a guide to strategic cloud adoption for government · a guide to strategic cloud adoption for...
TRANSCRIPT
A guide to strategic cloud adoption for government
This guide is suitable for senior officers within government who are responsible for business and IT transformation, estate management and mapping their organisation’s IT to its business strategy. The guide looks in detail at the different stages an organisation needs to work through to adopt cloud and strategically transform its business.
Cloud adoption process
Build a strategyDefine business objectivesDefine technology prioritiesGet the right
building blocksBusiness caseStaff and skills baseProcurementSecurityService Integration and Management [SIAM]
Design and planAppoint the right teamPlan what to migrate and wherePrepare for business changePlan your procurement
MigrateTrack performanceRegular review and feedbackCommunicate progress
Next stepsReview against objectives
2 www.eduserv.org.uk
www.eduserv.org.uk
Contents
Introduction 4
Chapter 1: Defining your objectives and priorities 5
Chapter 2: Making sure you have the right building
blocks in place 7
Chapter 3: Service design and migration planning 10
Chapter 4: Migration and next steps 13
Chapter 5: Concluding thoughts 15
3
IntroductionWhen the UK government formally introduced its Cloud First policy in 2013 it signalled its desire to drive wider adoption of cost-effective cloud computing in the public sector.
This is a laudable aim. What we need to remember, however, is that the Cloud First policy is not just being promoted and mandated for reasons of cost. What it really heralds is the strategic importance of the cloud within the government’s vision for how it does business in the future.
“The Cloud First policy will embed the skills a modern civil service needs to meet the demands of 21st-century digital government and help us get ahead in the global race,” said Francis Maude, Minister for the Cabinet Office.
The message is becoming increasingly clear: while many organisations have experimented with cloud and achieved successful tactical cloud deployments, they are now being asked to do more. The focus is changing and public sector organisations are being asked to start harnessing the cloud to enable more strategic transformation.
But with limited experience beyond tactical deployments, how can you address this need for strategic cloud adoption?
This guide seeks to help address that shortfall by detailing a step-by-step journey through a typical strategic adoption. It includes considerations and recommendations that will help you move forward with confidence.
Tactical or strategic adoption: what’s the difference?
● Tactical cloud: implementations concentrate on technology-focused point solutions to address specific needs. For example, the hosting of a single line of business application.
● Strategic cloud: adoption supports broader aims and business objectives. These might include the consolidation of IT infrastructure, reduction of power consumption, enablement of ‘anywhere access’ or reduction of IT capital requirements. These projects are business-led and are not technology focused.
4 www.eduserv.org.uk
www.eduserv.org.uk
1
Defining your objectives and priorities
Defining your business objectives
Your first step is to develop a cloud strategy and roadmap with one, three and five year milestones. It’s important to remember that this should form part of a wider IT strategy – it’s not just a tactical ‘trial’ – it should support your broader organisational goals.
It’s also crucial to remember that cloud adoption is a value enabler that supports those goals and is not just a cost reduction lever.
As such you need to carefully consider and articulate what your organisation’s motivation is for moving to the cloud before building your strategy against it. Note: this is likely to change as your organisation’s adoption maturity increases.
Typical motivations include:
● Alignment to regulatory requirements e.g. government cloud adoption targets, Business Impact Level (BIL) requirements, Cloud First policy
● Reduced capital expenditure and Total Cost of Ownership (TCO)
● Greater alignment of IT costs to business demand
● Business / IT agility with instant-on and agile provisioning
● Improving the robustness of IT through better testing and greater resilience
● Deploying services with greater speed and at a lower cost
● Achieving business advantage through new functionality and agility
It’s likely the business will want to achieve a number of these and possibly others. It’s also likely that the business will have some initial headline views on priorities influenced by current corporate risk, new business requirements, or contract termination dates. These should be assessed and validated as the strategy takes shape.
5
Defining your technology priorities
In addition to creating more flexible and cost-effective capability for delivering new services, there will also be significant focus on the need to transform the legacy environment.
For instance, the type, quantity and role of legacy equipment in your estate will heavily influence your categorisation of services to be transitioned.
Early discovery work should therefore focus on a high level evaluation of the applications and business services to see what can or should be migrated:
● What custom applications need migrating?
● Are there systems that must remain on-premise?
● What are the integration requirements?
● What is the age and type of kit: is it virtualised, when does the maintenance expire, is the equipment still depreciating?
● Is the application / service delivered from a managed service contract and if so when does it expire?
● What are the Business Impact Level (BIL) requirements and other related security considerations?
● What does the business need in terms of service level commitments for each application / service?
From this assessment it will be possible to create a preliminary view of priorities to feed into the strategy.
At this stage you are iterating through the risk vs reward cycle, starting with low risk (e.g. test and development systems) and then moving into higher-value, more complex and integrated environments and applications. This will help you to build confidence and capability whilst managing risk. It also enables some quick win savings that can be reinvested for more incremental savings on the cloud journey.
