cif white-paper-5-2012-cloud-definitions-deployment-considerations-diversity

one© Cloud Forum IP Ltd 2012

Cloud UK Paper five

Cloud Definitions, Deployment Considerations & Diversity

5

© Cloud Forum IP Ltd 2012two

IntroductionThe furore surrounding the opportunity of Cloud Computing shows no signs of abating in the near future, at least in the UK. Adoption remains healthy, both in terms of the number of new user organisations as well as increased penetration by existing users. Furthermore, the satisfaction of end users with the benefits achieved through adopting Cloud services appears to be extremely high with 96 per cent of the research base surveyed by the Cloud Industry Forum confirming satisfaction with their experiences to date.

Equally, there is some passionate commentary on the perceived risks with this latest evolutionary step for the delivery of IT. Fear, Uncertainty and Doubt (FUD) are regularly pedalled in regard to perceived issues around the management of IT from a third party hosted environment. Be they issues of data security, legal jurisdiction or dependence upon poor internet connectivity, the list of negatives are arguably as numerous and the range of commentators as voluminous as those in the pro camp.

When looking at Cloud Computing as a disruptive solution though, it is essential that we see it not as just an issue of pure technology, but one of business process change, supply chain change, project management and IT delivery change. When you view it this way it is no surprise that the passions are raised and the camps formed. Cloud services represent the most significant opportunity to improve the way IT is conceived, built, delivered and managed, it re-writes the boundaries of how IT is orchestrated to serve an organisations needs, reshapes the skills needed within consuming organisations and realigns channels for the delivery of solutions. However, the market is still young, and the level of adoption, whilst growing quickly is still a fraction of the market that is satisfied on-premise. Throughout 2011 we have seen the barriers to adoption of Cloud services fall dramatically and we have seen the market for supply attempt to reshape itself to meet the future demand that is expected. As the market is arguably still nascent, the number of new entrants moving into the market is driving a level of divergence as each aims to get its value proposition communicated. This noise is one of the key issues the Cloud Industry Forum is committed to providing guidance on by providing clarity on Best Practice for Cloud service delivery, and by sharing understanding of the key matters to be considered when adopting Cloud services through initiatives like its certified Cloud Service Provider Code of Practice, research activity and educational White Papers.

In this White Paper we set out to provide clarity on the language of Cloud Computing, to offer a practical description and ordering of the key Cloud terminology in use. We also put forward the basic, but often unspoken, argument that organisations will need to address an increasingly fragmented notion of how IT is delivered going forward. The constraints of server rooms, DMZ’s, ownership and dedicated resources are giving way to shared services, scalable infrastructure, on-demand service and consumption based OpEx costs. Consumerisation and contextualisation of technology changes the basis of expectation for IT delivery, and capability and capacity of IT assets are no longer constraints. However, the real world impact of legacy applications, regulation, levels of customisation/integration of applications etc do call into check how IT services can be deployed.

This paper does not set out to state that Cloud Computing will replace on-premise computing, far from it. It sets out to recognise that organisations need to reconsider their approach to IT strategy, that the benefits afforded from accessing aspects of IT as a Service are tangible and therefore new skills need to be honed inside organisations to define, implement, monitor and manage IT in an increasing disparate set of delivery models that will combine the best of on-premise and Cloud Computing, whether the latter is accessed via SaaS style applications or through Private or Hybrid Clouds extending the boundaries of the traditional IT infrastructure and enabling business transformation.

Paper five Cloud Definitions, Deployment Considerations & Diversity

Cloud services represent the most significant opportunity to improve the way IT is conceived, built, delivered and managed

© Cloud Forum IP Ltd 2012three


Methodology and samplingIn October 2011, Vanson Bourne conducted a second body of research on behalf of the Cloud Industry Forum to determine the level of Cloud adoption among participants and to gather attitudes and trends about end user perception and experience.

