Are cloud computing and VPN opposites

Cloud Computing What Decision Makers Need to Know. A holistic view beyond the technology


1 Cloud Computing What Decision Makers Need to Know A holistic view beyond technology Positioning, contract law, data protection, information security, compliance guidelines

2 Imprint Published by: BITKOM Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e. V. Albrechtstrasse 10 A Berlin-Mitte Tel .: Fax: Contact: Susanne Dehmel, Working Group Data Protection Thomas Kriesel, Working Group ITC Contract and Legal Formation Lutz Neugebauer, Working Group Security Technologies Dr. Mathias Weber, Working Group Cloud Computing and Outsourcing Editor: Dr. Mathias Weber Editorial assistant: Monika Kreisel Design / layout: Design Bureau kokliko / Anna Müller-Rosenberger (BITKOM) Copyright: BITKOM 2010 This publication represents general, non-binding information. The content reflects the BITKOM opinion at the time of publication. Although the information was created with the greatest possible care, there is no claim to factual correctness, completeness and / or topicality; in particular, this publication cannot take into account the special circumstances of the individual case. Use is therefore the responsibility of the reader. Any liability is excluded. All rights, including the reproduction of extracts, are held by BITKOM.

3 Cloud Computing What Decision Makers Need to Know Cloud Computing What Decision Makers Need to Know A holistic view beyond technology Positioning, contract law, data protection, information security, compliance guidelines

4 Contents Foreword 6 List of Abbreviations 8 Management Summary 10 1 Cloud Computing as a New Paradigm for Providing IT Services Challenges for Companies Cloud Computing Definitions Definition of Cloud Computing Service Levels Characteristics of Important Cloud Types Regional Dimension German and European Cloud Business Potential of the Cloud Computing Drivers and Barriers Assessment of Cloud Computing as an Evolution or

5 Cloud Computing What Decision Makers Need to Know 2.



8 Foreword Cloud computing offers great opportunities for Germany as a high-tech location. Thanks to cloud computing, companies can rent computing power, storage capacities and software to the extent that they are actually needed. This saves companies costs and becomes much more flexible. In this way, small and medium-sized companies in particular can take advantage of highly innovative services without investing in the construction and maintenance of large data centers. Cloud computing enables companies to concentrate on their core business. They can work more efficiently, offer higher qualities and further expand their competitive advantage. The entire German economy benefits from this. The Federal Ministry of Economics and Technology launched the Cloud Computing action program this year together with business and science. BITKOM is an important partner in this. It is our common goal to recognize and seize the great opportunities of cloud computing for Germany at an early stage. We want to better tap innovation and market potential, create innovation-friendly framework conditions and help shape developments on an international level. Due to its great technological and economic importance, cloud computing also plays a central role in the new ICT strategy of the Federal Government of Germany Digital 2015. Many companies are currently gaining initial experience with cloud computing. Others don't even know what possibilities cloud computing offers at all. These guidelines provide you with detailed and practical information and recommendations on this topic. This means that the advantages of cloud computing can be recognized more quickly and better used. With the guidelines, BITKOM makes an important contribution to our cloud computing action program. This is how Germany becomes fit for the future. Rainer Brüderle Federal Minister for Economics and Technology 6

9 Cloud Computing What Decision Makers Need to Know Cloud computing introduces a fundamental change of direction in the supply and use of IT. Many IT services that were previously produced individually for individual customers will in future be obtained from the network in a standardized form. For users, cloud services offer a way to increase their ability to act in global competition and also to reduce costs. Many companies are currently gaining initial experience in the use of cloud services. You want to use cloud computing more broadly if your high requirements for data protection, information security and the ability to integrate with the existing IT systems are met. Cloud computing opens up completely new opportunities for individual companies as well as for Germany as a business location. In order to seize these opportunities, industrial providers and users as well as politics and science must act quickly and jointly. The action program of the Federal Ministry of Economics and Technology provides a suitable basis for this. BITKOM brings its projects into the action program with the aim of contributing to the development of a competitive industry for cloud services in Germany. These projects also include this guideline Cloud Computing What Decision Makers Need to Know. More than 30 authors have compiled their know-how in order to provide concentrated answers to the questions that companies ask themselves when using cloud computing. I wish all interested parties stimulating reading and good luck with the use of cloud computing. Prof. Dr. Dr. h.c. mult. August-Wilhelm Scheer 7

10 List of abbreviations GTC General Terms and Conditions AktG Aktiengesetz ASP Application Service Providing BAFA Federal Office for Economics and Export Control BaFin Federal Financial Supervisory Authority BDSG Federal Data Protection Act BGB Civil Code BilMoG Balance Sheet Modernization Act BITKOM Federal Association for Information Technology, Telecommunications and New Media e. V.


