Escolar Documentos
Profissional Documentos
Cultura Documentos
WWW.OVUM.COM
Research
Laurent Lachal Stephen Mann
Important Notice
We have relied on data and information which we reasonably believe to be up-to-date and correct when preparing this Report, but because it comes from a variety of sources outside of our direct control, we cannot
Acknowledgements
Ian Brown Jens Butler Steve Hodgkinson John Madden Graham Titterington
guarantee that all of it is entirely accurate or up-to-date. This Report is of a general nature and not intended to be specific, customised, or relevant to the requirements of any particular set of circumstances. The interpretations contained in the Report are nonunique and you are responsible for carrying out your own interpretation of the data and information upon which this Report was based. Accordingly, Ovum is not responsible for your use of this Report in any
specific circumstances, or for your interpretation of this Report. The interpretation of the data and information in this Report is based on generalised assumptions and by its very nature is not intended to produce accurate or specific results. Accordingly, it is your responsibility to use your own relevant professional skill and judgement to interpret the data and information provided for your own purposes and take appropriate decisions based on such interpretations. Ultimate responsibility for all interpretations of the data, information and commentary in this Report and for decisions based on that data, information and commentary remains with you. Ovum shall not be liable
Contents Continued
Chapter 5: Cloud governance: an overview 5.1 Summary 5.2 Cloud governance builds on IT governance 5.3 Cloud governance relies on the same ingredients as IT governance 5.4 Cloud governance, like IT governance, is a work in progress 5.5 ALM governance needs to expand to the cloud 5.6 Cloud governance builds on SOA governance 5.7 Recommendations Chapter 6: Public clouds require IT service management to adapt 6.1 Summary 6.2 Public clouds are changing the IT function 6.3 Public clouds are changing the ITSM landscape 6.4 ITSM technology has a big role to play in managing public clouds 6.5 Recommendations Chapter 7: Glossary Chapter 8: Appendix
Incorporating
WWW.OVUM.COM
Key findings:
Cloud computing is controversial and important. The public cloud market is more complex than expected. Private clouds are catching up with the public cloud Joneses. Hybrid clouds are the next frontier. Enterprises need to scrutinize and adapt to public cloud cost characteristics. Public cloud pricing structures are evolving, but not always as expected or for the better. Private clouds put public cloud costs in context. Service-level agreements (SLAs) are key to cloud adoption. Security is the number-one cloud quality of service (QoS) concern. Reliability and availability are under increasing scrutiny. Scalability underpins cloud computings elasticity. The road to reliable and scalable private clouds requires new thinking and skills. Cloud governance builds on IT governance. Cloud governance delivers the right recipe from a variety of ingredients. Cloud governance, like IT governance, is a work in progress. Application lifecycle management (ALM) governance needs to expand to the cloud. Cloud governance builds on service-oriented architecture (SOA) governance. Public clouds are changing the IT function. Public clouds are changing the IT service management (ITSM) landscape. ITSM technology has a big role to play in managing public clouds.
Ovum view
IT is fashion-driven, and cloud computing is the new black. Currently at the height of its hype, it will suffer a backlash before becoming fully mainstream and established, by which time a new phrase will have captured the imagination of IT pundits.
Moving from What is cloud computing? to How to make the best of it?
It is no longer a question of whether or not enterprises will use cloud computing: they already are. However, it is still early days for both suppliers and users, many of which have yet to figure out how to take advantage of the various elements of cloud computing. There are plenty of early adopter benefits to be gained, despite the variety of challenges that cloud computing puts in the way.
Benefits
Cloud computing
Enterprises are turning to cloud computing for the following reasons: Convenience: for fast procurement (and termination) of on-demand IT services available on a selfservice basis from a variety of networked devices. Convenience drives faster time to market. Adaptation: through the ability to mix and match IT services and increase or decrease their use as required (clouds are elastic). Innovation: cloud computing makes it easier to try new things while taking fewer risks via a PAYG approach known as utility computing. Simplicity: cloud computing short-circuits IT complexity by reducing significant elements of the IT stack to standardized commodity services. Lower costs: from economies of scale based on IT resource pooling coupled with the PAYG approach to using these resources. Cost transparency/awareness: the ability to understand, measure, and manage who is using which IT resources at what cost for billing, planning, and optimization purposes. QoS: enterprises expect public and private cloud IT resources to be more reliable, available, scalable, and secure than traditional ones.
10
Private clouds
While public clouds are still mostly vendor-pushed rather than demand-pulled, private clouds are both vendor-pushed and demand-pulled in roughly equal measure. Many enterprises are wary of the limitations in terms of security and bandwidth, and the constraints in terms of application design and functionality of the various types of public cloud, but are curious about the possibility of adopting the technologies, designs, and best practices of these clouds in their own data center under the private cloud name. The aim is to deliver similar benefits to public clouds while remaining in control of the IT infrastructure and therefore security and compliance, and squeezing more value out of existing IT investments. Self-service IT frees IT departments from provisioning issues and abstracts service delivery from implementation.
Public clouds
In addition to generic cloud computing benefits, public clouds enable enterprises to: reduce upfront capital expenditures (capex) in favor of more flexible ongoing operating expenditures (opex) via subscription and/or PAYG schemes access IT resources that many did not previously have the means to buy and/or implement focus limited IT resources (hardware, software, budget, people) on a smaller number of projects to narrow the gap between business ambitions and IT capabilities more easily share IT resources both internally and with partners because public clouds provide ready-made resources instead of requiring those sharing to create the resources in the first place expand their reach to new countries and regions and support global operations by recruiting new talent in lower-cost areas within as well as outside their core markets have easier access to Internet resources: public cloud resources have been designed from the start to integrate with other Internet resources.
11
Private clouds
Apart from generic cloud computing concerns, enterprises main concerns when it comes to private cloud implementation include: Old traditional concerns related to the industrialization, consolidation, and standardization of internal data centers: the emergence of public clouds has increased the pressure on IT departments to deliver on these objectives faster than many are ready to do, to boost utilization, reliability, and flexibility. New generic concerns such as the need to make data centers more energy-efficient, mostly to save money (rather than the planet per se), or to redesign data-center network topology from a three-tier hierarchy to simpler two-tier or even single-tier peer configurations to make it easier to move IT assets rapidly to where they are needed and to boost network performance. New concerns related to the adoption of public cloud-like ways to deliver and consume IT resources: implementing self-service portals and delivering cost transparency is a challenge. It makes more sense to boost the cost-effectiveness of currently owned data centers via virtualization, automation and SOA than to seek to drive costs down by turning to one or more public clouds.
Public clouds
Apart from generic cloud computing concerns, enterprises main concerns when it comes to public cloud implementations include: Security, regulatory compliance, and intellectual property protection are the primary concerns. Data overseas over my dead body remains a common refrain. Reliability and availability worries are growing in importance. The pain inflicted by public cloud outages can be anticipated and lessened with temporary fallback procedures.
12
SLAs: enterprises want public cloud service providers to offer stronger as well as end-to-end SLAs to back up their QoS/RASS claims. Vendors are unwilling to do so for reasons that are both technology-related (especially at the level of end-to-end SLAs) and business-related (too tight margins). Migration and long-term costs: enterprises struggle to figure these out as they mostly depend on their specific circumstances. Demand-management to make sure that, since public cloud costs are usage-based, public cloud use is not wasted. Skills. Money is less of an issue with public clouds, with lower upfront costs leading to a democratization of IT. By contrast, this makes skill shortages an even bigger problem. Immature tools for the testing, deployment, scaling, monitoring, migration/movement, and overall lifecycle management of IT resources deployed on public clouds. Interoperability: public cloud offerings favor integration. Portability is mostly limited to data portability. There are many standardization efforts around public clouds, most of them immature. The immature and rapidly evolving nature of the IaaS and PaaS markets, where vendor viability is a bigger issue than technology maturity. The environmental impact of the data center infrastructures that underpin public clouds despite claims by vendors that their state-of-the-art data centers maximize utilization and have as low a carbon footprint as they can have.
13
Chapter 7 Glossary
A glossary of commonly used terms has been included.
Chapter 8 Appendix
This chapter contains information about additional reading and the methodology used for this report.
14
Incorporating
WWW.OVUM.COM
2.1 Summary
Catalyst
Cloud computing is emerging as a major disruptive force for both IT vendors and users. It is still very early days, however, for what many rightfully consider to be the most important trend of decade. The next three years will see cloud computing mature rapidly as vendors and enterprises come to grip with the opportunities and challenges that it represents.
Ovum view
Some define cloud computing very narrowly as infrastructure-as-a-service (IaaS) and platform-as-aservice (PaaS) public clouds. Others, Ovum included, include software-as-a-service (SaaS) public and private cloud offerings. A wider perspective helps in understanding one of the key trends in cloud computing: cloud computing will be hybrid. Cloud computing promises to tackles two hitherto irreconcilable IT challenges: the need to lower costs and the need to boost innovation. However, it will take a lot of effort from enterprises to actually make it work. Instead of a nimbler IT firm with its mess for less somewhere else, the ill-prepared will end up with their IT mess spread across a wider area.
Key messages
Cloud computing is controversial and important. The public cloud market is more complex than expected. Private clouds are catching up with the public cloud Joneses. Hybrid clouds are the next frontier.
17
the multiple roots of cloud computing, which originates from developments in technology (growth in computing power and broadband connections, grid computing, virtualization), pricing/licensing models (subscription, pay-as-you-go), business models (Amazon expanding from retail to IT), and so on the twisting of the concept to fit the marketing approaches of an increasing variety of vendors.
so have vendors
Vendors are trying to position themselves as market leaders in cloud computing, either as thought leaders, technology innovators, business value providers, or some combination thereof. They want to be seen as shaping the industrys broader cloud agenda and, at the same time, working with customers to show where cloud services can deliver real-life business and IT benefits. They are trying to be smarter, more explicit, and more proactive in how they explain and differentiate their cloud offerings but, as victims of their own hype, are finding it harder to differentiate their cloud computing offerings. Many are still unclear about how, and to what extent, they will make cloud services profitable both on their own and as part of the new cloud computing ecosystems currently forming.
Evolution
Cloud computing builds on the evolution of a variety of IT technologies (broadband connections, virtualization, etc.), designs (service-oriented architectures, multi-tenant applications, etc.), and best practices (e.g. for large-scale enterprise IT management). Many of its characteristics have been around for quite some time. For example, the shared use of excess capacity brings many back to the early days of corporate computing when time-sharing was the norm. Similarly, online shared services have underpinned the Internet itself (e.g. domain name registries) for years and various industries for even longer. Examples include global transaction platforms in the finance industry as well as computer reservation systems and global distribution systems (CRS/GDS) in the travel industry. What matters is not that cloud computing recycles certain ideas and technologies (or that older offerings are rebranded as cloud computing) but how this recycling (and re-badging) impacts the use and evolution of IT.
