Cloud Computing 101

Terry Gray, PhD
Associate Vice President, University Technology Strategy & Chief Technology Architect
University of Washington
February 2009

Post on 20-Dec-2015


• Hot or Not?

• Background

• Tradeoffs

• Needs/Expectations

• Role of Central IT

• Institutional Strategy

• Market Transformation

• Case Studies

• Summary

CC Quote #1

“It's stupidity. It's worse than stupidity: it's a marketing hype campaign.”

“Somebody is saying this is inevitable – and whenever you hear somebody saying that, it's very likely to be a set of businesses campaigning to make it true."

Richard Stallman 29 Sep 08 UK Guardian

CC Quote #2

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do.”

Larry Ellison 25 Sep 08 Wall Street Journal

CC Quote #3

"When people talk about cloud computing, they're talking just about taking some stuff, putting it outside the firewall, and perhaps putting it on servers that are also shared or storage systems."

Steve Ballmer 25 Sep 08 @ Churchill Club (InternetNews)

Microsoft Cloud Vision: “Software and Services”

"We're taking everything we do at the server level and saying we will have a service that mirrors that exactly. It's getting us to think about data centers at a scale that we haven't thought of before... [to create] a mega-data center that Microsoft and only a few others will have."

-Bill Gates @WWDC, quoted in NY Times 3 June 2008

"We believe that by 2010, at least 25 percent of our Office users will be using some kind of [online] service provided by Microsoft"

-Eron Kelly, Director of Product Management, 2008

The rise of utility computing

So... Cloud Computing:

Hot or Not?

Nick Carr

Richard Stallman

Larry Ellison

Bill Gates

Background

What is Cloud Computing? aka “utility computing”, “SaaS”

• Usually web-based apps running “elsewhere”
• Early examples: Hotmail (1994), Salesforce (1999)
• Also “platform services”: renting computing/disk

• Not traditional "outsourcing the IT dept"
• But it impacts current dept'l & central IT svcs

• Both consumer and enterprise services
• Many vertical apps, e.g. PCI, CRM

• Think timesharing service bureaus, but with new technology and new business models:
  • Low cost via high-scale, uniform tech & contracts
  • Hybrid “free & fee”; low-touch DIY support

Full circle: Mainframe → Mini → PC → "Cloudframe"

Motivation

• Individual
  – Effectiveness: convenience, flexibility, resilience
  – e.g. cross-org collaboration; episodic calculations

• Institutional
  – Efficiency: reduce IT costs; raise PI effectiveness
  – e.g. reducing datacenter & support costs

→ This is where our students/fac/staff will be!

→ Many of them seek a more “integrated life”

Cloud Dependencies: the essential ecosystem

• To be effective:
  • Advanced web browsers
  • Fast & dependable networks

• To be efficient:
  • Multiple, massive datacenters
  • Low-touch support paradigm

IT Evolution: from artifacts to abstractions

• Build e.g. Pine

• Buy (a right to use) e.g. Exchange

• Borrow (open source) e.g. Thunderbird

• Barter*/Rent (cloud svcs) e.g. Gmail

The last two are transformational, especially in bad times

* eyeballs for ads

IT Evolution: Who ya gonna call (for commodity IT)?

Individual

Departmental

Central

Cloud

Goodbye “IT priesthood”... Hello “Consumer Computing”

In the beginning...

IT Evolution: cloud applicability will grow over time

[Figure: panels for 2008 and 2012; labels: Extreme Computing, Mundane Computing, Cloud, Dedicated]

History

1949: ADP founded (Cloud's spiritual ancestor?)

1994: Hotmail

1999: Salesforce.com

2003: MySpace; Nick Carr's “Does IT Matter?”

2004: Gmail, Facebook

2005: YouTube

2006: Amazon S3/EC2, Google Apps

2007: MS announces ExchangeLabs

2008: Zoho selected by GE (400,000 seats)

A Tale of Two Clouds (or maybe twenty...)

Application Services (SaaS), e.g. Gmail

Platform Services (PaaS), e.g. Amazon EC2, S3

A Tale of Many Clouds: “The Cloud Multiverse”

- SaaS vs. PaaS
- Microsoft vs. Google vs. ...
- Consumer vs. Business
- Free vs. Fee
- Internal vs. External
- etc...

All of these co-exist, along with hybrids, e.g. local + cloud

Cloud Business Models

• Fee for service / subscription (advantage MS)

• Free / Ad-based (advantage Google)
  – Our eyeballs = their inventory
  – Advertisers = their customers

• Most vendors use both models

• High-scale efficiency & self-support is crucial

• Initially: focus on individual consumer
  Now: add enterprise deals w/premium svcs

Sweet Spot?