12 Management Summary Cloud Computing as a New Paradigm for the Provision of IT Services Cloud Computing is often discussed in the information industry as a new technological approach, as a next step in the evolution of information technology. However, cloud computing is more than just a topic for IT or technology management in companies - it will change both business life and society in the long term. The new properties of use on demand or payment on use are important, but only the greater independence of business processes from the provision of resources, the acceleration of innovations and the greater flexibility for a breathing business give cloud computing the explosive power of a revolution in business. The starting point is the specific needs of the customer. The description of services as the central content of the contract decides which legal contract types are to be used and thus which legal regulations apply in the event of service disruptions. These are often not practical. It is therefore advisable to agree on specific criteria for service provision and the consequences of disruptions in service level agreements. Another important aspect is to agree on the necessary usage rights for the software that is provided in the cloud. If subcontractors are involved by the cloud provider, provisions must be made in particular to fully implement the legal requirements on the second or third service level. Cloud computing can be categorized into two basic organizational forms and three service levels: Services as complete software, platform or infrastructure are obtained from private clouds and public clouds. As part of a holistic strategy, the business scenario determines which forms of cloud computing will be used. In addition to the technical requirements, the framework conditions specified by contract law, data protection, information security and compliance are decisive for use. These are the focus of the guide. The diversity of the cloud services offered on the market reflects the various individual customer situations. During the contractual implementation, the customer-specific initial situation and its requirements must therefore be carefully considered in order to determine the content of the agreement necessary for the contract and to enable its practical implementation. Data protection Contractual regulations The cloud computing contract defines the services to be provided and mutual obligations. It must contain all the necessary agreements to carry out cloud computing within the legally permissible framework, including regulations for data protection, information security and compliance. If possible, German law should be agreed. Data protection can, but does not have to be, an obstacle to cloud computing. On the one hand, the type of data processed and, on the other hand, the form in which cloud computing (private or public) is operated is decisive. The processing of technical or economic data in any form of the cloud is unproblematic, as long as it does not represent business secrets. However, if the data falls into the category of HGB or tax-relevant data, restrictions due to the 10

13 Cloud Computing What decision-makers need to know Financial management is prescribed. On the other hand, personal data and even more sensitive data (e.g. information on health or religion) require increased protection. In these cases, the potential savings that cloud computing strives for can usually not be fully realized. Solution approaches in the case of the private cloud are the setting of so-called corporate binding rules within the group or the conclusion of contracts with external service providers, as they are already known from order data processing. When relocating personal data to third countries with a not as high level of protection as in the European Economic Area, the EU standard contractual clauses must be used. The use of public clouds and derivatives thereof such as Hybrid clouds can only be used to a very limited extent due to the difficult control of confidential processing of personal data. Encryption solutions are available here, however, provided that the key does not need to be passed on for processing. This means that today only a certain part of applications cannot be mapped in cloud computing. This primarily concerns health data, the disclosure of which to third parties is forbidden under the StGB. The more restrictive requirements of individual German supervisory authorities can only be enforced to a limited extent from the point of view of EU harmonization. Information security Ensuring information security plays a central role in cloud computing. A defined procedure must already be applied at the time of the decision about the use and the subsequent operational integration of cloud computing systems into company IT infrastructures. From a technical point of view, the secure operation of cloud computing also includes compliance with the classic protection goals of confidentiality, integrity and availability. Specifically, the security of individual components of a cloud computing architecture must be considered and guaranteed. In addition, organizational precautions contribute to the information-secure use and operation of cloud computing architectures. However, cloud computing not only requires security, it can also provide it. This is called Security as a Service (SecS), which offers security functions as a service for other systems to use. Cloud Compliance Cloud compliance describes the demonstrable compliance with rules when using or providing cloud computing. Compliance creates the necessary transparency and security for all stakeholders involved. In this respect, cloud compliance makes an important contribution to dissolving the current reluctance among potential customers of the cloud market. Cloud compliance is thus also a pioneer in making all the advantages of cloud computing fully usable for providers and providers. There are still a number of hurdles to overcome before it can be implemented on the market. These concern, for example, the novelty and complexity of the topic, the multitude of service offers and business models of the providers, unclear or contradicting cloud definitions and, in general, the lack of standards in the market. A compliance management system (CMS) is a useful tool in this situation. It supports providers and users alike in identifying and evaluating the specific compliance requirements in a risk-oriented manner and in initiating targeted measures to ensure and maintain compliance. The basic idea of ​​a CMS can be condensed into the core issues of requirements, risks and risk measures. These core topics are discussed in detail in the Cloud Compliance chapter. 11

