Not long ago, a researcher at pharmaceutical company Eli Lilly and Co. needed to analyse a lot of data fast. If the results turned out as he believed, the company could have a world-beating drug on its hands.
The only trouble was that the researcher would need 25 servers to crunch the huge volume of data, and he knew it could take up to three months to get approval for the investment. In an industry where the cost of delaying a product is very high, $150 per second according to Eli Lilly’s global head of security Adrian Seccombe, that three-month wait would be very expensive.
Benefits of cloud computing
Seccombe takes up the story:
“[The researcher] went to a tame IT guy who’d been playing around in this thing called ‘the cloud’. The guy got out his credit card, plugged it into Amazon Web Services, and had 25 servers up and running in the cloud within an hour.”
The two realised they’d built the servers wrongly so they had to take them down and start again. The second time, it took them 40 minutes to get the servers up and running.
“Within two hours, they were crunching the data. The research time had suddenly collapsed from three months to two hours,” Seccombe said.
And there is more. When they realised the analysis would not be complete by the time they wanted to go home, they were able to crank up the power and bring on more servers to speed things up. “They wanted to get the data back from the cloud as they felt a little uncomfortable leaving it out there overnight.”
They completed the task and were given a bill from Amazon for $89. At $150 per second, a three-month wait would have cost more than $1 billion.
Cloud computing services: Balancing risk and convenience
The cost comparison is mind-boggling and demonstrates the sheer power of the cloud computing concept. But for Seccombe, the example also underlines some problems with the model and highlights some risks of cloud computing.
“They repatriated the data results, and did it securely over a secure line that goes end-to-end into the Amazon cloud. It was secure and quick.”
Or was it? How could they prove there was no trace of their data left in the Amazon cloud? They had to take Amazon’s word for it.
It is just one of many questions being raised with the advent of cloud computing, Software as a Service (SaaS) and the new collaborative model that relies on companies sharing their digital assets.
And it is why Seccombe, wearing his other hat as a member of the Jericho Forum, a security think-tank, has been working recently with others in the group to come up with some kind of framework to chart how cloud computing can be done effectively and securely.
The result of this work, due to be unveiled officially in March, is a three-dimensional cube that attempts to map out in graphic form the key decisions that companies will have to make when deciding which tasks can be safely consigned to the cloud, which should be kept under lock and key, and how to tie all the various ways of working together.
For the last five years the Jericho Forum has been challenging conventional thought about information security and mapping out the requirements of a “deperimeterised” world where solid boundaries are replaced by mobility and collaboration between organisations.
Last year, Jericho laid out its Collaboration Oriented Architecture (COA) guidelines, which defined how systems could work together without jeopardising security. Now it is going further to map out cloud computing security requirements. The results of this latest exercise raise some challenges for the security industry, but outline some interesting opportunities for those with the vision to seize them.
The cloud collaboration model
The main message of the group is that the cloud can incorporate a variety of approaches, according to the level of control needed over a process.
The cloud collaboration model looks like a Rubik’s Cube with four faces on each side — thereby creating eight separate sub-cubes that represent different types of working.
The three dimensions of the cube are:
- Open/ proprietary
- Perimeterised/ deperimeterised
The model is intended to help companies categorise their business processes and ultimately plan the kind of systems architecture they are going to need going forward to fully utilize the benefits of cloud computing services.
“It’s a mistake to see the cloud as one thing,” Seccombe said. “You can have internal proprietary perimeterised clouds, and you can have external, open, deperimeterised clouds.
“Inside Eli Lilly, we are trying to decide where we want to do what business processes. For example, bringing together the ingredients for a pill — we probably wouldn’t do that with an open, external deperimeterised cloud. That is more likely to be proprietary, perimeterised and internal, still using cloud technologies possibly, but I need more control over it.”
The key going forward is to build efficient and secure interfaces between the various sub-clouds so that business in the cloud can work in a seamless way, and create the necessary services to make it happen.
One of these, for example, could be an independent service to check the repatriation of data from the cloud once a task is finished. “It’s not that we don’t trust Amazon, but it is a question of separation of duties,” he said. “You don’t want the auditor to be the one who’s providing the service.”