• Accepted wisdom: Small – Medium Business
  PaaS especially attractive for Start-Ups

• BUT: large research universities can be thought of as federations of hundreds of independent businesses... YET: Higher-Ed is still split over CC use

• Datacenter issues will drive eScience choices

• Large businesses are just starting to embrace e.g. GE's 400,000 seat Zoho deal

Some Cloud Computing Vendors (at different service layers)

Application Service (SaaS): MS Live/ExchangeLabs, IBM, Google Apps; Salesforce.com, Quicken Online, Zoho, Cisco

Application Platform: Google App Engine, Mosso, Force.com, Engine Yard, Facebook, Heroku, AWS

Server Platform: 3Tera, EC2, SliceHost, GoGrid, RightScale, Linode

Storage Platform: Amazon S3, Dell, Apple, ...

Tradeoffs

Traditional Out-tasking Tradeoffs

Advantages
• Allows enterprise to focus on strategic core competencies
• Easier to re-allocate resources & staff
• Can leverage financial structure

Disadvantages
• Loss of control, agility, flexibility
• High contract management overhead
• Quality control can be hard

TCO ???, Security ???, Liability ???

Cloud-Sourcing: Summary of Tradeoffs

Why it's becoming a Big Deal
• Use high-scale/low-cost providers; geo-diversity
• Any time/place access to docs via web browser
• Rapid scalability; incremental cost; load sharing
• Share of mind: no need to focus on commodity IT

Concerns
• Performance, reliability
• Control of data, service parameters
• Integration among tech silos
• Application features, choices
• Privacy, security, compliance, etc

CC Attractions: in more detail

• Cost
• Flexibility; rapid scalability and de-scalability
• Data replication; geo-diversity
• Easier cross-institution collaboration
• Any {time, place, device} access via web browser
• Alternative if dept'l or central IT non-responsive
• This is where our students/fac/staff will be!
• Priorities: no need to focus on commodity IT
• Future of computing, esp. eScience

Cloud Concerns

• Control vs. Locality
  – Central vs. decentral redux
  – Vendor surprises (e.g. feature changes)
  – CC does not lend itself to bureaucratic control

• Technical limitations
  – Accessibility and UI limitations of web apps
  – Reliability, performance, security; offline use
  – Lack of IAM integration (e.g. groups; logins)
  – Lack of interoperability (e.g. cal, groups, dir)

Institutional risks...

Institutional Concerns

• CISO
  – Security
  – Ability to do forensics after a compromise
  – Liability transfer

• Attorney General, Risk Management
  – Compliance, especially eDiscovery
  – Also ITAR, HIPAA, FERPA, etc
  – Indemnification

Why use cloud-computing?

Scalability: Handling load peaks (EC2 instances for a new Facebook app)

Why not use cloud-computing?

Ooops...

“74% ... prefer SaaS”

Why some enterprises are not interested in SaaS

Forrester Research study:

• 66% Integration issues
• 61% Total cost of ownership concerns
• 55% Lack of customization
• 50% Security concerns
• 42% "We can't find the specific app. we need"
• 39% Complicated pricing models
• 39% Application performance
• 34% "We're locked in with our current vendor"

Challenging Assumptions

SaaS/Cloud Apps enable virtual desktops and platform flexibility

Needs & Expectations

Things We Need from the Cloud

• All the usual (e.g. reliability, perf, security, cost)

• Serious business partners (e.g. security, SLAs)

• Flexibility, choice

• Interoperability

• Interoperability

• Interoperability

Typical Vendor Preferences

• Desktop
  – Microsoft
  – Apple
  – Linux

• Mobile
  – Blackberry
  – iPhone
  – Android
  – Pre...

• Backroom
  – Microsoft
  – Linux & Unix
  – Apple

• Cloud
  – Google
  – Microsoft
  – Amazon
  – etc...

Claim: Homogeneity is not an option at any real research university

Key: Interoperability

• Across cloud silos

• Across desk/mobile platforms

• Across institutions

• With enterprise IAM

• With stds-based thick clients

• Poster-child: Calendaring

• Beware vendor myopia...

• The cloud is different

Interoperability Model

[Diagram labels: Cloud Provider A (Microsoft); Cloud Provider B (e.g. Google); Microsoft Thick Client; Non-MS Thick Client; Generic Web (thin) Client; Open Protocols; HTTP; Proprietary Protocols; Enterprise IAM Server]

Role of Central IT

The Elephant in the Room

What is the future of Central IT?

Seattle Times April 1971 Hwy 99

We're Not Dead Yet!

