KuppingerCole Webinar recording
Okay, well, good afternoon everyone. And thank you for joining this webinar on choosing the right cloud. My name is Mike Small, and I'm a senior analyst with KuppingerCole. I've been many years in the IT industry, and I've seen many changes in that industry. And the cloud is one of the latest of these changes. And so this webinar is going to help you to look at the cloud from the perspective of a service provider or from the perspective of a service consumer, to help you to choose which of the variants of the cloud are appropriate for your particular problems in your organization.
So before we start, a little word about KuppingerCole. KuppingerCole is a European IT analyst that provides research, advisory, decision support, and networking for IT professionals. We particularly provide research services, both for IT customers as well as IT vendors; we provide advisory services for both of those. And of course, every year we run a major event, which is the European Identity and Cloud Conference. This is very successful, attracting many hundreds of people from around the world.
So please make sure that you put those dates in your diary and book for next year's cloud conference. So this webinar, basically you are going to be muted centrally. You don't have to do anything to mute or unmute yourself. This will be controlled from the center. The webinar is being recorded and the podcast will be available tomorrow. And we'll have a series of questions and answers at the end. And you can ask any questions using the toolbar to ask these questions and we'll deal with them when we come to the end of the webinar.
So the webinar is also something which is contributing to your continuing education. KuppingerCole is registered as a provider of continuing education credits. And so there are a set of learning objectives, which you can see on the screen, which this webinar will cover. And at the end of the webinar, there will be a short test, and you need to take this test and pass it in order to qualify for the CPE, which is one group internet-based CPE. So the agenda for the webinar is that we're going to, first of all, talk about cloud service models.
And there are several of these. We're also going to talk after that about the cloud delivery models, and then look at what the risks are that are associated with the cloud in particular, and how we can use understanding these risks to choose the right cloud. And part of choosing the right cloud is understanding how it is that cloud service providers can be certified. And also how it is for us to assure ourselves that the service that we're receiving from the cloud is in fact the one that we expected and that the cloud provider is providing what we have paid for.
So let's start off with the cloud service models. So basically the cloud simply provides another way to obtain an IT service. And there are three different ways that this service can be delivered. And you can look upon this as being a continuum from service delivery in-house, through to service delivery provided by some kind of managed service or some kind of commercial applications, through to the service being provided as a cloud service.
So if we consider the basics of this, which is the IT computing resources and the storage resources, in the early days the only way you could get computing was in fact to buy your own computer and buy your own discs. And that's what we've described on the bottom of this slide as in-house IT deployment. Then systems became managed by outsiders. So we outsourced services, or we outsourced the provision of those services to a third party. And that led to the idea of managed IT services, but effectively what we were getting was still the same thing.
It was simply computing power and storage resources. Now that is provided as a cloud service called infrastructure as a service, and infrastructure as a service allows you to obtain computing resources and storage resources over the internet, and to obtain them on a pay-per-use basis through companies like Rackspace and Amazon Web Services, for example. Now, moving a level up in the stack here, the next thing was that when we got these computers, we actually wanted to develop systems that would do what we wanted.
And in order to do that development, we had what would've been described as an in-house IT platform that consisted of some kind of infrastructure, some kind of compilers, and the things that we had chosen to use to build our tools. Now, in fact, this moved on and most people wouldn't build their own compilers nowadays or build their own databases. What they would do is they would use a commercial platform. For example, Microsoft. They would use, for example, Oracle; Oracle is an example of a cloud provider, of a provider of databases.
And they would use compilers from whoever it is that they particularly chose. Now, in the cloud, you can move a level up from just simply buying computing resources to buying a platform. This platform gives you the ability to develop a cloud service using the APIs provided by the cloud service provider. And examples of that are, for example, the Microsoft Azure or the Oracle public cloud.
Now moving to the top level of this, the purpose of all of this usually was in fact to develop some application, which was going to be useful to the company. And going back in time, people had to develop all their own applications themselves, and indeed the banks are an example of that, where these applications for managing your account were developed in the sixties and the seventies. And they're still there now. For many areas of application, these have become commercially available applications.