14 In spite of all the optimism that the currently discernible risks of cloud computing can be controlled through suitable compliance measures and thus the advantages of cloud computing can be used on a broad basis, reference is also made to the current limits. Accordingly, situations cannot be ruled out in which satisfactory cloud compliance can only be achieved with disproportionate effort or not at all. We urgently need to work on solving the associated compliance challenges. 12th

15 Cloud Computing What Decision Makers Need to Know 1 Cloud Computing as a New Paradigm for Providing IT Services IT has accelerated business processes; it supports companies in reacting quickly and flexibly to business requirements and enables new business models and processes. IT users are therefore increasingly demanding flexible IT that is geared towards business requirements. Cloud computing is a form of providing jointly usable and flexibly scalable IT services through non-dedicated IT resources via networks. Ideal-typical features are the provision in real time as self-service based on Internet technologies and the billing based on usage. In this way, cloud computing enables users to redistribute investment costs to operating costs. The IT services can relate to applications, platforms for application development and operating or basic infrastructure. The paradigm shift heralded by cloud computing poses a challenge for companies as a whole. A change in corporate strategies is necessary due to cloud computing. Anyone who delegates cloud computing to the IT department fails to understand the nature of this innovation. The family tree of cloud computing is based on two archetypes, the public and the private cloud. Other forms such as hybrid clouds, virtual private clouds, vertical (community) clouds and horizontal clouds are derivatives, combinations or special solutions of these archetypes. Regional clouds denote specific locations of the underlying IT and telecommunications. A simple typification results if one differentiates clouds on the basis of the organizational and the sourcing dimension. In addition, three service levels have been established: IaaS, PaaS, SaaS. With BPaaS, a fourth level is currently being discussed, which arises from SaaS and which moves even closer to the business processes. Cloud computing services are generally of interest to companies of all sizes, but the main areas of use will emerge: Small companies tend to use public clouds, while larger companies prefer private clouds. Cloud computing is an answer to the current challenges facing companies. Because a new reference and a new production of IT can support the business more than before. This creates a basic innovation in business. Evolution in technology, revolution in business can be used to summarize briefly what constitutes cloud computing. Due to its economic advantages, cloud computing will replace a considerable part of the traditional IT service offerings in the medium to long term. Cloud computing is a paradigm that will permanently change the entire information economy, its technologies and its business and thus also the relationships between providers and customers. With cloud computing, global sales are already in the double-digit billion dollar range. The cloud market will also develop in Germany over the next few years with an annual 13

