Moving to Cloud: An IT Management View

March 2011

Cloud computing simply refers to a model for computing resources (networks, servers, storage, applications and services) provisioned on shared pool of technology infrastructures. Various service models allow deployment of these services independently or combined, transferring most of the system maintenance functions to the service provider. The main prospect of cloud computing is to provision IT resources in a short time and to reduce infrastructure investments with increased reliability and scalability.

Although this concept has been available for a long while, new online business models, reliable and cost-effective network services and matured technologies such as virtualization, grid computing and web-based services have boosted cloud based offerings in recent years. The strong view in the IT world considers cloud computing as the dominating IT sourcing model within the next 5 years. The volume of researches by various agencies and industrial bodies and the amount of recent investments by leading vendors and service providers are strong indicators of this trend.

The portfolio of cloud based solutions is extensive and applicable to all industries. Many business services are available in the cloud from various service providers. Some examples are CRM, ERP, eCommerce, business intelligence and billing. Basic IT services are also offered such as e-mail, content management, storage, backup & recovery and service management. Recently, leading software vendors have extended their product catalogs offering their standalone products as online services in the cloud with the model of software or platform as a service.

In house developed or customized applications with custom interactions with other systems are now able to be modularized using standard models such as SOA (service oriented architecture) and web services that facilitate the phased transition of these systems into the cloud. Standardization and federation of connectors for identity management and access control also support this process. This modular structure provides portability and interoperability capabilities and allows future developments simpler.

Cloud based architectures promise extensive scalability without significant infrastructure and labor investments. The system maintenance and operational costs are reasonable with efficient service design and management practices. Provisioning computing hardware and storage can be accomplishment in a very short time providing extensive backup and disaster recovery capabilities with high availability features. Environmental attributes are also well developed with intelligent buildings specifically designed as data centers, providing high level of physical security and safety.

The existing cloud ecosystem is admitted as “immature” at the moment by many researches and surveys conducted by leading institutional and commercial entities. Many providers offer proprietary components making portability and interoperability a possible issue. Some of the providers may also lack in applying good IT management practices in terms of organizational structures, processes and controls in order to maintain the assurance required by the business. Cloud services transfer most of the technical IT controls to the Service Provider while the information security liabilities stay with the in house IT organization. Therefore, some roles of the in house IT Team will gradually be migrated from technical management to process management. Good practices for supplier management, contract management and service-level management should be gained in accordance with generic project management capabilities.

A risk-based approach should be adopted in order to source an IT service in any form of a cloud offering. The level of transparency about business and operational practices provided by cloud service providers is important in order to perform proper risk assessments and make sound transformation decisions. There may also be some ambiguities about the roles and responsibilities especially for deploying and managing security controls. First, the operating model of the cloud service provider should be well understood. Then, internal processes, organizational structures and technical expertise should be established and performance metrics and related service standards should be defined and included in contract terms as required. Data portability and interoperability should be considered up front as part of the risk management process and security assurance of any cloud program.

The critical nature of information requires extensive care -in terms of confidentiality, integrity and availability- mostly regulated by laws and standards. Legislation in the EU is still an issue since different interpretations of regulations may cause confusion as they have not referred to cloud computing models directly yet. Considering a cloud computing service may span many countries in the EU or even further, consistency and harmonization across country regulations is required. The Security & Resilience in Governmental clouds report by European Network and Information Security Agency (ENISA) is an example of the good resources to be informed about the cloud ecosystem including legal issues. Being aware of all these issues, proactively following recent developments and conducting architectural studies in the early stages is crucial to develop sound investment plans and shape the IT organization accordingly.

Recommended Strategy
Cloud based deployments are viable options as long as they are well planned and managed. As enterprises have existing in-house IT investments and operating models, they should be utilized as much as possible during their life-cycle. However, deploying cloud based solutions in phases should be considered due to the drivers described previously in this article. Based on a risk based approach, recommended sequence of deployment steps are described in the following paragraphs.

Establishing an IT Architecture Team and a Technology Forum engages the IT Team’s interest in the first instance and directs the team to develop baselines and standards for the existing and future services in a possible cloud scenario. IT Management capabilities also need to be developed such as security management, service continuity management, service level management, supplier management, contract management, compliance etc. Training and awareness programs may be planned for this purpose.

Deploying pilot services in the cloud helps to control risks associated with major changes in the service model. Non-mission critical IT services can be selected as pilot deployments upon the IT Architecture Team and the business establishes baselines and standards. Pilot deployments may be standalone applications (SaaS) without dependencies to other systems and/or may be infrastructure solutions (IaaS) for data processing or storage. HR, data warehouse or business intelligence applications may be possible candidates for this phase.

“Learning from experience” gained in pilot service deployments assists to understand the operating model of cloud service providers, identifies possible gaps in processes, roles and responsibilities and improves baselines and standards as required. This phase provides the opportunity to develop further management practices to resolve all reported issues in future service contracts in order to maintain the assurance required by the business.

Considering cloud transformation for mission critical services comes next based on measured benefits delivered by pilot deployments. Depending on the cloud architecture chosen, this phase will also transform some technical roles and responsibilities in the IT Team into a process management context. Organizational structures, processes and practices need to be developed to reflect this direction.

A cloud service should be deployed after conducting risk-based service assessments, determining in house resources and capabilities and evaluating them against cloud market offerings. Regardless of the service model to be applied, keeping the core knowledge and expertise in house is crucial in order to be flexible for a possible supplier transition or an on-premise hosting in the future.

The existing cloud ecosystem has not proven its effectiveness and efficiency yet and still not matured enough in terms of standardization, capabilities and compliance. However, standards, regulations and best practice frameworks are expected to be well developed soon to address cloud deployment issues. This article concludes that wide usage of cloud based services is inevitable within the next five years. This statement is even more promising for small and mid-size enterprises where IT resources and capabilities are limited. Nevertheless, cloud transformation is a viable option as long as the services are well planned and managed.

This situation drives enterprises to be aware of cloud based offerings, future trends and improvements in this arena and adjust their IT strategy accordingly. Continuous education and structured service design are strategic steps for preparation. Of course, enterprises should utilize their in house investments during their life cycle based on cost benefit analysis. Deploying cloud based solutions should be considered in phases, as justified in this document, supported by a risk-based approach in accordance with the enterprise architecture.

Ultimately, all these statements are future predictions based on publicly available generic information and the final action plan should be formed upon conducting deeper analysis on each IT service individually and as a whole, following industry trends and assessing corporate dynamics, i.e, business culture, structure, capabilities and resources.