Whether you need to reduce costs, develop software applications with increased speed, or leverage staff in a more meaningful way, the cloud can help. The question is not about the cloud's ability to deliver on its promises, but instead at what cost, as measured by effort, risk, and added complexity.
[This article reprints the bulk of Chapter 4, "Tying Up Loose Ends," in Edward Mahon's book Transitioning the Enterprise to the Cloud: A Business Approach [http://www.enterprisecloudbook.com/] (published November 2015). The book "describes the conundrum the cloud presents, provides a business perspective of the cloud, outlines how and what to assess in a technology environment, suggests several potential cloud transition scenarios and use cases, and develops a cloud-sourcing strategy." We thank the author for allowing EDUCAUSE Review to share this part of his work. —The Editors]
Mitigating Risk as You Transition to the Cloud
Throughout this book, risk has been defined as risk associated with added complexity to an already complex information technology architecture, runaway cloud transition project costs, risk of exposing sensitive data, risk of service disruption, and risk associated with choosing a cloud vendor. This section outlines a few techniques to mitigate these risks.
Let's start by outlining a few traditional SLA components, independent of the cloud.
Traditional SLA Components
- Performance and reliability guarantees: measurable system responsiveness and failover protection to minimize service outages
- Customer credit when service availability falls below an agreed-upon level
- Business continuity commitments
- Price increase limits
- Access to provider audit results
- Remediation clauses
- Maintenance windows times
As a rule, in the cloud, SLAs focus on service availability and data protection assurance. A cloud SLA will be enhanced through two measures: (1) developing a portability clause; and (2) ensuring a sound, agreed-upon exit strategy.
Protection measures ensure data and the service are safe in the cloud. First, ensure the SLA formally documents that your company contractually owns the data. The second measure is to ensure the SLA includes a portability clause that enables obtaining your data, upon request, in a predetermined time. This clause ensures the ability to extract the data. Doing due diligence, as you enter the cloud, includes finding another cloud operating environment is at the ready, should your operation need to move to another cloud provider.
Elements of a Data Portability Clause:
- How quickly your data will be returned.
- How the data will be provided (in an agreed-upon format).
- Once data verification, for data integrity, has been completed, the cloud provider will destroy any data remaining on their systems.
- Where your data can and cannot be located.
Ensuring a Sound Cloud Exit Strategy Is Important
Both a cloud entrance strategy and exit strategy are needed from the outset; a good engineer requires a backup plan. Develop plans that include those actions as a safeguard against if a cloud provider discontinues operations. Exit strategies are based upon the cloud vendor, you, and ensuring your data is accessible.
Designing the cloud entrance requires the concurrent creation of an exit strategy. Movement from one cloud provider to another, on a moment's notice, is quite possible. Traditional SLAs are insufficient when securing cloud services; in order to avoid vendor lock-in situations, additional protections are required.
What if the primary cloud provider's business viability model failed, completely unrelated to the binding contract? An exit strategy, securing the services of another cloud provider, ensures service is maintained, should the cloud provider default or can no longer continue the service. This additional protection measure requires familiarity with another cloud provider with the same service offerings.
By evaluating several cloud providers during the selection process, a good sense of another cloud provider will be acquired. When building that secondary cloud environment, you have the opportunity to minimize costs, as the service remains unused and dormant. This secondary environment can serve as a business continuity/disaster recovery site.
Information Security Transcends All Cloud Entry Points
Information Security Is a Team Sport
Strict security measures are critical to data protection. A lot is at stake. If a security breach occurs, customers must be informed and financial penalties may accrue.
Information security is an area to assess regardless if sensitive data is moved to the cloud; security vulnerabilities must continuously be addressed. Constantly draw a relationship between the service delivery models utilized and the appropriate security measures required for each. As it relates to cloud security, though, the provider and you are jointly responsible for all security provisions. Fortunately, the cloud provider can address information security matters equally to or better than you. For example, evaluate if cloud vendor resources are better than yours including: staff security specialization, company staff on-boarding and off-boarding processes, and their required auditing.
Cloud service providers have developed an environment chock-full of security protection measures. Now is a good time to evaluate the current security environment and contrast it to the leading cloud providers. As a first step, take a broad view and increase your understanding of the inherent vulnerabilities in the existing environment, independent of a particular service delivery model. Cloud vendors address security better than most company-run data centers, for the reasons mentioned above. If you are not subject to SSAE 16 (formally SAS 70 certification), they are. Besides, compliance requirements are good motivators to ensure best security practices are followed.
In addition to evaluating cloud security capabilities, current third-party providers, some of which may house sensitive data, merit a security review. Wouldn't you like to know how your current third-party vendors handle their security operations? Verifying that in-house security operations are secure is a must. Create a checklist that outlines key security areas to measure. Apply that list to your existing in-house security operations and current third-party vendors that house your sensitive data, thus improving existing security operations. After reviewing the in-house security and that of the current third-party providers, you will be prepared, using the same checklist, to assess cloud vendor capabilities.
