Learn background information on cloud computing deployment models and see how to select a cloud service to meet your on-demand service requirements.
Key Concept
Cloud computing is a technology that enables the delivery of on-demand services over the Web on or off premise. Cloud computing can improve your SAP CRM operations at three service levels — software, platform, and infrastructure.
Cloud computing involves the sharing of software, data, hardware, and other resources. Cloud services are delivered and consumed on demand over the Web. Using a cloud service provides faster service from mobile devices and desktop workstations. Service rentals, low operational costs, and lower energy costs are some of the reasons for the increasing popularity of cloud services.
For each cloud service, one or more of the four deployment models (private, community, public, and hybrid) are available. The choice depends on an SAP customer’s service requirements. Here is some background information on the four deployment models:
- A private cloud facilitates the processing of services within the organization. It can be managed by the organization or by a third party; it may exist on premise or off premise. It offers services with the least risk of all the different cloud types because it restricts user access and the networks to a particular organization. Private data is stored in known locations. The part of SAP CRM that best benefits from the private cloud model is sensitive SAP CRM data, such as personal data from credit cards used to purchase an item in compliance with regulations (e.g., Payment Card Industry Data Security Standard [PCI DSS]).
- A community cloud goes one step further than a private cloud. It is used by multiple organizations to share risk and security costs. Organizations share interests and concerns such as specific security requirements, policies, missions, and compliance and certification requirements. Unlike with a private cloud, data can be stored with the data of competitors. The facet of SAP CRM that best benefits from the community cloud model would be social networking, such as blogs, feedback, and wiki Web sites.
- A public cloud service is available to the general public or a large industry group from a service provider over the Internet. Data may be stored in unknown locations and may not be easily retrievable. The public cloud provider provides access control mechanisms for each use. The part of SAP CRM that best benefits from the public cloud model is SAP CRM non-mission-critical tasks, such as a location finder service that helps a customer find the location of a particular store.
- A hybrid cloud combines one or more public and internal/external private clouds that interoperate with one another. An organization can, for example, outsource non-mission-critical information and processing to the public cloud while keeping mission-critical services and sensitive data in a private cloud within the organization. A hybrid cloud aggregates the risk of combining different deployment types. To ensure data is assigned to the correct cloud type, data needs to be carefully classified and labeled. Examples include cloud bursting for load-balancing between SAP CRM private and public clouds, or for testing scalability of an application in the public clouds using test data (while leaving sensitive data at the data center or a private cloud).
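One way to enforce the classification and labeling that the hybrid model depends on, as an added example that is not part of the original article. The label names, the per-model ceilings, and the asset names are assumptions chosen to mirror the four bullets above; unlabeled data is rejected rather than treated as harmless.

```python
from dataclasses import dataclass
from typing import Optional

# Sensitivity labels, lowest to highest. The label names are assumptions
# made for this example; the article does not define a labeling scheme.
LEVELS = {"public": 0, "internal": 1, "restricted": 2}

# Highest label each deployment model may hold, following the article:
# public cloud for non-mission-critical data, community cloud for shared
# content, private cloud for regulated data such as cardholder records.
CEILING = {"public": "public", "community": "internal", "private": "restricted"}


@dataclass(frozen=True)
class Asset:
    name: str
    label: Optional[str]  # None means nobody has classified the data yet
    target: str           # deployment model the plan assigns it to


def check_placement(assets):
    """Return (asset name, reason) for each asset that must not deploy as planned."""
    violations = []
    for a in assets:
        if a.label not in LEVELS:
            # Fail closed: unlabeled data is never assumed to be harmless.
            violations.append((a.name, "missing or unknown label"))
        elif a.target not in CEILING:
            violations.append((a.name, f"unknown deployment model {a.target!r}"))
        elif LEVELS[a.label] > LEVELS[CEILING[a.target]]:
            violations.append((a.name, f"{a.label} data exceeds {a.target} cloud ceiling"))
    return violations


# Constructed hybrid-cloud placement plan (all names are illustrative).
PLAN = [
    Asset("cardholder_records", "restricted", "private"),
    Asset("store_locator_feed", "public", "public"),
    Asset("customer_wiki", "internal", "community"),
    Asset("cardholder_records_burst_copy", "restricted", "public"),
    Asset("load_test_fixture", None, "public"),
    Asset("sales_pipeline", "internal", "public"),
]

if __name__ == "__main__":
    for name, reason in check_placement(PLAN):
        print(f"BLOCK {name}: {reason}")
```

Running a check like this before a cloud-bursting or migration job starts keeps a mislabeled or unlabeled data set from leaving the private cloud.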
Cloud Service Models
You can choose from the following cloud service models from SAP, which I describe in detail next:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
Cloud Service Type 1. Software as a Service
First, a third-party provider licenses an SAP CRM SaaS application to the consumer (i.e., a company that needs an SAP application, but does not do business directly with SAP) mostly for Web use as a service on demand. This is done either through a subscription or a pay-as-you-go model for one of the four deployment models. SaaS consumers do not have hardware or software to buy, install, maintain, or update.
With SaaS, consumers do not control deployed applications, operating systems, storage, or networking. The only skills the consumers must have are the skills to use the application from a desktop or mobile device. They can manually connect to it or initiate an automatic connection of on-premise data to SaaS.
You can use SaaS to process business tasks related to SAP CRM such as computerized billing and invoicing, human resource management, and Service Desk. When consumers are done using the SaaS application or the subscription expires, the provider usually disables the application. Consumers must renew a subscription to use the same SaaS application.
Cloud Service Type 2. Platform as a Service
PaaS, which is a hosted service, helps you save electricity needed to power servers and keep them cool. Unlike SaaS, which provides individual SAP CRM functionalities, PaaS provides a full life cycle for the SAP CRM cloud platform on which the provider can build, deploy, run, and manage upgrades and patches.
PaaS is a type of virtual private cloud. It focuses on the entire life cycle of a business — that is, all functionalities you need to run SAP CRM (e.g., spreadsheets, word processors, backups, billing, payroll processing, invoicing, and sales pipeline management). The consumer controls the applications of a business life cycle. Unlike with IaaS (which I explain next), the consumer does not control the operating system, hardware, or network infrastructure on which the applications are running. The consumer would find the PaaS useful for a CRM mashup application (e.g., collecting and integrating SAP CRM personal data into a spreadsheet at the click of a mouse).
A typical PaaS consists of four types of environment: development, execution, testing, and team development services (e.g., version control and task management). Therefore, you can develop applications from creation to deployment on the Internet. The platform is typically a virtual machine (VM), but it can also be an application framework (and therefore, you can have more than one VM).
For example, you (as the consumer with your team) can develop, test, update, and execute an application in a VM to set up a life cycle (e.g., workflow) of tasks the consumer needs to do to get and keep customers. The tasks may begin with getting contact information from potential customers and putting them in the email address book.
Once done, the life cycle automatically goes to the next step of choosing a prepared introductory sales letter or a word processor to write up the letter you would send to this customer. When the customer responds with an inquiry for a list of products, you get an email alert. When you answer the alert, the life cycle moves to the next stage — entering the list in a spreadsheet and then sending the product to the customer. After the customer makes his selection, you go to the life cycle stage of preparing an order form and sending it to the customer for his approval. After approval, you then use the spreadsheet to send an invoice of the items with expected delivery times. The life cycle moves forward until your customer is satisfied.
Make sure that at each stage of the life cycle, you back up your worksheets, documents, email addresses, pictures, slides, and other material you use to get and keep the customer. Whichever life cycle you choose for your application, the VMs should be in a compatible format. This enables the consumer to take a VM and deploy it with one cloud provider (non-SAP) then deploy it to another cloud provider (SAP) without changes. If the VM format with one provider is not compatible with the VM format of a different provider, the consumer runs the risk of the high cost of changing to the VM format or building a new one from the ground up.
Note
In February 2009, SAP acquired the intellectual property rights of Coghead, Inc., a Silicon Valley company that provides a PaaS Web development technology. Coghead works with SAP in various aspects of SAP’s SaaS technology and application initiatives.
Cloud Service Type 3. Infrastructure as a Service
IaaS goes one step further than PaaS by allowing consumers to pay per use of the infrastructure of traditional computing resources in a virtual on-demand environment over the Internet. Traditional computing resources include servers, data storage, and system and network equipment, as well as operating systems and software to control the services. The consumer can control the operating system, storage, and deployed applications at the VM level. The consumer can scale the number of virtual servers or blocks of storage area up or down.
The consumer can also configure virtual services and storage while using the provider’s application program interface (API). Standard APIs give users more flexibility to move to another cloud database provider without major changes while mitigating the risk of changing service providers.
IaaS comes in any of the four deployment models. It is a virtual private cloud if the public cloud (hosted by service providers) that it’s built on has highly secure and dedicated resources for each customer. If an enterprise provides cloud services in its own data center, that is considered a private cloud; if it uses cloud services hosted by a service provider, it is a public cloud. If several organizations share interests and concerns in an IaaS, it is a community cloud. As I stated earlier, a hybrid cloud is a combination of two or more deployment models. For instance, it enables enterprises to run workloads on premise and migrate portions of the workloads to public clouds for testing applications.
While the public clouds offer the best economies of scale, they can limit security and service level agreements (SLAs).
Note
An SLA sets the minimum performance criteria a provider must guarantee to the consumer when delivering the service in known locations and sets the penalties the provider must pay when performance falls below the guaranteed level. Since locations in public clouds are not known, the use of an SLA is limited.
The private cloud alternative avoids these risks and is more secure, due to, for example, a company’s defense-in-depth strategy, but it has modest economies of scale. In the middle are the hosted virtual private clouds offered by service providers. The hosted virtual private clouds are built on highly secure or dedicated resources and have greater economies of scale for each consumer.
IaaS is well suited for medium-sized businesses that do not have permanent infrastructure IT staff to run the software. In an IaaS deployment for an enterprise that already has permanent infrastructure IT, the enterprise manages its own virtual servers. IT staff would require many of the same technical skills as they would when managing a physical local server. The IT staffer must be able to interface with and navigate through the cloud provider’s support system for the use of APIs (and navigate the VM servers).
Cloud Service Security
Service providers must show they have effective security controls in place to assure their customers that their information is properly secured against unauthorized access, change, or destruction, and that update schedules closely match the customer’s business cycles. Security controls include secure access controls for users with the appropriate level of authority and clearance, a backup and recovery policy, contingency planning, and risk assessment. Controls also include an SLA that sets minimum service availability criteria a provider must meet while delivering the service. If the availability risk is not at an acceptable level, the SLA sets out the remedial action and spells out sanctions for failure to comply.
After security controls have been applied, residual risks remain. When new security controls emerge or existing controls are changed due to technology, policy, or legislation, some residual risks may need to be mitigated. It is important to consider security controls for the following cloud computing concerns:
- Different sets of compliance regulations: The distributed nature of cloud services, particularly the public cloud, can add jurisdictional issues to regulatory compliance if each country has a different set of compliance regulations on the export of SAP CRM-related personal data. To mitigate risk, ensure that a policy on jurisdictional issues is in place (e.g., migrate to a private cloud with a known location).
- Poor resource management: Unbalanced resource consumption can reduce the operational availability of SAP CRM data required by compliance regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Reusing IP addresses can lead to an unintentional Denial of Service (DoS). In both instances, availability and security risks are higher. To avoid this, ensure that your SAP CRM system has a backup and recovery policy and resource management in place. Make sure IP addresses are not reused and the assignment of new IP addresses is automatic. For information on recovering resources disrupted during a disaster, see my article “Avoid Losing Valuable Sales and Customer Data by Using Backup and Recovery in Depth” posted to the SAPexperts CRM hub in April 2010.
- Risk of compromise: Third-party access to sensitive information in both known and unknown locations may create a risk of compromise to SAP CRM-related confidential information, particularly when the third party can inject code into the application source that redirects visitors to a Web site from which the data can be compromised. Other governments, agencies, or corporations could gain access to a customer’s data without his knowledge. To mitigate these risks, ensure secure access controls are in place and the source code is entirely encrypted.
- Viruses, botnets, and implementation flaws: SAP CRM SaaS can be infected with a virus that results in a DoS. PaaS as well as IaaS platforms have already been used as Command and Control centers by hackers to direct the operations of a botnet (robotic network of computers) for use in distributed denial of service (DDoS) attacks and for installing malware. IaaS clouds can be abused for large-scale spam, a DoS, or Command and Control functions. Poor credentials, protocol exposure, and implementation flaws in remote management can threaten the security of IaaS models.
Cloud Computing Governance
As part of SAP CRM cloud computing governance, the consumer and service provider should each appoint or hire a cloud computing security officer to ensure security controls are in place (including business continuity and disaster recovery plans) and mitigate risks after the controls are applied. The officers must collaborate with legal professionals to ensure the appropriate levels of security and privacy are achieved. They should collaborate with a system administrator and network manager on common formats of VM types.
In the event of a regional disaster such as a flood, the security officer for the provider must ensure physical servers used in the cloud will fail over to other servers that are not in the same region. He sets the standards for security controls and sanctions for failures to comply. The security officer for the consumer should ask the provider’s counterpart about how laws vary from one country to another regarding data export controls. Country laws governing personally identifiable information can vary greatly — what is allowed in one country can be a violation in another.
The security officer should also recommend hybrid cloud deployment as the preferred method for obtaining compliance with regulations including the Federal Information Security Management Act (FISMA) and HIPAA in the US, the Data Protection Directive in the EU, and the credit card industry’s PCI DSS. In addition, customers in the EU renting from cloud providers established outside the EU must comply with the EU regulations on export of SAP CRM personal data.
Judith M. Myerson
Judith M. Myerson is a systems architect and engineer and an SAP consultant. She is the author of the Enterprise System Integration, Second Edition, handbook, RFID in the Supply Chain: A Guide to Selection and Implementation, and several articles on enterprise-wide systems, database technologies, application development, SAP, RFID technologies, project management, risk management, and GRC.
You may contact the author at jmyerson@verizon.net.