Peter Vermeulen Consulting Director IDC
Navigating through the Cloud Peter Vermeulen Research Director IDC Benelux
Copyright IDC. Reproduction is forbidden unless authorized. All rights reserved.
Agenda
• How real is the Cloud?
• Why should you be interested?
• What can it do for you?
• How do you deal with key obstacles?
• What to do tomorrow?
© IDC, Sep-11
How real is the Cloud?
Where Are We Now? Public IT Cloud Services spending
[Figure: market adoption curve running from early markets across “the Chasm” to mainstream markets and the late market, with a “We Are Here” marker; spending labels $16B (2010) and $55B (2014).]
CIOs: we don’t use the cloud…
• …until we reminded them of all the possible uses for the cloud.
[Chart: series “Any use at all” and “Full use any area”. Based on responses to a detailed question with 14 different potential usage areas.]
What is the cloud used for?
Likely Public Cloud Workloads
Q. Likely to deploy via Public Cloud in 2-3 years? (scale: 1-5; 1=not likely, 5=very likely)
% responding 4 or 5 (Likely to Very Likely):
• Collaboration Apps: 53.7%
• Email: 49.3%
• Data Backup/Archive: 45.3%
• Web Apps: 41.8%
• IT Help Desk: 38.3%
• CRM/SFA: 37.8%
• Partner-facing Apps: 37.8%
• IT Management Apps: 37.3%
• Server Capacity: 37.3%
• Storage Capacity: 36.3%
• Marketing Apps: 33.8%
• Personal Apps: 33.3%
• Data Analysis/Mining: 31.3%
Source: IDC Enterprise Panel (unpublished), November 2010, n = 201
Why should you be interested?
What attracts CIOs to the cloud today?
Q. Primary drivers for using/considering public clouds? (scale: 1-5; 1=most important, 5=least important)
% responding 3, 4 or 5:
• Pay-as-you-go (opex): 48.0%
• Easy/fast to deploy to end-users: 40.0%
• Pay only for what you use: 39.0%
• Allows us to reduce IT headcount: 23%
• Encourages standard systems: 21.0%
• Makes sharing with partners simpler: 21.0%
• More sourcing choices: 20.0%
• Faster deployment of new services: 19.0%
[Chart annotations: “It’s about cost”; “It’s about more than cost”.]
Source: IDC Cloud Survey (unpublished), December 2010, n=603
How Can the Cloud Support CIOs’ Ongoing Journey?
• Consolidate: Reduce Costs & Improve Quality
• Virtualize: Simplify Access, Improve End-to-End Mgmt & Maximize Use
• Automate: Add Speed, Predictability & Reduce Labor
[Diagram: IT stack with layers labelled Business Processes; Interface & Access; Applications; Information; Infrastructure; Virtualized Storage; Virtualized Processing; Service/Resource Mgmt & Security; Integration, Event & Deployment; Collaboration/Messaging.]
Big Virtualization and Private Cloud
[Diagram: progression Consolidate, Virtualize, Automate toward Private Cloud, labelled “Increasing Levels Of Converged IT Infrastructure”. Building blocks shown: Hypervisor; Mobility; Provision; Self Provision; Metering & Chargeback.]
[Figure sequence: the IT stack diagram (Business Processes; Interface & Access; Applications; Information; Infrastructure; Service/Resource Mgmt & Security; Integration, Event & Deployment; Collaboration/Messaging) repeated with successive overlays: Cloud Applications (“Software-as-a-Service”); Cloud Platforms (“Platform-as-a-Service”); Cloud Collaboration; Cloud Storage and Cloud Servers/Processing; Cloud Systems Infrastructure Software (“Software-as-a-Service”).]
What can it do for you?
Economics of the Cloud
• Economics of Scale
  – Virtualization
  – Multi-tenancy
  – Leveraging multiple cloud providers
• Economics of Optimization
  – Pay only for what we use
  – Mix of public, private clouds
  – Infrastructure arbitrage
When the Cloud starts making sense
[Four charts of Compute over Time, each with an Average Usage line; one marks an Inactivity Period.]