The research polled 300 senior IT and business decision-makers in enterprises, small-to-medium businesses (SMBs) and public sector organisations. The organisations participating all had UK based operations, of which 257 were headquartered in the UK, 24 in the US and 12 in Continental Europe.

Of the 300 end user organisations questioned, 32 per cent came from the IT and technology sector, 10 per cent from business and professional services, 8 per cent manufacturing and financial services and 5 per cent from retail and logistics. A further 33 per cent comprised of public sector organisations ranging from central and local government, education and healthcare.

38 per cent of participating organisations were plc’s, 32 per cent public sector, 11 per cent Ltd, 8 per cent LLC, 6 per cent NFP and 2 per cent partnerships (3 per cent cited other).

This White Paper sets out to define Cloud Computing and explores the factors impacting decision making for IT deployments that subsequently give rise to the diversity of deployment and service options in the market. Building upon this baseline the paper sets out why multiple deployment and/or service models can (and probably will) co-exist in any given organisation over time.

The organisations participating all had UK based operations, of which 257 were headquartered in the UK, 24 in the US and 12 in Continental Europe

■ IT and technology■Education ■Business/professional services■Manufacturing■Financial services■Retail, distribution and transport■Local or central government■Public sector: including armed forces

and emergency services■Public healthcare and services■Private healthcare and services■Construction and property■Utilities and telecommunications■Charity/not for profit■Entertainment, media and leisure■Hospitality/catering■Other

In which sector does your organisation primarily operate?

Total

94%

6%

32%

14%10%

8%

8%

8%7%

5%

1%1%

2%

0%

Sample: 300

© Cloud Forum IP Ltd 2012four

1. Cloud defined: 1.1 What is Cloud Computing?

There have been many definitions of Cloud Computing since the phrase was first coined back in the 1990s and it has to an extent become an umbrella phrase for remotely hosted IT services of any type including, but not limited to, multi-tenanted services accessed via the internet. However, organisations like the US National Institute of Standards and Technology (NIST) have taken a more formal and specific approach to define what is unique to the context of Cloud Computing (see Special Publication 800-145) and the following definition is put forward by the Cloud Industry Forum as a synopsis of the manifold definitions offered in the market:

Cloud Computing is a term that relates to the IT infrastructure and environment required to develop/host/run IT services and applications, on demand, with consumption based pricing, as a resilient service. Communicating over the internet and requiring little or no client end components it provides resource and services to store data and run applications, from many devices, anytime, anywhere, as a service. The services can in turn be scaled up and down as needed to meet a customer’s variable operational needs, ensuring maximum cost efficiency.

What are the common capabilities of Cloud Computing that set it apart from other IT delivery models?

Availability: Cloud is delivered on-demand: A user can chose to provision computing capabilities, such as storage, processing, network and memory, (or an application) as needed automatically without requiring human interaction with the service provider.

Flexibility: Cloud is agile and scalable: The amount of resource consumed by the user can be increased or decreased to meet their operational needs. This is often referred to as being an elastic service, though many solutions require a human act or contractual obligation to facilitate the change of state. As such the capabilities available for provisioning can appear to be unlimited and available in any quantity and at any time. At a Service Provider level, resources are pooled to meet demand and the technology enables applications to span multiple physical and/or virtual assets seamlessly.

Chargeability: Cloud is based on consumption based commercial models: In other words, a user will only pay for the services they use and this can include the capability to access IT services on a pay-as-you-go model or to pre-purchase contractual volumes to access more attractive unit rates (similar to mobile phone voice and data tariffs). Resources used should be able to be monitored, managed, and reported on via the Service Provider to validate the costs incurred. This commercial model opens up accessibility to users and organisations of all sizes.

Accessibility: Cloud is accessible anywhere (there is internet access): As services are delivered over the Internet and normally accessed through standard web based interfaces, Users are typically able to connect to Cloud services (via fixed or mobile communications) using PC’s, Laptops, workstations, tablets or mobile phones, thereby increasing the flexibility of using IT in new and portable media.

