the cloud report 04—2019: Cloud Security
Additional: Security in Hybrid Clouds – Security Awareness – Secure Development – Digital Transformation – Strategic Alliances
Source: the-report.cloud/wp-content/uploads/2019/10/Cloud...



Image Service

Providers compared: AWS, Azure, Google Cloud Platform, IBM Cloud, OTC, OVH

Which operating systems are offered by the provider, with which versions?

– AWS: Windows: Windows Server 2008, 2012, 2016 Build 1809, 2019. Linux: Amazon Linux 2, 2018.03; CentOS 6.x, 7.x; Debian 8.x, 9.x; Fedora 26, 27, 28, 29; Ubuntu 14.04.x, 16.04.x, 18.04.x; SUSE Enterprise Linux 12, 15; Oracle Linux 6.8, 7.x; Red Hat Enterprise Linux 6.8, 7.3

– Azure: Windows: Windows Server 2008 R2 SP1, 2008 SP2, 2012 R2, 2016, 2019; Windows Server 2016 Build 1709, 1803, 1809; Windows 10. Linux: CentOS-based 6.9, 7.4; ClearLinux; Container Linux; Debian 8, 9; Red Hat Enterprise Linux 7.x; SLES 11 SP4, 12 SP3; Ubuntu 14.04, 16.04, 18.04

– Google Cloud Platform: Windows: Windows Server 2008, 2012, 2016, 2019; Windows Server 2016 Build 1709, 1803, 1809. Linux: CentOS 6.x, 7.x; Container-Optimized OS dev, beta, stable, 69-lts; CoreOS alpha, beta, stable; Debian 9.x; Ubuntu 14.04.x, 16.04.x, 17.04.x, 18.04.x; SLES 12, 15; SLES for SAP 12-sp2-sap, 12-sp3-sap; Oracle Linux 6.8, 7.x; Red Hat Enterprise Linux 6, 7; RHEL for SAP 7-4-sap, 7-6-sap-ha

– IBM Cloud: Windows: Windows Server 2012, 2016. Linux: CentOS Minimal 6.x, 7.x; CentOS LAMP 6.x, 7.x; Debian Minimal Stable 8.x, 9.x; Debian LAMP Stable 8.x; Red Hat Minimal 6.x, 7.x; Red Hat LAMP 6.x, 7.x; Ubuntu Minimal 14.04, 16.04, 18.04; Ubuntu LAMP 14.04, 16.04, 18.04

– OTC: Windows: Windows Server 2008, 2012, 2016, 2019. Linux: openSUSE 15.x, 42.x; CentOS 6.x, 7.x; Debian 8.x, 9.x; Fedora 26, 27, 28, 29, 30; EulerOS 2.x; Ubuntu 14.04.x, 16.04.x, 18.04.x; SUSE Enterprise Linux 11, 12, 15; SUSE SAP 12; Oracle Linux 6.8, 7.2; Red Hat Enterprise Linux 6.8, 7.3

– OVH: Windows: Windows Server 2012, 2016, 2019. Linux: CentOS 6, 7; Debian 9, 8, 7; Fedora 29, 27, 26; Ubuntu 16.04, 17.10, 18.04, 18.10, 19.04; FreeBSD; CoreOS; ArchLinux

Can own images be uploaded? Yes for all six providers.

Can existing licenses be used to minimize costs? Yes for all six providers.

Is there an image build service?

– AWS: no. Supported formats: OVA file, VMDK, VHD, RAW
– Azure: yes. Supported formats: VHD, VMDK, VHDX, QCOW2, RAW
– Google Cloud Platform: yes. Supported formats: VMDK, VHD, VDI, VPC, QCOW2, RAW
– IBM Cloud: yes. Supported formats: VHD, VMDK, QCOW2, AKI, ARI, AMI
– OTC: yes. Supported formats: VHD, ZVHD, VMDK, VHDX, QCOW, QCOW2, RAW, ZVHD2, VDI, QED
– OVH: yes. Supported formats: AKI, ARI, AMI, ISO, QCOW2, RAW, VDI, VHD, VMDK

Can images be created from existing cloud instances? Yes for all six providers.

Are different patch levels of images available? Yes for all six providers.

Monitoring

Providers compared: AWS, Azure, Google Cloud Platform, IBM Cloud, OTC, OVH

Dashboard: yes for all six providers.

Which cloud resources will be monitored? VMs, apps, network, load balancer and storage: yes for all five resource types at all six providers.

Connection/usage of external monitoring solutions: AWS yes; Azure yes; Google Cloud Platform yes; IBM Cloud yes; OTC no; OVH yes.

Costs per month: AWS € 49.49 / $ 55.50; Azure € 22.31 / $ 26.45; Google Cloud Platform n/a; IBM Cloud n/a; OTC n/a; OVH n/a.


Editorial

Lately, since Europe got the new version of the GDPR, everybody in the IT world is talking about security. Most of all, data security. Are my data safe in a cloud? Should I revive my own data center? Do I stay the owner of my data? For now, we can answer: they can be safe. Maybe approach a hybrid solution. And, of course, you stay the owner of your data!

With this “They can be safe”, the interesting part starts: how? We do not have the answer to that question, but we have some thoughts about it.

But data security is not the only part of security issues. There are questions about the security of data centers: are they fireproof or waterproof? Are they near an airport? What information does my cloud provider give to me? Do I really know where my data are? Another question is access. Who can see which data? Are the passwords strong enough?

The weakest part of security is sitting in front of the screen. Am I aware of the things I can influence in a good or in a negative way? Customer, stay in touch with your provider. And provider, keep in mind that you need the trust of your customers, so be trustworthy.

In this issue Jurlind Budurushi leads to some general security topics, Trend Micro introduces their security approach, Birgit Hess from SAP is talking about the challenges concerning security and digitization, and Karsten Samaschke tells you how you develop securely.

Furthermore, Julia Hahn thinks about strategic alliances in a globally working industry, and Christiane Zehrer gives practical tips about the agile transformation.

All the best for you and a lot of fun while reading!

Friederike Zelke

Imprint

Publisher Cloudical Deutschland GmbH, Edisonstr. 63, 12459 Berlin

Managing directors Michael Dombek and Karsten Samaschke

Publishing director / Editor in chief Friederike Zelke

Editorial office Julia Hahn, Emelie Gustafsson

Online editorial Stefan Klose

Artdirection and Layout Anna Bakalovic

Production Andreas Merkert

Editorial office contact [email protected]

Sales contact [email protected]

Copyright © Cloudical Deutschland GmbH

the cloud report published by Cloudical Deutschland GmbH

Edisonstr. 63, 12459 Berlin

Managing directors Michael Dombek and Karsten Samaschke

Mail: [email protected]

the-report.cloud

ISSN 2626-1200

The Cloud Report is published quarterly at the beginning of January, April, July and October. The Cloud Report is available in two versions: the online edition, which can be accessed online or downloaded from the homepage, and the printed edition, which can be subscribed to at a price of 20 Euros a year via the personalized customer portal in which a personal account is set up. When you register, please enter the information to specify the edition in which you want to obtain the report. The subscription can be cancelled at any time via the personal access of the subscriber, or by e-mail at the latest two weeks before the publication of the new edition via the e-mail address: [email protected]. We collect relevant personal customer data for the subscription. Individual issues can also be purchased without a subscription at a price of 5 Euro; in this case too, relevant personal data will be used to fulfil the purchase contract. Further information can be found at: http://the-report.cloud/privacy-policy

Table of Contents

EDITORIAL
– Editorial 1

FOCUS
– A two-way approach towards security in Cloud Computing 4
– Addressing Security Challenges in Hybrid Cloud Environments 12
– Secure Development 18

INTERVIEW
– Interview with Birgit Hess 22

PROJECT LEADERSHIP
– Global Strategic Alliances in the IT Ecosystem 26
– Agile Transformation for small- and medium-sized enterprises: first steps 30

CONFERENCES
– Global Digital Women and the SAP Kitchen 34

ADVERTORIALS
– Welcome to the Club! 17
– Go Community meets again 35

TESTS
– We are testing clouds 36
– And the winners are … 37
– Test Results 38


Focus

A two-way approach towards security in Cloud Computing

This article is the first of a series of articles providing an overview of security challenges in cloud computing, and respective solutions addressing such challenges.

By enabling a long-held dream of computing as a utility [1], Cloud Computing has become one of the major technology trends in the last decade. Due to its flexible and agile nature, Cloud Computing is continuously and significantly transforming a large part of the IT industry [2]. Its philosophy shift from a system- to a service-oriented approach has paved the way to develop innovative ideas, i.e. new services and/or business models, without the necessity of large capital expenses in computing and/or human resources. In addition, Cloud Computing naturally supports the rise of the so-called data economy, i.e. the ability to monetize data, for instance through big data analytics [3, 4], or by enabling new paradigms such as “bring users to the data”, especially relevant in fields processing very large amounts of data, like the space industry [5] or weather forecast institutions [6]. However, despite the many benefits and use cases, one of the major concerns for adopting Cloud Computing is security [7].

Consequently, the main goal of this series of articles is to provide an overview of security challenges in Cloud Computing, and respective solutions addressing such challenges. In order to achieve this goal, this series introduces a two-way approach: a holistic and a pragmatic approach. The holistic approach focuses on security challenges in Cloud Computing from a big-picture overview, introducing the necessary theoretical background and the respective theoretical solutions. The pragmatic approach focuses on security challenges in Cloud Computing from a practical perspective, introducing implemented security controls and security products offered by various Cloud Service Providers, identifying potential gaps in such controls and/or products, and, last but not least, providing best practices for addressing such gaps and securing the configuration and operation of various Cloud technology solutions.

The first part of this series introduces the fundamentals of Cloud Computing.


Cloud Computing Fundamentals

In practice, Cloud Computing is a synonym for “somebody else’s computer that can be accessed and used remotely through the network”.

Even in this oversimplified model, depicted in Fig. 1, a number of security challenges arise:

1. How to ensure that the client Alice uses is trustworthy?
2. How to ensure that leaked information is session-restricted, in case the client Alice uses is malicious?
3. How to ensure that Alice is connected to the correct remote computer?
4. How to ensure that the remote computer Alice is connected to is trustworthy?
5. How to ensure that leaked information is session-restricted, in case the remote computer Alice is connected to is malicious?
6. How to ensure that the remote computer is accessible only from specific networks and machines?
7. How to ensure that the communication link is secured against eavesdroppers?
8. How to ensure that only authorized users have access to the remote computer?
9. How to ensure that authorized users have access only to their data?
10. How to ensure that Alice behaves securely while using Cloud services?
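Two of these questions can be turned directly into server-side checks, and the following Python example does so: question 6 becomes a source-network allowlist, and question 9 becomes an ownership check on every record lookup, shown next to the lookup that only authenticates and therefore lets any logged-in user read any record. This is an added illustration, not code from the article or from any provider; the networks, users and records in it are constructed, and the `Session` type stands in for whatever an authenticated request carries.

```python
"""Constructed example mapping two of the ten questions above to concrete
server-side checks: question 6 (access only from specific networks) and
question 9 (authorized users reach only their own data). Not code from the
article; every network, user and record here is made up for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed allowlist (question 6): a corporate VPN range and one jump host.
# 203.0.113.0/24 is a documentation range, so the values are obviously fictional.
ALLOWED_SOURCES = (
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.7/32"),
)

# Constructed data store: every record belongs to exactly one user.
RECORDS = {
    "doc-1": {"owner": "alice", "body": "alice's quarterly report"},
    "doc-2": {"owner": "bob", "body": "bob's invoices"},
}


@dataclass(frozen=True)
class Session:
    """What the server knows after authentication (question 8 is assumed solved)."""
    user: str
    source_ip: str


class AccessDenied(Exception):
    pass


def source_allowed(source_ip: str) -> bool:
    """Question 6: accept requests only from allowlisted networks; fail closed
    on anything that is not a parseable address."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_SOURCES)


def fetch_record_vulnerable(session: Session, record_id: str) -> str:
    """Authentication only: any logged-in user can read any record by naming
    its id, because ownership is never checked (an insecure direct object
    reference)."""
    return RECORDS[record_id]["body"]


def fetch_record(session: Session, record_id: str) -> str:
    """Question 9: the same lookup with the source check and an ownership check.
    Missing and foreign records produce the same error so that ids cannot be
    enumerated from the response."""
    if not source_allowed(session.source_ip):
        raise AccessDenied(f"source {session.source_ip} is not allowlisted")
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session.user:
        raise AccessDenied(f"{session.user} may not read {record_id}")
    return record["body"]


def is_denied(session: Session, record_id: str) -> bool:
    """Helper for checks: True when the hardened lookup refuses the request."""
    try:
        fetch_record(session, record_id)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    vpn_alice = Session("alice", "10.20.5.9")
    vpn_bob = Session("bob", "10.20.7.1")
    print(fetch_record(vpn_alice, "doc-1"))            # alice reads her own record
    print(fetch_record_vulnerable(vpn_bob, "doc-1"))   # bob reads alice's data
    print(is_denied(vpn_bob, "doc-1"))                 # True: ownership enforced
    print(is_denied(Session("alice", "198.51.100.4"), "doc-1"))  # True: off-network
```

The ownership check belongs at the data access layer rather than in the UI, because the ids are guessable and the client (questions 1 and 2) may not be trustworthy; the network check is a second, independent layer and does not replace authentication.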

Note that for a thorough understanding and analysis of security in the context of Cloud Computing, it is necessary to introduce a standard baseline that is well known and largely accepted by the community. Such a baseline regarding Cloud Computing is provided by the National Institute of Standards and Technology (NIST [8]) in the special publications 800-145 and 500-292.


Definition

Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

NIST further defines Cloud Computing by describing five essential characteristics, three cloud service models, and four cloud deployment models. In addition, the Cloud Security Alliance describes three more characteristics of Cloud Computing. They are summarised in visual form (fig. 2) and explained in detail below.

Essential Characteristics

This section introduces eight essential characteristics of Cloud Computing. While the first five characteristics are introduced by the NIST special publication 800-145, the last three are introduced by the Cloud Security Alliance.

On-demand self-service
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed, automatically and without requiring human interaction with each service provider.

Broad network access
Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones, tablets, laptops, and workstations).

Resource pooling
The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to customer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g. country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Fig 1: Simplified Model of Cloud Computing

Fig 2: Characteristics, Service and Deployment Models in Cloud Computing (essential characteristics: On-demand Self-Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service, Service Oriented Architecture, Multi-tenant capability, Pay per Use Model; service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS); deployment models: Private, Public, Community, Hybrid)


Rapid elasticity
Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

Measured service
Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the utilized service.

Service Oriented Architecture
A basic requirement for Cloud Computing, as Cloud services are usually offered over REST APIs.

Multi-tenant capability
A basic requirement for Cloud Computing, as resources are shared between different customers.

Pay per Use Model
Only the resources actually used are paid for.

Service models

Software as a Service
The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g. web-based e-mail), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

Infrastructure as a Service
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g. host firewalls).

Fig 3: Deployment of a Private Cloud

Fig 4: Deployment of a Public Cloud

Fig 5: Deployment of a Community Cloud

Deployment models

Private
The cloud infrastructure is provisioned for exclusive use by a single organisation comprising multiple consumers (e.g. business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises (fig. 3).

Public
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or governmental organization, or some combination of them. It exists on the premises of the cloud provider (fig. 4).

Community
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g. mission, security requirements, policy and compliance considerations). It may be owned, managed, and operated by one or more organizations in the community, a third party, or some combination of them, and it may exist on or off premises (fig. 5).

Hybrid
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds, fig. 6).

Fig 6: Deployment of a Hybrid Cloud

Fig 7: Reference architecture introduced by NIST

Reference Architecture

The Cloud Computing reference architecture is introduced by NIST in the special publication 500-292. This reference architecture serves to identify the major actors and their activities and functions in Cloud Computing (fig. 7).

Cloud Consumer
A person or organization that maintains a business relationship with, and uses services from, Cloud Providers.

Cloud Provider
A person, organization, or entity responsible for making a service available to interested parties.

Cloud Auditor
A party that can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.

Cloud Broker
An entity that manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud providers and Cloud consumers.

Cloud Carrier
An intermediary that provides connectivity and transport of cloud services from Cloud providers to Cloud consumers.

Fig 8: Scope Control in Cloud Computing

Scope Control

The management responsibility in Cloud Computing, depicted in fig. 8, depends on the Cloud service type and on whether the Cloud deployment is private. Thus, each Cloud Actor is responsible for implementing specific security controls throughout the life cycle of the Cloud environment.

Sources:

[1] Parkhill, D. The Challenge of the Computer Utility. Addison-Wesley Educational Publishers Inc., US, 1966.
[2] Bayramusta, M., Nasir, V. A. A fad or future of IT?: A comprehensive literature review on the cloud computing research. International Journal of Information Management, 2016, vol. 36, no. 4, pp. 635-644.
[3] Mosco, V. To the cloud: Big data in a turbulent world. Routledge, 2015.
[4] https://bigdatawg.nist.gov/Day2_08_NIST_Big_Data-Kearns.pdf, last accessed 27.08.2019
[5] https://eo4society.esa.int/wp-content/uploads/2019/04/EO4Alps_Report_Roadmap.pdf, last accessed 27.08.2019
[6] https://indico.cern.ch/event/676472/contributions/2905736/attachments/1609308/2555018/20180301_ECMWFs_IO_and_Storage_Challenges_in_the_path_to_Exascale_Numerical_Weather_Prediction.v2.pdf, last accessed 27.08.2019
[7] Avram, M. Advantages and challenges of adopting cloud computing from an enterprise perspective. Procedia Technology, 2014, vol. 12, pp. 529-534.
[8] https://www.nist.gov/

Dr. Jurlind Budurushi, Security, [email protected]


Focus

Addressing Security Challenges in Hybrid Cloud Environments

Enterprises are increasingly using hybrid environments, but this move can present risks and challenges, especially for organizations adopting DevOps. How can hybrid environment security fit naturally into development processes?

Enterprises are harnessing hybrid cloud technologies to power their digital transformation: the integration of flexibility, agility, and unique cultural shifts into business processes to enrich customer and stakeholder experience. Gartner predicts that by 2020, 90 percent of organizations will be adopting or using hybrid cloud infrastructures and services (i.e. using multiple cloud services) [1]. The hybrid cloud environment enables businesses to portably manage workload requirements by using public cloud platforms to run applications, while using the resources of private cloud infrastructures to manage the data needed to run the applications.

Hybrid cloud security accordingly has unique requirements. And given how this technology enables workloads to be run on different platforms and environments – from on-premises to private and public infrastructures – traditional and defined security will inevitably fall short. Also, with the adoption of containers and microservices, securing workloads can be seemingly complicated. For enterprises adopting DevOps, it can be especially challenging to incorporate security into an approach that focuses on rapid development and delivery across cloud instances and containers. While it helps meet tight timetables, DevOps can also run the risk of overlooking security.

Trend Micro’s Hybrid Cloud Security platform helps security teams address the challenges that stem from using hybrid environments.

The threat landscape

Today’s threat landscape can be a challenge for enterprises. In the first half of 2018 alone, 47 new cryptocurrency-mining malware families and 118 new ransomware families were seen [2]. Threats are also diversifying into infrastructures that are critical to enterprises, like web servers and application development platforms. In 2017, for instance, the Erebus Linux ransomware hit a South Korean web development company and affected 153 Linux servers and more than 3,400 businesses. The impact: over USD 1 million in losses as well as damaged reputation and a costly remediation process [3].


Indeed, cloud workloads require a security strategy that can navigate today’s evolving and ever-increasing threats. For customers’ security teams, exposure to vulnerabilities and threats translates to adverse impact on their organizations’ bottom lines. The impact is exacerbated when stacked up with stringent compliance requirements, such as the implementation of privacy by design, as mandated by the European Union General Data Protection Regulation.

For enterprises already adopting DevOps, an unsecure or vulnerable application or software can mean wasted resources, as they have to constantly rework and rebuild them to meet security and compliance requirements. Integrating security early into the development life cycle significantly reduces disruptions while helping IT and DevOps teams address security gaps or misconfigurations faster.

Thus, defense-in-depth security capabilities are needed, and they must have visibility across the application or software’s life cycle – from pre-deployment to runtime. For example, security mechanisms such as intrusion detection and prevention systems (IDS/IPS) and firewalls help thwart network-based threats and exploits, while application control deters anomalous executables and scripts from running. It is projected that by 2022, application control will be employed in 60 percent of server workloads [4]. For DevOps teams, baking security into the development life cycle means security as code. This can be achieved through scalable application programming interfaces (APIs) and scripts designed with security from the first build in order to minimize superfluous work.

Breaking up siloes

As mentioned before, more than 90 percent of enterprises will be employing a multi-cloud strategy for their workloads by 2020 [5]. And despite the increasing popularity of containers in application development, organizations will continue to use other virtualization technologies and computing platforms, like on-premises or physical software and servers, virtual machines, and even serverless infrastructures. Furthermore, many enterprises are also expected to use a combination of traditional and cloud-based services for their operations.

Figure 1: A consolidated solution with multiple security tools lowers the maintenance, budget, and overhead associated with support and operational functions. Deep Security provides API integrations to seamlessly build across leading cloud, virtualization, container and data center environments.

Incorporating security across these multiple computing platforms can pose a challenge. IT teams have to juggle different and incompatible security tools, which unnecessarily create convolution in their management. This unwanted complexity can also mean higher overhead by possibly slowing down incident response, as siloed and disparate platforms will drive security teams to manually monitor each of them. This, in turn, creates bottlenecks in incident and compliance reporting. From a DevOps perspective, siloed teams and tools create blind spots, as security may tend to be neglected (such as overlooking vulnerabilities in the code) as teams rush to deploy applications faster.

An effective security strategy thus ensures visibility into the applications and their underlying infrastructures, consistency in their security, and adaptability across various environments. Visibility across multiple environments is a major concern [6] for enterprises: it gives organizations governance over the underlying infrastructures or platforms that they use to host, run, and manage their workloads. In turn, security teams can streamline the processes for audits, compliance reporting, and risk management. Security tools should be easily integrated across various computing environments but must also be purpose-built for the platform on which DevOps teams create and deploy their applications.

Trend Micro Deep Security combines the capabilities of multiple security tools, reducing the number of point solutions and providing a single dashboard with full visibility into leading environments like AWS, Google Cloud, Microsoft Azure, and VMware. The platform lowers the cost and complexity of securing workloads across multiple environments by providing different flexible purchase options. This allows for automation of security operations, via extensive application programming interface (API) integration, and offers security capabilities that can virtually shield servers from the latest advanced threats like ransomware and network-based vulnerabilities.

Automation and agility

Automation is not just a buzzword: it has become a necessity for many organizations as they further streamline their workload processes to keep pace with a constantly changing technology landscape. Hybrid environments, through containers and other microservices, empower enterprises with the scalability needed to flexibly deploy and monitor servers or applications. And when thousands of these servers or applications need to be concurrently run or configured, automation becomes vital. Furthermore, in DevOps, automation means ensuring consistency through optimized and iterative processes, enabling companies to deploy applications faster across cloud platforms.

Figure 2: A cross-generational blend of threat defense techniques protects runtime physical, virtual, cloud, and container workloads, as well as scanning of container images in the software build pipeline. (Techniques shown: Machine Learning; IOA Behavioral Analysis & Exploit Protections; Custom Sandbox Analysis; Anti-Malware & Content Filtering; Intrusion Prevention (IPS) & Firewall; Integrity Monitoring & Log Inspection; Application Control. Safe files & actions are allowed, malicious files & actions are blocked.)

However, as organizations focus on deploying applications as fast as possible, particularly those adopting DevOps, security is being misconstrued as something that can slow down the development life cycle. A perceived lack of security adoption can be ascribed to how it is sometimes misconceived as a roadblock. [7] As businesses try to meet time-to-market deadlines, security becomes an afterthought or may even be circumvented.

Automated security tools enable organizations to integrate security into the DevOps process and toolchain (orchestration, monitoring, continuous delivery, and IT service management). This helps ensure that security is adopted throughout the development life cycle without causing unnecessary friction between development and operations teams. For DevOps teams, automated security helps accelerate life cycles while also alleviating the burden of manually testing the application for vulnerabilities or threats. It is thus unsurprising that 59 percent of surveyed organizations are automating security into their DevOps processes. [8]

Deep Security helps to defend cloud workloads, addressing the need to protect what is deployed in the cloud as part of the shared security responsibility for the cloud. It provides elastic security for dynamic workloads running in AWS, Azure, Google Cloud, and more. Deep Security’s REST APIs allow security to be integrated with existing toolsets, enabling automated security deployment, policy management, health checks, compliance reporting, and more. The supported tools include:
– Orchestration tools: Chef, Puppet®, Ansible, AWS OpsWorks, SaltStack®, Kubernetes®
– Monitoring tools: New Relic®, AWS CloudTrail®, AWS Config
– Continuous delivery: GitHub®, Jenkins®
– IT service management: ServiceNow, Jira®, Slack®

Security in hybrid cloud environments

Hybrid environments provide organizations with agility and efficiency while also reducing costs. But leaving them exposed to threats can have adverse ramifications for an organization’s bottom line, which is why securing them is of great importance. Fortunately, organizations are realizing this at an increasing rate. While incorporating security and implementing best practices into workload processes and development life cycles can be a daunting challenge, it can empower enterprises to be more resilient against threats while keeping pace with the need to innovate.

Trend Micro’s Hybrid Cloud Security solution provides streamlined and automated security integrated into an organization’s DevOps pipeline while delivering multiple cross-generational threat defense techniques for protecting runtime physical, virtual, and cloud workloads. It also adds protection for containers via Deep Security and Deep Security Smart Check, including the scanning of container images during pre-deployment and host and Kubernetes protection at runtime across cloud workloads and hybrid servers.

Figure 3: Centralized visibility accelerates incident response through intuitive dashboards and actionable insights. This is required to manage risk and meet compliance.

Focus 16

These solutions enable organizations to focus on security and compliance while still moving in the agile and adaptable world of DevOps. With multiple security capabilities and a single dashboard to grant full visibility across hybrid environments, they also reduce the number of security tools needed. Trend Micro Deep Security lowers the cost and complexity of securing workloads across multiple environments, with simple procurement and consolidated billing through the AWS and Microsoft Azure Marketplaces.

Sources

1. https://www.gartner.com/en/newsroom/press-releases/2017-04-05-gartner-says-a-massive-shift-to-hybrid-infrastructure-services-is-underway
2. https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/unseen-threats-imminent-losses
3. https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/
4. Gartner, Market Guide for Cloud Workload Protection Platforms, 26 March 2018.
5. https://www.gartner.com/en/newsroom/press-releases/2017-04-05-gartner-says-a-massive-shift-to-hybrid-infrastructure-services-is-underway
6. https://www.csoonline.com/article/3198008/hide-and-seek-security-teams-lack-visibility-in-the-cloud.html
7. https://www.wired.com/insights/2013/10/mythbusting-devops-and-security/
8. https://www.infosecurity-magazine.com/news/developers-outnumber-security-pros/

Figure 4: Security is moving left and covers the entire DevOps process with both build-time image scanning and runtime workload protection.

Hannes Steiner, Senior Director Sales

Hannes leads the German sales team at Japanese cyber-security vendor Trend Micro. He helps customers secure their infrastructures in a rapidly evolving technological environment.

Trend Micro Deutschland GmbH, Parkring 29, 85748 Garching bei München, [email protected]


The cloud is the entrance ticket to the club of agile companies, as cloud-native applications can be flexibly combined, transformed, extended and customized. However, not every company has the appropriate competencies in-house. T-Systems therefore supports companies in developing and operating cloud-native applications in the DevOps model.

The classical IT operation manuals, the runbooks, have long since fallen out of use. Why is this so? Firstly, because applications are becoming ever more complex. And secondly, because nowadays applications are never finished. There are constant changes; new functions are added on a regular basis and in rapid succession. Thus, IT executives in companies cannot rely on standard processes to resolve problems in case of a malfunction. In fact, deep know-how is required, as the complexity and rapidly changing nature of applications make a detailed examination of incidents necessary in each individual case.

The advantages of cloud native

Cloud-native technologies are used to develop applications which are packaged in containers and provided as microservices. This has the advantage that, depending on demand, they can be scaled automatically if the load increases sharply during periods of high traffic. The failure of individual services does not necessarily lead to the failure of the overall system. And last, but not least: new and changed services can go live during operation and require no downtime. Cloud-native applications are usually designed to deliver already proven and recognized business value. One example is the quick integration of user feedback as the basis for continuous improvement processes. New and existing functions can be developed, optimized and connected to each other much faster with these applications. The result is customized applications which can keep pace with the high speed of business change.

Traditional operating units are rapidly overburdened with such tasks. Moreover, developers are interested in concentrating on their core task. In addition, experience and know-how with cloud-native applications, agile process models and the interaction of development and operation are often simply missing within the scope of DevOps. Peter Reinecke, Head of Managed PaaS Services at T-Systems, says: “Ideally, agile operation and ITIL processes are combined with each other. This accelerates development as well as operation.”

Here T-Systems can help: the provider supports companies in the development as well as the operation of cloud-native applications, ensures a 24/7 service model and has the required experience with cloud-specific and agile procedures. Reinecke says: “We rely on the mixed operation teams of T-Systems to combine the different knowledge. For this purpose, we have created the role of DevOps Engineer, who acts as a mediator between development and operation for the companies.”

T-Systems has extensive experience in the cloud business, especially with Platform-as-a-Service (PaaS) and in IT operation. Thus, the provider is capable of delivering the complete range of services for cloud, PaaS, middleware and operation from a single source. This offer is flanked by the security services of Telekom and is independent of the cloud that a company specifically uses. In addition, T-Systems can bring together both worlds through its international orientation: DevOps support and consulting on site combined with operational services from distributed T-Systems locations.

Interested companies can get in contact with Peter Reinecke, Head of Managed PaaS Services at T-Systems, at: [email protected]

ADVERTORIAL

Welcome to the club!


Focus

Secure Development

In a world full of security threats and in a fully automated, fully scalable environment, security has to be one of the biggest concerns for developers. If it were not, one would not only scale one's applications, but one's security issues as well.

In this article, we look at how to avoid insecure applications from a process and automation point of view.

Security within a software development process

Security is never to be enforced by tools alone; it is a matter of mindset and approach. For cloud-native applications and within cloud environments, this holds even more true, since the nature of these applications and environments is a scaling one: if there were any security issues, they would and could be far more widespread than with traditional, monolithic applications and within traditional, more separated environments.

The traditional approach

In traditional software development environments, security is typically understood as an additional layer, an additional step to be executed just before an application is mature enough to be released. This allows the developers to focus on their code, which will be reviewed later on, with a list of security issues and findings to be compiled and eliminated.

While this might work out for smaller, monolithic applications, it will not scale for cloud-native approaches with their continuous stream of new versions and releases. As an approach, it neglects security too much by understanding it to be something additional, done by experts. Additionally, identifying and fixing issues at the end of a development process tends to be very expensive and error-prone in its own right (fig. 1).

Therefore, it makes far more sense to think differently about security and its place within a software development process.

The agile approach

Within agile and cloud-native projects, security has to be understood as something ordinary, something that is part of every iteration. Part of an agile and cloud-native mindset is to have every stakeholder involved on a regular basis. As such, security experts are stakeholders to be involved within every iteration.

In an agile environment, this involvement would imply understanding security engineers and architects to be stakeholders or experts, not an integral part of the team. This allows them either to contribute in the form of regular, planned formal reviews every two or three iterations, or to be present during defined sprints and to give feedback then. They would therefore be a part of the project without being involved all the time (fig. 2).

This approach solves a lot of issues, but is it applicable to cloud-native environments?

The short answer is: no, since it will not help with the complexity of cloud-native applications and infrastructures.

DevSecOps

For cloud-native environments and applications (but not limited to them), the above approach of working with specialists needs to be stepped up, since iterations are far shorter, new versions are deployed far more often and the whole process of handling software is more complex than ever before.

In such environments, DevOps is an improved kind of interaction between development and operations teams, allowing for far closer collaboration. Essentially, development and operations are working with each other all the time, ensuring a fast and automated transition into operations. Each side takes responsibility, acting jointly and implementing a holistic view of software and infrastructures. This allows for better time-to-market, better analysis of performance and functional issues, automated scalability and deeper integration of software and infrastructures. DevOps essentially is a mindset, to be lived and executed upon continuously.

The same holds true for security: it needs to become a mindset, and it needs to be executed upon continuously, jointly with DevOps. The term “DevSecOps” reflects this.

DevSecOps strives to implement security as part of an ongoing software development and release cycle. It implies involving security experts in development and operations processes right from the start of a project. It is a mindset, developed to prevent software development and operations processes from stalling due to security constraints. It enforces automation of security measures as well as constant involvement in the product’s development and operations streams (fig. 3).

Ultimately, DevSecOps is a matter of culture. It implies understanding security as an integral part and not as an add-on or even as something unwanted. Security needs to be understood as part of development and operations pipelines, security experts need to be an integral and continuous part of any DevOps team, and security needs to be applied automatically (fig. 4).

Fig. 1: Timeline for security involvement in a traditional environment

Fig. 2: Timeline for security involvement in an agile environment

Fig. 3: DevSecOps roles

(Figure labels: Figs. 1 and 2 show sequences of “Iteration” boxes interleaved with “Security Review” boxes; Fig. 3 shows Development, Operations and Security.)

To start with DevSecOps, a team needs to ask and answer these questions:
– What amount of security measures is required for a product?
– Which intrusion vectors exist and need to be mitigated?
– Where and how is data stored and encrypted?
– How can automation be achieved?
– How important is time-to-market compared to enforcing security, and for which software?

Answers need to be found continuously, and the questions need to be re-evaluated continuously as well. Environments and software need to be understood as standardized, automated entities. Trustworthy pipelines and processes need to be established.

Trustworthy pipelines and processes

Trustworthiness is often perceived as security on a per-container basis, such as setting up and installing virus scanners or firewalls within these environments. But frankly, this would be complete nonsense, since it would affect the performance of each and every process of the application, and since containers usually only expose HTTP or HTTPS ports. Additionally, using virus scanners and firewalls would not enforce security but actually hamper it, since these tools would require a lot of permissions and would imply even bigger security risks and concerns per se.

No, there needs to be a different approach. Security and trustworthiness within cloud-native environments on the container level need to be set up using a secure and trustworthy path for every component to be deployed. This implies:
– No use of external, unverified containers (e.g. from Docker Hub)
– No use of external, unverified registries (e.g. Docker Hub)
– No use of binary, unverified libraries for Java and other programming languages
– Each component to be used needs to be present as source code

Every built component can be stored in internal registries and repositories, but the only entrance into an environment is as source code. Base container images and external components being referenced need to be managed and approved by a team responsible for assessment only, involving security, development and infrastructure experts. The rule of thumb is: if it is not approved by that team, it does not exist for the developer.

Within an environment, each and every build and deployment step needs to be executed in an automated way; there is no such thing as doing it by hand. A CI/CD pipeline needs to exist, usually set up using tools such as Jenkins CI or CloudFoundry.

Code to be used within the environment is only built, tested and deployed by these tools, not by the developer. Compiled code never leaves the developer’s private environment from the system’s perspective; only source code is pushed into a repository and picked up from there by the CI/CD pipeline.

This pipeline then builds code only once, storing generated artifacts and container images in their respective repositories. The same artifacts are deployed onto each and every environment; configuration differences are applied by external mechanisms, such as environment variables (fig. 5).
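The build-once rule above, as an added Python example that is not code from the article or from any product it mentions: a small model of a pipeline that is the only builder, content-addresses each artifact, promotes the same digest to every environment and supplies environment-specific settings from variables rather than from a rebuild. The `Pipeline` class, the `APP_*` variable names and the two environment definitions are assumptions constructed for the example.

```python
"""Build-once, deploy-everywhere gate (added example, not the article's code).

Models three rules from the text: the CI/CD pipeline is the only thing that
builds code, an artifact is built once and promoted unchanged to every
environment, and per-environment differences come from environment variables.
Artifacts, environment names and settings below are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Mapping, Set


class NotBuiltByPipeline(PermissionError):
    """Raised when a digest the pipeline never produced is offered for deployment."""


@dataclass
class Pipeline:
    built: Set[str] = field(default_factory=set)            # digests this pipeline produced
    deployed: Dict[str, str] = field(default_factory=dict)  # environment -> digest

    def build(self, source: bytes) -> str:
        """The single build step: content-address the artifact and record it."""
        digest = "sha256:" + hashlib.sha256(source).hexdigest()
        self.built.add(digest)
        return digest

    def deploy(self, env: str, digest: str, settings: Mapping[str, str]) -> Dict[str, str]:
        """Promote an artifact the pipeline built; anything else is refused."""
        if digest not in self.built:
            raise NotBuiltByPipeline(f"{digest} was not built by the pipeline; refusing {env}")
        self.deployed[env] = digest
        # Settings travel beside the artifact (as environment variables), never inside it.
        return {"environment": env, "artifact": digest, **settings}

    def promoted_consistently(self) -> bool:
        """True when every environment runs the identical artifact."""
        return len(set(self.deployed.values())) == 1


REQUIRED_SETTINGS = ("APP_DB_HOST", "APP_LOG_LEVEL")  # hypothetical variable names


def settings_from_env(environ: Mapping[str, str]) -> Dict[str, str]:
    """Read per-environment configuration; fail loudly instead of falling back
    to a value that would have to be baked into the artifact."""
    missing = [name for name in REQUIRED_SETTINGS if name not in environ]
    if missing:
        raise KeyError(f"missing environment variables: {missing}")
    return {name: environ[name] for name in REQUIRED_SETTINGS}


# Constructed environment-variable sets for two environments.
STAGING_ENV = {"APP_DB_HOST": "db.staging.internal", "APP_LOG_LEVEL": "debug"}
PROD_ENV = {"APP_DB_HOST": "db.prod.internal", "APP_LOG_LEVEL": "warning"}


def promote_through_environments(source: bytes) -> Pipeline:
    """Build once, then deploy the same digest to staging and production."""
    pipeline = Pipeline()
    digest = pipeline.build(source)
    for env, variables in (("staging", STAGING_ENV), ("prod", PROD_ENV)):
        pipeline.deploy(env, digest, settings_from_env(variables))
    return pipeline


def deploy_allowed(pipeline: Pipeline, env: str, digest: str, variables: Mapping[str, str]) -> bool:
    """Return False when the gate refuses the digest (e.g. a developer-built binary)."""
    try:
        pipeline.deploy(env, digest, settings_from_env(variables))
    except NotBuiltByPipeline:
        return False
    return True


if __name__ == "__main__":
    p = promote_through_environments(b"constructed source tree")
    print("same artifact everywhere:", p.promoted_consistently())
    print("developer-built binary accepted:",
          deploy_allowed(p, "prod", "sha256:" + "ab" * 32, PROD_ENV))
```

The gate keys on the content digest rather than on a version label, so a binary compiled on a laptop cannot be passed off as the pipeline's build even if it carries the same name.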

Permissions for developers and operators are another aspect of a trustworthy environment. Usually, most developers (and operators) claim god-like permissions for themselves, since they feel they understand the environments and need to be in charge. But this is the completely wrong direction: developers only need user privileges, and their software and services are not supposed to have more permissions than required for getting the job done; even this needs to be reviewed and checked upon. This holds true for software running in traditional environments as well as for software running inside containers. As a rule, root access or elevated privileges for software should be subject to upfront investigation and a critical reception; initially, they should simply be denied!
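The component and permission rules above (no unverified images or registries, no more privileges than the job needs, root denied by default) as one added Python example, not the article's or any vendor's code: a policy check over a Kubernetes workload manifest that has already been parsed into dictionaries, so it runs with the standard library alone. It goes slightly beyond the text by also requiring images to be pinned by digest; that requirement, the approved registry host and the two sample manifests are assumptions constructed for the example.

```python
"""Admission-style policy check for a parsed Kubernetes workload.

Added example, not the article's code. Encodes the article's rules (no images
from unverified external registries, least privilege, root denied by default)
as findings over a Deployment that has already been parsed into dicts.
Digest pinning is an additional requirement assumed for this example.
"""
import re
from typing import Any, Dict, List

APPROVED_REGISTRIES = {"registry.internal.example"}  # hypothetical internal host
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
DEFAULT_REGISTRY = "docker.io"                       # where bare names resolve


def registry_of(image: str) -> str:
    """Return the registry host an image reference resolves to.

    Docker's rule: the first path component is a host only if it contains a
    '.' or ':' or is 'localhost'; otherwise the reference resolves to Docker Hub.
    """
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def check_image(image: str) -> List[str]:
    findings = []
    if registry_of(image) not in APPROVED_REGISTRIES:
        findings.append(f"{image}: not from an approved internal registry")
    if not DIGEST_RE.search(image):
        findings.append(f"{image}: not pinned to an immutable sha256 digest")
    return findings


def check_container(container: Dict[str, Any], pod_sc: Dict[str, Any]) -> List[str]:
    name = container.get("name", "<unnamed>")
    findings = check_image(container.get("image", ""))
    sc = {**pod_sc, **container.get("securityContext", {})}  # container overrides pod
    if sc.get("privileged"):
        findings.append(f"{name}: privileged container")
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"{name}: root not denied (runAsNonRoot missing or false)")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"{name}: allowPrivilegeEscalation not set to false")
    added = set(sc.get("capabilities", {}).get("add", []))
    if added:
        findings.append(f"{name}: adds capabilities {sorted(added)}")
    return findings


def check_manifest(manifest: Dict[str, Any]) -> List[str]:
    """All findings for every init and app container of a workload manifest."""
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod.get("securityContext", {})
    findings: List[str] = []
    for container in pod.get("initContainers", []) + pod.get("containers", []):
        findings.extend(check_container(container, pod_sc))
    return findings


# Constructed "before": pulls an unverified public image and runs privileged.
DEVELOPER_DRAFT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "nginx:1.17", "securityContext": {"privileged": True}},
    ]}}},
}

# Constructed "after": internal, digest-pinned image with least privilege.
HARDENED = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "web",
            "image": "registry.internal.example/web/nginx@sha256:" + "0" * 64,
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    }}},
}

if __name__ == "__main__":
    for label, manifest in (("draft", DEVELOPER_DRAFT), ("hardened", HARDENED)):
        print(label, check_manifest(manifest) or ["no findings"])
```

A bare reference like `nginx:1.17` carries no registry host, so it silently resolves to Docker Hub; that is exactly the unverified external source the article rules out, and the check treats it as such rather than as a neutral default.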

As for operators, direct SSH access to environments and infrastructures needs to be denied as well. Configuration changes need to be scripted, versioned and rolled out automatically. Manual operations, manual adjustments and manual fixes need to be denied; every change and every addition to an environment is to be executed in a scripted, documented way. Permissions for scripts to be executed need to be as low as possible, and passwords need to be eliminated: only SSH keys (deployed automatically) are allowed for accessing infrastructures. Tools such as Ansible and Terraform are to be used extensively instead of relying on manual approaches. Centralized real-time logging is to be set up, and operations need to be executed automatically utilizing this real-time data, instead of manually using dashboards and interpreting log file entries.

Fig. 4: DevSecOps timeline

Ultimately, this most often implies a completely new approach to how environments are handled and operated, marking a change from manual operations towards an automated approach. But it is worth the effort, since it eliminates many of the traditional security and trust issues within operational environments.
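The "passwords need to be eliminated, only SSH keys are allowed" rule from the operator paragraph, as an added Python example that is not the article's code: an audit of an `sshd_config` that reports every keyword whose effective value (set or OpenSSH default) still permits a password or root login. The sample configurations are constructed; the limits to the global section and the omission of `Include` handling are assumptions of this example.

```python
"""Audit an sshd_config for key-only, non-root access (added example, not the article's code).

Checks that password and keyboard-interactive logins are off, empty passwords are
refused, root login is denied and public-key authentication is on. When a keyword
is absent the OpenSSH default is assumed. Assumed limits of this example: only the
global section is evaluated (the audit stops at the first Match block) and
Include directives are not followed.
"""
from typing import Dict, List

# keyword -> (value the policy requires, OpenSSH default when the keyword is unset)
POLICY = {
    "passwordauthentication": ("no", "yes"),
    "permitemptypasswords": ("no", "no"),
    "kbdinteractiveauthentication": ("no", "yes"),
    "permitrootlogin": ("no", "prohibit-password"),
    "pubkeyauthentication": ("yes", "yes"),
}
# Older spelling of the same keyword, still accepted by sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text: str) -> Dict[str, str]:
    """Return the global settings sshd would actually use.

    sshd keeps the first value it reads for a keyword, so a later, stricter
    line does not override an earlier, weaker one.
    """
    settings: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment lines and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        if keyword == "match":
            break                             # conditional section: out of scope here
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings


def audit(config_text: str) -> List[str]:
    """List every policy violation and whether it stems from a set value or a default."""
    settings = effective_settings(config_text)
    findings = []
    for keyword, (wanted, default) in POLICY.items():
        actual = settings.get(keyword, default)
        if actual != wanted:
            origin = "set" if keyword in settings else "default"
            findings.append(f"{keyword} is '{actual}' ({origin}); policy requires '{wanted}'")
    return findings


# Constructed sample configurations (not taken from any real host).
DISTRO_DEFAULT = """\
# PasswordAuthentication left commented out, so the default 'yes' applies
#PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
"""

FIRST_VALUE_TRAP = """\
# The first line wins: the 'no' below never takes effect
PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
KbdInteractiveAuthentication no
"""

KEYS_ONLY = """\
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("distro default", DISTRO_DEFAULT),
                       ("first-value trap", FIRST_VALUE_TRAP),
                       ("keys only", KEYS_ONLY)):
        print(name, "->", audit(text) or ["compliant"])
```

Reporting the origin of each value matters in practice: a commented-out `PasswordAuthentication` line looks harmless in a diff but leaves the permissive default in force, and the first-value rule means an audit that only greps for `PasswordAuthentication no` would pass a file that still accepts passwords.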

DevSecOps and trustworthiness – a good start!

The measures depicted allow for greater trustworthiness and higher security. If applied in conjunction with a DevSecOps process, they make for a lean and secure solution.

Obviously, they can only be a starting point, since each organization has its own needs and requirements which need to be brought into the overall picture as well.

A complete approach to a secure environment would emphasize even more aspects, such as data management, data security, encryption and SSL termination, update cycles of the base container images and components being used, a proactive approach to security issues including penetration testing and monitoring of security bulletins, intrusion detection, and very strict rights and permission management.

The main takeaway is this: security starts with processes and the trustworthiness of the code to be run in environments, but it does not end there at all. It is an ongoing process, including a lot of stakeholders and many aspects to be considered, and it needs to be executed upon from the very start of a software and infrastructure development project. If applied later on, it gets expensive and unmanageable, bringing far more challenges and complexity than when it is set up from the beginning.

And ultimately: it is a matter of mindset and approach, which needs to be understood as a strategic aspect of each project, so that it cannot be ignored or treated as an add-on.

Fig. 5: A CI/CD-pipeline

Karsten Samaschke, Co-Founder and CEO of Cloudical, [email protected] / cloudexcellence.io

CLOUDICAL


INTERVIEW

We need to create a secure culture

Interview with Birgit Hess

Birgit Hess is the Cloud Security Awareness Lead Europe at SAP. A very interesting title, but what does it entail, and what can we learn from her?

I had the opportunity to check in with Birgit Hess after her participation at the SAP data kitchen in Berlin and ask a few questions.

What is your current role and what does it entail?

My current role is Cloud Security Awareness Lead Europe. The role means that I raise awareness for security and support our sales team in how we make the cloud business secure, so they can pass this on to the customers.

But I also talk to the customers directly. For clients who are new to the concept of cloud, it can be a lot of information to take in. They often feel hesitant and need to know how we make the cloud services secure and protect their data.

I sometimes call myself a translator for the cloud security topic. Someone who stands between the customers’ language and the language of the regulations and technological terms.

I also provide the enablement for our presales team. They are the technical sales people who give the demonstrations of the solutions and explain the functionality and features to our customers.

Additionally, I give speeches, inside as well as outside of SAP. My speeches aim to raise interest and awareness around the different aspects of security. I find this topic very interesting and I want others to see that too.

Let’s go back a little. How did you end up in this role? Was it something that you aimed for or was it something that you discovered along the way?

I actually stumbled over the topic. Originally, I am a bioengineer, which gives me an advantage, as it helps me to think in structures and processes. When I was working in presales for solutions for our cloud business, I received a lot of questions about technical measures around security.

From there I started to get curious and decided to educate myself in the field. Within the SAP network there is a lot of expertise available at your fingertips. So, I simply reached out and met someone very passionate about this topic. They started to train me and soon enough I fell in love!

Can you share with us what it is that you do and what a typical day looks like to you?

I have to say that I have no typical day. And for that I’m thankful, since I’m easily bored without new tasks. Instead my job is very diverse. I often handle the requests from our sales team. That can be questions regarding solutions or details for the contracts. The actual contracts are handled by the legal department, but for the technical details I can assist and describe how we implement the requirements.

I give several presentations and I get invitations to speak internally and externally. Also, I get asked to participate in panels. Or sometimes I just get pulled into internal projects for awareness strategies or communication topics. Always new approaches and aspects to take care of!

What would be your advice to someone who would be interested in getting where you are but is not really there yet?

Don’t be scared. As you can see, I was completely outside of this role myself. Start by using the tools around you. In my case I had the luxury of having several experts inside my company, but if you don’t, there are a lot of opportunities to join networks, read articles and ask around. People with knowledge are often passionate about their topic and want to share.


What have been the most career-defining moments that you are the proudest of?

For me there have been three milestones where I felt that I wanted to be there and that I was going in the right direction.

The first one was when I first started to learn about the data security topic and talked to my colleagues, who gave me their positive feedback: “You got that right! It is complex, but you got it.”

I realized that I could actually pick this up and that I was good at it. My ability to organize and structure my thoughts served me very well.

My second milestone was the DSAG (German SAP User Group) conference where I was the moderator. Two days with over 2000 experts on data protection and privacy gathered to discuss all about the topic. During the conference I felt that I had a lot to learn, but I also realized that I knew more than I thought. Afterwards, I again received positive feedback. The participants told me how they appreciated a moderator who knew so much about the topic and was well trained within it, and that I really could give a good view for the Q and A section. This gave me confidence. Even being measured together with these experts, I felt confident within my topic.

And the third one was last year when I had the honor to be invited to the Ada Lovelace Festival in Berlin. I gave a workshop on my favorite topic, “I have nothing to hide”.

There I managed to inspire people to a topic that they thought was going to be dry. In their feedback I was told that they were surprised that there were so many things that they sim-ply weren’t aware of, but also that learning more about data protection can be entertaining.

To engage my listeners I make sure to use real-life examples that can occur in our everyday life rather than make it too academic. That communicates clearly that it is real, and that we need tools to handle the topic. I also discuss the fact that we need to better understand the technology that we use. For example, how to manage security settings on our laptops, home networks or mobile devices. For many of us this is new, especially since the vast majority didn’t learn this in school.

Therefore, I also give workshops for parents and kids together. The parents feel hesitant about the security but do not always understand the technology, while their kids understand the technique but may lack fear. Often the parents have a gut feeling, but not all have the explicit examples of why there is a reason to be careful with your data. I provide a joint language for the parents and the kids together to help them set their rules and to understand the need for caution.

So, looking at this a bit more generally: what is security to you and where is it needed?

Security is the core of our digital future. We have to treat it with care, and we have to understand that if we don’t, there can be high risks to our business and to our society. At SAP we realized that a long time ago and we do a lot of things to ensure that our company is as safe as possible. There is no place where it isn’t needed.

For me personally it is the best place to be right now. It is my favorite place!

We now experience changes on a daily basis. And therefore, we can no longer close our eyes, cross our fingers and hope for the best.

How do we need to approach security in everyday life, as a company and as individuals, especially for the usage of cloud?

For companies it is important to have a really strong security strategy.

At SAP we have a security vision that I like: “We continue to drive security into the heart of the application and to excel in secure collaborations for ultimate protection of content and transactions to efficiently help the customers to define, plan and execute measurements for their secure digital transformation.”

It basically says that we drive this from within ourselves, and that way we want to ensure we make it as secure as possible for the customer. We use three pillars: secure product, secure operation and secure company.

For our products we want security by default, where we aim for zero vulnerability. Where everything is set up as secure as possible from the beginning. We have the data of the customer, we do the transactions, but we don’t want to know anything about the data. This is about the architecture.

The second pillar focuses on how to operate. And this is a change. In the past we sold the product and the customer was responsible for running everything securely. But with the cloud we have a shared responsibility. We have to ensure that we have infrastructure, secure networks, and all our partners need to be a part of this secure ecosystem. We want them to run their operations and systems as safely as we do.

To make this complete we have a third pillar: secure company.

We need to create a secure culture. This is key, not only for SAP but for every company. Everyone needs to get involved and realize that there is no gatekeeper at the end of the chain who can protect the whole company. I like to use the image of one single person with a snow cannon at the end of a glacier trying to stop global warming. That is not going to work.

For individuals, I urge you to slow down and think. With very basic awareness you cover a lot of threats. A lot of people already have a gut feeling that they unfortunately ignore. Think before you click. Read before you agree to additional links and popups. Take your time to do research. Even just a short one can be very useful.

My tip that I give to people in my surroundings is: don’t share too much about yourself. Don’t make yourself a target. Maybe send your whereabouts to the people that you want to communicate with in an email rather than a public post. Think about whether it is worth it.

When it comes to cloud usage we need to see to our mindset and change the approach. A lot of companies, when they take their first steps into the cloud, struggle because they try to transfer their current habits of running their current IT system into the cloud. That is very difficult. At the point where they are doing it all themselves, there is a feeling of control. So, once they start to hand over to someone else, they experience that they are giving up that control. Therefore, they have to make the decision if this is something they want. But then there is a huge advantage if you have a good cloud provider with capacity, knowledge, bandwidth and experts. Business owners today are up against a huge wall of regulations and threat landscapes. A cloud provider can step in and handle this. And once the companies start to see that it is not about losing control but sharing the responsibility, they also start to see that the right cloud provider is a big advantage to them. And that is the core, that is what cloud should be.

What are the biggest myths about security? What misconceptions are you running into the most?

For individuals I hear “I have nothing to hide” or “My life is so boring, why would anyone care?” But the information is out there and can be misused, we have to think about the results.

From a company perspective a very common one is: “IT and security will fix it.” But as I mentioned earlier, this is not enough. Everyone needs to contribute and stay alert.

What changes and challenges are you seeing?

Everything is getting more professional. It is getting easier to steal data than cars. The scale is also getting bigger. The criminal activity is no longer single hackers that are working alone, but organized crime. The nature of threats is changing on a daily basis.

New regulations are popping up everywhere and they as well are more complex. Getting people up to date with this is a big challenge. We need more talent for this and so does the whole industry. Not being up to date will not only open up a risk towards illegal threats. Companies who are not making sure to handle their data properly in alignment with the GDPR also risk severe legal consequences.

How do you at SAP keep your employees up to date? Regular as well as security staff?

We have mandatory training sessions. For our awareness team but also for all our employees. Everyone needs to know how to handle the threats as well as their obligations.

A popular way to educate is to gamify. At SAP we have created a virtual escape room. In order to get out of it, our coworkers have to answer security questions and solve security puzzles. We have had a lot of good feedback for this. We have also arranged a hacker competition where SAP coworkers from all over the world work together to hack simulated situations. During these sessions the participants can share their knowledge and upskill each other. This is a good way to strengthen the awareness, the skills and the teamwork while having fun.

Is there anything you want to add before we round up?

Security is important, it is a shared responsibility for everyone. And don’t forget that this is a fun and exciting field to work within. We certainly need more diversity.

There is still a lack of balance so I would be happy to see more females as well as people from different intellectual and cultural backgrounds approaching the topic. If you are currently in another field, you can always join in. Regardless of your background you can keep on learning. So, don’t worry if you are not an expert yet.

Thank you so much for participating!

The interview was conducted by Emelie Gustafsson.

Cloudical

PROJECT LEADERSHIP

Global Strategic Alliances in the IT Ecosystem

A complex and powerful step towards success

In the fast-moving world of cloud technology business, partnership announcements are a firm component of the daily news stream. On the surface, all these carefully crafted press releases seem to indicate a sustained integration of market players. On closer examination, however, you’ll find that many conveniently coined “partnerships” or “strategic partnerships” are in fact sales agreements. Everybody wants to make money; hence a reseller partner sells a given product. Even though expanding the channel organizations across different regions or serving a variety of customers may well support strategic business objectives, both modes of cooperation are straightforward and may not deserve puffing terminology. In fact, the ubiquitous use of it should make us wonder what Partnership or Strategic Alliance could really be and what can be gained from it, for cloud businesses and clients alike.

To be upfront about it, there are various contexts and cases in which Global Strategic Alliances create an impact far beyond distribution agreements. We all work in an increasingly complex technology ecosystem that is confronted with an endless sophistication of customer requirements and expectations. One-dimensional cooperation alone will not be enough for a company to survive, or even grow its revenue in the future. Successful players in the cloud arena must adopt more sophisticated modes of collaboration that allow them to solve the most complex challenges. A big hand for Strategic Alliances!

Laurel Delaney states that Global Strategic Alliance means “joining forces with another company of similar size and market presence that is located in a foreign country where you are already doing business or would like to.”[1] That seems rather narrow. Is it really the similarity in company size that makes an alliance global, strategic and successful? And does it necessarily need to be business in a foreign country, only because it is “global”? And why can it be important for modern tech companies to join forces at all?

Joining forces with another company to close gaps

Delaney gives the reader a more classical view on Global Strategic Alliances, when writing: “A global strategic alliance is usually established when a company wishes to edge into a related business or new geographic market, particularly one where the government prohibits imports in order to protect domestic industry. Alliances are typically formed between two or more corporations, each based in their home country, for a specified period of time. Their purpose is to share in the ownership of a newly formed venture and maximize competitive advantages in their combined territories.”[2]

But a Global Strategic Alliance is way more than that, and way more complex. A Global Strategic Alliance should usually be established when two companies find a deficit in any area of their organization or work. This could be in any part of their business, e.g. in a strategic way or based on a lack of knowledge or expertise in a different area, or of course in a different geographical market. However, it can be in the same geographical market; just think of two smaller companies forming an alliance to have a better standing against a big, dominating competitor.

This is especially true for tech companies. The IT world has become much more complex and diverse during the last decade. Release cycles, updates, new technologies etc. changed at an increasing speed and evolved into ever more specializations. (In this regard, IT seems not much different from science.) No single organization can effectively manage this dual challenge of speed and specialization. A good example is the whole Kubernetes ecosystem. It came up five years ago and the first KubeCon CloudNativeCon, held by the CNCF[3] in November 2015, had fewer than 1,000 participants. Now, the numbers go up to 8,000 for the US conference and there are more than 2.66 million contributions and more than 56,000 contributors on this technology.[4] Additionally, more and more companies are offering their expertise in this technology to their customers, on many different occasions. It is available for the container services of the big hyperscalers such as Azure, Google, AWS and others, but also used by middleware providers like SUSE, Red Hat etc. And Kubernetes is only the roof under which many other technologies and projects are developing – and it is only one example of the whole ecosystem of the IT and digital world becoming more and more complex.


Customers’ needs become more complex

Thus, the customer is also in the situation that their IT is becoming more and more complex and less comprehensible; they certainly cannot keep an overview of the speed and technical changes anymore. Therefore, customers expect their service providers and vendors to reduce complexity by working together and providing integrated solutions, as it is done by SUSE and SAP, NetApp and Red Hat and others. Of course, companies like AWS try to give their clients “the whole package”, where customers can buy all kinds of services from a single source. But that also means a huge risk of vendor lock-in for the customer. The solution for many tech companies is to establish alliances, to form cooperations, to cover their own gaps, to offer clients a better solution and better conditions with joint forces and of course to grow in areas where growth alone would not be possible: “…large enterprises typically want to deploy multiple or layered technologies to address their specific data analysis and management needs,” says Mark Dendinger, CEO of 3V Solutions.[5] This does not necessarily have to be between companies of the same size or in different geographical areas any more; even competitors can form alliances, as Nokia and Microsoft did: “By using their complementary strengths and expertise, these potential competitors thus ensure their mutual survival in the new global mobile ecosystem and marketplace.”[6]

This is also true for companies of very different sizes: the tech world in particular has many startups, moving very fast and offering new and very dynamic solutions. Thus, there are of course the big cooperations like Red Hat and SAP: “By complementing Red Hat’s open hybrid cloud technologies with SAP’s powerful portfolio of data platforms, we, along with our vast, experienced partner networks, can deliver high-performing, enterprise-class solutions that help solve true business problems.”[7] But there are also alliances between companies of different size, range and revenue, such as Cloudical and SUSE, or Aiven, who is partnering with GCP.

Collaboration as a tool

The whole Global Strategic Alliance network is, by any means, far more complex for modern tech companies than just “joining forces with another company of similar size and market presence that is located in a foreign country where you are already doing business, or would like to.”[8] Firstly, a company has to define its own meaning of strategic. SUSE, for example, “works with partners around the globe to develop solutions that help organizations run more efficiently and cost effectively. SUSE’s global ecosystem of partners includes solution providers, system integrators, and resellers who build, sell, and implement customer solutions using SUSE technology.”[9] And Melissa Di Donato, CEO of SUSE, states: “What is unmistakable is our unlimited ability to deliver value to our community, customers, partners and shareholders – all of whom have been the bedrock of SUSE’s success”[10], meaning that without partners, the success of modern tech companies like SUSE would not be what it currently is. When having a look at the partner sub-page of SUSE, one will find proof of this: there are 10 subcategories of possible partnerships. Of course, one finds resellers, a partner level most license-selling companies have. Moreover, SUSE has solution provider partners, training partners, hardware partners etc.[11] Another example: Red Hat. They divide their partners into “technology” and “business partners”[12] and offer different tiers to their partners. Companies like SUSE, Red Hat and others in the tech field have understood that building a Global Strategic Partner ecosystem will help them not only to join forces in another country, but also to close a gap or deficit. They are hiring external staff from partners to be able to deliver a project, or they even enable their own sales team to get ready for the market and launch new products.

And last but not least, collaboration can be a useful tool to survive in an extremely fast-moving ecosystem and to stand at least a chance next to the very big companies that swallow the smaller ones. Especially having an eye on the smaller ones, the startups, can be very interesting and useful: “The thing is now, … it’s about competing with the small nimble start-ups who move incredibly fast. I am always keeping an eye on the founder community, the start ups, before companies even come to market.”[13] But why only see them as competitors? They surely can become very helpful Global Strategic Alliances as well - helpful strategic partners to survive and grow business in a very complex and fast moving technology ecosystem with growing and diverse customer requirements and expectations; not only by establishing reseller agreements.

Sources

1. Delaney, Laurel: Advantages and Disadvantages of Global Strategic Alliances (https://www.thebalancesmb.com/global-strategic-alliances-advantages-and-disadvantages-1953552, accessed on August 5th 2019)
2. Delaney, Laurel: Advantages and Disadvantages of Global Strategic Alliances (https://www.thebalancesmb.com/global-strategic-alliances-advantages-and-disadvantages-1953552, accessed on August 5th 2019)
3. CNCF = Cloud Native Computing Foundation
4. Numbers are from the keynote speech at KubeCon Barcelona by Cheryl Hung, Director of CNCF Ecosystem.
5. Mark Dendinger, CEO of 3V Solutions: https://www.redhat.com/en/partners/strategic-alliance/sap (accessed on August 5th 2019)
6. Delaney, Laurel: Advantages and Disadvantages of Global Strategic Alliances (https://www.thebalancesmb.com/global-strategic-alliances-advantages-and-disadvantages-1953552, accessed on August 8th 2019)
7. Arun Oberoi, Executive Vice President, Global Sales and Services, Red Hat. Source: https://www.redhat.com/de/about/press-releases/red-hat-deepens-collaboration-sap-sap®-data-management-portfolio-launches-red-hat-enterprise-linux-sap-hana® (accessed on August 5th 2019)
8. https://www.thebalancesmb.com/global-strategic-alliances-advantages-and-disadvantages-1953552 (accessed on August 5th 2019)
9. https://www.suse.com/de-de/partners/find-partner/ (accessed on August 5th 2019)
10. https://www.suse.com/c/news/melissa-di-donato-appointed-ceo-of-suse/ (accessed on August 5th 2019)
11. https://www.suse.com/de-de/partners/ (accessed on August 5th 2019)
12. https://www.redhat.com/de/partners (accessed on August 5th 2019)
13. https://www.theupgroup.com/news-insight/2019/2/27/commercial-interview-melissa-di-donato-sap (accessed on August 5th 2019)

Julia Hahn

Director of Global Strategic Alliances

[email protected]

Cloudical

PROJECT LEADERSHIP

Agile Transformation for small- and medium-sized enterprises: first steps

Digital transformation is generally understood as the digitization of a company’s business processes. In this context, agile transformation is the adaptation of the work methods and tools needed for running the digitized company and leveraging the potential of the digital transformation: becoming more efficient, effective and customer friendly. From an operations perspective, such an adaptation enables a company to process digital input and to produce digital output, satisfying customers’ needs in the best possible way (Fig. 1).

Many small- and medium-sized enterprises (SMEs) struggle with the digital and agile transformations. This is often due to the assumption that Scrum is for start-ups and incubators only. But what really causes the frustration are the greenfield approaches to agile methods copied from start-ups, along with an all-or-nothing attitude that, unfortunately, the Scrum Guide seemingly promotes for the innocuous reader: “Scrum’s roles, events, artifacts, and rules are immutable and although implementing only parts of Scrum is possible, the result is not Scrum. Scrum exists only in its entirety and functions well as a container for other techniques, methodologies, and practices.” (Schwaber, Ken/Sutherland, Jeff (2017): The Scrum Guide™, p. 19)

Fig. 1: The agile approach seen from an operations perspective (Digital input → Agile methods and tools → Customer-friendly output)

In practice, following Scrum to the letter is much less important than finding work methods that fit the company, its business, and the people who work there. This requires a thorough analysis, leading to a deeper understanding of the way departments and people previously interacted and completed their tasks. In the following, this will be illustrated based on the experience from several recent consulting cases.

The customer in question might be a family business in a traditional industry. The in-house IT comprises about 50 people. It has only recently been established as a single department under a newly-hired department head. Before that, there had been two sub-departments: one responsible for the IT infrastructure as well as software development, and the other acting as a kind of project and requirements management (PRM). The latter sub-department occasionally turned over development tasks to a long-standing supplier. As a particular challenge, all new features and change requests had to be implemented on a system that worked according to mainframe logic. There were a lot of interdependencies between different sections of code and databases, and this made it highly likely for even the smallest modifications to produce system-critical errors.

By the time the consulting mandate started, the entire IT was considered completely unproductive by the other departments and the management. Interviews with management and staff confirmed the assessment, and also shed light on what was causing the problem. It turned out that even the tiniest modifications of the software, which other companies would classify as high priority change requests, took an average of 6 weeks to complete. In addition, many demands made by the specialist departments had been waiting to be implemented for more than a year. Even worse, when a demand had finally been implemented, no one in the relevant department remembered why the change had become necessary in the first place. As a formal approval process was lacking, virtually none of the modifications asked for ever went live.

The causes of the IT’s perceived inability to deliver became very clear during the discussions with staff: even the smallest tasks were labelled as “projects”; at the same time, no employee knew what a project really was, let alone what made it different from a change request. The same was true for the specialist departments, and for the management. There was no formal process for initiating a project or asking for a change request.

As a result, all tasks were initiated the “Hey-Joe” way: employees from the specialist departments simply passed their demands on to someone from PRM, be it by e-mail, a casual phone call or a chat over lunch. Prioritization was by hierarchy only, so that the owners could overrule any task IT was working on in no time. None of the demands underwent any detailed analysis regarding their usefulness and technical feasibility, nor were they prioritized based on any conceivable criteria. Ultimately, both the way the IT department received its input, and the way it delivered its output, were severely disturbed. This explained the general impression of IT’s inability to deliver (Fig. 2).

To counter this unsatisfactory state, the consulting team decided to cautiously introduce some puzzle pieces from agile approaches. Clearly, much of the problem hinged on the fact that requirements were not transmitted in a comprehensible and comprehensive manner. Also, responsibilities were not clearly assigned, as mirrored in the RACI matrix below (Fig. 3). The same few employees from the PRM sub-department were usually ascribed the “Responsible” role, whereas the whole amorphous team doing infrastructure and software development was seen in a subordinate role. Executives, on the other hand, were not “Responsible” in the perception of the interviewed employees but were frequently classified as “Consulted”. This was one of the causes for requirements to become inflated.

Agile methods offer the advantage of making transparent the links between requirements and their implementation, as well as the responsibility of individuals and teams. In the case presented here, it was particularly important to emphasize responsibilities. Up until then, nobody had ever thought about footing the bill caused by their respective demands. To put an end to the “Hey-Joe-hierarchical” approach, executives and managers were made aware that they had to describe what they wanted in a comprehensible way and estimate the prospective business value of their demands.

Fig. 2: Disturbances on the input and output sides of the process lead to the almost complete inability of the IT to deliver (Digital input → Agile methods and tools → Customer-friendly output)

Scrum and user stories come into play here. After lengthy but ultimately fruitful discussions with the management, the consultants received permission to introduce a kind of check-list, which all departments should use when transmitting new tasks to IT. A person from the PRM sub-department was installed as point of contact, whose job it was to act as a kind of overall Product Owner (PO) for the central (mainframe-like) IT. Note that this person’s primary task is not technical at all. She is supposed to help fill in the check-list and formulate user stories based on the information given, and to facilitate a meeting we called Round Table.

For Scrum experts, this was nothing more than Planning Meeting 1, and the consultations with the Product Owner were actually backlog grooming and story estimation. One observation from many consulting cases, however, is that agile terminology often meets with resistance in more traditional companies. Poor knowledge of English is often volunteered as a reason, but an underlying desire to set oneself apart from the start-up hipsters in the hotspots of the New Economy may well be at play, too.

As might be expected, management needed a certain amount of support to transition to the new way of working. The same was true of the newly appointed PO, who had to get used to the new role as an adviser and facilitator. To meet this need, in addition to extensive on-the-job coaching, off-the-job trainings are very helpful. They foster the further development of necessary methodological and personal competences, and show the potential of agile methods outside employees’ concrete working contexts. A company reaching for an agile transformation should train as many employees as possible – from the shop floor up to the management level – to implement agile methods. This way, employees can drive change from within, ultimately reducing the need for external consulting.

The first Round Table was a success. Based on the check-list, user stories were formulated. The participating managers quickly grasped the need to make the costs and benefits of a requirement transparent. From the magic wallpaper and cards that acted as the newly-installed Scrum board, they also saw with their own eyes why prioritization was an absolute necessity: the software development team (who we named “agile team – at”) had limited capacity and needed an indication as to which requirements were the most important.

Following the Round Table, the agile team would have a meeting with the Product Owner, where they committed to the requirements they would churn out within two weeks (in Scrum terminology: in the current Sprint). This made possible a perk for managers: they now received a commitment that the highest priority requirements would definitely be delivered within two weeks at the most. Additional items would be approached as fit the capacity – and there would reliably be another meeting after two weeks, making it possible to react quickly to new and changing priorities. This meant a notable change from the former state of the “unproductive” IT.

In addition, the method brought about a normalization of the RACI matrix: PRM (now the Product Owner and two Co-Product Owners) and the agile team became “Responsible”, managers became “Accountable” for requirements from their respective departments. At the same time, managers from the other departments were “Consulted” during the Round Table, or even before that, when the check-list was filled in for any given requirement. Ultimately, executives were really only given a rough overview and not bothered by overwhelming technical detail (Fig. 4).

Fig. 3: RACI matrix of the IT department before the introduction of agile methods

Role R A C I
Executives/owner x
Management x x
Other employees x
PRM x x
Infrastructure and dev. (x)

Fig. 4: RACI matrix of the IT department after the introduction of a few agile methods

Role R A C I
Executives/owner (x)
Management x* x**
Other employees x***
PRM/PO x
Infrastructure and dev./at x

* with respect to their own department
** with respect to other departments
*** as a substitute for the head of department

During daily work, it quickly showed that IT had regained its ability to deliver. This was made possible by the simple fact that requirements were now explicitly formulated and prioritized. Also, instead of assigning 10 or even 20 poorly formulated requirements to a single person, there was now a team of 4 working on 3-4 tasks at a time, giving developers superior focus.

The agile team’s tasks were tracked on the Scrum board, and tasks iterated through the status “To Do”, “Development”, “Technical Test”, “Test Product Owner” and “Acceptance”. The final status was tied to cooperation from management: with the introduction of the method, it was agreed that a department asking for a certain requirement must be available for questions that might arise during development at very short notice. They also had to be ready to do an acceptance test, which meant there was now a formal approval process in place. As a result, the process around the IT department improved on the input as well as on the output side. The agile team now used a rudimentary form of Scrum. Through the simple Scrum board on the wall the method acquired a visibility that might well outweigh the advantages of a sophisticated tool, such as Jira. Tooling was actually postponed, as its complexity and cost represent typical agile aspects that make traditional business people cringe (Fig. 5).

To conclude, IT’s ability to deliver was restored thanks to two immediate effects of agile methods:

– clearly defined responsibilities (shown in the figure by the person pictograms)
– visibility and transparency of requirements / tasks

Together, they provide some concrete “material” based upon which everybody (e.g. all the roles in the RACI matrix) can learn the method and practice the new way of working together. This shows that, contrary to popular belief, agile methods can be introduced with a minimum of “theory” (a frequent criticism in smaller companies), and produce tangible results even in the first phases. In the present case, the company still chose to have the learning process supported by two experienced Agile Coaches.

This article does not suggest that agile methods are a panacea. The introduction of a rudimentary Scrum did not immediately generate customer-oriented output in the style of a start-up (this is what the yellow flash in Fig. 5 indicates). And, of course, there were also some negative reactions from management and employees, which must be used as feedback for the next steps in the agile transformation process. Also, the measures described in this article are really only the very first steps towards the “agile threshold”. Many more aspects, like the hardware and software, test and quality management, cooperation with standing and potential suppliers, need to be addressed subsequently. The agile team needs time to “get into the groove” before they can serve as a nucleus or example for introducing agile puzzle pieces in additional departments.

The path to an agile attitude, which is the organizational matrix for digital transformation, can take a long time to complete. This article has recounted the first steps of the journey and highlighted its first results. In any case, the question of whether to call any of this “Scrum”, or not, should not be the primary concern, and it is certainly no obstacle to taking on the agile transformation.

Fig. 5: New methods and clear roles restore IT’s ability to deliver.

Christiane Zehrer

She first learned about Scrum in 2007 and has been hooked since. She worked as a bid manager and consultant in the automotive industry before turning completely agile, becoming a full-time product owner and coach. She holds a PhD in applied linguistics and presently teaches technical communication and project management at the university level.

Fig. 5 labels: Digital input – Agile methods and tools – Customer-friendly output


Conferences

“Data Security: I have nothing to hide” was the topic for the conversation when Global Digital Women invited to a panel discussion held at SAP’s Data Kitchen in Berlin. The CEO and founder of GDW, Tijen Onaran, gave everyone a warm welcome. As an introduction to the topic, Birgit Hess, Cloud Security Awareness Lead at SAP, opened with a wink to all the Matrix fans. But what is the core message of The Matrix? Don’t trust your own eyes. The conversation got more serious as she talked about deepfakes, a technique for human image synthesis based on artificial intelligence. “Deepfake” came along in 2017. Since then, with the capability to combine and superimpose existing images and videos onto source images or videos, we have seen a development in the online community where it is getting harder to tell the different kinds of content apart. A compromising deepfake picture can ruin my career or my personal life, because maybe I don’t have any proof that it’s fake.

Birgit warned us that unreliable data is getting more and more common. Therefore, big data is getting less important and we will see more value in real data. Data that we can prove is valid and accurate will gain much more value. Big data is great for statistics but loses its value if one cannot prove that it is real. In order to do so we need an unbroken chain.

A lot of people complain about the GDPR, but Birgit tells us that she is a big fan. She points towards the integrity of the data. Everyone who is touching data is responsible. There is a difference between keeping people out and being able to prove that no one has been able to break in. We are getting more and more vulnerable. We need to make sure that the data we have is secure, valid and accurate.

Next on the agenda was the panel discussion with Elena Jolkver, Consultant in Data Analytics and Machine Learning at xValue; Alisha Andert, Head of Legal Innovation at Flightright and Legal Tech expert; René Bader, Manager for Critical Business Applications & Big Data at NTT Security; Birgit Hess, Cloud Security Awareness Lead Europe at SAP; and Tijen Onaran, CEO at GDW and moderator. Tijen wanted to know what the essence of data security tells us and how it can be defined.

Our panel describes it as caution with sensitive data. We want to know who has access, and how data can be trackable and usable even for the next person. And also, there is a big focus on ethical usage. The possibility to analyze combined data can give us opportunities but also negative consequences that we didn’t think of while creating the tools. Therefore, it’s important to include the regulation perspective to protect our valuables. Here we have a challenge to integrate the security mindset into our culture. We all want the convenience, but we don’t want to give out too much of our personal data. This forces us to look at the way we see and protect data. On one hand we want to protect the individual, our privacy, and on the other hand we want to protect the data itself and the business built on it. To feel secure is a deep human need. When we experience that the threats around us are diffuse and unknown, a lot of people tend to respond in a very emotional way. There is no guarantee as to who can use data, for what, and in which context.

But what does it mean for the start-up world? There is a challenge in terms of huge investments. You constantly need to keep up to date on a topic that is rapidly changing and evolving, and not only from a technology perspective but in the view of laws and regulations as well. Startups tend to be data-driven companies, which means that they depend on data, their own as well as others’. The need for accuracy is huge. Making investments based on a false data set can mean the end for a small startup. Companies that have the means to sort data need to make sure of what they collect. The core is a process that involves all the perspectives, the innovation part as well as the regulation part, and does not see them as counterparts to one another. The data security mindset needs to become the norm.

Global Digital Women and the SAP Kitchen

Emelie Gustafsson.

CLOUDICAL


35 the cloud report 04—2019

Advertorial

Go Community meets again at GoDays in Berlin

As the programming language Go is one of the fastest growing languages, we‘ve thought about how we can support the community and decided to start with the Go-related conference GoDays.

The first edition in Berlin in January 2019 was a huge success. With 300+ participants and 25 speakers from around the world, the community’s response exceeded our expectations. We had a full house at Google Factory and were sold out two weeks before the event. Good reasons for us to continue with the series and to create more room for the Go community to engage and exchange with one another.

What‘s waiting for you next year?
Once again, GoDays will take place in Berlin from January 21-23, 2020, since the city has a vivid Go community. Our new venue – Vollgutlager & Schwuz – is on the former grounds of the Alte Kindl Brewery and was restored in 2015. The rough character of an industrial production hall combined with the remnants of the creative underground Berlin scene provides a very special location for the conference.

Why should you come?
Next year, GoDays will be three days packed with hands-on workshops and in-depth developer talks about Go.

January 21
– Hands-on workshops
– Pre-conference meetup

January 22-23
– Main conference with in-depth talks on 3 stages
– Networking breaks & afterparty

We expect an international speaker line-up and more than 500 attendees from all over the world. This is your chance to meet like-minded Go experts, beginners, and everyone in between to exchange ideas and learn from each other.

For the cloud report readers we have a special discount code, which gives you a 20% discount on the regular conference ticket: #GoDays20_20%@CloudReport

Join us for three days in Berlin.


Tests

We are testing clouds

Cloud computing offerings are changing rapidly. Even the offerings of the individual providers are regularly being further developed. This makes it almost impossible to keep track of things. We, Cloudical, would like to remedy this situation and gradually examine the offers and evaluate them from an objective point of view. Our technicians have developed tests for this purpose. We test general information on onboarding, availability, SLAs, data centers, compute, storage, network, limitations, scaling, technologies, but also more internal information such as backup, security, image service, patch management, monitoring, CI/CD, as-a-Service offerings and, of course, the cost factor.

The results are rankings and tables that help customers to inform themselves independently and to find the right provider for themselves. But not only readers of the Report receive comprehensive, independent data; providers can also find out about their market, see where they stand and where their strengths lie in comparison. They can also identify their possible weaknesses and potentials, see possible pent-up demand or discover approaches for further specialization and improvement. And of course, they present themselves to interested readers and potential customers.

Currently we have tested the providers AWS, Azure, Google Cloud, IBM Cloud, the Open Telekom Cloud and the OVH Cloud. On the following pages you will find the evaluations sorted by individual topics. You will find the complete evaluations here. We will gradually add more clouds, so that in the next issues only exemplary test evaluations will be shown; you will find the detailed tables online.

the-report.cloud

If you have any suggestions for supplementing the questions, please write to us at: [email protected].

Note: Three virtual machines of different sizes are used in the evaluations:

Small means:
– OS Ubuntu 16.04
– 2 vCPUs
– 8 GB RAM
– min. 50 GB HDD
– Location: Germany, if not Western Europe, if not Europe

Medium means:
– OS Ubuntu 16.04
– 4 vCPUs
– 16 GB RAM
– min. 50 GB HDD
– Location: Germany, if not Western Europe, if not Europe

Large means:
– OS Ubuntu 16.04
– 8 vCPUs
– 32 GB RAM
– min. 50 GB HDD
– Location: Germany, if not Western Europe, if not Europe


And the winners are ...

As with every edition, our team looked into many different aspects of several cloud providers. We analyzed their pros and cons, discussed our experiences, and decided on the winner in all categories. Interestingly, we found out that none of the vendors we tested would be unrecommendable: each one has specific strengths and (of course) potential for improvements. We were especially impressed by the performance of smaller and/or not so well-known cloud vendors, such as Open Telekom Cloud: Often they offer comparable performance and sometimes even more options than their bigger competitors, combined with more personal support and very reasonable pricing. That being said, let’s look into the winners. And don’t forget to check out our detailed comparison tables on the next pages for more details. From our perspective there is no right or wrong considering cloud vendors nowadays, there is only a matter of needs and their fulfillment by a vendor. The best thing is: Nowadays, multi-cloud approaches can be implemented more easily than ever before, allowing for a the-right-tool-for-the-job approach and preventing vendor lock-in.

The tests were ranked by Christian Schilling.

CLOUDICAL

Category – Winner – Reason

Backup, Recovery and Availability – IBM Cloud: IBM can keep its top position as it is still the cost-efficient solution. If more features are needed, Azure will be the best choice.

Compute – OTC: OTC still offers the best overall compute performance; our new participant OVH is an interesting option regarding price per VM.

Databases (DBaaS) – AWS: AWS wins because they have the biggest variety in big data and databases, ranging from in-house products to widely used Redis, PostgreSQL and so on.

IaaS, PaaS and SaaS – Patch Management – Google Cloud Platform: GCP is the winner, as they offer a wide catalogue of common and container-optimized OSes. As Azure and IBM offer patch management too, they can be a good choice for you as well.

Network – OVH: As OVH does not charge for traffic, they win this part, even if Azure and Google Cloud Platform still have unbeatably high bandwidth.

Security – Azure: Azure can still defend first place in this category, as they are still the only one who do pen-tests against their own platform.

Storage – AWS for object, IBM for block and file: IBM offers the fastest block storage with up to 240 MB/s. Price-wise, Google wins that fight, but keep in mind that they have the slowest storage for that price. For object storage, there is no way around AWS as inventor of S3 storage.


Compute

Providers (in column order): AWS | Azure | Google Cloud Platform | IBM Cloud | OTC | OVH

Small VM (OS Ubuntu 16.04; 2 vCPUs; 8 GB RAM; min. 50 GB HDD; Location: Germany, if unavailable: Western Europe, if unavailable: Europe): yes | yes | yes | yes | yes | yes

Medium VM (OS Ubuntu 16.04; 4 vCPUs; 16 GB RAM; min. 50 GB HDD; Location: Germany, if unavailable: Western Europe, if unavailable: Europe): yes | yes | yes | yes | yes | yes

Large VM (OS Ubuntu 16.04; 8 vCPUs; 32 GB RAM; min. 50 GB HDD; Location: Germany, if unavailable: Western Europe, if unavailable: Europe): yes | yes | yes | yes | yes | yes

GPU support for the VM? yes | yes | yes | yes | no | yes

AutoScaling for VM? yes | yes | yes | yes | yes | no

Availability Zones (i.e. Availability Set) possible? yes | yes | yes | yes | yes | no

Startup time (until time of availability), Small / Medium / Large:
– AWS: 28 / 29 / 30 sec
– Azure: 112 / 125 / 145 sec
– Google Cloud Platform: 57 / 44 / 43 sec
– IBM Cloud: 514 / 496 / 582 sec
– OTC: 50 / 59 / 69 sec
– OVH: 39 / 40 / 45 sec

Count of steps until VM is created: 7 | 7 | 2 | 4 | 4 | 5

RAM throughput (sysbench, block size 1k), Read / Write:
– AWS: 860.19 / 822.12 MB/sec
– Azure: 4894.59 / 3710.21 MB/sec
– Google Cloud Platform: 4510.19 / 3540.88 MB/sec
– IBM Cloud: 796.62 / 759.06 MB/sec
– OTC: 4198.97 / 3452.77 MB/sec
– OVH: 4340.03 / 3432.97 MB/sec

CPU speed (Geekbench), Small single core / Small multi core / Medium single core / Medium multi core / Large single core / Large multi core:
– AWS: 3096 / 5991 / 3139 / 10857 / 3537 / 20995
– Azure: 3086 / 3658 / 3060 / 6687 / 3200 / 11882
– Google Cloud Platform: 3070 / 3824 / 3050 / 7258 / 3058 / 13460
– IBM Cloud: 2627 / 4971 / 2772 / 9395 / 2636 / 16380
– OTC: 2915 / 5408 / 2906 / 9527 / 2980 / 18568
– OVH: 3147 / 5740 / 2907 / 9804 / 3110 / 17932

VM accessible via console? no | yes | yes | yes | yes | yes

Total cost of VM per month (732 hrs), Small / Medium / Large (the source lists five entries for six providers; given here in source order):
– € 69.91 / $ 78.48; € 139.80 / $ 156.95; € 279.60 / $ 313.89
– € 73.92 / $ 99.28; € 147.75 / $ 175.20; € 295.49 / $ 350.40
– € 56.09 / $ 62.54; € 110.17 / $ 125.09; € 220.34 / $ 250.18
– € 80.63 / $ 89.94; € 154.54 / $ 172.39; € 302.19 / $ 337.10
– € 74.75 / $ 83.86; € 150.28 / $ 168.60; € 292.42 / $ 328.20

Supported disk formats / images:
– AWS: OVA, VMDK, RAW, VHD/VHDX
– Azure: VHD, VMDK, VHDX, QCOW2, RAW
– Google Cloud Platform: VMDK, VDH, RAW
– IBM Cloud: VMDK, AKI, ARI, AMI, QCOW2, RAW
– OTC: VMDK, VHD, VHDX, QCOW2, RAW
– OVH: VMDK, ISO, ARI, AKI, AMI, VDI, VHD

Are there any limitations per VM? (the source lists five entries for six providers; given here in source order):
– Amount CPUs: 128; RAM size: 1952 GB; Disk size: 2048 GB
– Amount CPUs: 128; RAM size: 3892 GB; Disk size: 4096 GB; Amount Disk: 64
– Amount CPUs: 160; RAM size: 3844 GB; Disk size: 64 TB; Amount Disk: 128
– Amount CPUs: 64; RAM size: 512 GB; Disk size: 12 TB
– Amount CPUs: 60; RAM size: 940 GB

Can bare-metal servers be deployed via the cloud? yes | no | yes | yes | yes | yes

Which hypervisor is used? (entries as listed in the source, left to right; provider boundaries not preserved): KVM, Xen | Hyper-V, KVM, PowerVM, VMware ESX Server, Xen, KVM, z/VM | Xen, KVM

Is autorecovery available? (five entries for six providers, in source order): yes | yes | no | yes | yes



Storage

Providers (in column order): AWS | Azure | Google Cloud Platform | IBM Cloud | OTC | OVH

Which kinds of storage are available? (Object / Blob Storage; File Storage; Block Storage)
– AWS: yes (S3 / Glacier); yes (EFS); yes (EBS)
– Azure: yes (Azure Blob Storage); yes (Azure Disk Storage); yes (Azure Files)
– Google Cloud Platform: yes (Google Cloud Storage); yes (Google Drive / Persistent Disk); yes (Google Persistent Disk)
– IBM Cloud: yes (IBM Cloud Object Storage); yes (IBM Cloud file storage); yes (IBM Cloud block storage)
– OTC: yes (Object Storage Service); yes (Scalable File Service); yes (Elastic Volume Service)
– OVH: yes (Swift); yes (CephFS); yes (based on Ceph)

Block – different tier classes (SATA, SSD, SAS)? yes | yes | yes | yes | yes | yes

Which object storage engines are offered?
– AWS: Amazon S3
– Azure: Azure Blob Storage
– Google Cloud Platform: Buckets (like S3)
– IBM Cloud: S3, Swift
– OTC: S3, OpenStack Swift
– OVH: Swift

File – accessing file storage via (cluster) file system (entries as listed in the source; provider boundaries not preserved): EFS, GlusterFS, BeeGFS, Lustre | Google Cloud Storage FUSE, Google Cloud Filestore (beta) | NFS | NFS | CephFS

Storage capacity limits:
– AWS: overall size unlimited; 5 TB per S3 object
– Azure: 500 TB per Storage Account; 200 Storage Accounts per subscription
– Google Cloud Platform: overall size unlimited; 5 TB per individual object
– IBM Cloud: overall size unlimited; 25 GB per month of object storage (unlimited for standard plan)
– OTC: 50 TB of object storage; 32 TB of block storage; 10 PB of file storage
– OVH: overall size unlimited

Duration of provisioning? 8 sec | 47 sec | 22 sec | 24 sec | 8 sec | 7 sec

Throughput / IOPS (block and file storage only):
– AWS: random read bw = 24.52 MB/s, iops = 3065; random write bw = 129.00 MB/s, iops = 2015; random read and write: read bw = 44.20 MB/s, iops = 2762, write bw = 5.04 MB/s, iops = 314; sequential read bw = 24.55 MB/s, iops = 3068; sequential write bw = 99.07 MB/s, iops = 3095
– Azure: random read bw = 1.95 MB/s, iops = 243; random write bw = 15.58 MB/s, iops = 243; random read and write: read bw = 3.50 MB/s, iops = 218, write bw = 0.41 MB/s, iops = 25; sequential read bw = 1.95 MB/s, iops = 243; sequential write bw = 7.80 MB/s, iops = 243
– Google Cloud Platform: random read bw = 1.20 MB/s, iops = 149; random write bw = 7.32 MB/s, iops = 114; random read and write: read bw = 1.05 MB/s, iops = 65, write bw = 0.12 MB/s, iops = 7; sequential read bw = 37.59 MB/s, iops = 4699; sequential write bw = 121.87 MB/s, iops = 3808
– IBM Cloud: random read bw = 145.81 MB/s, iops = 18266; random write bw = 226.01 MB/s, iops = 3531; random read and write: read bw = 165.92 MB/s, iops = 10370, write bw = 18.90 MB/s, iops = 1181; sequential read bw = 108.30 MB/s, iops = 13538; sequential write bw = 119.20 MB/s, iops = 3725
– OTC: random read bw = 8.04 MB/s, iops = 1004; random write bw = 65.03 MB/s, iops = 1017; random read and write: read bw = 14.45 MB/s, iops = 903, write bw = 1.65 MB/s, iops = 102; sequential read bw = 10.90 MB/s, iops = 1362; sequential write bw = 57.91 MB/s, iops = 1809
– OVH: random read bw = 1.61 MB/s, iops = 201; random write bw = 12.05 MB/s, iops = 188; random read and write: read bw = 3.85 MB/s, iops = 240, write bw = 0.45 MB/s, iops = 27; sequential read bw = 1.26 MB/s, iops = 156; sequential write bw = 6.09 MB/s, iops = 190

Costs per month – total price for a 50 GB disk mounted to the VM: € 5.29 / $ 5.95 | € 7.65 / $ 8.58 | € 1.14 / $ 1.28 | € 8.82 / $ 9.89 | € 2.30 / $ 2.58 | € 2.25 / $ 2.25

Backup, Recovery and Availability

Providers (in column order): AWS | Azure | Google Cloud Platform | IBM Cloud | OTC | OVH

Are managed backups offered (provider is responsible for taking backups)? yes | yes | no | yes | yes | yes

Which types of backups are supported for VMs?
– AWS: Snapshots, Incremental Backups
– Azure: Full Backups, Differential Backups, Incremental Backups, Snapshots
– Google Cloud Platform: Snapshots, Incremental Backups
– IBM Cloud: Snapshot, Full Backups, Incremental Backups
– OTC: Snapshot, Full Backups, Incremental Backups
– OVH: Snapshot, Full Backups, Incremental Backups

Where will the backup be stored? (entries as listed in the source; provider boundaries not fully preserved)
– Amazon S3, Amazon Glacier, different datacenter, storage cluster
– Recovery Services Vault, different datacenter
– Google Cloud Storage, storage cluster
– Evault, dedicated backup space, IBM Cloud Backup, IBM Object Storage archive
– different data centers; different data centers; Cloud Repository

Can backups be scheduled? yes | yes | yes | yes | yes | yes

Usage costs per month (500 GB backup storage, Western Europe): € 22.13 / $ 25.00 | € 10.12 / $ 12.00 | € 4.48 / $ 5.00 | € 0.88 / $ 1.00 | € 5.00 / $ 5.63 | € 5.03 / $ 5.58

Is a managed backup service for a VM provided? no | yes | no | yes | yes | yes



Databases (DBaaS)

Providers (in column order): AWS | Azure | Google Cloud Platform | IBM Cloud | OTC

Which DB engines are offered?
– AWS: Relational DB: MySQL, PostgreSQL, MariaDB, Oracle, Microsoft SQL Server, Amazon Aurora. Non-relational DB: Amazon DynamoDB, Amazon ElastiCache, Amazon Neptune, Redis, Memcached. Data Warehouse / Big Data: Amazon Redshift, Amazon Athena, Amazon EMR (Hadoop, Spark, HBase, Presto, etc.), Amazon Kinesis, Amazon Elasticsearch Service, Amazon QuickSight.
– Azure: Relational DB: Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Database for MariaDB, Microsoft SQL Server. Non-relational DB: Azure Cosmos DB, Azure Table Storage, Redis. Data Warehouse / Big Data: SQL Data Warehouse, HDInsight (Hadoop, Spark, Hive, LLAP, Kafka, Storm, R), Azure Databricks (Spark), Azure Data Factory, Azure Stream Analytics.
– Google Cloud Platform: Relational DB: PostgreSQL, MySQL, Google Cloud Spanner. Non-relational DB: Google Cloud Datastore, Google Cloud Bigtable. Data Warehouse / Big Data: Google Cloud BigQuery, Google Cloud Dataflow, Google Cloud Dataproc (Hadoop / Spark), Google Cloud Datalab, Google Cloud Dataprep.
– IBM Cloud: Relational DB: Db2 on Cloud, PostgreSQL, MySQL. Non-relational DB: Cloudant, MongoDB, ScyllaDB, Redis, JanusGraph, etcd, Elasticsearch. Data Warehouse / Big Data: Db2 Warehouse on Cloud.
– OTC: Relational DB: PostgreSQL, MySQL, Microsoft SQL Server. Non-relational DB: MongoDB, Redis.

Performance of MySQL (MySQL sysbench, table size (row data): 1000000, threads: 16), Read / Write / Read-Write:
– AWS: 63923 transactions (1065.00 / sec) / 87049 (1450.54 / sec) / 42841 (713.69 / sec)
– Azure: 21100 (351.40 / sec) / 10642 (177.26 / sec) / 8287 (137.47 / sec)
– Google Cloud Platform: 6906 (114.80 / sec) / 17290 (287.88 / sec) / 5773 (95.97 / sec)
– IBM Cloud: 36562 (609.04 / sec) / 79668 (1327.34 / sec) / 29407 (489.85 / sec)
– OTC: 46222 (770.14 / sec) / 64707 (1078.25 / sec) / 29942 (498.75 / sec)

Provisioning time for a MySQL instance: 325 sec | 205 sec | 250 sec | 300 sec | 463 sec

Performance of PostgreSQL, Read / Write / Read-Write:
– AWS: 1010644 transactions (16841.26 / sec) / 372072 (6200.38 / sec) / 32639 (542.73 / sec)
– Azure: 103860 (1729.28 / sec) / 34736 (575.76 / sec) / 5040 (83.73 / sec)
– Google Cloud Platform: 112062 (1867.34 / sec) / 88086 (1467.89 / sec) / 5676 (94.26 / sec)
– IBM Cloud: 794015 (13231.69 / sec) / 597588 (9958.29 / sec) / 33545 (557.93 / sec)
– OTC: 1331506 (22187.65 / sec) / 165409 (2756.07 / sec) / 22886 (381.04 / sec)

Provisioning time for a PostgreSQL instance: 460 sec | 250 sec | 195 sec | 480 sec | 315 sec

Supported DB versions:
– AWS: MySQL 8.0, 5.7, 5.6, 5.5; MariaDB 10.3, 10.2, 10.1, 10.0; Microsoft SQL Server 2017 RTM, 2016 SP1, 2014 SP2, 2012 SP4, 2008 R2 SP3; Oracle 12c (12.1.0.2, 12.1.0.1), Oracle 11g (11.2.0.4, 11.2.0.3, 11.2.0.2); PostgreSQL 11.2, 11.1, 10.6, 10.5, 10.4, 10.3, 10.1, 9.6.x, 9.5.x, 9.4.x, 9.3.x, 9.2.x; Amazon Aurora (compatible with MySQL 5.6.10a)
– Azure: MySQL 5.7, 5.6; MariaDB 10.2; Azure SQL Database: Microsoft SQL Server 2017; Microsoft SQL Server 2017, 2016 SP1, 2014 SP2, 2012 SP4, 2008 R2 SP3; PostgreSQL 10.3, 9.6.x, 9.5.x; Azure Cosmos DB
– Google Cloud Platform: MySQL 5.7, 5.6; PostgreSQL 9.6.x
– IBM Cloud: Db2; PostgreSQL 9.6.12, 9.6.10, 9.6.9, 9.5.14, 9.5.13, 9.4.19, 9.4.18; MySQL 5.7.22, 5.7.20; Cloudant; MongoDB 3.4.10, 3.2.18, 3.2.11, 3.2.10; ScyllaDB 2.0.3; Redis 4.0.10, 3.2.12; JanusGraph 0.1.1 beta; etcd 3.3.3, 3.2.18; Elasticsearch 6.2.2, 5.6.9; Db2 Warehouse
– OTC: PostgreSQL 10.0, 9.6.5, 9.6.3, 9.5.5; MySQL 5.7.20, 5.7.17, 5.6.35, 5.6.34, 5.6.33, 5.6.30; Microsoft SQL Server 2016 EE, 2016 SE, 2014 SE

Troubleshooting as a Service (Rollback / Support): yes / yes | yes / yes | yes / yes | yes / yes | yes / yes

Total price for the database per month (MySQL; 2 vCores; 100 GB storage; Frankfurt / Western Europe; 100% active per month; no dedicated backup): € 114.13 / $ 128.13 | € 142.29 / $ 159.50 | € 121.43 / $ 138.75 | N/A | € 298.40 / $ 335.04

Total price for the database per month (PostgreSQL; 2 vCores; 100 GB storage; Frankfurt / Western Europe; 100% active per month; no dedicated backup): € 121.64 / $ 136.34 | € 142.29 / $ 159.50 | € 124.21 / $ 141.81 | € 103.04 / $ 136.00 | € 312.80 / $ 350.85

Page 45: 04—2019 Cloud Securitythe-report.cloud/wp-content/uploads/2019/10/Cloud... · Computing from a big picture overview, introducing the necessary theoretical background and the respective,

43 the cloud report 04—2019

Databases (DBaaS)

Providers compared: AWS, Azure, Google Cloud Platform, IBM Cloud, OTC

Which DB engines are offered?
AWS:
– Relational DB: MySQL, PostgreSQL, MariaDB, Oracle, Microsoft SQL Server, Amazon Aurora
– Non-Relational DB: Amazon DynamoDB, Amazon ElastiCache, Amazon Neptune, Redis, MemCached
– Data Warehouse / Big Data: Amazon Redshift, Amazon Athena, Amazon EMR (Hadoop, Spark, HBase, Presto, etc.), Amazon Kinesis, Amazon Elasticsearch Service, Amazon QuickSight
Azure:
– Relational DB: Azure SQL Database, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Database for MariaDB, Microsoft SQL Server
– Non-Relational DB: Azure Cosmos DB, Azure Table Storage, Redis
– Data Warehouse / Big Data: SQL Data Warehouse, HDInsight (Hadoop, Spark, Hive, LLAP, Kafka, Storm, R), Azure Databricks (Spark), Azure Data Factory, Azure Stream Analytics
Google Cloud Platform:
– Relational DB: PostgreSQL, MySQL, Google Cloud Spanner
– Non-Relational DB: Google Cloud Datastore, Google Cloud Bigtable
– Data Warehouse / Big Data: Google Cloud BigQuery, Google Cloud Dataflow, Google Cloud Dataproc (Hadoop / Spark), Google Cloud Datalab, Google Cloud Dataprep
IBM Cloud:
– Relational DB: Db2 on Cloud, PostgreSQL, MySQL
– Non-Relational DB: Cloudant, MongoDB, ScyllaDB, Redis, JanusGraph, etcd, Elasticsearch
– Data Warehouse / Big Data: Db2 Warehouse on Cloud
OTC:
– Relational DB: PostgreSQL, MySQL, Microsoft SQL Server
– Non-Relational DB: MongoDB, Redis

Performance of MySQL (MySQL Sysbench, table size (row data): 1000000, threads: 16); transactions for Read / Write / Read-Write
AWS: Read 63923 (1065.00 / sec); Write 87049 (1450.54 / sec); Read/Write 42841 (713.69 / sec)
Azure: Read 21100 (351.40 / sec); Write 10642 (177.26 / sec); Read/Write 8287 (137.47 / sec)
Google Cloud Platform: Read 6906 (114.80 / sec); Write 17290 (287.88 / sec); Read/Write 5773 (95.97 / sec)
IBM Cloud: Read 36562 (609.04 / sec); Write 79668 (1327.34 / sec); Read/Write 29407 (489.85 / sec)
OTC: Read 46222 (770.14 / sec); Write 64707 (1078.25 / sec); Read/Write 29942 (498.75 / sec)

Provisioning time for a MySQL instance
AWS: 325 sec; Azure: 205 sec; Google Cloud Platform: 250 sec; IBM Cloud: 300 sec; OTC: 463 sec

Performance of PostgreSQL; transactions for Read / Write / Read-Write
AWS: Read 1010644 (16841.26 / sec); Write 372072 (6200.38 / sec); Read/Write 32639 (542.73 / sec)
Azure: Read 103860 (1729.28 / sec); Write 34736 (575.76 / sec); Read/Write 5040 (83.73 / sec)
Google Cloud Platform: Read 112062 (1867.34 / sec); Write 88086 (1467.89 / sec); Read/Write 5676 (94.26 / sec)
IBM Cloud: Read 794015 (13231.69 / sec); Write 597588 (9958.29 / sec); Read/Write 33545 (557.93 / sec)
OTC: Read 1331506 (22187.65 / sec); Write 165409 (2756.07 / sec); Read/Write 22886 (381.04 / sec)

Provisioning time for a PostgreSQL instance
AWS: 460 sec; Azure: 250 sec; Google Cloud Platform: 195 sec; IBM Cloud: 480 sec; OTC: 315 sec

Supported DB versions
AWS:
– MySQL 8.0, 5.7, 5.6, 5.5
– MariaDB 10.3, 10.2, 10.1, 10.0
– Microsoft SQL Server 2017 RTM, 2016 SP1, 2014 SP2, 2012 SP4, 2008 R2 SP3
– Oracle 12c (12.1.0.2, 12.1.0.1), Oracle 11g (11.2.0.4, 11.2.0.3, 11.2.0.2)
– PostgreSQL 11.2, 11.1, 10.6, 10.5, 10.4, 10.3, 10.1, 9.6.x, 9.5.x, 9.4.x, 9.3.x, 9.2.x
– Amazon Aurora, compatible with MySQL 5.6.10a
Azure:
– MySQL 5.7, 5.6
– MariaDB 10.2
– Azure SQL Database: Microsoft SQL Server 2017
– Microsoft SQL Server 2017, 2016 SP1, 2014 SP2, 2012 SP4, 2008 R2 SP3
– PostgreSQL 10.3, 9.6.x, 9.5.x
– Azure Cosmos DB
Google Cloud Platform:
– MySQL 5.7, 5.6
– PostgreSQL 9.6.x
IBM Cloud:
– Db2
– PostgreSQL 9.6.12, 9.6.10, 9.6.9, 9.5.14, 9.5.13, 9.4.19, 9.4.18
– MySQL 5.7.22, 5.7.20
– Cloudant
– MongoDB 3.4.10, 3.2.18, 3.2.11, 3.2.10
– ScyllaDB 2.0.3
– Redis 4.0.10, 3.2.12
– JanusGraph 0.1.1 beta
– etcd 3.3.3, 3.2.18
– Elasticsearch 6.2.2, 5.6.9
– Db2 Warehouse
OTC:
– PostgreSQL 10.0, 9.6.5, 9.6.3, 9.5.5
– MySQL 5.7.20, 5.7.17, 5.6.35, 5.6.34, 5.6.33, 5.6.30
– Microsoft SQL Server 2016 EE, 2016 SE, 2014 SE

Troubleshooting as a Service (Rollback / Support)
AWS: yes / yes; Azure: yes / yes; Google Cloud Platform: yes / yes; IBM Cloud: yes / yes; OTC: yes / yes

Total price for the database per month (MySQL, 2 vCores, 100 GB storage, Frankfurt / Western Europe, 100% active per month, no dedicated backup)
AWS: € 114.13 / $ 128.13; Azure: € 142.29 / $ 159.50; Google Cloud Platform: € 121.43 / $ 138.75; IBM Cloud: N/A; OTC: € 298.40 / $ 335.04

Total price for the database per month (PostgreSQL, 2 vCores, 100 GB storage, Frankfurt / Western Europe, 100% active per month, no dedicated backup)
AWS: € 121.64 / $ 136.34; Azure: € 142.29 / $ 159.50; Google Cloud Platform: € 124.21 / $ 141.81; IBM Cloud: € 103.04 / $ 136.00; OTC: € 312.80 / $ 350.85


Tests 44

Databases (DBaaS), continued

Limitations: how many simultaneous requests to the DB? How much RAM? How many users?
AWS: MySQL max connections: 2540; PostgreSQL max connections: 5696
Azure: MySQL max connections: 10000; PostgreSQL max connections: 1900
Google Cloud Platform: MySQL max connections: 4000; PostgreSQL max connections: 1000
IBM Cloud: MySQL max connections: 151; PostgreSQL max connections: 1000
OTC: MySQL max connections: 151; PostgreSQL max connections: unlimited

How does backup/restore work?
AWS: Backups: automatic backups. Restore: point-in-time restore
Azure: Backups: automatic backups. Restore: point-in-time restore, geo-restore
Google Cloud Platform: Backups: automatic backups. Restore: on-demand
IBM Cloud: Backups: automatic backups. Restore: on-demand
OTC: Backups: automatic backups. Restore: point-in-time restore

Network

Providers compared: AWS, Azure, Google Cloud Platform, IBM Cloud, OTC, OVH

Is network monitoring available?
AWS: yes; Azure: yes; Google Cloud Platform: yes; IBM Cloud: yes; OTC: yes; OVH: no

Is a Content Delivery Network (CDN) available?
yes for all six providers

Sample measurements (iperf result; 1) same AZ, 2) different AZ, 3) different region)
AWS:
1) TCP: sender 956 Mbit/sec, receiver 956 Mbit/sec; UDP: 613 Mbit/sec
2) TCP: sender 922 Mbit/sec, receiver 921 Mbit/sec; UDP: 2.06 Gbit/sec
3) TCP: sender 186 Mbit/sec, receiver 184 Mbit/sec; UDP: 381 Mbit/sec
Azure:
1) TCP: sender 1.35 Gbit/sec, receiver 1.37 Gbit/sec; UDP: 935 Mbit/sec
2) TCP: sender 910 Mbit/sec, receiver 908 Mbit/sec; UDP: 945 Mbit/sec
3) TCP: sender 892 Mbit/sec, receiver 892 Mbit/sec; UDP: 933 Mbit/sec
Google Cloud Platform:
1) TCP: sender 1.81 Gbit/sec, receiver 1.80 Gbit/sec; UDP: 3.79 Gbit/sec
2) TCP: sender 3.36 Gbit/sec, receiver 3.36 Gbit/sec; UDP: 3.79 Gbit/sec
3) TCP: sender 649 Mbit/sec, receiver 649 Mbit/sec; UDP: 3.80 Gbit/sec
IBM Cloud:
1) TCP: sender 102 Mbit/sec, receiver 100 Mbit/sec; UDP: 98.9 Mbit/sec
2) TCP: sender 102 Mbit/sec, receiver 100 Mbit/sec; UDP: 98.9 Mbit/sec
3) TCP: sender 102 Mbit/sec, receiver 99.8 Mbit/sec; UDP: 99 Mbit/sec
OTC:
1) TCP: sender 105 Mbit/sec, receiver 103 Mbit/sec; UDP: 3.31 Gbit/sec
2) TCP: sender 4.80 Gbit/sec, receiver 4.80 Gbit/sec; UDP: 3.08 Gbit/sec
3) N/A
OVH:
1) TCP: sender 245 Mbit/sec, receiver 244 Mbit/sec; UDP: 5.37 Mbit/sec
2) N/A
3) TCP: sender 244 Mbit/sec, receiver 243 Mbit/sec; UDP: 5.01 Gbit/sec

Public IPs (public IPs for VMs? / available kinds of public IPs for VMs / public IPs for load balancers? / available kinds of public IPs for load balancers)
AWS: yes / floating, static / yes / static
Azure: yes / floating, static / yes / static
Google Cloud Platform: yes / floating, static / yes / static
IBM Cloud: yes / floating, static / yes / static
OTC: yes / static / yes / static
OVH: yes / static / yes / static

Is a dedicated network connection from datacenter to public cloud possible?
AWS: yes (AWS Direct Connect); Azure: yes (Azure ExpressRoute); Google Cloud Platform: yes (Google Cloud Interconnect); IBM Cloud: yes; OTC: yes (Direct Connect - MPLS); OVH: yes

Network security features (network traffic analysis, network security groups)
AWS:
– AWS Web Application Firewall
– Network security groups
– Network traffic analysis
Azure:
– Azure Firewall
– Azure Front Door
– Azure Network Watcher
– Azure Security Center
– Azure DDoS Protection
– Network access control
– Network layer control
– Network security rules (NSGs)
Google Cloud Platform:
– Firewall
– Network security groups
– Network traffic analysis
IBM Cloud:
– Network security groups
– Firewalls (multi VLAN, single VLAN and web app)
– DDoS mitigation
OTC:
– Network security groups
– Firewalls (multi VLAN, single VLAN and web app)
OVH:
– Network firewall
– Failover IP
– vRack (private network)
– OVHcloud Connect
– Bandwidth
– Load balancers
– Anti-DDoS protection

VPN as a Service
yes for all six providers

Traffic costs per GB (five values as printed, left to right)
€ 0.13 / $ 0.15; € 0.009 / $ 0.01; € 0.073 / $ 0.082; € 0.078 / $ 0.087; € 0.06 / $ 0.067


Security

Providers compared: AWS, Azure, Google Cloud Platform, IBM Cloud, OTC, OVH

Integration to a SIEM (Security Information and Event Management) possible? / Security groups / Disk encryption / Network traffic analysis
AWS: yes / yes / yes / yes
Azure: yes / yes / yes / yes
Google Cloud Platform: yes / yes / yes / yes
IBM Cloud: yes / yes / yes / yes
OTC: yes / yes / yes / yes
OVH: no / yes / yes / yes

Protection against denial of service attacks
yes for all six providers

Firewall: does the cloud provider provide additional integrated security features, i.e. a next generation firewall?
yes for all six providers

Does the cloud provider keep an eye on current threats and take action?
yes for all six providers

Does the cloud provider support additional integrated security features for cloud resources using 3rd-party tools? IDS (Intrusion Detection System) / IPS (Intrusion Prevention System) / ATP (Advanced Threat Protection)
AWS: yes / yes / yes
Azure: yes / yes / yes
Google Cloud Platform: yes / yes / yes
IBM Cloud: yes / yes / yes
OTC: no / no / no
OVH: yes / yes / yes

Does the provider carry out regular penetration tests against the platform?
AWS: no; Azure: yes; Google Cloud Platform: no; IBM Cloud: no; OTC: no; OVH: no

Container as a Service

Providers compared: AWS, Azure, Google Cloud Platform, IBM Cloud, OTC, OVH

Which technologies are being provided/supported?
AWS: Kubernetes, Docker
Azure: Kubernetes, Mesosphere, DC/OS, Docker
Google Cloud Platform: Kubernetes, Mesosphere
IBM Cloud: Kubernetes, OpenShift
OTC: Kubernetes, Docker, Cloud Container Engine
OVH: Kubernetes

Is a managed container service available?
AWS: yes (EKS); Azure: yes (AKS); Google Cloud Platform: yes; IBM Cloud: yes; OTC: yes; OVH: yes

Can worker nodes be accessed directly by customers?
yes for all six providers

Can master nodes be accessed directly by customers?
AWS: no; Azure: yes; Google Cloud Platform: yes; IBM Cloud: yes; OTC: yes; OVH: yes

Which version of the technologies/Kubernetes is being offered?
AWS: 1.13, 1.12, 1.11, 1.10
Azure: 1.14.3, 1.14.1, 1.13.7, 1.13.5, 1.12.8, 1.12.7, 1.11.10, 1.11.9
Google Cloud Platform: 1.13.7-gke.8, 1.13.6-gke.13, 1.12.9-gke.7, 1.12.8-gke.8, 1.12.7-gke.25, 1.11.10-gke.5
IBM Cloud: 1.14.4, 1.13.8, 1.12.10
OTC: 1.11.3, 1.9.10
OVH: 1.15, 1.14, 1.13, 1.12, 1.11

How much time does it take to provide the container service for four nodes?
AWS: 10 min; Azure: < 2 min; Google Cloud Platform: < 3 min; IBM Cloud: < 2 min; OTC: 15 min; OVH: < 2:30 min

Costs for a Kubernetes cluster (4 nodes, managed service, 732 hrs per month, small flavor, hosted in Frankfurt or Western Europe, storage / IPs not included)
AWS: € 201.19 / $ 224.88; Azure: € 344.74 / $ 383.82; Google Cloud Platform: € 222.53 / $ 247.78; IBM Cloud: € 247.68 / $ 275.78; OTC: € 285.69 / $ 318.07; OVH: € 105.60 / $ 117.53
* Prices in USD have been converted to EUR

Shared or dedicated container engine cluster?
AWS: dedicated; Azure: shared; Google Cloud Platform: shared; IBM Cloud: dedicated; OTC: shared; OVH: dedicated

Do predefined StorageClasses exist in Kubernetes? (name - provisioner)
AWS: gp2 - kubernetes.io/aws-ebs
Azure: default (default) - kubernetes.io/azure-disk; managed-premium - kubernetes.io/azure-disk
Google Cloud Platform: standard (default) - kubernetes.io/gce-pd
IBM Cloud: ibmc-file-bronze (default) - ibm.io/ibmc-file; ibmc-file-custom - ibm.io/ibmc-file; ibmc-file-gold - ibm.io/ibmc-file; ibmc-file-retain-bronze - ibm.io/ibmc-file; ibmc-file-retain-custom - ibm.io/ibmc-file; ibmc-file-retain-gold - ibm.io/ibmc-file; ibmc-file-retain-silver - ibm.io/ibmc-file; ibmc-file-silver - ibm.io/ibmc-file
OTC: cce-evs - cce-evs; cce-sfs - cce-sfs
OVH: cinder-high-speed; cinder-classic

Limitations: what is the maximum cluster size?
AWS: max. 50; Azure: max. 100; Google Cloud Platform: max. 5000; IBM Cloud: n/a; OTC: max. nodes per cluster 1000; OVH: 100

Do you have full access to all K8s resources (no RBAC restriction)?
AWS: yes; Azure: no; Google Cloud Platform: yes; IBM Cloud: no; OTC: yes; OVH: no

Does the container service provide a load balancer service?
yes for all six providers

Is a storage class usable?
yes for all six providers


IaaS / PaaS / SaaS Patch Management

Providers compared: AWS, Azure, Google Cloud Platform, IBM Cloud, OTC, OVH

Does the cloud provide a managed patch service?
AWS: no; Azure: yes (Azure Automation); Google Cloud Platform: yes (Google App Engine); IBM Cloud: yes (IBM BigFix Patch Management); OTC: no; OVH: no

Which operating systems are available?
AWS:
Linux:
– Red Hat Enterprise Linux (RHEL) 7.0 - 7.4, 6.5 - 6.9
– SUSE Linux Enterprise Server (SLES) 12
– Amazon Linux 2015.03 - 2018.03, 2012.03 - 2017.03
– CentOS 7.1, 6.5 and later
– Raspbian Jessie
– Raspbian Stretch
– Ubuntu Server 18.04, 16.04, 14.04
Windows:
– Windows Server 2008
– Windows Server 2012
– Windows Server 2016 including R2 versions
Azure:
Linux:
– CentOS 6 (x86/x64), 7 (x64)
– Red Hat Enterprise 6 (x86/x64), 7 (x64)
– SUSE Linux Enterprise Server 11 (x86/x64), 12 (x64)
– Ubuntu 14.04, 16.04 (x86/x64)
Windows:
– Windows Server 2008
– Windows Server 2008 R2 RTM
– Windows Server 2008 R2 SP1 and later
Google Cloud Platform:
Linux:
– CentOS 7, 6
– Container-Optimized OS from Google cos-69-lts, cos-stable, cos-beta, cos-dev
– CoreOS coreos-stable, coreos-beta, coreos-alpha
– Debian 9
– Red Hat Enterprise Linux (RHEL) 8, 7, 6
– RHEL for SAP rhel-7-6-sap-ha, rhel-7-4-sap
– SUSE Linux Enterprise Server (SLES) 15, 12
– SLES for SAP sles-15-sap, sles-12-sp4-sap, sles-12-sp3-sap, sles-12-sp2-sap, sles-12-sp1-sap
– Ubuntu 19.04, 18.10, 16.04, 14.04
Windows:
– Windows Server 2019, 2016, 2012 R2, 2008 R2
– Windows Server Core 2019
– Windows Server Core 2019 for containers
IBM Cloud:
Linux:
– CentOS 7, 6
– Red Hat Enterprise 7, 6
– SUSE Linux Enterprise Server 12, 11
– Ubuntu Minimal 18.04, 16.04, 14.04
Windows:
– Windows Server 2016 R2, 2012 R2, 2008 R2
OTC:
Linux:
– openSUSE 42.x, 15.x
– CentOS 6.x, 7.x
– Debian 9.x, 8.x
– Fedora 29, 28, 27, 26
– EulerOS 2.x
– Ubuntu 18.04, 16.04, 14.04
– Red Hat Enterprise Linux 7.x, 6.x
– SUSE 15.x, 12.x, 11.x
– Oracle Linux 7.x, 6.x
Windows:
– Windows Server 2019, 2016, 2012 R2, 2012, 2008
OVH:
Linux:
– CentOS 6.x, 7.x
– Debian 9.x, 8.x, 7.x
– Fedora 29, 27, 26
– Ubuntu 19.04, 18.10, 18.04, 17.10, 16.04
– FreeBSD
– CoreOS
– Arch Linux
Windows:
– Windows Server 2019, 2016, 2012 R2, 2012, 2008

Is the operating system of the deployed VM at a current patch level?
yes for all six providers

What is the current available patch level in our sample VM? (Ubuntu 16.04 LTS with latest patches applied)
AWS: 04; Azure: 04; Google Cloud Platform: 04; IBM Cloud: 04; OTC: 04; OVH: 04

Software as a Service

Providers compared: AWS, Azure, Google Cloud Platform, IBM Cloud, OTC, OVH

Is a mobile office suite offered? / Is it deeply integrated with other services?
AWS: no / n/a
Azure: yes / no
Google Cloud Platform: yes / yes
IBM Cloud: yes / yes
OTC: no / no
OVH: yes / yes

Managed app services
AWS: AWS Step Functions, Amazon API Gateway, Amazon Elastic Transcoder, Amazon SWF
Azure: Azure Stack, Security and Compliance, Backups and Archives, Disaster Recovery, Cosmos DB, Networks, Active Directory Services, Development and Testing Services, Mobile Services
Google Cloud Platform: Google App Engine, G Suite
IBM Cloud: IBM Cloud API, CI/CD, Database as a Service, Network as a Service, Function as a Service, Webserver as a Service, Monitoring as a Service, Backup as a Service, AI as a Service
OTC: BigData MapReduce, Database as a Service, Workspace Management, Backup as a Service, Network as a Service, Monitoring as a Service
OVH: Database as a Service, Backup as a Service, Network as a Service, Data & Analytics as a Service, Workspace Management (Horizon), Project Management as a Service, Monitoring as a Service, Telecom services, Server services

Mobile app services (push notifications / user management / NoSQL database / file storage / messaging / social networks)
AWS (AWS Mobile): yes / yes / yes / yes / yes / no
Azure (Azure Mobile App Service): yes / yes / yes / yes / yes / yes
Google Cloud Platform (Google Firebase / App Engine): yes / yes / yes / yes / yes / yes
IBM Cloud (IBM Mobile Foundation): yes / yes / yes / yes / yes / yes
OTC: yes / yes / no / yes / yes / no
OVH: yes / yes / yes / yes / yes / yes

Application environments (websites / microservices / messaging / serverless)
AWS: yes (AWS Lightsail) / yes (AWS Elastic Beanstalk) / yes (AWS SQS) / yes (AWS Lambda)
Azure: yes (Azure Web Sites) / yes (Azure Service Fabric) / yes (Azure Service Bus) / yes (Azure Functions)
Google Cloud Platform: no / yes (App Engine) / yes (Cloud Pub/Sub) / yes (Cloud Functions)
IBM Cloud: yes / yes / yes (IBM Message Hub) / yes (Cloud Functions)
OTC: yes / yes / yes / no
OVH (five entries as printed): yes (OVH Web, SSL gateway/CDN) / yes (Infrastructure as Code/Terraform) / yes (OMNI) / yes (OpenFaaS) / yes (Managed Kubernetes Service)

Rollback to a previous application version?
AWS: yes; Azure: yes; Google Cloud Platform: yes; IBM Cloud: yes; OTC: no; OVH: yes


Logging as a Service

Providers compared: AWS, Azure, Google Cloud Platform, IBM Cloud, OTC, OVH

Does the cloud platform provide a Logging as a Service functionality?
yes for all six providers

Is the data stored in encrypted form?
yes for all six providers

Which logging technology is used?
AWS:
– AWS CloudWatch
– AWS CloudTrail
– AWS VPC flow logs
– Amazon CloudFront access logs
– Amazon S3 access logs
Azure:
– Activity logs
– Azure Log Analytics
– Activity diagnostics logs
– Azure AD Reporting
– Virtual machines and cloud services
– Azure Storage Analytics
– Network Security Group (NSG) flow logs
– Application Insights
Google Cloud Platform:
– Stackdriver Logging
IBM Cloud:
– IBM Log Analysis with LogDNA
– Bluemix UI
– Cloud Foundry Command Line Interface (CLI)
– External logging
OTC:
– Cloud Trace
OVH:
– Logs Data Platform

Network

Questions AWS Azure Google Cloud Platform IBM Cloud OTC OVH

Is network monitoring availble? yes yes yes yes yes no

Page 53

51 the cloud report 04—2019

Logging as a Service

Questions AWS Azure Google Cloud Platform IBM Cloud OTC OVH

Does the cloud platform provide a Logging as a Service functionality? yes yes yes yes yes yes

Is the data stored in encrypted form? yes yes yes yes yes yes

Which logging technology is used? (per provider, in column order)

AWS: – AWS CloudWatch – AWS CloudTrail – AWS VPC flow logs – Amazon CloudFront access logs – Amazon S3 access logs

Azure: – Activity logs – Azure Log Analytics – Activity diagnostics logs – Azure AD Reporting – Virtual machines and cloud services – Azure Storage Analytics – Network Security Group (NSG) flow logs – Application Insights

Google Cloud Platform: – Stackdriver Logging

IBM Cloud: – IBM Log Analysis with LogDNA – Bluemix UI – Cloud Foundry Command Line Interface (CLI) – External logging

OTC: – Cloud Trace

OVH: – Logs Data Platform

Network

Questions AWS Azure Google Cloud Platform IBM Cloud OTC OVH

Is network monitoring available? yes yes yes yes yes no

Is a Content Delivery Network (CDN) available? yes yes yes yes yes yes

Sample Measurements (Iperf results, per provider in column order): 1) Same AZ, 2) Different AZ, 3) Different Region

AWS:
1) TCP: bandwidth sender 956 Mbit/sec, receiver 956 Mbit/sec; UDP: bandwidth 613 Mbit/sec
2) TCP: bandwidth sender 922 Mbit/sec, receiver 921 Mbit/sec; UDP: bandwidth 2.06 Gbit/sec
3) TCP: bandwidth sender 186 Mbit/sec, receiver 184 Mbit/sec; UDP: bandwidth 381 Mbit/sec

Azure:
1) TCP: bandwidth sender 1.35 Gbit/sec, receiver 1.37 Gbit/sec; UDP: bandwidth 935 Mbit/sec
2) TCP: bandwidth sender 910 Mbit/sec, receiver 908 Mbit/sec; UDP: bandwidth 945 Mbit/sec
3) TCP: bandwidth sender 892 Mbit/sec, receiver 892 Mbit/sec; UDP: bandwidth 933 Mbit/sec

Google Cloud Platform:
1) TCP: bandwidth sender 1.81 Gbit/sec, receiver 1.80 Gbit/sec; UDP: bandwidth 3.79 Gbit/sec
2) TCP: bandwidth sender 3.36 Gbit/sec, receiver 3.36 Gbit/sec; UDP: bandwidth 3.79 Gbit/sec
3) TCP: bandwidth sender 649 Mbit/sec, receiver 649 Mbit/sec; UDP: bandwidth 3.80 Gbit/sec

IBM Cloud:
1) TCP: bandwidth sender 102 Mbit/sec, receiver 100 Mbit/sec; UDP: bandwidth 98.9 Mbit/sec
2) TCP: bandwidth sender 102 Mbit/sec, receiver 100 Mbit/sec; UDP: bandwidth 98.9 Mbit/sec
3) TCP: bandwidth sender 102 Mbit/sec, receiver 99.8 Mbit/sec; UDP: bandwidth 99 Mbit/sec

OTC:
1) TCP: bandwidth sender 105 Mbit/sec, receiver 103 Mbit/sec; UDP: bandwidth 3.31 Gbit/sec
2) TCP: bandwidth sender 4.80 Gbit/sec, receiver 4.80 Gbit/sec; UDP: bandwidth 3.08 Gbit/sec
3) N/A

OVH:
1) TCP: bandwidth sender 245 Mbit/sec, receiver 244 Mbit/sec; UDP: bandwidth 5.37 Mbit/sec
2) N/A
3) TCP: bandwidth sender 244 Mbit/sec, receiver 243 Mbit/sec; UDP: bandwidth 5.01 Gbit/sec

Public IPs (per provider, in column order): Public IPs for VMs? / Available kinds of public IPs for VMs / Public IPs for Load Balancers? / Available kinds of public IPs for Load Balancers

AWS: yes / floating, static / yes / static
Azure: yes / floating, static / yes / static
Google Cloud Platform: yes / floating, static / yes / static
IBM Cloud: yes / floating, static / yes / static
OTC: yes / static / yes / static
OVH: yes / static / yes / static

Is a dedicated network connection from datacenter to public cloud possible? yes (AWS Direct Connect) yes (Azure Express Route) yes (Google Cloud Interconnect) yes yes (Direct Connect - MPLS) yes

Network Security features (Network Traffic analysis, Network Security Groups)

– AWS Web Application Firewall – Network security groups – Network Traffic analysis

– Azure Firewall – Azure Front Door – Azure Network Watcher – Azure Security Center – Azure DDoS protection – Network access control – Network layer control – Network security rules (NSGs)

– Firewall – Network security groups – Network Traffic analysis

– Network Security Groups – Firewalls (Multi VLAN, Single VLAN and Web App)

– DDoS mitigation

– Network Security Groups – Firewalls (Multi VLAN, Single VLAN and Web App)

– Network Firewall – Failover IP – vRack (private network) – OVHcloud Connect – Bandwidth – Load Balancers – Anti-DDoS protection

VPN as a Service yes yes yes yes yes yes

Traffic costs per GB € 0.13 / $ 0.15 € 0.009 / $ 0.01 € 0.073 / $ 0.082 € 0.078 / $ 0.087 € 0.06 / $ 0.067

Page 54

Tests 52

Image Service

Questions AWS Azure Google Cloud Platform IBM Cloud OTC OVH

Which operating systems are offered by the provider with which versions? (per provider, in column order)

AWS
Windows:
– Windows Server 2008, 2012, 2016 Build 1809, 2019
Linux:
– Amazon Linux 2, 2018.03
– CentOS 6.x, 7.x
– Debian 8.x, 9.x
– Fedora 26, 27, 28, 29
– Ubuntu 14.04.x, 16.04.x, 18.04.x
– SUSE Enterprise Linux 12, 15
– Oracle Linux 6.8, 7.x
– Red Hat Enterprise Linux 6.8, 7.3

Azure
Windows:
– Windows Server 2008 R2 SP1, 2008 SP2, 2012 R2, 2016, 2019
– Windows Server 2016 Build 1709, 1803, 1809
– Windows 10
Linux:
– CentOS-based 6.9, 7.4
– ClearLinux
– Container Linux
– Debian 8, 9
– Red Hat Enterprise Linux 7.x
– SLES 11 SP4, 12 SP3
– Ubuntu 14.04, 16.04, 18.04

Google Cloud Platform
Windows:
– Windows Server 2008, 2012, 2016, 2019
– Windows Server 2016 Build 1709, 1803, 1809
Linux:
– CentOS 6.x, 7.x
– Container-optimised OS dev, beta, stable, 69-lts
– CoreOS alpha, beta, stable
– Debian 9.x
– Ubuntu 14.04.x, 16.04.x, 17.04.x, 18.04.x
– SLES 12, 15
– SLES for SAP 12-sp2-sap, 12-sp3-sap
– Oracle Linux 6.8, 7.x
– Red Hat Enterprise Linux 6, 7
– RHEL for SAP 7-4-sap, 7-6-sap-ha

IBM Cloud
Windows:
– Windows Server 2012, 2016
Linux:
– CentOS Minimal 6.x, 7.x
– CentOS LAMP 6.x, 7.x
– Debian Minimal Stable 8.x, 9.x
– Debian LAMP Stable 8.x
– Red Hat Minimal 6.x, 7.x
– Red Hat LAMP 6.x, 7.x
– Ubuntu Minimal 14.04, 16.04, 18.04
– Ubuntu LAMP 14.04, 16.04, 18.04

OTC
Windows:
– Windows Server 2008, 2012, 2016, 2019
Linux:
– openSUSE 15.x, 42.x
– CentOS 6.x, 7.x
– Debian 8.x, 9.x
– Fedora 26, 27, 28, 29, 30
– EulerOS 2.x
– Ubuntu 14.04.x, 16.04.x, 18.04.x
– SUSE Enterprise Linux 11, 12, 15
– SUSE SAP 12
– Oracle Linux 6.8, 7.2
– Red Hat Enterprise Linux 6.8, 7.3

OVH
Windows:
– Windows Server 2012, 2016, 2019
Linux:
– CentOS 6, 7
– Debian 9, 8, 7
– Fedora 29, 27, 26
– Ubuntu 16.04, 17.10, 18.04, 18.10, 19.04
– FreeBSD
– CoreOS
– ArchLinux

Can own images be uploaded? yes yes yes yes yes yes

Can existing licenses be used to minimize costs? yes yes yes yes yes yes

Is there an image build service? Which image formats are supported? (per provider, in column order)

AWS: no. Supported formats: – OVA file – VMDK – VHD – RAW

Azure: yes. Supported formats: – VHD – VMDK – VHDX – QCOW2 – RAW

Google Cloud Platform: yes. Supported formats: – VMDK – VHD – VDI – VPC – QCOW2 – RAW

IBM Cloud: yes. Supported formats: – VHD – VMDK – QCOW2 – AKI – ARI – AMI

OTC: yes. Supported formats: – VHD – ZVHD – VMDK – VHDX – QCOW – QCOW2 – RAW – ZVHD2 – VDI – QED

OVH: yes. Supported formats: – AKI – ARI – AMI – ISO – QCOW2 – RAW – VDI – VHD – VMDK

Can images be created from existing cloud instances? yes yes yes yes yes yes

Are different patch levels of images available? yes yes yes yes yes yes

Monitoring

Questions AWS Azure Google Cloud Platform IBM Cloud OTC OVH

Dashboard yes yes yes yes yes yes

Which cloud resources will be monitored? (per provider, in column order): VMs / Apps / Network / Load Balancer / Storage

AWS: yes / yes / yes / yes / yes
Azure: yes / yes / yes / yes / yes
Google Cloud Platform: yes / yes / yes / yes / yes
IBM Cloud: yes / yes / yes / yes / yes
OTC: yes / yes / yes / yes / yes
OVH: yes / yes / yes / yes / yes

Connection/Usage of external monitoring solutions yes yes yes yes no yes

Costs per month € 49.49 / $ 55.50 € 22.31 / $ 26.45 n/a n/a n/a n/a

Page 56

Managed Cloud Services Cloud Native Application Operation

The agile way to operate