• On & off workloads (e.g. batch job): over-provisioned capacity is wasted; time to market can be cumbersome
• Successful services need to grow/scale: keeping up with growth is a big IT challenge; complex lead time for deployment
• Unexpected/unplanned peak in demand: sudden spike impacts performance; can’t over-provision for extreme cases
• Services with micro seasonality trends: peaks due to periodic increased demand; IT complexity and wasted capacity
Source: Great Charts by Microsoft Azure Team, 2010
Cost/Benefit Analysis
– Switching costs
– People costs
– Opportunity costs
– Risk (uptime/downtime)
– Management/optimization costs
– Intangible future costs: compliance, regulation
– Flexibility costs
[Figure, shown twice: trade-off between Per Unit Cost and Flexibility (Lower to Higher) across four dimensions: Workload, Commitment Volume, Time and Bandwidth. Option labels: Low / High; Off-Peak / Peak; Month-Month / Annual / Multi-Year. N-Possible # of Configurations (288).]
“I’m paralyzed by figuring out how to make this work” - VP of Operations, SaaS ISV
“We are being pushed to do this at such a breakneck pace that we don’t have the time to really evaluate all the options” - SVP of IT, Large Insurance Firm
How do you deal with key obstacles?
What are the sorts of worries that are stopping cloud usage?
• Governance issues are three of the top four reasons why CIOs are worried about the cloud
• These concerns are not show-stoppers but do need to be addressed
Cloud Supplier Attributes Users Want
Q: Importance of IT cloud services supplier attributes (1=not significant, 5=very significant)
[Bar chart, % responding 4 or 5. Attributes shown: Offer competitive pricing; Offer performance-level assurances/SLAs; Understand my business and industry; Can move cloud offerings back on-premise; Can provide a complete solution; Are future-oriented, an innovator; Can support many of my IT needs; Have a large network of partners; Have local presence; Are a large, established company; Have done business with my organization. Values shown: 83.2%, 81.1%, 68.0%, 67.2%, 61.9%, 54.1%, 46.3%, 40.6%, 55.4%, 58.2%, 30.4%.]
Source: Frank Gens & IDC Enterprise Panel
Private Clouds Have a Lot of Appeal
Q: How does the appeal of private clouds in your organization compare with that of using public cloud services?
• Much more appealing: 18%
• More appealing: 37%
• Just as appealing: 22%
• Less appealing: 6%
• Much less appealing: 2%
• Don't Know: 15%
Combined: 55% “More”, 8% “Less”
Private-Public Gap Won’t Be As Big
Q: Rate your likelihood to pursue the cloud model for the following
[Bar chart comparing Public and Private, % rating 3, 4 or 5 (scale: 1 = not at all likely, 5 = very likely), for: Collaboration Apps; Web Apps; Data Backup/Archive; Business Apps; Personal Apps; Storage on demand; IT Management; Server on demand; BI/Analytics; App Dev/Test/Deploy; Technical Apps.]
Source: IDC
Hybrid Environments Will Dominate
Private
• Designed for, and access restricted to, a single enterprise (or extended enterprise)
• An internal shared resource, not a commercial offering
• IT Org is the “vendor” of the shared/std service to its users
Hybrid
• Enterprise’s cloud services portfolio includes both private and public cloud services
• Some specific services are delivered through a combination of public and private models (e.g., private cloud “bursting to” a public cloud service)
Public
• Designed for a market, not a single enterprise
• Open to a largely unrestricted universe of potential users
[Diagram labels: appliances; hosted/managed; custom-built; Integrated Mgmt.]
What to do tomorrow?
What to do tomorrow?
Determine your cloud-urgency
• Where does the cloud make (most) sense, where not?
• How big are the potential gains - realistically?
• Compliance to regulation: driver or inhibitor?
Determine your cloud-readiness
• People: do you have a strong, multi-skilled team to run this?
• Process: governance, service delivery model
• Technology: consolidation, virtualization, automation, self provisioning
Cross your chasm
• Identify the business results of completed cloud projects
• Start pilots / proof-of-concepts in strategic areas with big potential wins
• Prepare for hybrid cloud computing (if only to deal with security concerns)
Martien Ouwens Principal Solution Architect Oracle
Data Centre Architecture for Cloud Martien Ouwens Principal Solution Architect
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remain at the sole discretion of Oracle.
© 2011 Oracle Corporation
Cloud Computing is Top of Mind
Source: Gartner. Leading in Times of Transition. The 2010 CIO Agenda
Cloud Drivers
[Diagram: drivers placed between Strategic and Tactical: Reduce Complexity; Reduce time to Market; Green; Change IT Cost Structure ($); Scale on Demand; Metering and Chargeback; Virtualization; Optimizing dev / test environments.]