1.2 Is there one Cloud?

In short – No! The phrase ‘Cloud’ should be considered in a similar context to that of a biological taxonomy of an ‘Order’ under which a number of ‘Families’, ‘Genus’ and ‘Species’ exist and continue to evolve. Following this metaphor there are two key Families that exist in the Cloud ‘Order’, those that relate to how Cloud is commercially delivered (the Service Delivery Models), and those that relate to how the Cloud is technically deployed (the Cloud Deployment Models).


Is virtualisation really Cloud Computing by another name?

Virtualisation is a technical capability that enables a physical server to act as if it is several ‘virtual’ servers at the same time; increasing the utilisation of the hardware and reducing companies need to invest in hardware and associated power and floor space. Virtualisation is not in and of itself a Cloud capability as it still works within the constraints of the physical hardware in which it operates.

Is Grid computing really Cloud Computing by another name?

Grid computing is the name given to the action of combining loosely coupled computer resources and applying them to perform a substantial common or specific task. It usually relates to a notion of a distributed system with non-interactive workloads as opposed to the orchestration of complete IT services.

Is Utility computing just Cloud Computing by another name?

Utility computing refers to ability to access elements of computing such as storage, ram and processors as a consumption based chargeable service (similar to electricity, phone calls etc). To an extent the philosophy of utility computing is a subset of the Cloud Computing model.

Cloud Taxonomy

Order: Cloud

Family/s: Service Deployment

Genus: e.g. SaaS e.g. Public

Species: e.g. DaaS

© Cloud Forum IP Ltd 2012five

1.2.1 Cloud Service Delivery Models:

There are three primary business or commercial models (Genus) for the delivery of Cloud services:

SaaS (software-as-a-service) refers to software or applications that are accessed over the internet (typically from a public Cloud, multi-tenancy (or shared) environment as a fully managed service). Unlike desktop applications, SaaS apps require no installation as they connect via the internet. Salesforce.com, Microsoft Office365 are popular examples of a service based in the Cloud. Typically solutions are priced per user accessing them and licensing is the responsibility of the service provider.

IaaS (infrastructure-as-a-service) delivers computing infrastructure on-demand – such as RAM, storage and processors typically as virtual servers along with networking capabilities to effectively provide a hosted data centre or server on demand upon which business can run their applications. This is computing as a service, rather than businesses having to purchase and manage their own expensive infrastructure. As with most Cloud services it can be scaled up and down and customers usually only pay for what they consume. Applications may be licensed via some service providers but the accountability for licensing and management of the solution remains with the end user unless subcontracted to a partner.

PaaS (platfrom-as-a-service) offers a level of abstraction above IaaS where by the management of infrastructure is automated and effectively hidden from the user. It often refers to the environment within which developers can build and launch new applications as it simplifies this activity. Well known Cloud platforms include Microsoft Azure, Amazon EC2, and Force.com

Whilst the above relate to the standard Service Delivery models, returning to the notion of ‘evolution’, a lot of marketing activity has led to the context of there being an accepted wisdom of XaaS (whereby X may relate to IT elements or solutions such as Database, Storage, etc). Whilst this is not truly an introduction of new ‘Genus’, the notion of a Database being a type or ‘species’ of SaaS or IaaS is viable and has become accepted language in many circles.

1.2.2 Cloud Deployment Models:

Typically organisations will not move their business wholly away from an on-premise capability, especially where they have legacy IT solutions to manage, complex integrations and regulatory environments where data sovereignty may be an issue. As such many organisations select multiple deployment models depending on the application, size and complexity of business etc. Organisations will combine the following as needed:

Public Cloud:Public Clouds are intended to be used by multiple parties at once and are designed to provide maximum value for money through a standardised and hi-scale approach on shared infrastructure. Public Cloud is the most logical deployment model for delivering SaaS. Many public Clouds operate internationally for scale or geographic resilience, but this gives rise to some concerns for some businesses over where their data is being stored at any particular point in time which may prefer a Private or Hybrid Cloud approach.