So you can buy ERP, you can buy CRM, you can buy SAP to manage your finances in your business. Well, those are traditional ways of obtaining those services. And now through the cloud, you can obtain that kind of service directly as software as a service, without needing to develop it yourself or needing to own any of their new computers. And this is called software as a service. And examples of that are Office 365, and also, for example, salesforce.com and other things of that nature. So that is a summary of what those cloud services are.
And here are some pictures to help you understand. Infrastructure as a service is basically providing you with access to computer power, represented by the little computers, and storage. And those are usually delivered using an idea called virtualization, where one physical server in fact supports many virtualized servers.
And you, as an end user, can run that service yourself. You can run that virtualized server yourself, and the service provider provides the infrastructure, which can change all of the different pieces of hardware that are needed to deal with that requirement that you've got. And as your workload grows, depending upon what you've paid and what your agreement with the provider is, they can make more and more storage and more and more computer power available to you on demand. And you just pay for what you use.
So now moving on to the platform as a service. Platform as a service takes the virtual server, which was basically the raw computing and the raw storage power, and provides you with a set of services, which give you programming tools, APIs, which allow you to build upon those raw resources your own applications and data, which can then be hosted in the same environment, or if you want, taken away to any other similar environment. And an example of this is in fact the Microsoft Azure. So this is moving a level higher in the stack.
And then at the top area, software as a service is providing the end user with a working application without the need for the user of this to either develop the software or to run the software. And examples of that are indeed Amazon and salesforce.com and the Oracle ERP and CRM packages. So those are the kinds of service that are normally provided through the cloud. So what does this actually mean in terms of strengths and weaknesses?
Well, so first of all, the big strength of the cloud is that you need no or limited capital investment, and that you can deploy things much more quickly. Typically, if you were really good at buying hardware and so forth, you might take two or three weeks or even two or three months in order to buy things, which you can literally sign up to now with a credit card. And the other main strength of this is that in fact, if you have something that fluctuates in demand, you can very quickly be sure that that increasing demand will be satisfied.
The problems with the cloud in general are to do with how you set up the agreements. So for example, you may find yourself with a price which is determined through a contract, which says you pay for whatever the highest demand that you have was. There are a lot of compliance issues, which we'll talk about later, such as, for example, where your data is held. And there are rules about where certain kinds of data, there are the general security concerns of confidentiality, integrity, and availability.
And although you don't have to have any capital upfront, paying or rental, as you go along, may end up with you paying more than you would've done if you'd have bought just what you needed at the beginning. So looking at the different kinds of service, the benefit of infrastructure as a service is that it runs what you have at the moment, providing what you have at the moment conforms to the requirements of the infrastructure that is provided, which may, may not be a problem.
It depends on how you have built your applications, but largely speaking, if you had applications that run on Unix, then they're fine. If you're using web, then you have certain kinds of issues with that. Platform as a service gives you the benefit that you can develop an application for the cloud, which can be immediately deployed. But the problem, if you think about it, is that you've been provided with a set of APIs from a provider. And those APIs tend not to be ones. They tend to be proprietary ones, so that if you use Oracle, you're kind of locked into Oracle.
If you use Microsoft, you're locked into Microsoft. If you use the Amazon, then you tend to be locked into Amazon. Software as a service is great. It's just an application on your desk when you need to use it. And it's great if the functionality meets exactly what you want; if it doesn't, then it's much less easy to have a tame version. And the other big area to do with this is how you can get your data back, who owns that data and how you can get it back. And there are a number of stories about organizations that used a cloud service,
didn't clarify who owned the data, and had problems in getting that data back at the end of their contract. So those are the strengths and weaknesses of the different service models. So now let's look at the delivery models, because the cloud consists of a service which is delivered, and the way it's delivered also has a profound influence on what it means from the issues that we've been discussing. So what everybody talks about when they talk about the cloud is they usually think they're talking about what is called the public cloud.
And the public cloud is a system where the application or the computer services that you are using are in fact shared with everyone and anyone, and the cloud service provider will provide those services to anybody who rolls up with a credit card. So you're not absolutely sure who your co-tenants are, and that may lead to some concerns. At the other extreme, you can actually say, well, I will buy these services in using the cloud, but I want them to be provided in a way that's private to me.
