The challenge for enterprises is how to understand the options that are available to them when considering obtaining services from the cloud and, in particular, how to judge the risks involved in consuming cloud services. These problems are somewhat more complex than similar ones that arise when considering outsourcing where, typically, the customer is able to dictate terms and conditions. In contrast, the large scales of the operations of cloud providers, together with the associated cost structures, mean that the vendors and the marketplace can be expected to dictate (standard, one-size-fits-all) security service levels. Moreover, the concerns broaden from the traditional security concerns of confidentiality, integrity, and availability to whether agents, brokers, and other service providers and integrators will act appropriately as stewards [1], to whether operations and assurance will work across supply chains, and to whether the whole system – which will contain a multitude of such relationships, potentially all influencing one another – will be sustainable and resilient.
It's not just cloud consumers that will be concerned. Each firm in the ecosystem will be vulnerable to any changes that happen not only within that environment, but also externally. For example, how exposed will they be to high-impact security incidents that affect multiple supply chains? Or to skill shortages and liquidity changes that affect multiple groups in different ways? Is there a danger that some 'shocks' will permanently damage the ecosystem upon which they rely?
We are seeking to help cloud stakeholders understand the options they have to improve stewardship outcomes. How should regulators impose rules and regulations? How much influence does a single consumer have? How does this change if they act as a group? How much transparency into operations should be demanded by consumers and offered by providers? How should all the stakeholders act to deal with factors exogenous to the market, such as the state of the economy, business trends and technology changes, or shifts in human skills?
Specifically, we aim to provide effective ways for stakeholders to explore their assumptions about the value and uncertainty associated with engaging with cloud ecosystems.
Stewardship In The Cloud Ecosystem
To simplify our discussion and analysis we distinguish three types of firms in the cloud ecosystem: cloud consumers, cloud service providers, and cloud platform providers. Cloud consumers represent large and small enterprises that are making a transition from reliance on internal IT departments to consuming cloud services. Cloud platforms represent a bundling of platform- and infrastructure-as-a-service offerings [2]. Cloud service providers represent software providers that are able to leverage (and are conditioned by) platforms to offer software-as-a-service with particular agility, cost, and security profiles. Figure 1 shows these basic components in the context of exogenous factors such as attacks, regulation, and financial conditions.
Figure 1: The cloud ecosystem
Stewardship concerns arise from all components in this framework. That is, all the cloud stakeholders will be concerned with whether firms in their supply chain are meeting stewardship commitments and expectations, and with whether they understand and can meet their own stewardship obligations. For example, how are firms incentivized to keep my information confidential, and will the ecosystem support my needs for federated surveillance?
Equally, they will all (perhaps implicitly, and certainly regulators and policy-makers) be concerned with the structure of the overall ecosystem, as conditioned by regulation and incentives, and as affected by potential shocks. Specifically, responsible stakeholders – that is, the good stewards of the ecosystem – will seek to ensure that they can expect the ecosystem to be sustainable, to be resilient, and to deliver good stewardship outcomes not only for themselves but also for the wider ecosystem community. For example, will the ecosystem be resilient to the failure of a few providers, and will regulation destroy the agility benefits upon which key consumers rely? Figure 2 shows some of the typical fast and slow dynamics of change to which the ecosystem must be, respectively, resilient and sustainable.
The dynamics of the evolution of the ecosystem will be affected by how easy it is for companies to switch between different cloud service providers. Where moving supplier is hard, companies will be more reluctant to adopt cloud and need better up-front risk and stewardship planning. The lock-in effect will also determine how service providers respond (if at all) to competition within the ecosystem and to exogenous shocks.
Figure 2: Fast and slow dynamics of the cloud ecosystem
Modeling For Policy & Strategy
In our analysis of this ecosystem, we draw significantly on research carried out on ecological ecosystems [3].
The ecological ecosystem consists of various organisms that exist in a habitat or a series of linked habitats. The ecosystem will be affected by the way in which the organisms interact (because of their biology) as well as external influences such as the weather, fires, or pollution. In studying an ecosystem and its dynamic behaviors, we can start to see how resilient it is to different shocks and so start to manage it in a sustainable way. Analysing cloud-based services ecosystems from such a perspective leads us to develop helpful stewardship concepts.
Instead of organisms in various habitats, we have an ecosystem of cloud stakeholders. Instead of the interaction between these entities being driven by their biology, it is driven by their need to maximise (or at least satisfice) their utility, so influencing their policies and decisions. This utility will usually be implicit in each company's decision making, but will drive a customer's choice of services, as well as the terms and conditions offered by the service and platform providers.
We have developed a series of economic and mathematical models that explore numerous aspects of the emerging cloud ecosystem. Based on these models, we have developed one rich system model that has (hundreds of) firms consuming IT, (hundreds of) firms offering services, and several platform providers offering IT resource capacity. Unlike our preceding models, which have been based on empirical studies or well-established economic methods, this model is designed to allow security professionals (and other stakeholders) to visualize and explore the implications of exogenous and endogenous factors on cloud stewardship.
The system model can be executed to simulate a range of phenomena: consuming firms' switching from internal IT to the cloud, or changing service providers; new service providers entering the market with different cost and security properties; and new platforms offering different conditions for the service providers. The behavior of each firm is conditioned by utility functions that govern, for example, whether they will prefer a secure but restricted service to a cheap and flexible one.
There are a number of parameters that we can explore: for example, the average difference in outcomes for firms with different stewardship priorities, or the relative success of different policies and attributes of platforms and providers. Soon we hope to be able to explore and illustrate the resilience of this ecosystem to shocks such as massive and swift reductions in available (financial) capital, or the impact of major (ecosystem-wide) security failures.
Figure 3: Illustrating how sustainability and resilience will be explored
Figure 3 shows a typical target output of a simulation based on the model. Clearly, much will depend on how the model defines (and stakeholders interpret) 'value added by the ecosystem'. The point is to explore and discuss the conditions that will lead to shocks – for example, an economic shock such as a 'credit crunch', a highly intrusive malware incursion, or a radical shift in infrastructure technology – and what attributes are important for resilience, recovery and, ultimately, sustainability.
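The kind of agent-based run the system model performs, as an added toy example that is not the project's model: consumer firms with different stewardship priorities choose between internal IT and two constructed providers by a utility function, a one-off switching cost stands in for lock-in, and the failure of one provider is the shock against which resilience is measured. The provider names, every parameter value and the linear utility form are constructed assumptions, not figures from the article.

```python
from dataclasses import dataclass

INTERNAL = "internal"   # a firm's own IT department, always available
@dataclass
class Provider:
    name: str
    price: float        # recurring cost charged to a consumer
    security: float     # assurance level, 0..1
    flexibility: float  # agility of the offering, 0..1
    alive: bool = True

@dataclass
class Consumer:
    name: str
    security_weight: float  # stewardship priority: weight on assurance vs agility
    supplier: str = INTERNAL

INTERNAL_IT = Provider(INTERNAL, price=0.35, security=0.6, flexibility=0.3)
def utility(c: Consumer, p: Provider) -> float:
    """Per-period utility (constructed form): weighted assurance/agility benefit minus price."""
    return c.security_weight * p.security + (1 - c.security_weight) * p.flexibility - p.price

def step(consumers, providers, switch_cost):
    """One period: a firm keeps its supplier unless another option still pays after the
    one-off switching cost; a failed supplier yields zero utility (service lost, nothing paid)."""
    options = {p.name: p for p in providers} | {INTERNAL: INTERNAL_IT}
    for c in consumers:
        current = options[c.supplier]
        best, best_u = c.supplier, (utility(c, current) if current.alive else 0.0)
        for p in options.values():
            if p.alive and p.name != c.supplier and utility(c, p) - switch_cost > best_u:
                best, best_u = p.name, utility(c, p) - switch_cost
        c.supplier = best

def served(consumers, providers) -> float:
    """Resilience metric: share of firms whose supplier is still operating."""
    alive = {p.name for p in providers if p.alive} | {INTERNAL}
    return sum(c.supplier in alive for c in consumers) / len(consumers)

def run_shock(switch_cost: float, periods: int = 3) -> dict:
    """Constructed scenario: ten firms start on internal IT, migrate, then the cheap provider exits."""
    providers = [Provider("cheap-flex", 0.10, 0.3, 0.9),
                 Provider("secure-restricted", 0.30, 0.9, 0.4)]
    consumers = [Consumer(f"firm-{i}", i / 9) for i in range(10)]
    for _ in range(periods):
        step(consumers, providers, switch_cost)
    providers[0].alive = False   # the shock: a provider fails
    step(consumers, providers, switch_cost)
    return {"served": served(consumers, providers),
            "stranded": [c.name for c in consumers if c.supplier == "cheap-flex"]}
```

With a high switching cost (0.25) the three least security-minded firms are left without a supplier after the shock, whereas with a low one (0.05) every firm re-homes; the same firms migrate the same way before the shock in both cases, so lock-in alone explains the difference.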
The model has been developed as part of the UK Technology Strategy Board-funded 'Cloud Stewardship Economics' project. This project, led by HP Labs' Cloud and Security Lab, brings together companies (Sapphire, Validsoft, Marmalade Box), mathematicians and economists from the Universities of Aberdeen and Bath, Lloyd's of London, and the IISP. In this project, we have performed a series of empirical studies of how certain enterprises are consuming cloud services, and how they manage stewardship concerns. We have used these studies to develop a series of economic models, including a switching model that uses real option theory to help firms re-use the financial modeling (taking into account the time value of money) associated with valuing different states and handling uncertainty, in the context of whether and when to 'switch' from internal IT to cloud computing. We have also developed models of macro-migration behavior and of the expected benefits of on-demand services, which we have used to inform and calibrate our system model.
Engaging The Profession
We plan to use this model to support scenario-planning workshops with security professionals and other stakeholders in order to generate new ways of thinking about cloud risk and security. We also plan to develop pragmatic decision support tools for cloud stewardship.
Figure 4: A visualization of the modeled cloud ecosystem
We still need to develop our models, and our modeling infrastructure, to support real-time simulation that allows clients to explore the influence of parameters that are endogenous and exogenous to the cloud market (see Figure 4). We will also continue to refine the model and to incorporate ongoing conceptual and economic research on cloud stewardship.
Our next step is to take our current model and scenario plans and run a workshop with the security profession in 2012.
1. Stewardship can be considered to be the maintenance of effective institutions to facilitate or encourage activities that are deemed important.
2. This ignores many of the drivers involved in creating services that exploit large scale security and easy to use 'platforms', but allows us to concentrate on interactions nearer the business layer.
3. We have also been influenced by work on stewardship in financial reporting.