Private Cloud:Private Clouds are intended to be restricted to a single customer or trusted community. However, dedicated components can vary between providers beyond storage, processing and RAM to include the network security and hypervisor elements. These are popular among organisations looking to access the benefits of Cloud Computing but retain higher control and flexibility of configuration compared to a public Cloud. Private Clouds can be run inside a company data centre or be hosted by a third party. IaaS is a delivery model best associated with Private Clouds where data sovereignty is a key issue.

Hybrid Cloud:A Hybrid Cloud as the name infers is a Cloud capability that joins either private and/or public Clouds, or on-premise infrastructure to private/public Clouds in order to provide a customer or community with an appropriate or even bespoke environment to meet their specific operational needs.

Again there have been a number of market evolutions and naming conventions introduced to further segment these deployment models such as the UK Government approach to G- Cloud (the Government Cloud which is still in definition) or Community Clouds that could arguably both be types or ‘species’ of a Hybrid Cloud genus.


Organisations will not move their business wholly away from an on-premise capability, especially where they have legacy IT solutions to manage

© Cloud Forum IP Ltd 2012six

2. Internal diversity in IT solution deploymentWhen approaching the subject of adopting Cloud services, organisations tend to focus on the primary aspects of both the benefits they can achieve and the risks they seek to mitigate. This White Paper does not revert back to these subjects as they are adequately covered in White Papers three and four, rather we focus in this paper on the drivers and influencers that impact upon how an IT solution should best be deployed. As stated in section one, there is no singular Cloud, and even beyond the notion of Service and Deployment Models there are vendor specific flavours of these models to add to the complexity of choice.

The Cloud Industry Forum advocates adoption of Cloud services and has clearly evidenced that satisfaction levels with these solutions are running at an unprecedented 96 per cent in the UK random sample we canvassed. However, it is still important that each and every IT project is subject to some basic tests to determine pragmatically what is the best or most viable option/s for deploying any given solution, and we fully respect that in some cases this will be on-premise, in some cases outsourced, some hosted and some in the Cloud.

When assessing IT projects there are a number of factors that will impact choice of deployment which we would broadly describe as legacy considerations, commercial matters, technical requirements and governance or policy constraints.

2.1 Legacy drivers and influencers

It will be little surprise that 89 per cent of organisations surveyed had an in-house server room, although this dropped to 73 per cent for those employing less than 20 people. The combination of committed capital and potential of available labour supporting it has to be assessed to determine if a new solution is most effectively housed on premise. Equally, if an organisation is considering expanding a legacy or bespoke application, or creating an integration with such a system from a new application (e.g. a new workflow service for an existing order management system), then the level of integration or the nature of the legacy application may restrict choice of deployment options, to being on-premise or hosted in a private Cloud or dedicated infrastructure.

One less tangible issue many organisations have to face is how to manage IT in an increasingly distributed environment. This can lead to a sense of loss of control, based on inexperience or insufficient tools, but of itself should not be the determinant of choosing on-premise over Cloud or hosted services.

2.2 Commercial drivers and influencers

Surprisingly, available network bandwidth to access the internet was not as high a practical issue as we suspected. Indeed 80 per cent of organisations (across all size ranges) already had sufficient bandwidth for normal business tasks at a contracted rate of 10Mbit/s or greater. Equally, it was not a practical inhibitor of Cloud adoption. That said some intensive tasks like CAD are clearly not best suited to Cloud models unless served in a full remote desktop environment. The service provider industry has made significant steps forward in overcoming bandwidth constraints by offering bulk data load services at commencement and end of contracts to restrict the use of the internet to handling purely delta changes to the data stored.

Whilst cost savings are not the initial driver of Cloud adoption (flexibility and agility are), it is clearly evident that most organisations achieve a financial benefit for adopting Cloud based services. As such, and assuming no restrictions arising from sections 2.1, 2.3 and 2.4, public Cloud/SaaS usually offers the best value for money where organisational needs are not unique. Equally the whole concept of delivering IT as a service enables organisations to plan costs fairly accurately to ensure they are predictable and avoid surprises and constraints that can occur with managing on-premise solutions.

