Excerpt for Lean and the Art of Cloud Computing Management by Gregor Petri, available in its entirety at Smashwords



Lean and the Art of
Cloud Computing Management


A guide to building Agile IT Supply Chains

by Gregor Petri

Smashwords Edition

Table of Contents


Introduction

The Cloud Academy

Cloud - more a marathon than a sprint

Section 2: Cloud computing - defined

Cloud computing: what is it?

Cloud computing: the benefits

Cloud computing: the risks

Cloud computing: the building blocks

Cloud computing: management aspects

Cloud computing: from definition to deployment

Cloud computing: A better way

Section 3: Cloud questions

Is hybrid the new black?

Will audits and certificates erase cloud security concerns?

Can public clouds be assured?

The day the cloud was out

The private cloud debate is building up steam, but is it worth having?

Who leads cloud computing developments?

Will the cloud end micro management?

Will the cloud drive consumerisation beyond devices?

Will the cloud kill outsourcing, the browser and the web?

Will today’s data centre follow yesterday’s mainframe?

What will be the cloud’s killer app?

Can you have cloud computing without vendor lock-in?

Market developments around lock-in

Is there a role for government in stimulating cloud computing?

Vivek Kundra’s decision framework for cloud migration

Some pragmatic cloud advice from down under

Section 4: A new role for IT management?

The rumours of the IT manager's death were greatly exaggerated

Why cloud spells c.o.m.p.e.t.i.t.i.o.n. for the average IT department

Why is it so complex to make it simple?

Reshaping IT management - by cutting it into two halves?

Rogue IT and stealth clouds

The IT-dustrial revolution

Managing an industrialised supply chain of services

Applying manufacturing best practices

How lean is your cloud?

A service portfolio approach

An IT supply chain model; once more, with feeling

Building your first virtual IT factory

On the importance of planning

Are there any shortcuts or even a better way?

The need for a cloud abstraction model

It’s all about the fabric

Is your cloud strategy 3d-ready?

Eight simple rules for creating a cloud strategy

Appendix

The NIST definition

About the author

0: Introduction

In organisations everywhere, both business and IT are embarking on a cloud computing journey - but from very different starting points. While many IT departments look upon cloud computing as a way to make IT operations more efficient, business departments see it as an opportunity to directly source solutions 'as a service', often bypassing the IT department. This can’t go on. These two groups need to begin talking again; otherwise the scenario will be similar to ‘strangers passing in the night’. Even worse, it is ‘a train crash waiting to happen’.

This management guide aims to facilitate this discussion by providing a non-technical, structured introduction to cloud computing. It also highlights the profound change that needs to take place in the way large organisations manage their IT. Cloud computing has the potential to further transform IT into a utility: affordable, reliable, always on and ubiquitous. And as Nicholas Carr highlighted in his notorious 2003 Harvard Business Review article, utilities need to be managed differently.

The question is: will this new approach to the management of IT increase or decrease the strategic relevance of IT? That is not easy to answer at a time when some predict cloud computing to be an emerging bubble, while others see it as the beginning of the renaissance of IT.

To answer the question, we not only need to understand what cloud computing is and how it is developing, we also need to realise that the management of IT already began its transformative journey before cloud computing was introduced. Cloud computing is the next station on the route to making organisations more agile, responsive, efficient and thus successful.

Gregor Petri

Advisor Cloud Computing, CA Technologies

1.1: The Cloud Academy

About a year ago, we published the Cloud Academy primer “Shedding Light on Cloud Computing”. Since then, interest in cloud computing has blossomed and I have had the opportunity to present our Cloud Academy content at cloud computing events around the world.

This new book encapsulates the insights and knowledge gathered from conversations at these events. That includes the dialogue with cloud practitioners, vendors, customers and the considerable number of cloud computing gurus this industry - despite its young age - already seems to have.

In section 2, 'Cloud computing defined', we include an abbreviated and updated version of the Shedding Light on Cloud Computing primer. This provides a quick recap of the various types of cloud computing, the reasons why organisations would want to implement such a strategy, and the risks associated with cloud computing.

In section 3, we discuss a number of more philosophical questions around this phenomenon that is reshaping today’s IT: How big is the cloud? Can cloud computing be assured and secured? Does it mean the end of the data centre as we know it?

Finally, in section 4, we take a look at how cloud computing is creating both an opportunity and a necessity for IT management to transform itself from being a guardian of the IT factory to an orchestrator of a supply chain of internal and external services.

Some of the content in this book was originally published via the Cloud Academy blog, the cloud storm chaser blog, ITSMportal.com and in several printed publications. I hope you will find it a useful guide for your journey to the cloud.

1.2: Cloud - more a marathon than a sprint

Cloud computing is not an invention. The components that make up or enable the cloud are not new. We have had fairly broad networks for 10 years, have used virtualisation for 20 years and were sharing computing capacity (time sharing) even before I embarked on my working career.

Cloud computing is much more a practical innovation. Practical innovations combine existing technology into a compelling new product. The best example of a practical innovation is probably the Apple® iPod that combined existing and readily available technology like a portable hard disk, a compact headset and MP3 compression in a new type of Walkman. It represents an innovation that has profoundly changed the music industry. Cloud computing has the potential to change the IT industry in a similar fundamental fashion. The thing with practical innovations is that it is not about having the best idea; it is not even about having the idea first. It is all about planning and flawless execution. In other words, despite the hype and the peer pressure, 'ready-fire-aim' is not an encouraging strategy for cloud computing. This is why we decided to launch The Cloud Academy and subsequently publish this book with knowledge and insights from the Academy.

The Cloud Academy’s goal is to give IT and business technology (BT) professionals an opportunity to exchange ideas, discuss experiences and brainstorm about execution strategies for their complex environments. The content aims to be vendor and technology agnostic and covers all the different incarnations of cloud computing, including infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). The Academy is not a course where a teacher explains how cloud computing should be executed. The goal is to increase knowledge and insight, so participants can set a strategy for their use of cloud computing. This book and the brief primer Shedding Light on Cloud Computing were both created in that spirit. The Academy sessions began in Europe in many countries in co-operation with, or via contributions from, recognised cloud players, such as Cisco, NetApp, Amazon Web Services and Cap Gemini.

The sessions are now also scheduled elsewhere, including in North America. During these sessions, debates are sometimes quite heated, as chief security officers, VPs of operations and heads of development (not to mention representatives of business departments) sometimes have conflicting objectives. The best way to resolve this is to build a common understanding of each group’s challenges and opportunities so they can be addressed in a constructive fashion. If you would like to participate in the debate, please join The Cloud Academy group at LinkedIn 001, or attend one of the Cloud Academy sessions.

Section 2: Cloud computing - defined

This section contains a shortened and fully updated version of the “Shedding Light on Cloud Computing” primer that the Cloud Academy made available in early 2010.

2.1: Cloud computing: what is it?

As cloud computing is such a broad topic, it makes sense to look first at some definitions. The shortest one, 'the best computer is no computer', seems to encapsulate much of the frustration that users traditionally had with IT.

A more pragmatic definition is used by consulting firm Accenture: the dynamic provisioning of IT capabilities (hardware, software or services) from third parties over a network. Most definitions, like the one below from Wikipedia, assume that network to be the Internet (or at least some Internet technology).

Wikipedia: Cloud computing refers to the provision of computational resources on demand via a computer network. In the traditional model of computing, both data and software are fully contained on the user’s computer; in cloud computing, the user’s computer may contain almost no software or data (perhaps a minimal operating system and web browser only), serving as little more than a display terminal for processes occurring on a network of computers far away. A common shorthand for a provider’s cloud computing service (or even an aggregation of all existing cloud services) is 'The Cloud' 002.

Most industry analysts have their own definitions, but the most widely used or even ‘official’ definition of cloud computing is the definition provided by the North American National Institute of Standards and Technology (NIST). Following an extensive industry review, this definition was submitted in January 2011 as NIST Special Publication 800-145 (Draft) 003.

In short, this definition says:

  • Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

  • This cloud model promotes availability and is composed of five essential characteristics (on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service); three service models (SaaS, PaaS, IaaS); and four deployment models (private cloud, community cloud, public cloud and hybrid cloud).

The visual presentation of the NIST definition (opposite) gives a nice graphical overview of the components of this definition (source: Australian government cloud computing strategic government paper). In the remainder of this chapter we will discuss the above in more depth. Before doing so, however, let’s remind ourselves of how today’s organisations typically run IT.

In traditional IT environments, stability is the name of the game. Applications - regardless of whether they are built in house or bought as standard packages - run on permanently available, stable in-house infrastructure. Even if the infrastructure and/or management of these applications have been outsourced, the outsourced processes and infrastructure will be dedicated to the customer and boast similar levels of stability. Applications can of course be moved across the infrastructure; but to do so a ‘change request’ is needed, which has to be approved in advance by a change committee. In a pre-cloud environment, they almost certainly are not assigned dynamically to the server that happens to have the most capacity available.

Such stability does not necessarily make this type of environment easy to manage. The inherent complexity of a modern IT environment requires advanced processes, procedures and tools. Often the organisation will have turned to best practice frameworks such as Information Technology Infrastructure Library (ITIL) and Control Objectives for Information and Related Technology (COBIT) to help govern, manage and secure these large and complex environments.

1. Cloud computing service models

When discussing cloud computing, the IT industry has broadly divided the way cloud computing can be used into three scenarios.

Infrastructure as a service (IaaS)

With IaaS, organisations - typically their IT departments - source infrastructure capacity (servers, storage or other) over the web, as a service. For instance, this may be to cater for unexpectedly large customer demand, internal requests for a temporary test server, or an extra SharePoint server for a departmental intranet. In most organisations, the end users will not be aware that their IT department is using such infrastructure cloud services.



Using virtualisation as an enabler, the requested infrastructure can be derived from a private cloud (a pool of infrastructure exclusive to the organisation, either located in-house or at a service provider), or it can be sourced from an external public cloud infrastructure provider. By sharing the infrastructure, at different moments in time and among multiple users or customers, IaaS allows for increased utilisation, reduced capacity requirements, lower cost and lower energy consumption, and also greater scalability and flexibility.

Deployment is also much faster than having new hardware ordered, supplied and installed in the data centre. Due to its dynamics, the allocation and de-allocation of capacity is optimised when fully automated. Often this is done by means of simple scripts, but larger organisations are rapidly turning to more advanced data centre automation solutions.

Some of the more familiar providers offering IaaS are Amazon Web Services, Rackspace, Savvis, Terremark, GoGrid and Layered Tech.

Platform as a service (PaaS)

PaaS is a software development and execution environment that allows developers to develop applications and offer these as a service to their customers or users. Besides offering an efficient, high-level development environment, PaaS also significantly reduces the time required for deployment (moving the developed application into production), as the PaaS provider also hosts the created services, typically in return for a fee based on actual usage or users.

While internal IT departments may use PaaS for building custom applications, it is often also used by independent software developers to create specialised applications and make them available in the cloud more quickly. Easily combining and integrating these standard offerings with customer-specific developments is one of the promises of PaaS. One of the most familiar PaaS examples is probably Japanese Post, which developed an application that allowed millions of customers to check the whereabouts of their postal packages every morning.

Some of the more familiar names in PaaS are Force.com by salesforce.com, Google App Engine and Microsoft Azure.

With vendors like Microsoft offering both PaaS and IaaS from the same platform (for example Microsoft Windows Azure), the distinction between PaaS and IaaS is blurring. With IaaS, users typically bring and install their own software and are responsible for running and tuning it on the provided infrastructure. With PaaS, users provide the application by defining it on the spot in the PaaS development environment or by loading existing (typically Java) application code. However, unlike with IaaS, the PaaS provider is responsible for running it at the agreed performance levels. The PaaS user does not have to worry about adding CPUs or memory; the PaaS provider takes care of that.

Software as a service (SaaS)

With SaaS, organisations do not buy software for installation on their own computers. Instead, they simply use their browser to access the software they want over the Internet.

As this form of cloud computing directly involves applications and not the underlying infrastructure or development efforts, and applications are much closer to users and thus to the business, one could argue that the business impact of SaaS will surpass that of IaaS and PaaS. Thanks to pre-packaged guidance and recommended work procedures typically offered with SaaS, implementation times are also refreshingly short. SaaS has become more attractive as technologies like Adobe Flash, AJAX, Microsoft Silverlight, and HTML5 bring the graphical user interface of web applications up to the standards of modern PC applications. Apps, the new phenomenon of lightweight client applications that act as an 'off-line' front end to SaaS offerings, are also boosting interest in SaaS offerings.

SaaS applications are in many cases used directly by end-user departments, often to a degree that surprises the IT department. For example, sales might simply charge the use of a CRM application derived from the cloud to their credit card, only for it to be lost among the myriad of client lunches and entertainment expenses. One of the advantages of SaaS lies in the vast amount of content that is typically included in the service; content such as photos of every street (Google Maps), CVs of potential employees (LinkedIn) or details of all hotels (Expedia). Offering such vast amounts of content as part of the service is often far beyond the possibilities of in-house applications. If the service provider, in addition to providing software and content, also provides certain processes for the customer, we start to talk about business process as a service (BPaaS).

The 'as a service' ecosystem

Although the various service models can be described individually, they are (or can be) very much related and integrated. A SaaS provider can, for example, decide to build software using the PaaS platform of another vendor, or use the IaaS services of, for example, Amazon to operate on. In fact, most of today’s SaaS providers use public IaaS services instead of owning and running their own data centres.

SaaS experiences
Customer relationship management (CRM) was one of the first areas to demonstrate that business-critical applications did not necessarily have to operate in-house. This sprang from the fact that the intended end users (salespeople) are not in the office very often, and that the sales process is less tightly integrated into internal ERP-type administrative processes than, for example, invoicing or purchasing.

In the airline industry we already see systems for reserving seats and selling tickets offered ‘as a service’ to multiple airlines, often at a cost of just a few cents per ticket. In fact very few of today’s low cost carriers run and maintain their own ticketing system because the available SaaS options do it more efficiently and cost effectively.

Another two common SaaS services are conferencing and webcast facilities. Very few companies feel the need, or have the knowledge, to implement these network-sensitive applications in house. Many believe that other collaboration/communication applications such as email and instant messaging will form the next wave of broadly implemented SaaS applications.

2. Cloud deployment models

Cloud computing can be deployed on an infrastructure that is private, public, exclusive to a community, or on a combination of these (hybrid).

In this book we define private clouds as those in which the use of the infrastructure is dedicated to one organisation (regardless of who owns or maintains it), meaning the infrastructure cannot be used by other organisations. Public clouds, on the other hand, do provide their resources on demand to other organisations, typically over the open Internet.

The private versus public discussion currently plays mainly around IaaS. However, it is easy to imagine large customers such as the U.S. federal government asking a PaaS provider to set up a dedicated PaaS cloud for all its departments (private) or for all federal, state and local government organisations (community). Community clouds are becoming rapidly popular in government, health care and other public service sectors.

Every type of cloud needs to accommodate to some extent the five characteristics of the NIST definition:

  • On-demand self-service; users can request (additional) capacity through some (ideally automated) portal.

  • Broad network access; the resources are delivered/accessed over a network (not physically delivered/placed on or under the desk) and can be accessed from anywhere.

  • Resource pooling; the resources are dynamically shared among all users of this cloud - be it all users in an enterprise (private), all members of a community (community) or all customers of a public cloud.

  • Rapid elasticity; when needed, additional capacity is easily or automatically allocated.

  • Measured service; use of resources is metered (and ideally charged for) on an ‘as used’ basis.

Sharing is the key concept of any cloud computing deployment. By increasing the sharing of resources, efficiency improvements and economies of scale are realised. This includes:

  • Sharing capacity (e.g. servers) across multiple departments/customers.

  • Sharing a server across multiple applications (e.g. using virtualisation).

  • Sharing content (pictures, maps, résumés) across more consumers.

  • Sharing functionality and the outcome of development activities across more users.

Some of these sharing possibilities are not exclusive to cloud computing. However, the simple fact that cloud computing is accessed over a network - i.e. the Internet - makes sharing a lot easier than it was before.

2.2: Cloud computing: the benefits

The principal benefits of cloud computing can be assessed in terms of:

  • Cost savings for cloud service consumers.

  • Efficiency gains for cloud service providers.

  • Increased added value and agility.

1. Cost savings for cloud service consumers


Better infrastructure utilisation

Owing to rapid networks, self-service facilities and rich browser interfaces, cloud computing removes many of the obstacles to the effective sharing of IT resources and cost.

However, when not using virtualisation, sharing servers across multiple applications is still problematic, due to multiple applications severely impacting each other. This has led to a proliferation of servers, commonly known as server sprawl, each running only one application. Thanks to virtualisation, running multiple applications on a shared server is no longer a problem as the virtual machine manager, commonly known as the hypervisor, gives each application its own dedicated sandbox, a virtual container in which untrusted programs can be run safely.

Effectively this means that cloud computing allows IT to share resources and increase individual server utilisation.

New York Times text book example
The classic example of cloud computing is the New York Times’ online archive TimesMachine which takes readers back to any issue of the newspaper from 1851 to 1922. Converting the back issues into a useable format required significantly more computing capacity than the publisher had anticipated, or was in a position to make available. The use of Amazon for conversion and for hosting the document store in the cloud led to significant cost savings.

Pay-as-you-go flexibility

As cloud providers only charge for actual usage of the consumed services, the total cost of IT can start to vary according to use. Prior to the arrival of cloud computing, IT costs were typically fixed annually (based on a fixed number of computers, a fixed number of licences and a fixed number of operators). If the total IT department costs $60 million per year to operate, then $60 million was typically cross-charged at the end of each year to the user departments regardless of whether they made use of the installed systems or not.

With cloud computing, the cost of IT resources such as servers, storage and software can vary significantly. Cost becomes variable when organisations start to procure only what is needed. For example, when companies buy capacity from telecommunications companies instead of building and maintaining their own wide area networks (WANs).

Why buy a taxi if you only need a ride?
Cloud computing cost models can be compared to the cost of owning and maintaining a car or aircraft, versus the cost of public transport, like a taxi, plane, train and rental car.

When travelling by public transport, the price of the ticket is a contribution towards the total cost of running the service: no trip, no expense. With a car under ownership, a significant investment has to be made first, but once a certain number of miles is reached (high utilisation) then in theory that investment can be recouped by the lower variable cost per mile.

In a similar vein to the company cars analogy, as cloud providers become more efficient at offering computer capacity and market competition forces them to pass these efficiency gains on to their customers, it becomes less and less attractive for companies to own their computing infrastructure.

One could compare SaaS to flying on a commercial airline (the route is already determined), PaaS to using a taxi (you tell it where to go) and IaaS to driving a car yourself. To take the analogy further, IaaS in a public cloud would be like driving a rental car (you drive it, but you can give it back the minute you no longer need it). IaaS in a private cloud would be comparable to a company pool of cars (shared among employees, but all responsibilities for purchasing, repair and maintenance remain with the company). The private cloud offered by a managed service provider could be compared to using a leased car (the lease company buys, maintains and repairs, but you are the sole user and are required to use it for the full period).

Capex versus Opex

The ability of cloud computing to make the service cost variable with use also enables these IT services to be funded as an operational expense (opex) rather than as a capital expenditure investment (capex). Moreover, the decision process for opex is usually much shorter and less complex, as the risks are deemed lower and more easily identifiable. It is like choosing a house: the potential risk of renting a property is lower than the risk of buying a house outright.

Organisations typically invest in areas they identify as core capabilities, such as manufacturing or research and development (R&D). They typically treat other areas like housing, catering or company cars more as expenses. The question organisations need to ask concerning cloud computing is this: Which parts of IT do they see as core capabilities they want to invest in, and which parts of IT do they want to source in the same way as other non-primary resources?

It is important to realise that the answer to this question can vary by type of industry and type of company. The sports company Nike, for example, believes manufacturing does not necessarily have to be done in house, but R&D does. Moreover, running a network could be crucial for one type of company (a telecommunications provider, for example), while for others it is better sourced as a commodity.

Nicholas Carr asked whether IT deserved to be considered strategic in his now notorious Harvard Business Review article 'IT does not matter' 004. Companies will need to decide what aspects of IT might make a strategic difference to their business. Running desktops, a network or servers might not give that competitive edge, but designing friendly applications for end-user customers might just do the trick.

Proof before purchase

Most organisations do not know upfront beyond reasonable doubt how long and how widely a solution that is yet to be implemented will be used. Therefore, an opex-based pay-per-usage model makes sense. But in case the solution turns out to be widely used for a long time, it may have been more cost effective to buy the solution (capex).

Cloud computing can enable companies to start off in the cloud (as opex) and bring projects back in house (as capex) when it becomes clear it will be used intensively for the next ten years.

If the implementation (for some unforeseen reason) is expected to be discontinued in just a few years, then it would be better to continue to finance it as opex. Not all vendors offer this flexibility yet; many solutions are only available in one model. Over time, however, buyers need the flexibility to move solutions from one model to the other and vice versa; for example, from opex to capex, from in-house to as-a-cloud service - or from one cloud provider to another.

2. Efficiency gains for cloud service providers

Cloud computing opens up potential cost savings to service providers which, in a competitive open economy, will be passed on to their customers. Provider savings are typically derived from:

Volume discounts

The typical cloud provider will buy infrastructure in very large volume, allowing them to negotiate much higher discounts than the average end-user organisation.

Operational savings

Most of today’s SaaS applications are based on multi-tenancy, meaning that all customers make use of the same configuration, version and implementation. Patches and bug fixes only need to be applied once, and upgrading to a new release immediately moves all customers to the latest version. This eliminates the potentially substantial cost of maintaining previous releases.

But also, in non-multi-tenancy environments, where each customer is in a dedicated, separate environment, providers can boost efficiency by automating upgrade and update processes. A provider upgrading 1,000 customer instances in its data centre, for example, can do this more efficiently (by automating the process) than 1,000 customers each upgrading one unique implementation.

Development platform savings

Cloud vendors can significantly reduce their costs by deploying their services on one platform, instead of supporting a multitude of platforms, whether it is mainframe, Windows, UNIX or Linux at multiple versions and releases.

The total cost of cloud
At first sight, cloud services can appear to be more expensive than traditional IT. With traditional software the customer typically buys the license (often as little as 10 percent of the total real cost) and pays separately for hardware, network, storage, operating systems, installation and support. With SaaS all these costs are wrapped up in the monthly user fee, making that look high in comparison to the original cost of the software license. It is the same for infrastructure: the cost of hardware is just a fraction of the total cost of ownership (TCO) which includes installation, patching, warranties, backup, and failover. So it does not make sense to compare that hardware cost to the cost of IaaS on a one-to-one basis.

3. Increased added value and agility

Shorter time-to-value

Cloud computing means shorter time-to-value for both applications and infrastructure. SaaS is often implemented in a fraction of the time required for traditional on-site applications just because it is ready, available and waiting. It provides an attractive, practical and ready-made alternative to requesting and provisioning in-house resources. Even to start a simple pilot in traditional organisations can easily take several months.

The same is true for IaaS. Getting additional capacity for a large number-crunching or data-analysis project in the traditional way takes time. Being able simply to rent this capacity in the cloud can be much faster and more cost effective.

Many CIOs struggle to explain to their CEO why implementing ERP took years and cost ten times more than the cloud-based CRM application that went live within six months - with a comparable number of users, and with greater impact on the business.

Striking the right balance
The ideal cloud provider should understand and be experienced in balancing economies of scale with catering for specific customer demands and warranting continuity.

In the event of a breakdown of one of the large public email services, for example, all we can do is read the press release notifying us of the mishap, which of course will be in line with the published terms and conditions. And then wait for service to be resumed, along with a few million other users!

If, however, we use a niche application from a company with only a few other clients, the only option we have if this supplier gets into difficulty, is to take over the whole set-up including its staff. This may sound far-fetched, but has happened several times in the world of traditional software.

This may lead to traditional outsourcers and managed service providers being more likely candidates as cloud providers for the average enterprise than small innovative SaaS start-ups or large ‘mega cloud’ infrastructure providers.

Elasticity

Being able to scale and deploy additional servers or storage over the web quickly is an important benefit of IaaS. It is commonly referred to as elasticity. In the case of PaaS and SaaS, we also see organisations scale up quickly from just a few users to many thousands.

The peaks and troughs in required capacity can be extreme. While a company can make reasonable capacity estimates by estimating when internal users are likely to log on to their email system, judging the required capacity for applications offered directly to customers or consumers over the Internet is a lot more difficult. The more companies begin to interact directly with the general public over the Internet, the more important elasticity becomes, as this provides the flexible capacity needed to manage the user experience to a satisfactory standard.

Higher added value

Cloud applications can offer greater added value than traditional in-house applications in terms of the content they provide.

A typical example is LinkedIn, a constantly updated database that offers profiles of virtually every current, former and prospective employee in the world (provided they have registered on the service). Many HR departments are now using such systems to look up details of their employees because these profiles are often more up to date than those held in house. Another example is Expedia, the travel website. The average in-house travel department cannot include every hotel on the globe in its database but Expedia and several other travel services do.

2.3: Cloud computing: the risks

There is one area where the cloud draws the most resistance: risk. For cloud computing to become as ubiquitous as many expect, cloud vendors will need to address the risk and security related concerns that customers have with regard to:

  • Availability

  • Privacy and legislation compliance

  • Fear of data theft and loss

1. Availability

Availability (having access to a working application when needed) is a concern as old as computing itself. Organisations need to decide what level of availability they require per application. Not all applications are critical. For example, hospitals typically have a backup generator in the basement, whereas local primary schools do not. If a bank currently has a 24/7 failover facility for specific applications, it would be strange if it did not demand the same from its cloud infrastructure or cloud application suppliers. For other applications the need may be significantly less.

In an IaaS environment, the virtualisation layer makes movement of workloads across different cloud providers feasible, making it easier to restore availability; although such portability is not as easily available with PaaS and SaaS vendors. Various vendors are working on addressing these concerns. For example, SaaS escrow services provide a backup copy of the executable software and a copy of the data that allows the customer to continue to run the SaaS application elsewhere should there be an extended interruption of service. We will return to this topic later in the book.

The reliability of access to the Internet is another issue. Larger organisations typically have (or should have) a degree of redundancy built into their Internet access; for smaller companies though, the availability of the cloud is likely to be the greatest concern. For instance, a two-day Internet breakdown in the Netherlands resulted in a large number of cancellations for a local book-keeping-as-a-service supplier, as customers ran back to the local PC store for a desktop and a software package to install in their own offices.

2. Privacy and legislation

Moving data off site through outsourcing is one thing. Not having a clear understanding of where that data is, for example not knowing even which country it is in, is something else.

Some of the aspects that need to be examined in detail for each cloud offering are:

  • The specific terms and conditions offered by the service provider.

  • The flexibility of the arrangements with the service provider.

  • The conditions for exit and termination of the agreement.

  • The legal and practical implications of moving specific types of data off-site.

Cloud providers are beginning to address some of these legal and privacy concerns; offering, for example, to guarantee that the data for a specific customer will stay within a certain geographic region. Google has committed to provide a cloud environment dedicated for U.S. federal government use, where data will be stored inside the U.S. and access to this cloud will be restricted to government employees and certified Google staff only. But unlike other providers, Google has yet to offer a guarantee for data to remain inside the European Community.

Associations like EuroCloud are also looking to prevent privacy and legislation requirements becoming so strict that they undermine the use of the cloud and its potential benefits.

3. Data theft and loss

Given the headline-grabbing breaches caused by the careless loss of memory sticks and laptops, data security remains a concern. It may come as a surprise to some though that many cloud data centres are physically and procedurally ring-fenced to a greater degree than their enterprise or government counterparts.

Customers also need to understand the encryption and backup measures the provider is taking. For example, many cloud email providers store emails in an encrypted form, so their employees cannot read them. Customers should evaluate these measures on a regular basis and decide whether these precautions are adequate for their needs or not.

4. Other mishaps

When discussing risk we often focus on protecting ourselves from bad guys and mishaps like disasters of nature. But what if a provider consciously decides to cease providing a service - like several providers recently did with regard to WikiLeaks? WikiLeaks is a special case, but a similar thing happened to a small company that was sent confidential bank information by mistake. Even though it was an admitted error of the bank, a court ordered that the cloud email provider should block the mail account of the company immediately. This was no failure of technology; instead it was bureaucracy that prevented this company from reaching any mail for several weeks. Not having an alternative way to send, receive or access older email proved highly disruptive to the company concerned.

Moreover, consider the case of a project manager who uses a cloud service to plan and monitor the most important project for his company. Due to a credit card mishap the subscription is not renewed, resulting in the supplier, in line with the published terms and conditions, deleting all the details of this project. Who in this case is liable for any delays the company experiences on this project? And how can such mishaps be anticipated, prevented and overcome?

5. Users and identities

Cloud computing also poses new demands on user management. Just as we allow or deny users access to in-house applications based on their roles and responsibilities, we need this ability in a cloud environment as well.

Consider this SaaS example. When a former employee’s access to the company intranet and network is removed, this includes all internal applications. Control lies with the organisation that maintains a central record of roles and responsibilities to notify all applications that this former employee is now denied access.

But with the cloud, often the company email address is used as the user ID. Theoretically, the former employee could still use his old company’s email identity to continue blogging, use social networking sites and maybe even business applications like CRM posing as a representative of his old company.

The solution? Single sign-on, which permits a user to enter one name and password to access multiple applications. Single sign-on will deliver the same in-house user management in the cloud, as well as removing the need for authorised users to remember multiple passwords and user IDs.
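The former-employee scenario above can be checked for directly by reconciling the central HR record against the account lists exported from each SaaS application. The following is an added example, not part of the original book; the application names, addresses, field names and severity labels are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR data: the central record of who still works for the company.
HR_RECORDS = {
    "alice@example.com": {"status": "active", "left": None},
    "bob@example.com": {"status": "terminated", "left": date(2024, 3, 1)},
    "carol@example.com": {"status": "terminated", "left": date(2024, 5, 15)},
}


@dataclass(frozen=True)
class SaasAccount:
    app: str
    user_id: str                 # company e-mail address used as the login name
    auth: str                    # "sso" (federated to the company) or "local" password
    enabled: bool
    last_login: Optional[date]


# Constructed account exports from three hypothetical SaaS applications.
ACCOUNTS = [
    SaasAccount("crm", "alice@example.com", "sso", True, date(2024, 5, 30)),
    SaasAccount("crm", "Bob@Example.com", "local", True, date(2024, 3, 10)),
    SaasAccount("blog", "bob+press@example.com", "local", True, date(2024, 2, 1)),
    SaasAccount("crm", "carol@example.com", "sso", True, date(2024, 5, 1)),
    SaasAccount("expenses", "carol@example.com", "local", False, None),
    SaasAccount("blog", "dave@example.com", "local", True, None),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2, "low": 3}


def normalise(user_id: str) -> str:
    """Lower-case the address and drop any '+tag' so variants map to one person."""
    local, _, domain = user_id.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def find_orphaned_accounts(hr, accounts, company_domain="example.com"):
    """Return (severity, app, identity, reason) for enabled accounts that
    trade on a company identity HR no longer vouches for."""
    findings = []
    for acct in accounts:
        identity = normalise(acct.user_id)
        if not acct.enabled or not identity.endswith("@" + company_domain):
            continue
        record = hr.get(identity)
        if record is None:
            findings.append(("review", acct.app, identity, "no HR record"))
            continue
        if record["status"] != "terminated":
            continue
        if acct.last_login and acct.last_login > record["left"]:
            findings.append(("critical", acct.app, identity, "used after leaving"))
        elif acct.auth == "local":
            # The application holds its own password, so removing network
            # access does not stop this login.
            findings.append(("high", acct.app, identity, "local password still valid"))
        else:
            # Sign-in depends on the company's single sign-on; still remove it.
            findings.append(("low", acct.app, identity, "SSO-only account left enabled"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for finding in find_orphaned_accounts(HR_RECORDS, ACCOUNTS):
        print(*finding, sep=" | ")
```

Accounts that sign in through single sign-on rank lowest because disabling the central identity already blocks them; accounts with an application-held password are the ones the central record cannot reach.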

6. Privileged users and administrator identities

When we turn to IaaS and virtualisation, the requirements for administrator (or root) security change significantly. With single machines it was a fact of life that the administrator had all the access rights. Many organisations installed some form of control to prevent the administrator from accidentally killing all processes, deleting all users or even from viewing all data.

In a virtual environment with one ‘machine’ running hundreds or even thousands of virtual servers, often for different organisations, this becomes even more important. In fact many firms split responsibilities between administrators, allowing some to create, move or delete virtual machines and others to access/operate specific sets.

7. Securing virtual machines

Traditional security management needs to be reconsidered in a virtualised environment.

Securing virtual machines in the same way as physical servers has some practical drawbacks. Because virtual machines are not active all the time, periodic virus and malware scans, critical updates and patches all run concurrently as soon as the virtual machine comes online, rather than in off-peak hours. The outcome is seriously reduced performance at exactly the time we are waking these machines up to perform a specific task.

Having off-line virtual machines may also lead to a false sense of security, as the latest compliance scan or report may show all live systems as fully patched and up to date, while ignoring all non-active virtual machines. Security also needs to be aware of the significant changes the cloud requires to IP, firewall and port settings. Physical servers typically run in or behind a demilitarised zone (DMZ) with security applied in that context. Virtual servers, on the other hand, can be started and moved just as easily inside or outside an organisation’s own firewall or DMZ to anywhere in the cloud. One notorious example would be a developer starting up a virtual copy of a production image on their laptop to try out a change, only to have that virtual copy tell all the production servers in the data centre to route all transactions to the copy now running on this laptop.

The conclusion is that virtual servers require advanced security administration tools, to an even greater extent than physical servers.
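The blind spot described above, where a compliance report covers only the live systems, can be made visible by comparing the scan report with the full inventory held by the virtualisation layer. The following is an added example, not part of the original book; the machine names, dates and the 30-day threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VirtualMachine:
    name: str
    power: str          # "on" or "off", from the virtualisation layer's inventory
    last_patched: date


# Constructed inventory: every image the hypervisor knows about, running or not.
INVENTORY = [
    VirtualMachine("web-01", "on", date(2024, 5, 28)),
    VirtualMachine("web-02", "on", date(2024, 5, 28)),
    VirtualMachine("db-01", "on", date(2024, 5, 25)),
    VirtualMachine("batch-01", "off", date(2024, 2, 2)),
    VirtualMachine("test-07", "off", date(2024, 5, 22)),
]

# Constructed scan report: only machines that answered the scanner appear,
# mapped to whether they passed.
SCAN_REPORT = {"web-01": True, "web-02": True, "db-01": True}

TODAY = date(2024, 6, 1)   # fixed so the example is reproducible


def compliance_view(inventory, scan_report):
    """Contrast the figure a scan report shows with what was actually verified."""
    scanned = [vm for vm in inventory if vm.name in scan_report]
    passed = sum(1 for vm in scanned if scan_report[vm.name])
    return {
        # What the report claims: passes divided by machines it could reach.
        "reported_pct": round(100.0 * passed / len(scanned), 1) if scanned else 0.0,
        # What is known: passes divided by every machine that exists.
        "verified_pct": round(100.0 * passed / len(inventory), 1) if inventory else 0.0,
        "unscanned": sorted(vm.name for vm in inventory if vm.name not in scan_report),
    }


def stale_offline(inventory, today, max_age_days=30):
    """Powered-off machines whose patch level is older than the threshold.

    These are the ones that will start out of date and pull scans, updates
    and patches all at once when they are next woken up.
    """
    stale = []
    for vm in inventory:
        age = (today - vm.last_patched).days
        if vm.power == "off" and age > max_age_days:
            stale.append((vm.name, age))
    return sorted(stale, key=lambda item: -item[1])


if __name__ == "__main__":
    view = compliance_view(INVENTORY, SCAN_REPORT)
    print(f"report says {view['reported_pct']}% compliant, "
          f"verified for {view['verified_pct']}% of all machines")
    print("never scanned:", ", ".join(view["unscanned"]))
    for name, age in stale_offline(INVENTORY, TODAY):
        print(f"{name}: offline, last patched {age} days ago")
```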

2.4: Cloud computing: the building blocks

Virtualisation isolates objects from the underlying hardware and enables objects to be moved simply across different physical infrastructures. This makes it a key enabler of IaaS. In this chapter, we will briefly discuss the various types of virtualisation.

1. Types of virtualisation

Network virtualisation

Today we see the most widespread use of procuring infrastructure as a service in the field of WANs. About two decades ago, most multinational organisations still owned and managed their own WAN. This consisted of a vast and expensive network of fixed, leased and dial-up lines that connected the various national and international branches.

As technology progressed, sharing the use of an already existing network infrastructure with other organisations was found to be more efficient than each enterprise connecting all their branches themselves. Early provider and telecommunications provider offerings were based on X.25, later on frame relay and now, increasingly, on the standard internet protocol (IP). This ‘rented’ on-demand network capacity still needed to appear as a separate private network to customers, so a virtualisation layer was used to behave as if only the machines in the customer’s offices were connected to the network, a virtual private network (VPN). Recently, Amazon has started offering a similar VPN option, which makes the servers it provides part of the infrastructure of the customer by logically putting them inside the customer's (virtual) network.

Storage virtualisation

The simplest example of storage virtualisation is the apparent availability of a drive D: on a PC, when in reality it is a directory on a larger disk down in the company’s data centre. Here a virtualisation layer presents part of a larger whole as a specific dedicated facility to the user.

The Amazon S3 service (simple storage service) is another example of storage virtualisation. Objects (files, images) can be stored and retrieved using a simple web service interface. Sites such as Flickr, SlideShare and Twitter now use S3 storage services, but S3 can also be used as a backup medium or default storage device. Apple’s iCloud service and Microsoft’s equivalent, Windows Live SkyDrive, offer a virtual disk in the cloud for consumers. With these services, consumers can store their data (emails, pictures, documents, music) in one place with 24/7 access.

Remote virtual storage does require changes in how we manage it. The common way for an application to check whether a file is still available and not corrupted is to open it and read it. With remote storage this means transmitting the whole data collection across the network just to be assured it is still there and correct.

Several storage vendors are working on a smarter storage application programming interface (API) that allows the management application to carry out this verification. The faster the networks become and the more these storage services meet B2B requirements, the greater the advances this type of storage virtualisation is likely to make.

Server virtualisation

Server virtualisation is currently the most important, and certainly the most discussed type of virtualisation.

The principle is once again the same: a section of shared physical infrastructure represents itself as a dedicated resource. Today VMware is the best known vendor in this field, but there are several others such as Xen (Citrix), Hyper-V (Microsoft) and KVM (Red Hat).

The Amazon Elastic Compute Cloud (Amazon EC2) service enables users to rent such virtual servers over the internet. Quick loading of virtual servers is possible through the use of image files (types of backup file). Similar to an operating system loading a spreadsheet or document to make it available to users for editing a moment later, a hypervisor (virtualisation layer) loads an image of a full computer and makes it available for use instantly.

Traditionally, physical servers are very rarely used for something else or even powered down after being configured. With virtual servers, we load and unload images all the time, based on demand. Thanks to the virtualisation layer, we can run the virtual server images easily on different types and brands of servers (for example, Dell, HP, IBM or white label x86). We can even move Linux applications to a mainframe hosting thousands of such Linux images. Originally, hypervisors added significant performance overhead. But today’s hardware is optimised for running them and the added flexibility far outweighs this now minor overhead.

Avoiding VM sprawl and stall
VM sprawl occurs when the number of virtual machines running in a virtualised infrastructure increases over time due to the ease with which they can be created rather than their necessity to the business. This leads to management complexity and wasted licence costs for unwanted virtual machines.

VM stall occurs after companies have virtualised the 'low hanging fruit', typically the test and development servers and some of the less critical production servers. It will be clear that the benefits of sharing infrastructure remain largely elusive if only 30 percent of the production servers have been virtualised.

Application virtualisation

Unlike network, storage and server virtualisation, application virtualisation is about traditional PC applications working within a ‘virtual box’, which allows them to be used on the spot without having to go through an install procedure. The virtual box, including the application, is simply loaded as an image. Not only does this ensure that the application does not conflict with others (each contained in its own virtual box) but it also does not alter the underlying operating systems by adding settings to the registry, or loading or deleting DLLs.

Desktop virtualisation

With desktop virtualisation, the user’s desktop no longer resides exclusively on the local PC of the user. Instead, it uses a virtual machine image installed on a server elsewhere in the office or somewhere in the cloud. That image can be run centrally and accessed via a browser or it can be initiated on the machine that is most convenient: a laptop, home game PC, MacBook or machine at a client site.

This has advantages in terms of mobility and resource sharing. But it also means that the desktop can be accessed by lighter, less energy-consuming devices, such as a notebook, tablet computer or smartphone. Organisations can configure and secure virtual desktops to run inside a safe box on any device, which is important as more and more people use less secured personal devices such as phones, tablets and home PCs for work-related activities.

Sun Microsystems, now part of Oracle, has been offering a virtual travelling, thin client-based desktop for several years. However, comparatively few companies have adopted them as they required proprietary hardware. Users, too, have remained wedded to the idea of their own, personal desktop.

The virtual desktop is predicted to become mainstream soon, driven by increased worker mobility, use of multiple end user devices (phones, tablets), concerns about security, and advances in more economic and user-friendly virtual desktop technology.

2. Automation

Virtualisation is one side of the coin that makes cloud computing possible; the other side is automation. Automating the creation and configuration of virtual machines is the key to releasing the on-demand dynamic scaling capacity of the cloud. Why? Because configuring virtual machines manually is too slow while, without virtualisation, the complexity makes applying automation prohibitive. Using virtualisation first to restructure applications into a set of independent blocks that can be easily added or removed makes automation feasible.

Automation also enables self-service and elasticity and helps to put a handle on VM sprawl and overcome VM stall. Apart from industrialising the provisioning process, automation can be used to monitor application traffic response time or quickly perform root-cause analytics to help isolate and remediate virtual environment faults. The upshot of all this automation is that it allows IT to spend more time on the business and with users, and less on the technology and the plumbing that makes it work.

2.5: Cloud computing: management aspects

In later sections, we discuss a strategy for how the IT discipline should evolve. First though, we close off our initial description of cloud computing by looking at how cloud computing directly impacts day-to-day IT management.

Short term - manage one more platform

In most cases the cloud will initially be an additional platform to manage and monitor. Alongside Windows, UNIX/Linux and maybe the mainframe, organisations will now have applications running in yet another set of environments. We deliberately use the plural here because there are many cloud platforms out there (Amazon, Rackspace, Terremark); and in terms of the private cloud there are also many vendors and platforms, including VMware, Xen, Cisco, IBM, HP and Microsoft.

With users playing a more dominant role in selecting cloud solutions, it will be very hard for organisations to maintain standardisation. As a result they should plan for managing diversity. Essentially this will be a hybrid group of external and internal cloud platforms from many vendors combined with traditional platforms. And it is too soon to bet on which one will turn out to be the 100 pound gorilla.

Change management complexity increases

Having good change processes and reliable configuration data in place will be even more essential in a dynamic ‘provision to order’ cloud environment than it is in today’s relatively stable data centres. We all know the stories about IT departments too afraid to switch off a certain server because they have no idea what it does. When this is a virtual server in the cloud, paid for by the minute, it will be even more essential to understand the business processes it is supporting so the correct decision can be made.

Manage or predict

The management of cloud platforms is also different in that one cannot actually manage them physically. For example, we cannot configure or tune the servers we source from Amazon EC2, neither can we move the customer relationship management (CRM) application we use as a service to a different server (the service provider takes care of all that). This means some aspects of cloud management become monitoring and predicting availability and planning alternative routes in case there is a problem. It is comparable to a pilot who uses a weather report to determine an optimal route rather than to decide how he will change the weather conditions at a certain destination.

Operations planning

This requires the IT operations managers to become IT operations planners. This planning and management process is comparable to the distribution-production planning role in a large industrial organisation. Eventually this leads to a supply chain management approach for IT, where IT optimises the delivery across a variety of in-house and sourcing options.

Planning is essential, whether resources are owned or hired
To illustrate the case for planning, consider the example of a manufacturing company that decides to switch from owning and running its own fleet of trucks and directly employed drivers, to using third-party services.

Deciding whether to hire trucks and drivers on a daily or hourly basis, or to use a parcel service to send products to customers, still requires essential planning and management of the distribution process.

Longer term - towards a new role for IT management

Imagine for a minute that our organisation sources everything as a service, using applications from various SaaS and PaaS providers. In this instance, would there still be a role for IT management? Regardless of whether this fictitious end point will ever be reached, there are a number of things that still need to be managed:

Managing support

In such a multi-sourced environment, integrated support becomes critical. Organisations using several different SaaS applications would not want their users to go to each individual vendor for support and file issues in as many different places, only to get the response that the issue does not lie with this particular vendor.

Managing integration

Overseeing integration is also a management task that is likely to remain with IT. If the organisation uses CRM from one SaaS vendor and distribution planning from another, IT will be expected to connect or integrate the two. In this case, having an integration capability that works across different cloud and non-cloud applications becomes essential.

In the ERP area, companies at some point concluded that integration between multiple solutions is just too difficult and senior management started to enforce a single vendor policy (resulting in increased vendor lock-in and the associated high annual bills). An equivalent single vendor policy is not feasible or even sensible in the cloud environment: the cloud’s functional scope is much wider, decisions are more user led and the market is much younger, with hundreds of vendors still jockeying for leadership positions.

Managing the cost

Another role that will become more important is cost management. As choosing between several external and internal options becomes more standard, it becomes more important to have a thorough understanding of the cost of these alternatives and the impact on the overall cost of the service.

Managing a catalogue

A good way of making life easier (both for users and for the IT department) is offering a catalogue of available and approved cloud applications. This catalogue can include internally provided and externally sourced solutions; and ideally the consumer would not even be able to tell the difference. An early example of such a catalogue is Apps.gov, a catalogue of pre-approved cloud services for use by any U.S. federal government organisation.

Managing SaaS

People often assume that SaaS does not have to be managed by IT, as IT is not writing the code, running the code or even running the machines the code is installed on. Some also question how IT can monitor, manage and secure SaaS applications, given that it may not be aware of which applications users are deploying as a service.

This is a tough one, but no different from how HR, procurement and manufacturing had to adapt their ways when organisations started to subcontract and outsource their operations. Purchasing used to process every single purchase order; now they contract master agreements and departments place orders directly at approved vendors. Similarly, IT has to get used to the fact that they are less in control and no longer pulling the switches themselves. Yet they will still be held responsible for the aspects mentioned above that cut across the various SaaS offerings, such as support, integration and cost.

Managing security and risk

When users go out and select solutions that fit their needs, some requirements will be more important to them than others. Functionality, ease of use and possibly even cost will be seen as critical, while other aspects such as ease of integration, vendor viability, business continuity and security may not be top of the list for the average business department. Selecting and auditing vendors and specific offerings against such criteria will need to be done, regardless of whether it is by the security, purchasing or IT department. For cloud services it may actually be the IT department that has the best mix of skills for this.

Managing the service portfolio

Some may argue that in a pure cloud environment, where all applications have moved into the cloud, governing the portfolio will be the only remaining task for IT management. That includes monitoring which services to add, which services to retire, evaluating the cost of these services and keeping a finger on the pulse of all associated transition projects.

With so many options, it is more complex than ever to make the right choice about vendors and solutions, and to monitor the successful implementation of these decisions. Portfolio management allows IT to balance investments and costs against risks and available resources and gives the organisations the helicopter view needed.

We will return to the subject of portfolio management and the cloud later in the book.

2.6: Cloud computing: from definition to deployment

So far we have set the scene for cloud computing. To some the whole cloud thing may be a bit overwhelming, providing yet more acronyms and complexity; to others the idea of ‘the best computer is no computer’ sounds very attractive.

Although cloud computing combines many existing concepts, it constitutes a fundamental change, comparable to the move from custom software to standard packages on the application side, and it is as impactful as outsourcing has been on operations.

In general, customers are excited by the prospect of using the most economical way of performing computing. However, they are not necessarily excited by the idea of moving their data or computing off site into a cloud environment.

The role of IT will certainly change. Technical skills, like programming and configuration, will become less important; maintaining an overview and achieving synergy will grow in importance. In the following chapters, we will examine the changing role of IT management from different perspectives.

With regard to security risk (which we referred to earlier as probably the most common objection to cloud computing), there are indeed some questions and issues that still need to be addressed. But the argument that ‘our systems are so business-critical that we would never risk bringing them under a cloud’ is off the mark. If this were the case, companies would never have outsourced or off-shored parts of their operations. It also ignores the enormous investments cloud providers are making to address these valid concerns.

On the infrastructure side, virtualisation and cloud computing add a set of platforms that can significantly increase utilisation, scalability and sharing of resources, leading to lower and more variable cost. But in the short term, one should not expect these cloud platforms to replace all current internal platforms, but rather be used in addition. Regarding applications, shorter time-to-value and broader functionality at lower initial cost make SaaS very attractive, but the danger of vendor lock-in is also significant here. The big promise is PaaS, which promises to deliver the low cost and scalability enabled by mass standardisation, while still offering scope for differentiation.

