planning for cloud computing

IT Management and Strategy Report

Part of the Datamonitor Group WWW.OVUM.COM

Planning for Cloud

ComputingUnderstanding the organizational, governance,

and cost implications

November 2010

Butler GroupIncorporating

OVUM

Research

Laurent Lachal

Stephen Mann

Acknowledgements

Ian Brown

Jens Butler

Steve Hodgkinson

John Madden

Graham Titterington

Important Notice

We have relied on data and information which we reasonably believe to

be up-to-date and correct when preparing this Report, but because it

comes from a variety of sources outside of our direct control, we cannot

guarantee that all of it is entirely accurate or up-to-date.

This Report is of a general nature and not intended to be specific,

customised, or relevant to the requirements of any particular set of

circumstances. The interpretations contained in the Report are non-

unique and you are responsible for carrying out your own interpretation

of the data and information upon which this Report was based.

Accordingly, Ovum is not responsible for your use of this Report in any

specific circumstances, or for your interpretation of this Report.

The interpretation of the data and information in this Report is based on

generalised assumptions and by its very nature is not intended to

produce accurate or specific results. Accordingly, it is your responsibility

to use your own relevant professional skill and judgement to interpret

the data and information provided for your own purposes and take

appropriate decisions based on such interpretations.

Ultimate responsibility for all interpretations of the data, information and

commentary in this Report and for decisions based on that data,

information and commentary remains with you. Ovum shall not be liable

for any such interpretations or decisions made by you.

Published by Ovum

Published November 2010© Ovum

All rights reserved. This publication, or any part ofit, may not be reproduced or adapted, by anymethod whatsoever, without prior written Ovumconsent.

Artwork and layout by Karl Duke, Steve Duke,and Jennifer Swallow

Part of the Datamonitor Group

Enterprise IT Knowledge Centre At the heart of the new service are more than 150 ICT analysts from the former Ovumand Butler teams. They provide deep insight into both vertical and horizontal businesstechnology, delivered through best-in-class research and analysis. To their insights, weadd the expertise of Datamonitor’s 350 business analysts. It is this combination thatmakes the new Ovum IT service especially valuable to clients: by integrating the threeteams, we can offer unique insight into the opportunities and issues facing you and yourcustomers, and dispense invaluable advice to help you create an effective technologystrategy – a process that we describe as Collaborative Intelligence.

Our comprehensive research agenda spans the full IT investment lifecycle. Our analysisand advice help you to create the optimal technology investment portfolio for theorganisation, select and implement the appropriate solutions and services, and managethose investments to realise the desired business benefits. Our coverage ranges frominsight into industry-specific business processes and analysis of vendor markets,through to radical opinion on disruptive technologies and best-practice ITimplementation guides. Here we present thought-leading research and strong examplesof Collaborative Intelligence in action, and we look forward to working in partnershipwith enterprises globally.

For more information, please contact Mike James on +44 1482 608380 [email protected]

Chapter 1: Executive summary 7

1.1 Executive summary 9

1.2 Report objectives and structure 14

Chapter 2: Cloud computing will be hybrid 15

2.1 Summary 17

2.2 Cloud computing is controversial and important 17

2.3 The public cloud market is more complex than expected 20

2.4 Private clouds are catching up with the public cloud Joneses 26

2.5 Hybrid clouds are the next frontier 28

2.6 Recommendations 31

Chapter 3: Cloud computing costs in perspective 33

3.1 Summary 35

3.2 Enterprises need to scrutinize and adapt to public clouds’ cost characteristics 36

3.3 Public cloud costings evolve, but not always as expected or for the better 40

3.4 Private clouds put public cloud costs in context 47


Chapter 4: Cloud computing quality of service in perspective 53

4.1 Summary 55

4.2 SLAs are key to cloud adoption 56

4.3 Security is the number-one cloud QoS concern 59

4.4 Reliability and availability are under increasing scrutiny 66

4.5 Scalability underpins cloud computing’s elasticity 68

4.6 The road to scalable and reliable private clouds requires new thinking and skills 69


Contents – November 2010

CONTENTS – PLANNING FOR CLOUD COMPUTING 33

Planning for Cloud

Computing

Chapter 5: Cloud governance: an overview 73

5.1 Summary 75

5.2 Cloud governance builds on IT governance 75

5.3 Cloud governance relies on the same ingredients as IT governance 80

5.4 Cloud governance, like IT governance, is a work in progress 85

5.5 ALM governance needs to expand to the cloud 87

5.6 Cloud governance builds on SOA governance 91


Chapter 6: Public clouds require IT service management to adapt 97

6.1 Summary 99

6.2 Public clouds are changing the IT function 100

6.3 Public clouds are changing the ITSM landscape 102

6.4 ITSM technology has a big role to play in managing public clouds 107


Chapter 7: Glossary 111

Chapter 8: Appendix 115

Contents – Continued

CONTENTS – PLANNING FOR CLOUD COMPUTING 55


WWW.OVUM.COM

CHAPTER 1:

Executive summary


OVUM

CHAPTER 1: EXECUTIVE SUMMARY 99

1.1 Executive summary

Catalyst

Cloud computing promises to tackles two hitherto irreconcilable IT challenges: the need to

lower costs and the need to boost innovation. However, it will take a lot of effort from enterprises

to actually make it work. Instead of moving their IT mess for less somewhere else, the ill-

prepared will end up with their IT mess spread across a wider area.

Ovum view

IT is fashion-driven, and cloud computing is the new black. Currently at the height of its hype, it willsuffer a backlash before becoming fully mainstream and established, by which time a new phrase willhave captured the imagination of IT pundits.

Key findings:

� Cloud computing is controversial and important.

� The public cloud market is more complex than expected.

� Private clouds are catching up with the public cloud Joneses.

� Hybrid clouds are the next frontier.

� Enterprises need to scrutinize and adapt to public cloud cost characteristics.

� Public cloud pricing structures are evolving, but not always as expected or for the better.

� Private clouds put public cloud costs in context.

� Service-level agreements (SLAs) are key to cloud adoption.

� Security is the number-one cloud quality of service (QoS) concern.

� Reliability and availability are under increasing scrutiny.

� Scalability underpins cloud computing’s elasticity.

� The road to reliable and scalable private clouds requires new thinking and skills.

� Cloud governance builds on IT governance.

� Cloud governance delivers the right recipe from a variety of ingredients.

� Cloud governance, like IT governance, is a work in progress.

� Application lifecycle management (ALM) governance needs to expand to the cloud.

� Cloud governance builds on service-oriented architecture (SOA) governance.

� Public clouds are changing the IT function.

� Public clouds are changing the IT service management (ITSM) landscape.

� ITSM technology has a big role to play in managing public clouds.

Some fashions are longer-lasting than others

Cloud computing as a term may have a use-by date, but the technical, operational, and commercialinnovations behind it are here to stay. Cloud computing is a real innovation in the logic of how IT is sourcedand managed and how services are delivered, and its use will grow steadily over the next 12 months.

Moving from “What is cloud computing?” to “How to make the best of it?”

It is no longer a question of whether or not enterprises will use cloud computing: they already are.However, it is still early days for both suppliers and users, many of which have yet to figure out how totake advantage of the various elements of cloud computing. There are plenty of early adopter benefitsto be gained, despite the variety of challenges that cloud computing puts in the way.

Get your hands dirty

Taking advantage of the new capabilities of cloud computing requires a change of mindset and thelearning of new skills, both of which are better done on the basis of practical experience than academicdiscussion. Getting hands-on with the cloud is the best way to understand its strengths and weaknessesand its impact.

Cloud computing is a multifaceted phenomenon

“Cloud computing” is a generic term that refers to several different ways of providing access to sharedIT resources that are consumed over a network, mostly but not necessarily the Internet. The termemerged in the second half of 2007 as a category for two emerging types of online offering:infrastructure-as-a-service (IaaS), which delivers raw compute or storage resources, and platform-as-a-service (PaaS), which delivers a complete runtime environment for developing or running applicationsfrom the likes of Amazon, Google, and Salesforce.com. It quickly expanded to a third type of onlineoffering: software-as-a-service (SaaS), which provides user access to application functionality, andwhich predates the use of the “cloud” term. In 2009–10 it expanded further from a synonym for publicclouds where the provider delivers services to a number of third parties (a category that includes IaaS,PaaS, and SaaS) to the notion of private clouds that mix old data-center design and managementtrends with new public clouds for self-service provisioning and pay-as-you-go (PAYG) billing to deliverand consume IT resources, then hybrid clouds that reflect the way IT suppliers and users mix and matchpublic and private cloud components in a variety of ways to fit their own requirements. For more detaileddescriptions of each type of cloud please see the Chapter entitled “Cloud computing will be hybrid”.

Benefits

Cloud computing

Enterprises are turning to cloud computing for the following reasons:

� Convenience: for fast procurement (and termination) of on-demand IT services available on a self-service basis from a variety of networked devices. Convenience drives faster time to market.

� Adaptation: through the ability to mix and match IT services and increase or decrease their use asrequired (clouds are “elastic”).

� Innovation: cloud computing makes it easier to try new things while taking fewer risks via a PAYGapproach known as utility computing.

� Simplicity: cloud computing short-circuits IT complexity by reducing significant elements of the ITstack to standardized commodity services.

� Lower costs: from economies of scale based on IT resource pooling coupled with the PAYGapproach to using these resources.

� Cost transparency/awareness: the ability to understand, measure, and manage who is using whichIT resources at what cost for billing, planning, and optimization purposes.

� QoS: enterprises expect public and private cloud IT resources to be more reliable, available,scalable, and secure than traditional ones.

PLANNING FOR CLOUD COMPUTING NOVEMBER 20101100

Private clouds

While public clouds are still mostly vendor-pushed rather than demand-pulled, private clouds are bothvendor-pushed and demand-pulled in roughly equal measure. Many enterprises are wary of the limitationsin terms of security and bandwidth, and the constraints in terms of application design and functionality ofthe various types of public cloud, but are curious about the possibility of adopting the technologies,designs, and best practices of these clouds in their own data center under the “private cloud” name. Theaim is to deliver similar benefits to public clouds while remaining in control of the IT infrastructure andtherefore security and compliance, and squeezing more value out of existing IT investments. Self-serviceIT frees IT departments from provisioning issues and abstracts service delivery from implementation.

Public clouds

In addition to generic cloud computing benefits, public clouds enable enterprises to:

� reduce upfront capital expenditures (capex) in favor of more flexible ongoing operating expenditures(opex) via subscription and/or PAYG schemes

� access IT resources that many did not previously have the means to buy and/or implement

� focus limited IT resources (hardware, software, budget, people) on a smaller number of projects tonarrow the gap between business ambitions and IT capabilities

� more easily share IT resources both internally and with partners because public clouds provideready-made resources instead of requiring those sharing to create the resources in the first place

� expand their reach to new countries and regions and support global operations by recruiting newtalent in lower-cost areas within as well as outside their core markets

� have easier access to Internet resources: public cloud resources have been designed from the startto integrate with other Internet resources.

IaaS public clouds

In addition to generic cloud computing and public cloud benefits, IaaS enables enterprises to:

� Reuse existing technology, code, and skills, and minimize lock-in. It does this by making it relativelyeasy to move IT resources (usually packaged as virtual software appliances) on to and away froman IaaS infrastructure.

� Have a good level of configuration control over the infrastructure resources they use such as centralprocessing unit (CPU) type, memory amount, and disk configuration, and the software (virtualappliance) they run on top of these resources within the constraints of the vendor’s service catalogue.

PaaS public clouds

In addition to generic cloud computing and public cloud benefits, PaaS:

� Enables developers to focus solely on the business logic that makes a difference to their employer;for example, the PaaS runtime automatically takes responsibility for scaling cloud applications upand down, depending on usage levels.

� Supports more granular pricing structures than IaaS. IaaS pricing applies to the running of wholephysical and/or virtual server instances (either on or off), while PaaS pricing can delve deeper intothe usage requirement of the software that makes use of PaaS resources such as price per requestmade by the software to the underlying PaaS compute, storage, and network resources.

SaaS public clouds

In addition to generic cloud computing benefits including convenience, innovation, simplicity, and lowercosts, and public cloud benefits including reduced Capex and affordable IT resources, SaaS are turnkeyofferings that have matured fast enough to represent a credible alternative to many on-premiseapplications. They are already running at scale, and customers know that they will work before they signup. Their web interfaces are usually simpler and they are upgraded more often than their on-premisecounterparts, with users usually able to turn on the new features at their convenience.


Deployment and management considerations

Cloud computing

Enterprises’ main concerns across both private and public clouds include:

� Lack of information, resources, and skills: many enterprises are not ready to consume/create cloudservices without excessive risk.

� The right approach to service-centric IT: service-centric IT is not the end but the means thatunderpins a top-down approach to IT focused on business scenarios and outcomes rather than abottom-up approach focused on technology and vendor stacks.

� Governance: cloud computing might be convenient and promote innovation but enterprises are keento ensure that these benefits are not delivered at the expense of control and vice versa.

� QoS and reliability, availability, scalability, and security (RASS): the overall expectation is that publicclouds have the upper hand when it comes to scalability while private clouds are more trustworthywhen it comes to SLAs, security, and reliability. This is not always the case, particularly when itcomes to private clouds.

� Cost transparency: public clouds are not as transparent as most expect when it comes to pricing,and cost comparisons can prove difficult as pricing structures grow increasingly complex. Privateclouds still have a long way to achieve cost transparency, more for cultural than technologicalreasons. Cost transparency across public clouds and between public and private clouds will take along time to be achieved, if ever.

� The automation, management, and orchestration related to services offered on public, private, andhybrid clouds.

Private clouds

Apart from generic cloud computing concerns, enterprises’ main concerns when it comes to privatecloud implementation include:

� Old traditional concerns related to the industrialization, consolidation, and standardization of internaldata centers: the emergence of public clouds has increased the pressure on IT departments to deliveron these objectives faster than many are ready to do, to boost utilization, reliability, and flexibility.

� New generic concerns such as the need to make data centers more energy-efficient, mostly to savemoney (rather than the planet per se), or to redesign data-center network topology from a three-tierhierarchy to simpler two-tier or even single-tier peer configurations to make it easier to move ITassets rapidly to where they are needed and to boost network performance.

� New concerns related to the adoption of public cloud-like ways to deliver and consume IT resources:implementing self-service portals and delivering cost transparency is a challenge. It makes moresense to boost the cost-effectiveness of currently owned data centers via virtualization, automationand SOA than to seek to drive costs down by turning to one or more public clouds.

Public clouds

Apart from generic cloud computing concerns, enterprises’ main concerns when it comes to public cloudimplementations include:

� Security, regulatory compliance, and intellectual property protection are the primary concerns. “Dataoverseas over my dead body” remains a common refrain.

� Reliability and availability worries are growing in importance. The pain inflicted by public cloudoutages can be anticipated and lessened with temporary fallback procedures.


� SLAs: enterprises want public cloud service providers to offer stronger as well as end-to-end SLAs

to back up their QoS/RASS claims. Vendors are unwilling to do so for reasons that are both

technology-related (especially at the level of end-to-end SLAs) and business-related (too tight

margins).

� Migration and long-term costs: enterprises struggle to figure these out as they mostly depend on

their specific circumstances.

� Demand-management to make sure that, since public cloud costs are usage-based, public cloud

use is not wasted.

� Skills. Money is less of an issue with public clouds, with lower upfront costs leading to a

democratization of IT. By contrast, this makes skill shortages an even bigger problem.

� Immature tools for the testing, deployment, scaling, monitoring, migration/movement, and overall

lifecycle management of IT resources deployed on public clouds.

� Interoperability: public cloud offerings favor integration. Portability is mostly limited to data portability.

There are many standardization efforts around public clouds, most of them immature.

� The immature and rapidly evolving nature of the IaaS and PaaS markets, where vendor viability is

a bigger issue than technology maturity.

� The environmental impact of the data center infrastructures that underpin public clouds despiteclaims by vendors that their state-of-the-art data centers maximize utilization and have as low acarbon footprint as they can have.

IaaS public clouds

Apart from generic cloud computing and public cloud concerns, enterprises’ main concerns when itcomes to IaaS implementation focus on:

� how to understand and keep track of costs as IaaS cost structures become increasingly complex

� how to design, manage, and monitor software appliances to deliver satisfactory QoS/RASS levels

� how to port software appliances from one IaaS offering to another to minimize lock-in, or frominternal data centers to IaaS to maximize the reuse of existing software appliances.

PaaS public clouds

Apart from generic cloud computing and public cloud concerns, enterprises’ main concerns when itcomes to PaaS implementation focus on the technology and design constraints imposed by the PaaSenvironment. These constraints make it impossible to migrate applications from internal IT

infrastructures to PaaS and back again (unless the two use the same PaaS platform), or move them

between PaaS offerings.

SaaS public clouds

Apart from generic cloud computing and public cloud concerns, enterprises’ main concerns when itcomes to SaaS implementation focus on the depth and breadth of the delivered application functionality

as well as the configuration/customization and integration/data-portability facilities. The danger for SaaSapplications, as for their on-premise counterparts, is to customize them too much.

SaaS customers are also asking for clearer and simpler pricing models (for example, fewer for-a-feeoptions such as mobile client support) and are concerned about the privacy issue related to vendors

collecting usage data, although the collection can, for example, help them to come up with best-practiceguidance and benchmarks.


1.2 Report objectives and structure

Chapter 1 – Executive summary

This chapter provides a high level overview of the entire report and its key findings

Chapter 2 – Cloud computing will be hybrid

Cloud computing is all the rage. It will not replace current IT offerings but will add to them inconfigurations that will increasingly be hybrid. This chapter explains how and why.

Chapter 3 – Cloud computing costs in perspective

Cloud computing’s main promise is that is can cut IT costs, which is easier said than done. This chaptergoes into the details of what enterprises need to keep in mind to achieve some of the cost savings theywere aiming for when first considering cloud computing.