Other commercial considerations, organisations have to take into account are matters such as the urgency of the solution (i.e. Time to Market) where a hosted or Cloud solution has clear advantages for urgent or temporary projects, balanced against contributing considerations of available experienced staff in the solution area and/or the ability to identify a trusted partner for delivery via the Cloud. Building trust is a key issue in expanding IT operations outside the traditional DMZ and is the primary justification for the Cloud Industry Forum’s Code of Practice for CSP’s.

Whilst cost savings are not the initial driver of Cloud adoption (flexibility and agility are), it is clearly evident that most organisations achieve a financial benefit for adopting Cloud based services


© Cloud Forum IP Ltd 2012seven

2.3 Technical drivers and influencers

The technical considerations need to start at the planning and strategy phase. CIF’s research identified that 85 per cent of organisations now formally include consideration ofCloud based solutions within their IT strategy, which is very positive as this number is some 32 per cent above the actual number of organisations that have adopted at least one Cloud service formally. This level of strategic engagement demonstrates that there is significant room for growth not just in terms of new Cloud users but increased penetration within organisations for multiple solutions.

As discussed the technical delivery team inside any organisation is going to have look at initiatives based on attributes such as their temporality/duration, urgency (time to market), frequency in changes of scale in operations, skills and manpower requirements etc in order to determine if a solution can be delivered in-house or should be delivered as a service. Other criteria will apply when considering issues such as Test or Back-Up/Disaster Recovery solutions where arguably an off-site presence is more appropriate to reflect and mitigate the real world risks.

Integration requirements between applications as well as the nature of the application (data sensitivity) and its degree of customisation are also key considerations as to how best to deploy. By nature, higher levels of integration, configuration and uniqueness of applications favour a private or hybrid Cloud environment, hosted servers or on-premise over a public Cloud or SaaS service where a more generic solution would be provided.

Finally, for smaller organisations where SLA’s are critical, it is possible that an organisation may need the added assurances of service availability though a hosted or Cloud service to provide 24x7 cover for the system being used and, therefore, ensure a higher availability than could practically be achieved (cost effectively at least) in house.

2.4 Policy drivers and influencers

Over-riding all commercial and technical considerations are the Governance, Policy and Regulatory constraints that the organisation must take into account.

Top of this list will relate to issues of external regulation and notably around matters such as Data Sovereignty. 42 per cent of organisations participating in the research stated they were subject to external regulation, 12 per cent were subsidiaries of organisations that were headquartered internationally. Certain verticals such as Finance, Heathcare and Professional Services had a clear focus on this issue relating to certain applications and types of data. Equally there remains considerable legal uncertainty and a lack of any case law to substantiate some of the fears around data location but in any event, companies can still embrace the Cloud though use of IaaS and SaaS in typically private or Hybrid Cloud environments where data location can be guaranteed. Interestingly, a lot of the concerns expressed around data location stem from concerns over security more than regulation and re-emphasise the need for Cloud Service Providers demonstrating and establishing trust with their customers and prospects. In the survey 90 per cent of respondents wanted their data kept on-premise or hosted in the UK and not held within the wider EEA or other geographies.


Integration requirements between applications as well as the nature of the application and its degree of customisation are also key considerations as to how best to deploy

2.5 One person’s SaaS opportunity is another’s on-premise requirement

There are a number of considerations that when assessed will help shape the options as to how a new IT project should be deployed. The important thing to remember is that only the customer can make the assessment (with the help of advisors) as no external company can adequately know all the legacy, commercial, technical and governance constraints.

Equally, by way of example, where email may be delivered appropriately as a public Cloud or SaaS solution for one company in one industry, in another vertical, it may have to be provided in a private Cloud or on-premise capability to meet regulatory requirements. The table below gives a snapshot of the organisations participating in the research in terms of how they currently deploy different types of IT solutions, and clearly evidences the diversity.