16 growth rate, which is 40 percent. Integration problems with existing IT systems, the lack of trust in data protection and data security concepts as well as the unclear legal situation in individual cases are currently the greatest obstacles to faster market development in this segment. However, challenges in integration or a general distrust of cloud providers are also of great importance as obstacles. The range of possible application scenarios for cloud computing is wide. If the company's own IT structures do not yet exist, cloud services already offer an alternative to in-house operation or to classic outsourcing. The application scenario will be based on the type of service, its importance for the customer, the degree of standardization and the structure of the company using it. A successful entry into cloud computing is possible when all business units develop a common strategy that starts with a common target based on an analysis of business processes and IT. Suitable services can be transferred to a cloud provider taking into account the aspects of law, security, data protection and compliance.It is particularly important to ensure that employees are sensitized and that the purchasing processes are prepared accordingly. Cloud computing technologies cause the previously essentially linear value chain for IT services to break open. For example, Technologies for dynamic load distribution mean that users of infrastructure as a service also become providers of these services. Likewise, functionalities that have previously only been used internally can be made available to external users relatively easily in the software-as-a-service model. The increasing number of providers of highly standardized functions increases the price pressure and, under certain circumstances, the flexibility to change providers. The result is an innovative, dynamic network of providers and consumers of IT services. A multitude of obstacles stand in the way of the advantages of cloud computing. A clear legal framework is an essential prerequisite for the success of cloud computing. Further success factors are sufficient data protection, interoperability between the cloud services (independence from one provider), the balance between individuality and high standardization (integration with the existing IT landscape in the company) and organizational requirements in the company. 1.1 Challenges for companies Companies in western industrialized countries are facing an age of increasing flexibility and unprecedented speed of economic processes. This acceleration was triggered and fueled by the achievements of information technology (IT) and telecommunications (TC), especially the Internet. This increase in dynamism and speed is also taking its toll on IT. More than ever, IT is required to react quickly and flexibly to business requirements, and even to enable new business models and processes. However, the costs of operating the IT infrastructure make up a not inconsiderable part of the company's IT budget. Analysts estimate it at around 75 percent. As a result, IT managers have little room for innovation. At the same time, many data centers are not working efficiently. This 14th year deserves special attention

17 Cloud Computing What decision-makers need to know Fact, because the computing resources that are maintained are usually not made available to current business requirements, but are often reserved for the peak loads of certain services. Finally, there is still the challenge of security and transparency, especially when collaboration on projects crosses company boundaries. Cloud computing is not just an issue for IT departments. The paradigm shift is a challenge for companies as a whole. A holistic change in corporate strategies is necessary due to cloud computing. In particular, the distribution of tasks between the specialist departments and the IT department should be regulated here. This includes, for example, determining who will be responsible for data security and according to which processes IT services are to be purchased. Cloud computing demands a redistribution of roles and competencies and, ideally, also establishes a new understanding of roles. As a result, IT organizations will also change in terms of content and personnel. 1.2 Cloud Computing Definitions Platforms for application development and operation, basic infrastructure. 1 In the future, the operational use of the cloud computing paradigm will continue to establish itself in both industrial and private environments. The guideline therefore describes a transition from conventional IT systems to cloud computing systems. Against the background of this status quo, the defined properties of a cloud or a cloud computing system are ideal. From a technical point of view, to fulfill this ideal, e.g. the degree of automation plays a decisive role. This applies in particular to the automated provision of services by the cloud, which takes place depending on user needs. Such a highly flexible use of cloud services is currently facing both organizational and legal obstacles that counteract the definition of cloud computing. This guideline is aimed in particular at dealing with the obstacles and offers orientation for the additional, practical challenges that arise from the use of cloud computing in this transition phase. Definition of cloud computing service levels Cloud computing is a form of providing shared services and flexibly scalable IT services through non-dedicated IT resources via networks. Ideal-typical features are the provision in real time as self-service based on Internet technologies and the billing based on usage. In this way, cloud computing enables users to redistribute investment costs to operating costs. The IT services can be based on applications. The division of the services into the three service levels Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) has largely prevailed (see table 1). All three levels have in common that the IT services are provided as services (as a service). 1. This definition conforms to the definition of the National Institute of Standards and Technology (NIST). It specifies the definition formulated in the first BITKOM guideline on cloud computing (see Cloud Computing - Evolution in Technology, Revolution in Business, BITKOM Guideline, Berlin Available at with the aim of providing legal clarity create. 15th