High level outcomes from this early stage discovery work also feed into the overall strategy, helping to shape possible migration and transformation phases, while also providing an early indication of where cost savings might be achieved.
6 www.eduserv.org.uk
www.eduserv.org.uk
2
Making sure you have the right building blocks in place
Now that you understand your initial strategy drivers and priorities – what else do you need to have in place before you start your implementation?
Here are the building blocks we recommend:
1. A business case that will get you buy-in: first you need to demonstrate that your strategy makes commercial sense, fits with Cabinet Office strategy, supports the wider business and IT strategy, reduces cost and improves services.
2. Delivery team: we highly recommend that you create a delivery unit responsible for implementing the strategy. This should include senior sponsorship and leadership as well as funding and governance. You may also want to consider including resources from outside the organisation. These might come from specialist contractors, professional services engagements or even a plan for full service and integration management (SIAM - covered in more detail below).
3. The right skills: it’s important to consider whether you have the right skills in-house to understand, plan and manage your move to the cloud. If not, you may need to consider extending the internal team with specialist professional services. You could also consider buying a fully-managed service or outsourcing the entire programme. The benefit of a fully-
managed service is that you can bring in specialist skills so your internal staff can focus on the objectives of the business. Read more on managed services.
4. A procurement strategy: this should be straightforward given the procurement channel enabled by G-Cloud and CloudStore.
However, CloudStore’s current iteration makes it difficult to compare products and services which, although similar at face value, can actually be quite different. One way to address this is with a ‘clarification pack’. This means issuing your short-listed suppliers with the same set of requirements and asking them to articulate how their CloudStore products and services meet both your business and cost requirements. This helps to ‘level the playing field’ and allow for easier comparison.
It’s also crucial to understand how you are going to integrate whatever cloud product(s) you are buying into the legacy environment and whether you’re going to need support to do so. In general, CloudStore products do not come with integration services or professional services built-in. The additional “glue” required to join infrastructure, products and management together to form a service will need to either come from within your own team or through an additional procurement.
7
5. Understanding integration considerations: as you go through your phased approach, you will also have to consider whether the systems migrating to the cloud will still integrate with systems that you are keeping out of the cloud (or indeed that sit in another private cloud). This can be one of the most difficult issues to overcome. You may need to consider an Enterprise Service Bus to enable interconnection, for example. If you are new to strategic cloud adoption, we recommend this is one area in particular where you should seek expert help to inform your planning.
6. Understanding security: the Business Impact Level of a service is usually presented as a number from 0 to 6 and is a measure of the severity of an information security ‘compromise’ to your organisation (0 being no impact, 6 being a severe impact). You can find further details in G-Cloud’s Short guide to business impact levels. CESG’s IS1/IS2 Technical Risk Assessment Method [PDF] also provides a reliable way of establishing a given impact and the risk to your information assets. The most important thing to remember is that impact levels are assessed against three different criteria:
● Confidentiality – the risk of an information asset getting into the hands of someone it shouldn’t.
● Integrity – the risk of somebody having the ability to modify an information asset that they shouldn’t.
● Availability – the risk of someone, or something, preventing access to an information asset by legitimate users.
When you’re looking to purchase a service as part of your strategy you should check what matters most out of these three elements to you and your business.
Don’t just look at the accreditation badge. You need to look closely at the service description and any accreditation documentation and understand what it is saying about confidentiality, integrity and availability. Only then can you see if it matches what you need.
You should also understand the Government Security Classifications and what they mean for your information assets and the way that they should be handled.
By using services that are already accredited you avoid the cost and complexity of accrediting infrastructure and can just add your services and applications on top.
It is important to monitor government policy on security classifications and impact levels as we are aware there may be changes in the future. However, Business Impact Levels remain an important tool in the course of undertaking a technical risk assessment and for valuing the importance of your data when considering security in the cloud.
We believe they will continue to be a useful and a well-used measure for the foreseeable future.
0 20
30
40 50
60 70
80 90
8 www.eduserv.org.uk
www.eduserv.org.uk
7. Understanding SIAM in the context of wider service tower adoption: Service Integration and Management co-ordinates and consolidates the management of individual services from your service providers (internal and external), providing end-to-end service management whilst ensuring that services consistently meet business objectives and requirements for performance, quality and cost.
If you are considering cloud adoption at a tactical level then the service integration and management (SIAM) model is largely irrelevant. However, when cloud adoption
Service tower model adoption involves procuring separate contracts (or ‘service towers’) for the groups of IT capability that make up the delivery landscape.