Chapter 4 – Cloud computing QoS in perspective

Enterprises want lower costs but not at the expense of QoS in areas such as RASS. This chapter looksinto their QoS/RASS concerns and details whether, and to what extent, cloud service providers aremeeting these concerns with better SLAs.

Chapter 5 – Cloud governance: an overview

Cloud governance enables enterprises to exploit new opportunities and tackle cloud computing in asystematic manner (instead of the piecemeal approach that currently characterizes most cloud-computing-related initiatives). This chapter explains why a systematic approach needs to be woven intocurrent ALM and SOA governance efforts as part of IT governance’s efforts to cross-reference andcoordinate governance initiatives.

Chapter 6 – Public clouds require IT service management to adapt

As the adoption of public cloud services becomes more prevalent, IT organizations face a variety of newITSM challenges. This chapter details why they need to ensure not that only existing policies,processes, procedures, and supporting technologies are fit for externally delivered IT services, but alsothat the IT function remains relevant to the business as an effective part of the IT service delivery chain.

Chapter 7 – Glossary

A glossary of commonly used terms has been included.

Chapter 8 – Appendix

This chapter contains information about additional reading and the methodology used for this report.



WWW.OVUM.COM

CHAPTER 2:

Cloud computing will be hybrid


OVUM

2.1 Summary

Catalyst

Cloud computing is emerging as a major disruptive force for both IT vendors and users. It is still

very early days, however, for what many rightfully consider to be the most important trend of

decade. The next three years will see cloud computing mature rapidly as vendors and

enterprises come to grip with the opportunities and challenges that it represents.

Ovum view

Some define cloud computing very narrowly as infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) public clouds. Others, Ovum included, include software-as-a-service (SaaS) public andprivate cloud offerings. A wider perspective helps in understanding one of the key trends in cloudcomputing: cloud computing will be hybrid.

Cloud computing promises to tackles two hitherto irreconcilable IT challenges: the need to lower costsand the need to boost innovation. However, it will take a lot of effort from enterprises to actually makeit work. Instead of a nimbler IT firm with its “mess for less” somewhere else, the ill-prepared will end upwith their IT mess spread across a wider area.

Key messages

�� Cloud computing is controversial and important.

�� The public cloud market is more complex than expected.

�� Private clouds are catching up with the public cloud Joneses.

�� Hybrid clouds are the next frontier.

2.2 Cloud computing is controversial and

important

It is early days for cloud computing

A fashion that will not go away

The IT industry is fashion-driven. For most vendors, as well as an increasing number of users, cloudcomputing is the new black. The hype surrounding it is currently at its climax, as everybody scramblesto “out-cloud” the competition.

Fashions come and go. Two to three years from now, another buzzword will have replaced “cloudcomputing”, yet cloud computing itself will not go away. It will become a permanent feature of the ITlandscape, among other types of IT consumption model. It will turn into the “little black dress” of the ITindustry: fashionable at first, then a classic.

Important but immature

While there is a growing consensus on the importance of cloud computing, the debate still goes on asto its nature, scope, and impact – a clear sign of immaturity. Everybody has their own definition, whichcauses confusion. The variety of these definitions reflects:

CHAPTER 2: CLOUD COMPUTING WILL BE HYBRID 1177

� the multiple roots of cloud computing, which originates from developments in technology (growth incomputing power and broadband connections, grid computing, virtualization), pricing/licensingmodels (subscription, pay-as-you-go), business models (Amazon expanding from retail to IT), andso on

� the twisting of the concept to fit the marketing approaches of an increasing variety of vendors.

Users have still to come to terms with it…

Users’ response to cloud computing, like other technology innovations, oscillates between conflictingpersonalities, best characterized by the children’s book archetypes of Toad of Toad Hall (‘Hurray for theshiny new thing!’), Eeyore (‘Ho hum, seen it before. Didn’t work last time and won’t work now.’), and ChickenLittle (‘Alarm! Disaster is upon us!’). The market may be curious about cloud computing and willing to talkabout it, but it is also mostly confused and skeptical when it comes to actually implementing it.

…so have vendors

Vendors are trying to position themselves as market leaders in cloud computing, either as thoughtleaders, technology innovators, business value providers, or some combination thereof. They want tobe seen as shaping the industry’s broader cloud agenda and, at the same time, working with customersto show where cloud services can deliver “real-life” business and IT benefits. They are trying to besmarter, more explicit, and more proactive in how they explain and differentiate their cloud offerings but,as victims of their own hype, are finding it harder to differentiate their cloud computing offerings. Manyare still unclear about how, and to what extent, they will make cloud services profitable both on theirown and as part of the new cloud computing ecosystems currently forming.

Ovum stands by with a helping hand

This report clarifies and puts in context the variety of elements that are part of the current debate about,and the approaches to, cloud computing. Ovum does not wish to add its own definition to the long listof definitions already drawn. We have no intention of defining boundaries then declaring any particularcomponent, approach, or perspective out of bounds. Instead, we seek to understand what the supplyand demand sides of the IT market do in its name and to what extent this makes sense.

Evolution and disruption

Some see cloud computing as a disruptive breakthrough. Others consider it the result of a slowevolution. It is both.

Evolution

Cloud computing builds on the evolution of a variety of IT technologies (broadband connections,virtualization, etc.), designs (service-oriented architectures, multi-tenant applications, etc.), and bestpractices (e.g. for large-scale enterprise IT management). Many of its characteristics have been aroundfor quite some time. For example, the shared use of excess capacity brings many back to the early daysof corporate computing when time-sharing was the norm. Similarly, online shared services haveunderpinned the Internet itself (e.g. domain name registries) for years and various industries for evenlonger. Examples include global transaction platforms in the finance industry as well as computerreservation systems and global distribution systems (CRS/GDS) in the travel industry. What matters isnot that cloud computing recycles certain ideas and technologies (or that older offerings are rebrandedas cloud computing) but how this recycling (and re-badging) impacts the use and evolution of IT.


Disruption

Cloud computing not only recycles ideas and technologies (among other things) but also reflects disruptiveIT industry trends such as the transformation of the Internet from a content delivery platform into a softwaredelivery platform. And it is not just about Internet trends. It reflects and accelerates the commoditization ofboth hardware and software as well as the weaving of software deeper into the fabric of our economiesas well as societies. It moves the IT industry’s focus from hardware towards software and services, and indoing so blurs the lines between all three. Some equate this restructuring with the ones that occurred inother industries, such as electricity (which moved from local generation to national grids) and automotive(which moved from companies owning and maintaining their own fleet of cars to renting).

It impacts the way enterprises relate to:

� Their IT: it impacts the way they define, create, procure, and consume IT assets.

� Their IT departments: cloud computing enables (by freeing IT people to focus on key projects) andundermines (by enabling users both within and outside IT departments to bypass establishedprocesses) enterprise-wide IT strategies. It redirects IT people to new activities that generatecompetitive advantage as well as to their local job center via redundancies.

� One another: among other things, it makes available to SMEs what was formerly only available tolarger organizations, and makes it easier for companies to share IT assets.

� Their IT vendors: cloud computing shifts the risk of investing in, and managing, IT to the vendors.

This makes it a slow-moving phenomenon, as relationships evolve much more slowly than technology.

Public, private, and hybrid clouds

Public clouds: SaaS then IaaS and PaaS

The “cloud” in cloud computing refers to the Internet. In this public space, cloud computing started asSaaS, with Salesforce.com as the flag-bearer of this new software delivery model. It then moved to IaaS,with Amazon as the key pioneer, and then PaaS, with Google and Salesforce.com leading the way.

The trendsetters were all relatively new Internet-centric companies rather than software or IT serviceincumbents (e.g. IBM, Microsoft, Accenture). The incumbents, however, are scrambling to catch up andhave the muscle it takes to elbow their way in. No one company has a market-leading position andmany vendors are, by now, playing in at least one of the three public cloud domains.

Private clouds

In the past 18 months, an increasing number of vendors and users have been pulling the cloudcomputing blanket into the private IT space, to the horror of those that define cloud computing as astrictly public phenomenon. What matters, however, is not whether or not private clouds are clouds atall but how, and to what extent, private clouds relate to public ones and impact the way IT infrastructuresare currently evolving.

Hybrid clouds

The problem with defining boundaries in the IT industry is that technologies and their packaging areevolving in a way that quickly blurs these boundaries. In the cloud computing space, hybrid offeringsare emerging between public and private clouds as well as between traditional IT services offerings(e.g. hosting, outsourcing services) and public cloud ones (see Figure 2.2.1). In fact, the hybrid cloudspace is where most cloud computing breakthroughs will happen in the next five years.


2.3 The public cloud market is more complex

than expected

Infrastructure-as-a-service

Basic infrastructure building blocks

IaaS combines compute or storage or both with network resources based on standardized hardware(servers, switches, routers, etc.) and software components (hypervisor, operating system, management, etc.)and associated services (Internet addressing, directory and security services, etc.). They usually require theapplication components that run on top of IaaS building blocks to be packaged as virtual machines.

Wide variety of offerings

There is a wide variety of IaaS offerings, which reflect the immaturity of the IaaS market. Among otherthings, these offerings vary in the following ways:

� Scope: some are limited to one area (e.g. storage with Nivanix) while others offer a broad range ofservices (e.g. Amazon Web services include compute, storage, database, and message-queuingservices, among others).

� Focus: some are generic (e.g. Amazon EC2), others are specific (e.g. IBM’s offering focuses onworkloads such as application development and testing).

� Configuration: some enable users to do some configuration (e.g. central processing unit and memoryconfiguration for servers). Others do not offer configurable options.

� Technology: some limit themselves to support for Linux and Windows. Others support a wider range ofoperating systems such as Solaris. Some support custom virtual machine images. Others don’t.


Public

cloud

Hybrid

cloud

Outsourced

IT assets

Private

cloud/

internal

data center

Figure 2.2.1: The emergence of

hybrid clouds Source: Ovum

New vendors are emerging, eager to add a specific spin to the IaaS theme. This trend will continue for atleast two years; then, as the IaaS market matures and consolidates, it will standardize.

Ecosystem platform (e.g. Amazon)

Amazon has become the yardstick by which every other IaaS offering is measured. IaaS and PaaSproviders define their pricing strategy against Amazon’s. A wide ecosystem is expanding around it, withindependent software vendors (ISVs), for example, keen to:

� add value on top of it (e.g. EngineYard’s Ruby on Rails platform on top of Amazon’s compute service)

� use it as a new software delivery channel (e.g. Oracle partnered with Amazon to deploy Oracle softwarein preconfigured Amazon virtual machine images and to enable database backups on the Amazonstorage service)

� build a business on top of it.

Platform-as-a-service

Makes it easier to develop and run applications

PaaS adds a new layer of software services on top of those usually found in IaaS to make it easier todevelop and/or run (web) applications. While some, but not all, PaaS offerings feature development tools,they all offer run-time services usually found in application servers (e.g. transaction management, processenablement, scalability, user authentication, cache, etc.). For example, the PaaS run-time automaticallytakes responsibility for scaling cloud applications up and down, depending on usage levels. Developers donot have to hard-code this elasticity into their applications as they would in an IaaS environment.


As with IaaS, PaaS offerings differ in a variety of ways: not just the portfolio of technologies and servicesthat they offer and the way that they allow users to make use of these, but also in the way that theyapproach run-time (e.g. reliability), development (e.g. the ability to develop outside, not just inside, of thePaaS environment), and deployment (automation) issues.

Ecosystem platform

Like IaaS, PaaS is: a platform on which new software ecosystems, not just applications, are being built;related to online marketplaces in which ecosystem participants offer their wares; and encouragingdeveloper and user communities, not just marketplaces.

Evolving towards more specialization and abstraction

The PaaS environment both helps and constrains developers in a variety of ways (application language,tools, design, etc.), which makes it difficult to migrate applications from internal IT infrastructures to PaaSand back again. As the PaaS market matures, it will divide between specialized environments that focus onone particular set of technologies (e.g. Force.com from Salesforce.com) and more generic environmentsthat seek to lessen the constraints PaaS imposes on developers and applications (e.g. Appistry’s Cloud IQ).

Software-as-a-service

The most developed public cloud market

SaaS combines application-functionality delivery via a web browser with data encryption, transmission,access, and storage services. It can be consumer-centric (e.g. Flickr photo storage, management andsharing offering), enterprise-centric (e.g. Salesforce.com’s and Microsoft’s CRM offering), or both (e.g.Google’s Gmail email offering).

The SaaS market was the first to develop and, as a result, there are now SaaS alternatives to many, if notmost, enterprise and consumer software products. It has expanded rapidly, attracting the attention ofsoftware incumbents, which has fueled further expansion and competition. The pioneer in the enterprisesector (ten-year-old Salesforce.com) recently became the first pure-play SaaS vendor to reach $1 billion inrevenue. Other SaaS companies such as NetSuite, RightNow Technologies and Workday aim to follow suit,although the next big SaaS vendor is more likely to be an incumbent such as Microsoft.


Part of the cloud computing phenomenon

Some point out that SaaS predates cloud computing and differs from IaaS and PaaS in a variety ofways (e.g. some SaaS offerings are not available on-demand on a pay-as-you-go basis). They preferto exclude SaaS altogether from their definition of cloud computing, which they limit to IaaS and (inmost, but not all, cases) PaaS. Others do include the enterprise-centric elements of SaaS but excludeits consumer-centric ones. Ovum believes that SaaS is part of the cloud computing phenomenon. Theobjective of this report is to help you understand how SaaS, in its diversity, relates to IaaS and PaaSas well as private clouds.


SaaS offerings vary not just in terms of the type of application functionality delivered but also thebreadth and depth of configurability and customization allowed as well as the back-end infrastructurethat underpins this functionality. For example, some have a multi-tenant design, while others usevirtualization to achieve a one-to-many deliver model. While IaaS and PaaS are likely to standardizewithin the next three years, SaaS will continue to spread in various directions for a while longer. Besidesthe expansion from business applications down into PaaS (e.g. Salesforce.com’s Force.com offering)and out into vertical market-specific software, one of the next big trends in this market will be theemergence of new SaaS offerings based on a combination of other SaaS offerings (including consumerand enterprise SaaS combinations, such as Salesforce.com’s and Parature’s integration with Twitter).

SaaS and process: business-process-as-a-service

Above the standardized SaaS layer exists a budding business process-as-a-service layer wherevendors provide a more complete combination of business process, data, and services. An example isthe Australia-based Workforce Guardian service that helps customers implement compliantemployment processes, including constantly updated template contracts, letters of offer and terminationand detailed process guidance specific to employment legislation. An increasing number of end userswill also make available some of their internal processes as a service to third parties. Ovum knows ofone financial company that has recently done so.

The next step, which some call “business-as-a-service”, is to take over the delivery of the service (e.g.payroll) on an outsourced basis.

SaaS and professional services: Service-with-Software

Besides pure-play SaaS vendors, a number of players offer SaaS and business services in onecontinuous, single unified service in a variety of markets. A good example is Experian. Everyone thinksof Experian as a credit reference agency, but it is more than that. On top of its data provision service,the company has built a range of SaaS decision-support and marketing tools.

This “service-with-software” approach is also likely to be adopted by an increasing number of end-usercompanies, especially those in the professional service sector such as recruiting agencies,accountancy/audit firms and legal services providers. Using SaaS allows businesses in these sectorsto enhance the value of – and reduce the cost of delivering – their services. For example, suppose thatan audit firm required its customers to use its SaaS accounting software to manage their businesses.At the end of every audit period, the accounting firm would have all the information it needed to performthe audit, already pre-processed into the format required.

Hosted software to SaaS continuum

There is an increasingly complex continuum between application-centric IT services and SaaS.Application-centric IT services include:

� Hosted dedicated software: vendors own and run the software on their own servers but deploydifferent instances of the software for each customer.

� On-premises managed applications: the application resides on the enterprise’s server or premisesbut is owned and managed by the vendor.

Unlike SaaS offerings, they do not typically include the cost of the license and do not usually rely on amulti-tenant architecture. The latter is key to reducing management costs.


IaaS, PaaS and SaaS interactions

Not quite a stack

IaaS, PaaS, and SaaS are usually graphically depicted as a stack, with IaaS at the base, PaaSsandwiched in the middle and SaaS on top. This depiction is useful but it leads to a number ofmisconceptions (e.g. that SaaS depends on PaaS, that IaaS is inferior to PaaS, etc.). SaaS can run ontop of either IaaS or PaaS environments, among others (private cloud, outsourced data center, etc.),while IaaS and PaaS environments can run any type of application, not just SaaS ones (as shown inFigure 2.3.1).


Non-SaaSapplications

PaaS(tools – runtime)

IaaS(compute – storage – network)

Internal and/oroutsourced

IT infrastructure

SaaSNon-SaaS

applicationsSaaS

Figure 2.3.1: Not quite a stack Source: Ovum

PaaS offerings have IaaS components (e.g. Microsoft’s Azure Service Platform has an IaaS storagecomponent). Some are layered on top of, and independent from, an IaaS foundation. For example,Tibco Silver is available as a pre-built, preconfigured Amazon Machine Image (AMI) and Tibco plans toadd support for other third-party IaaS environments, including those supporting VMware technology.

Different markets that vendors are increasingly striding

IaaS, PaaS, and SaaS are different markets that cater to different needs, types of application and targetaudiences. IaaS and PaaS target IT personnel (developers and IT operations), while SaaS targets bothIT personnel (with development tools for developers, for example) and end users (with businessapplications). No single provider currently offers a comprehensive and complete suite of IaaS, PaaS andSaaS, but we expect big infrastructure vendors to do so within a year, for customers, partners and thirdparties to mix and match. As a result, the boundaries between IaaS, PaaS, and SaaS are likely to blur.