NIST Definition of Cloud Computing
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of:
5 Essential Characteristics
• On-demand self-service
• Resource pooling
• Rapid elasticity
• Measured service
• Broad network access
3 Service Models
• SaaS
• PaaS
• IaaS
4 Deployment Models
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud
Source: NIST Definition of Cloud Computing v15
SaaS, PaaS and IaaS
• SaaS (Application): ready-to-use applications; locked into using available features
• PaaS (PaaS Self-Service Interface; Security, Identity, Integration, Workflow, UI Services, Admin. Services, Application Grid, Database Grid): application development & runtime environment; standardized services
• IaaS (IaaS Self-Service Interface; Virtual Machine, Virtual Storage, Virtual Network): raw infrastructure resources; flexibility to install any software
[Other labels in the diagram: Packaging and components; Configuration; Deployment; Scaling; Lifecycle Management; Utilization; User Mgmt.; IDE Integration.]
Private Clouds and Public Clouds
Private Cloud (intranet: Apps, PaaS, IaaS)
• Exclusively used by a single organization
• Controlled and managed by in-house IT
Public Clouds (internet: SaaS, PaaS, IaaS)
• Used by multiple tenants on a shared basis
• Hosted and managed by cloud service provider
Trade-offs
• Private: lower total costs; greater control over security, compliance, QoS; CapEx & OpEx
• Public: lower upfront costs; outsourced management; OpEx
Enterprises will adopt a mix of private and public clouds
Enterprise Evolution To Cloud
Private Cloud Evolution
• Silo’d: Physical, Dedicated, Static, Heterogeneous
• Grid: Virtual, Shared services, Dynamic, Standardized appliances
• Private Cloud: Self-service, Policy-based resource mgmt, Chargeback, Capacity planning
• Hybrid: Federation with public clouds, Interoperability, Cloud bursting
Public Cloud Evolution
• Public Clouds: IaaS, PaaS, SaaS
• Virtual Private Cloud
[Diagram: App1, App2, App3 shown on Private PaaS and Private IaaS.]
Cloud is a Multi-Year Journey: Northern Trust PaaS Example
Each release of an architecture platform evolves into what the industry now calls PaaS:
• JavaArch1.x – Web SSO Security
• Web2000 – Co-Hosting applications, enterprise logging, templated environment, scripted builds
• JavaArch8 – Messaging APIs, scripted deployments, app metrics, monitoring
• JavaArch11 – Virtualized, automated creation, on-demand resources, end-to-end experience
[Chart: Technology Capital Spending, % of total capital (0% to 80%) by year, 1998 to 2010; series Application Development and Infrastructure.]
PaaS has allowed the business to invest in developing new capabilities rather than Infrastructure
Cloud Computing Readiness May Require Diverse Business Changes
Consider, for example, IT governance & risk management, information modeling & ownership, operations & service management.
• How are these areas managed today? (identified responsibilities, documented processes, etc.)
• Do you have a mechanism for assessing capabilities in each area?
• How will you identify needs for changes or improvements to support cloud computing?
Where is EMEA on this journey?
Next Generation Data Centre Index
• Data Centre Efficiency Research
• Conducted by Quocirca
• Flexibility, Sustainability & Supportability
• Additional Questions on Cloud Computing
Cloud Adoption Plans EMEA / USA
> 50% of organizations plan to adopt one or more Private Clouds
Cloud Adoption Plans Benelux
> 50% of organizations plan to adopt one or more Private Clouds
Getting ready for Cloud Computing: Next Generation Data Centre Index Results
Successful organizations:
1. Apply Rationalization and Consolidation to Simplify their Data Centre using a common stack
2. Create a flexible pool of resources with Enterprise Ready Virtualization across the layers of the stack
3. Have constructed a well designed Next Generation Data Centre architecture based on standards
4. Manage the Next Generation Data Centre through a single tool
What Do You Want the Cloud to Do? Start with Common Use Cases
• Augmentation (Elastic scaling)
• Shared Services
• Development and Test
• Resource sharing (consolidation)
Most enterprises are trying:
• Shared development and test environments
• Hardware & Services consolidation
Focused Implementation Vs. Wide Diffusion
[Chart: Cloud Maturity (Ad Hoc Cloud, Opportunistic Cloud, Systematic Cloud, Optimized Cloud; Exploring, Expanding, Exploiting) against Cloud Adoption (Project Level, Program Level, Division Level, Enterprise Wide), with Strategic and Tactical paths.]