18 Table 1: Service levels IaaS PaaS SaaS BPaaS In the context of cloud computing, IaaS is the provision of a scalable IT infrastructure on IT resources that are not clearly assigned via a network. This business model provides for the use of computer infrastructure as required and forms an alternative to traditional acquisitions. The IT services of the basic infrastructure represent the field of activity of the specialists for IT operations as well as the IT service providers. At the technological level, essentially little refined computing and storage capacity on virtualized servers as well as network infrastructure functionality with a high degree of standardization and intelligent system Management provided as a service. In the context of cloud computing, PaaS is the provision of jointly usable runtime or development platforms on non-clearly assigned IT resources via a network. This business model provides an integrated runtime and, if necessary, development environment as a service that is billed to the user based on usage. System architects and application developers deal with the cloud services of the PaaS level. PaaS describes services on the application infrastructure level (databases, integration and security) that are offered on the basis of technical frameworks, i.e. development platforms. They can be used to develop application components and integrate them across platforms. In the context of cloud computing, SaaS is the provision of jointly usable software on IT resources that are not clearly assigned via a network. SaaS is a business model with the philosophy of providing, maintaining and operating software as an ongoing service based on Internet technology, which is usually billed per call and the software is no longer sold as a license to a user. SaaS is aimed at users. Business applications are provided as standardized services by a service provider. Their options for adaptation and integration are often limited. Desktop, collaboration and communication applications as well as industry-specific business processes that are completely abstracted from the technology fall into this area. In addition, a fourth level is currently being discussed, which is identified as (Business) Process as a Service. It emerges from the SaaS level and is characterized by a closer proximity to the business process. When looking at the service levels, it is worth taking a closer look at the license situation: In a real SaaS model, the license costs for the software used are included in the flat-rate usage fee. For software providers, this means a fundamental departure from established license models for software use. The customer must clarify in advance whether he has to ensure the (non-cloud-compliant) provision of licenses. Features of important cloud types The pedigree of cloud computing is based on two archetypes: the public and the private cloud. The other forms are derivatives, combinations or special solutions of these archetypes (see Figure 1). 16

19 Cloud Computing What Decision Makers Need to Know Private Cloud Cloud Virtual Private Cloud Public Cloud If you analyze the current status of the cloud discussion, the various cloud types can be roughly defined using two dimensions (see Figure 2), an organizational one and a sourcing one -Dimension. All cloud types have in principle in common that they have the typical cloud properties via Vertical (Application) Cloud Hybrid Cloud Horizontal (Application) Cloud and three service levels that can be used by the end customer (see Table 2): insourced managed outsourced Sourcing options Figure 1: Family tree of the clouds organizational dimension 1) Sourcing corridors Public Cloud Virtual Private Cloud Hybrid Cloud Private Cloud 1) Deployment models according to The Cloud Security Alliance; Security Guidance for Critical Areas of Focus in Cloud Computing V2.1; 12/2009 Cloud IT as a Service Saas Paas Iaas insourced managed outsourced sourcing dimension Figure 2: Typing of clouds in two dimensions 17

20 Table 2: Comparison of important organizational forms of clouds Public Cloud / External Cloud Virtual Private Cloud Hybrid Cloud Private Cloud / Internal Cloud Description It basically represents a selection of highly standardized, scalable business processes, applications and / or infrastructure services on a variable pay per use basis available for everyone at the same time (multi-client capability). The users are not organizationally connected. The public cloud aims at economies of scale and the consumerization of IT. The users share the underlying infrastructure. A localization of the resources is usually not given. A public cloud is usually owned and operated by an IT service provider. Is a special case of the public cloud. In a virtual private cloud, the user is provided with an IT environment that is isolated and individualized by suitable security mechanisms. In the virtual private cloud, the user can thus have a quasi-individual operating environment that is connected to his IT via a virtual private network (VPN). A hybrid cloud is not a separate cloud type, but rather describes scenarios for every type of coupling between traditional IT, private clouds and public clouds. Overall responsibility remains with the customer, IT operational responsibility is shared: It rests with the respective IT operational manager. The challenge of this model lies in the security and service integration of the various cloud types. Private cloud refers to the provision of cloud computing services only for previously defined users. Private clouds are not public. Management and operation are handled within a company or a joint organization. Access is restricted to persons authorized by the operator and usually takes place via an intranet or a virtual private network (VPN). Private clouds therefore offer an efficient, standardized, virtualized and secure IT operating environment created according to cloud design criteria under the control of the customer (within the customer's firewall). Private clouds allow individual adjustments and can e.g. B. compensate for the security and compliance disadvantages of public clouds, but do not achieve their economies of scale. Secure access via VPN to all three service levels for a restricted group of users: i. d. Usually only for the owner of the private cloud itself, authorized business partners, customers and suppliers Access Using a browser over the Internet to IaaS, PaaS and SaaS services Using a browser over the intranet (secure VPN connection) to IaaS, PaaS and SaaS services Services. For the part of the private cloud: Secure access via VPN; only for the customer himself, authorized business partners, customers and suppliers. For the part of the public cloud: Using a browser over the Internet or via VPN with a virtual private cloud. 18th