18
Disruption
Cloud computing not only recycles ideas and technologies (among other things) but also reflects disruptive IT industry trends such as the transformation of the Internet from a content delivery platform into a software delivery platform. And it is not just about Internet trends. It reflects and accelerates the commoditization of both hardware and software as well as the weaving of software deeper into the fabric of our economies as well as societies. It moves the IT industrys focus from hardware towards software and services, and in doing so blurs the lines between all three. Some equate this restructuring with the ones that occurred in other industries, such as electricity (which moved from local generation to national grids) and automotive (which moved from companies owning and maintaining their own fleet of cars to renting). It impacts the way enterprises relate to: Their IT: it impacts the way they define, create, procure, and consume IT assets. Their IT departments: cloud computing enables (by freeing IT people to focus on key projects) and undermines (by enabling users both within and outside IT departments to bypass established processes) enterprise-wide IT strategies. It redirects IT people to new activities that generate competitive advantage as well as to their local job center via redundancies. One another: among other things, it makes available to SMEs what was formerly only available to larger organizations, and makes it easier for companies to share IT assets. Their IT vendors: cloud computing shifts the risk of investing in, and managing, IT to the vendors. This makes it a slow-moving phenomenon, as relationships evolve much more slowly than technology.
Private clouds
In the past 18 months, an increasing number of vendors and users have been pulling the cloud computing blanket into the private IT space, to the horror of those that define cloud computing as a strictly public phenomenon. What matters, however, is not whether or not private clouds are clouds at all but how, and to what extent, private clouds relate to public ones and impact the way IT infrastructures are currently evolving.
Hybrid clouds
The problem with defining boundaries in the IT industry is that technologies and their packaging are evolving in a way that quickly blurs these boundaries. In the cloud computing space, hybrid offerings are emerging between public and private clouds as well as between traditional IT services offerings (e.g. hosting, outsourcing services) and public cloud ones (see Figure 2.2.1). In fact, the hybrid cloud space is where most cloud computing breakthroughs will happen in the next five years.
19
Public cloud
Outsourced IT assets
Source: Ovum
20
New vendors are emerging, eager to add a specific spin to the IaaS theme. This trend will continue for at least two years; then, as the IaaS market matures and consolidates, it will standardize.
Platform-as-a-service
Makes it easier to develop and run applications
PaaS adds a new layer of software services on top of those usually found in IaaS to make it easier to develop and/or run (web) applications. While some, but not all, PaaS offerings feature development tools, they all offer run-time services usually found in application servers (e.g. transaction management, process enablement, scalability, user authentication, cache, etc.). For example, the PaaS run-time automatically takes responsibility for scaling cloud applications up and down, depending on usage levels. Developers do not have to hard-code this elasticity into their applications as they would in an IaaS environment.
Ecosystem platform
Like IaaS, PaaS is: a platform on which new software ecosystems, not just applications, are being built; related to online marketplaces in which ecosystem participants offer their wares; and encouraging developer and user communities, not just marketplaces.
Software-as-a-service
The most developed public cloud market
SaaS combines application-functionality delivery via a web browser with data encryption, transmission, access, and storage services. It can be consumer-centric (e.g. Flickr photo storage, management and sharing offering), enterprise-centric (e.g. Salesforce.coms and Microsofts CRM offering), or both (e.g. Googles Gmail email offering). The SaaS market was the first to develop and, as a result, there are now SaaS alternatives to many, if not most, enterprise and consumer software products. It has expanded rapidly, attracting the attention of software incumbents, which has fueled further expansion and competition. The pioneer in the enterprise sector (ten-year-old Salesforce.com) recently became the first pure-play SaaS vendor to reach $1 billion in revenue. Other SaaS companies such as NetSuite, RightNow Technologies and Workday aim to follow suit, although the next big SaaS vendor is more likely to be an incumbent such as Microsoft.
21
22
SaaS
SaaS
Source: Ovum
PaaS offerings have IaaS components (e.g. Microsofts Azure Service Platform has an IaaS storage component). Some are layered on top of, and independent from, an IaaS foundation. For example, Tibco Silver is available as a pre-built, preconfigured Amazon Machine Image (AMI) and Tibco plans to add support for other third-party IaaS environments, including those supporting VMware technology.
Common characteristics
IaaS, PaaS, and SaaS have various characteristics in common: They are online services delivered by a third party available to any connected devices over the Internet (or other networks) via web-browser graphical user interfaces (GUIs) and to other software mostly through open application programming interfaces (APIs). The latter vary depending on whether the service is IaaS, PaaS, or SaaS (and between offerings in the same area, e.g. IaaS, which creates complexity). They offer standardized services. They are user-centric greenfield approaches to simplifying and standardizing IT to make it much easier to try, buy, and consume IT services. Standardization was initially viewed as a limitation (especially for SaaS), but is increasingly becoming best practice.
23
They do not require ownership or management of hardware or software (other than the access device). The service provider takes care of hosting, developing, managing and maintaining the services. They are always on. They rely on massive data centers that mix virtualization and automated system management technologies to provide economies of scale (and low cost) as well as a satisfactory quality of service (QoS) in areas such as reliability, availability, scalability, and security (RASS). They use operational support systems for functionality such as management and reporting and business support systems for functionality such as usage metering, service activation and billing. These vary depending on the type of public cloud offering. They are available via a self-service online catalogue or portal that offers transparent pricing information. Besides being self-service, they enable customers to access peer support. They enable vendors to upgrade all users centrally and evolve the service iteratively based on customer feedback as well as actual user behavior data.
Convergence
This feedback loop is strengthened by the increasing convergence of SaaS with IaaS and PaaS from a variety of perspectives: Infrastructure: besides building their own data centers or outsourcing them, SaaS ISVs increasingly use IaaS or PaaS clouds, or both, as the foundation for their services, especially since an increasing number of IaaS/PaaS providers (e.g. Fujitsu) target them with SaaS ISV-specific services. Service portfolio: Salesforce.com, for example, has expanded from SaaS to PaaS (Force.com). Google and Microsoft started with SaaS then moved to PaaS. IBM offers both IaaS and SaaS but is likely to expand to PaaS. Ecosystem: cloud computing vendors are increasingly partnering with one another. On-demand availability on a self-service basis: most consumer SaaS services are available on this basis, the way that IaaS and PaaS are. This is less the case for enterprise SaaS (but not all, e.g. Webex), although some enterprise SaaS offerings (mostly from new start-ups) are moving in this direction. Pricing: many consumer SaaS offerings are free to use (financed by advertising), although an increasing number of vendors are moving towards subscription revenues. IaaS and PaaS are unlikely to adopt the same approach, although some vendors will move towards free-to-try or set-up offerings, or both.
24
Pricing/licensing elasticity: most enterprise SaaS is available via automatically renewed annual subscription contracts that make it relatively easy to increase the number of user seats but not decrease them: the latter is usually only allowed at the end of annual subscriptions. Newcomers (rather than incumbents that will stick to the subscription model) will adopt a more IaaS/PaaS-like usage-based/metered approach with no long-term commitment/contract and the ability to scale usage up and down on demand. Amazon is also pushing ISVs in this direction. Its market presence and established metering and billing processes have resulted in many software offerings being available as SaaS on the Amazon IaaS cloud (using virtualization to achieve a one-to-many delivery model). IBM, for example, is expanding the portfolio of its software available on Amazon EC2, based on a new Processor Value Units pricing model. IaaS and PaaS will move in the opposite direction, towards a subscription model. Some enterprises, especially large ones, prefer the more predictable subscription approach to pricing, which often includes volume discounts.
Wider perspective
IT services impact on public clouds
The boundaries are not only blurring between IaaS, PaaS, and SaaS but also between cloud computing offerings and traditional IT service offerings (e.g. hosting and outsourcing). The flexible pay-as-you-goand-as-much-as-you-consume approach of part of the cloud computing phenomenon could have an obvious effect on services firms bottom lines, and such firms are understandably not ready to abandon traditional businesses in favor of trumpeting cloud-only models for their enterprise customers. For now, they are positioning cloud-based services as an additional delivery model, one that could work in tandem with IT services delivered either in-house or through an external provider. They position themselves closer to cloud computing not only by providing IaaS, PaaS, or SaaS clouds or all three themselves, or mixing public cloud services consumed in a one-to-many model with dedicated one-to-one (on- or off-premise, or both) services, but also by adding public cloud computing characteristics (e.g. fast provisioning) to their traditional services. Customers have started to mix and match traditional IT and public cloud computing offerings. For example, Wordpress.com combines hosted servers and Amazons S3 IaaS storage services to run its blog platform. Cloud computing is transforming the relationship that IT service providers have with their customers. With cloud computing, whose value proposition centers on the delivery of a standardized set of services, the customer adapts to the offering, not the other way around, as was the case until now for IT services. We expect a lot of hybrid solutions stemming from the convergence of these two approaches (with various balance levels between adaptation to customers and customer adaption).
25
2.4 Private clouds are catching up with the public cloud Joneses
Cloud computing shifts to private clouds
In the first 18 months of its existence, cloud computing was a purely public phenomenon. The following 18 months saw a significant shift in focus away from public clouds towards a new concept (that of the private cloud), owing to a powerful mix of vendor push and user pull.
Vendor push
The private cloud is, to a large extent, a rebadging of what data-center-focused hardware, software, and service vendors have been doing under different names (utility computing, autonomic IT, on-demand data center, etc.) for the past ten years. In this market, vendors offer either building blocks or complete solution offerings. For example, IBM offers: The IBM CloudBurst Smart Business System platform, which combines hardware, storage and networking components with virtualization and management software as well as on-site QuickStart implementation (and training) services. It is part of IBMs ongoing efforts to combine network, compute, and storage capabilities into packaged offerings that are easier to manage and consume (with single invoice, installation, and support structure). The Smart Business (private) cloud, which is a service-wrapped hardware and software offering that can leverage existing IT infrastructure or use IBM CloudBurst, or both. It is a natural extension of IBMs data center building and management capabilities. IBM can not only put a private cloud together, but also manage it or leave its management to the customer. Many of IBMs IT service competitors have made similar moves. Not only incumbents like IBM but also cloud computing start-ups (mostly in the PaaS domain) are taking a keen interest in private clouds. They want to bring public cloud technologies into the data center, with the ambition to elbow the incumbents out of (at least parts of) the data center (as well as help customers manage complex, hybrid IT infrastructures that combine public cloud resources with locally managed ones).
User pull
Many users are wary of the QoS/RASS as well as legal/compliance limitations of the various types of public cloud, but are curious about the possibility of adopting the technologies, designs, and best practices of public clouds (e.g. virtualization, standardization and automation) to create elastic pools of IT resources within their firewall to cut costs and make it easier and faster to provision new services. Users caution is strengthened by the unwillingness of some IT departments to adopt public cloud components for fear of losing control (as well as their jobs).
26
Marketing hype: vendors seeking to sell new hardware, software and services to enterprise chief information officers (CIOs) are the guilty parties here. Public cloud supporters argue that extending the definition of cloud computing to private clouds stretches the concept so much that it loses all meaning. They also point out that it will lead to users getting increasingly skeptical as the term gets applied to all and sundry. We agree with most of these points, yet we do not believe that arguing over definitions is worth the effort.
New twists
The private cloud embraces automation, virtualization, and SOA while increasing data center focus on the following, among other things: Self-service portals that provide instant on-demand access from a catalogue: the catalogue becomes the key interface that provides product detail and pricing information, enables configuration, manages the ordering process, and offers account management tools. It is also key to make sure that governance policies apply to clouds: IBMs Service Catalog portal, underpinned by Tivoli Service Automation Manager, for example, enables IT departments to limit users choices to a predefined set of services. Providing access not only to internal standardized and reusable services but also to a marketplace of vetted applications and a community of peers: IBM, for example, has an online catalogue for both its SME and large enterprise Smart Business offerings. While the SME online catalogue is generic and geared towards third-party partners (26 in India and 16 in the US as of May 2009), the large enterprise catalogue is workload-specific and, in the case of application development and test workload, mostly limited to IBM software. The SME-focused IBM Smart Market is not just an online application store, but also a marketplace and related portal with Web 2.0 features to compare, rate, and buy applications and services (such as managed security and hosted backup). It is also a community in which clients, experts, and vendors interact. The large enterprise equivalent is likely to evolve along these lines. Usage monitoring and chargeback mechanisms: metering and billing is the next frontier when it comes to private (and public) clouds. Many enterprises are not able to calculate then allocate costs, despite being willing to do so, as they do not have the necessary infrastructure, processes and metrics in place.