Hard to differentiate at times

It can already be difficult sometimes to clearly distinguish between IaaS, PaaS, and SaaS. Storageservices, for example, can be IaaS (e.g. Amazon S3) or part of a PaaS or SaaS offering. Some areSaaS relying on IaaS (e.g. Zmanda back-up on Amazon S3). Virtual desktop infrastructure software isanother good example. Some define it as an IaaS offering because it is infrastructure software, othersas a SaaS offering because it delivers desktop functionality online. It is SaaS, not IaaS.

Common characteristics

IaaS, PaaS, and SaaS have various characteristics in common:

� They are online services delivered by a third party available to any connected devices over theInternet (or other networks) via web-browser graphical user interfaces (GUIs) and to other softwaremostly through open application programming interfaces (APIs). The latter vary depending onwhether the service is IaaS, PaaS, or SaaS (and between offerings in the same area, e.g. IaaS,which creates complexity).

� They offer standardized services. They are user-centric greenfield approaches to simplifying andstandardizing IT to make it much easier to try, buy, and consume IT services. Standardization wasinitially viewed as a limitation (especially for SaaS), but is increasingly becoming best practice.

� They do not require ownership or management of hardware or software (other than the accessdevice). The service provider takes care of hosting, developing, managing and maintaining theservices.

� They are always on. They rely on massive data centers that mix virtualization and automated systemmanagement technologies to provide economies of scale (and low cost) as well as a satisfactoryquality of service (QoS) in areas such as reliability, availability, scalability, and security (RASS). Theyuse operational support systems for functionality such as management and reporting and businesssupport systems for functionality such as usage metering, service activation and billing. These varydepending on the type of public cloud offering.

� They are available via a self-service online catalogue or portal that offers transparent pricinginformation. Besides being self-service, they enable customers to access peer support.

� They enable vendors to upgrade all users centrally and evolve the service iteratively based oncustomer feedback as well as actual user behavior data.

Positive feedback loop

There is a positive feedback loop between all three types of public cloud offering, as follows:

� SaaS users are likely to be more open to experimenting with IaaS and PaaS, and vice versa.

� The lower cost that IaaS and PaaS provide via economies of scale will lower SaaS cost (as SaaSvendors increasingly build their offering on a PaaS or IaaS foundation, or both), thus strengtheningSaaS and expanding the potential of IaaS and PaaS for economies of scale.

� A growing ecosystem of partnerships is being built that straddle all three public cloud domains (e.g.the alliance between Salesforce.com, Amazon, and Google allowing enterprises to use Force.comPaaS platform as the main platform, but to reach out to Amazon for its IaaS offering for storage andto Google for SaaS document sharing and collaboration). Partnerships are also growing within eachmarket (e.g. the alliance between SaaS providers NetSuite and Salesforce.com to create SuiteCloudConnect).

Convergence

This feedback loop is strengthened by the increasing convergence of SaaS with IaaS and PaaS froma variety of perspectives:

� Infrastructure: besides building their own data centers or outsourcing them, SaaS ISVs increasinglyuse IaaS or PaaS clouds, or both, as the foundation for their services, especially since an increasingnumber of IaaS/PaaS providers (e.g. Fujitsu) target them with SaaS ISV-specific services.

� Service portfolio: Salesforce.com, for example, has expanded from SaaS to PaaS (Force.com).Google and Microsoft started with SaaS then moved to PaaS. IBM offers both IaaS and SaaS but islikely to expand to PaaS.

� Ecosystem: cloud computing vendors are increasingly partnering with one another.

� On-demand availability on a self-service basis: most consumer SaaS services are available on thisbasis, the way that IaaS and PaaS are. This is less the case for enterprise SaaS (but not all, e.g.Webex), although some enterprise SaaS offerings (mostly from new start-ups) are moving in thisdirection.

� Pricing: many consumer SaaS offerings are free to use (financed by advertising), although anincreasing number of vendors are moving towards subscription revenues. IaaS and PaaS areunlikely to adopt the same approach, although some vendors will move towards free-to-try or set-upofferings, or both.


� Pricing/licensing elasticity: most enterprise SaaS is available via automatically renewed annualsubscription contracts that make it relatively easy to increase the number of user seats but notdecrease them: the latter is usually only allowed at the end of annual subscriptions. Newcomers(rather than incumbents that will stick to the subscription model) will adopt a more IaaS/PaaS-likeusage-based/metered approach with no long-term commitment/contract and the ability to scaleusage up and down on demand. Amazon is also pushing ISVs in this direction. Its market presenceand established metering and billing processes have resulted in many software offerings beingavailable as SaaS on the Amazon IaaS cloud (using virtualization to achieve a one-to-many deliverymodel). IBM, for example, is expanding the portfolio of its software available on Amazon EC2, basedon a new Processor Value Units pricing model. IaaS and PaaS will move in the opposite direction,towards a subscription model. Some enterprises, especially large ones, prefer the more predictablesubscription approach to pricing, which often includes volume discounts.

Wider perspective

IT services impact on public clouds

The boundaries are not only blurring between IaaS, PaaS, and SaaS but also between cloud computingofferings and traditional IT service offerings (e.g. hosting and outsourcing). The flexible pay-as-you-go-and-as-much-as-you-consume approach of part of the cloud computing phenomenon could have anobvious effect on services firms’ bottom lines, and such firms are understandably not ready to abandontraditional businesses in favor of trumpeting “cloud-only” models for their enterprise customers. Fornow, they are positioning cloud-based services as an additional delivery model, one that could work intandem with IT services delivered either in-house or through an external provider.

They position themselves closer to cloud computing not only by providing IaaS, PaaS, or SaaS cloudsor all three themselves, or mixing public cloud services consumed in a one-to-many model withdedicated one-to-one (on- or off-premise, or both) services, but also by adding public cloud computingcharacteristics (e.g. fast provisioning) to their traditional services. Customers have started to mix andmatch traditional IT and public cloud computing offerings. For example, Wordpress.com combineshosted servers and Amazon’s S3 IaaS storage services to run its blog platform.

Cloud computing is transforming the relationship that IT service providers have with their customers.With cloud computing, whose value proposition centers on the delivery of a standardized set ofservices, the customer adapts to the offering, not the other way around, as was the case until now forIT services. We expect a lot of hybrid solutions stemming from the convergence of these twoapproaches (with various balance levels between adaptation to customers and customer adaption).

Public sector impact on public clouds

When it comes to IT, the public sector used to be the last to know and implement. This is no longer thecase. For a variety of reasons (renewed focus on cutting IT costs, creation of shared services, etc.), thisvertical sector has morphed into a much more aggressive user of IT assets, with a particular interest inopen-source software and cloud computing. Its influence on the IT market is compounded by the factthat it is not only a user but also the legislator.

Government clouds (g-clouds) are emerging not only for internal use (between public sector agencies)but also as tools to promote national interests and the local ICT industry. The objective is to avoidsubstantial proportions of national IT workloads, along with their tax revenue and employmentopportunities, moving offshore. To do so, governments need to bring together the often separate, andcontradictory, policy portfolios of industry development and public sector efficiency to drive investmentin domestic cloud infrastructure.

G-clouds will not be the only vertical market-specific public clouds to emerge. One of the key trends inthe cloud computing movement will be the verticalization of public cloud offerings.


2.4 Private clouds are catching up with the public

cloud Joneses

Cloud computing shifts to private clouds

In the first 18 months of its existence, cloud computing was a purely public phenomenon. The following

18 months saw a significant shift in focus away from public clouds towards a new concept (that of the

private cloud), owing to a powerful mix of vendor push and user pull.

Vendor push

The private cloud is, to a large extent, a rebadging of what data-center-focused hardware, software, and

service vendors have been doing under different names (utility computing, autonomic IT, on-demand

data center, etc.) for the past ten years. In this market, vendors offer either building blocks or complete

solution offerings. For example, IBM offers:

� The IBM CloudBurst Smart Business System platform, which combines hardware, storage and

networking components with virtualization and management software as well as on-site QuickStart

implementation (and training) services. It is part of IBM’s ongoing efforts to combine network,

compute, and storage capabilities into packaged offerings that are easier to manage and consume(with single invoice, installation, and support structure).

� The Smart Business (private) cloud, which is a service-wrapped hardware and software offering thatcan leverage existing IT infrastructure or use IBM CloudBurst, or both. It is a natural extension ofIBM’s data center building and management capabilities. IBM can not only put a private cloudtogether, but also manage it – or leave its management to the customer.

Many of IBM’s IT service competitors have made similar moves.

Not only incumbents like IBM but also cloud computing start-ups (mostly in the PaaS domain) are taking akeen interest in private clouds. They want to bring public cloud technologies into the data center, with theambition to elbow the incumbents out of (at least parts of) the data center (as well as help customersmanage complex, hybrid IT infrastructures that combine public cloud resources with locally managed ones).

User pull

Many users are wary of the QoS/RASS as well as legal/compliance limitations of the various types of

public cloud, but are curious about the possibility of adopting the technologies, designs, and bestpractices of public clouds (e.g. virtualization, standardization and automation) to create elastic pools ofIT resources within their firewall to cut costs and make it easier and faster to provision new services.

Users’ caution is strengthened by the unwillingness of some IT departments to adopt public cloud

components for fear of losing control (as well as their jobs).

The shift reflects the maturation of cloud computing

Many disagree with the notion of the private cloud

Many consider the notion of the private cloud to be an oxymoron for a variety of reasons, including:

� Semantics: since the “cloud” is the Internet, and the Internet is a public infrastructure, clouds cannot,

by definition, be private. They are about third parties providing services via the Internet.

� Economics: cloud computing is about changing the way IT resources are paid for, not just

consumed. It enables users to avoid upfront infrastructure costs. They simply rent, which makes it

easier for them to move on.

� Infrastructure: a key feature of cloud computing is scale, and not all private clouds will have sufficient

scale to actually be clouds at all.


� Marketing hype: vendors seeking to sell new hardware, software and services to enterprise chiefinformation officers (CIOs) are the guilty parties here. Public cloud supporters argue that extendingthe definition of cloud computing to private clouds stretches the concept so much that it loses allmeaning. They also point out that it will lead to users getting increasingly skeptical as the term getsapplied to all and sundry.

We agree with most of these points, yet we do not believe that arguing over definitions is worth theeffort.

It is simply a reflection of cloud computing’s success

Every IT trend, when it gains momentum, gets redefined as an increasing number of vendors and usersmanipulate it to fit their needs and expectations. From that point of view, the current market interest inprivate clouds is a natural evolution of cloud computing. It is the price cloud computing has to pay forbecoming mainstream, reflecting the need to relate the success of public clouds to what currently existsinside firewalls. Rather than fight over definitions, we’d rather understand how, why and to what extentpublic and private clouds relate to one another.

New twists and old trends

Old trends

Infrastructure vendors have long been busy promoting the industrialization, consolidation, andstandardization of “next-generation” data centers based on:

� automated management processes to scale the infrastructure without having to scale the ITworkforce with it

� virtualization technologies to boost utilization and allocate resources dynamically

� service-oriented architectures (SOAs) to redesign IT software into reusable components and get ridof IT silos in shared IT infrastructures.

New twists

The private cloud embraces automation, virtualization, and SOA while increasing data center focus onthe following, among other things:

� Self-service portals that provide instant on-demand access from a catalogue: the cataloguebecomes the key interface that provides product detail and pricing information, enablesconfiguration, manages the ordering process, and offers account management tools. It is also keyto make sure that governance policies apply to clouds: IBM’s Service Catalog portal, underpinnedby Tivoli Service Automation Manager, for example, enables IT departments to limit users’ choicesto a predefined set of services.

� Providing access not only to internal standardized and reusable services but also to a marketplaceof vetted applications and a community of peers: IBM, for example, has an online catalogue for bothits SME and large enterprise Smart Business offerings. While the SME online catalogue is genericand geared towards third-party partners (26 in India and 16 in the US as of May 2009), the largeenterprise catalogue is workload-specific and, in the case of application development and testworkload, mostly limited to IBM software. The SME-focused IBM Smart Market is not just an onlineapplication store, but also a marketplace and related portal with Web 2.0 features to compare, rate,and buy applications and services (such as managed security and hosted backup). It is also acommunity in which clients, experts, and vendors interact. The large enterprise equivalent is likelyto evolve along these lines.

� Usage monitoring and chargeback mechanisms: metering and billing is the next frontier when itcomes to private (and public) clouds. Many enterprises are not able to calculate then allocate costs,despite being willing to do so, as they do not have the necessary infrastructure, processes andmetrics in place.


Two roads ahead

The public cloud space is neatly segmented into IaaS, PaaS, and SaaS, but the private cloud space is moreamorphous. Users are unsure of, or have very different views on, what constitutes a private cloud, whichmakes any survey about the subject pretty meaningless. Vendors approach them from two perspectives:as a journey and as a shortcut.

Private cloud as a journey

The first approach defines the private cloud as a long, patient evolution that starts with companiesunderstanding what they currently have, then shaping it slowly to achieve a fully dynamic sharedinfrastructure. From this perspective, the private cloud is the aim of the data center evolution journey. It isfrom this standpoint that many discussions around cloud computing start. By and large, customers rarelyapproach services providers to inquire about implementing cloud services within their organization; moreoften a discussion around security or virtualization may eventually evolve into broader strategies aroundleveraging the cloud for some cost or operational efficiencies.

Private cloud as a shortcut

The second approach emphasizes the need to take shortcuts along the way by pushing parts of the datacenter ahead to deliver focused return on investment. From this perspective, the private cloud is the part(s)of the data center that is ahead of the rest. Some shortcuts are technology-centric: they are aboutpurchasing modular hardware and software components tuned up to specific workloads, such as test anddevelopment. Some are design-centric: the objective is to turn existing IT assets from siloed resources intopools of resources to be shared (pools that are defined as “private clouds”). A good example is the bladefarms that finance companies are using for processing-intensive applications such as simulation (e.g.Monte Carlo risk analysis). The goal of the redesign of these farms is to make available their computeresources for other applications, not just simulation.

Two approaches to be reconciled from a process, not technology, perspective

What is needed is a way to reconcile the two approaches (private-cloud-as-a-journey and -as-a-shortcut) tounderstand when, on the road towards a next-generation data center, users should take shortcuts.Unfortunately, most vendors currently emphasize the second approach rather than trying to reconcile the two.

They also take an overly technology-centric approach: standardization, virtualization, and automation areonly the starting point, not the endgame. The focus should be on people, policies and processes rather thantechnology, from both an IT-business alignment and an internal IT point of view. For example, data centermanagers need to consolidate processes, policies, and best practices (logical consolidation) before tacklingphysical consolidation, not the other way around.

They also have a tendency to minimize the challenges of transforming a traditional IT shop into a shiny newprivate cloud (as they did when the fashion was to redesign the IT shop on a SOA basis). This requiressignificant investments in the latest data center technologies and the skills to operate them. The problem isthat you can’t make a silk purse out of a sow’s ear. In many cases, it is a triumph of hope over experienceto allow a CIO to run a big project to build an internal cloud, which is the reason some prefer to just go outand rent an existing cloud or buy one pre-built from IBM or HP.

2.5 Hybrid clouds are the next frontier

From public to private clouds

Public clouds encourage data center transformation

Public clouds encourage enterprises to move to a next-generation data center or private cloud faster thanthey would have done if public clouds were not present as an example to follow. These enterprises willimport some of the technologies and best practices of the massive data centers that underpin public clouds.


Public clouds extend private clouds

As an extension, the public cloud provides a place for private clouds to reach when and where there isa short-term need for extra resources – hence the term “cloudburst”, whereby private clouds “burst” intopublic clouds, driven by “bursty” software whose resource requirements (such as storage andcomputing) see-saw considerably. The objective is to help clients avoid having to build another datacenter for peak requirements.

Public clouds complement private clouds

As a complement, the public cloud provides a domain in which enterprises can offload computingactivities they do not wish to do themselves (for a variety of reasons such as high costs or insufficientresources), leaving more of their resources free to focus on private-cloud-based IT activities that delivercompetitive differentiation.

A variety of hybrids

Not public or private, but both, and then some more

When not debating the nature of a “true” cloud, participants in the cloud computing discussion like toexplain why their preferred type of cloud is better than the other. Some define private clouds as superiorto public ones because they offer more control and can run legacy applications, among other things.Others favor public clouds because of their flexibility, lack of upfront capital expenditures (capex), etc.

Each type of cloud has its strengths and weaknesses, but that does not make it necessarily better orworse than the other, simply different. The “yours is better than mine” private-versus-public debate is allthe more pointless because the reality of cloud computing is not at the extremes but in the middle,being:

� not just one or the other but a mix of private and public clouds

� not just one and the other but a variety of hybrid offerings in between.

For example, an increasing number of companies will turn part of their private cloud into a public one,for partners as well as customers. Some of these offerings will be infrastructure (IaaS/PaaS-type) ones;other will be SaaS/business process offerings.

Generic-specific cloud hybrids

Some point out that private clouds are generic (they need to be able to run a variety of workloads), whilepublic clouds are specific (optimized to run a particular type of workload). Others believe it to be theother way around: private clouds can be customized more easily for specific needs, while public cloudsare more generic because they are designed around a common denominator approach for satisfyingthe needs of a broad range of workloads.

In reality, private clouds can be whatever they need to be, and the link between public clouds andspecific ones is not so clear-cut. Broadly speaking:

� IaaS clouds are generic. They provide an infrastructure capable of running a variety of workloads.

� PaaS clouds are halfway houses. They constrain the design of the software that they run in order tooptimize performance. As a result, they may not be suitable for certain workloads.

� SaaS clouds are mostly specific, optimized to deliver a particular type of workload (although theunderlying platform of many of them is maturing into an increasingly generic one).

Dedicated – shared cloud hybrids

Others point out that private clouds are usually dedicated to a single organization, while public ones areshared.