Several key points can guide your security considerations:
- Data is where the "bad guys" go.
- Security is everyone's responsibility; it is a shared responsibility. Clearly establish and document who has what liability for which data breaches.
- Security is a balance between access and protection.
- Compliance verification is necessary.
- An expanded identity management system (authentication and authorization) is needed in a hybrid cloud environment.
If your head is spinning regarding security entry points, liability, and the importance of your decisions, this is expected. No single action or set of activities ensures that an environment can withstand all breaches. As a security checklist is created, take a multidimensional view to mitigate risk. Include protocols such as these:
- Continue with traditional operational controls developed in the current operation.
- Create a federated team to own important security matters.
- Develop a layered infrastructure and application security approach.
- Maintain an up-to-date incident response procedure.
- Document legal and electronic discovery procedures including subpoena response, litigation holds, and discovery searches.
- Ensure security policies and practices are well known.
Information security priorities include all of the following:
- Applications
- Database
- Encryption
- End point
- Server
- Network
- Facilities
- Identity and access management
Assessing the Larger Cloud Marketplace Exposes a Much Larger Set of Options
Services rendered by the major cloud providers are important; so, too, is the marketplace or ecosystem that has grown around each of them. The cloud marketplace varies among cloud providers and is indexed along typical industry lines as education, financial services, government, healthcare, manufacturing, and retail. The industry solutions and services they render are often built on the major cloud provider they serve.
The cloud marketplace is young, immature, and prone to change. It includes value-added resellers and professional services firms that provide a variety of cloud-related products and services. The cloud marketplace consists of vendors that run their products on the public cloud infrastructure and then sell their service directly to you.
Services Offered by the Cloud Marketplace
- Assessment assistance, migration, integration
- Cloud and premises integration
- Cloud transition planning
- Cloud costing and comparison
- SaaS applications implementation, e.g., CRM, ERP, web/e-commerce, messaging.
- Developer tools
- Database platforms
- Big data engines such as Hadoop distributions
- Database licensing options
- Web content management software
- Infrastructure assessment and support
- Network capacity planning
- Security products
- Operating system support
- Monitoring and enterprise management software
- Storage and backup
- Disaster recovery
Determine how to approach cloud vendors. Depending on internal capabilities, a cloud integrator may be required to assist with:
- Picking a cloud platform provider
- Answering questions, such as how much time your team will require to learn and implement new cloud services
- Augmenting staff skills to develop a cloud reference architecture, write a cloud RFP, or plan cloud migration
- Assessing your team's technical capability and readiness to build a cloud adoption strategy
A cloud integrator can have significant impact. However, pick a cloud vendor only after collecting sufficient information about the current operation, as outlined in Chapter Two. This interim research step will solidify, accurately and comprehensively, identifying the type of integration assistance required.
Developing a Good, Old Fashioned "To-Do List" Helps Build a Sourcing Strategy
Depending on the situation, merit exists related to holding off on beginning the cloud transition or moving forward. Taking preparatory steps will ensure a successful cloud implementation and ultimately a satisfactory transition. Spending time and money will later reap dividends. First, independent of if or when a company begins a cloud transition, an extensive checklist of preliminary steps and actions should be conducted.
The list, below, covers traditional information technology management activities and cloud preparatory actions. Second, a table is provided that will help outline and weigh the key decision criteria of risk, complexity, cost, and value. As you review the list, thoughtfully raise the question: "Do I need to conduct several of these actions, as it relates to the current environment, independent of entering the cloud?" Taking these preparatory steps will ensure a successful implementation and ultimately a satisfactory transition. Spending money on these items, albeit many, will later reap dividends.
Checklist of Steps Before Deciding to Enter the Cloud
- Assess current management tools and contrast those to what will be needed in the cloud, i.e., migration and enterprise management and monitoring.
- Create standard SLA templates for use with all cloud providers.
- Assess current staffing skills with an eye toward:
- Acquiring new or additional bench-strength skills
- Repurposing selected staff
- Discover how the entire IT team spends its time
- Training existing staff for new cloud-related skills
- For example:
- Expand the role of an existing cost accountant or hire another one in order to document current costs, by service offering. The effort should contrast current costs to cloud costs. Comparing a capital expenditure model (premises-based and -owned data center) to an operational expenditure (cloud) takes time. First document current costs; when the time comes, you will be prepared to develop accurate TCOs and ROIs when contrasting recurring cloud costs.
- Dedicate a vendor-relationship manager to the current and future third-party vendors.
- Create an enterprise-wide cloud architect position.
- Develop a cloud-transition project team, consisting of a contract specialist, tactical planner, project manager, and communicator.
- Create a security checklist.
- Assess the longevity of current software applications and hardware life cycles.
- Identify current capacity utilization and peak requirements to size cloud compute and storage needs.