“The IT department is far from dead yet - and will play the central role in managing the shift to the utility model and the coordination between Web-based services and those supplied locally.”

-Nick Carr

Also: "The End of Corporate Computing"

Which is good...

Institutional Value-Add

• Many cloud services originally targeted individuals, not institutions
  • e.g. Windows Live, Google Team Edition
  • Contract is between vendor and end-user

• Institutional involvement brings:
  • Better risk management (e.g. Dept'l oversight)
  • Better compliance options (e.g. eDiscovery)
  • Group management for provisioning, billing
  • Branding opportunities

• Some services need to be kept internal
  • Key issue: locality vs. control & responsiveness

Role of Central IT: a question of degree

• Support institutional compliance goals
  • Assist with policy and guideline definition
  • Partner selection; relationship & svc management

• Improve the user experience
  • Foster interoperability across vendors
  • Integrate with campus apps & IAM services
  • User support??? (Not necessarily)

Policy Development

• Data protection guidelines
  – Local
  – External
  – Mobile

• Appropriate cloud use guidelines

– There are things that should not be in the cloud!

Institutional Strategy

Strategic Choices: given that cloud use is already widespread

• What are the institutional goals for cloud use?
  – How do partner contracts affect institutional risk?
  – What about other external and mobile data?
  – What is the target adoption rate? How soon?

• What is role of central IT?
  – How much central app and IAM integration?
  – How much centrally-provided user support?

Strategic Assumptions

• Cloud computing is transforming IT

• Cloud usage is growing & unstoppable

• Institutional risks are greater if we do nothing

• Central role: enable, increase compliance, usability

Key questions:

• How much central integration & support?
• Lead, follow, or get out of the way?

Institutional Goals: for any central cloud computing role

• Compliance (e.g. eDiscovery, FERPA)

• Cost savings / avoidance (e.g. datacenter)

• Individual effectiveness ...

– IAM integration (e.g. group mgt)

– Application integration (e.g. calendar, Catalyst)

– Cross-vendor interoperability

Increase:

Institutional Risks

• Operational (service or business failures)
  • Individuals have biggest stake here for now

• Financial (surprise support or integration costs)
  • High-touch support model could kill future savings

• Compliance (failure → liability cost)
  • Primarily unauthorized disclosure of sens. info
  • Limited forensics ability → notification cost
  • Ability to respond to legal requests for data

NB:
1) these kinds of business risks are uninsured
2) departments assume $$ liability for failure to comply w/UW policies
3) external/mobile data risks are not limited to cloud computing

Risk Mitigation: compared with status-quo

Contract terms added

Data security guidelines to define appropriate cloud use

Partner contracts provide for “admin” accounts

Inability to comply with FERPA

Disclosure of confidential data

Inability to respond to eDiscovery request

Example Policy Choices

• Appropriate use? (e.g. HIPAA, GLB, classified?)

• Partners: who and how many?

• Service eligibility: who and for how long?

• Premium services: how to fund/bill?

• Name spaces: common or free-for-all?

• Password policy: Same, different, don't care?

• User support tools: integrated or separate?

• Departmental or UW branding & administration?

Recommendations: for central IT role to add value, reduce risk

• Lead & Follow
  • Encourage cloud use; Partner w/MS, Google, Amazon
  • Provide expertise & coordination; Assist policy efforts

• “Get out of the way”
  • Facilitate master contracts meeting UW & dept needs
  • Enable, don't mandate; soft-launch

• Moderate Integration (IAM and application)
  • Balance usability/compliance goals w/TCO
  • Avoid both too little/too much; slippery slopes

• Minimum User Support
  • Manage central “Admin” accounts
  • Embrace low-touch DIY support paradigm

Is There Consensus?

• Cloud use should be encouraged, consistent with compliance obligations

• Institutional risk is reduced by executing partner contracts and incenting their use

• Institutions should leverage the cloud's low-cost user support model as much as possible

Market Transformation

Response: MS Live & BPOS

Microsoft's Challenge

• Software-and-Service theme:
  – Innovator's Dilemma: new cannibalizes old
  – How to preserve cash cow while embracing cloud?
  – Natural focus on traditional base

• Will focus on base undermine larger opportunity?

• We in central IT empathize with this challenge!!

• Key to broader success: interoperability standards

Case Studies

Case Study: DreamHost

23 May 08: Tom says...

“we are taking some steps to stop providing email. It’s just not something people are looking for from us, and it’s something the big free email providers like Yahoo, Microsoft, and Google can do better.”

Case Study: DreamHost

Noteworthy rebuttal :)

27 May 08: Tancred Says...

“This is totally rubbish. I have been with dreamhost for at least 5 years. I host with you for one reason. SSH + pine.”