The two issues are orthogonal to one another:

� Some private clouds are shared: The notion of a private shared cloud is particularly popular amongpublic sector organizations at the moment. We expect that the success of cloud computing as aconcept will lead to more shared private clouds across different organizations, not just business unitsof the same organization. For example, IT services company Savvis offers a variety of cloudservices, available both as a dedicated infrastructure offering devoted exclusively to a singlecustomer and a shared infrastructure service in which pooled resources are provided to multiplecustomers on an anonymous, on-demand basis and at a lower price point. It is also considering acloud exclusively for the use of customers in the capital markets, yet shared among them.

� Some public clouds have parts dedicated to a single user: In August 2009, for example, AmazonWeb Services (AWS), the cloud computing subsidiary of Amazon, added a virtual private cloudoffering to its portfolio. We expect hybrid public-cloud-based virtual private clouds to become one ofthe major trends in cloud computing in the next two years.

Hybrid products for hybrid clouds

An increasing number of products are taking advantage of the rise of the hybrid cloud for the followingreasons:

� To straddle both public and private clouds: an increasing number of applications (e.g. DynamicsCRM 4.0) are using the same code base for on-premise and SaaS implementations.

� To deliver extra functionality using public cloud resources such as storage (e.g. office productivityapplications are starting to enable users to save and open documents in public clouds) andcomputing resources (e.g. anti-virus software moving most of its protection activity into a publiccloud while the content remains with the user).

� For more flexible asset usage: a good example of this is Atlassian’s Elastic Bamboo continuousintegration server. Elastic Bamboo supports frequent integration of code under development with themain body of the release. New code can be automatically compiled and tested as it is developed,accelerating the feedback loop and minimizing the “chasing your tail” effect that arises when teamsof developers periodically apply new code to a constantly changing code base. Continuousintegration, however, can create large and unpredictable server workloads as multiple cycles ofintegration and testing are carried out, particularly in the lead up to a major release. Scaling thehardware to accommodate peak loads is not necessarily justifiable in terms of costs. Elastic Bambooenables developers to use a mix of on-premise or remote (cloud-based) agents for integration andtesting, minimizing the need to bolster local resources to accommodate peak testing loads. Thesystem provides seamless access to the processing resources of Amazon’s EC2 cloud services.

Complexity lies ahead

No cloud is particularly easy to implement

Public and private cloud supporters have one thing in common: they all claim how easy it is toimplement their favorite type of cloud, while pointing out the difficulties in implementing the other type.They are both right and wrong: cloud computing is not that easy to implement. It needs planning andpreparation. Besides the current confusion as to what exactly cloud computing is, many enterprises lackthe knowledge, skills and metrics (among other things) to figure out what is best for them, hence theincreasing number of vendors offering their services to help them do just that.

Cloud computing simplifies but creates new challenges

The cloud may simplify the delivery and provisioning of IT resources but it also has the potential tocreate a host of new management challenges, especially if a customer wants to access hybrid cloudservices (combining services delivered from both private and public clouds). This hybrid approachrequires the integration of provisioning, billing, and management capabilities, among others. Howservices providers deliver service-level management (SLM) and cloud orchestration, either through thedevelopment or acquisition of proprietary tools or through partnerships, is poised to emerge as a highlycompetitive area in the cloud services market.


The hybrid public/private cloud infrastructure is going to get complex

As hybrid public/private cloud infrastructures emerge, the link between private and public clouds will atfirst be one-to-one. Then, as private and public clouds mature and enterprises develop theirunderstanding of clouds and abilities to make the best of them, they will use and manage a growingportfolio of federated public and private cloud services. Workloads will fluctuate between the private andpublic clouds based on seasonal traffic patterns or user behavioral changes.

2.6 Recommendations

Recommendations for enterprises

Be specific

Cloud computing means different things to different people. When talking about it, be specific. Are youtalking about IaaS, PaaS, SaaS, public clouds, private clouds, or a mix?

Be pragmatic

It is difficult not to get drawn into the endless debate about what cloud computing is and is not, yet youneed to avoid it. Most of it is not only pointless, but tends to push participants to extremes, irrespectiveof the fact that the reality of cloud computing is somewhere in the middle.

Know yourself

In order to figure out which IT assets to keep and manage within a private cloud, which to trust to atraditional IT service provider, and which to source from the various public cloud solutions on offer, youneed to understand what you have and where you want to go.

Focus on the end, not the means

Cloud computing is a means to an end, not the end itself. Focus on the business outcome you have inmind first, then how a particular approach to cloud computing may or should deliver it.

Consider whether you are ready for cloud computing, not just whether cloud

computing is ready for you

Adoption is a two-way street. It is not just about whether cloud computing is ready for you: it is, moreimportantly, about whether or not you are ready for it. The fact is that many enterprises are currently notready for private or public clouds or any type of hybrid in between. Many enterprises lack theknowledge, skills, and metrics among other things to figure out what is best for them, hence theincreasing number of vendors offering their services to help them do just that. Train specialists andadapt systems, processes, and metrics to remain in control while benefiting from the instantprovisioning capability of public clouds.

Head up, take stock, and create your own recipes

Get briefed on the latest developments in cloud computing and the implications for your vertical sector.Find out if and where cloud services are already being used in your organization and others, anddiscuss the strategy and policy implications with customers and stakeholders. Mix and match public andprivate cloud elements with traditional hosting and outsourcing services to create solutions that fit yourshort-term and long-term requirements.

Take your time, but start now

The hype surrounding cloud computing makes a lot of enterprises think that if they do not act now theywill be left behind. This is partly true for vendors, but enterprise users should take their time. Cloudcomputing is here to stay. It will become part of an enterprise’s IT arsenal, and organizations need toget acquainted with it now but adopt it at their own pace.


Look at cloud computing with a fresh eye

Look to what the cloud can offer and where it might best be applied, rather than being so preoccupiedwith its shortcomings that you fail to recognize its value. Avoid the temptation to impose the full baggageof legacy IT expectations, requirements, and regulations on cloud services. Many of the benefits ofcloud computing stem from the fact that it is a commoditized, standardized, take-it-or-leave-it serviceenvironment. Successful early adoption of cloud services will require an acceptance of its limitations,astute selection of appropriate opportunities, and a preparedness to solve the new problems that willemerge. The trick is to apply it to areas where in-house IT is failing your enterprise, rather than seekingto apply it to areas where in-house IT is already adequate.

Cloud computing will make IT more complex

As enterprises weave cloud computing into their IT mix, they will face increasing interoperability andmanagement problems. It will take a lot of effort to make this work. Instead of becoming nimbler andreducing the costs for maintaining the status quo, ill-prepared IT organizations will end up with their ITmess spread across a wider area as they venture into the cloud.

Recommendations for vendors

Acknowledge the diversity of the cloud phenomenon

Besides proclaiming the superiority of the cloud offering you deliver (IaaS, PaaS, SaaS or private cloud,or all of the above), acknowledge the diversity of the cloud phenomenon. Point out that the cloud willbe hybrid both in itself (with a mix of IaaS, PaaS, SaaS and private clouds) and in relation to moretraditional offerings (e.g. a mix of IaaS and hosting).

Weave cloud computing into your strategy

Ignoring this new IT delivery model is not an option. Cloud computing will certainly not be the only modeof IT provision but it will be an important element of the IT market. We do not suggest that every vendorought to offer cloud services, but every vendor ought to have a strategy of how to accommodate cloudcomputing and its ramifications.

Focus on why customers should rather than can

Vendors need to shift from helping enterprises move to the cloud to figuring out whether, and to whatextent, they should do so. The trick is to look for opportunities to apply the new logic and capabilities ofcloud computing in areas where the current in-house or outsourced IT operations (ITO) are inadequate,broken, or too expensive. Public cloud service providers as well as those targeting private clouds shouldmake more effort to frame the debate from a business perspective.

More explicitly define how to get from current data centers to private clouds

Depending on whom you talk to, the private cloud is either the aim of the data center evolution (the“next-generation data center”) or the part(s) of the data center that is ahead of the rest (with specificworkloads running on the part or parts reengineered to act as a cloud). What is needed is a way toreconcile the two approaches (private-cloud-as-a-journey and -as-a-shortcut) to understand when – onthe road towards next-generation data centers – users should take shortcuts. Unfortunately, mostvendors currently emphasize the second approach rather than trying to reconcile the two.



WWW.OVUM.COM

CHAPTER 3:

Cloud computing costs inperspective


OVUM

3.1 Summary

Catalyst

Most cloud strategies have an initial focus on cost reduction or improved cost efficiencies, for

two main reasons: the global recession, and the failure of many on-premise IT investments to

deliver the cost savings they were supposed to. This is easier said than done, as cloud

computing may lead to some cost reductions but introduce complexities of its own for users.

This reports looks at costs, pricing, and licensing issues related to the various types of public

cloud offering. It contrasts these offerings, including comparison with private clouds.

Ovum view

Cloud computing’s focus on cost is part of a wider cost scrutiny effort

Software vendors have always offered their wares on the promise of cutting costs or boostingproductivity. The lure of cost savings usually turns out to be a triumph of hope over experience,however. Cost savings are now a more explicit and definite objective. Many organizations arestrengthening benefit realization processes that increase executive accountability for cost-savingtargets. This is flowing through to an increasing interest in cloud computing from early technologyadopters.

Public clouds can lower costs, but need to be scrutinized

Public clouds lower upfront and operational costs by shifting investment in and management of ITassets to public cloud providers. However, they are not necessarily less expensive than internal datacenters (especially well-managed “private clouds”) and traditional service offerings. It depends on avariety of criteria, including the pricing structure of public clouds (a structure that is quickly becomingcomplex) and whether the design of the applications that run on it make the best use of this structure.

Practicality is more important than lower costs

Public clouds may not be cheaper (and, in many cases, they are not), but they are certainly easier toprocure than on-premise hardware and software assets. Their flexibility is more appealing to someenterprise customers than their claimed cost-lowering properties. Enterprises are often happy to pay apremium for the convenience that public clouds offer.

IaaS, PaaS, and SaaS are converging from a pricing and licensing perspective

The subscription model used by software-as-a-service (SaaS) – as well as open-source vendors –disrupted the status quo of the incumbent software vendors. The transparent and flexible usage-based/metered approach of infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) is evenmore disruptive. The IT industry is moving towards hybrid pricing and licensing approaches to publicclouds to cater for as wide a range of needs as possible. Consequently, while SaaS will move towardsthe pay-as-you-go (PAYG) approach, IaaS and PaaS will move in the other direction – towardssubscription and less flexible, but cheaper and predictable, schemes.

Private clouds are emerging to make the internal data center more cost-effective

The notion of private clouds has become popular with the objective of boosting data center economics(an endeavor that was hastened by the emergence of public clouds but predates this emergence). Formany large enterprises it makes more sense to boost the cost-effectiveness of currently owned datacenters (via virtualization, automation, service-oriented architecture, etc.) than to seek to drive costsdown by turning to public clouds.

CHAPTER 3: CLOUD COMPUTING COSTS IN PERSPECTIVE 3355

Hybrid clouds are the way to go but will be complex

In order to assess, on a project basis, whether to turn to public or private clouds, or both (or to opt formore traditional on-premise software or outsourcing options, or both), enterprise customers need tohave the infrastructure in place to understand and manage private as well as public cloud costs. Theproblem is that this infrastructure is still in the making.

Key messages

�� Enterprises need to scrutinize and adapt to public cloud cost characteristics.

�� Public cloud pricing structures are evolving, but not always as expected or forthe better.

�� Private clouds put public cloud costs in context.

3.2 Enterprises need to scrutinize and adapt to

public clouds’ cost characteristics

Public clouds have attractive cost characteristics

Lower costs via economies of scale

The cost advantage of public cloud services is based on the economies of scale achieved in large (oftenbrand new and state-of-the-art) data centers that underpin the public clouds’ services. Theseeconomies stem from a variety of sources, such as:

� Volume discounts for resources including facilities, power, bandwidth, hardware, and software.

� Automation, consolidation, and standardization efforts (for example, provisioning, maintenance, andbackup) that minimize costs by enabling a smaller group of people to take care of a larger pool of ITassets.

� Centralization of resources, which enables, for example, easier and faster upgrades (along withsoftware design choices such as multi-tenancy).

� The use of commodity hardware and software assets: software is often tweaked or custom-built tomake the most of its underlying commodity hardware. Most of this is open source, with the publiccloud service vendor taking charge of freely available source code and optimizing it for its own ends,rather than turning to commercially available versions of open-source products.

� Uncorrelated demand aggregation: as they pool demand from multiple customers, cloud serviceproviders reduce usage variation and maximize use. For example, they can help the retail sectordeal with the peak of Christmas shopping and the public sector with tax return season, without usersin these sectors having to invest in IT assets that would be underused at other times of the year.

Lower upfront and operational costs

Public clouds:

� do away with (hardware and software) upfront costs via a subscription and PAYG pricing andlicensing model, with the public cloud provider investing in the infrastructure required to deliver thecloud services

� reduce ongoing operational costs (development, deployment, integration, maintenance, support,upgrade, consolidation, training, administration), as the public cloud provider takes responsibility forthe lifecycle of the hardware and software components required to deliver cloud services.


Ongoing costs are much higher than upfront costs, which significantly drives down the total cost ofownership of IT assets delivered via public clouds. Lower upfront and ongoing costs make it easier tocorrelate the benefits of using the software with the cash flow required to invest in that software. Theyalso result in faster time-to-benefit for each of the projects that public cloud services underpin.

Affordable IT for all

Public clouds provide small and medium-sized enterprises (SMEs) with technologies that theypreviously could not afford to use. In the IaaS space, for example, these include analytical frameworksbased on massively parallel processing technologies such as Amazon’s Elastic MapReduce service.This redistribution of IT capabilities will radically impact supply chains.

Public clouds turn capex into opex

Public clouds widen the case for opex

The subscription and PAYG approaches of IaaS, PaaS, and SaaS turn IT asset costs from upfront capitalexpenditures (capex) into ongoing operating expenditures (opex). The move from capex to opex is notlimited to cloud computing: for example, open source vendors are also keen supporters of the subscriptionmodel. We expect that at least one-third of IT assets will become opex within the next year, partly fueledby the current difficult, albeit improving, global economic situation: when times are tough, cash is king.

A shift should be handled carefully

Be careful of the opinion peddled by some public cloud providers that capex is “passé” and opex “the newblack” – a panacea for IT budgets. Neither accounting strategy is inherently superior. A choice should bemade by the chief financial officer (CFO) strictly based on financial considerations, such as estimatedreturn on investment and opportunity costs. CFOs need to bear in mind a variety of criteria, including:

� The overall position of the company: it makes sense for a cash-strapped start-up to favor opex, butthis is less the case for cash-rich companies such as (some) software vendors.

� The specific vertical sector in which it operates: for example, in the public sector it is much easier toget finance for capex than for opex.

� Tax-related tactics: on-premise hardware and software capex can be turned into depreciation write-offs for tax purposes. However, opex cannot be depreciated.

The capex-to-opex transition may also be culturally difficult for organizations if they are unwilling tomove from a familiar, controllable capex model to an opex one, in which expenditures are partly paidfor by a variety of difficult-to-control means such as credit cards.

Public clouds’ cost-attractiveness is not that straightforward

It depends on the type of public cloud offering

The way public clouds drive down development, deployment, and operational costs depends on thetype of public cloud service being used. The higher in the IaaS-PaaS-SaaS stack it is, the greater thenumber of cost-saving opportunities.

� IaaS only provides basic infrastructure services. Companies need to pay for the rest, and for thedevelopment and maintenance of their applications.

� PaaS makes it easier to develop applications, but enterprises still need to invest in the resources tocreate and maintain them.

� SaaS delivers ready-to-use application functionality, but still requires configuration andcustomization and, like IaaS and PaaS, integration efforts.

It depends on the market dynamics behind the public cloud offering

The price level and attractiveness of public cloud offerings stem not just from the nature of theseofferings, but also from the market dynamics behind them.


� In the IaaS space, public cloud providers compete with hosting providers that are used to thinmargins. As a result, while public cloud offerings start cheaply, they only prove cheaper for specifictypes of usage – for example, handling of peak workloads and ad hoc processing of data such asvideo encoding. In most cases the hosting offering, although not as flexible, proves a cheaperalternative in the long run.

� In the SaaS space, public cloud providers compete with on-premise application software vendorsthat are used to high margins. It is, therefore, easier to pitch their wares below the cost level of theircompetitors.

Public cloud service costs quickly add up

The cost competitiveness of public cloud services depends not only on the type of service and theindustry dynamics that underpin their market segment; it also depends on whether the targeted site isbrownfield or greenfield.

In brownfield sites, where public cloud services try to elbow out an already established on-premiseoffering, public cloud service providers compete with annual maintenance fees that are significantlylower than upfront license costs. This makes it more difficult to displace incumbents (a problem alsofaced by open-source software).

Competition for greenfield sites is much more open. In this space, public cloud services:

� reduce start-up costs but not long-term costs

� incur not just usage but also migration costs (such as recoding, re-architecturing, integration, newprocesses, and training), as well as the costs required to reach satisfactory quality-of-service (QoS)levels.

It is relatively easy to calculate long-term costs. Deciphering migration costs is more difficult, as itrequires knowledge of internal resources, interdependencies, and complexities that many do not have.QoS levels will not necessarily be available, even when customers are prepared to pay for them.

Because of long-term costs and, more importantly, migration costs, many enterprises remain wary ofpublic cloud services. This skepticism is supported by past experiences: they have been repeatedlydisappointed following return on investment and total cost of ownership claims from on-premisesoftware vendors. Overall, however, and especially in the SaaS market (the most established and cost-competitive of the three public cloud segments), far fewer companies report exceeding their budgets asmuch as they did with on-premise software, if only because the lower upfront fees make it easier to cutinvestments when things do not go according to plan.

The transition to public clouds needs to be managed from a cost

perspective

Procurement specialists need to adapt and update their skills

Deciding whether public cloud services are worth it depends on a variety of issues, such as the type ofpublic cloud (IaaS, PaaS, or SaaS) and type of project (mission-critical or not). It also requires a holisticapproach to cost calculations – for example, taking into account data transfer costs that quickly makeprojects such as online data warehouses costly on an IaaS PAYG scheme.