This spread of options leads on to the obvious conclusion that in any one organisation based on the different application areas and operational needs, they are likely, over time, to have a combination of on-premise, hosted, SaaS and Private/Hybrid Cloud solutions. In fact, this is likely to become the norm and therefore a key issue in future IT strategy has got to be in demonstrating good governance of IT across a broad distributed network and variety of managed and unmanaged deployment options. As such, controls, end-to-end monitoring, alerting, reporting and transparency are going to be key to effective IT operations to ensure that in driving up efficiency and driving down costs, that new risks are not created due to lack of skills or tools to manage the new order of IT services.

© Cloud Forum IP Ltd 2011

eight


Asked of respondents who use hosting or Cloud-based services (respondents only saw applications that they currently use)

Accounting and Finance Applications

Advertising and Online Marketing Services

IT Asset Management Services

IT Operations Management

Data Backup/Disaster Recovery Services

Data Storage Services

Email Services

Collaboration Services

Unified Communications

Office Automation/Productivity

Portal Services

Workflow Systems

Niche Vertical Applications

Infrastructure-as-a-Service

Managed IT Services

IT Security Services

Service Management/Help Desk Services

eShop Services

Webhosting

Personnel and Payroll

CRM

Partner Relationship Management

Sales Management

Other

Base

SaaS

7%

13%

8%

7%

6%

7%

6%

20%

7%

2%

6%

8%

0%

14%

9%

6%

6%

18%

9%

4%

12%

14%

16%

0%

160

IaaS

0%

4%

5%

1%

3%

6%

4%

2%

5%

3%

10%

4%

0%

0%

3%

1%

2%

6%

2%

0%

1%

7%

0%

0%

160

Hosted server

12%

27%

18%

13%

15%

19%

19%

5%

23%

19%

24%

14%

25%

18%

15%

18%

15%

29%

26%

10%

12%

21%

13%

0%

160

Managed server

8%

10%

9%

23%

14%

11%

21%

18%

16%

12%

16%

8%

0%

23%

25%

16%

20%

18%

27%

15%

7%

0%

6%

0%

160

Outsourced

6%

10%

3%

5%

9%

13%

10%

5%

2%

2%

12%

4%

0%

5%

14%

10%

2%

18%

19%

8%

10%

7%

6%

0%

160

In-house

67%

35%

57%

51%

52%

44%

39%

40%

48%

63%

33%

62%

75%

41%

35%

48%

56%

12%

17%

63%

58%

50%

58%

100%

160

Application Deployment Model choices

nine© Cloud Forum IP Ltd 2011


3. Delivering the Cloud on your termsIn an IT market offering both increased choice and flexibility, a key consideration for any organisation is how best to deploy and deliver any given IT solution or project. Just how should an organisation approach the subject of adopting Cloud services? What would be the best fit in terms of a deployment or service model? And, can they achieve that within the constraints they have to operate? In other words can any organisation truly adopt Cloud services on the terms that are relevant for them?

Without doubt, Cloud and on-premise solutions will need to co-exist alongside each other in most organisations over the coming years as there is no practical incarnation of a one-size-fits-all Cloud solution upon which an organisation would likely base its entire IT strategy. Cloud services adoption is not standardised or even polarised today, and the wider concept of IT solution deployment is multi-faceted, driven by practical considerations such as:

● Organisational size and IT maturity – e.g. what skills are in house and what capability to implement and operate IT services exist?

● Nature of the Application/Solution – e.g. new solution areas and fixed life projects are far more likely to be hosted /provided as a service.

● Exiting Investment – i.e. organisations wish to maximise the life and value of investments already made in technology (e.g. server rooms) and software licensing.

● Data Sovereignty – e.g. concerns over regulatory, legal jurisdiction and perceived security fears restrict the nature of how some organisations adopt Cloud solutions.

● Connectivity – i.e. accessing high speed internet is still not a given in many parts of the UK and the wider world. Bandwidth constraints can constrain perception of suitability for Cloud or hosted services.