27
28
A variety of hybrids
Not public or private, but both, and then some more
When not debating the nature of a true cloud, participants in the cloud computing discussion like to explain why their preferred type of cloud is better than the other. Some define private clouds as superior to public ones because they offer more control and can run legacy applications, among other things. Others favor public clouds because of their flexibility, lack of upfront capital expenditures (capex), etc. Each type of cloud has its strengths and weaknesses, but that does not make it necessarily better or worse than the other, simply different. The yours is better than mine private-versus-public debate is all the more pointless because the reality of cloud computing is not at the extremes but in the middle, being: not just one or the other but a mix of private and public clouds not just one and the other but a variety of hybrid offerings in between. For example, an increasing number of companies will turn part of their private cloud into a public one, for partners as well as customers. Some of these offerings will be infrastructure (IaaS/PaaS-type) ones; other will be SaaS/business process offerings.
29
The two issues are orthogonal to one another: Some private clouds are shared: The notion of a private shared cloud is particularly popular among public sector organizations at the moment. We expect that the success of cloud computing as a concept will lead to more shared private clouds across different organizations, not just business units of the same organization. For example, IT services company Savvis offers a variety of cloud services, available both as a dedicated infrastructure offering devoted exclusively to a single customer and a shared infrastructure service in which pooled resources are provided to multiple customers on an anonymous, on-demand basis and at a lower price point. It is also considering a cloud exclusively for the use of customers in the capital markets, yet shared among them. Some public clouds have parts dedicated to a single user: In August 2009, for example, Amazon Web Services (AWS), the cloud computing subsidiary of Amazon, added a virtual private cloud offering to its portfolio. We expect hybrid public-cloud-based virtual private clouds to become one of the major trends in cloud computing in the next two years.
30
2.6 Recommendations
Recommendations for enterprises
Be specific
Cloud computing means different things to different people. When talking about it, be specific. Are you talking about IaaS, PaaS, SaaS, public clouds, private clouds, or a mix?
Be pragmatic
It is difficult not to get drawn into the endless debate about what cloud computing is and is not, yet you need to avoid it. Most of it is not only pointless, but tends to push participants to extremes, irrespective of the fact that the reality of cloud computing is somewhere in the middle.
Know yourself
In order to figure out which IT assets to keep and manage within a private cloud, which to trust to a traditional IT service provider, and which to source from the various public cloud solutions on offer, you need to understand what you have and where you want to go.
Consider whether you are ready for cloud computing, not just whether cloud computing is ready for you
Adoption is a two-way street. It is not just about whether cloud computing is ready for you: it is, more importantly, about whether or not you are ready for it. The fact is that many enterprises are currently not ready for private or public clouds or any type of hybrid in between. Many enterprises lack the knowledge, skills, and metrics among other things to figure out what is best for them, hence the increasing number of vendors offering their services to help them do just that. Train specialists and adapt systems, processes, and metrics to remain in control while benefiting from the instant provisioning capability of public clouds.
31
More explicitly define how to get from current data centers to private clouds
Depending on whom you talk to, the private cloud is either the aim of the data center evolution (the next-generation data center) or the part(s) of the data center that is ahead of the rest (with specific workloads running on the part or parts reengineered to act as a cloud). What is needed is a way to reconcile the two approaches (private-cloud-as-a-journey and -as-a-shortcut) to understand when on the road towards next-generation data centers users should take shortcuts. Unfortunately, most vendors currently emphasize the second approach rather than trying to reconcile the two.
32
Incorporating
WWW.OVUM.COM
3.1 Summary
Catalyst
Most cloud strategies have an initial focus on cost reduction or improved cost efficiencies, for two main reasons: the global recession, and the failure of many on-premise IT investments to deliver the cost savings they were supposed to. This is easier said than done, as cloud computing may lead to some cost reductions but introduce complexities of its own for users. This reports looks at costs, pricing, and licensing issues related to the various types of public cloud offering. It contrasts these offerings, including comparison with private clouds.
Ovum view
Cloud computings focus on cost is part of a wider cost scrutiny effort
Software vendors have always offered their wares on the promise of cutting costs or boosting productivity. The lure of cost savings usually turns out to be a triumph of hope over experience, however. Cost savings are now a more explicit and definite objective. Many organizations are strengthening benefit realization processes that increase executive accountability for cost-saving targets. This is flowing through to an increasing interest in cloud computing from early technology adopters.
IaaS, PaaS, and SaaS are converging from a pricing and licensing perspective
The subscription model used by software-as-a-service (SaaS) as well as open-source vendors disrupted the status quo of the incumbent software vendors. The transparent and flexible usagebased/metered approach of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) is even more disruptive. The IT industry is moving towards hybrid pricing and licensing approaches to public clouds to cater for as wide a range of needs as possible. Consequently, while SaaS will move towards the pay-as-you-go (PAYG) approach, IaaS and PaaS will move in the other direction towards subscription and less flexible, but cheaper and predictable, schemes.
Private clouds are emerging to make the internal data center more cost-effective
The notion of private clouds has become popular with the objective of boosting data center economics (an endeavor that was hastened by the emergence of public clouds but predates this emergence). For many large enterprises it makes more sense to boost the cost-effectiveness of currently owned data centers (via virtualization, automation, service-oriented architecture, etc.) than to seek to drive costs down by turning to public clouds.
35
Key messages
Enterprises need to scrutinize and adapt to public cloud cost characteristics. Public cloud pricing structures are evolving, but not always as expected or for the better. Private clouds put public cloud costs in context.
3.2 Enterprises need to scrutinize and adapt to public clouds cost characteristics
Public clouds have attractive cost characteristics
Lower costs via economies of scale
The cost advantage of public cloud services is based on the economies of scale achieved in large (often brand new and state-of-the-art) data centers that underpin the public clouds services. These economies stem from a variety of sources, such as: Volume discounts for resources including facilities, power, bandwidth, hardware, and software. Automation, consolidation, and standardization efforts (for example, provisioning, maintenance, and backup) that minimize costs by enabling a smaller group of people to take care of a larger pool of IT assets. Centralization of resources, which enables, for example, easier and faster upgrades (along with software design choices such as multi-tenancy). The use of commodity hardware and software assets: software is often tweaked or custom-built to make the most of its underlying commodity hardware. Most of this is open source, with the public cloud service vendor taking charge of freely available source code and optimizing it for its own ends, rather than turning to commercially available versions of open-source products. Uncorrelated demand aggregation: as they pool demand from multiple customers, cloud service providers reduce usage variation and maximize use. For example, they can help the retail sector deal with the peak of Christmas shopping and the public sector with tax return season, without users in these sectors having to invest in IT assets that would be underused at other times of the year.
36
Ongoing costs are much higher than upfront costs, which significantly drives down the total cost of ownership of IT assets delivered via public clouds. Lower upfront and ongoing costs make it easier to correlate the benefits of using the software with the cash flow required to invest in that software. They also result in faster time-to-benefit for each of the projects that public cloud services underpin.
37
In the IaaS space, public cloud providers compete with hosting providers that are used to thin margins. As a result, while public cloud offerings start cheaply, they only prove cheaper for specific types of usage for example, handling of peak workloads and ad hoc processing of data such as video encoding. In most cases the hosting offering, although not as flexible, proves a cheaper alternative in the long run. In the SaaS space, public cloud providers compete with on-premise application software vendors that are used to high margins. It is, therefore, easier to pitch their wares below the cost level of their competitors.
38
Enterprises need to set up procurement systems, processes, and metrics that support not just procurement experts but also the average user. Anybody can procure cloud services easily, but this democratization of procurement comes with its share of dangers. Even those companies with tight controls on business card purchasing have had nasty surprises on receipt of their monthly bills. These come as a result of employees using the business credit card to buy public cloud services but failing to understand what they are getting into, or to use and manage the services they bought. For example, it is common for developers to provision themselves with an Amazon virtual machine, use it for awhile, and then forget about it. More importantly, they also forget that while they are not using it, Amazon happily keeps charging for it.
Architects and developers need to understand the cost implications of their actions
Architects and developers need to understand the impact of IaaS and PaaS pricing structures on the software design choices they make. For example, a pricing structure that combines cheap compute resources with not-so-cheap storage resources should be met with applications that are processingintensive but not overly demanding from a storage point of view (or at least compress data). It should not be the other way around, either, as this would go a long way towards neutralizing the cost savings that public clouds are supposed to deliver. Unfortunately, most enterprises are unaware of this issue. Even if they were, most would be unable to address it, as it would require the re-engineering of their application lifecycle management (ALM) processes (if they have any). Similarly, developers can easily spend too much time fine-tuning their Amazon IaaS virtual machines instead of being more productive elsewhere.
Speed and ease of procurement are more attractive than lower costs
Public cloud services are provisioned faster and more easily than their on-premise alternatives. PaaS helps to drive development times down. SaaS does the same for application implementation. These characteristics mean faster time to benefit or to market, or both, which helps customers outflank competitors.
39
Lower risks and flexibility are more attractive than lower costs
Public clouds reduce not only the cost and pain, but also the risk, of using IT assets. This is more the case for IaaS and PaaS, with their PAYG approach to pricing and licensing, than for SaaS, which favors the less flexible subscription approach. IaaS and PaaS vendors have a usage-based/metered approach with no long-term commitment or contract and the ability to scale usage up or down on demand. They do not penalize users if their level of usage changes, which allows users to do away with capacity planning. (However, this will require internal controls to ensure that users do not go overboard.) It makes it easier not just to use IaaS and PaaS (as well as some SaaS) services, but to: Meet unpredictable demand: the ability to do this cost-effectively and with an acceptable QoS is, according to some, the key value that public clouds bring to the IT table. Innovate: supporting innovation is not only one of the two main challenges facing IT today (besides cutting costs), but also the most important. Therefore, many enterprises consider this flexibility to be more important than the cost savings enabled by public clouds.
New technology and efficiency are more attractive than lower costs
In October 2009, the Los Angeles City Council awarded Google a $7.25 million, five-year contract to put the councils 30,000 employees on a SaaS email offering. It would have cost the council significantly less to stay on Novells on-premise GroupWise system. However, the council wanted to switch to a new technology and the efficiencies that come with it in areas such as procurement, flexibility, and cost.
3.3 Public cloud costings evolve, but not always as expected or for the better
Evolution will not result in complete commoditization
Commoditization is the name of the game, within limits
Many believe that, driven by their underlying economies of scale, public cloud services are engaged in a race to the bottom that will depress prices and profitability across the IT industry. They are partly right, but will eventually be disappointed if they expect the impact of the trend towards commoditization to be broad and deep. (Commoditization has always been there cloud computing is only one of its newest faces.) Instead, it will be neither, for a variety of reasons including the different cost profiles of the various public cloud segments and a lack of interoperability between public cloud services. On the other hand, some expect that as the public cloud market consolidates around a smaller number of players and remains riddled with interoperability issues, prices will eventually increase. However, we do not think so. There will not be any large-scale consolidation in the short to medium term, and interoperability is likely to improve, as it is key to the ecosystems underpinned by cloud services.