Procurement specialists need to adapt to these new requirements. Overall, they are more used to fixed,front-loaded cost structures than subscriptions and PAYG schemes. For example, without a good graspof spending, the latter can easily turn from an attractive pricing model into an expensive mess. Theproblem is exacerbated by the fact that many people, from both vendors and user organizations, focusnot only on the ease of provision of cloud computing services but also on the ability of cloud serviceprovision to bypass traditional IT structures. This encourages the creation of a shadow IT infrastructure.

Procurement specialists also need to learn the tricks of the public cloud trade. For example, IaaSstorage services are sold according to the number of gigabytes used. Vendors use a variety oftechnologies (compression, de-duplication) to reduce customer footprint, but base their prices onunreduced footprints rather than the space data use.


Enterprises need to set up procurement systems, processes, and metrics that support not justprocurement experts but also the average user. Anybody can procure cloud services easily, but thisdemocratization of procurement comes with its share of dangers. Even those companies with tightcontrols on business card purchasing have had nasty surprises on receipt of their monthly bills. Thesecome as a result of employees using the business credit card to buy public cloud services but failing tounderstand what they are getting into, or to use and manage the services they bought. For example, itis common for developers to provision themselves with an Amazon virtual machine, use it for awhile,and then forget about it. More importantly, they also forget that while they are not using it, Amazonhappily keeps charging for it.

Technology use needs to adapt to public cloud specificity

The way companies use technology also needs to adapt to the specific cost requirements of publicclouds. For example, virtualization may be used for both public and private clouds, but its management,from a cost perspective, should be different in the two environments. In a public cloud environment, thefocus is on cost control: virtual machines need to be taken down as soon as they are no longer neededto avoid paying unnecessarily for them. In a private cloud environment, the focus is on availability,whereby virtual machines can sit idle, waiting for the next workload to be allocated. Many companieshave yet to set up their virtualization scheduling policies (underpinned by a properly set up governanceprocess) to reflect these different requirements.

Architects and developers need to understand the cost implications of their actions

Architects and developers need to understand the impact of IaaS and PaaS pricing structures on thesoftware design choices they make. For example, a pricing structure that combines cheap computeresources with not-so-cheap storage resources should be met with applications that are processing-intensive but not overly demanding from a storage point of view (or at least compress data). It shouldnot be the other way around, either, as this would go a long way towards neutralizing the cost savingsthat public clouds are supposed to deliver.

Unfortunately, most enterprises are unaware of this issue. Even if they were, most would be unable toaddress it, as it would require the re-engineering of their application lifecycle management (ALM)processes (if they have any). Similarly, developers can easily spend too much time fine-tuning theirAmazon IaaS virtual machines instead of being more productive elsewhere.

Difficulties will fuel a backlash

Disillusionment is the usual result of hype. However, while hype is mostly fueled by vendors,disillusionment has as much to do with user inadequacies as it does with the misalignment andmiscommunication of expectations and vendors’ inability to deliver on their promises. Expectunchecked proliferation and inadequate management of public cloud computing services to fuelbacklash against public clouds’ claimed cost-effectiveness in 2010.

Practical considerations trump economics when it comes to public

clouds

Cost savings are not the most attractive characteristics of public clouds

In difficult times cash is king, even though opex may cost more in the long run than capex. Indeed,companies are not turning to public cloud services because these are necessarily cheaper thanalternatives or the solutions they currently use. Instead, many are choosing this option because publiccloud services enable them to do what they would not have been in a position to do otherwise, and todo it faster and with fewer risks (because of the low upfront costs).

Speed and ease of procurement are more attractive than lower costs

Public cloud services are provisioned faster and more easily than their on-premise alternatives. PaaShelps to drive development times down. SaaS does the same for application implementation. Thesecharacteristics mean faster time to benefit or to market, or both, which helps customers outflankcompetitors.


Lower risks and flexibility are more attractive than lower costs

Public clouds reduce not only the cost and pain, but also the risk, of using IT assets. This is more thecase for IaaS and PaaS, with their PAYG approach to pricing and licensing, than for SaaS, which favorsthe less flexible subscription approach.

IaaS and PaaS vendors have a usage-based/metered approach with no long-term commitment orcontract and the ability to scale usage up or down on demand. They do not penalize users if their levelof usage changes, which allows users to do away with capacity planning. (However, this will requireinternal controls to ensure that users do not go overboard.) It makes it easier not just to use IaaS andPaaS (as well as some SaaS) services, but to:

� Meet unpredictable demand: the ability to do this cost-effectively and with an acceptable QoS is,according to some, the key value that public clouds bring to the IT table.

� Innovate: supporting innovation is not only one of the two main challenges facing IT today (besidescutting costs), but also the most important. Therefore, many enterprises consider this flexibility to bemore important than the cost savings enabled by public clouds.

Focus is more attractive than long-term costs

PAYG and subscription approaches may be more expensive in the long term but, in the meantime,enterprises can use the upfront and operational savings to focus on projects that can make a differenceat the business or IT level, or both. At the IT level, they avoid being distracted by the operationalactivities and non-differentiating tasks that have been taken over (often more efficiently) by public cloudservice providers.

Along with focus, the objective of a move to public clouds may also be part of an effort to de-clutterexisting architectures – an effort that also includes private clouds and outsourcing options – in areaswhere companies do not have the knowledge, resources, or inclination to improve, redefine, ortransform their existing IT assets.

New technology and efficiency are more attractive than lower costs

In October 2009, the Los Angeles City Council awarded Google a $7.25 million, five-year contract toput the council’s 30,000 employees on a SaaS email offering. It would have cost the council significantlyless to stay on Novell’s on-premise GroupWise system. However, the council wanted to switch to a newtechnology and the efficiencies that come with it in areas such as procurement, flexibility, and cost.

3.3 Public cloud costings evolve, but not always

as expected or for the better

Evolution will not result in complete commoditization

Commoditization is the name of the game, within limits

Many believe that, driven by their underlying economies of scale, public cloud services are engaged ina race to the bottom that will depress prices and profitability across the IT industry. They are partly right,but will eventually be disappointed if they expect the impact of the trend towards commoditization to bebroad and deep. (Commoditization has always been there – cloud computing is only one of its newestfaces.) Instead, it will be neither, for a variety of reasons including the different cost profiles of thevarious public cloud segments and a lack of interoperability between public cloud services.

On the other hand, some expect that as the public cloud market consolidates around a smaller numberof players and remains riddled with interoperability issues, prices will eventually increase. However, wedo not think so. There will not be any large-scale consolidation in the short to medium term, andinteroperability is likely to improve, as it is key to the ecosystems underpinned by cloud services.


IaaS will remain the most commoditized

The IaaS market is about three years old. It will remain a low-margin business based on commodityhardware and software. On the other hand, many vendors will raise prices along with QoS in areas suchas security, scalability, reliability, and availability. There will be a wide continuum of offerings rangingfrom those created under a “pile them high and sell them cheap” approach to those that propose a more“enterprise-level” experience. At the end of the day, customers will simply get the QoS they pay for.

PaaS is less likely to be commoditized than IaaS

The PaaS market is as young as the IaaS one. In this market, vendors will boost prices based not juston QoS, but also on the breadth, depth, and ease of use of their development and runtime services. Asa result, the PaaS market will not experience the same level of commoditization-driven price war as theIaaS market. This is why it will, in the long run, become more attractive to software vendors, whileservices and telecoms companies familiar with thin profit margins will find it less difficult to cope withthe harsh realities of the IaaS market.

Amazon has had such an impact on the market that other IaaS vendors, and even PaaS vendors, aredefining their pricing in relation to Amazon’s. The “Amazon effect” is likely to shrink as the PaaS marketmatures and users become familiar with PaaS services. On the other hand, powerful newcomers suchas Microsoft with its Azure PaaS offering are so keen to gain market share that they will start byprioritizing growth over profitability, and thus keep pricing down.

SaaS competition, rather than commoditization, will keep prices down

The SaaS market is more than ten years old. Its success reflects enterprises’ desire to assert thecommodity status of some types of business application and their rejection of extensive functionality infavor of “good enough” features. At the same time, open-source software has had the same effect inthe infrastructure software market.

From a pricing point of view, SaaS is much more open than the IaaS and PaaS markets, as it featuresa wider range of niche segments, and SaaS vendors are increasingly moving their focus from low costto added value. As a result, quite a few enterprises have started to complain that SaaS products are notas cheap as vendors claim, especially in the long term.

A good example of a vendor sustaining price levels via added value is Salesforce.com. The companyhas not only kept adding functionality (such as better sales lead management), but has also introduceda PaaS infrastructure (for customization) and generic application capabilities (such as contentmanagement and collaboration.) These are backed by a carefully nurtured ecosystem of partners usingSalesforce.com’s PaaS or marketplace offerings, or both.

However, SaaS price rises are kept in check by:

� The increasing competition between SaaS vendors as well as the incumbent on-premise software-centric independent software vendors (ISVs) such as Microsoft entering the SaaS market.

� The fact that most SaaS vendors, like IaaS and PaaS vendors, prioritize market share growth overprofitability – which is low (in the lower single digits) compared to on-premise software vendors. Thislack of profitability has led to some vendors, such as Lawson, looking to dismiss SaaS as a fad.Other, more serious incumbent software vendors, such as SAP and Microsoft, are moving to SaaSwith the stated objective of making their SaaS offerings as profitable as their on-premise offerings.Some (such as Microsoft) are happy to forego profitability to gain market share initially. Others (suchas SAP) are more cautious and would prefer profitability parity between their on- and offline offeringsfrom the start. That may prove difficult under the twin competition of those less cautious and a newgeneration of SaaS vendors even more aggressive on pricing than the first. (This is based on thecost savings delivered by the IaaS and PaaS infrastructures that they rely on, among other things).

The new SaaS generation, even less addicted to high margins than the first, will force first-generationSaaS vendors to compare their pricing not only to on-premise offerings, but also to SaaS offerings. Thiswill make it difficult, but not impossible, for software incumbents moving to SaaS and first-generationSaaS vendors to remain disciplined in their pricing. The lack of market influence of this secondgeneration will limit its impact, however, at least for the time being.


Overall, vendors will need to carefully balance the drive for market share with the desire for profitability.Thus, such efforts are unlikely to result in price wars in the SaaS market that are as deep as those inthe IaaS and PaaS markets. Many vendors will increasingly benefit from the cost savings delivered byIaaS and PaaS infrastructures but, in order to boost profitability, will not pass all of these savings alongto customers.

From upfront license to subscription to PAYG, and back

SaaS is part of the software market’s move to subscription licensing

In the past ten years, the software market has shifted from large upfront license payments followed byannual maintenance fees to a more flexible subscription licensing. On-premise software vendors have(tentatively) started to do this for a variety of reasons, including exiting the cyclical, erratic revenuepattern generated by perpetual license models, as well as making themselves able to compete withopen-source software and SaaS.

IaaS and PaaS move one step further to PAYG

IaaS and PaaS are moving the software market one step further: from subscription to PAYG. Theirusage-based approach to pricing does away with long-term commitments and provides the ability toscale usage down or up on demand. It does not penalize users if their level of usage changes, so theuser does not need to worry about capacity planning. Some see PAYG as one of the corecharacteristics of public clouds (and, partly on that basis, declare SaaS out of public cloud bounds sinceSaaS vendors have so far stuck with subscription licensing and avoided PAYG schemes).

This approach is different from what some on-premise software vendors mean by the term “PAYG”,which involves enabling companies, after they have bought and installed a software product, to unlockadditional functionality for an extra fee.

SaaS will take one step towards PAYG

Part of the SaaS market is already using a PAYG approach: the vendors that use Amazon’s IaaSplatform (such as IBM and Oracle) to deliver their software as AMIs (Amazon Machine Instances),complete with new pricing schemes to adapt to the PAYG approach of Amazon. In the next five years,SaaS will evolve further towards PAYG pricing as second-generation SaaS vendors use PAYG flexibilityto improve their appeal at the lower end of the market. First-generation incumbents will stick to thesubscription model, if only because they do not have the metering and billing capability in place tosupport a shift to a PAYG approach. The move will be gradual. Instead of expanding from annualsubscription contracts to PAYG, many companies could add new flexibility via, for example, quarterlyuse reviews.

Venture capitalists (VCs) will be key to this evolution. Currently, VC executives are not so keen onPAYG, as it is riskier for the vendor than a subscription approach (which itself is riskier than an upfrontlicensing approach). VC executives’ attitudes will change, however, as:

� PAYG-based business models start to make serious money (after all, Amazon’s IAAS offering grewfrom nothing to more than $300 million in three years, most in beta form).

� Start-ups shift the upfront investment risk to IaaS and PaaS providers by building their SaaSofferings on top of IaaS and PaaS offerings.

IaaS and PaaS will take one step backward to subscriptions

While SaaS will move towards the PAYG approach, IaaS and PaaS will move in the other direction.Some enterprises, especially large ones, prefer the more predictable subscription-based approach topricing, which they tie to volume discounts. Microsoft’s Azure PaaS platform, for example, is availableunder PAYG, subscription and volume licensing contracts.


SaaS will shift from price to licensing flexibility

In March 2010, RightNow announced a new standard subscription agreement that enables customers to:

� Fix pricing for three years, with the ability to renew for three more years at a capped percentage (upto 15%) of the original price, provided the renewal is at the same capacity level.

� Reallocate their annual subscription fee (for example, fewer users and more sessions), decreasecapacity (which may increase the per-unit net price up to an agreed point), or terminate theirsubscription – once a year, with 90 days’ advance notice. Customer can add capacity at any time.

� Use “annual capacity pools” of usage (transactions or seats) over a 12-month period, with monthly“rollover” usage to accommodate seasonality and fluctuations without having to pay extra. This couldprove particularly attractive in verticals such as retail that have peak periods (Christmas, forexample).

We expect more first-generation SaaS vendors to follow in RightNow’s path: towards more flexiblelicensing terms that develop risk-sharing with customers. We also expect a second generation of SaaSvendors to be even more aggressive than the first from a flexibility and risk-sharing point of view.

Free-to-use offerings will remain limited

Unlike the IaaS and PaaS markets, the part of the SaaS market targeted at consumers is free –subsidized by advertising. Some basic IaaS and PaaS offerings are free (For example, Google hasadopted a free-to-start approach to PaaS). However, these are few and far between. The same appliesto SaaS for the enterprise (although RightNow offers unlimited capacity for 90-day pilots for customersto try before they buy).

IaaS and PaaS will remain pay-to-play offerings, at least when it comes to running applications.However, some public cloud providers will boost their competitive advantage by offering a free-to-startapproach to (IaaS) virtual machines or (PaaS) application creation and fine-tuning, or both, so users donot start to pay until they are up and running. Should this approach expand, it would help public cloudadoption.

In parallel, the free consumer components of SaaS will increasingly seek revenues via additional paid-for services and better ways to deliver advertising. For example, they could move advertising from a“push” to a “pull” model, based on identity systems that allow customers to express their tastes andpreferences.

Towards greater price transparency – within limits

More detailed, easier-to-find pricing

Price transparency is part of the ease of procurement of a PAYG approach: in order to make resourcesavailable on demand, service vendors need to provide easy access to pricing information. As a result,IaaS and PaaS pricing and licensing schemes are much easier to find and provide more granularinformation than SaaS or on-premise software vendors.

� SaaS vendors: Salesforce.com is more the exception than the rule in this instance. Most SaaSvendors are not very open about their pricing, as customers are often put off not just by the lack ofupfront information, but also by the variety of “extras” to be paid for on top of a basic license (forintegration, for example). However, SaaS vendors are likely to open up – and simplify – as theymove towards a PAYG approach to pricing.

� On-premise software vendors: there is nothing to prevent on-premise software vendors fromdisclosing more information. (The rise of public cloud offerings may nudge them in this direction via,for example, the use of online calculators to help customers figure out the price of a particularconfiguration.) If a vendor chooses not to disclose information, it is more likely to be an attempt toboost its bargaining power in negotiations with customers than to be for competitive reasons.


All-in-one pricing

Public cloud pricing is more transparent than on-premise software pricing because it includes updatesand upgrades as well as technical support. In a perpetual upfront licensing scheme, updates andupgrades are excluded from the upfront price (although they may be included if it is a term license).Updates, upgrades, and technical support are priced either independently or bundled together as a“maintenance” fee and paid on an annual basis as a percentage of the upfront price (usually a nominalrather than discounted price).

Because of lower upfront license revenues and industry consolidation, in the past ten years vendorshave:

� increased upgrade and maintenance fees, as well as charges to transfer ownership in the case ofmergers and acquisitions

� started to limit customers to small updates rather than version upgrades and offer upgrades for ahigher fee; for example, the 2005 Microsoft Open Value three-year license payment programincluded new version rights as well as support and training for 27% of the upfront price

� limited the technical support included as part of the maintenance fee.

These are some of the reasons why enterprise customers have started to turn to public cloud services(among other tactics, such as negotiating maintenance fees down, turning to third-party maintenanceproviders, or doing away with maintenance altogether). Some public cloud vendors are keen to build onthis by adding more value to their bundles, such as free training (for example, SaaS vendor Intacct).

Less discount leeway

Although discounts are available, the discrepancy between actual and official price is much narrowerfor public cloud services than in the case of upfront software licenses, if only because the upfrontamount paid is much smaller due to subscription or PAYG schemes. In contrast, understanding thedetails of the discount policy that applies to upfront software licenses is difficult. The vendor is in a muchbetter bargaining position than the customer, in that it has an overall view of its customer base.Discounts depend on a variety of criteria such as the size, the negotiating skills and reputation of theprospect, the opportunity for further up- or cross-selling, and whether it is a greenfield site or a deal thatelbows out a key competitor.

