 231 Once such a gap analysis has been carried out, the risk manager in a bigger company already becomes a bit friendlier, while in a small company such an analysis is a good start when looking out for a possible cloud computing provider.

230 Ibid., 19.
231 Ibid., 23.


Illustration g: Cloud Security Reference Model. Source: Reproduced according to the original source by Cloud Security Alliance, 2009.
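The gap analysis described above, combined with the quoted split of security responsibility across SaaS, PaaS and IaaS, can be run as a small comparison of a compliance framework against the controls found in place. This Python code is an added example, not taken from the thesis or the CSA Guidance; the four-layer split, the PaaS and SaaS responsibility rows, and the requirement and control names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Layers the consumer must secure under each service model. The four-layer
# split is a simplification assumed for this example. The IaaS row follows the
# quoted text (operating systems, applications and content fall to the
# consumer); the PaaS and SaaS rows are assumptions.
CONSUMER_LAYERS = {
    "IaaS": {"operating_system", "application", "content"},
    "PaaS": {"application", "content"},
    "SaaS": {"content"},
}
PARTIES = {"consumer", "provider", "third_party"}


@dataclass(frozen=True)
class Control:
    requirement: str  # framework requirement the control satisfies
    provided_by: str  # one of PARTIES


def gap_analysis(model, framework, catalogue):
    """Map each framework requirement to ("exists", parties) or ("gap", owner).

    framework: {requirement: layer it applies to}
    catalogue: controls known to be in place for the offering under review
    """
    consumer_layers = CONSUMER_LAYERS[model]
    in_place = {}
    for control in catalogue:
        if control.provided_by not in PARTIES:
            raise ValueError(f"unknown party: {control.provided_by}")
        in_place.setdefault(control.requirement, set()).add(control.provided_by)

    report = {}
    for requirement, layer in framework.items():
        if requirement in in_place:
            parties = "+".join(sorted(in_place[requirement]))
            report[requirement] = ("exists", parties)
        else:
            # A missing control lands on whoever owns that layer in this model.
            owner = "consumer" if layer in consumer_layers else "provider"
            report[requirement] = ("gap", owner)
    return report


def open_items(report, party):
    """Requirements with no control in place that `party` has to close."""
    return sorted(r for r, (status, who) in report.items()
                  if status == "gap" and who == party)


# Constructed compliance framework: requirement -> layer it applies to.
FRAMEWORK = {
    "physical-access-control": "infrastructure",
    "os-patching": "operating_system",
    "log-review": "operating_system",
    "input-validation": "application",
    "encryption-at-rest": "content",
}
# Constructed catalogue of controls found during the review.
CATALOGUE = [
    Control("physical-access-control", "provider"),
    Control("log-review", "third_party"),
    Control("encryption-at-rest", "consumer"),
]

if __name__ == "__main__":
    for model in ("IaaS", "PaaS", "SaaS"):
        report = gap_analysis(model, FRAMEWORK, CATALOGUE)
        print(model, "consumer:", open_items(report, "consumer"),
              "provider:", open_items(report, "provider"))
```

The same two missing controls move from the consumer's list under IaaS to the provider's list under SaaS, which is the inheritance of risk along the reference model that the Guidance describes.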

What Is Security for Cloud Computing?

As already mentioned, the security controls for cloud computing and any other IT environment are mostly the same. But one of the key characteristics, and at the same time maybe the strongest point of criticism, is that “cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties.” 232

Beyond Architecture: The Areas of Critical Focus

CSA distinguishes the two broad categories governance and operations: “Governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture.” 233

The following comparison is meant to give an impression of the legal, regulatory and standardization aspects to be considered. CSA calls them issues, UC Berkeley obstacles and ENISA risks. It is roughly about the same thing, but the author of this thesis points out that they can be compared only to a limited extent, as the perspective varies from case to case. While CSA's issues and ENISA's risks are arranged according to a structured, holistic approach, UC Berkeley has listed ten obstacles. Nonetheless, the reader may be able to draw his own useful conclusions. 234 235 236

232 Ibid., 24.
233 Ibid., 26.

Issues as per CSA

Governance (Domains 2-6)
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability

Operational (Domains 7-13)
- Traditional Security
- Business Continuity and DR
- Data Center Operations
- Incident Response, Notification and Remediation
- Application Security
- Encryption and Key Management
- Identity and Access Management
- Virtualization

Obstacles as per UC Berkeley

- Availability of Service
- Data Lock-In
- Data Confidentiality and Auditability
- Data Transfer Bottlenecks
- Performance Unpredictability
- Scalable Storage
- Bugs in Large Distributed Systems
- Scaling Quickly
- Reputation Fate Sharing
- Software Licensing

Risks as per ENISA

Policy and Organisation
- Vendor Lock-in
- Loss of Governance
- Compliance Challenges

Technical Risks
- Data Leakage
- Distributed Denial of Service Attacks
- Loss of Encryption-Keys
- Conflicts-hardening Procedures

Legal Risks
- Data Protection
- Cloud Provider Acquisition
- Software Licensing

Influencing Risks
- Network Problems
- Unauthorized Access to Data Centers

Table d: Collection of aspects that need to be considered while assessing cloud computing solutions. Source: Own comparison based on literature according to bibliographic footnote, 2010.

Domain 2: Governance and Enterprise Risk Management

Outline of Domain 2: “The ability of an organization to govern and measure enterprise risk introduced by Cloud Computing. Items such as legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a cloud provider, responsibility to protect sensitive data when both user and provider may be at fault, and how international boundaries may affect these issues, are some of the items” 237

234 cf. Ibid., 26-28.
235 cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing, 14.
236 cf. Catteddu and Hogben, 2009. "Cloud Computing: Benefits, Risks and Recommendations for Information Security", European Network and Information Security Agency, cited by Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing,” chap. 4.
237 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 26.


Domain 2 contains the following four sub-domains:
- Governance Recommendations
- Enterprise Risk Management Recommendations
- Information Risk Management Recommendations
- Third Party Management Recommendations 238

Domain 3: Legal and Electronic Discovery

Outline of Domain 3: “Potential legal issues when using Cloud Computing. Issues touched on in this section include protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, international laws, etc.” 239

Daniel Jost, one of the interviewees from the Consulting Experts survey, works in IT at an insurance company. His experience is that cloud computing can be an option for them, but only if it has been through a serious risk assessment. 240

“Large corporations have the advantage that they are experienced with storing the data at different locations. They will carefully assess an offering regarding the protection of data privacy before they would move in the cloud.” 241
Daniel Jost, CSS Group

“The 20th-century-built walls of privacy show serious cracks now. The parapets are rather useless in facing the threats of the internet. This is the very moment for rebuilding them.” 242
Ray Garcia, Harvard University

238 cf. Ibid., 31-34.
239 Ibid., 27.
240 cf. Ibid., 35-36.
241 Jost, “Startup in the Cloud - Consulting Experts - Interview with Daniel Jost from CSS Gruppe about Simplicity,” col. 7.
242 authored by Garcia, in a collected edition of Roig and et al., “Proceedings of the First Workshop on Law and Web 2.0,” 72.

Domain 4: Compliance and Audit

Outline of Domain 4: “Maintaining and proving compliance when using Cloud Computing. Issues dealing with evaluating how Cloud Computing affects compliance with internal security policies, as well as various compliance requirements (regulatory, legislative, and otherwise) are discussed here. This domain includes some direction on proving compliance during an audit.” 243 244

Domain 5: Information Lifecycle Management

Outline of Domain 5: “Managing data that is placed in the cloud. Items surrounding the identification and control of data in the cloud, as well as compensating controls which can be used to deal with the loss of physical control when moving data to the cloud, are discussed here. Other items, such as who is responsible for data confidentiality, integrity, and availability are mentioned.” 245

Domain 6: Portability and Interoperability

Outline of Domain 6: “The ability to move data/services from one provider to another, or bring it entirely back in-house. Issues surrounding interoperability between providers are also discussed.” 246

Domain 7: Traditional Security, Business Continuity and Disaster Recovery

Outline of Domain 7: “How Cloud Computing affects the operational processes and procedures currently used to implement security, business continuity, and disaster recovery. The focus is to discuss and examine possible risks of Cloud Computing, in hopes of increasing dialogue and debate on the overwhelming demand for better enterprise risk management models. Further, the section touches on helping people to identify where Cloud Computing may assist in diminishing certain security risks, or entails increases in other areas.” 247

Domain 8: Data Center Operations

Outline of Domain 8: “How to evaluate a provider’s data center architecture and operations. This is primarily focused on helping users identify common data center characteristics that could be detrimental to on-going services, as well as characteristics that are fundamental to long-term stability.” 248

243 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 27.
244 cf. Ibid., 37-38.
245 Ibid., 27.
246 Ibid.
247 Ibid.
248 Ibid.

Domain 9: Incident Response, Notification and Remediation

Outline of Domain 9: “Proper and adequate incident detection, response, notification, and remediation. This attempts to address items that should be in place at both provider and user levels to enable proper incident handling and forensics. This domain will help you understand the complexities the cloud brings to your current incident handling program.” 249

Matthias Schunter, one of the interviewees from the Consulting Experts survey, is a security scientist at the IBM research center in Zurich. He supposes a shift of the market towards a higher security level.

“Large corporations only choose cloud providers with a long, trustworthy security record. That will urge providers to increase their quality in order to increase their market.” 250
Matthias Schunter, IBM

Domain 10: Application Security

Outline of Domain 10: “Securing application software that is running on or being developed in the cloud. This includes items such as whether it’s appropriate to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate (SaaS, PaaS, or IaaS). Some specific security issues related to the cloud are also discussed.” 251

Domain 11: Encryption and Key Management

Outline of Domain 11: “Identifying proper encryption usage and scalable key management. This section is not prescriptive, but is more informational in discussing why they are needed and identifying issues that arise in use, both for protecting access to resources as well as for protecting data.” 252

Domain 12: Identity and Access Management

Outline of Domain 12: “Managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization’s identity into the cloud. This section provides insight into assessing an organization’s readiness to conduct cloud-based Identity and Access Management (IAM).” 253 254

249 Ibid., 28.
250 Schunter, “Startup in the Cloud - Consulting Experts - Interview with Matthias Schunter from IBM Deutschland GmbH about Security,” col. 7.
251 Cloud Security Alliance (CSA), Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 28.
252 Ibid.
253 Ibid.
254 cf. Ibid., 63-67.


Domain 12 contains the following sub-domains:
- Identity Provisioning – Recommendations
- Authentication – Recommendations
- Federation – Recommendations
- Access Control – Recommendations
- IDaaS – Recommendations

Domain 13: Virtualization

Outline of Domain 13: “The use of virtualization technology in Cloud Computing. The domain addresses items such as risks associated with multi-tenancy, VM isolation, VM coresidence, hypervisor vulnerabilities, etc. This domain focuses on the security issues surrounding system/hardware virtualization, rather than a more general survey of all forms of virtualization.” 255 256

Orientation In The Cloud Computing Jungle

Several, if not most, contributors to the CSA guidance are members of the cloud computing industry, an industry, nota bene, which wants to sell cloud services. Nonetheless, the author assumes that the guidance from the Cloud Security Alliance is an honest piece of work intended to help the cloud computing market to mature. This maturing will take several years because, due to the complex nature of cloud computing, the friction surface is naturally large. To keep one's orientation while assessing cloud computing solutions, a wide range of literature can be expected, from application-oriented works to fundamental and anticipatory scientific considerations. Several definitions, models and quasi-standards are about to emerge that guide and illuminate the risks and chances. Subsequently, these lists are further elaborated in order to give an overview of the cloud computing status quo with recommendable information sources. 257

Definitions of cloud computing:
- Widely accepted cloud computing definition from NIST (ibid.)

255 Ibid., 28.
256 cf. Ibid., 68-70.
257 cf. Chen, Paxson, and Katz, What’s new about Cloud Computing Security?, 2-3.


Maturity of the cloud computing industry:
- Major vendors make some efforts toward inter-compatible, open clouds (ibid. Market)
- Total size and diversified composition of the market (ibid. Defining Cloud Computing)

Literature with “How To” character:
- Cloud Computing Architectures by George Reese
- Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance by Tim Mather et al.
- Cloud Computing Use Cases by the Cloud Computing Use Case Discussion Group
- Cloud Computing: Implementation, Management and Security by John Rittinghouse

Scientific considerations which have an effect on the market:
- A Berkeley View of Cloud Computing as a much cited reference document 258
- Research challenges for Enterprise Cloud Computing as a much cited reference document 259
- Cloud Computing and Information Policy: Computing in a Policy Cloud? is one of a few sources about policy and cloud computing 260

White papers, presentations and reports from official organisations:
- Cloud Computing: Benefits, Risks and Recommendations for Information Security from the ENISA, which represents a reputable multistakeholder view 261
- Briefing Paper on Cloud Computing and Public Policy on behalf of the OECD 262

Cloud Computing Architecture and Risk Management Model:
- Cloud Computing Architectural Framework by the Cloud Security Alliance that offers a reference model, standardized architectural requirements and challenges (ibid. see practical part)

258 cf. Armbrust et al., Above the Clouds: A Berkeley View of Cloud Computing.
259 cf. Khajeh-Hosseini, Sommerville, and Sriram, “Research Challenges for Enterprise Cloud Computing.”
260 cf. Jaeger, Lin, and Grimes, “Cloud Computing and Information Policy: Computing in a Policy Cloud?.”
261 cf. Catteddu and Hogben, Cloud Computing: Benefits, Risks and Recommendations for Information Security.
262 cf. Nelson, Briefing Paper on Cloud Computing and Public Policy.


These recommendations are an excerpt of useful information sources that were also used as research sources for this thesis. Further information can be found in the bibliography. It may help the reader to find orientation and draw conclusions for the benefit of his own projects.

Significance: Evaluation Guide

For startups, entrepreneurs and small companies, the following aspects in the field of legal matters, regulation and standards may be of special interest:
- Technologically speaking, cloud computing is secure
- Security is inherently risk management
- An assessment framework such as the CSA Guidance is specialized in cloud computing
- Assessing cloud computing solutions needs enough management attention


Conclusion: Cloud Computing Information Systems For Startups

Concluding the significant findings from the four main chapters Defining cloud computing, Political implications and standardization, Market, economics and trends and Evaluation guide, it is evident that cloud computing has an immense potential, not only for startups and small businesses, but also for global society. As sophisticated information systems are becoming available as a service, companies are liberated from having to build up and operate their own infrastructure. This is especially welcomed by entrepreneurs in developing countries as well as by startups and small businesses. It allows them to benefit from higher service levels and lower costs which the cloud service provider can offer due to economies of scale. By contrast, enterprise corporations usually stick to their conventional, long-standing solutions or avoid public clouds, preferring private clouds which they can run on their own systems. This way they are able to avoid risks that could occur through the handing of their mission-critical data to third parties such as cloud service providers. The risks are mainly of a legal nature or stem from a lack of standardization, and are not classical security risks. Although cloud computing is politically desired, it will take time until the national legal systems have adapted to the internet realities of today, such as transborder data flow. On the standardization side, countless efforts are being made by non-profit organizations and the industry towards open, intercompatible cloud standards which would foster innovation and lower costs. However, it can be assumed that these legal and standardization issues will not hinder cloud computing in its successful progress. These issues can be mastered by seriously assessing the business and service-level requirements as a starting point in order to compare the various offerings that are available for most industries.

Assessment frameworks and guidance adjusted to the characteristics of cloud computing are publicly available. With all factors taken into account, cloud computing is a secure, affordable, lawful option for startups and small businesses from all over the world that is becoming more and more available for most industries and can help them concentrate on business innovation. The writer of this thesis strongly recommends considering cloud computing, but points out the need for a serious assessment in order to avoid losing control of the data whilst being locked in with a specific cloud computing provider.


Table Of Tables

Table a: Application of methodological approaches. Annotations: (H) main questions and assumptions hypothesized / * Without results from “Consulting Experts” and completely derived and supported by literature / ** Includes results from “Consulting Experts” and extensively derived and supported by literature / *** Includes results from “Consulting Experts” and enhanced with derived opinions from the author of this thesis / **** Setting in context Assumptions & Findings with own experiences

Table b: Conventional IT concept (old paradigm) compared with the cloud computing model (new paradigm). Source: Own comparison based on literature according bibliographic footnote, 2010.

Table c: Service-oriented architecture (SOA) is primarily the domain of IT analysts, BPM is the domain of business analysts. The bottom-up approach of HIM makes it possible for business people to define the processes, in other words providing support for the way humans work and interact with each other. Source: Own conclusion based on Fingar, 2009; Rayport and Heyward 2009.

Table d: Collection of aspects that need to be considered while assessing cloud computing solutions. Source: Own comparison based on literature according bibliographic footnote, 2010.


Table Of Illustrations

Illustration a: Visual Model of the NIST Working Definition of Cloud Computing. Source: Reproduced according original source by NIST, 2009.

Illustration b: Hybrid Cloud. Source: Cloud Computing Use Case Discussion Group, 2010.

Illustration c: The various offerings of cloud computing covers different levels of abstraction, the focus on consuming applications by the end user / business man is provided by SaaS. Source: Reproduced according original source by LSE Research Online, 2009.

Illustration d: Overview of some cloud offerings assigned to different services/taxonomies. Source: OpenCrowd, 2009.

Illustration e: Business Process Spectrum: Information systems need to comply with the soaring demand for relationship and communication. Source: Harrison-Broninski, 2009.

Illustration f: Human Interaction Management - An Evolution of Process Management. Source: Reproduced according original source by Korhonen, 2006.

Illustration g: Cloud Security Reference Model. Source: Reproduced according original source by Cloud Security Alliance, 2009.


Bibliography

Abdennadher, Nabil. Advances in Grid and Pervasive Computing: 4th International Conference, GPC 2009. 1st ed. Berlin; New York: Springer, 2009.

Adair, John. How to grow Leaders: The seven Key Principles of effective Leadership Development. 1st ed. London; Philadelphia: Kogan Page, 2007.

Alfred P. Sloan Foundation. “Information Systems Overview.” Sloan Career Cornerstone Center, April 19, 2009. http://www.careercornerstone.org/pdf/infosys/infosys.pdf.

Anderson, Janna, Andie Diemer, Eugene Daniel, Shelley Russel, Drew Smith, and Dan Anderson. “Workshop: Privacy, Security Implications of Cloud Computing.” Sharm El Sheikh, Egypt: Elon University, 2009. http://www.elon.edu/e-web/predictions/igf_egypt/cloud_computing.xhtml.

Armbrust, Michael, Armando Fox, Rean Griffith, Anthony D. Joseph, Randy H. Katz, Andrew Konwinski, Gunho Lee, et al. Above the Clouds: A Berkeley View of Cloud Computing. Berkeley: Electrical Engineering and Computer Sciences (EECS), University of California, February 10, 2009. http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf.

Asay, Matt. “Open source: The money is in the cloud,” December 3, 2009. http://news.cnet.com/830113505_3-10408562-16.html.

Avgerou, Chrisanthi. Information systems and the economics of innovation. 1st ed. Cheltenham; Northhampton: Edward Elgar Pub., 2003.

Balachandran, Bala V. “The Messiah of marketing,” July 17, 2006. http://www.thehindubusinessline.com/manager/2006/07/17/stories/2006071702171100.htm.

Baun, Christian, Marcel Kunze, Jens Nimis, and Stefan Tai. Cloud computing: Web-basierte dynamische IT-Services. 1st ed. Informatik im Fokus. Berlin; Heidelberg: Springer, 2009.

Bellomo, Michael. How to sell anything on Amazon ... and make a fortune! 1st ed. New York: McGraw-Hill, 2006.

Biddick, Michael. “Why You Need A SaaS Strategy.” Why You Need A SaaS Strategy, January 16, 2010. http://intelligententerprise.informationweek.com/showArticle.jhtml;jsessionid=5FTQXL0YBW3KVQE1GHPSKHWATMY32JVN?articleID=222301340.

Bittmann, Thomas. “Building a Private Cloud: Are We There Yet?,” February 17, 2009. http://blogs.gartner.com/thomas_bittman/2009/02/17/building-a-private-cloud-are-we-there-yet/.


Bourassa, Richard. “20th APEC Electronic Commerce Steering Group Meeting.” Singapore: Electronic Commerce Steering Group (ECSG), 2009. http://aimp.apec.org/Documents/2009/ECSG/ECSG2/09_ecsg2_summary.pdf.

Briscoe, Gerard, and Alexandros Marinos. “Community Cloud Computing.” Beijing: LSE Research Online, 2010. http://eprints.lse.ac.uk/26516/1/community_cloud_computing_%28LSERO_version%29.pdf.

Buyya, Rajkumar, Chee Shin Yeo, Srikumar Venugopal, James Broberg, and Ivona Brandic. “Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility.” Future Generation Computer Systems 25, no. 6 (December 11, 2008): 599-616.

Catteddu, Daniele, and Giles Hogben. An SME perspective on Cloud Computing. Heraklion [Crete]: European Network and Information Security Agency (ENISA), November 20, 2009. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-sme-survey/at_download/fullReport.

———. Cloud Computing: Benefits, Risks and Recommendations for Information Security. Heraklion [Crete]: European Network and Information Security Agency (ENISA), November 20, 2009. http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-riskassessment/at_download/fullReport.

Cerf, Vinton G., Sha Zukang, Hamadoun I. Touré, Koichiro Matsuura, Markus Kummer, Nitin Desai, Michalis Liapsis, et al. Internet Governance Forum (IGF): The First Two Years. 1st ed. Geneva: World Summit on the Information Society (WSIS), 2008. http://www.intgovforum.org/cms/hydera/IGFBook_the_first_two_years.pdf.

Chen, Lei, Chengfei Liu, and Xiao Zhang. Advances in Web and Network Technologies and Information Management. Vol. 5731. 2009th ed. Lecture Notes in Computer Science. New York; Berlin; Heidelberg: Springer, 2009.

Chen, Yanpei, Vern Paxson, and Randy H. Katz. What’s new about Cloud Computing Security? Berkeley: Electrical Engineering and Computer Sciences (EECS), University of California, January 20, 2010. http://www.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-5.pdf.

Cloud Computing Use Case Discussion Group. “Cloud Computing Use Cases White paper - Version 3.0.” Cloud Computing Use Case Discussion Group, February 2, 2010. http://cloud-computinguse-cases.googlegroups.com/web/Cloud_Computing_Use_Cases_Whitepaper-3_0.pdf?gda=iwLqyV8AAAAPGXgkJ5fi30lYg4awQpoEqWScDsHoVk5f48r18wRWOvRsmgvNFNvJoZZD7r3PzEf2eHjnTEKAfBvfYgf3pCOm2Nl_xKuxFIy3-WR9Ezn4SpxzIUqf6s0oL53Wkz8h1XQ.

Cloud Security Alliance (CSA). Security Guidance for Critical Areas of Focus in Cloud Computing V2.1. CSA is a group of like-minded associates (contributor list of this document on page 5-6) and does not have a location because it is purely located in the internet: Cloud Security Alliance, December 22, 2009. http://www.cloudsecurityalliance.org/csaguide.pdf.

Cohen, Reuven. “ISO Forms Group for Cloud Computing Standards,” November 6, 2009. http://www.elasticvapor.com/2009/11/iso-forms-group-for-cloud-computing.html.

———. “The Future of Cloud Computing Belongs to Asia,” November 12, 2009. http://cloudcomputing.sys-con.com/node/1184360.

———. “The United Nations of Cloud Computing,” June 16, 2009. http://www.elasticvapor.com/2009/06/united-nations-of-cloud-computing.html.

Copenhagen University College of Engineering. “JTC1/SC22/WG9 - Welcome to the ISO home of Ada Standards,” October 14, 2009. http://www.open-std.org/jtc1/sc22/WG9/organize.htm#jtc1.

Depena, Ray. “The Beauty of the Cloud,” August 18, 2009. http://dotnet.sys-con.com/node/1072760.

Ebert, Christof. Systematisches Requirements-Engineering und Management Anforderungen ermitteln, spezifizieren, analysieren und verwalten. 2nd ed. Heidelberg: dpunkt.verlag, 2008.

Fingar, Peter. Dot.cloud: The 21st Century Business Platform. 1st ed. Tampa: Meghan-Kiffer Press, 2009.

Foley, Mary Jo. “Microsoft's Azure cloud is officially open for business,” February 1, 2010. http://blogs.zdnet.com/microsoft/?p=5085.

Geeknet, Inc. “SourceForge - Find and Develop Open Source Software,” February 13, 2010. http://sourceforge.net/softwaremap/trove_list.php?form_cat=576.

Golden, Bernard. “Capex vs. Opex: Most People Miss the Point About Cloud Economics,” March 13, 2009. http://www.cio.com/article/484429/Capex_vs._Opex_Most_People_Miss_the_Point_About_Cloud_Economics.

Goldenberg, Barton. CRM in Real-time: Empowering Customer Relationships. 1st ed. Medford: CyberAge Books, 2008.

Goodman, Jason. “The CIO’s Guide To Cloud Computing.” GlassHouse Technologies, Inc., 2009. http://www.scribd.com/doc/26327785/The-CIO-s-Guide-to-Cloud-Computing.

Gunasekaran, Angappa. Global Implications of Modern Enterprise Information Systems: Technologies and Applications. 1st ed. Hershey: Idea Group Inc., 2009.


Harrison-Broninski, Keith. “Human Interaction Management.” A BPTrends Column, November 30, 2008. http://www.bptrends.com/publicationfiles/ONE%2012-08-COL-HumanProcesses-Harrison-Broninski20081104-proofed-corrected.pdf.

———. Human interactions: The heart and soul of business process management. 1st ed. Tampa FL: Meghan-Kiffer Press, 2005.

———. “The Future of BPM” presented at the SOLEA 2009 - International Symposium on Service-Oriented Locally adapted Enterprise Architecture, Espoo [Finland], April 23, 2009. http://www.uku.fi/solea/symposium2009/pres/Solea09-Harrison-Broninski.pdf.

Hayden, Mary, Jeff Thompson, and Jack Levy. The SAGE handbook of research in international education. 1st ed. London: SAGE Publications, 2007.

Hayes-Weier, Mary. “Alternative IT Software is New Reality.” InformationWeek, October 16, 2009. http://www.scribd.com/doc/22676189/Alternative-It-Software-s-New-Reality-Information-Week?secret_password=1wniolqlkz65sm5gp0iu.

Hummeltberg, Wilhelm. Informationsmanagement. Hamburg: Universität Hamburg, Faculty of Mathematics, Informatics und Natural Sciences, January 15, 2007. https://uni.unihamburg.de/fachbereiche-einrichtungen/fb03/iwi-ii/IM_Gliederung.pdf.

Hunton & Williams LLP. “APEC Forum Discusses International Privacy Legislation Developments,” July 28, 2009. http://www.huntonprivacyblog.com/2009/07/articles/international/apec-forum-discussesinternational-privacy-legislation-developments/.

Information Today, Inc. “What Is CRM?,” February 21, 2002. http://www.destinationcrm.com/Articles/CRMNews/Daily-News/What-Is-CRM-46033.aspx.

International Telecommunication Union (ITU). “ITU Telecommunication Standardization Sector (ITU-T) - MoU on electronic business between IEC, ISO, ITU, and UN/ECE,” March 5, 2008. http://www.itu.int/ITU-T/e-business/mou/mou.html.

Internet Society. Advisory Council (AC) Consultation on Cloud Computing for OECD Foresight Forum October 2009. Geneva: Internet Society, October 29, 2009. http://www.isoc.org/pubpolpillar/docs/cloudcomputing_200910.pdf.

Jaatun, Martin, Gansen Zhao, and Rong Chunming. Cloud Computing: First International Conference, CloudCom 2009, Beijing, China, December 1-4, 2009, Proceedings. 5931 vols. 1st ed. Computer Communication Networks and Telecommunications. Berlin; Heidelberg; New York: Springer, 2009.


Jaeger, Paul T., Jimmy Lin, and Justin Grimes. “Cloud Computing and Information Policy: Computing in a Policy Cloud?.” Journal of Information Technology & Politics 5, no. 3 (10, 2008): 269-283.

Johnson, Bobbie. “Cloud computing is a trap, warns GNU founder.” The Guardian. London, September 29, 2008. http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman.

Joint Technical Committee 1. Report of JTC 1/SWG-P on possible future work on Cloud Computing in JTC 1 - ISO/IEC JTC 1 N9687. Geneva: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), September 11, 2009. http://isotc.iso.org/livelink/livelink/fetch/2000/2489/Ittf_Home/MoU-MG/Moumg396.pdf.

Jost, Daniel. “Startup in the Cloud - Consulting Experts - Interview with Daniel Jost from CSS Gruppe about Simplicity.” Online Database Application, January 31, 2010. https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/recordsummary/Simplicity_View/363985000000086003/.

Khajeh-Hosseini, Ali, Ian Sommerville, and Ilango Sriram. “Research Challenges for Enterprise Cloud Computing.” Arxiv preprint arXiv:1001.3257 abs/1001.3257 (January 15, 2010). http://arxiv.org/ftp/arxiv/papers/1001/1001.3257.pdf.

Knipp, Eric, David Smith, David W. Cearley, and Yefim V. Natis. Creating Cloud Solutions: A Decision Framework. Stamford: Gartner, Inc., December 8, 2009. http://www.gartner.com/resources/171600/171623/creating_cloud_solutions_a_d_171623.pdf.

Koops, Bert-Jaap, Miriam Lips, Corien Prins, and Maurice Schellekens. Starting points for ICT regulation: Deconstructing prevalent policy one-liners. 1st ed. The Hague: TMC Asser, 2006.

Kooten, van, Michel, and Balder Verberne. “Enterprise Software Top 10: Salesforce running up the ranks,” September 4, 2009. http://www.softwaretop100.org/software-top-100/enterprise-top-10.

Korhonen, Janne. “BPM - A Systematic Perspective,” Helsinki, October 3, 2006. http://www.jannekorhonen.fi/blog/wp-content/BPM_Systemic_Perspective.pdf.

Lasica, Joseph Daniel. Identity in the Age of Cloud Computing: The Next-generation Internet's impact on Business, Governance and Social Interaction. 17th ed. Annual Aspen Institute Roundtable on Information Technology. Washington D.C.: Aspen Institute, 2009. http://www.aspeninstitute.org/sites/default/files/content/docs/pubs/Identity_in_the_Age_of_Cloud_Computing.pdf.


Lawson, Stephen. “PayPal opens door to developers,” July 23, 2009. http://www.infoworld.com/d/cloudcomputing/paypal-opens-door-developers-590.

Lucas, Sylvie. Progress made in the Implementation of and Follow-up to the World Summit on the Information Society outcomes at the Regional and International Levels - Report of the Secretary-General. General Assembly Economic and Social Council. Geneva: United Nations, March 13, 2009. http://www.unctad.org/en/docs/a64d64_en.pdf.

MacDonald, Neil, and David Mitchell Smith. “Gartner Fellows interview with Microsoft's Ray Ozzie on Cloud Computing,” October 30, 2009. http://www.gartner.com/technology/mediaproducts/reprints/microsoft/172235.html.

Mack, Eric. Video: David Allen - GTD and Cloud Computing. Adobe Flash on Youtube. Notes on Productivity, 2010. http://www.notesonproductivity.com/ICA/NOP.nsf/dx/video-david-allen-gtd-and-cloudcomputing.

Mather, Tim, Subra Kumaraswamy, and Shahed Latif. Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. 1st ed. Beijing; Cambridge [Massachusetts]: O'Reilly, 2009.

Mell, Peter, and Tim Grance. “The NIST Definition of Cloud Computing v15.” Computer Security Division of the US National Institute of Standards and Technology, October 7, 2009. http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.

Metz, Cade. “Will Google regret the mega data center?,” August 8, 2009. http://www.theregister.co.uk/2009/08/08/microsoft_azure_migration/.

Meyer, Dirk. Review: Peter Fingar, Dot.cloud: The 21st century business platform built on cloud computing. San Jose [California]: Adobe Systems, July 31, 2009. www.oevermeyer.net/dmeyer/files/dotcloud_reviewdirkmeyer.pdf.

Mittelstaedt, Robert, Dennis Hoffman, Elizabeth Farquhar, Steven Salik, and Sanjay Modi. “IT evolution: Why ERP systems face extinction - [email protected]. Carey,” February 28, 2007. http://knowledge.wpcarey.asu.edu/article.cfm?articleid=1378.

Nelson, Michael R. Briefing Paper on Cloud Computing and Public Policy. Cloud Computing and Public Policy. Paris: Organisation for Economic Co-operation and Development; Committee for Information, Computer and Communications Policy, September 29, 2009. http://www.olis.oecd.org/olis/2009doc.nsf/ENGDATCORPLOOK/NT00004FC6/$FILE/JT03270509.PDF.

O'Halloran, Kerry. Charity Law Social Policy: National and International Perspectives on the Functions of the Law relating to Charities. 1st ed. Berlin: Springer Netherland, 2008.


Object Management Group, Distributed Management Task Force, Open Grid Forum, Storage Networking Industry Association, Open Cloud Consortium, and Cloud Security Alliance. “Cloud Standards Coordination.” Cloud Standards Wiki, February 2, 2010. http://cloudstandards.org/wiki .

Oestereich, Bernd. Analyse und Design mit UML 2: Objektorientierte Softwareentwicklung . 7th ed. München; Wien: Oldenbourg, 2005. Palacin, Antonio. “Startup in the Cloud - Consulting Experts - Interview with Antonio Palacin from IBM Deutschland GmbH about Simplicity.” Online Database Application, January 24, 2010. https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/recordsummary/Simplicity_View/363985000000070991/ .

Rapp, Reinhold. Customer Relationship Management: Das neue Konzept zur Revolutionierung der Kundenbeziehungen. 3rd ed. Frankfurt: Campus Verlag, 2005.

Rayport, Jeffrey F., and Andrew Heyward. “Envisioning the Cloud: The Next Computing Paradigm.” Marketspace LLC, March 20, 2009. http://www.marketspaceadvisory.com/cloud/Envisioning-theCloud.pdf.

Reese, George. Cloud application architectures. 1st ed. Sebastopol [California]: O'Reilly, 2009.

Rittinghouse, John, and James F. Ransome. Cloud Computing: Implementation, Management and Security. Boca Raton [Florida]: CRC Press, 2009.

Roig, Antoni, and et al. “Proceedings of the First Workshop on Law and Web 2.0.” IDT - Institute of Law and Technology (UAB) 3. Law and Web 2.0 (September 18, 2009): 91.

Sansom, Clare. “Up in a cloud?.” Nature Biotechnology 28, no. 1 (January 4, 2010): 13-15.

SAP. “Getting Started with Human Interaction Management.” http://ecohub.sdn.sap.com/irj/sdn/nw-him?rid=/webcontent/uuid/10c0a6f1-429c-2b10-2eb4-9841e450f150 .

Schubert, Lutz, Keith Jeffery, and Burkhard Neidecker-Lutz. “The Future of Cloud Computing: Opportunities for European Cloud Computing Beyond 2010.” Brussels: Commission of the European Communities, Information Society & Media Directorate-General, 2010. http://cordis.europa.eu/fp7/ict/ssai/docs/cloud-report-final.pdf .

Schunter, Matthias. “Startup in the Cloud - Consulting Experts - Interview with Matthias Schunter from IBM Deutschland GmbH about Security.” Online Database Application, January 25, 2010. https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/recordsummary/Security_View/363985000000077011/

Spivey, Jeff, Phil Agcaoili, Joshua Davis, Geir Arild Engh-Hellesvik, David Lang, Jim Reavis, Ben Rothke, Joel Scambray, and Ward Spangenberg. “Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives.” Information Systems Audit and Control Association (ISACA), October 28, 2009. http://www.isaca.org/AMTemplate.cfm?Section=Deliverables&Template=/ContentManagement/ContentDisplay.cfm&ContentID=53044 .

Stadelmann, Daniel. “Startup in the Cloud - Consulting Experts - Interview with Daniel Stadelmann from wedoit AG about Industry.” Online Database Application, January 28, 2010. https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/recordsummary/Industry_View/363985000000085003/

Stanoevska-Slabeva, Katarina. Grid and Cloud Computing: A Business Perspective on Technology and Applications. 1st ed. Berlin; London: Springer, 2009.

Subramanian, Krishnan. “Cloud Computing and Developing Countries – Part 2,” September 25, 2008. http://www.cloudave.com/link/Cloud-Computing-and-Developing-Countries-%E2%80%93-Part-2 .

Sun Microsystems, Inc. “Open Source & Cloud Computing: On-Demand, Innovative IT On A Massive Scale.” Sun Microsystems, Inc., 2009. https://www.sun.com/offers/docs/open_cloud.pdf .

Taft, Darryl. “Asian Developers Moving to Cloud Computing,” July 7, 2009. http://www.eweek.com/c/a/Application-Development/Asian-Developers-Moving-to-Cloud-Computing-726568/ .

Thommen, Jean-Paul. Managementorientierte Betriebswirtschaftslehre. 7th ed. Zurich: Versus, 2004.

Touré, Hamadoun I., and Supachai Panitchpakdi. World Information Society Report 2007 - Beyond WSIS. World Information Society Report. Geneva: International Telecommunication Union and United Nations Conference on Trade and Development, May 16, 2007. http://www.itu.int/osg/spu/publications/worldinformationsociety/2007/WISR07_full-free.pdf .

University of Chicago. “The Chicago Manual of Style Online - 15th Edition: Chicago-Style Citation Quick Guide,” 2007. http://www.chicagomanualofstyle.org/tools_citationguide.html .

Velte, Toby, Anthony Velte, and Robert Elsenpeter. Cloud Computing: A Practical Approach. 1st ed. New York: McGraw-Hill, 2010.

Vembu, Sridhar. “Startup in the Cloud - Consulting Experts - Interview with Sridhar Vembu from Zoho Corp. about Innovation.” Email and Online Database Application, February 2, 2010. https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/recordsummary/Innovation_View/363985000000089005/ .

Verberne, Michel. “Global Software Top 100 - Interim Update,” December 24, 2009. http://www.softwaretop100.org/component/content/article/215-Global-Software-Top-100---Interim-Update

Wailgum, Thomas. “SAP CTO Vishal Sikka talks clouds,” June 23, 2009. http://www.cio.co.uk/article/117836/sap-cto-talks-clouds/ .

Wilson, Fred. “My Favorite Business Model,” March 23, 2006. http://www.avc.com/a_vc/2006/03/my_favorite_bus.html

World Bank Publications. Information and Communications for Development 2009: Extending Reach and Increasing Impact. 2009th ed. Washington D.C.: World Bank, 2009.

Wyld, David C., and IBM Center for the Business of Government. Moving to the Cloud: An introduction to Cloud Computing in Government. Hammond: Southeastern Louisiana University, October 26, 2009. http://www.businessofgovernment.org/pdfs/WyldCloudReport.pdf .

Xevelonakis, Evangelos. “CRM - Erfolgreiches Kundenbeziehungsmanagement mittels Differenzierungsstrategien.” Zurich: University of Applied Sciences in Business Administration Zurich (HWZ), 2009.

———. “Startup in the Cloud - Consulting Experts - Interview with Evangelos Xevelonakis Xenis from Swiss Valuenet about Simplicity.” Online Database Application, January 24, 2010. https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/recordsummary/Simplicity_View/363985000000080003/ .

Zittrain, Jonathan. The future of the Internet and how to stop it. 1st ed. New Haven: Yale University Press, 2009.

Annex: Consulting Experts

Source data of the qualitative survey conducted to obtain qualified answers to prevailing questions about cloud computing. The original survey data can be accessed here:

https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Industry_View
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Security_View
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Legal_View
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Costs_View
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Simplicity_View
https://creator.zoho.com/agrachina/startup-in-the-cloud-consulting-experts/#View:Innovation_View

Where a consulted expert's statement is cited in the thesis, a footnote links to the corresponding entry in the bibliography. All answers from this Consulting Experts survey that are quoted in the thesis were translated by the author of this thesis.

Dr. Antonio Palacin on “Simplicity”

Interview Partner

Dr. Antonio Palacin, Director of ISICC IBM SAP International Competence Center, Walldorf, Germany

Field of experience

IBM broad product portfolio, Sales and management skills, technical integration of IBM products and SAP applications

More info

http://ch.linkedin.com/pub/antonio-palacin/10/8a7/536

Special subject of interview

Simplicity

Interview Type

Answering predefined questions

In a small company, who can derive business requirements into information management systems based on cloud computing?

It depends on the industry. In general, the link between business requirements and the associated information systems should be owned by one of the managing directors. This person should have a counterpart in each line-of-business or main organization within the company. Those departments should summarize their needs. Finally it is the task on C-level to derive the right catalogue of services and to combine the different requests.

How easy is it to connect one cloud with another?

Technically many of those business applications are web based applications. Connectivity is not the real problem. Data security and data consistency are still a big problem, even within traditional IT infrastructures. On the cloud it is one of the main inhibitors today.

How to switch from one to another cloud computing provider?

There are no or only little experiences on that. Main problem will be to extract all the data and to import into another application hosted by a different provider. Why should a cloud service hoster provide this mechanism that at the same time is offering his client a way to cancel the contract?!

Will cloud computing help to popularize BPM even in the small company market?

In specific areas "yes". E.g. simple processes could be hosted in a cloud: eMail, data repositories for backup, etc. In other areas where mission-critical data and access rights are targeted I still do not see how this can be ensured.

Should small companies understand the concept of EA (enterprise architecture) or is it sufficient if they are able to compare the business functionality of different cloud computing offerings?

The most important thing to understand are the SLA (Service Level Agreement) between customer and cloud provider. But a basic understanding what is possible will also help to question if all promises are really technically possible.

Can small companies start using advanced functionality (e.g. data warehouse) which they hadn't the chance without cloud computing?

I am not aware of any example that is only provided in the cloud. Everything can be run "on-premise" or hosted by a 3rd party company based on a traditional IT infrastructure.

Comments

-

Added Time

24/01/10 19:12

Prof. Dr. Evangelos Xevelonakis Xenis on “Simplicity”

Interview Partner

Prof. Dr. Evangelos Xevelonakis Xenis, Managing Director and CRM Advisor at Swiss Valuenet, Zurich, Switzerland

Field of experience

Senior Business Analyst with broad experience in Telecommunications and Banking. Particularly interested in CRM Analytics, Campaign Management and Business Engineering

More info

http://ch.linkedin.com/in/xenis

Special subject of interview

Simplicity

Interview Type

Answering predefined questions

In a small company, who can derive business requirements into information management systems based on cloud computing?

It depends on the company's size. But I think the CEO is the appropriate person.

How easy is it to connect one cloud with another?

It depends on the environment and the number of different providers.

How to switch from one to another cloud computing provider?

There are some switching costs associated. -contracts, -data management, -training

Will cloud computing help to popularize BPM even in the small company market?

I do not see here a direct relationship between these concepts.

Should small companies understand the concept of EA (enterprise architecture) or is it sufficient if they are able to compare the business functionality of different cloud computing offerings?

I would say they have to differentiate their solution. It is important to design an architecture containing both elements.

Can small companies start using advanced functionality (e.g. data warehouse) which they hadn't the chance without cloud computing?

Yes. I think some expensive applications in the BI area and CRM. However the topic of data privacy and security has to be addressed.

Comments

-

Added Time

24/01/10 20:08

Dr. Matthias Schunter on “Security”

Interview Partner

Dr. Matthias Schunter, Research Staff Member of the Network Security and Cryptography Research Group, IBM Zurich Research Laboratory, Zurich, Switzerland

Field of experience

The IBM Zurich Research Laboratory in Rüschlikon is globally at the cutting-edge regarding science and technology

More info

http://www.zurich.ibm.com/~mts/

Special subject of interview

Security and Privacy regarding cloud computing

Interview Type

Answering predefined questions

Which efforts must be taken to resolve the security worries of cloud computing?

Depends on type of cloud computing. Infrastructure/Software/...

Is a private cloud as secure as a conventional inhouse IT?

Yes and no. Depends on the quality/experience of the provider. Good provider should be better than bad in-house IT.

Why has public cloud the reputation to be less secure than an outsourced IT environment?

Because enterprises lose power and control. More dependence on internet connection.

Cloud computing applications are often based on open source software. Could it become more secure, if the cloud computing applications would be based on proprietary closed-source software?

no

Are cloud computing solutions auditable as good as conventional information management solutions?

no

How are cloud computing solutions fitting in the concepts and practices of ITIL, especially regarding the security management?

unclear. Due to black-box approach usually harder to integrate into ITIL

Comments

I suspect that the market will mature by itself: today, mostly only toy applications are used (or startups). Large enterprises use clouds only if the operator is trustworthy and has a corresponding track record. In the medium term, providers therefore have an interest in raising quality in order to enlarge their market. Since clouds are currently completely non-transparent, it could help to adapt existing legal requirements for the cloud, e.g. what does Sarbanes-Oxley, ... mean in a cloud. This would have to lead to more transparent interfaces. A further risk is lock-in and the formation of monopolies through economies of scale.

Added Time

25/01/10 10:57

Daniel Stadelmann on “Industry”

Interview Partner

Daniel Stadelmann, General Manager of wedoit AG, Luzern, Switzerland.

Field of experience

wedoit AG is an IBM Premier Business Partner and infrastructure and project management specialist with renowned customers such as Novartis, Pilatus Flugzeugwerke or RBS Coutts.

More info

www.wedoit.ch

Special Subject of interview

Industry / Market readiness for cloud computing

Interview Type

Answering predefined questions

Is cloud computing for all industry sectors an option?

No

Can the cloud computing market provide sufficient consulting expertise to realize the requirements of customers of all industries?

No! Even today it is very difficult to find competent and appropriately trained consultants who can properly implement a perfectly ordinary infrastructure project with everything that goes with it. The know-how and the unavailability of specialists will be the biggest problem for the breakthrough of cloud computing.

Which industries are using broadly cloud computing applications?

At the moment it is above all a buzzword of the hardware manufacturers, who are trying to place their products with it. We do not yet have any concrete customer projects in which cloud is really a topic.

Which industries don't accept their suppliers to store business critical data in the cloud?

All customers who know the value of their data will not want to move it into a cloud! In a cloud I hand over control of the data. I do not believe that only banks or insurance companies have problems with this; I can imagine that industrial companies with patents and special know-how also have a problem with it.

Are there industries where public cloud computing offerings will not be accepted for the time being?

At the moment I do not see any industry that would simply move its most important data into a cloud.

How will trading companies have to differentiate themselves in the future, assuming that most market participants use seamless supply chains with their suppliers?

-

Comments

Cloud brings some interesting approaches with it; these are of interest above all to large companies, which will try to implement clouds internally. At the moment, however, I see only a very limited market for external clouds into which companies will move their data.

Added Time

28/01/10 11:10

Daniel Jost on “Simplicity”

Interview Partner

Daniel Jost, System Developer, CSS Group, Luzern

Field of experience

IT System Engineering and Developing

More info

-

Special Subject of interview

Simplicity of cloud computing

Interview Type

Answering predefined questions

In a small company, who can derive business requirements into information management systems based on cloud computing?

In SMEs, the expertise needed to translate business processes into IT systems is rarely available. IT is rarely part of the core competence. An implementation of cloud computing is therefore only possible with experienced experts who also have an understanding of the industry.

How easy is it to connect one cloud with another?

With a clean definition of the interfaces between the applications, the level of difficulty is certainly no greater than when integrating different server-based applications from different vendors.

How to switch from one to another cloud computing provider?

Should be set down with the selected provider before the project begins.

Will cloud computing help to popularize BPM even in the small company market?

Acceptance will remain critical as long as questions about data protection (what if my data is stored on a computer in the US) have not been clarified with certainty. At the moment certainly interesting for international companies, which already have to deal with these questions today.

Should small companies understand the concept of EA (enterprise architecture) or is it sufficient if they are able to compare the business functionality of different cloud computing offerings?

For SMEs it is sufficient that they understand the business functions of the different offerings. What is important, however, is that there is trust regarding where the data is and what happens to it.

Can small companies start using advanced functionality (e.g. data warehouse) which they hadn't the chance without cloud computing?

If cloud computing is a topic in SMEs, projects should be deliberately sought that yield business-relevant advantages only with cloud computing.

Comments

At present I see cloud computing above all for (international) large enterprises, which already have experience with data being stored at different locations. From a business point of view, data protection is central here.

Added Time

31/01/10 16:55

Dr. Sridhar Vembu on “Innovation”

Interview Partner

Dr. Sridhar Vembu, CEO Zoho Corporation, Pleasanton, USA

Field of experience

Founder of AdventNet (now Zoho), PhD in Electrical Engineering from Princeton University

More info

http://www.forbes.com/2008/02/22/mitra-zoho-india-techinter-cx_sm_0222mitra.html

Special subject of interview

Innovation

Interview Type

Answering predefined questions

How can cloud computing lead to new business?

It depends on how the functionality is used. Collaborative tools can help make transparent and well-informed decisions. People at various job positions can share their ideas and contribute to collective innovation. For example, people at different levels in the organization can come up with an innovative idea. This is unlikely to happen in traditional offices. Saas is changing the way you work. But if someone posted some idea not very “sweet” to the boss and got punished for it, then nobody would dare to post his ideas any more, innovation suffers, and we have an organization of yes-men.

If in the future everyone can afford advanced business applications because of cloud computing, how can companies differentiate themselves from their competitors?

Companies do not differentiate themselves because they use electricity. Why should business applications confer any particular advantage? No matter how advanced a business application is, it’s just a tool. Having the tool improves productivity and efficiency. Companies need to focus on their businesses, always thinking about how to satisfy customers’ needs in a better way? As long as companies are offering what the customers need with better quality, better user experience, they’re differentiating themselves from their competitors.

How will cloud computing change the way to do business?

Thanks to cloud computing, one can do business faster, better and cheaper. By networking geographically different teams, cloud computing enables easy collaboration. Cloud computing delivers substantial savings in capital expenses and massive productivity gains to businesses. Today, it is possible to set up the essential IT apps needed to run a business in just a few days, entirely online, with a convenient pay-as-you-go model.

What brings the future of cloud computing?

Traditional software is hard to integrate; this is an area where cloud applications can shine based on technological advantages in systems integration. I don't know. I believe contextual integration of applications is the key information accessed from a variety of different applications in a single page, for example.

Will the semantic web become reality because of cloud computing?

On the contrary, Saas incubates innovation. Due to the rapid evolution of cloud services, and the attractive pricing - often a fraction of traditional software - there is substantial innovation up and down the technology stack. As an example, cloud vendors are pioneering new forms of low-cost network storage, new forms of databases. Both file systems and databases have been stagnant for a long while, and it is cloud computing that brought them new life.

The rise of cloud computing goes along with increased usage of open source based software. Will that lead to additional innovative business applications and is that beneficial for future efforts of t The rise of cloud computing goes along with increased usage of open source software. How is the open source community anticipating that and what are the consequences for the degree of innovation?

There have been major advances in open source distributed file systems and databases in recent years, spurred by cloud computing. Javascript frameworks like jQuery have enabled major advances in client functionality. Open source and cloud applications have worked in a virtuous cycle of innovation, and adoption.

Comments

-

Added Time

01/02/10 23:12