40
41
Overall, vendors will need to carefully balance the drive for market share with the desire for profitability. Thus, such efforts are unlikely to result in price wars in the SaaS market that are as deep as those in the IaaS and PaaS markets. Many vendors will increasingly benefit from the cost savings delivered by IaaS and PaaS infrastructures but, in order to boost profitability, will not pass all of these savings along to customers.
42
43
All-in-one pricing
Public cloud pricing is more transparent than on-premise software pricing because it includes updates and upgrades as well as technical support. In a perpetual upfront licensing scheme, updates and upgrades are excluded from the upfront price (although they may be included if it is a term license). Updates, upgrades, and technical support are priced either independently or bundled together as a maintenance fee and paid on an annual basis as a percentage of the upfront price (usually a nominal rather than discounted price). Because of lower upfront license revenues and industry consolidation, in the past ten years vendors have: increased upgrade and maintenance fees, as well as charges to transfer ownership in the case of mergers and acquisitions started to limit customers to small updates rather than version upgrades and offer upgrades for a higher fee; for example, the 2005 Microsoft Open Value three-year license payment program included new version rights as well as support and training for 27% of the upfront price limited the technical support included as part of the maintenance fee. These are some of the reasons why enterprise customers have started to turn to public cloud services (among other tactics, such as negotiating maintenance fees down, turning to third-party maintenance providers, or doing away with maintenance altogether). Some public cloud vendors are keen to build on this by adding more value to their bundles, such as free training (for example, SaaS vendor Intacct).
Increasingly complex
Customers have always complained that upfront licensing schemes are overly complex, based on a variety of units, including: named, concurrent, and power users (or seats) server or central processing unit (CPU) or, in the case of an appliance license, hardware boxes, boards, blades, and so on component or component stack/suite, site, and so on all-you-can-eat enterprise volume licenses. These schemes are complicated further by technological developments such as the increasing distribution, componentization, and virtualization of software applications, as well as the rise of multicore and grid/cluster computing. Vendors say that this complexity reflects customers wide-ranging requirements.
44
Public cloud services only partially do away with this complexity. Subscription approaches to pricing and licensing are less complex than upfront perpetual licenses (which are mostly limited to units of users, seats, or sites). PAYG approaches started out simply, but are becoming increasingly complex. PAYG pricing may be available for all to see, compare, and contrast, but users have to compare granular structures (such as the price for a CPU per hour, data transfer, or storage space), which can differ significantly. In the process, they need to decipher what lurks behind the various terminologies adopted. In addition, in the IaaS space (with the PaaS and then SaaS markets likely to follow), public cloud service providers are expanding from PAYG pricing schemes in a variety of directions. Amazon Elastic Compute Cloud (EC2) is a good example. It started with a straightforward on-demand PAYG scheme and then, in 2009, added: Reserved pricing (March), which enables customers to reserve compute resources for important applications for one- or three-year terms. This tiered commitment pricing scheme offers discounts of 3050%. Spot pricing (November), which allows customers to bid for unused on-demand or reserved compute resources and keep using them until Amazon needs them back or the customer is outbid. Customers pay the spot price rather than the maximum bid price that they specify. This scheme is relevant to workloads that can deal with lower resources such as batch image conversion, video rendering, and financial analysis. Other pricing schemes include: a configuration approach, where the customer starts with a basic configuration for an entry fee and then pays extra to add various services an upfront or joining fee to build and configure the system, and then yearly, quarterly, or monthly recurring payments a schedule-based approach, whereby enterprises commit to a fixed number of units based on expected requirements buy-back, which enables public cloud providers to buy back some of the capacity of a virtual private cloud if it is unused this approach is similar to the smart-grid/metering work in the utilities space vendor load balancing, in which the public cloud provider adds capacity based on resources (for example, if the CPU is more than 80% busy for five minutes, the vendor adds 30% more capacity) or virtual machines (the vendor adds virtual machines to run any extra workload). As a result, while pricing is transparent, cost-benchmarking exercises quickly become challenging (but not impossible).
45
A smaller group will focus on success-based models for example, payment based on achieving certain productivity, employment, and/or revenue growth objectives. Most public cloud service providers shy away from this approach, as it is much more dependent on the ability of the user company than that of the underlying software used by the firm. On the other hand, the ability to demonstrate an understanding of the needs of a specific customer or industry sector from a pricing and licensing point of view could yield benefits and strengthen the customer relationship based on a partnership approach to pricing. It would also make it easier to build a business case in terms that business executives, as opposed to IT specialists, would understand.
46
In the IaaS and PaaS markets, public cloud service vendors usage metering and billing systems need to be able to cope with not only their own requirements, but also those of the third-party developers and SaaS vendors that use their platforms. IaaS and PaaS service providers are particularly keen to make developers and SaaS vendors lives as easy as possible by offering them, among other things, the ability to sell and bill applications via an online marketplace. These capabilities need to become more flexible. For example, Amazon cannot currently support multiple vendors per virtual instance because it would be difficult to split revenues from each virtual instance between Amazon and a variety of vendors. Third-party developers and SaaS vendors using the usage metering and billing systems of IaaS and PaaS service providers are also facing a growing challenge. The more diversified the portfolio of public cloud services they use, the more complicated it will be to integrate their own usage metering and billing systems with the usage metering and billing systems of these public cloud services. Currently, few are alert to this challenge. There will be tears along the way for those that do not start to design their systems to cope with heterogeneity soon.
47
Smaller companies: the McKinsey report acknowledged that IaaS may not be the best option for large enterprises, but it can be cost-effective for SMEs as well as start-ups. (However, it still depends on the types of application used as well as breadth and depth of IT assets and expertise.) Indeed, VCs have begun to require start-ups to use IaaS and PaaS public clouds in order to take advantage of their flexible pay-as-you-succeed-not-if-you-fail approach to pricing and licensing. The whole spectrum of the public cloud services: the McKinsey report focused on IaaS. The other components of the public cloud stack (PaaS and SaaS) can be more cost-effective because they deliver more services or require fewer resources and efforts. McKinsey itself acknowledges the costeffectiveness of SaaS over on-premise solutions. McKinsey did a thorough job. However, its approach has shortcomings. An all-or-nothing perspective: the cloud will not be either public or private, but a mix of the two. Companies are unlikely to give up on their existing data center investments because of public clouds, and they should not shy away from public clouds because of these investments. The key issue is to understand, for each company, how and the extent to which public and private clouds complement one another (and other options such as traditional hosting and outsourcing), rather than pitting one against the other. A focus on hard costs rather than soft costs: Some data centers cannot keep up with internal demand, meet requirements on time and on budget, deliver a satisfactory QoS, or retain key skilled workers. These shortcomings have a cost. From that perspective, public clouds are more attractive than it seems from a private cloud angle. In addition, the more dysfunctional the data center, the more likely both developers and end users are to turn to public cloud offerings (creating more dysfunction along the way).
48
Enterprise users need better systems to manage both public and private clouds
In the same way that public cloud service providers need to improve their IT systems to boost pricing, metering, and billing management, enterprise users need to put in place the infrastructure that enables them to: understand and manage internal costs (as well as QoS), based on a mix of tools such as IT resources, assets, service planning and portfolio management solutions, chargeback tools, and metering and billing systems deal with public cloud billing and metering systems: the more they mix and match different public clouds, the more diverse will be the public cloud metering and billing systems with which they will have to cope. Better systems would enable users to track a variety of measures (such as the price of a gigabyte of storage), whether the service is a private or public cloud. It would enable CIOs to demonstrate the cost of the services they provide and put public cloud costs in context in response to CEOs increasing demands.
49
3.5 Recommendations
Recommendations for enterprises
Analyze your figures
In theory, public clouds are cheaper than internal offerings and other IT service solutions. However, in practice, depending on the project, this is not always true. Do not assume anything, and analyze your figures carefully.
50
51
Incorporating
WWW.OVUM.COM
4.1 Summary
Catalyst
Public cloud service providers will rise and fall on their ability to execute and deliver satisfactory quality of service (QoS) in areas such as reliability, availability, scalability, and security (RASS). Many enterprise users are wary of public clouds QoS and RASS limitations but curious about the possibility of adopting the technologies, designs, and best practices of public clouds for their own data centers (rebadged as private clouds). The situation is evolving rapidly with both public and private clouds, as vendors and users are struggling to keep up with new developments.
Ovum view
Public clouds QoS is under close scrutiny
Public cloud providers claim superiority over on-premise IT infrastructures on two fronts: cost and QoS. On-premise IT supporters counter-attack at both levels, but the brunt of their offensive focuses on QoS with a mix of valid criticisms and hyped assertions aimed at generating fear, uncertainty, and doubt (FUD). Public cloud providers should expect the criticism (and FUD) to continue at its current intensity.
Private clouds will find it hard to keep up with the public cloud Joneses
Enterprises QoS expectations are rising. The rise affects both private and public clouds. The more demanding enterprises become with public cloud SLAs and QoS at all (RASS) levels, the more likely the same enterprises will be to make the same demands of their IT departments. Considering the status of many internal data centers, public cloud providers may find it easier to meet these demands than IT departments.
55
Key messages
SLAs are key to cloud adoption. Security is the number-one cloud QoS concern. Reliability and availability are under increasing scrutiny. Scalability underpins cloud computings elasticity. The road to reliable and scalable private clouds requires new thinking and skills.
56
This context will increasingly be that of supply chains, not just individual suppliers
Enterprises are increasingly aware that SLAs between service providers are as important as those between users and providers: a whole public cloud service ecosystem is being created as, for example, software-as-a-service (SaaS) vendors increasingly rely on infrastructure-as-a-service (IaaS) and PaaS offerings. The growing interdependency of service providers makes SLA guarantees and enforcement more complicated, especially when many providers do not want to face up to this complication. For example, when Tibco released its Tibco Silver PaaS offering on top of Amazon EC2, it downplayed SLA issues, focusing on its own offering instead of taking a more holistic view that would have included Amazon.
Public cloud providers need to manage the gap between QoS hype and SLA reality
The gap fuels skepticism
Many enterprises are still skeptical about public cloud providers QoS promises because of the gap between these promises and the SLAs that these providers offer if they offer any. The terms and conditions of these SLAs limit their scope and compensation. Scope: most SLAs only guarantee uptime, not performance, for example. Scheduled maintenance is not considered downtime and, in some cases, neither are outages of less than a specified duration (e.g. ten minutes). Compensation: many limit refunds to credits against future charges. The credits are either pro-rated as time lost against uptime promised, or limited to small percentages of monthly fees. In many cases redress, if any, is reactive rather than proactive: customers have to ask for it. Many SLAs are open-ended contracts. Providers can withdraw their services at will or make changes to their offerings without end users having any say.
57
The ten-year-old SaaS market is the most mature of all three public cloud service markets, but its SLA record is still mixed at best. The IaaS and PaaS markets have yet to catch up with SaaS. Major IaaS and PaaS players such as Amazon and Google have a low SLA starting point, owing to their: consumer-sector roots willingness to keep their offerings in beta form for a relatively long time pile them high, sell them cheap approach to the market.
58
Become more business-related. Vendors will express SLAs in business terms, not just IT-related terms, and define them from an end-user point of view, not just an IT standpoint.