These criteria also apply in the case of subscription deals, but are less relevant for PAYG schemes. Onecriterion that does not apply is the need for sales representatives to achieve end-of-quarter quotas,since both subscription and PAYG schemes do not result in the end-of-quarter peaks to which upfrontlicensing fee schemes lead. In addition, prices tend not to fluctuate as much from contract to contract.(Upfront license discounts are usually limited to the initial contract, so customers pay full price for anysubsequent or additional deal.)

Increasingly complex

Customers have always complained that upfront licensing schemes are overly complex, based on avariety of “units”, including:

� named, concurrent, and power users (or seats)

� server or central processing unit (CPU) – or, in the case of an appliance license, hardware boxes,boards, blades, and so on

� component or component stack/suite, site, and so on

� “all-you-can-eat” enterprise volume licenses.

These schemes are complicated further by technological developments such as the increasingdistribution, componentization, and virtualization of software applications, as well as the rise of multi-core and grid/cluster computing. Vendors say that this complexity reflects customers’ wide-rangingrequirements.


Public cloud services only partially do away with this complexity. Subscription approaches to pricing andlicensing are less complex than upfront perpetual licenses (which are mostly limited to units of users, seats,or sites). PAYG approaches started out simply, but are becoming increasingly complex.

PAYG pricing may be available for all to see, compare, and contrast, but users have to compare granularstructures (such as the price for a CPU per hour, data transfer, or storage space), which can differsignificantly. In the process, they need to decipher what lurks behind the various terminologies adopted. Inaddition, in the IaaS space (with the PaaS and then SaaS markets likely to follow), public cloud serviceproviders are expanding from PAYG pricing schemes in a variety of directions. Amazon Elastic ComputeCloud (EC2) is a good example. It started with a straightforward on-demand PAYG scheme and then, in2009, added:

� Reserved pricing (March), which enables customers to reserve compute resources for importantapplications for one- or three-year terms. This “tiered commitment” pricing scheme offers discounts of30–50%.

� Spot pricing (November), which allows customers to bid for unused on-demand or reserved computeresources and keep using them until Amazon needs them back or the customer is outbid. Customerspay the spot price rather than the maximum bid price that they specify. This scheme is relevant toworkloads that can deal with lower resources such as batch image conversion, video rendering, andfinancial analysis.

Other pricing schemes include:

� a configuration approach, where the customer starts with a basic configuration for an entry fee and thenpays extra to add various services

� an upfront or joining fee to build and configure the system, and then yearly, quarterly, or monthlyrecurring payments

� a schedule-based approach, whereby enterprises commit to a fixed number of units based on expectedrequirements

� buy-back, which enables public cloud providers to buy back some of the capacity of a virtual privatecloud if it is unused – this approach is similar to the smart-grid/metering work in the utilities space

� vendor load balancing, in which the public cloud provider adds capacity based on resources (forexample, if the CPU is more than 80% busy for five minutes, the vendor adds 30% more capacity) orvirtual machines (the vendor adds virtual machines to run any extra workload).

As a result, while pricing is transparent, cost-benchmarking exercises quickly become challenging (but notimpossible).

From pay-as-you-go to “pay-as-you-grow”

Whatever their approach, in order to compete with on-premise software vendors, it is not enough for publiccloud service providers to simply tout lower costs. They should also consider moving pricing away frominternal vendor criteria (namely internal costs plus margin) and towards pricing based on customer benefits,and away from IT-specific units and towards more business-related ones.

Combining a business model based on lower profit margins than those of on-premise vendors with a pricingstrategy that focuses on business issues could provide public cloud service vendors with a key advantageover on-premise vendors.

Some will focus on transaction-based models, such as pay per lead in CRM, per pay slip in payroll, or perinsurance claim processed. This approach has been in place for many years in global transaction platformsin the finance industry, as well as computer reservation systems and global distribution systems (CRS/GDS)in the travel industry. Users of these precursors to public cloud services only pay if they generate revenuesfrom the system – for example, if they carry out a financial transaction or receive a booking. Some SaaSvendors, such as Taleo, have already moved in that direction. Not all user companies will choose to godown this route, however, as it involves an amount of planning effort that not everyone is willing or able tocarry out, and generates a level of uncertainty that not everyone is prepared to face.


A smaller group will focus on success-based models – for example, payment based on achievingcertain productivity, employment, and/or revenue growth objectives. Most public cloud service providersshy away from this approach, as it is much more dependent on the ability of the user company than thatof the underlying software used by the firm. On the other hand, the ability to demonstrate anunderstanding of the needs of a specific customer or industry sector from a pricing and licensing pointof view could yield benefits and strengthen the customer relationship based on a partnership approachto pricing. It would also make it easier to build a business case in terms that business executives, asopposed to IT specialists, would understand.

Public cloud price diversification will be limited by IT systems

Vendors are still feeling their way

Public cloud providers are still wondering which pricing approach is best – not just to survive, but tosucceed. They will continue to try a variety of strategies that will limit the impact of cost transparencyby introducing new complexity. This diversification reflects a maturation process that is shared withother industries. Telephony services, for example, can be priced based on usage rates, pre-pay models,or a flat rate. Diversification enables customers to pick and choose the scheme that suits them best,both overall and on a project-by-project basis. Customers will take advantage of this diversity, althoughthey will also pressure vendors into standardizing part of their pricing schemes.

Focusing on operational efficiencies to bring costs down

In order to stave off competition, boost profitability, and remain flexible as well as inventive in theirpricing structures, public cloud vendors need to invest in IT systems that enable them to squeeze asmuch efficiency out of their hardware and software infrastructure as possible. To a lesser extent, theyare driving down marketing and sales costs via online marketplaces. This is currently their number-onestrategy. It is focused on driving costs down and, to a lesser extent, profitability up. This focus onoperating costs is important, but not enough for success.

Better pricing management systems

Pricing management is more important than cost management. According to a 2003 McKinsey reporttitled “The power of pricing”, the impact of a 1% price increase on operating profits is 50% greater thanthat of a 1% decrease in variable costs, and more than 300% greater than that of a 1% increase insales. Public cloud vendors need to start focusing on this area much more. As competition intensifies,they need to develop an objective, structured, consistent, and flexible approach to pricing based on theuse of pricing management and optimization systems (a mix of business application, businessintelligence, and middleware components).

Improved usage metering and billing systems

Public cloud vendors need to back up pricing flexibility with usage metering and billing systems that cancope with their requirements. As their market evolves and competition becomes more intense, theability to create new tariffs, packaging, or service bundles will become a key differentiator. Customersare already starting to move from one provider to another, partly because of more flexible billingfacilities. The problem is that, as exemplified by the telecoms and utilities markets, public cloudproviders will soon experience increasing pain as operational systems and processes struggle tosupport the business.

Help is at hand, however. Billing is a well-trodden, mature market, with old-timers such as SPLWorldGroup (now owned by Oracle) and Convergys (including through the acquisition of GenevaTechnologies). However, newcomers such as SaaS providers Zuora and Aria Systems are redefiningthe category, just as Salesforce.com reinvigorated and redefined the CRM market.

Many providers have created their own custom systems, however, which could prove to be a mistake.Public cloud requirements, both functional and non-functional, are complex and costly to build foranything other than the most naive of use cases. Those who begin to build software with only thesetrivial use cases in mind will soon find their sales and marketing colleagues developing more complexscenarios, and the development projects will be stretched to breaking point.


In the IaaS and PaaS markets, public cloud service vendors’ usage metering and billing systems need tobe able to cope with not only their own requirements, but also those of the third-party developers and SaaSvendors that use their platforms. IaaS and PaaS service providers are particularly keen to makedevelopers and SaaS vendors’ lives as easy as possible by offering them, among other things, the abilityto sell and bill applications via an online marketplace. These capabilities need to become more flexible.For example, Amazon cannot currently support multiple vendors per virtual instance because it would bedifficult to split revenues from each virtual instance between Amazon and a variety of vendors.

Third-party developers and SaaS vendors using the usage metering and billing systems of IaaS and PaaSservice providers are also facing a growing challenge. The more diversified the portfolio of public cloudservices they use, the more complicated it will be to integrate their own usage metering and billing systemswith the usage metering and billing systems of these public cloud services. Currently, few are alert to thischallenge. There will be tears along the way for those that do not start to design their systems to cope withheterogeneity soon.

3.4 Private clouds put public cloud costs in

context

Private cloud: a cost-centric notion

Boosting data center economics

Most public clouds put many internal data centers to shame when it comes to cost (and QoS). This isnot just because of economies of scale but also, and more importantly, because many data centers areunderused and badly managed. Vendors are marketing private clouds as the way to make data centerscost-effective. Many users have embraced the notion to do just that. IT departments are coming underincreasing pressure to compete with the prices and flexibility of public cloud offerings, as public cloudservices are increasingly used alongside private cloud services.

Putting public cloud cost-effectiveness in context

The cost-effectiveness of public clouds depends on a variety of elements, such as the type and size ofthe application and the skill of user. In many situations, they are not as attractive as public cloudproviders claim as an alternative to internal IT infrastructures – all the more so if data centers becomemore cost-effective.

Private clouds: the larger, the more cost-attractive

McKinsey is right: pull your data center together first

An April 2009 a McKinsey report entitled “Clearing the air on cloud computing” took a detailed look at thecost of Amazon’s IaaS offering and concluded that it was not cost-effective for large enterprises. It rightfullywarned CIOs not to be distracted by public cloud cost gains and to keep focusing on private cloud.

Overall, the larger the data center, the less attractive public clouds are cost-wise. It makes more senseto boost the cost-effectiveness of currently owned data centers (via virtualization, automation, orservice-oriented architecture) than to seek to drive costs down by turning to one or more public clouds.The potential improvement in cost-effectiveness in most data centers is such that by getting their datacenter acts together, enterprises could achieve cost gains that outweigh the gains via public clouds.

The problem is that before a company can resource the construction of a private cloud, it has to escapefrom the logic of: “90% of the budget goes on maintaining the legacy.”

Put your efforts in context

What applies to a large company in general does not necessarily apply to:

� Some of its specific projects: depending on the circumstances, public cloud offerings presentattractive alternatives to private clouds.


� Smaller companies: the McKinsey report acknowledged that IaaS may not be the best option forlarge enterprises, but it can be cost-effective for SMEs as well as start-ups. (However, it still dependson the types of application used as well as breadth and depth of IT assets and expertise.) Indeed,VCs have begun to require start-ups to use IaaS and PaaS public clouds in order to take advantageof their flexible pay-as-you-succeed-not-if-you-fail approach to pricing and licensing.

� The whole spectrum of the public cloud services: the McKinsey report focused on IaaS. The othercomponents of the public cloud stack (PaaS and SaaS) can be more cost-effective because theydeliver more services or require fewer resources and efforts. McKinsey itself acknowledges the cost-effectiveness of SaaS over on-premise solutions.

McKinsey did a thorough job. However, its approach has shortcomings.

� An all-or-nothing perspective: the cloud will not be either public or private, but a mix of the two.Companies are unlikely to give up on their existing data center investments because of publicclouds, and they should not shy away from public clouds because of these investments. The keyissue is to understand, for each company, how and the extent to which public and private cloudscomplement one another (and other options such as traditional hosting and outsourcing), rather thanpitting one against the other.

� A focus on hard costs rather than soft costs: Some data centers cannot keep up with internaldemand, meet requirements on time and on budget, deliver a satisfactory QoS, or retain key skilledworkers. These shortcomings have a cost. From that perspective, public clouds are more attractivethan it seems from a private cloud angle. In addition, the more dysfunctional the data center, themore likely both developers and end users are to turn to public cloud offerings (creating moredysfunction along the way).

Cost management is getting more complicated

On-premise software vendors fight public clouds with new financing and pricing

options

Comparing public cloud service options from a cost point of view is not as straightforward as manybelieve. Comparisons between public cloud options and more traditional IT consumption models areeven more complex – all the more since the vendors behind these models are endeavoring to providecustomers with the same flexibility as offered by public cloud. They do so via new financing, pricing, andlicensing options.

The financing options make it relatively easily, for example, to turn an upfront capex investment into opexvia a leasing financial structure. Examples of vendors that offer new pricing and licensing options include:

� Sword Ciboodle: this provider of customer interaction and contact center solutions has not only begunto look at the SaaS model (In South Africa, rather than its main markets), but also changed its pricingstructure to adapt to the success of SaaS solutions in its core market. It now provides customers withthe option to rent on-premise software or pay with a usage-, value-, or transaction-based model.

� SAP: towards the end of 2009, the company started to offer to those that spend more than about $2million annually the choice of paying for a subscription quarterly or monthly instead of upfront.

� Microsoft: the company will offer its forthcoming online version of Office 2010 suite on a PAYG basis(alongside more traditional licensing schemes).

� IBM: like many other ISVs offering their wares as Amazon virtual machine images, the company hasadapted to Amazon’s PAYG approach with its new Processor Value Unit pricing model.

Under pressure from IaaS and PaaS offerings, the hosting and IT service industry is also moving towardsPAYG-like approaches.


More needs to be accomplished, and vendors will find it hard to cope

While offering new financing options is attractive for software vendors because it has a limited impacton their businesses (if they can afford it), the transition from an upfront licensing model to a recurrentrevenue model is more difficult. Many software companies (unless these companies already draw a bigportion of their revenues from recurring maintenance fees) find it hard to cope with the short-termrevenue decrease that results from this transition. They have no choice, however, as public cloudproviders fight back with lower, more flexible options, such as Amazon’s reserved and spot pricingschemes.

This is not the first time for on-premise vendors to show flexibility, as exemplified by CA’s now-defunctFlexSelect scheme, which was launched in 2000 based on monthly payments and business metricsagreed by vendor and users. The rise of public as well as private clouds will make them more willing tocompromise. In the meantime, however, customers grow frustrated with the inability of many licensingschemes to allow for the transfer of IT assets from internal data centers and private clouds to publicclouds. (In the same way, many could not cope with moving IT assets from a physical to a virtualizedinfrastructure at first – a problem that has yet to be resolved and is replicated in the IaaS space, sincemost IaaS offerings use virtualization).

Hybrid clouds make the situation even more complicated

Enterprises increasingly mix public and private cloud components and traditional IT service offerings tocreate solutions that fit their specific short- and long-term requirements. They mix and match:

� Private and shared private clouds to collaborate with partners on common goals.

� Public and private clouds, applying public clouds to workloads that have unpredictable spikes in useor applications that are only occasionally used.

� Public clouds and traditional hosting and outsourcing service offerings; for example, hosted offeringsare usually cheaper for static websites than the Amazon IaaS service. On the other hand, for usessuch as application testing, in which a small number of servers are required for a few weeks, a fewhours per day, Amazon IaaS is the better solution.

� Public cloud offerings (IaaS, PaaS, and SaaS), based on their respective cost-effectiveness.

In order to mix and match a variety of IT components and services to ensure cost-effectiveness,enterprises need to improve their knowledge of how much a given asset costs, and how best toapproach this cost.

Enterprise users need better systems to manage both public and private clouds

In the same way that public cloud service providers need to improve their IT systems to boost pricing,metering, and billing management, enterprise users need to put in place the infrastructure that enablesthem to:

� understand and manage internal costs (as well as QoS), based on a mix of tools such as ITresources, assets, service planning and portfolio management solutions, chargeback tools, andmetering and billing systems

� deal with public cloud billing and metering systems: the more they mix and match different publicclouds, the more diverse will be the public cloud metering and billing systems with which they willhave to cope.

Better systems would enable users to track a variety of measures (such as the price of a gigabyte ofstorage), whether the service is a private or public cloud. It would enable CIOs to demonstrate the costof the services they provide and put public cloud costs in context in response to CEOs’ increasingdemands.


An asset lifecycle approach is key

Enterprises need to manage IT asset lifecycles to understand when and where they should make newinfrastructure and application investments, using the most appropriate financing options. As part of aproactive IT asset lifecycle management effort, they need to consider:

� Moving some of their IT assets from capex to opex, which means identifying which IT assets are thebest candidates for sale and leaseback or for transfer to public clouds.

� Planning for the end-of-life phase of all assets, taking into account economic and physical as wellas environmental issues. With IT assets often used beyond their true economic life, operating costs,including the cost of asset disposal, can easily outweigh acquisition costs. At this point, public cloudofferings can be considered as an alternative to on-premise.

� Using project financing to bring forward time-to-profit and improve benefit alignment (thus reducingthe attractiveness of public cloud services in this domain). They can offset finance costs against theextra discounting that vendors are willing to offer in tough economic conditions.

The objective of automated cloud auctions is far away

Many believe they will one day be able to send intelligent agents scurrying across internal and externalnetworks to find the best fit, cost-wise, for particular applications. These agents could be set up toorganize auctions whereby private, shared, and public clouds, as well as any hybrid – not to mentiontraditional hosting and outsourcing service providers – would contend for the job of either delivering theentire application (the SaaS way) or providing some (IaaS) or all (PaaS) of its infrastructure.

This is unlikely to happen anytime soon. For example, although Amazon introduced “Spot Instances” atthe end of 2009, these are based on a price that Amazon, not the market, specifies. They have little todo with real auctions, which would mean Amazon giving up control over its pricing to market forces –something we do not expect vendors to be willing to do.

In the meantime, a new generation of public cloud brokers is emerging. It is expanding from gateway(access) services to brokerage services – including volume licensing for customers.

3.5 Recommendations


Analyze your figures

In theory, public clouds are cheaper than internal offerings and other IT service solutions. However, inpractice, depending on the project, this is not always true. Do not assume anything, and analyze yourfigures carefully.

Opex is not a panacea

The PAYG and subscription approaches of the three types of public cloud (IaaS, PaaS, and SaaS) turnIT asset costs from upfront capex into ongoing opex. Many prefer opex as they wish to conserve cash,a basic requirement in a difficult economic situation. However, opex is not a panacea, and the capex-versus-opex investment decisions need to be made based on a variety of criteria that have little to dowith cloud computing. (For example, in the public sector capex is more easily obtainable than opex.)

