Cloud Busting Roundtable: sponsored by Eduserv
Participants at the Roundtable:
Peter Heather, Head of IT & Systems, WaterAid
Peter is responsible for the development, implementation and management of IT and systems across WaterAid globally, ensuring they are fit for purpose for a growing international development NGO. He also leads the information technology support service and infrastructure across WaterAid globally to ensure effective communication, information sharing, accountability and learning.
Alan Downey, Information Security Manager, Marie Curie Cancer Care
Alan is a Senior IT Manager with over 12 years' experience in Information Security and 6 years in IT Audit within the public, private, charity and local government sectors, including international organisations and companies of a diverse nature, ranging from IT/telecommunications, electricity and education to local councils, in both permanent and contract placements.
Aimee White, Website and IT Manager, Charity Finance Group
Aimee ensures the use of technology supports the delivery of CFG’s strategy, making sure that technological solutions support the smooth running of the business. Aimee joined CFG in April 2011 as the personal assistant to the CEO, and moved to the position of Website and IT Manager in July 2012.
Brian Shorten, Chairman, Charities Security Forum
Brian is chairman of the Charities Security Forum, the premier group for information security professionals working in the charity sector. He was previously at Cancer Research UK, MCI and Standard Bank London. He is a highly qualified information security management expert with experience in the financial and telecommunications industries.
Mark Child, partner, Kingston Smith Consulting
Mark joined Kingston Smith Consulting in March 2009. He is the Partner leading the technology risk management practice line. Prior to joining Kingston Smith Consulting, Mark was EMEA Director for the consulting firm Jefferson Wells and, before that, global Director of Information Technology Audit at Aviva. Mark's clients range from financial institutions to charities and not-for-profit clients.
Stephen Murgatroyd, The Institute of Operational Risk & British Computer Society
Stephen has been co-opted to the Institute of Operational Risk Executive Committee with a mandate for day-to-day management of membership approvals and for implementing system improvements in a more rigorous and formal way; the process has evolved from an informal manual system into a semi-automated, non-trivial one.
Ed Zedlewski, CIO and Deputy CEO Eduserv
Ed has been Deputy Chief Executive of the not-for-profit IT supplier Eduserv since its incorporation in 1999, and prior to that played a critical role in the development of the technology services that subsequently became part of Eduserv. He led the architecting of the Athens Access & Identity Management technology (the principal IdM system used across Higher Education and the NHS).
John Simcock, Client Director, Eduserv
John joined Eduserv in early 2010 and manages major accounts across the charity and public sectors. Prior to joining Eduserv, John worked for Computacenter as the Client Manager for a large Government client and for Fujitsu/ICL managing key Partners and System Integrators. John has over 35 years' experience in the IT industry and has a broad range of skills and experience.
Cloud Busting Roundtable:
Cloud computing provides a quick and cost-effective way of accessing computing services and resources, delivered as a service over a network, without the need to invest in hardware and independent of your physical location.
But is this the way it is perceived? Looking at cloud from a definition perspective, Alan Downey noted he had seen quite a bit of cloud throughout his career. “It seems to encompass anything anybody wants: whether a simple application or a main infrastructure.”
He did add though that charities have traditionally gone with what they know and cloud can, in some cases, be a shift in mind set. “But charities have to start changing,” he warned. “Especially with social media: charities have to start thinking about cloud because it is too expensive to put new technology developments like this in-house.”
Peter Heather noted it is about not having things on premises everywhere: “But it is also different things to different people and quite broad. So you have to define it in the context of what you are doing and why.”
Brian Shorten said: “I see it as quite old-fashioned. It is an electronic version of bureaus we used to have. So an organisation needed more computing power but didn’t have enough resource.”
Stephen Murgatroyd described it as simple outsourcing. "And there is another side of it which is utility metered computing, which has been compared to gas or electricity supply, but lacking the level of standardisation of either."
Mark Child noted there are four types of cloud: private, public, community and hybrid cloud. “The definitions of each vary. It is not a new development. It has been around as long as the internet. There are real misunderstandings about where it is advantageous and where it is not.”
This last point dominated the discussion.
Aimee White said it is outsourcing involving on demand, rapidly provisionable, scalable, flexible infrastructure, platform and software services.