Private cloud SLAs will have to keep up with the public cloud Joneses
Business users are increasingly comparing internal QoS levels with the levels of service delivered by public cloud providers. As a result, the goal of private clouds is to turn internal data centers into more secure, scalable, reliable, and available shared dynamic pools of hardware and software assets backed by stronger, more flexible and more explicit SLAs than those currently offered (if any). Turning a data center into a private cloud will take time and will reuse many of the RASS technologies and best practices of public clouds.
59
Users need time to familiarize themselves with cloud-specific security challenges. Some security risks are similar to those encountered internally or with more traditional IT outsourcing services. Public cloud services introduce more potential vulnerabilities as a result of sharing these services and the possibility of subcontracting parts of them, among other things.
60
The data and metadata (while in transit, in storage, and in use) processed and generated by public clouds: public cloud providers combine a variety of technologies, such as VPN, data leakage prevention, enterprise digital rights management, multi-location backup, and encryption. Public cloud access points: public clouds use service access controls based on identity and access management (IAM) technologies to ensure that only authorized users and applications gain access to the relevant functionality and data. Securing their various application programming interfaces (APIs) is also becoming a priority. Public cloud supply chains: to ensure that no provider in the chain weakens the secure provision of cloud services, the supply chain includes security-centric service providers such as those that provide single sign-on or identity management services. Based on the various resources at their disposal in terms of technology and expertise, public cloud providers claim that they are at least as secure as most internal data centers. They point out that the specialization, homogeneity, automation, and centralization that public clouds offer increase security. They can remain tightly focused on their particular offering, which they can easily and rapidly update or upgrade in case of a problem, whereas enterprise IT staff have to take a more generalized approach. Providers also rightfully assert that, while some public clouds have been used as platforms for malware, they are mostly used as platforms for a new generation of security-related services (such as identity management services, disaster recovery, antivirus, and application security testing) to secure both private and public clouds. For example, SaaS application security testing provider VeraCode achieved a sevenfold increase in revenue bookings in 2009. Most of its revenue comes from large organizations, mainly in the financial services and government sectors, that demand that a security code specialist independently examines software (for both on-premise and SaaS configurations) before they will buy it.
61
Security software vendors are keen to enable enterprises to move towards a hybrid cloud-centric view of security. For example, Novell asserts that for the cloud to become an extended part of their infrastructure, enterprises should use the same security and access control technology, model, and interface for the public cloud as they use internally. An increasing number of people (including representatives of the UK government talking about the countrys government clouds) point out that public clouds provide an opportunity to take a good look at internal security procedures, weave security more tightly into the fabric of IT processes, and redefine the mix of skills needed to achieve IT security. Too many enterprises do not have the governance processes and metrics in place to track the effectiveness of their security efforts.
62
These providers also need to take an interest in the way that data are secured across the data lifecycle (data creation, use, sharing, storage, archiving, and destruction). In the minds of many users, the whole point of outsourcing resources to public clouds is to forget about the operational details of these resources. This is a luxury that firms cannot indulge in. As societies and economies grow digitalized, data governance legislation is likely to tighten rather than relax, making it impossible for enterprises (SMEs included) to wash their hands of this issue. They need to pay particular attention to the following: Data location: enterprises need to know where their data go and what they go through. (As a result, data location transparency is one of the main issues emphasized by the open cloud manifesto published in early 2009.) Data replication technologies, processes, and compliance: user organizations need to understand how public clouds replicate data in order to secure them. They need to know what type of synchronization and recovery technologies are used; whether the locations are independent enough so that if one fails, it does not create problems in the others; and what the data retention and transfer policies are to make sure these do not contravene privacy and data transfer-related legislation and so on. Data confidentiality: some public cloud providers give themselves the right to peek into enterprise data for a variety of reasons, such as advertising or to avoid discriminatory content. Enterprise users need to be aware of these rights and curtail them if necessary (or if possible). These concerns are less related to digital identity and online privacy issues (which are key to the consumer side of public cloud services) than to the protection of intellectual property and trade secrets. Data return policies: enterprises need to consider not just entry, but also exit strategies, and how best to move their data elsewhere should they decide to terminate their use of a particular public cloud offering or should the service provider become unable to provide the service they signed for. They need to seek contractual guarantees that all of their data will be returned promptly and in the desired format at the end of a contract, and that all backup copies will be destroyed.
63
A clearer distinction between the two types of compliance allows public cloud service consumers and providers to put security compliance ahead of regulatory compliance. Most focus too much on the latter at the expense of the former. Instead, security should come first: once secure, IT assets can then be made compliant. Consumers also need to understand how the two issues relate to one another. For example, when Amazon acknowledged in 2009 that enterprises could not run PCI Level 1-compliant applications on its compute and storage IaaS offerings, too many people believed that these offerings (EC2 and S3, respectively) were not secure. That is not the case. The non-compliance stems from Amazon not allowing on-site audits, not from its offerings not being secure.
The public sector is a key participant in the security and compliance debate
Governments are still grappling with the cloud computing phenomenon
When it comes to security and the Internet, governments are users, regulators, and cyber-attack protectors as well as initiators. The 21st century is one of cyber warfare, and war, in all its various guises, is a governmental affair. However, as with actual war, the current problem is less to do with nation states than hard-to-anticipate rogue terrorist movements. As a regulator, the public sector is also a key participant in the compliance debate. However, the public sector finds it as hard to grapple with public cloud security and compliance issues as enterprise users do. In March 2009, for example, the US Federal Trade Commission, the Organisation for Economic Co-operation and Development, and Asia-Pacific Economic Cooperation held a meeting to discuss cloud computing security. The overwhelming message from the delegates was that there was no consensus yet on the best way to regulate cloud services, which are rapidly becoming globalized. Efforts are still mostly national and piecemeal, with many governments remaining uncertain of the best way to approach public clouds. As usual, the US leads the way with centralized efforts to define a national security and compliance framework for public, private, and hybrid clouds.
64
65
66
67
Public cloud providers are open about their scalability recipe, within limits
Scalability cannot be an afterthought. It is an upfront design issue that is difficult and expensive to achieve. There are many ways to approach it (with the ability to use more computing, storage, or network resources and the ability to parallelize applications across multiple servers), and it can be delivered via a mix of design and technology choices, such as additional hardware, virtualization, data grids, and distributed caches. Public cloud vendors are willing to share details of choices they have made and provide guidance on how to make the best of their offerings from a scalability point of view. SaaS providers using IaaS and PaaS clouds are also relatively open to sharing their experience (for example, SmugMugs use of Amazon Web Services). On the other hand, many public clouds reach their scalability objectives via custom software (and, to a lesser extent, hardware) assets that they are not so open about discussing. These often consist of a custom software middleware layer aimed at squeezing the most out of basic, inexpensive (x86) hardware and (often open-source) software components.
68
4.6 The road to scalable and reliable private clouds requires new thinking and skills
Public clouds open up new avenues
A renewed debate around how best to deliver QoS
Part of the public-versus-private-cloud debate revolves around which type of cloud is most able to deliver satisfactory QoS at all (RASS) levels. This has led to a renewed debate on how best to achieve QoS levels. There is: consensus on the need to use old, trusted software-engineering principles such as abstraction, separation on concern, loose coupling, and modularization (principles that underpin service-oriented architectures) disagreement on which technologies and technology implementations to choose, as exemplified by the debate concerning database partitioning versus federated database design. Like similar debates, it is extremely nerdy, but reflects a renewed, healthy focus on new ways to deliver QoS.
69
Which database technology is best: over the past 20 years, the relational database model emerged as the dominant jack-of-all-trades, pushing alternatives into the periphery of the market. This trend is now reversing, however, as many public clouds have rejected the model in favor of new and old alternatives. Some of these developments are independent from but accelerated by cloud computing (such as the atomization of the application server services and the virtualization of software, storage, and input/output). At the application level, public cloud providers are leading the move towards stateless applications that relate to the underlying compute infrastructure via asynchronous, persistently queued events. This, in turn, leads to the redesign of data center infrastructures in a way that supports the new stateless applications as well as legacy stateful applications (and ensures that stateful applications deliver true linear scalability by making them more parallelized, partitioned, and distributed).
70
4.7 Recommendations
Recommendations for enterprises
Put your use of public clouds in context
The debate about public cloud QoS too often revolves around extreme positions. The reality of public cloud usage is in the middle in the careful balancing of risks, costs, and benefits. Enterprises need to carefully assess the QoS requirements of the data, applications, and processes that they plan to move to and get from public clouds this is an ongoing effort that they need to weave into their IT governance efforts. A strong cloud computing governance framework would also enable them to manage their own side of the QoS bargain: responsibility for QoS, especially at the security and compliance level, is shared between providers and consumers.
71
72
Incorporating
WWW.OVUM.COM
5.1 Summary
Catalyst
Cloud computing enables enterprises to: deliver IT resources via automated, virtualized, and service-oriented architecture (SOA)centric private clouds consume and combine IT resources from a variety of public cloud offerings mix and match private and public cloud services together into hybrid clouds. Cloud governance enables enterprises to exploit these new opportunities and tackle cloud computing in a systematic manner (instead of the piecemeal approach that currently characterizes most cloud computing-related initiatives). This systematic approach needs to be woven into current application lifecycle management (ALM) and SOA governance efforts as part of IT governances efforts to cross-reference and coordinate governance initiatives.
Ovum view
IT governance is necessary and difficult, and cloud computing (in the form of public, private and hybrid clouds) makes it even more so. It introduces an additional layer of complexity that enterprises need to control in order to make the most of its benefits (including lower costs and on-demand flexibility). However, cloud governance best practices and underlying tools are in their infancy, which makes it difficult to strengthen current ALM and SOA governance efforts in areas such as cloud-centric applications and application programming interface (API) management.
Key messages
Cloud governance builds on IT governance. Cloud governance delivers the right recipe from a variety of ingredients. Cloud governance, like IT governance, is a work in progress. ALM governance needs to expand to the cloud. Cloud governance builds on SOA governance.
75
Each of these trends, including cloud computing: cannot succeed without an effective IT governance framework that promotes and ensures coordination between IT teams promotes, and builds on, the other governance efforts.
Drives service-centric IT
Shared assets are increasingly delivered as a service. The evolution of IT departments from technology managers to providers of technology-based services is fueled by: ITSM, a top-down, business-driven approach to the management of IT that specifically focuses on the need to provide satisfactory service levels ALM, with the aim being to have developers create software that can live up to service-level agreements (SLAs) SOA that is both about service-centric software design (the splitting up of software into components that provide services to one another) and service-centric software delivery (whereby software components are combined and provided on-demand) cloud computing that offers on-demand service-centric IT (hardware and software) asset delivery in both private and public clouds, and thus redefines the way businesses see, use, and pay for IT. Service-centric software delivery (as well as service-centric software design) relies on a contractual approach to services that defines the context in which service providers and consumers relate to one another. The service-level agreement (SLA) is the mechanism that makes the service provider accountable to the consumer (accountability being a core governance tenet). In that context IT governance needs to make sure that the IT department:
76
Successfully manages the transition to service-centric software delivery at all levels (ALM, ITSM, SOA, and cloud computing governance). Does not mistake the transition for the main objective. Service-centric IT is not the end but the means that underpins a top-down approach to IT focused on business scenarios and outcomes rather than a bottom-up approach focused on technology and vendor stacks. This is particularly relevant to cloud governance, where technology considerations often take precedence over business concerns. From a cloud computing governance point of view, the objective is to make sure that IT departments do the following: When acting as consumers (of public cloud services), they must insist on satisfactory SLA parameters and require strong SLA guarantees, besides putting the service provider through a due diligence evaluation process. When acting as providers (of private or public cloud services), they must deliver SLA parameters and guarantees that meet consumers requirements.
go
nce na r ve
SOA governance Cloud computing governance ALM governance ITSM governance Security governance Data governance
IT
er ov IT g
an c
Source: Ovum
77
The objective is to build a positive feedback loop between these various governance domains. The complexity and difficulty of doing so is such that IT governance is not the aim but the journey. There is no big bang implementation but an approach similar to the Japanese Kaizen concept of gradual and orderly, continuous improvement.