Case Study: Bechtel

• 2000: Mandate to cut IT costs by 25%
• Used Six-Sigma process to focus on inefficiencies
• Internal report cards; compare w/ other companies
• Achieved 30% improvement
• Data Center consolidation: >30 → 12 → 3
• Networking: Use the Internet; become an ISP
• Now: embracing web-based cloud computing, becoming client agnostic; virtual desktops; becoming more “university like” re net security and desktop management.

MS shop, but looking at Google Apps, etc

Case Study: UW

Widespread Use @ UW: without any central involvement

• 50% of students forward their UW email to cloud

• Popular cloud apps:
  • Facebook: 64K UW users; now big in classes
  • Google Gmail, Docs, Calendar
  • Windows Live (esp. Messenger)
  • Doodle (meeting scheduler)
  • Blackboard online used by Foster & UWB

• Platform services
  • Amazon EC2/S3
  • Slicehost

UW Faculty Quotes

• I have been subscribing to FilesAnywhere as a file storage/versioning system for my (distributed) research group for about 5 years.

• I have used WebEx audio/web conferencing and NetMeeting for several software demos and collaborative work sessions.

• Last year I used AOL IM Chat as a virtual meeting space for one session of a class of 20 students that would otherwise have been cancelled due to ice/snow. I thought it was a good experience, and several students commented positively on it in their evaluations.

• Various UW committees that I'm part of have used Google docs to share files and write together.

• I've used AOL IM for online office hours and seedwiki for students to share information about the books they were using for course research.

• Blogspot.com - students required to start, maintain and post to their own blogs (in lieu of a Moodle discussion forum)

• Adobe ConnectPro and GoTo Meeting for synchronous presentation/discussion.

• Skype for one-to-one office hours with DL students

• Voicethread (one of the coolest tools I've seen in awhile) for asynchronous video chat/discussion.

• One faculty used Office Live Workspaces last year in a class, he also is working on a new certificate that we are starting in Second Life.

• Our entire distance Master's program is delivered using Adobe Connect (which is a cloud service that is hosted on campus, but the same idea). All of those classes also use Windows Messenger for chat.

• A huge percentage of other classes use Facebook, Google Apps, BootCamp, WordPress etc. Basically name one and you'll find some class using it.

• I use Facebook in my courses as well as PBWiki.

• In the past, I used Live Office Workspace.

• I use GoToMeeting and Webex for some outside presentations as well as Adobe services.

• Our corner of the Dean's Office uses Google Calendar, and we're exploring switching the whole office over to it.

Summary

Terry's Top Ten CC Questions

1. What is it?

2. Isn't this just grid computing?

3. Isn't this just like the old time-sharing service bureaus?

4. Is this just about "Google Apps"?

5. Is anyone at our institution really using these services yet?

6. There has been a lot of talk about the privacy, security, and compliance (e.g. eDiscovery) risks associated with services such as Google "Apps for Edu" offering. What's the scoop?

7. Doesn't a contract with Google, MS, Amazon, etc, create unnecessary risk?

8. Aren't there things we should not use cloud services for?

9. Isn't it true that no large corporations are using these services due to security and compliance concerns?

10. If we ignore this problem, won't it just go away?

Recap

• Cloud computing is transforming IT
  • Already widely used by UW individuals
  • Emerging as integral to research & teaching

• Key concern: institutional risk management
  • Policies needed for all cases: local/external/mobile
  • Risk of status quo >> risk of partnership

• Key questions re central role (compliance, usability)
  • How much central integration & support?
  • Lead, follow, or get out of the way?

Central IT Recommendations

• Lead & Follow
  • Encourage cloud use; Partner w/MS, Google, Amazon
  • Provide expertise & coordination; Assist policy efforts

• “Get out of the way”
  • Facilitate master contracts meeting UW & dept needs
  • Enable, don't mandate; soft-launch

• Moderate Integration (IAM and application)
  • Balance usability/compliance goals w/TCO
  • Avoid both too little/too much; slippery slopes

• Minimum User Support
  • Manage central “Admin” accounts
  • Embrace low-touch DIY support paradigm

Discussion Topics

• How committed are vendors to interoperability?
• Web-based ads vs. thick clients
• Goal of broad contracts w/cloud providers
• Does a contract increase or decrease risk?
• Consequences of no institutional contract?
• Geographic issues: PRA/FOIA, Patriot Act, etc
• Health care opportunity; HIPAA
• Policy/guidelines for using cloud services...
• Relationship to data security standards?

Discussion

UW: meeting the cloud head-on