Ed Zedlewski, summing up the types of cloud highlighted by Child, said there is an expectation of getting a degree of flexibility and scalability. "It also offers, at a consumer level, a means of accessing skills not readily present within the organisation, and through that offers a range of services with a common service interface."
John Simcock said cloud is usually defined by its facets rather than anything else. “It is the elasticity and scalability. It is agile and something you can do quickly.”
Away in the cloud
Continuing with the theme of understanding, Heather questioned whether overall cloud was really understood. Simcock accepted this was a challenge. Murgatroyd added that cloud was used for a whole range of reasons and sometimes the lack of understanding was on the risks.
“Sometimes users don’t even know what they are using is provisioned as a cloud service,” warned White.
But Simcock took this on by observing: "There isn't one cloud. There are many disparate clouds provided by lots of different vendors and using different technologies."
"That is why many people find it so confusing: because of this catch-all term that suggests one product and one solution. The cloud is a raft of products under one, rather unhelpful, banner," added White, highlighting the confused nature of cloud and its possibilities within the charity sector.
“People I know have been on workshops on cloud and still did not know what it is when they completed these,” she added.
This issue does dominate the sector.
"With cloud, you are buying from lots of different people, with third parties involved, and there are contractual complexities. There is a real definition breakdown to be had," said Child, offering some understanding. "Cloud doesn't drive anything. You need the data; that is what is important." Data, which charities have in abundance, creates a real need for cloud.
Heather noted, though, that for charities it is a change in financial approach. "Most charities manage their IT over capital and you are really changing to a revenue model. That is quite significant. And probably a one-way journey.
"Usually you have a competency [in charities] in IT in managing, but once you lose that, it is difficult to get that back. But it is a change from a capital to a revenue model. That has implications for using these services, and when you use them more extensively."
Zedlewski noted that, within this, suppliers, contracts and service agreements have to be managed and understood effectively. But charities already do this in other areas of their operations, so they should be able to deal with it here.
Even within new developments there was debate about what it meant for cloud. Child said he had recently seen a "shared service" offering. "Within the charity sector this could be on to something, as many charities have spare server capacity at certain periods."
But Simcock argued this was what cloud is and does anyway. "But you are surely making the risk a lot bigger by using many technologies," he questioned.
Child said that wasn't necessarily the case. Murgatroyd questioned, if they were using part of servers, how were they backing up? "It is the telegraphing [increasing] of the risk," he warned.
Charity business continuity
The issue of security is vital here for charities. Zedlewski observed that Eduserv's clients, including many charities, demand security around not just their data but also the whole infrastructure network.
Murgatroyd said this brought us back to whether charities relied solely on cloud or had some other back-up of data, which raises business continuity issues that need to be addressed.
"As far as risk, are we in the same position [with cloud] as we were with the sub-prime [US mortgage] market, where securitisation was supposed to reduce risk but in fact amplified it, that is, unconscious risk?" he said.
“Sometimes organisations don’t understand the complete environment that is running their technology services. So there is an imagining that the cloud is fully resilient. And it can be, but you have to engineer it to be so,” warned Zedlewski.
"The cloud will provide you with a range of tools and you need the technical competence to execute those tools and do the data replication between areas of different geography, as well as manage data resilience, so there are no trivial problems that you have to take responsibility for. That is why clients we work with want a managed transition to that type of system, as it is not a straightforward process," he added.
“Isn’t this something that a charity’s IT department should be looking at anyway?” asked Shorten.
Most of it is within their own service agreements, added Zedlewski. Most cloud conferences and events are presented by lawyers, warned Murgatroyd, which has an impact on how cloud is perceived, and not always favourably.
"They [lawyers] would say contracts are essential, and they are, but it doesn't guarantee you assurance of service or your SLAs. So you still have to do your due diligence beforehand and then continuously monitor," noted Murgatroyd.
"Is the same due diligence taking place?" asked Heather. Downey added: "Going back many years there was a focus on due diligence on your own controls and data centre: you know what to expect; what you are getting. The problem is times have changed. Unless you are prepared to change your mind and be more flexible." Contracts with some service providers, he warned, are bent towards the provider. "When you ask for the service-oriented architecture they will give you one that suits someone in the Philippines as well as the UK. So charities have to change to the way they [providers] do it."