These include service integration, end-user computing, networks, hosting and application maintenance and development. Legacy service arrangements typically see a number of systems integrators (SIs) delivering horizontally (i.e. across functional domains), with responsibility for components across the service towers. There is widespread recognition that this has led to significant inefficiency and unnecessary cost, mainly due to duplication and integration issues.
becomes part of a broader alignment to the service tower model, SIAM becomes incredibly important, if not critical. This is because its role will cover business requirements, governance, service design and then integration of the various towers (including the IaaS, PaaS and SaaS) at all levels including business, technology, process and tools.
The earlier the SIAM is appointed, the easier it will be for you to support the requirements specification, procurement, selection, integration and migration across the service stack.
Public Sector Organisation Insourced IT
Service Integration & Management
Service Towers
Inte
grat
ion
End-
user
com
puti
ng
Net
wor
ks
Hos
ting
Appl
icat
ion
mai
nten
ance
an
d de
velo
pmen
t
What is the service tower model?
9
12
3
Service design and migration planning
With a strategy and roadmap formed and a delivery team in place, detailed design and planning can now start.
The key stages you will need to work through are as follows:
1 Getting the right team to manage cloud migration:
● Appoint a SIAM partner (if applicable) – as above, if a SIAM partner is to be appointed doing so at this stage can bring significant benefit, albeit at a cost. Your partner can advise, co-ordinate and implement a significant proportion of the design and planning phase. If a SIAM partner is not to be appointed, your business will need to establish commitment and clarity on which resources (and teams) will take on this responsibility.
● Establish a programme board at the start of the planning phase with stakeholders from across the business – a fundamental shift to cloud will need everyone on board to contribute to and assess the viability of the plan, even for the low risk candidates at the start. The programme board will become even more vital once implementation begins.
2 Confirmingwhattomigrateandtowhere:
● Finalise conclusions from your initial discovery – as discussed in Section 1, your initial work should have included conducting a deep dive discovery of the legacy environment. This should have identified pilot application candidates that are quick wins and low risk (i.e. where the cost of failure is low; giving you a good opportunity to build confidence, intelligence and familiarity with operating in a cloud world). Now you need to populate the detailed plan and build its associated phases.
● Assess business requirements for new applications and services – it’s also crucial at this stage to assess your new service / application roadmap and how this will be affected by a cloud deployment.
● Confirm target architectures, BIL treatment and cloud model requirements – after you have assessed both your legacy systems and future roadmap you will have a set of business, service and technical requirements that must be met. Next you will need to conduct a design exercise to confirm what the target architecture(s) need to look like to address the requirements.
The outcomes from this exercise will be a granular set of services / products that need to be procured, developed and deployed.
10 www.eduserv.org.uk
www.eduserv.org.uk
3You should also have confirmed how they will exist alongside any legacy arrangements and how RMADS (Risk Management Accredited Document Set) and accreditation will be addressed.
You will find that this is largely a solution architecture exercise that can be split into two areas as follows:
(i) Analysis and design of the technical requirements:
• General platform: consider public, private, hybrid models and associated requirements for availability, scalability, resilience and integration.
• Compute: evaluate sizing, OS choice, specific application requirements and performance benchmarking.
• Storage: consider needs related to performance, resilience and replication.
(ii) Operational and security requirements:
• Networks: evaluate needs for tiered segregation, firewalls, intrusion detection / prevention, load balancing, connectivity both public access and private, network services (DNS, NTP etc).
• Operations: consider monitoring and alerting, scaling, backups and managed service requirements.
Please note: the scope and complexity of this activity can be significant. Designs should be led, supported and verified by appropriately skilled solution architects.
3 Planning the migration:
● Draft the follow-on phases – these shouldn’t be set in stone; they should have some flexibility but should also provide some shape to the plan. They will largely be influenced by increasing complexity, groups of dependencies and / or driven by contract end dates for legacy service contracts and support agreements.
● Confirm service management requirements – the SIAM (if appointed) will play a key role here; they will be responsible for design, implementation and delivery of the service management arrangements across the internal and external supplier base. It can be a significant undertaking to flesh this out and get agreement, even if a SIAM has been appointed.
11
4 54 Preparing for managing business change:And finally what about business change? At this point you will have developed a detailed picture of what’s in scope for cloud adoption and the associated challenges in doing so will be emerging.
Questions you should ask include:
•Whatnewskillsandcapabilities willbeneeded?
•Whatnewstructuresshould beputinplace?
•What, if any, external support does your organisation need tofacilitatethechanges?
Beyond the adoption and transition programme itself, there will also be an ongoing need to manage the delivery of services from the cloud.
This requires the IT organisation to evolve significantly, changing from a ‘lights-on’ focus to more ‘value-add’ focus. The IT department effectively becomes the service orchestrator and manager instead of delivering low level operations. With this comes the need for different skills. This will of course be a journey, but one that needs careful consideration and planning given the fundamental business change programme that will probably result.