So if you use a private cloud, then you are actually really just delivering the service in a slightly different way. You can have an internal private cloud, or you can have an external private cloud.
Clearly, if you do it that way, then you lose some of the scalability and some of the benefits that were coming from using the public cloud. There is an in-between path, which is called the community cloud, and a community cloud is where a number of organizations which have similar concerns and similar types of activities say that only organizations of this kind will be sharing with you. And examples of that are, for example, medicine. And I'll give you a very good example in a moment.
And then there is the so-called hybrid cloud, which in some ways is the best or the worst of all worlds, because in the hybrid cloud, which is sometimes known under the acronym of cloud bursting, you can say, well, when I have a normal workload, I normally just use my internal systems. But if I have a peak, then I've written my programs, or I've got an agreement with a cloud service provider, that allows me to, for a period of time, quickly burst into the cloud to satisfy these extremely high needs.
So you could do it for example, with infrastructure as a service where suddenly you need some extra virtual machines to sustain the workload. And those are provided by some external provider, for example, Rackspace. And so under those circumstances, you may be sharing with other people from time to time. And just as a explain the community in the private PLA or the people sort of don't see the cloud as being something that's secure.
But I bring this example up as an interesting one, which is in the UK, there is a thing called the National Health Service, which is a sort of federation of all of the hospitals and all of the healthcare providers in the UK, which is publicly funded.
And there are clearly very strict controls on how data concerning patients and their health conditions can be moved around. For some years, there has been a mail service, which is available to all of those healthcare providers, which is in fact securely classified and securely managed to government standards of restricted status. It is provided by a consortium of third parties, including companies like Cable & Wireless and BT and so forth, which makes it a secure service.
And it is either a community cloud or a private cloud, depending upon how you view the organization of the NHS. And it's actually very good because it means that someone can have a stroke in a rather out of the way place. They can have a CAT scan in their local hospital, but a neurologist can receive the results of that CAT scan at the other end of the country at whatever time of day or night. And that transmission can be made securely using this cloud service.
So looking at the strengths and weaknesses of these different clouds, the basic strength of the public cloud is to do with scalability. The fact that you are providing a service on such a large scale makes it very hard to attack, because you can't provide the resources needed to bring it down. It makes it very scalable in the sense that there's a lot of resources there. So an individual can demand a great deal, but it's still only a small amount in terms of the total capacity available.
The problem with the public cloud is the lack of control that you, as the end user, have over compliance and the supply chain and things like auditing and access to that forensic data or where the data is indeed held. Now the private cloud, on the other hand, no longer has this benefit of scale. It becomes more a question of the benefit, if you will, can be simply to do with the fact that you are buying the service in a different way, but it does give you the ability to have much more control over how that service is delivered,
what access is allowed, what legal compliance there is of the service. Of course, the problem is to do with the scalability of that. And the community cloud tends to give you similar benefits of scale to the public cloud, in the sense that because you're sharing with many people, the total scale of the thing is bigger than it would've been for you on your own, but it is still less scalable and less tolerant than potentially a public cloud. So those are some of the benefits and weaknesses of these different ways of delivering the cloud.
Now, a lot of organizations will say, well, we wouldn't even think of moving to the cloud because we are so concerned about privacy and compliance, and we've done surveys, which you can find on our website, which show that these concerns are major issues, which prevent organizations from moving to even a private cloud. So let's look realistically at what the risks really are, and the risks can be divided into these three areas: they're to do with policy and organization, they're to do with technical issues, and they're to do with legal issues.
And of these, you can see on the left, these are the ones that are most frequently stated: to do with compliance, which is that organizations may have spent a lot of money trying to be sure that they are compliant; to do with loss of governance of their IT; to do with their reputation, that can be sullied by other co-tenants; and issues to do with whether or not you are locked in. So rather than talk to this rather dry slide, I'm going to bring out some of the issues using some examples.
And the first one is, do you know whether you are actually using cloud? Many organizations will say, oh, well, we wouldn't use the cloud. But the thing is that the cloud is available to anybody with a credit card. And here is an example of how you can buy a system, which is actually salesforce.com, for up to three pounds a month per user. And this is well within the departmental budget; in fact, it is well within the credit card limits of many of the departmental managers.
