  1. where can you benefit from cloud?
    1. increased visibility
      1. closer to your customers
      2. closer to your citizens
    2. peak times
    3. on-/off operations
    4. high load
      1. predictable
      2. not predictable
  2. considering cloud for...
    1. external presence
      1. internet presence
      2. blog, wiki
      3. help (e.g. for governmental procedures documentation)
    2. connectivity services
      1. mobility services
      2. online/offline data sync
      3. other connectivity
    3. high-load services without or with only short-lived data storage
      1. automated document generation
      2. year-end calculation
    4. anonymized data/information
      1. e.g. information about a person without personal identifiers
    5. non-sensitive services
      1. public directories
        1. phone book
        2. company directory
        3. ...
      2. public information valuable to anybody
        1. e.g. medication interactions
    6. ...
  3. technical considerations for bridging on-premise with cloud
    1. Integration through Azure services like storage, service bus
      1. storing data in cloud ok
        1. SQL Azure
        2. Blob Storage
        3. Table Storage
        4. Queues
        5. ...
      2. temporarily storing data in cloud ok
        1. Azure Queues
        2. Service Bus Events, Topics, Queues
        3. other storage only with a clean-up (retention) job
          1. easy for blob, table
          2. not so easy for SQL Azure / RDBMS
      3. encrypted data stored in cloud ok
        1. maintain encryption keys on-premise
          1. the cloud then acts as storage only: cloud-hosted code cannot read the data, only on-premise consumers holding the keys can
        2. store data encrypted in cloud
          1. easy for blob
          2. easy for queues
          3. practically doable for tables
            1. not as easy as for blob/queue
            2. but still affordable
          4. really hard for SQL Azure
            1. encrypting single values (columns), easy
            2. but the full database not really
          5. today needs to happen in your implementation
            1. use standard .NET encryption APIs
            2. out-of-the-box functionality planned to be available in Azure
          6. some solutions available doing this
            1. StorSimple
            2. Datacastle
            3. Zuora Ironclad
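Added example (not from these notes and not an Azure API): what "keys on-premise, data encrypted in the cloud" looks like in code. The key ring, the envelope layout (key id + nonce + ciphertext as base64 in JSON) and the sample SSN-like column value are constructed assumptions for this illustration; AES-256-GCM gives confidentiality plus tamper detection, and the additional authenticated data binds each envelope to its storage slot (a blob name or a table/column/row) so a record copied elsewhere will not decrypt. The same envelope works as a blob body, a queue message, or a single encrypted SQL column value.

```go
// Added illustration of client-side encryption with on-premise keys.
// Assumptions: KeyRing stands in for an on-premise key store; Envelope is a
// constructed record layout; the plaintext below is a constructed sample.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// KeyRing models the on-premise key store. Only key ids travel to the cloud.
type KeyRing struct{ keys map[string][]byte }

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string][]byte{}} }

// AddKey generates a random 256-bit AES key under the given id.
func (r *KeyRing) AddKey(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	r.keys[id] = k
	return nil
}

// Envelope is the value actually written to Blob/Table/Queue or a SQL column.
type Envelope struct {
	KeyID      string `json:"kid"`
	Nonce      string `json:"nonce"`
	Ciphertext string `json:"ct"`
}

func (r *KeyRing) aead(id string) (cipher.AEAD, error) {
	k, ok := r.keys[id]
	if !ok {
		return nil, errors.New("unknown key id: " + id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM; aad names the storage slot the record
// belongs to (e.g. "sql:customers.ssn:42"), so moving it elsewhere breaks it.
func (r *KeyRing) Seal(id string, plaintext, aad []byte) (string, error) {
	g, err := r.aead(id)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	env := Envelope{
		KeyID:      id,
		Nonce:      base64.StdEncoding.EncodeToString(nonce),
		Ciphertext: base64.StdEncoding.EncodeToString(g.Seal(nil, nonce, plaintext, aad)),
	}
	b, err := json.Marshal(env)
	return string(b), err
}

// Open decrypts and verifies; a bit flip, wrong aad or missing key is an error.
func (r *KeyRing) Open(record string, aad []byte) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal([]byte(record), &env); err != nil {
		return nil, err
	}
	g, err := r.aead(env.KeyID)
	if err != nil {
		return nil, err
	}
	nonce, err := base64.StdEncoding.DecodeString(env.Nonce)
	if err != nil {
		return nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(env.Ciphertext)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

func main() {
	ring := NewKeyRing()
	_ = ring.AddKey("k2012-01")
	slot := []byte("sql:customers.ssn:42") // constructed column/row label
	rec, _ := ring.Seal("k2012-01", []byte("123-45-6789"), slot)
	fmt.Println("stored value:", rec)
	pt, err := ring.Open(rec, slot)
	fmt.Println("on-premise read:", string(pt), err)
	_, err = NewKeyRing().Open(rec, slot) // cloud side has no keys
	fmt.Println("cloud-side read:", err)
}
```

Key rotation is just a new id in the ring: old envelopes keep naming the key they were sealed with, so nothing in the cloud needs re-encrypting on a schedule other than your own.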
      4. no, storing data in cloud NOT an option
        1. Connect Cloud-Front-End with On-Premise Backend using Service Bus Relay
          1. Your service that is handling/keeping sensitive data runs locally
          2. Service is exposed through the service bus relay registry
          3. Relay registry exposed to "permitted" audience/consumers, only
          4. Authentication against service bus required, for both consumer and provider
            1. Token-based authentication against service bus
            2. Shared secret
            3. Access Control Service
          5. Authentication against the service itself required as usual
          6. Data is not stored in the cloud, but it still transits the relay in flight, so keep transport security (TLS) or message-level encryption on
    2. Integration with regards to authenticating users
      1. Custom database
        1. If you have your own user database and want to re-use it with the least amount of effort
        2. Option 1: get the database into the cloud
          1. Sync on-premise with cloud-DB using SQL Azure Data Sync
          2. Or keep the data completely in the cloud and use that DB from local apps/services as well
          3. Note: the synced/moved user database carries the credentials (password hashes), so those are then stored in the cloud too
        3. Option 2: expose an "authentication service" through Service Bus Relay
          1. Requires an always-on service in your own data center
          2. Might lead to a performance bottleneck in case of many concurrent "login" operations
        4. Custom APIs or ASP.NET Membership/Roles API
          1. ASP.NET Providers for Azure Storage
          2. ASP.NET Universal Providers (NuGet), work with SQL Server and SQL Azure
      2. Active Directory Federation Services (2.0)
        1. If you have an AD on-premise and want to re-use that user base for cloud apps (and on-premise apps at the same time)
        2. Open standards (WS-Fed, SAML)
        3. Open for alternative STS/authentication providers in the future
        4. No development effort: AD-based authentication over the Internet, based on open standards
        5. ADFS 2.0 Federation Server Proxy (in the perimeter network) exposes the federation endpoints without exposing the ADFS 2.0 server directly
        6. Requires operating ADFS 2.0 on-premise, of course
      3. Custom Security Token Service
        1. If you have your own user database and want to integrate your users via standardized approaches, staying open for the future
        2. Open standards (WS-Fed, SAML)
        3. Open for alternative STS/authentication providers in the future
        4. No AD required, a custom user database can be used while still building on open standards
        5. Higher development effort required
        6. Operating the custom STS required
          1. Can be operated in the cloud
          2. Or on-premise
            1. exposed/opened through the firewall
            2. or exposed through Service Bus (higher security due to very targeted exposure)
      4. Windows Azure Access Control Service
        1. If you want to integrate with multiple authentication sources but have one unified approach in your application
        2. Open Standards (WS-Fed, SAML)
        3. Open for alternative STS/authentication providers in future
        4. No AD required
        5. Can act as "normalization" of security tokens from multiple Identity Providers
        6. Integrates with multiple identity providers
          1. Facebook
          2. Yahoo
          3. Google ID
          4. Windows Live ID
          5. Any custom WS-Federation based Security Token Service
          6. ADFS 2.0
          7. Your custom STS
          8. Open SSO
          9. etc.
        7. Enables using your internal accounts (through ADFS integration) and public accounts at the same time
  4. technical options
    1. Cloud Storage Usage on-premise or to integrate on-premise with cloud in hybrid scenarios
      1. Azure Storage
        1. Blob, Table, Queue
        2. Secured with the "Storage Account Key"
          1. the account key grants full access to everything in the account, so it stays inside your own service and is never handed to clients or partners
        3. If temporary access by a "partner" is required
          1. Shared Access Signatures for BLOB storage (time-limited, permission-scoped)
          2. Hide Azure Storage behind a cloud-hosted or on-premise service
      2. SQL Azure
        1. not very different from SQL Server on-premise
        2. SQL on-premise performance is better because there is no "connectivity latency"
        3. SQL Azure Data Sync can keep on-premise and cloud DB in sync
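Added example (not from these notes and not Azure SDK code) of the delegation model behind Shared Access Signatures: the account key stays inside your service, a partner receives a signed, time-limited, permission-scoped token, and the storage front-end re-derives the MAC before honoring any request. The newline-joined string-to-sign (permissions, start, expiry, resource, version) with HMAC-SHA256 under the base64-decoded account key mirrors the SAS idea, but the exact field layout Azure uses depends on the storage service version, so the layout here, the query parameter names, the demo key and the resource path are all assumptions for illustration; produce real SAS tokens with the SDK.

```go
// Added SAS-style delegated access token, assumed layout (not Azure's exact
// string-to-sign). Demo key, resource path and parameter names are constructed.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

const sigVersion = "demo-1" // assumed version tag covered by the signature

// stringToSign is newline-joined so no field can run into its neighbour.
func stringToSign(perms, start, expiry, resource string) string {
	return strings.Join([]string{perms, start, expiry, resource, sigVersion}, "\n")
}

func sign(accountKeyB64, s string) (string, error) {
	key, err := base64.StdEncoding.DecodeString(accountKeyB64)
	if err != nil {
		return "", err
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(s))
	return base64.StdEncoding.EncodeToString(m.Sum(nil)), nil
}

// IssueToken runs where the account key lives. perms is a subset of "rwd".
func IssueToken(accountKeyB64, resource, perms string, start, expiry time.Time) (string, error) {
	st := start.UTC().Format(time.RFC3339)
	se := expiry.UTC().Format(time.RFC3339)
	sig, err := sign(accountKeyB64, stringToSign(perms, st, se, resource))
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("sp", perms)
	q.Set("st", st)
	q.Set("se", se)
	q.Set("sr", resource)
	q.Set("sv", sigVersion)
	q.Set("sig", sig)
	return q.Encode(), nil
}

// Authorize is the per-request check on the storage side: recompute the MAC
// over the fields the client claims, compare in constant time, then enforce
// resource, validity window and the single permission being exercised.
func Authorize(accountKeyB64, token, resource, want string, now time.Time) error {
	q, err := url.ParseQuery(token)
	if err != nil {
		return err
	}
	if q.Get("sv") != sigVersion {
		return errors.New("unsupported signature version")
	}
	expect, err := sign(accountKeyB64, stringToSign(q.Get("sp"), q.Get("st"), q.Get("se"), q.Get("sr")))
	if err != nil {
		return err
	}
	if !hmac.Equal([]byte(expect), []byte(q.Get("sig"))) {
		return errors.New("bad signature") // covers any edited sp/st/se/sr too
	}
	if q.Get("sr") != resource {
		return errors.New("token not valid for this resource")
	}
	st, err1 := time.Parse(time.RFC3339, q.Get("st"))
	se, err2 := time.Parse(time.RFC3339, q.Get("se"))
	if err1 != nil || err2 != nil {
		return errors.New("bad time fields")
	}
	if now.Before(st) || !now.Before(se) {
		return errors.New("token outside its validity window")
	}
	if !strings.Contains(q.Get("sp"), want) {
		return errors.New("permission " + want + " not granted")
	}
	return nil
}

func main() {
	key := base64.StdEncoding.EncodeToString([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	now := time.Now()
	tok, _ := IssueToken(key, "/myacct/invoices/2011.pdf", "r", now.Add(-time.Minute), now.Add(time.Hour))
	fmt.Println(tok)
	fmt.Println("read: ", Authorize(key, tok, "/myacct/invoices/2011.pdf", "r", now))
	fmt.Println("write:", Authorize(key, tok, "/myacct/invoices/2011.pdf", "w", now))
}
```

Two things the model makes visible: the partner never learns the account key, and because the MAC covers the permission and expiry fields, a partner cannot widen `sp=r` to `sp=rw` or push `se` out without invalidating the signature. Revoking a leaked token before it expires means rotating the key it was signed with, which is why short expiries matter.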
    2. Host service in cloud
      1. Use on-premise services from cloud
        1. Service Bus Relay
          1. Enables direct service connectivity, NO data stored in cloud, at all
          2. Different messaging patterns supported
          3. No/minor firewall / NAT / proxy configuration required (the provider opens an outbound connection to the service bus)
          4. Connectivity established through Service Bus in the cloud
            1. Provider connects to the service bus
            2. Consumer connects to the service bus
            3. Service bus relays the consumer connection to the provider connection
          5. 3-fold authentication required
            1. Provider authenticating against service bus
            2. Consumer authenticating against service bus
            3. Consumer authenticating against provider-service as usual
          6. therefore in my opinion: at least as secure as opening firewall ports to on-premise services, even more secure
            1. because the provider service defines when it is available
            2. because the provider service defines when and from whom it accepts connections
            3. because of the 3-fold authentication mentioned above
        2. In-direct communication
          1. Windows Azure Queue
            1. Messages persisted in cloud for a defined period of time
            2. On-premise service retrieves messages from the queue regularly (polling)
            3. Cloud service puts messages on the queue for on-premise processing
            4. No transactions and no ordering guarantee; delivery is at-least-once (a message that is not deleted after processing reappears once its visibility timeout expires), so on-premise processing must be idempotent
          2. Service Bus Topics and Queues
            1. Messages persisted in cloud for a defined period of time
            2. Options for transactional behavior and delivery guarantee
            3. Additional options through topics and events
            4. Enables multiple cloud AND on-premise services to receive the same message if needed (broadcasting)
      2. Use cloud-services from on-premise
        1. typically not challenging
        2. web service end-points (or similar) exposed by the cloud service enable usage from on-premise
        3. open up the firewall (outbound) so that on-premise can call the cloud
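Added example (not from these notes and not Azure SDK code) for the indirect-communication option above: an in-memory model of the Windows Azure Queue contract, in which a dequeued message is only hidden for a visibility timeout and comes back if the consumer never deletes it, and an on-premise consumer that survives that at-least-once behaviour by remembering which message ids it has already applied. The queue and consumer types, their method names, the 30-second timeout, the poison-message threshold and the "order" payloads are constructed assumptions for the illustration; the fault injection (process dies after doing the work but before the delete) is the failure mode the note warns about.

```go
// Added model of at-least-once queue delivery and an idempotent on-premise
// consumer. All names, timeouts and payloads are constructed for illustration.
package main

import (
	"fmt"
	"time"
)

type Message struct {
	ID           string
	Body         string
	DequeueCount int
	visibleAt    time.Time
}

// Queue models cloud-persisted messages with visibility timeouts.
type Queue struct {
	msgs   []*Message
	nextID int
}

func (q *Queue) Put(body string) {
	q.nextID++
	q.msgs = append(q.msgs, &Message{ID: fmt.Sprintf("m%d", q.nextID), Body: body})
}

// Get hands out the first visible message and hides it until now+timeout.
// Nothing is removed: only Delete does that.
func (q *Queue) Get(now time.Time, timeout time.Duration) *Message {
	for _, m := range q.msgs {
		if !now.Before(m.visibleAt) {
			m.visibleAt = now.Add(timeout)
			m.DequeueCount++
			return m
		}
	}
	return nil
}

// Delete is the consumer's acknowledgement; without it the message returns.
func (q *Queue) Delete(id string) {
	for i, m := range q.msgs {
		if m.ID == id {
			q.msgs = append(q.msgs[:i], q.msgs[i+1:]...)
			return
		}
	}
}

// Consumer is the on-premise side: poll, do the work, and only then delete.
type Consumer struct {
	idempotent bool            // false shows the failure mode
	done       map[string]bool // processed ids; persist this on-premise
	Applied    []string        // side effects actually performed
	crashOnce  bool            // fault injection: die after work, before Delete
}

func (c *Consumer) Poll(q *Queue, now time.Time) {
	m := q.Get(now, 30*time.Second)
	if m == nil {
		return
	}
	if m.DequeueCount > 5 { // poison message: park it instead of looping forever
		q.Delete(m.ID)
		return
	}
	if !c.idempotent || !c.done[m.ID] { // guard: a redelivery is not re-applied
		c.Applied = append(c.Applied, m.Body)
		c.done[m.ID] = true
	}
	if c.crashOnce { // simulate the process dying before the Delete call
		c.crashOnce = false
		return
	}
	q.Delete(m.ID)
}

// Run drains the queue, advancing the clock past the visibility timeout each
// round, and reports which side effects happened and what is left undelivered.
func Run(bodies []string, crashOnce, idempotent bool) (applied []string, remaining int) {
	q := &Queue{}
	for _, b := range bodies {
		q.Put(b)
	}
	c := &Consumer{idempotent: idempotent, done: map[string]bool{}, crashOnce: crashOnce}
	now := time.Date(2012, 3, 1, 12, 0, 0, 0, time.UTC)
	for i := 0; i < 20 && len(q.msgs) > 0; i++ {
		c.Poll(q, now)
		now = now.Add(31 * time.Second)
	}
	return c.Applied, len(q.msgs)
}

func main() {
	orders := []string{"order 1", "order 2"} // constructed payloads
	naive, _ := Run(orders, true, false)
	guarded, _ := Run(orders, true, true)
	fmt.Println("without idempotency guard:", naive)   // order 1 applied twice
	fmt.Println("with idempotency guard:   ", guarded) // each order once
}
```

Service Bus Queues add duplicate detection and peek-lock/complete semantics on the broker side, but the consumer-side guard is still the cheaper insurance: it also covers redeliveries caused by the consumer's own restarts.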
    3. Usage of other services on-premise
      1. Azure Cache
        1. doesn't make sense to me
      2. Azure Access Control Service
        1. Makes sense if you want to have one single point to integrate with multiple identity providers
      3. CDN
        1. Take same aspects into consideration as with BLOB and Azure Storage above
        2. As of today, CDN for public content, only!!
        3. makes sense if you have geo-distributed access to large files, videos or the like
      4. HPC
        1. definitely, e.g. outsource the year-end-business-calculation to the cloud
        2. perform calc-intense operations in cloud before "upscaling" your own data center
      5. Virtual Network / Azure Connect
        1. Its sole purpose is to integrate with on-premise AD
        2. So definitely useful for hybrid solutions
        3. but limited options as of today (domain join as startup-task!?)
      6. SQL Azure Reporting
        1. Why not!?
  5. keep other parts on-premise
    1. sensitive services
    2. sensitive processing
    3. sensitive data
    4. legal or compliance constraints
      1. still leaves the option of keeping "anonymized" data in the cloud
      2. keep personal information on-premise, absolutely