As already commented, it is encouraging to see that 85 per cent of organisations that participated in the survey already formally include consideration of Cloud services as a viable option when deciding on delivery of new projects, whether or not they already make use of Cloud based solutions. The fact that this preparedness is ahead of actual Cloud adoption in the UK (currently 53 per cent) reflects a healthy openness to improve process and effectiveness of solutions is being established.

One of the biggest challenges organisations face in adopting Cloud or other hosted services is to determine the appropriate Deployment and/or Service Model. As set out in section two a balance has to be struck between the level of complexity of the solution and the need for delivery as a service.

Cloud and on-premise solutions will need to co-exist alongside each other in most organisations over the coming years

On-premise

Hosted

Hybrid Cloud

Private Cloud/IaaS

Public Cloud/SaaS

Co-location OutsourcedManaged Services

Generic

Bespoke

In-houseDelivery as a service

So

luti

on

co

mp

lexit

y

Outsourced

Relationship between complexity and service delivery options

Technically enabled options Commercially enabled options

No two companies are the same and no two projects inside any given company are the same

ten© Cloud Forum IP Ltd 2011

3.1 Mapping key criteria to deployment outcomes

In order to determine which options for deployment of an IT solution are most optimal for any given organisation/application it is essential that a practical and efficient assessment of risks or key choice criteria is undertaken to establish a common sense check on viable deployment options. For example a UK based company operating in the retail sector may consider projects as follows:

In reality, the degree of sensitivity impacting a company based upon their industry vertical, international presence, age of organisation and in-house experience will require more thorough assessment than the rudimentary example given, but the principle here is to demonstrate that no two companies are the same and no two projects inside any given company are the same and as such assessment criteria need to mature to enable a rational decisions to be made.


Project Sensitivity Criteria: Accounting System Stock System Admin Productivity Suite

External Regulation Moderate Low Low

Local Jurisdiction High Medium Low

DC Location sensitivity High Medium Medium

Service Level requirement Medium High Medium

Security Level required High Medium Medium

Uniqueness of Application Low High Low

Integration with Other Apps High High Medium

Low Cost Delivery requirement Medium Medium High

Elasticity/Variability Low High Low

Project Length Low Low Low

Legacy Investment impact Low High Low

Skill set required Medium Medium Low

Resource available in-house Low High Low

Private/Hybrid Private/Hybrid SaaS or Public Cloud or on-premise or on-premise due to generic in seeking UK service due to levels of needs/low cost custom/integration

Example of criteria impacting Cloud solution choice

© Cloud Forum IP Ltd 2012eleven

3.2 Governance, risk and compliance in the Cloud

Cloud is highly attractive in terms of commercial concept but the underlying implications require a more comprehensive approach to IT GRC assurance for most organisations that are primarily operating with an on-premise capability today. A number of risks need to be reconsidered in light of adoption of Cloud services, and whilst none are unreasonable or unmanageable, it is essential organisations actively assess, prepare for and execute changes to IT GRC policy. Of particular note are the changes that will likely occur in the areas of:

● Socio-Technical trends: To what degree is consumerisation and social media policy relevant and covered effectively in employment policy, Acceptable Use Policy etc?

● Temporality & Elasticity: Is appropriate control and management of computing resources and subsequent retirement of assets or services properly governed in a virtual and elastic environment?

● Containing IT Sprawl: How is procurement managed and approved in a world where a credit card can enable new IT application use? How is IT managed as an overall strategy through multiple deployment models?

● Data Management: What are the organisations obligations in regard to data security, privacy, protection and sovereignty? Who is accountable and how is policy assurance achieved in partnership with third parties who deliver elements of the IT operations?

● Contracting & SLA’s: If using a third party, is the agreement covering end-2-end service delivery, under which legal jurisdiction is it written and with what clarity on responsibility and liabilities of the relevant parties in regard to the set-up, ongoing operations and subsequent exit/end?