- Engage staff with the cloud discovery process; learn together—staff must offer input in order to support the cloud-transition decision.
- Contrast current operations costs to cloud operations costs.
- Rationalize the current software applications for cloud readiness.
- Determine if new capital expenditures will emerge, but might be avoided with a cloud transition.
- Identify and contrast the costs of potential cloud use cases.
- Communicate the plan to key stakeholders.
- Develop cloud-transition strategies that meet your specific needs.
- Assess if and how you need to change your department's operating culture.
- Nibble around the edges: Realize early wins by selecting a few early cloud candidates, perhaps e-mail, data management and cloud storage, messaging, collaborative software.
- Negotiate an enterprise cloud agreement.
- Think of the transition as a series of projects.
Drawing a relationship between potential activities and their key characteristics is important. Consider using a table such as the one below to highlight potential early adopters to move to the cloud. Factors such as risk, complexity, value, and cost avoidance are good drivers to guide decisions.
Criteria to Use to Highlight Potential Early Adopters to Transition to the Cloud |
---|
Low risk |
Minimal induced complexity |
Produces high value |
Potential cost avoidance |
Building an Argument Either Way Strengthens Your Decision
IT innovation has been a constant during the past sixty years. The cloud, as a new service delivery model, involves change beyond compare. High availability, simple provisioning, expansive marketplace, and seemingly unlimited computing resources are attributes of the cloud model. These attributes could not have come at a better time, as enterprises know they need to adapt to change and deliver value more quickly.
Whether the need is to reduce costs, develop software applications with increased speed, or leverage staff in a more meaningful way, it is clear the cloud can help.
The question is not about the cloud's ability to deliver upon its promises, but instead at what cost, as measured by effort, risk, and added complexity. Thus, an initial question is how to begin and complete the cloud journey with the least level of disruption to your goals, customers, and operation. Information, such as is provided in this book, is needed in order to decide if or when to move information technology operations to the cloud. This information can then assist with the creation of a cloud outline and value proposition along with the significant issues that will be encountered during the cloud transition. This information can be used to build an argument and justification to decline on a cloud transition or proceed to the cloud.
Deciding Against a Cloud Transition
An adequate justification not to begin the cloud transition would include valid reasons, such as these:
- Substantial transition complexity, risks, and costs.
- A secondary cloud vendor market in flux.
- Lack of standards and shared access protocols among cloud providers.
- Transition tool availability continues to mature.
- Vendor lock-in is likely.
- Project failure is a strong possibility.
A complete cloud migration, resulting in no longer owning and operating a data center, will be difficult to obtain. In the absence of completely exiting the data center business, running both a data center and subscribing to cloud services involves complex integration issues and represents additional challenges. Managing two service delivery models is additional work that will take you away from current maintenance and development efforts. The cloud transition alone will require significant technical and managerial skills, increased operations cost, and a change in the operating culture.
Managerial skills to develop additional cloud capacity planning and forecasting capability are necessary. Sharpening the enterprise-wide technology infrastructure monitoring skills will prove a challenge. Other than the general roadmap I have suggested, a pathway for you and your company to take to the cloud is not readily evident.
An argument could be made to wait, as the transition will get easier as the cloud marketplace matures. Clearly, the cloud is still growing and evolving. Cloud providers are continually building products, adding features, and adjusting pricing models. An evolving industry, combined with the preparatory steps needed before beginning the transition could make a case to hold off beginning the cloud entrance. In the future, enhanced tools will be offered and will be common practice, simplifying cloud transitions.
Proceeding to the Cloud
If professional judgment indicates it is time to begin the cloud transition, a framework has been provided to do so. Factoring in your sister departments' propensities to develop in the cloud themselves, you may have determined it is riskier to wait to enter the cloud than to proceed.
Several actions can be taken to support a decision to proceed to the cloud:
- Document the fiscal, staffing, and technical elements of the current environment.
- Understand the cloud business model and how it contrasts to the current operation.
- Develop a thorough awareness of the major cloud providers, including their products, services, and costs.
- Contrast the current model's weak points versus the cloud's strengths.
- Estimate actual cloud-transition costs.
- Document the staff skills in the cloud.
Hopefully, you have now formed an opinion of how or when to proceed to the cloud. Congratulations, you are strongly positioned to determine what portion of the cloud better meets your needs over the current delivery model. If equipped with project transition funds, skills, and time to apply those skills, you are ready to move to the cloud.
The choice is yours. The question is not if, but when to develop a plan to completely transition to the cloud.
Sooner or later, I'll see you in the cloud.
Ed Mahon is vice president and CIO at Kent State University and author of the book Transitioning the Enterprise to the Cloud: A Business Approach. He was a finalist for Crain's Cleveland Business CIO of the Year (April 2013), winner of the CIO 100 Award for Project Innovation (2009) from CIO Magazine, and winner of the Campus Technology Award for Innovation (2009).
© 2016 Edward G. Mahon. Reprinted with permission of the author.