• Strategic – Complete migration for a given architecture/application, often focusing on revenue enhancement
• Tactical – Wide deployment of a limited technology (e.g. virtualization), often focusing on cost reduction
Transforming the Technology Stack
[Diagram labels: System Elements; Optimized Systems, Optimized Solutions; Massively Customized; Optimized Core; Engineered Systems; Massively Simplified; Evolutionary Approach to IT; Investing in Best of Breed; Applications Expertise; HW/SW Engineered to Work Together.]
Oracle Cloud Technologies
Applications
• Custom Apps
• Oracle Applications
• ISV Apps
Platform as a Service
• Integration: SOA Suite
• Process Mgmt: BPM Suite
• Security: Identity Mgmt
• User Interaction: WebCenter
• Application Grid: WebLogic Server, Coherence, JRockit (Exalogic Elastic Cloud)
• Database Grid: Oracle Database, Database Options (Exadata Database Machine)
Infrastructure as a Service
• Operating Systems: Oracle Solaris, Oracle Enterprise Linux / Oracle Linux
• Oracle VM for SPARC (LDom), Solaris Containers
• Oracle VM for x86
• Servers, Storage, Network Fabric
Cloud Management
• Oracle Enterprise Manager: Application Performance Mgmt, Lifecycle Management, Configuration Management, Application Quality Mgmt
• Ops Center: Physical & Virtual Systems Mgmt
Flexible Private Cloud Options
• Building Blocks: Server, Storage, Network, Software
• Optimized Solution: Enterprise Cloud Infrastructure
• Engineered Systems
Optimized Solution for Cloud Infrastructure
[Diagram comparing deployment approaches: Build From Scratch with Components; Oracle Optimized Solution for Enterprise Cloud Infrastructure; Oracle Templates (Server Pool pre-configured). Steps shown: Pre-implementation System sizing; Acquisition of components; Installation and configuration; Testing and Validation; Configuration. Timescales: Weeks to Months; Days; Hours. Callouts: Faster deployment; Lower Risk.]
• Deployment time reduced from months to hours
Oracle Optimized Solution for Enterprise Cloud Infrastructure
Architecture Overview
[Diagram: components combined (“+”) into the Oracle Optimized Solution for Enterprise Cloud Infrastructure, including the Sun ZFS Storage Appliance.]
Oracle x86: Superior 5-year Infrastructure TCO
HP, IBM over one-third more than Sun Blade infrastructure
[Stacked bar chart: Five-year TCO, 10 × Blades + Chassis + Networking, $0 to $500,000, for 10 × Sun Blade X6270 M2 + NEM; HP 10 × 460c G7 + FlexCurve; 10 × IBM HS22 + BNT. Cost components: Hardware purchase; Facilities cost; System Maintenance; Oracle Premier Support; RHEL Support; VMware Licenses & Support. Callout: Up to 38% less.]
HP system maintenance is for 4-hour response time pricing; single enterprise vCenter license required to match functionality but not included.
Virtualization Platform: Oracle VM Server
Server Virtualization and Management
• Oracle VM Manager and Oracle Enterprise Manager
  – Manage hundreds or thousands of servers
  – Central Java management server
• Web browser-based management console
  – Advanced virtualization management, including Live Migration, HA/auto-restart, load balancing
VM Templates Simplify Application Provisioning
Traditional Dev/Test Provisioning
For every dev/test environment:
1. Procure and configure hardware
2. Install and configure OS
3. Install and configure dev (or test) environment
Provisioning with Virtual Machine Images
1. Package once (VM image: Application, Middleware, OS)
2. Provision rapidly, multiple times
3. Deallocate when done
[Platform shown: Oracle Optimized Solution for Enterprise Cloud Infrastructure + Sun ZFS Storage Appliance.]