And so this leads you to the problem that it's possible that in some of your remote offices, people may think they've done things better by buying a service like this to help them to do their job. And so one of the big issues to do with choosing cloud is actually to have a process that allows organizations to actually say they want the cloud, which actually helps them to get that cloud in a reasonable period of time.
But to get it in a way which takes into account the organization's risk appetite, the concerns and what the data that's actually being moved consists of. Then some people will say actually the cloud means that we no longer have to care about business continuity, but even though the cloud itself is massive, there can still be things that happen that can make the cloud not available. And here is an example where the wrong kind of lightning struck one of the major data centers in Ireland, and this caused a power failure, which caused some clouds to go offline.
And at this point it became clear that the resilience of the cloud is something to talk about, but it's another thing in reality. And it took some time for all of those services to be correctly brought back online, so that the people that were using them suffered a visible and measurable outage. So just because you have the cloud doesn't mean to say you can forget about business continuity; you have to have a cloud. And the other question which comes to the fore of people's minds is how securely is the data handled.
And you need to look into this in some depth, because there are a number of ways that data can be mishandled. And one of the simple examples is to do with what happens to data when you delete it, where we all know, as IT professionals, that actually data isn't deleted by the delete operation, it's simply removed from indexes. And so in a situation where you are sharing devices with other tenants, that data potentially is available to other tenants when you've finished with it.
And in the worst, the more possible scenarios, the actual devices may be thrown away and bought by a third party who then may be able to find your data on them. So the better cloud providers will actually make clear statements about how data is disposed of and what happens to it when it's deleted. And then of course there is the question of the contract, and it's certainly true that the lawyers haven't caught up with understanding the full implications of the cloud, and most of the public clouds give you an end user license, which is take it or leave it.
You can't actually negotiate it. And those licenses or those contracts that you've implicitly entered into are usually a great deal less onerous in terms of what obligations they put on the provider than they would have been had you gone to an outsourcer, and they have an almost total exclusion of liability for the provider for things that would happen.
And finally, there is the question of what happens if one of your co-tenants does something bad, and the systems are then seized by the law enforcement agencies. And here's an example that apparently occurred in the US, where one of the network service providers was in fact raided by the FBI, and this caused a number of services to go offline. And indeed it may well be that your service could be provided in a legal jurisdiction that is not particularly favorable to your current place.
And that the law enforcement powers in there may legally hold you to ransom. So you need to check on all of those things. So how do you actually overcome these things? How do you choose the right cloud?
Well, many organizations have become very adept at providing services themselves, and they understand now how to provide those services themselves. Some organizations are providing themselves and are not satisfied that they know how to do it themselves. But if you go to the cloud, then you are moving away from something that's under your direct control to something that's much more indirectly provided. So that rather than simply being able to walk into the IT department and say, this is what I want,
you have to actually go through an external process of negotiating something in order to get what you want, or indeed, if you want to find out what's happening, you have to go through hoops to discover that. And if it doesn't work, it may be a great deal more difficult to get rid of them than it would've been to fire the IT manager. So basically the key to this is to do with governance. And this may seem fairly trite, but it is particularly the case when you're using the cloud, that you really have to understand why you want something.
So you have to have an understanding of the real business requirement, and then specify the service that you require in terms of the business need, rather than simply saying, oh, I'm going to move to the cloud because my competitors have moved to the cloud. From the perspective of risk, you then, understanding the business need, can use this to assess the risk of that in terms of its probability and impact, and then come to a risk response. Then importantly, you have to clarify who is responsible for what in doing that.
And when you finally decide to make the move, you have to have some way of being sure that what you are getting is in fact what you have paid for. So in terms of specifying the service required, it's certainly more than just simply looking online and saying, goodness me, that looks like we should have something. You've still got all of these issues that you have to go through. For example, you have to understand what the data is that you are moving to the cloud.
And probably the single most important thing is to look at the data that you are moving to the cloud, because that data tends to determine everything else. And that determines what compliance needs you have. Do you have an issue concerning the geographic location of the data? How secure is that data? What would the impact be of that data going missing? Would you be fined? Would you lose your business?
