Acting on my mandate as the CIO of a US-based international shoe manufacturing company, I am ready to initiate geographically distributed cloud-based computing model. The major concerns in implementing this option include security, regulation, and redundancy. This extends my mandate to tackle these issues and maintain high redundancy rates of 99.999% availability so that international shareholders such as web customers, manufacturers and retailers could be served well. In deciding which option to make, reference must be made to addressing foreign policy and national security provisions made by the Export Control. My review will therefore be focused on reading Addressing Export Control in the Age of Cloud Computing and suggesting the company’s best direction to pursue.
Key Policy Questions and Issues the Company Might Face
Export Control in the United States plays a critical role in ensuring that the national interests and foreign policy regulations are adhered to. The United States imposes restrictions on certain software, products, and technology exports. Trade, Defense, Interior, Power and other U.S. departments monitor the information flow from the U.S.
Cloud computing is a new and emerging concept. One of the most fascinating aspects of cloud computing is the autonomy it offers. While it has not been with us for long, it is undisputed that it has proven to be a significant catalyst for commercial and small and medium-sized enterprises success and hopefully will continue the next decades. Clouds are of particular interest not only in the expansion of the trend to outsource IT to reduce overhead management and extend existing restricted IT infrastructures, but also in particular, they reduce the entrance barrier for new players to deliver their respective goods and services to a wider market with minimal entry and exit costs and infrastructure. The lack of obligations in terms of term or quantity, pay as you go pricing model, and unlimited entry and exit tend to provide a license for impulsive behaviour. Tempting as it may be to move delivery to the cloud, IT managers know that their company depends on careful planning (Lorna Uden, 2012).
The main policy issues the firm is likely to face include privacy, jurisdiction and protection. The concept of jurisdiction is applicable where data originates from one location i.e. US and finding itself elsewhere, i.e. Europe. Europe. Because export control mainly concerns data transfer, the question of whether the organization can comply must be addressed as it adopts the cloud (Villasenor, 2011).
The products and services offered by the company also need to be scrutinized to establish whether they comply with Export Regulations. This company is a shoe manufacturer and the first question that should come to mind is whether shoe goods are subject to legislation regulating export controls. Information concerning the products and the technologies used to manufacture the products is of great concern. The flow of information in the clouds is ubiquitous and it remains notable if export control regulations apply to them as well. This is because method of processing information and the information technology environments utilized for production are complex and fall under export control. Notably, software deployment and utilization techniques explicitly implemented to leverage cloud computing environments may arise export control violations when some components of the cloud are based outside the US (Villasenor, 2011).
Cloud-Based Services Recommended Affording High Redundancy
It also facilitates collaboration between remote locations. Hence, it is economical and facilitates valuable service delivery. There are a number of cloud service providers in the market. The two major industry players analyzed for this paper includes Microsoft Azure and Amazon’s Web Services (Lorna Uden).
Cloud computing can be offered in four major types. These include private clouds, public clouds, community clouds and hybrid clouds. Private clouds are developed for an exclusive group of trusted users that uses a single tenant operating environment. An example of this offering is an organizations data centre that provides services to employees or users in remote locations. The services are designed to fit their demands and access privileges are restricted to them alone. This defines private cloud computing. Though the user can access the pool of resources necessary for their operations, they are not located in their proximity.
Public clouds are an opposite of private clouds. Services and resources in public clouds are provided to organizations who do not which to invest in an in-house hosting. A subscriber will access the services via internet. Examples of this offering are Amazon’s Elastic Compute Cloud (EC2), Simple Storage Services S3 and Simple DB (Rittinghouse JW, 2009).
Community clouds are a development by a group of people pursuing a common objective. NIST defines community clouds as an infrastructure shared by several organizations in a community with specific shared concerns. It is a subset of public clouds that is tailored to perform a specific function in government, healthcare, finance and educational industries (Claybrook, 2014).
Amazon S3 is the preferred cloud solution to be implemented by the US-based shoe manufacturing company. Amazon S3 is Amazon’s Cloud Storage service. It has a simple web-service interface that allows storage and retrieval of any amount of data, at any instance from anywhere in the world. It provides users with highly scalable solutions, reliability, security, and efficiency. The service is especially important for web developers or organizations who want to develop their own applications because it is designed to simplify web-scale computing. Other than storage and development, Amazon S3 provides data transfer service such as AWS Govcloud Region for USA government. The recommendation for Amazon is based on compliance with export control rules and regulation compliance and security and performance guarantees (Amazon, Amazon SimpleDB, 2014).
Amazon’s S3 pricing model is pay when you use it. The prices are computed on a monthly basis based on the services provided and the location of S3 bucket. It attracts no minimum fee, hence a favorable option for many organizations. Gateway security is offered in three choices: Gateway-Stored volumes, Gateway-Cached Volumes and Gateway-Virtual Tape Library (Amazon, Amazon, 2014).