Oracle Virtual Assembly Builder: Package Multi-Tier Applications
[Diagram: Application A and Application B, with components Oracle SOA Suite, Oracle BPM Suite, Oracle WebCenter, Oracle Identity Mgt, Oracle Enterprise Manager, Oracle Application Grid and Oracle Database Grid; stages Introspection & Assembly, Virtualized Software Appliances (Assembly A, Assembly B) and Deployment; platform Oracle Optimized Solution for Enterprise Cloud Infrastructure + Sun ZFS Storage Appliance.]
PaaS Private Cloud Architecture with Engineered Systems
• Built by each department: Dept 1 App, Dept 2 App, Dept 3 App
• Provided by Central IT: Self-Service Interface; Shared Components (Oracle SOA, Oracle BPM; Oracle Data Integration; Oracle WebCenter Content Management; Oracle Identity Management); Enterprise Management; OS, Virtualization; Application Grid (Exalogic); Database Grid (Exadata)
• Oracle Elastic Cloud
Oracle Exalogic Elastic Cloud: Delivering real business value
• Extreme Java Performance: improved up to 10X
• Mission Critical Cloud: operational cost reduced up to 60%
• Integrated System: time to deploy reduced 90%
Private Cloud Database Consolidation
• Oracle enables all levels of consolidation
  – Infrastructure, Database, Schema
• The higher the consolidation density
  – The greater the return on investment
• Oracle Exadata Database Machine
  – Ideal Private Cloud consolidation platform
  – Fastest time-to-market
• Customers already saving with consolidation
Oracle Cloud Lifecycle Management Capability
Cloud Management Capabilities
• Self-Service Provisioning
• Metering and Chargeback
• Policy-Driven Resource Mgmt
• Capacity Planning
• Assembly Packaging
Foundation Capabilities for Managing Datacenters
• Configuration and Compliance
• Lifecycle Management
• Application Performance Management
• Application Quality Management
• Full App-to-Disk Management
Oracle Enterprise Manager ROI Study
Multi-customer Study Demonstrates Strong ROI, Business Value ($M)
• ROI of 149% with a payback period of 18 months
• Lower downtime by up to 90%
• Improve IT staff productivity by up to 75%
• Reduce capital spending on servers by up to 20%
Oracle IT: Oracle Development Case Study
Nearly Ten Years Development / Use
• Internal hardware resource management application leveraging existing development automation as a ‘private cloud API’
• A self-service reimaging & reboot portal for users
• Average server utilization rate exceeds 80% over 7 day work week
Current Metrics
• Avg. new VM reservations per day: ~50
• Avg. self-service reboots per day: ~25
• Avg. self-service reimages per day: ~100
Systematic approach to Cloud
Phases: Advise & Plan; Design & Build; Deploy; Support; Manage
• Assessment: Strategy, Planning, Business preparation
• Architecture: Design, project plan, integration into existing environment
• System installation, configuration, validation and testing
• Application and data migration and backup integration
• Sun Blade and Oracle VM Learning Paths
• Premier Support
• Mission Critical Support - Advanced Monitoring
[Diagram labels: Customer Manages; Oracle Manages.]
Summary: Planning Your Successful Cloud Journey
• Decide what kind of cloud is under consideration
  – Infrastructure, Platform…, Private, Hybrid…
  – Strategic or Tactical
• Identify measurable benefits
• Use appropriate ROI models
• Evaluate organizational readiness
• Develop a clear roadmap for deployment
For More Information….
oracle.com/cloud
Oracle’s Broad Range of Solutions for Customer Needs High Performing Application-to-Disk Solutions from a Single Vendor
Jeroen Koëter, IT lawyer, Project Moore Advocaten
Thu 15 September 2011 | Lawyer Jeroen Koëter | Computerworld Cloud Event
Privacy in the cloud
Topics
• What is cloud computing?
• Consequences of cloud computing for data processing
• Privacy in the cloud
What is cloud computing?
• Essential characteristics
  – On-demand self-service
  – Broad network access
  – Resource pooling
  – Rapid elasticity
  – Measured service
• Divided into different models: SaaS, PaaS, IaaS
• Divided into different variants: public, private, community, hybrid
Cloud: consequences for data processing
• Loss of, or reduced, customer control over data
  – Distributed (international) storage
  – Location of data unknown
  – Shared use of storage media
  – Data frequently in transit
  – Data difficult to erase
• Depends on the deployment model (public or private)
Privacy in the cloud
Main privacy issues
• Applicability of the Wet bescherming persoonsgegevens (“Wbp”, the Dutch Personal Data Protection Act)
• Responsibility for Wbp compliance: customer vs. supplier
• What are “appropriate security measures”?