Train specialists and adapt systems, processes, and metrics

Adapt your approach to procurement to remain in control while benefiting from the instant provisioningcapability of public clouds. Train architects and developers to understand the cost implication of theirpublic cloud actions. Establish cost management systems, metrics, and processes to understand bothinternal and external cloud computing costs.



Get ready: train specialists and adapt systems, processes, and metrics

As part of their efforts to cut costs and see off competition, cloud service providers should not only boostoperational efficiencies but also develop highly flexible pricing management and usage metering andbilling systems. The move to a subscription and/or PAYG licensing scheme requires a thoroughredefinition of pricing, packaging, and sales incentive plans as well as an upgrade of the systems thatunderpin them all.

Mix and match pricing and licensing approaches

Depending on company size and project type, companies prefer both PAYG flexibility and subscriptionpredictability. Public cloud service providers should mix these two approaches and consider movingbeyond them towards pricing based on business outcomes (such as pay per lead in CRM and per payslip in payroll). Combining a business model based on lower profit margins than those of on-premisevendors with a pricing strategy that focuses on business issues could provide public cloud servicevendors with a key advantage over on-premise suppliers. A good first step for traditional softwarevendors is to adapt licensing and pricing schemes to make it easy for customers to transfer on-premisesoftware assets to the cloud or substitute online software for on-premise software.

Compare your organization to its peers rather than on-premise alternatives

Public cloud service providers like to compare themselves to on-premise alternatives. However, theywill increasingly have to position themselves against one another. This plays into the need for greatertransparency in pricing models and offerings.

Use free-to-start offerings to boost adoption

Some public cloud providers will define part of their competitive advantage via free-to-start approachesto (IaaS) virtual machines or (PaaS) application creation and fine tuning, or both – so users only startto pay when they are up and running. Wider use of this approach would boost market adoption,especially at the low end of the enterprise market.



WWW.OVUM.COM

CHAPTER 4:

Cloud computing quality ofservice in perspective


OVUM

4.1 Summary

Catalyst

Public cloud service providers will rise and fall on their ability to execute and deliver

satisfactory quality of service (QoS) in areas such as reliability, availability, scalability, and

security (RASS). Many enterprise users are wary of public clouds’ QoS and RASS limitations but

curious about the possibility of adopting the technologies, designs, and best practices of public

clouds for their own data centers (rebadged as “private clouds”). The situation is evolving

rapidly with both public and private clouds, as vendors and users are struggling to keep up with

new developments.

Ovum view

Public clouds’ QoS is under close scrutiny

Public cloud providers claim superiority over on-premise IT infrastructures on two fronts: cost and QoS.On-premise IT supporters counter-attack at both levels, but the brunt of their offensive focuses on QoS– with a mix of valid criticisms and hyped assertions aimed at generating fear, uncertainty, and doubt(FUD). Public cloud providers should expect the criticism (and FUD) to continue at its current intensity.

Public cloud SLAs need to improve

The market is slow to trust that public cloud service providers will deliver on their RASS promises – allthe more since the service-level agreements (SLAs) that back these promises are skewed in favor ofthe providers. Market trust will build up, however, as SLAs, backed by certification schemes, improve.Those with QoS requirement levels for which public clouds cannot cater will keep to private clouds(including shared or virtual private clouds, or both).

Security is the number-one QoS issue

Security concerns are the most important obstacle to public cloud adoption, along with concerns relatedto regulatory compliance and data governance. However, public cloud risk can be managed like anyother risk. It requires vendors, users, auditors, and governments to cooperate – a process that hasstarted but will prove slow-moving.

Private clouds will find it hard to keep up with the public cloud Joneses

Enterprises’ QoS expectations are rising. The rise affects both private and public clouds. The moredemanding enterprises become with public cloud SLAs and QoS at all (RASS) levels, the more likelythe same enterprises will be to make the same demands of their IT departments. Considering the statusof many internal data centers, public cloud providers may find it easier to meet these demands than ITdepartments.

Private clouds will converge with public ones

In order to deliver satisfactory QoS and SLAs, public cloud providers have made technology and designchoices that enterprises may not be able or willing to make. Both sides are on a convergence path,however. On one hand, enterprises will take a step forward and, for example, rethink how best to designnew applications for scalability. On the other hand, public clouds will take two steps back. Many havechosen designs and technologies that have yet to become mainstream. These will evolve towardsapproaches that are more familiar to developers, or will mask the “exotic” elements of their approaches,especially when it comes to platform-as-a-service (PaaS) offerings.

CHAPTER 4: CLOUD COMPUTING QUALITY OF SERVICE IN PERSPECTIVE 5555

Key messages

�� SLAs are key to cloud adoption.

�� Security is the number-one cloud QoS concern.

�� Reliability and availability are under increasing scrutiny.

�� Scalability underpins cloud computing’s elasticity.

�� The road to reliable and scalable private clouds requires new thinking and skills.

4.2 SLAs are key to cloud adoption

Enterprises are adapting to public clouds’ QoS

QoS is a priority for both vendors and users

Enterprises moving to cloud services want to ensure QoS levels regardless of whether the service isdelivered from a private (internal) or public (external) cloud. In response, public cloud providers positiontheir offerings based on the quality (and relevance) of their service as much as on their price-competitiveness. They claim that public cloud services’ QoS is better than that of many, if not most,internal data centers (which is probably true), and use QoS as the cornerstone of their “enterprise-ready” image.

Users’ attitudes are evolving rapidly, within limits

Many enterprises are still unconvinced. For example, in early 2010, the first Risk/Reward Barometersurvey of the Information Systems Audit and Control Association (ISACA), based on responses from1,809 US IT professionals, found that 45% thought cloud computing (a phrase used as a synonym forpublic clouds) risks outweighed the benefits (such as lower cost and provision flexibility).

On the other hand, 38% of respondents believed that the risks and benefits of cloud computing wereappropriately balanced, and 17% agreed that the benefits achieved with cloud computing outweighedthe risks. These figures are impressive, considering the immaturity of the cloud computingphenomenon. Much fewer enterprises had such positive views on cloud computing only a year ago. TheUS is less conservative than the rest of the world when it comes to public cloud adoption, however. Itwill take time for overall attitudes to evolve.

Users put public cloud use in context

Horror stories hyped up by the IT press, the conservatism of IT departments, and knee-jerk reactionsfrom business executives make it difficult to have a balanced debate around public cloud QoS issues.Some enterprises are overly ready to trust public clouds, but others are paranoid. Many do not knowexactly what questions to ask. Nevertheless, an increasing number of companies are working out howto adapt their use of public cloud resources to the QoS level that public cloud service providers arewilling or able to provide.

A whole industry is being built to enable them to do so, with workshops, guidelines, and other ITservices offered by a variety of vendors. For those still unsure about the risks, insurance providers havestarted to develop cyber liability offerings specific to public clouds.

However, both providers and users will make many mistakes along the way, ensuring a steady flow ofhorror stories and knee-jerk reactions.


This context will increasingly be that of supply chains, not just individual suppliers

Enterprises are increasingly aware that SLAs between service providers are as important as thosebetween users and providers: a whole public cloud service ecosystem is being created as, for example,software-as-a-service (SaaS) vendors increasingly rely on infrastructure-as-a-service (IaaS) and PaaSofferings. The growing interdependency of service providers makes SLA guarantees and enforcementmore complicated, especially when many providers do not want to face up to this complication. Forexample, when Tibco released its Tibco Silver PaaS offering on top of Amazon EC2, it downplayed SLAissues, focusing on its own offering instead of taking a more holistic view that would have includedAmazon.

Users will have to improve the way they manage SLAs

SLAs underpin and define the provider/consumer relationship at the heart of the cloud computingnotion. These relationships need to be formalized at all levels: between business and IT, between ITteams, and between IT and public cloud service providers. (They also need business units,departments, or both, to agree on how to prioritize the dynamic allocation of private and public cloudresources.) As a result, they need to manage an increasing number of SLAs and discrepancies betweenthese SLAs: not just public cloud discrepancies (at both the supplier and supply chain level), but alsoprivate cloud ones. To do so, they need to set up new systems or bullets.

� Systems: to monitor and enforce SLAs across public as well as private clouds. For example, suchsystems would prevent data from being transferred to the wrong location.

� Processes: procurement processes need to be redesigned to cater for the specific requirements ofSLAs in the cloud. These processes need to target the specificity of the main types of public cloud(IaaS, PaaS, and SaaS). SaaS, for example, is sometimes procured by business users who lack theknowledge to ask the right SLA-related technical questions.

Public cloud providers need to manage the gap between QoS hype and

SLA reality

The gap fuels skepticism

Many enterprises are still skeptical about public cloud providers’ QoS promises because of the gapbetween these promises and the SLAs that these providers offer – if they offer any. The terms andconditions of these SLAs limit their scope and compensation.

� Scope: most SLAs only guarantee uptime, not performance, for example. Scheduled maintenanceis not considered downtime and, in some cases, neither are outages of less than a specified duration(e.g. ten minutes).

� Compensation: many limit refunds to credits against future charges. The credits are either pro-ratedas time lost against uptime promised, or limited to small percentages of monthly fees. In many casesredress, if any, is reactive rather than proactive: customers have to ask for it.

Many SLAs are open-ended contracts. Providers can withdraw their services at will or make changesto their offerings without end users having any say.

The gap will take time to narrow

Most of the criticism targeted at public clouds can also apply to other outsourced service offerings.Managed services, for example, have similar scope and compensation limits. Their one-to-manybusiness model, like that of public cloud providers, reduces SLAs to the lowest common denominator.However, even in the tailor-made one-to-one world of outsourcing, it took about 20 years for contractsto reach an acceptable balance between providers’ and users’ interests. It could take that much time forthe same balance to be achieved in the public cloud sector.


The ten-year-old SaaS market is the most mature of all three public cloud service markets, but its SLArecord is still mixed at best. The IaaS and PaaS markets have yet to catch up with SaaS. Major IaaSand PaaS players such as Amazon and Google have a low SLA starting point, owing to their:

� consumer-sector roots

� willingness to keep their offerings in beta form for a relatively long time

� “pile them high, sell them cheap” approach to the market.

The gap has already started to narrow

Amazon and Google, among others, have already started to improve their SLA terms under theinfluence of:

� An increasing focus on the enterprise market.

� New start-ups that want to challenge incumbent public cloud providers.

� Incumbent vendors of software, IT services, telecoms, etc. that seek to become public cloudproviders based on their record as “enterprise” vendors. Their focus on QoS enables them to avoidcompeting on price.

� Implementation partners such as systems integrators that have a track record when it comes tounderstanding the QoS requirements of enterprise customers.

� Industry bodies such as the newly created, UK-based Cloud Industry Forum, which has put togethera draft public cloud provider code of practice that promotes transparency and accountability. Havingbeen available for public consultation from 26 April–31 May 2010, the code of practice will bepublished in autumn 2010.

� Customer pressure: the larger the enterprise, the more expertise and influence it has to investigateand challenge SLAs. Overall, enterprises’ expectations and negotiating skills will rise with usage andresult in more user-centric terms and conditions. Some organizations are already getting results. Forexample, when the Los Angeles City Council decided at the end of October 2009 to award Googlea $7.25 million, five-year contract to put its 30,000 employees on a SaaS email offering, theorganization added to the contract a provision for compensation in case of a data security breach.

SLAs will improve as competition increases. Public cloud vendors will become increasingly:

� Transparent when dealing with QoS/RASS breaches: the best will move from reactive to proactive,and then predictive. Transparency will strengthen customer relationships rather than underminethem, as the more transparent the vendor, the easier it is for customers to take QoS breaches instride. Enterprises understand that problems are inevitable; what they want is for public cloudproviders to take responsibility for and learn from their mistakes.

� Clear and detailed in the way they define SLA metrics: metrics that will broaden to include more QoSareas, such as support and system response time, not just uptime.

� Competitive when it comes to compensation (within limits, as overly generous public cloud providerswill quickly find themselves out of business): refunds will remain unlikely, but credits will increase.

Currently their SLAs only target their data centers. End-to-end SLAs that cover both network and datacenters will take time to emerge.

Public cloud SLAs will standardize and diversify

SLAs will standardize

There is currently no accepted best practice for how to approach each of the main QoS elements (RASS)from an SLA point of view. We expect SLA terms and conditions to standardize across public clouds as themarket matures and consolidates, but it will take time. As part of the process, SLAs will increasingly:

� Rely on certification schemes such as that promoted by the Cloud Industry Forum. Certification will enablepublic cloud service providers to simplify their SLAs and back their SLA promises with accreditation.

� Converge with private clouds as well as traditional IT and telco services SLAs.


� Become more business-related. Vendors will express SLAs in business terms, not just IT-relatedterms, and define them from an end-user point of view, not just an IT standpoint.

SLAs will diversify

Public cloud service providers will not only standardize and simplify the way they define and expressSLAs, but also fine-tune them to the needs of various market segments. As they seek, along with theircustomers, to find the right balance between lower cost and higher QoS, they will adapt SLAs basedon a variety of criteria such as customer profile (at the low – consumer – end of the market, lower costswill continue to trump QoS) and usage (for example, whether an application is mission-critical). At theend of the day, customers will simply receive the QoS they paid for. There will always be a gap betweenthe way providers and users relate cost to SLA level, however. The development of a wider continuumof offerings, ranging from those created under a “pile them high and sell them cheap” approach with lowSLAs to more expensive “enterprise-level” QoS-backed services, will require service providers toimprove their SLA management and monitoring facilities.

SLAs are central to the notion of private and hybrid clouds

QoS concerns fuel the rise of private clouds

The past 18 months have seen a significant shift in focus away from public clouds and towards a newconcept – that of private clouds. It stems from a powerful mix of vendor push (to sell the latest hardwareand software and respond to users’ QoS concerns) and user pull (from business executives wary of publicclouds’ QoS credentials and IT executives keen to remain in control of IT and in possession of their jobs).

Private cloud SLAs will have to keep up with the public cloud Joneses

Business users are increasingly comparing internal QoS levels with the levels of service delivered bypublic cloud providers. As a result, the goal of private clouds is to turn internal data centers into moresecure, scalable, reliable, and available shared dynamic pools of hardware and software assets backedby stronger, more flexible and more explicit SLAs than those currently offered (if any). Turning a datacenter into a private cloud will take time and will reuse many of the RASS technologies and bestpractices of public clouds.

Enterprises mitigate public/private cloud risks with hybrid mix

An increasing number of companies are learning how to adapt their use of public and private cloudresources to the QoS level that both external service providers and internal IT are willing and able toprovide. In the process, they mix both private and public cloud elements to find the right balancebetween risks and benefits, leading to the rise of:

� shared private clouds, whereby several companies share the same cloud services, which are usuallyprovided by a third party

� virtual private clouds, whereby public cloud providers designate part of their public clouds for use bya single company.

4.3 Security is the number-one cloud QoS concern

Trust in public clouds is growing, but security concerns fuel interest

in private and hybrid clouds

Enterprises find it difficult to grapple with public cloud security issues

Of all QoS concerns, security is the biggest hurdle on the way to public cloud success, as illustrated by anumber of surveys. Public clouds are deposits of a wealth of software and data that can easily be turnedinto real money. They are open to cyber attacks, but at least as many efforts are made to defend as to lootthem. Caught in the middle, users are not sure whether they can trust public clouds yet – especially sincethe stakes are high, not just in terms of financial losses but also damage to brand and reputation.


Users need time to familiarize themselves with cloud-specific security challenges. Some security risksare similar to those encountered internally or with more traditional IT outsourcing services. Public cloudservices introduce more potential vulnerabilities as a result of sharing these services and the possibilityof subcontracting parts of them, among other things.

Despite the hysteria surrounding security issues, cautious trust is growing

Security is an issue around which a lot of FUD was traditionally created, fueled by a variety of high-profile incidents such as an attack on Google’s infrastructure by Chinese hackers in late 2009, whichled Google to withdraw from China. Despite the FUD (and the growing reality of cyber attacks), attitudeshave evolved significantly, although enterprises are still cautious. As with any other budding ITtechnology, they start with small projects and build on trust and track records. To speed up the process,various efforts are being made, such as the Cloud Security Alliance launched in March 2009, which hasproduced best-practice security guidelines. Public cloud providers also make their own securityguidelines available.

Security concerns fuel the rise of private and hybrid clouds

Vendors have been quick to respond to enterprises’ security concerns with private and hybrid cloudalternatives and complements to public clouds.

Private clouds enable enterprises to remain in control of their IT assets in order to maintain security.The enterprise has a clear view of the security regime in place, and can make an audit at any time.Indeed, certain types of security control, particularly at the network level, cannot be applied to publicclouds. On the other hand, the rise of private clouds creates new security challenges. For example,most traditional approaches to security assume that IT assets are physical rather than virtual. This is aproblem, considering that private clouds are based on the pooling of IT resources using virtualizationtechnology.

Hybrid clouds enable enterprises to mix private and public cloud elements to remain in control of at leastpart of their IT assets. (For example, the data remain internal but the application moves to a publiccloud, or vice versa.) Public cloud vendors are keen to meet these hybrid requirements through avariety of approaches. In the IaaS space, service providers offer virtual private network (VPN)-basedvirtual private extensions to their offerings. (Amazon announced its own in August 2009 – see the Ovumopinion piece “Amazon adds support for hybrid clouds”.) In the SaaS market, service providers partnerwith companies that offer extensions to their offerings. For example, Salesforce.com, which does notyet have a data center in Europe, partners with PerspecSys to serve those unwilling or unable (forregulatory reasons) to transfer data to the US. The Salesforce.com edition of PerspecSys’ Cloud DataGovernance Solution allows companies to run Salesforce.com applications in the cloud while storingprivate and sensitive data at home.