The other thing that has stopped Downey from going to cloud is the possibility of a financial penalty in relation to the data. "Because the due diligence cannot prove that controls are in place at the provider, it is difficult to persuade an auditor or security reviewer that you have good controls in place.
"We found that although it is more expensive to buy a system to put in-house, it is cheaper than if we got a fine for one single data breach." If you bring it back to just costs, noted Shorten, that is OK, but there is more to it than that. "There is also the loss of reputation and brand."
Taking this on, Child noted: “I have never found an organisation that fully understands its data estate. And you need to understand and manage that.” But it is about separation as well, noted Simcock.
Heather asked, from a charity perspective, wasn't there a mutual benefit in sharing a cloud provision, so you get a better security solution?
“I would class that as a community cloud,” noted Zedlewski.
“What about a private community using a public cloud,” asked Heather. “That is different,” added Zedlewski. “It is about understanding and implementing the
“The ideal is using the lowest cost public cloud,” confessed Heather.
Downey stated he had worked on a solution for local government with 29 councils signing up. "It took the best part of a year for everybody to agree," he said. "It took an immense amount of effort. The concept is fine. The effort to get that done was too much."
"It can be done," contested Zedlewski. "There is real momentum and take-up of the Public Services Network (PSN) and the Cabinet Office is pushing hard on the PSN.
"If you buy into the model of all public sector organisations connecting up into a core network, you have a shared network and services allowing you to choose the provider and bring in new services very quickly."
On this, Eduserv has created a cloud for the higher education sector with 40 different institutions at the Impact Level 2 (IL2) security level; a higher security level would normally result in fewer customers, said Zedlewski.
Murgatroyd said some charities ask: why would we be targeted? "Well, they may be seen as a soft target," he noted.
"Most hackers don't look at an organisation's name, with the exception of Anonymous," noted Downey.
"Cloud is, by the nature of the product, evolving," observed White. "We have not evolved yet. There are many who don't know how cloud works," countered Murgatroyd.
Zedlewski accepted: "There is a lack of understanding about information security. It is at that point we need to start. Without a change in culture that accepts information security as being important, it is often difficult to educate people."
Trusting the cloud
Within the issue of understanding there is also the issue of trust within cloud.
Murgatroyd said that Ronald Reagan famously said of the missile reduction treaties with the Soviet Union, "Trust, but verify", "and this is what any organisation should do."
Zedlewski added that Eduserv's clients are encouraged to visit its facility and see what is done. "It is a welcome opportunity to prove ourselves," he said.
"It comes back to managing reputational risk," he noted.
“Charities don’t always make assessments of third parties,” suggested Child.
But Heather countered: “When you are outsourcing, which this is a form of, you should be doing the basics of assessments.”
Child emphasised: "There are many misconceptions about the cloud, but if you do it right you can achieve a really good outcome. But there needs to be understanding and alignment with overall IT strategy."
Heather said it would be good to have more information shared about the positive impact of cloud and, importantly, the detail, to help with this understanding process amongst charities.
Downey added: “From this I think it is important to talk to senior managers within the organisation. Lawyers coming up with one page clauses would help as a common denominator.”
On the broader issue of cloud Heather observed: “It is about what you need to help your data as an organisation.”
Shorten noted that it is vital to talk to other charities and share knowledge and information to this end.
Murgatroyd added it is a people problem. “Charities need to get help, where appropriate.”
Child likewise noted that it is vital for charities to get help on this issue. "Charities do struggle in this space. They don't know what they want to use cloud for and therefore don't really know the full capabilities of it."
White said: "It's important to support and educate end users about cloud services without forgetting the risks of a tranche of services that are evolving daily. It's about challenging charities' behaviour."
Zedlewski added: "It is important to think of cloud as an opportunity to work with a service provider that can supply capacity, elasticity and security of services at a lower cost, aligned to your own capability and business needs. It also introduces a number of skills: not just technical but management and security skills."
Simcock suggested some of these are old issues around IT and computing, but the main focus with cloud is data. “That is protection, security, where it is managed. There is not just one cloud.”