• Where is my data stored: international transfer of data
Wet bescherming persoonsgegevens
• Applies to any fully or partly automated processing of personal data
• Personal data is any data concerning
  – an identified or identifiable
  – natural person
• Processing is any operation relating to personal data
• The Wbp applies when personal data is processed in the context of the activities of an establishment of a controller in the Netherlands
• Put (more) simply:
  – if the establishment of the company using the cloud is located in the Netherlands, the Wbp generally applies
  – even if the cloud supplier’s IT facilities are located outside the Netherlands!
• The location of the IT facilities also matters for the transfer of personal data
Responsibility for Wbp compliance
Capacity of customer and supplier
• The Wbp is addressed primarily to the controller (verantwoordelijke)
• The controller determines the purpose of and the means for the processing
• The processor (bewerker) processes data for the controller without being its subordinate
• The supplier often determines how personal data is processed (means)
• The customer (controller) may delegate the technical and organisational aspects of data processing to the supplier
• The supplier is therefore in principle a processor
• The supplier is a controller if it starts using data for its own purposes
• The qualification in the contract is not decisive!
• The customer remains legally responsible for the supplier
Appropriate security measures
Perception among enterprises
“More than 80 percent of large enterprises do not want to invest in cloud computing or cloud storage for the time being. The main reason is that they are concerned about the security of their applications and data.” (The State of Emerging Enterprises Hardware 2009 to 2010, Forrester)
Cloud not necessarily more (or less) secure
• Cloud Security Alliance: “Cloud Computing isn’t necessarily more or less secure than your current environment. As with any new technology, it creates new risks and new opportunities.”
• European Network and Information Security Agency: “[…] the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective.”
Appropriate security measures
• The customer is obliged to take appropriate technical and organisational security measures against loss or any form of unlawful processing of personal data (Articles 13 and 14 Wbp)
• The customer must ensure that the supplier offers sufficient safeguards for the security of personal data
• The customer must verify that the supplier meets its security obligations
Sufficient safeguards?
• For every processing operation the customer must
  – carry out a risk analysis (due diligence)
  – check whether the measures taken by the supplier are appropriate
• Wbp: balance between
  – risk class (the higher the risk, the higher the required level of security)
  – state of the art
  – cost of implementation
Is a contract clause sufficient?
“We shall maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of your data.”
• No, security measures must be described in the contract
• However, suppliers are often reluctant, for security and competitive reasons
• In practice, reference is often made to certification of the services, or the measures are described in general terms
• Whether this is sufficient depends on the risk analysis the customer must make
Verification
• The customer is obliged to verify compliance
• Suppliers object to on-site verification (audit)
• Often a reference to certification or security reporting
• Here too: depends on the risk analysis
Conclusions on security
• Additional security measures (on the side of the customer, the supplier or both)
• Move none, or only part, of the personal data to the cloud
• Combination of public cloud and private cloud
International transfer
• Cloud computing
  – distributed (international) storage
  – location of data unknown
  – data frequently in transit
• Transfer to countries outside the EEA that do not offer an “adequate level of protection” is prohibited, unless…
• If the supplier (or one of its data centres) is established in a country outside the EEA: complex transfer rules
• Necessary: knowing where the data is stored
Solution?
• Consent: often not an option
• For American suppliers: Safe Harbor
• European model contracts with permits (inflexible and labour-intensive)
• Localisation / regionalisation
Localisation / regionalisation
• Some suppliers give the customer no choice
• Others offer a choice between US and EU
• Some store customer data in the customer’s region by default
• Recommendation: storage of / access to EEA data only in / from the EEA
Finally: what next?
• The customer becomes dependent on the supplier, but remains responsible and liable for compliance with the Wbp
• Fact: many cloud suppliers use standard contracts
• Privacy compliance is in the interest not only of the customer but also of the supplier
Questions?
Jeroen Koëter, Project Moore Advocaten, Leidsegracht 78, Amsterdam
www.projectmoore.com
www.linkedin.com/in/jeroenkoeter
Thank you for your attention! We hope to see you at a future Computerworld event.
Questions or suggestions? Please contact Martine Res, Event Manager Computerworld.