Would you simply be some, are you holding something that you really want everyone to know, like your catalog? And then how important is it that the service is continuously available? What would happen if the business service became unavailable? How would you react to that? Who is allowed to access that service, and how do you control those things? What do you do about privileged users? How do you deal with things like separation of duties and privileged access? And finally, how do you monitor what is going on?
And all of those things have to be in your specification for the cloud service. Then let's look at the risk response. Just because you're moving to the cloud doesn't mean to say that you don't have a choice. You need to look at the assets that you're moving, which is usually your data, and what threat there would be. And I mentioned some of those before: what are the various threats? Now you can then view some scenarios. And the important thing is to look at how likely that is and what the impact would be of that particular event.
And so you may have some things that are very likely, but really have very little impact. You may have some things that are not very likely, but would have a big impact. And you also, as an organization, tend to have a view of your tolerance of risk. And so you perform some kind of an analysis to decide whether you will accept that risk, whether you're going to take action to reduce it or mitigate it, whether you have a way of insuring against it, or whether you would simply avoid it by not using the cloud at all.
And so then finally you have to assign responsibilities, and I've got a series of slides, which are not comprehensive, but which give you an illustration of what you need to take into account. So for example, one of the things is compliance, and if you're going to be compliant, then you need to understand what your responsibility is and what the responsibility of the provider is. And to make sure that you divide those responsibilities up, that you understand what you are responsible for, and that you understand what the provider's responsible for, and it's written into some kind of contract.
So again, we come back to this thing for compliance, the single most important thing is to classify and identify any legal and regulatory requirements. And that usually comes back to what is the data that you are moving there. And if in fact you do move it there, then you have to understand that the cloud provider must assure you that they are capable of processing that data in accordance with those requirements.
Then let's look at business continuity. The division of responsibility between you as the customer and the provider is that you, as the customer, need to understand how to keep your business running. And that may mean that you have to survive without the service that you move to the cloud under some circumstances. So how are you going to do it? And what aspects are involved in that cloud?
Now, the provider also has a responsibility, and they are going to make some guarantee about the availability of their service. And they have to have some kind of a plan for how they deal with the things that can happen that could render that service unavailable. And it's your job to ask them how they would manage that and to decide whether or not the answers they give you are in fact going to be satisfactory. Then you have the question of data return and data ownership. So this is the third of these examples.
And one of the things that is often forgotten in moving things out to a third party is actually knowing what you are moving to the cloud and understanding what the ownership is of that. And then understanding the mechanism for getting data back. And I know of one large UK company that was using a cloud service for market lead generation, where effectively potential customers were sent information.
And depending upon their responses to that information, there was a classification by the cloud system as to whether or not they were likely to be a customer and whether or not to offer them a particular product. And when the organization decided to move to another service, they found that the contract said that they didn't own the lead data, and there was a long and bitter battle in order for them to be able to get that data. And they had in fact to pay for it. So having the contract and having an understanding of all of these things and having a division of responsibilities is key.
So what this really means is that it's all to do with good governance. And the final step of good governance is in fact having a way of monitoring the performance of the service against the requirement. And what you are looking for is a set of key performance indicators, which will measure how well the service is providing what business requirements you have and how these can be related back to your business goal. And how can you measure them when somebody else is in fact providing the service. And that takes us onto the question of cloud certification and assurance.
And so what is actually needed for this is some kind of standards against which you can measure cloud services and that these standards can be used both by the customer and the provider. So where are we with this?
Well, what we have is a well expanding list of frameworks, from things that have been around for many years, like COBIT and ISO 27001, onwards through things from the auditors, which we will talk about in a moment, through to relatively new and specific things to do with the Cloud Security Alliance and the Jericho Forum and so forth. Now, there are also some programs in there which are shared assessment programs.
So some related organizations, in particular to the banks, had in fact set up a common framework within which one bank would assess a supplier against a set of common criteria, so that that assessment could be used by other organizations. Then more recently ENISA came out with a thing called Procure Secure, which is a set of recommendations for how you can securely procure services.
The German BSI came up with specific security recommendations for cloud computing providers, and finally NIST, after several years, came up with, first of all, a definition of the cloud, and then a synopsis of recommendations, which were issued in May.