3.3 Monitoring and management of distributed IT

There is an age old piece of common sense advice which is worthy of reiteration. “If you can’t monitor it, you can’t manage it”. This is relevant whether you are running all your IT operations on-premise, all in the Cloud, or more likely a combination of these along with potential use of co-location, hosted or managed services. When embarking on a third party services arrangement for the delivery of an IT capability it is essential that end user organisations establish clear service level expectations, define appropriate monitoring, set alerting thresholds and agree reporting requirements. Whilst accountability for delivery of the services may be passed to a third party that does not negate the organisations need to manage service delivery and ensure efficient operations and effective issue resolution or Disaster Recovery. This is the subject of White Paper seven due to be published in the Spring of 2012.


It is essential that end user organisations establish clear service level expectations, define appropriate monitoring, set alerting thresholds and agree reporting requirements

twelve© Cloud Forum IP Ltd 2012

ConclusionCloud Computing has become established within the vocabulary of the IT profession, but concerted effort to clarify and educate the wider market on key terms, definitions and implications are needed to achieve a common understanding of the meaning, opportunities and the risks associated with this rapidly growing sector of the market.

1. IT project/solution deployment options are increasingly flexible and diverse creating both a commercial opportunity and an IT management challenge.

2. Cloud should be considered a complementary solution option in many IT strategies, not a wholesale replacement for on-premise computing.

3. There is no nirvana Cloud solution that meets all organisational needs today. Rather organisations will typically find themselves managing a portfolio of deployment options at any given time from on-premise through to co-location, hosted services, managed services and Cloud solutions.

4. Cloud Computing should be assessed more in terms of organisational enablement and impact rather than in terms of technological change.

5. Cloud is best defined in terms of service delivery models (SaaS, PaaS and IaaS) and technical deployment models (Private, Public and Hybrid).

6. The choice of Service and/or Deployment Models for a specific Cloud solution will be influenced by a combination of technical, commercial, governance and legacy investment factors. The choice of Service/Deployment Model for a specific solution in one company may not be true for an organisation of similar size in another industry.

7. Legal and Regulatory factors drive considerable uncertainty especially in regard to matters relating to Data Sovereignty and Security. Where relevant, this tends to encourage end users to seek the lowest risk deployment, which in the case of this research was to prefer UK hosted data.

8. 85 per cent of organisations actively consider the option of Cloud services to assess viability for new projects. Individuals accountable for IT Strategy should ensure they update their assessment criteria to enable a practical determination of which deployment options are valid for any given IT project.

9. IT Governance needs to embrace the notion of services delivered on-premise and those delivered remotely, and where relevant the integration in between. IT departments need to determine the criteria to be complied with for monitoring, alerting and reporting for remote services. Appropriate tools and responsibilities need to be implemented to enable effective management of the distributed IT operations as a whole.

Individuals accountable for IT Strategy should ensure they update their assessment criteria to enable a practical determination of which deployment options are valid for any given IT project


one© Cloud Forum IP Ltd 2012

The Cloud Industry Forum (CIF) was established in direct response to the evolving supply models for the delivery of software and IT services. Our aim is to provide much needed clarity for end users when assessing and selecting Cloud Service Providers based upon the clear, consistent and relevant provision of key information about the organisation/s, their capabilities and operational commitments.

We achieve this through a process of self-certification of vendors to a Cloud Service Provider Code of Practice requiring executive commitment and operational actions to ensure the provision of critical information through the contracting process. This Code of Practice, and the use of the related Certification Mark on participant’s websites, is intended to provide comfort and promote trust to businesses and individuals wishing to leverage the commercial, financial and agile operations capabilities that the Cloud based and hosted solutions can cover.

The Cloud Industry Forum

Sword House, Totteridge Road High Wycombe HP13 6DG

t 0844 583 2521

e [email protected]

www.cloudindustryforum.org

cif white-paper-5-2012-cloud-definitions-deployment-considerations-diversity

Documents