5 Establishing your procurement plan:From here we can start to consider procurement plans. What platforms and services are required and by when across IaaS, PaaS, SaaS and private, public and hybrid deployment options?
What connectivity is needed; does PSN cater for everything or do you need other network services?
The solution architecture exercise detailed in point two above will provide key inputs into this exercise.
Whenyouhaveworkedthroughallthesekey stages you should have a delivery roadmap agreed, initial phases planned, architecture designs in place and a procurementstrategysignedoff. Migrationcannowbegin.
12 www.eduserv.org.uk
www.eduserv.org.uk
1
2
When implementation begins your first low-risk pilot services (either new applications or migrations from legacy environments) will be migrated and made live.
It’s important to track the performance of these early projects, and to learn lessons for future phases.
So what’s next?
1 Set up a delivery board that is distinct from your planning board:You now need to consider developing a delivery programme board made up of stakeholders from across the business. This may be an extension of the planning board that was set up at the start of the planning phase. However it will probably make more sense to have two separate boards, with distinct terms of reference and audiences. This is because your planning activity will need to continue alongside your initial delivery. Only the initial phases will have detailed plans.
2 Establish technical and service forums: If you are going to contract external service providers to provide one or more of the services (as part of service tower adoption or not) it’s also now important to establish technical and service forums across the supplier base (both internal and external). This will enable regular feedback and engagement and ensure refinement of on-boarding and delivery practices that will almost certainly occur as systems and applications bed down.
4
Migration and next steps
13
3 43 Communicate your progress:As you move forward it’s important that you communicate early wins and recognise and address any struggles. Communicating progress is vital to build momentum and maintain buy-in. One way to do this is by establishing a regular, useful and interesting format for communication. This needs to be something which can be accessed by all users, is informative and interesting and encourages further participation (e.g. sharing on social media).
Remember that ‘good news’ user stories are very powerful. Identify where users are now able to do more (and more easily) than before the change, and communicate this.
4 Reviewdeliveryagainststrategy:Finally, it is crucial that you also maintain a view of how the roadmap is delivering against your strategy’s expected benefits and milestones. This should be done at least quarterly, preferably monthly. By doing this you will ensure that your delivery teams remain outcome focused and can help to shape future phases through benefit analysis and the knowledge and feedback you have gained so far.
One way to do this is to establish and maintain a Benefits Realisation map. This is a diagram which links initiatives (projects you undertake) to the achievement of real business outcomes (e.g. 20% reduction in operating costs).
It is likely that there will be a complex chain of initiatives which all contribute to the ultimate achievement of business outcomes, but it’s important to identify them and track their achievement as you go in order to show the ‘journey’.
If benefits realisation is off track, then it’s time to bring your implementation back into line.
14 www.eduserv.org.uk
www.eduserv.org.uk
In this guide we have described how to move from tactical cloud implementation to strategic adoption through a series of steps that can be followed by any public sector organisation.
In our view this approach is the best way to adopt cloud computing to drive value, reduce technology costs and meet demand for increased agility and transformational performance that is being driven by government policies and strategy.
Throughout the guide we’ve also recommended areas where it may be best to seek external help. This will not be necessary for every adoption, but it can help to clarify objectives and ensure a successful and targeted adoption.
If you’re unsure about which way to turn before you commit, one of the best places to start is a cloud adoption assessment service. This can help you to understand the benefits, costs, risks and approaches involved with migrating to cloud computing. It can also help to minimise the risk and uncertainty of your cloud transformation by helping you:
● Understand which, if any, cloud solution is right for your organisation
● Identify the cost and benefit of migrating to the cloud
● Understand the approach and timescales of moving to the cloud
If you would like to talk to Eduserv about our own Cloud Adoption Assessment Service, Cloud Service Design or Cloud Migration, please contact us at [email protected] or 01225 474 300.
5
Concluding thoughts
About EduservOur Cloud Services can help you at every stage of moving to the cloud. We offer managed services and consultancy on top of market leading infrastructure to help you successfully migrate to the cloud and allow you to focus on your core business.
Whether you’re looking to host a business critical website, off-site disaster recovery or to host your entire data and IT systems in a secure IL3 environment, we can help. Our cloud services provide on-demand, scalable and efficient storage and compute services that help save money and drive performance in the public sector.
We have 15 years’ experience of providing hosting services to government and also have substantial experience of cloud consultancy, design, migration and operation. We built the first UK IaaS cloud for education, one of the largest public-facing vCloud installations in Europe, and we draw on our experience to offer public sector organisations, such as the Department for Education, independent support for investigating cloud technologies.
About the authorNick Loba heads up our professional services team, responsible for working with clients to develop their IT
strategies and architect solutions that underpin business change. Nick and his team are currently working with a number of government customers to design and implement their migration to an accredited cloud solution to reduce costs and improve services.
Find out more at www.eduserv.org.uk WEB
-135
.0
15