Cloud computing governance must be woven into all IT governances federation efforts
IT governance federates other governance efforts with a variety of perspectives. Cloud computing governance should be woven into each of these. They include the following: Asset lifecycle management: IT governance promotes a lifecycle management approach to the various IT assets (hardware, software, information/data) from their creation or sourcing down to their disposal or re-purposing. Each governance effort has its own specific approach to lifecycle management, linked to the specificity of the assets being managed (for example, ALM and SOA apply lifecycle management to applications and software services, respectively). However, these various specific lifecycles can be correlated to one another on the basis of a generic lifecycle management approach, illustrated in Figure 5.2.2. Cloud computing governance relates to all lifecycles (hardware, data, software application, software service, virtual machine etc.). It expands these lifecycles from internal to external IT systems. When both private and public clouds are used, it ensures that the same lifecycle deliverables are created on both sides. Dependency management: cloud computing (along with SOA, virtualization, open source) is one of the reasons why IT departments need to keep up with increasingly integrated, portable, abstracted, and open IT assets. The more these assets prove so, the more (dynamic rather than static) dependencies there are to manage, orchestrate, and automate. The vertical dependency management approach of IT assets also helps map each step of horizontal asset management lifecycles to one another.
ITSM ALM
Application lifecycle
Inception
Construction
Provision
Operation
Change
Inception
Construction
Provision
Operation
Change
SOA
78
EA governance: EA governance provides a system-centric backbone to federated IT governance efforts. In the case of public clouds, it stretches to architectures and IT assets managed by third parties. This requires a difficult cultural shift that will take time. EA governance is also important in efforts to turn (parts of) current data centers into private clouds. APM/PPM integration: federated IT governance relies on the integration of project portfolio management (PPM) and application portfolio management (APM) people, processes, and tools (which may be part of the same suite as EA tools). It also integrates PPM and APM with a variety of teams, processes, and systems outside IT such as the CFO office, investment portfolio management processes, and enterprise transaction systems and risk management systems to link all stages of the software application/service to their business context. When it comes to cloud computing, the challenge is for PPM and APM tools to expand to manage assets that are outside of the organization.
79
Paraphernalia
(of systems, tools and technologies)
People
Processes
Source: Ovum
As shown in Figure 5.3.1, there are six main ingredients to any good governance recipe including cloud governance: people, processes, policies, plans, performance monitoring, and paraphernalia (various systems and tools).
80
Corporate governance
IT governance
Cloud governance
Governance appraisal Board of directors Directors/ executives Governance definition Business executive team IT executive team Governance execution Cloud Center of Excellence
(IT focus)
Strategic governance
Tactical governance
Source: Ovum
81
Private cloud governance is about enabling private clouds to keep up with public ones
The past 18 months have seen a significant shift in focus away from public clouds towards a new concept that of private clouds. This stems from a powerful mix of vendor push (to sell the latest hardware and software and respond to enterprises concerns about public clouds) and user pull (from both business executives wary of public clouds QoS credentials and IT executives keen to remain in control of IT and in possession of their jobs). IT executives cannot ignore public clouds, however, as internal IT cost and QoS will be increasingly compared to that of public clouds. From that point of view, private cloud governance is about: managing the evolution of internal IT from the mundane data center to the state-of-the-art private cloud and making sure that private clouds can live up to public clouds challenge in areas such as QoS as well as speed and ease of procurement positioning internal IT services as competitive alternatives as well as complements to public cloud services (and IT executives as competitors as well as trustworthy managers of these services).
Policies, plans, performance monitoring and processes are the backbone of cloud governance
As shown in Figure 5.3.3, governance connects high-level strategy objectives to low-level project implementations via policies, plans, and performance monitoring.
82
Misson
Strategy
Policies
Adjustments
Governance domain
Plans
Monitoring
Targets
Projects
Source: Ovum
83
Cloud governance relies on paraphernalia in the form of systems, tools and technologies
Paraphernalia are the foundation for cloud governance, yet managed by it
The definition and implementation of policies, plans and performance monitoring as well as processes rely on paraphernalia in the form of systems, tools, and technologies. As with processes, these paraphernalia: underpin governance; for example, IT policies are enforced by rule and/or process engines are subject to EA governance that defines which systems, tools, and technologies to use and how to design and mix them, among other things. The tools are becoming: public cloud-enabled (e.g. Xactium Salesforce.com-hosted GRC requirement management solution or Monitis Amazon EC2-based SOA load testing service) public-cloud service enablers (e.g. PerspecSys salesforce.com Edition Data Governance solution, which enables Swiss banks to use Salesforce.com CRM while retaining sensitive data in-house as required by Swiss law).
84
85
Many governance frameworks are even more limited in scope. For example, a variety of them (FIPS PUB 200, ISM3, ISO/IEC 13335, 15408, 17799 and 27001, IT Baseline Protection Catalogs, NIST 80014) focus on security. Some are generic rather than IT-specific, such as the Balanced Scorecard framework (reused by COBIT), or the Projects in Controlled Environments (PRINCE) framework, applied to project management. Implementing governance frameworks is not that simple. They are evolving quickly. COBIT, for example, has recently acquired two new extensions, Val IT and Risk IT, to respectively help IT investment decisions and mitigate IT risks. Similarly, in 2002 (SW)CMM evolved into Capability Maturity Model Integration (CMMI). They have limitations. Most of them provide guidelines based on how actual enterprises have successfully managed IT, but some (e.g. ITIL) are not prescriptive, and organizations looking for an easy answer will be disappointed: there is no blueprint for implementation. Many are also old-fashioned, ignoring the real complexity of modern IT infrastructures. They have to be adapted to new trends such as SOA and cloud computing. Industry organizations have started to step in, however, and provide either specific guidance (e.g. cloud security guidance from the Cloud Security Alliance) or more generic guidance (e.g. the cloud computing code of practice unveiled in April 2010 by the UK-based Cloud Industry Forum).
Enterprises are struggling to keep up with best-practice frameworks; cloud computing could help
Enterprises are struggling to keep up with the following: The rise of these frameworks: COBIT, CMM, and ITIL have garnered limited support. Other approaches (such as Lean IT) have relatively few reference implementations. The detail of these frameworks: some of these frameworks are so broad (e.g. COBIT, ITIL) that few, if any, organizations have implemented all of their recommendations. Most adopters cherry pick those portions that support specific corporate or IT objectives (such as consolidating the service desk in ITIL) or address key pain points (such as incident management or problem resolution in ITIL). Adaptation to specific circumstance and cherry picking are the right way to go, however, provided organizations do not forget the big picture. The spirit of these frameworks: some IT organizations have used these frameworks in an inwardlooking fashion to define processes and metrics without regards for the bigger picture of business goals, for example. The variety of these frameworks: there are many of them and they overlap and/or complement one another. Vendors add to the complexity with their own twists (e.g. the Microsoft Operations Framework for ITSM). New cloud computing guidance needs to clearly specify how and to what extend cloud governance relates to established frameworks. In return, established frameworks need to evolve to take cloud computing into account, all the more since cloud governance-as-a-service (GaaS) could help in the adoption of these frameworks. As GaaS offerings begin to appear, providers will be able to: start providing feedback on the use of these tools for companies to benchmark themselves against their peers leverage social web functionality for governance practitioners to create IT governance implementation communities make it easier for governance efforts to be shared across LoBs/divisions and between partners.
86
87
ALM governance in the cloud should start small but think big
Public clouds are unfamiliar territory for many developers. Most enterprises find it easier to start with a small specialist team to adopt ALM in the cloud and/or for the cloud. Starting small and taking it one step at a time is the right way to go. On the other hand, enterprises should not forget that, in the end, ALM in the cloud will make it easier to involve more people in ALM by offering: Centralized, standardized, dynamically scalable ALM infrastructure services to audiences distributed horizontally across geographies as well as vertically across organizational units. The zerodeployment benefits of online tools coupled with monitoring and social web capabilities simplify the task of ensuring that all relevant stakeholders view the status of projects, tasks, processes, and activities that are relevant to them. This in turn makes the process of governance easier by getting everybody involved in the process onto the same (web) page.
88
Self-contained (development plus deployment) offerings such as the ones provided by small PaaS vendors. These offerings can democratize ALM by making it easier for business or casual developers to get involved. They also lessen the pressure on IT departments by enabling casual developers to create so-called situational applications. They typically feature forms or GUI-based development or mashup capabilities, rather than intensive programmatic or transactional coding.
ALM governance in the cloud can help weave ALM and ITSM governance together
ALM is expanding slowly to ITSM
When it first emerged, ALM focused on the software development lifecycle (SDLC). The objective was to integrate the various development process steps (e.g. design, development, testing) while ensuring clear separation of concern and normalization between these steps. The concept of ALM then expanded to comprise the entire operating life of an application from the cradle to the grave based on the coordination of ALM and ITSM (as well as ITBM) processes. The reality of ALM has yet to catch up, however. In the on-premise world: Many user organizations have yet to properly implement ALM-as-SDLC. ALMs expansion from ALM-as-SDLC to cradle-to-grave ALM is not even on their radar. Vendors have only started to integrate their ALM-as-SDLC offering and have yet to offer complete cradle-to-grave ALM support. What they offer is limited-point integration between ALM and ITSM offerings.
89
ALM governance in the cloud must live up to the challenge of cloudcentric applications
Adapting to IaaS and PaaS constraints
ALM governance needs to ensure that developers understand and adapt to IaaS and PaaS application deployment environments from a variety of perspectives, including: Cost: developers need to understand the impact of IaaS and PaaS pricing structures on the software design choices they make. For example, a pricing structure that combines cheap compute resources with not-so-cheap storage resources should be met with applications that are processing-intensive but not overly demanding from a storage point of view (or at least compress data). It should not be the other way around either, as this would go a long way towards neutralizing the cost savings that public clouds are supposed to deliver. Design constraints: IaaS offerings usually provide bare-bone virtualized environments that leave developers on their own devices from a management perspective. They need to code the application in a way that enables it to take control of its environment and scale up to the level they want. PaaS platforms handle much of this housekeeping but constrain application design to specific patterns.
90
Produce a properly designed SaaS application: that is, ensure acceptable costs and QoS levels, ease of integration, relevant functionality, and right design choices. The SaaS approach to functionality is different to that of traditional on-premise applications. The latter focus on feature breadth and depth. SaaS applications focus on the 20% of features used by 80% of users. Design choices are critical at all levels, including infrastructure, interface, and service delivery. Developers need to pay particularly attention to service-delivery-centric design, since they are likely to be unfamiliar with what it entails. They need, for example, to make it easier for users to trial the application or to use various levels of features (which may be linked to various price levels). Service-delivery-centric design also requires developers to build usage-monitoring capabilities into the application.