So one really important thing is to understand service organization control reports, and to give a little bit of a story behind this: in the 1990s, when banks and large organizations started to outsource or spin off their IT departments, auditors found themselves with a problem, because in order to actually audit a company's books, they had to be assured that the way those books were maintained was being correctly run. And of course, most large companies run their books on their computers.
And so in 1992, in order to deal with that, they came up with a thing called SAS 70, which was a way for the auditors of the IT provider to communicate their assessment of the service provided by the service provider to the auditor of the company whose books were being written on those computers, but that was auditor to auditor. So this was not really a generalized thing.
So in 2011, in fact in June 2011, there was a new standard for auditors called the Statement on Standards for Attestation Engagements number 16, which defined service organizational control reports type one and type two, so that an auditor can make an attestation about the kind of controls that are in place for a service that is being run by a cloud service provider. And the type one report says basically that the service exists, i.e. that what is publicly stated by the provider of that service is in fact something that describes what really exists.
And then the controls that the service provider themselves have said they have are in fact appropriate and able to achieve the control objectives or the level of security that in fact the provider is offering now. So you can see that that's something, but it's certainly not against a gold standard. It's certainly not tested the controls. A SOC type two report actually takes this a stage further, where the auditor will have made some tests to determine whether or not the controls were effectively operating.
And some cloud providers will, in fact, give you examples of what these SOC one, SOC type two reports are. And here's an example: if you look on the Amazon Web Services kind of infrastructure as a service, they will say that they have a SOC one attestation against a set of control objectives, which are that. So that's an example of what is being offered by one of the cloud service providers. Then you can move a little bit further on that.
The American Institute of Certified Public Accountants defined a set of trust services, which is moving up from simply saying, let's actually just consider what the service that the person provided is describing, to actually set out a set of standard areas that you can test services. And these include security, availability, integrity, confidentiality, and privacy, and an auditor will in fact test a provider against those principles. And when they test them, they will look to see whether or not they have a policy.
If they have a policy, whether that policy is being communicated; if it's being communicated, they expect to see procedures and processes in place that support it, and some kind of monitoring and effective action if in fact the service is being monitored and problems are found. So that is again used by salesforce.com. So salesforce.com publish a statement by the auditor Ernst & Young, which says that they have attested that salesforce.com meets these criteria for confidentiality, availability and security.
Now, I'm not saying whether this is appropriate for you or not, nor am I saying that for Amazon Web Services. What I'm saying is these are potential reports that you can get, and you have to yourself determine whether or not this is appropriate for your own organization. So salesforce.com is a software as a service. So now let's look at another way of looking at services.
Now, the gold standard, if you will, for information security is ISO/IEC 27001 and two, which is a code of good practice for information security management, which covers confidentiality, integrity, and availability with 134 controls, and some detailed advice that's given. And some organizations will say that they are compliant with that, but not certified. And some organizations will say that they are certified.
Now, the thing to be careful about with certification is certification doesn't necessarily mean that the whole company and all of the data is certified. Certification applies to a particular set of kinds of data or areas within the company. And here's an interesting one: that Microsoft Azure, which runs on the Microsoft data centers worldwide, is in fact ISO 27001 35 for parts of that infrastructure. It also is a signatory to Safe Harbor, which is to do with compliance in the way that it processes personally identifiable data.
Then you also can have a choice of where your data is located in order to ensure that you comply with European rules and regulations to do with privacy of data. So those are some examples of the ways that you can assure yourself that the cloud provider is gonna provide a good service and some of the kinds of reports that you can get as a third party, which will give you information on how that service is being run.
So, in summary, what we are saying is that there are three different services that you can buy using the cloud: infrastructure as a service, platform as a service and software as a service. And those can be delivered in four different ways: through a public cloud, a private cloud, the community cloud, or through cloud bursting. And you have to understand what these differences are and that they aren't all the same and that you can choose which one is necessary and best for you.
And you need to choose that based on the business need, your understanding of the risks and the risk. And what that really means is understanding the value of the data that you're moving to the cloud, and then understanding that because the service is no longer only your control, you have to clearly define what it is you're going to get and who is responsible for what, and to define the controls that you're going to put in place to make sure that the service you are getting is the one that you are paying for.