One of the most important considerations that is applicable to the shoe-manufacturing company is import and export security. AWS provides a simple but robust Import/Export security framework. If there is a requirement to transfer large amounts of data across different geographic locations, AWS transfers data directly to the desired location using its high-speed Import/Export internal network. AWS Import/Export requires the user to authenticate the storage device using a digital signature and a unique job identifier.
Security Reasons for Selecting the Options
The AWS cloud infrastructure is based on highly secured data centers that employ state-of-the-art surveillance techniques and multi-factor access control systems. Its data centers are located in geographically dispersed locations and are staffed 24/7 with security personnel as well as controlled access.
S3 provides a number of security features which ensure that its data is protected on the data centers. AWS Storage Gateway Security is one feature where the cloud-based storage is connected with the on-premise software appliance to facilitate seamless integration between IT environments and AWS infrastructure.
Amazon S3 is designed to be tolerant of faults even with deficiencies in the infrastructure. Its data centers are built in clusters in many regions across the world, and every data center is online, serving customers concurrently. In case one of the data centers goes down, customer requests and traffic are routed away from affected areas. For the manufacturing company, they have the option of storing data in multiple geographic locations; say US, Germany and Switzerland (Rittinghouse JW, 2009).
Amazon provides highly durable storage infrastructures in its S3 offering. Objects are stored redundantly across many S3facilities and the guarantee of data protection against loss is very high. The level of reliability and availability is effectively guaranteed, whether S3 is used for permanent storage or not cloud provisioning. The durability of an object stored in S3 is 99.999999999% implying that the probability of losing a single object out of 10,000 of them is one in every 10 million years. This level of redundancy surpasses what the US manufacturing company requires. The storage in S3 architecture is designed in such a manner that the concurrent loss can be sustained in two separate storage facilities.
Another option for S3 is that any object that is stored in it is simply a cloud copy of a permanently preserved original copy elsewhere. It implies that if a need occurs the entity can be regenerated or re-derived. In cases where this is a disadvantage, S3 introduced standard storage classes where objects are stored with eleven 9’s of redundancy. For objects that require low redundancy, the reduced redundancy storage is suitable (Amazon, Amazon, 2014).
Extent that Export Controls Play in Your Cloud-Based Solution
The shoe-making business plans to open branches across the globe. This implies seamless integration and exchange of information. In one way or another, export violations may be occurring daily. For instance, if the facility will leverage time zone differences between US and Europe and transfers most of its processing to any particular location when the servers there are not busy (night), then, violations might be occurring frequently. Even though the violation is occurring, the user and the provider are not privy to it owing to the physical location of the servers which is intentionally abstracted.
The Department of Commerce Bureau of Industry and Security has given two advisories which related to provider activities in export control issues, and this advisories will affect the shoe manufacturing company. The first refers to the aspect of providing computational capacity to the user without providing the necessary technical control, data or assistance. If Amazon AWS provides the cloud solution without the technical knowledge on how to use it, it would not be subjected to EAR, but if technical assistance is required to facilitate its use, then the technology is subjected to EAR. Notably, a cloud solution requires some expertise on how to use it, security configurations and other related aspects which are provided by the service provider technical personal. If this path is followed, then Amazon and the company would be affected by EAR controls (Villasenor, 2011).
The second aspect regards deemed exports and concerns the release of technology to a foreign national. To iron out the issue, BIS has made a distinction between cloud providers and cloud service users with respect to this provision. The activity of providing computational services to a client within or outside the United States is not subjected to EAR because, the service provider, in this case Amazon, is not an exporter of technology. Therefore, the shoe manufacturing company will not be affected by sourcing cloud service provision from Amazon.
In conclusion, it is recommended that the cloud provider and the vendor reach a common ground with respect to control of physical location with which cloud services are to be offered. This will help in ironing out issues and preventing unintended export control violations (Villasenor, 2011).
Graphic representation of solutions
- Amazon. (2014). Amazon. Retrieved from APC Back-UPS ES 8 Outlet 550VA 120V: http://www.amazon.com/APC-Back-UPS-Outlet-550VA-120V/dp/B0019804U8/ref=lp_764572_1_1?s=pc&ie=UTF8&qid=1415911499&sr=1-1
- Amazon. (2014, Nov 11). Amazon SimpleDB. Retrieved from Amazon Webservice: http://aws.amazon.com/simpledb/
- Claybrook, B. (2014). Comparing four cloud computing strategies. TechTarget.
- Gardner. (2013 October). Gartner Says Cloud Computing Will Become the Bulk of New IT Spend by . Cloud Strategies and Adoption at Gartner Symposium/ITxpo 2013 October 21-24 in Goa. India.
- Lorna Uden, F. H. (2012). 7th International Conference on Knowledge Management in Organizations: Service and Cloud Computing. Springer.
- Rittinghouse JW, R. (2009). Security in the Cloud. In: Cloud Computing. Implementation, Management, and Security,. CRS.
- Villasenor, J. (2011). Addressing Export Control in the Age of Cloud Computing. Brookings: Center for Technology Innovation.