91
The application/process service level consists of software-only services, provided by software components to one another. These are the types of service that most people refer to when talking about SOA services. Public clouds relate to SOA at both: the platform service/SOI level: IaaS and PaaS runtime platforms have been designed on the basis of SOA engineering principles the application/process (SOA) service level: many SaaS applications have been designed on the basis of SOA engineering principles. Similarly, private clouds are expected to follow an SOA approach at both levels.
92
From bottom up (technology) to top down (business): this transition is not so much about moving from one perspective to the other as it is about linking the two together. SOAs are enterprise-level crossfunctional initiatives that span multiple LoBs as well as IT domains. They need to involve both business and IT so that SOA software component policies reflect enterprise-level as well as department-level business policies. From using internal software services to using external services: SOA has always had an external business-to-business aspect, although most SOA efforts have so far been internal application-toapplication efforts. From service-centric software design to service-centric software delivery: while an SOA and the software development process that underpins it do not on their own turn IT into a service-centric software delivery-driven organization any more than a chisel and hammer turn masons into sculptors, they make the process easier. SOA governance ensures the successful implementation of every one of these transitions. This means, for example, making sure that the AD team: does not focus on reuse at the expense of the overall architecture perspective; significant retraining and/or participation in mixed teams with architectural mentoring is essential to avoid an overly development-centric approach to SOA does not dive too quickly into process/BPM issues (an approach that requires too many details too early), instead of dealing with business outcomes first. Cloud computing helps enterprises manage SOA transitions: From SOI to SOA: IaaS and PaaS offerings, as well as private cloud platforms, do not so much expand the choice of SOIs as provide an SOI shortcut, allowing enterprises to focus on the delivery of software services. From building to composing: PaaS and SaaS public cloud offerings provide ready-to-compose building blocks (via a self-service portal/catalog targeted at developers). From service-centric software design to service-centric software delivery (via a self-service portal/catalog targeted at end users). From bottom up (technology) to top down (business): actually in this instance, it is more a case of SOA governance helping cloud computing governance, as cloud computing initiatives are currently too technology-centric. From using internal software services to using external services: public cloud services provide SOA initiatives with an easy way to reach out to third-party software components. However, public cloud offerings are still rather immature and not quite ready to fully support SOAs shift from development to management.
93
94
API policy definition and enforcement API security: APIs are one for the first ports of call for hackers. API management tools need to be backed by strong governance, as API design and management impact both business and IT at various levels. For example, governance support is required to define the context of: API monetization: service providers are currently testing a variety of business models and go-tomarket strategies that mix free basic APIs and paid-for enterprise APIs on the basis of a variety of parameters, such as who is using the API and how many requests are sent to the API, as well as a variety of licensing and payment conditions. API openness and constraints: an increasing number of APIs are open (well-designed and documented, available via self-service). Many open APIs only request developers to give attribution (e.g. Raskpace API). Others are more demanding (Google API prevents reverse engineering, for example). API adoption and community building efforts.
5.7 Recommendations
Recommendations for enterprises
Cloud computing requires governance, but slowly does it
You need a governance framework to benefit from, and adapt to, cloud computing. There is no big bang implementation to cloud governance, but a gradual build-up that provides an opportunity to launch and/or reinvigorate other governance efforts. The objective is to build a positive feedback loop between various governance domains as part of a wider IT federation governance effort.
95
Weave cloud governance into your ALM and SOA governance tools
To avoid cloud governance becoming yet another governance silo, ALM and SOA governance tool providers should adapt their offering to the requirements of both private and public clouds.
96
Incorporating
WWW.OVUM.COM
6.1 Summary
Catalyst
As the adoption of public cloud services becomes more prevalent, IT organizations face a variety of new IT service management (ITSM) challenges. Not only will they need to ensure that existing policies, processes, procedures, and supporting technologies are fit for externally delivered IT services, but also that the IT function remains relevant to the business as an effective part of the IT service delivery chain.
Ovum view
ITSM is key to the adoption of cloud computing
CIOs will need to leverage ITSM people, processes, tools, and techniques to understand which IT services would be better served from private and/or public clouds and the priority for migration from private to public (and vice versa) based on business pain points, internal capabilities, the existing quality of service (QoS), and the cost of provision, with the aim of providing better customer service and improved productivity.
ITIL v3 service strategy disciplines are important when optimizing public cloud usage
Within the Information Technology Infrastructure Library (ITIL) v3 service strategy area, the processes of financial management, service portfolio management, and demand management will become more important, as IT service costs are driven by the level of public (as well as private) cloud service consumption. Enterprise need to get their IT financial management (ITFM: the function and processes responsible for managing an IT service providers budgeting, accounting, and charging requirements) and service-level management (SLM the process of maintaining and gradually improving businessaligned service quality) act together prior to moving to public clouds. Following service migration (to public clouds), there is potential for IT functions to lose both visibility and control of IT services within the cloud. ITFM and SLM will again both be key ITSM capabilities, as will ramped-up supplier management capabilities, as IT organizations endeavor to manage a blended mix of on-premise and cloud-based IT service delivery.
ITIL v3 service design elements will be needed for public cloud service delivery
IT service continuity and information security will become higher-profile ITSM activities in light of business concerns related to public clouds. Availability and capacity management will still be relevant, with the former potentially posing a big risk to be closely managed and the latter hopefully being simplified through public clouds ability to adjust capacity as needed. Service level, service catalog, and supplier management will also be critical people activities in ensuring that public-cloud-based IT services deliver on their promises.
99
ITIL v3 service catalog management is particularly relevant to private cloud service delivery
The ITIL v3-espoused service catalog management process and enabling technology can be used not only for the design and costing of public-cloud-delivered services but also for private cloud self-service provisioning, supporting the cloud ethos of agility and cost-efficiency. By defining a service catalog with a menu of standard service options, policy-governed self-service, and other key service management capabilities (such as pricing and usage tracking), IT organizations will be better able to manage private cloud service delivery.
IT organizations need to be thinking now about the best approach to adding tools for managing a hybrid data center environment
Niche cloud management vendors have already emerged with solutions to address a wide spectrum of private and public cloud management needs and, in the same way that traditional systems management vendors have added virtualization capabilities to existing tools, so they will do with cloudbased capabilities. There is also a third tool possibility, where third-party vendors, spotting a gap in the market, will create solutions that allow cloud management vendor tools and systems management vendor tools to operate in their non-native environments.
Key messages
Public clouds are changing the IT function. Public clouds are changing the ITSM landscape. ITSM technology has a big role to play in managing public clouds.
100
IT Management
Business Specialists
Functional Specialists
Financial Analysis
Technical Specialists
Java Development
IT Department
IT Strategy
Project Mgmt.
Source: Ovum
This structure might appear at first glance to be replacing one set of silos with another, with less clearly defined roles and responsibilities, but it is nonetheless likely to be the more generally adopted approach, with a number of iterations to refine the model over time, because the implications of the proposed change are more fundamental and far-reaching than they first appear. The principle behind the model is that organizational responsibility will become more matrix-like in its construction, translating into employees wearing more than one hat.
101
This model promotes specialization, but only in areas that need a particular focus
This might give the impression that the model is nothing more than a de-skilling of IT, effectively making everybody a generalist. However, on closer inspection, the model actually promotes specialization, but only in areas that need a particular focus. It also supports the concept of overlapping responsibility so that demarcation, or gaps in coverage, becomes less of an issue. It will necessitate the creation of new responsible, accountable, consulted, informed (RACI) charts for roles, potentially extending those created for an outsourcing model. At a basic level, this might be the creation of a specific commercial team to manage outsourced providers with a specific focus on actual service delivery, contractual issues (often with differing interpretations), the financial implications of changes, and the application of service credits (penalties) where appropriate. With more complex service-provision scenarios, the relatively new concept of service integration could be applicable across multiple suppliers. This is based on the fact that, while IT outsourcing can deliver significant cost savings and improve an organizations ability to compete, only around 5060% of outsourcing partnerships are thought to be successful. To succeed with outsourcing, IT organizations need a robust IT governance and service management structure between the service recipient and service providers for service integration. This should be implemented at the outset of any partnership, with an estimated 80% of the causes of failure attributed to governance issues. Consultancy organizations such as Capgemini, IBM, and Tata Consultancy Services are now providing both service integration advice and services. We believe that some organizations will adapt to cloud computing based on the self-selecting team principle where the concept of management is reduced in scope and leaders attract team members based on merit and the strength of their proposal and that IT teams will become more fluid, potentially changing dynamically as both supply and demand change over time. The transition to this approach to IT structure will happen organically as IT leaders recognize the merits of individual team members and their pertinent skills. It will require IT leadership to focus more closely on individual development and cross-team capability reviews to ensure that skills consistently meet the requirements for a potentially changing set of needs. This fluidity of operation and the emphasis on strong individuals performing within flexible teams will also necessitate a change in the way that both personal and team performance is recognized and rewarded by IT.
102
Service Design
Service Strategy
Service Operation
ITIL
Service Transition
Co
To elaborate, the Office of Government Commerce (OGC) Service Strategy book offers the following description of the service lifecycle model:
Source: OGC
103
Service Strategy is the axis around which the lifecycle rotates. Service Design, Service Transition, and Service Operation implement strategy. Continual Service Improvement helps place and prioritize improvement programs and projects based on strategic objectives. An important point to note is that the service lifecycle is driven by strategy, not operational expediency. There is no doubt that IT organizations will need to evolve to reflect the change in focus caused by the externalization and loss of immediate management of some IT infrastructure and IT services. However, even in an IT organization that migrates all IT services to public clouds there will still be a need for IT resources to manage service delivery using best-practice ITSM processes, and for systems administrators and networking professionals to acquire new skills for the new complexities of IT service delivery that public clouds will bring.
104
COSTS
Hardware Software Staff Facilities External services Transfer
Cost elements
Direct costs
Indirect costs
Costs-byservice
Service A
Figure 6.3.2: Service costing overview
Service B
Service C
Service D
Source: Ovum
105
People policies will need to reflect the risk of IT service procurement within the cloud
Public clouds make it easier for business users to slip under the IT governance radar
While public clouds are often touted as offering a wealth of benefits and opportunities to both IT and the business, they also create the potential for business people to circumvent the IT department, directly procuring public-cloud-based services to meet ever-pressing business needs for rapid technology enablement. Whether it is due to poor IT-to-business relations, a need for speed that IT is perceived to be unable to deliver against, the relative costs of internal IT to external provision, naivety, or just maverick behavior, there will undoubtedly be instances of business people considering or even contractually engaging with cloud-based service providers directly. While to many it may seem farfetched, most IT service managers will tell war stories of business functions using local budgets to independently procure the design and development of a business-enabling application with the first the IT function knows about it being when the business function expects them to deliver it.
Unofficial public clouds will quickly make themselves known to IT when issues occur
Public-cloud-based service provision both simplifies and extends the severity of such a scenario. Not only can the application be designed outside the control or guidance of the IT organization, it also now has the potential to be delivered. The IT function will be blissfully unaware of the situation and the relevant business people will probably be happy with their decision to go it alone until something goes wrong. The potential consequences are as follows: The procured IT service cannot be consumed behind the corporate firewall. The IT service doesnt deliver against the stated business requirements in terms of functionality, capacity, availability, or performance. Required changes to the service are not possible, financially restrictive, or both. The service provider goes into administration or just disappears. The promised levels of security are not provided or dont meet corporate IT governance requirements upon auditing. When business people complain to the IT service desk, as the single point of contact for IT failures, and expect it to be able to resolve the issue immediately, the IT organization may have no idea that the service exists let alone what it is, the business process it supports, the third-party vendor used, the SLAs involved, and the escalation procedures required to restore service as usual as soon as possible. Mayhem will follow and no doubt the finger of blame will at least initially be pointed at the IT organization.