And in order to do that, you may have to do some monitoring yourself, but it's really important to understand what independent certifications and auditor reports mean, and that will help you a great deal. So now that's basically the talk that I like to give. So now I believe we have some time for some questions. Is that the case, that we've got time for questions? Yes, I'm assuming we do. So, well, I've got a question here, which says that actually we've talked a lot about the cloud and the risks associated with it.
So what is it, are there any opportunities that the cloud creates? Well, indeed the cloud does create a whole series of opportunities, and surprisingly in the East End of London, in Shoreditch, there is a whole buzzing community that is exploiting the cloud for all kinds of new things. There is a lady who has a system where you can effectively build your own doll and you can make your own doll.
But the point is that the availability of IT services on a pay-per-use basis, where you have relatively low risk of entering the market in terms of you don't have to get a lot of capital together, means that new businesses can start up where they could not have started before. And so the one kind of opportunity is literally a person can set up a business that they could not otherwise have set up. And an example of this is all of the traders that you now find on eBay, which is a kind of cloud service, or on Amazon, that would never have been able to exist had they not been able to get to the market in that way.
From the perspective of organizations, I want to go back and remind ourselves that for many organizations running IT is not something that is their primary business goal. And the cloud gives those organizations the opportunity to run their IT services in a more cost effective way by buying them in a more commoditized manner than they would otherwise have done. So the cloud provides a whole series of opportunities that wouldn't otherwise have been there.
So that's one of the questions. So I've got another question, which is to do with, somebody's asking me, how can I decide if the risks outweigh the rewards of the cloud?
Well, actually, I think I've covered this, but I will repeat it because I think it's important that to understand whether or not the risks outweigh the rewards of the cloud, it's really important that you take a good governance approach, which is understanding what the business requirements are. And without understanding the business requirements, it's very easy for organizations to fall into using the cloud because they think it's something fashionable to do, or for pieces of the organization to decide to use the cloud without properly considering the full impact.
And so this governance based approach is really a very critical way of approaching choosing the right cloud. It is one which starts off from the business need, looks at what that business need really means in terms of a specification, understands the risk associated with moving that data to the cloud, develops scenarios which work out what the risks are, and work those out in terms of impact and probability.
And then from that, make a decision about whether or not you're prepared to accept that risk or whether or not you want to continue to do it in a different way. And if you do move forward into the cloud, then it's really important that you make sure you have the ability to monitor what it is that's happening.
Now, someone else is asking me about what's the view about the delivery of the cloud service? What are the best ways to deliver it? And this takes us back to a reiteration of the public cloud, the private cloud, the hybrid cloud, and the community cloud.
And I think that going forward into the future what's going to happen is that people are going to stop thinking about the cloud as this one thing, and start to be more specific in the way that they talk about it, because some organizations are already trying to position themselves so that they can externalize their existing systems by building a private cloud, which is actually run through public infrastructure in order to understand the risks.
So the benefit of the cloud is really to do with being able to get someone who really understands about running IT to run those services for you, and kind of a step along the way towards that is building your own internal private cloud, which allows you to move along that. I think that we will see a great deal more in the future of community clouds, where organizations that have similar needs will in fact use the similar kind of way of delivery through this community cloud.
Like, for example, the NHS mail, like, for example, the banking organizations and so forth. And the public cloud will remain an important way of delivering things for small to medium sized industries that really aren't well placed to run their own IT services and who really just want what is a commodity, and that things that have become commodity will more and more be delivered more efficiently in that way. For example, a few years ago, having something like a CRM system was a major differentiator, but now CRM is really just, it's a utility.
Everybody has it. And so you just want to get it at the lowest possible cost. So we've had three questions, and I think that's probably all that I can manage now. Okay. So thank you very much, everyone, for your time and attention.
Just one thing to remind you is that if you want to obtain your continuing education credits, then you're going to have to take the exam, the link to which will be sent to you by email when you have finished listening to this, and to remind you that KuppingerCole is a well known and very successful industry analyst that can provide services to both vendors and consumers of IT systems. And we focus particularly on security, identity and access management and the cloud. So with that, I'll say thank you very much for your attention and good day to you.