106
While this may seem draconian, an enterprise cannot afford to be placed at risk by maverick or even misguided individuals endangering business operations by independently procuring IT services without the necessary level of IT governance applied by experts within the IT function.
6.4 ITSM technology has a big role to play in managing public clouds
Managing service availability will be more complex in the cloud
With public clouds, service availability can no longer be focused on hardware
By the very nature of the public cloud and its make-up, the ability to manage service availability can no longer be focused on the particular pieces of hardware that support the critical business services. This not only applies to infrastructure-as-a-service (IaaS), it also applies to platform-as-a-service (PaaS) and SaaS, which add their own particular twists to the situation. From a service availability perspective, public-clouddelivered services can be considered far more complex than traditional IT infrastructure in that a workload might move across servers, whereas with traditional on-premise delivery a service could be broken down into its static technology components, or configuration items, and be managed from a service availability perspective from the bottom up, with greater ITSM priority or emphasis placed on the hardware that supports critical business services.
Service availability should be measured end-to-end rather than limited to the data center that provides cloud services
This complexity extends beyond the public cloud, however. As discussed earlier, IT organizations will be faced with the need to manage the availability of IT services delivered both in-house and via public clouds (or any hybrid in between). Cloud vendors will offer service-level-based information to enterprises but, especially early on in the customer-service provider relationship, an IT organization may wish to have a greater level of control and visibility over end-to-end IT service delivery.
New tools are emerging to cater for public clouds management needs
Niche cloud management vendors have already emerged with solutions to address a wide spectrum of public cloud management needs for early adopters. For enterprise IT organizations that already use traditional IT management products, however, are they going to want to add more tools to what is already probably an overpopulated tool bag? Just as traditional systems management vendors have added virtualization capabilities to existing tools, so they will do the same with public cloud-centric capabilities. However, will the cloud management vendors add traditional systems management functionality to their solutions, or are they better off being niche players continuing to offer potentially better capabilities than the consolidated approach of traditional systems management vendors? There is also a third possibility where third-party vendors, spotting a gap in the market, will create solutions that allow cloud management vendor and systems management vendor tools to operate in their non-native environments. All three vendor types will potentially offer fit-for-purpose solutions to enterprises, but it is still too early to tell whether a particular approach will prevail over the others. No matter what the future holds for these vendors, IT organizations will need to decide upon the best approach to managing a hybrid data center environment, a decision that needs to be considered and undertaken as part of the overall planning and costing of moving IT services to public clouds. The cost of new management tools will need to be factored in when calculating the total cost of ownership of publiccloud-based IT service provision. In many ways, an IT organizations experiences of and lessons learned from managing within a virtualized environment will be a stepping stone to managing service availability with IaaS public clouds.
107
Increasing corporate familiarity with SaaS makes it easier for SaaS tools
SaaS vendors are not just riding on the back of the global recession, as the benefits are not limited to value for money. There are also the ease of use and ease of version upgrade, but one should not forget the benefits of removing the operation and support of what is essentially a non-business-critical IT system from the often already overrun internal IT organization, allowing it to focus on greater value-add activities.
108
6.5 Recommendations
Recommendations for enterprises
Enterprises need to consider a wide range of public-cloud-based issues from an ITSM perspective
Some public-cloud-based ITSM issues are obvious. An IT organization needs to have a good understanding of the IT services it provides, along with the service-delivery quality levels required, and the SLA targets agreed with the business. At minimum there will be end-user education needs to fulfill, and the potential for non-conformance needs to be managed. Business perceptions of the potential for degradation of service in terms of availability, speed of response, and security will also need to be managed. An area where many IT organizations will struggle is service costing, and an IT organization needs to ensure that oranges are compared with oranges financially when making decisions around public clouds.
Public clouds will necessitate the introduction or reintroduction of certain ITIL processes
Following service migration, there is potential for IT functions to lose both visibility and control of IT services within public clouds. ITFM and SLM will both be key ITSM capabilities, as will ramped-up supplier management activity, as IT organizations endeavor to manage a blended mix of on-premise and public-cloud-based IT service delivery. The ITIL v3 service catalog management process and enabling technology should be used not only for the design and costing of public-cloud-delivered services, but also for self-service provisioning of private cloud services, supporting the cloud ethos of agility and cost-efficiency.
IT organizations need to reassess roles and responsibilities, and peoples skills and capabilities, to reflect cloud-based changes
There is no doubt that IT organizations will need to evolve to reflect the change in focus caused by the externalization and loss of immediate management of some IT infrastructure and IT services. However, even in an IT organization that migrates all IT services to public clouds there will still be a need for resource to manage service delivery using best-practice ITSM processes, and for systems administrators and networking professionals to acquire new skills for the new complexities of IT service delivery that public clouds bring. Understanding and applying the service lifecycle is key, with IT staff viewing and managing technology provision as discrete IT services aimed at consistently meeting business needs for the technology enablement of business processes. SLM will be critical, as the ability to effectively manage service delivery from a third party will become paramount from a business-continuity perspective. As IT becomes more of a conduit between external providers and internal customers and consumers, softer skills will become increasingly important for the majority of IT staff, as they need to work more closely with the business and its component business units or functions.
109
IT organizations need to decide upon the best approach to, and tools for, managing a hybrid data center environment
There are various options available to enterprises. Niche cloud management vendors have already emerged with solutions to address a wide spectrum of cloud management needs. Traditional systems management vendors that have added virtualization capabilities to existing tools will do the same with cloud-based capabilities. Third-party vendors, spotting a gap in the market, will create solutions that allow cloud management vendor tools and systems management vendor tools to operate in their nonnative environments. However, no matter what the future holds for these vendors and their solutions, IT organizations will need to decide upon the best approach to managing a hybrid data center environment, a decision that needs to be considered and undertaken as part of the overall planning and costing of moving IT services to a public cloud, with the cost of new management tools factored in when calculating the total cost of ownership of public-cloud-based IT service provision.
Alternative views
ITIL v3 is not the only best-practice ITSM framework available
While ITIL v3 is consistently referred to throughout this paper, it is not the only option available to enterprises. In many ways ITIL can be considered documented common sense, and for many IT organizations the introduction of ITIL v2 in particular was a formalization of existing internal processes to improve consistency of application and the utilization of industry best practice where needed. So while ITIL has been a platform for worldwide IT service improvement, gaining strong brand awareness and associated popularity in the process, it is not the only option available to IT organizations. An organization could go it alone and use process improvement methodologies such as Six Sigma and benchmarking to drive incremental improvements of existing processes to support cloud. Alternatively, it could opt for the international ITSM standard ISO/IEC 20000, which represents a far greater challenge than ITIL but allows compliance to best practice to be measured. It could also opt for Control Objectives for Information and Related Technology (COBIT), the IT management framework that offers best-practice IT processes with a focus on IT governance and internal controls. So ITIL is definitely not the only option available to IT organizations, just currently the most popular.
110
Incorporating
CHAPTER 7: Glossary
WWW.OVUM.COM
Cloud computing IT (network, hardware, software) resources available on-demand either internally (private cloud) or from a third party (public cloud). Infrastructure-as-a-service Infrastructure-as-a-service (IaaS) combines computing and/or storage, as well as network resources based on standardized hardware (servers, switches, routers) and software (hypervisor, operation system, management) components and associated services (such as DHCP, DNS, LDAP and SSH). Multi-tenant architecture Multiple customers are served simultaneously from one system, rather than from individual instances set up for each customer. Data and processing are logically separated for security. The recoding of existing application software in order to do this involves reworking functions such as data indexing and searching. Platform-as-a-service Platform-as-a-service (PaaS) adds a new layer of software services on top of those usually found in IaaS to make it easier to develop and/or run applications. Private cloud Private clouds are positioned as next-generation data centers. Some define them as the aim of the data center evolution journey, a long patient maturation that starts with companies understanding what they currently have, and then shaping it slowly to achieve a fully dynamic shared infrastructure. Others emphasize the need to take shortcuts along the way by pushing parts of the data center ahead to deliver a focused return on investment. From this perspective, the private cloud is the part(s) of the data center that is ahead of the rest. Public clouds Public clouds are usually split into IaaS, PaaS and software-as-a-service (SaaS) clouds. Software-as-a-service SaaS combines application functionality delivery via a web browser with data encryption, transmission, access and storage services. It can be consumer-centric (such as Flickr photo storage, management and sharing offering); enterprise-centric (such as Salesforce.coms CRM offering) or both (such as Googles Gmail email offering).
CHAPTER 7: GLOSSARY
113
Incorporating
CHAPTER 8: Appendix
WWW.OVUM.COM
Further reading
Datamonitor (2010) 2010 Trends to Watch: Cloud Computing, January 2010, BFTC2534 Ovum (2010) Cloud computing fundamentals, August 2010, OVUM052638 Ovum (2009) Cloud computing in IT services: a primer, July 2009, OVUM051158 Ovum (2009) Data security in the cloud, May 2009, OVUM050904 Ovum (2010) Identity services in the cloud, September 2010, OVUM052712 Ovum (2010) Managed hosting: more of a utility than a cloud, March 2010, OVUM051982 Ovum (2010) The cloud computing strategies of global telcos, July 2010, OVUM052546 Ovum (2010) The clouds open for enterprise storage, June 2010, OVUM052491 Ovum (2010) The role of multi-tenancy in a cloud environment, June 2010, OVUM052476 Ovum (2010) Transformation and sustainability complement the cloud in managed services, June 2010, OVUM052366 Ovum (2010) Virtual private clouds: a very public/private affair, July 2010, OVUM052572
Methodology
Primary research/vendor briefings: ongoing briefings with technology vendors serving the government sector. Secondary research: industry publications, companies annual reports and press releases, and data from public databases.
Author(s)
Laurent Lachal, senior analyst, Ovum software group laurent.lachal@ovum.com Stephen Mann, senior analyst, Ovum software group stephen.mann@ovum.com
Ovum consulting
We hope that the analysis in this brief will help you make informed and imaginative business decisions. If you have further requirements, Ovums consulting team may be able to help you. For more information about Ovums consulting capabilities, please contact us directly at consulting@ovum.com.
Disclaimer
All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher, Ovum (a subsidiary company of Datamonitor).
CHAPTER 8: APPENDIX
117
Incorporating
WWW.OVUM.COM
This Report reveals: Why the public cloud market is more complex than expected. How private clouds are catching up with public cloud capabilities. Why hybrid clouds are the next frontier for the enterprise. That public cloud pricing structures are evolving, but not always for the better. Why service-level agreements (SLAs) are key to cloud adoption. Where public clouds are changing the IT function. Why security is the number-one cloud quality of service (QoS) concern. Why reliability and availability are under increasing scrutiny. That cloud governance, like IT governance, is a work in progress. How public clouds are changing the IT service management (ITSM) landscape.
Incorporating
Ovum Australia
Level 5, 459 Little Collins Street, Melbourne 3000, Australia t: +61 (0)3 9601 6700 f: +61 (0)3 9670 8300 e: info@ovum.com
OI00005-006