Public cloud security needs more work

Public cloud providers have a holistic approach to security

Public cloud service providers counter security fears with assertions that they have secured theirofferings against both internal and external threats at all levels:

� The mega data centers that underpin public cloud services: they do so via a mix of technologies(biometric authentication, mantraps, etc.) and processes (for example, to limit the damage thatmalicious insiders might cause).

� The software platform and applications delivered as a service: at this level, security is (or should be)built into the development process, design, and various technologies that underpin these platformsand applications. Design is key, with many public cloud providers considering security to be as mucha byproduct of good architecture design (for example, network-based domain isolation) as a goal initself. Design and technology choices have different security impacts. For example, the securityrequirements of a multi-tenant platform are different from that of a platform that relies onvirtualization technology to deliver SaaS.


� The data and metadata (while in transit, in storage, and in use) processed and generated by publicclouds: public cloud providers combine a variety of technologies, such as VPN, data leakageprevention, enterprise digital rights management, multi-location backup, and encryption.

� Public cloud access points: public clouds use service access controls based on identity and accessmanagement (IAM) technologies to ensure that only authorized users and applications gain accessto the relevant functionality and data. Securing their various application programming interfaces(APIs) is also becoming a priority.

� Public cloud supply chains: to ensure that no provider in the chain weakens the secure provision ofcloud services, the supply chain includes security-centric service providers such as those thatprovide single sign-on or identity management services.

Based on the various resources at their disposal in terms of technology and expertise, public cloudproviders claim that they are at least as secure as most internal data centers. They point out that thespecialization, homogeneity, automation, and centralization that public clouds offer increase security.They can remain tightly focused on their particular offering, which they can easily and rapidly update orupgrade in case of a problem, whereas enterprise IT staff have to take a more generalized approach.

Providers also rightfully assert that, while some public clouds have been used as platforms for malware,they are mostly used as platforms for a new generation of security-related services (such as identitymanagement services, disaster recovery, antivirus, and application security testing) to secure bothprivate and public clouds. For example, SaaS application security testing provider VeraCode achieveda sevenfold increase in revenue bookings in 2009. Most of its revenue comes from large organizations,mainly in the financial services and government sectors, that demand that a security code specialistindependently examines software (for both on-premise and SaaS configurations) before they will buy it.

Public clouds’ security credentials will take time to mature

Overall, public cloud security needs to improve at a variety of levels:

� Security measures: for example, public clouds currently do not have particularly strongauthentication and encryption capabilities. They also use technologies such as virtualization, IDfederation, data privacy, and API security, which need to mature and require better standards. Thegrowing complexity of public cloud supply chains complicates things further.

� Security information: many service providers are reluctant to supply details about the way that theysecure their offerings, hanging on to the discredited myth that security is impaired if you discloseyour security procedures. They should shift from assurances to accountability and be more open ona variety of issues such as internal procedures (for example, the power they give to systemadministrators), access to log files, and the security technologies they have selected.

� Standards and best practices: these are lacking. Public cloud providers usually mention SAS 70Type II and ISO 27000 standards, but these are not cloud-specific and can be implemented in apiecemeal fashion.

Public cloud service providers are slowly improving at all levels, owing to the barrage of scrutiny towhich they are subjected. They have started cross-industry efforts such as the CloudAudit initiative,which aims to provide a common interface and namespace for public cloud providers to automate the“Audit, Assertion, Assessment, and Assurance” of their environments via an open, extensible, andsecure interface and methodology. Overall, however, their efforts will take time to mature. In themeantime, enterprises need to familiarize themselves and keep up with the security measures in place.

Public cloud security begins at home

Public cloud security is an extension of internal security efforts

Public cloud user security should rely on strong internal security practices to avoid public cloud usersbecoming the weakest link in the public cloud security chain. (This is currently the case, as public cloud useis often on CIOs’ and internal security teams’ radars.) It should be woven into the multiple layers thatunderpin internal security – continuous monitoring, data encryption and backup, and controlled virtualmachine image creation, for example. The challenge for public cloud providers is to make sure their securitymeasures are not only effective, but also usable: they should not require internal security overhauls.


Security software vendors are keen to enable enterprises to move towards a hybrid cloud-centric viewof security. For example, Novell asserts that for the cloud to become an extended part of theirinfrastructure, enterprises should use the same security and access control technology, model, andinterface for the public cloud as they use internally.

An increasing number of people (including representatives of the UK government talking about thecountry’s “government clouds”) point out that public clouds provide an opportunity to take a good lookat internal security procedures, weave security more tightly into the fabric of IT processes, and redefinethe mix of skills needed to achieve IT security. Too many enterprises do not have the governanceprocesses and metrics in place to track the effectiveness of their security efforts.

Users’ security efforts depend on the type of public cloud

The level of required security varies depending not just on the type of data or application involved (themore sensitive/mission-critical, the more security required), but also on the type of public cloud. Thehigher up the public cloud stack, the less responsibility there is for customers when it comes to security.

IaaS service providers are responsible for the security of the compute, storage, and network resourcesthey provide. Customers are in charge of the rest – namely, securing virtual images and their content(operating system, applications, and data). Developers need to build their virtual stacks carefully,removing any unnecessary software and opting for a closed configuration policy by default. Systemadministrators need to keep an eye on their applications to detect any sudden changes of traffic patternthat might indicate a security breach.

PaaS service providers are responsible for the security of the application development tools andruntime platforms they offer. Customers are responsible for securing the applications they develop forand run on PaaS offerings. PaaS helps in that it constrains the design and development of applicationsin a way that may generate more secure code. It also offers built-in security features (such as federatedidentity services) as well as APIs to connect to third-party security services.

SaaS service providers are responsible for securing the entire stack, from infrastructure to applicationand data. They rely mostly on the security capabilities of their underlying database technology, whichhas had time to mature security-wise. (IaaS providers, on the other hand, have to grapple with theimmaturity of virtualization technology.) However, SaaS customers are responsible for IAM-relatedsecurity as well as the governance of the data processed by the SaaS application.

Public cloud security requires a redesign of current security approaches

Many companies have already extended the perimeter of their security defenses to cater to the securityneeds of mobile devices and customers, as well as to partner within their supply chains. Public cloudproviders point out that public clouds allow security to be delivered more effectively across supplychains.

However, public clouds do not so much extend internal security defenses as deconstruct them, movingthem towards a much more decentralized security model, and thus requiring different technologies.However, the technologies and standards needed to underpin this model either are nonexistent or needto mature. This decentralized model relies on hybrid clouds so that, for example, encryption keys forpublic clouds can be stored in private clouds.

Public clouds increase the importance of data security

There is a growing consensus that public clouds provide the IT industry with an opportunity to redefinethe way it approaches security by shifting its focus from application to data. The objective is to wrapsecurity around data so that security measures can be applied to data regardless of their locationacross public and private clouds, depending on data type, sensitivity, and use, among other criteria.

Public cloud providers are already working on making this vision a reality, but it will take time. In themeantime, user organizations can help by putting their data centers in order. They need to take a hardlook at the types of data they have in order to adapt their use of public clouds to the sensitivity of theirdata. They need to distinguish between sensitive and non-sensitive data, and various levels in between– an ongoing exercise that few companies have gone through.


These providers also need to take an interest in the way that data are secured across the data lifecycle(data creation, use, sharing, storage, archiving, and destruction). In the minds of many users, the wholepoint of outsourcing resources to public clouds is to forget about the operational details of theseresources. This is a luxury that firms cannot indulge in. As societies and economies grow digitalized,data governance legislation is likely to tighten rather than relax, making it impossible for enterprises(SMEs included) to wash their hands of this issue.

They need to pay particular attention to the following:

� Data location: enterprises need to know where their data go and what they go through. (As a result,data location transparency is one of the main issues emphasized by the “open cloud manifesto”published in early 2009.)

� Data replication technologies, processes, and compliance: user organizations need to understand howpublic clouds replicate data in order to secure them. They need to know what type of synchronizationand recovery technologies are used; whether the locations are independent enough so that if one fails,it does not create problems in the others; and what the data retention and transfer policies are to makesure these do not contravene privacy and data transfer-related legislation and so on.

� Data confidentiality: some public cloud providers give themselves the right to peek into enterprisedata for a variety of reasons, such as advertising or to avoid discriminatory content. Enterprise usersneed to be aware of these rights and curtail them if necessary (or if possible). These concerns areless related to digital identity and online privacy issues (which are key to the consumer side of publiccloud services) than to the protection of intellectual property and trade secrets.

� Data return policies: enterprises need to consider not just entry, but also exit strategies, and howbest to move their data elsewhere should they decide to terminate their use of a particular publiccloud offering or should the service provider become unable to provide the service they signed for.They need to seek contractual guarantees that all of their data will be returned promptly and in thedesired format at the end of a contract, and that all backup copies will be destroyed.

Public clouds require strong identity and access management

Strong IAM (identity provisioning and de-provisioning, authentication, federated identity management,user profiles, and access control policy) needs to be implemented by both users and service providers toavoid dangers such as account or service hijacking. This is a challenge on both sides. Many public clouds,for example, use flat access controls based on weak authentication credentials (basically user ID andpassword). The best option is federated standard-based IAM practices such as assertion-based accessusing security assertion markup language (SAML), which transfers the burden of authentication to theservice that issues the assertions. User organizations should be able to specify access permissions to adeep level of granularity so that individual users can be limited to subsets of data and service functions.Help is at hand from an increasing number of single sign-on or identity management service providers.

Compliance is more of a concern than security

Security, not compliance, should come first

Security concerns are often confused with compliance concerns when it comes to clouds.

� Security compliance requires organizations to be secure and to demonstrate this. Even where thereis no need to satisfy formal external audit requirements, the need to demonstrate security is almostas pressing as the need to apply security controls to establish business confidence. Because of thecurrent lack of transparency, demonstrating security is a weak point in public cloud services.

� Regulatory compliance requires organizations to obey a variety of laws, many of which are specificto countries or vertical sectors, or both, such as the Payment Card Industry Data Security Standard(PCI DSS) and the US Health Insurance Portability and Accountability Act (HIPAA). These add avariety of twists to generic security (compliance) issues. Here again, the current lack of transparencydoes not help. However, as an increasing number of providers become vertical-market-specific, theywill seek compliance with vertical-market-specific legislations based on a mix of their own efforts andcooperation with customers and auditors.


A clearer distinction between the two types of compliance allows public cloud service consumers andproviders to put security compliance ahead of regulatory compliance. Most focus too much on the latterat the expense of the former. Instead, security should come first: once secure, IT assets can then bemade compliant.

Consumers also need to understand how the two issues relate to one another. For example, whenAmazon acknowledged in 2009 that enterprises could not run PCI Level 1-compliant applications on itscompute and storage IaaS offerings, too many people believed that these offerings (EC2 and S3,respectively) were not secure. That is not the case. The non-compliance stems from Amazon notallowing on-site audits, not from its offerings not being secure.

A more balanced approach to risk management is required

A clearer approach to compliance, as part of a holistic view of business and IT risk management, would giveenterprises a more balanced approach to public cloud risks and opportunities. This would help themunderstand why and to what extent public cloud opportunities are worth the risk. As ISACA pointed out whendiscussing its recent survey of 1,809 US IT professionals, risk management is too much about public cloudcompliance and not enough about the innovation and business change that public clouds can enable.

Certification is key to cost-effective and balanced security and compliance

Public cloud providers and users are in the process of finding the right balance between the need forsecurity and compliance and that for low cost and innovation. The more secure and compliant the publiccloud, the more expensive (and less flexible) it becomes. Costs are also driven up by the increasing“right to audit” (RTA) demands of enterprise customers. As a result, both sides see certification byindependent bodies as a way of alleviating individual customer security and compliance demands.Certification should apply to complete public cloud supply chains when the public cloud service isdelivered using a mix of offerings.

Certification schemes will take time to emerge

These certification schemes are not yet in place. They will require auditors to re-evaluate compliancecriteria to achieve the “reasonable certainty” they seek. Auditors are much less willing to do so than isclaimed (or expected) by public cloud providers. While auditing practices and standards mature andadapt, many public cloud providers will have to self-audit or rely on limited cloud audit services such asthose offered by the likes of HP and IBM. For example, HP Cloud Assure, launched in early 2009, teststhe security, availability, and performance of cloud services. Security testing includes code scans andpenetration testing. However, it mainly focuses on the external access control aspects and does notvalidate internal operational procedures.

The public sector is a key participant in the security and compliance

debate

Governments are still grappling with the cloud computing phenomenon

When it comes to security and the Internet, governments are users, regulators, and cyber-attackprotectors as well as initiators. The 21st century is one of cyber warfare, and war, in all its variousguises, is a governmental affair. However, as with actual war, the current problem is less to do withnation states than hard-to-anticipate rogue terrorist movements. As a regulator, the public sector is alsoa key participant in the compliance debate.

However, the public sector finds it as hard to grapple with public cloud security and compliance issuesas enterprise users do. In March 2009, for example, the US Federal Trade Commission, theOrganisation for Economic Co-operation and Development, and Asia-Pacific Economic Cooperationheld a meeting to discuss cloud computing security. The overwhelming message from the delegateswas that there was no consensus yet on the best way to regulate cloud services, which are rapidlybecoming globalized. Efforts are still mostly national and piecemeal, with many governments remaininguncertain of the best way to approach public clouds. As usual, the US leads the way with centralizedefforts to define a national security and compliance framework for public, private, and hybrid clouds.


Their role is particularly important when it comes to data governance

Data governance is particularly important to public cloud providers and users. This is due to a series ofdata-related laws such as those that focus on:

� restrictions on holding data in foreign jurisdictions (as in the US Patriot Act and EU Data Protectionlegislations)

� data breach notification (which requires organizations to notify data subjects that may have beenaffected by a data leakage incident)

� data privacy, especially with customer data increasingly being used as a source of revenue.

Public cloud providers want some of these laws (such as restrictions on holding data in foreignjurisdictions) to be loosened and others (such as data privacy laws) to be strengthened to boost publiccloud adoption. For example, the US coalition Digital Due Process, which is supported by the AmericanCivil Liberties Union, eBay, the Electronic Frontier Foundation, Google, and Microsoft, among others,would like a review of the 1986 Electronic Communications Privacy Act to boost data privacy.

Users are taking their fate into their own hands. For example, when the Los Angeles City Councildecided to move to Google’s SaaS email offering in October 2009, it requested a contract that wouldprevent Google employees from accessing the content of its emails.

Besides making sure public cloud providers apply restrictions on the holding of data in foreignjurisdictions and employ data breach notification and data privacy laws, enterprises are concerned withthe following:

� The release of their data to government agencies: in the US, for example, although public cloudproviders do not own customer data, they can be forced to release them. (They can also be stoppedfrom notifying the relevant customers if this happens.) While there are legal means to forceenterprises to release data stored internally, enterprises are more likely to resist as long as possible– something a public cloud provider would not necessarily be willing to do. In addition, public cloudproviders may not have the audit data required to satisfy legal investigations, making things morecomplicated for enterprises embroiled in a legal fight. As a result, even those enterprises willing totrust public cloud providers need to make sure their contracts offer a clear electronic discoveryframework.

� The law applicable to their data (as well as their procurement contracts): this is a standard IT issuethat takes more importance in public as well as hybrid clouds. This is due to the possibility for theclouds and their data to span multiple jurisdictions, some of which have unwelcome twists to theapplication of the rule of law.

Finding the right balance between regulation and economic development

Public cloud service providers claim that public clouds deliver IT as a utility but are determined to avoidgovernments regulating them to the same extent as other utility sectors. Governments are split on theissue between two responsibilities:

� As regulators, they intend to boost public cloud security and compliance with additional, morespecific regulation, as well as via support and participation in security, identity, and privacycooperation efforts.

� As national economy managers, they want to attract public cloud data centers. Some are alreadyrethinking old rules to achieve this objective. For the Netherlands and Canada, for example, thereare arguments in favor of relaxing restrictions on holding data in foreign jurisdictions if the data areencrypted. There may be setbacks on the way, however. For example, the EU is currently re-examining the US Safe Harbor agreement and may end up tightening the rules that govern thetransfer of data between the US and the EU. Similarly, in early 2010 the Indian governmentannounced its intention to tighten data location regulation to prevent enterprises from storing tax-related data offshore for tax-evasion purposes.


4.4 Reliability and availability are under

increasing scrutiny

Reliability and availability are growing public cloud concerns

Public clouds assume constant failure

Public clouds position themselves as reliable and available based on the enterprise-grade quality oftheir hardware and software components, the design of their architecture, the adoption of bestpractices, the deployment of edge-of-network infrastructure (such as content delivery networks), and soon. The design of their offering assumes that components will fail and, in order to deliver on theirreliability and availability promise, providers weave into their offering a level of redundancy – both withinand between data centers – that few private clouds and traditional hosting solutions can match.

Public clouds have a relatively good reliability record

As a result, public cloud service providers have a relatively good reliability and availability record. Forexample, Salesforce.com has been around for more than ten years, and its SaaS offering may havesuffered from a few hiccups, but it has had no major breakdowns. Similarly, Amazon Web Services’(AWS) IaaS offering has never gone down as a whole – only in parts. AWS provides its customers withthe concept of an availability zone across which they can spread their application. Availability zones areinsulated from failure in other zones (and help compliance by limiting data to a particular zone).

Public clouds can fail

However, public clouds regularly go down: sometimes indirectly (the fault is in the Internet connection,not the public cloud itself), sometimes directly. Providers have track records of 99.9%-plus uptime, butonly when averaged over long periods. Significant outages happen, and there is no evidence that thiswill stop.

Some observers argue that outages have simply been the result of growing pains and that, as theindustry matures, reliability and availability will improve. Others point out that, as the number of publiccloud users increases, public clouds’ reliability and availability limitations will become increasinglyapparent. The truth is probably between these two perspectives. It will take time for public clouds, andthe Internet itself, to mature enough to provide enterprises with the level of reliability and availability thatthey require for their mission-critical applications. For example, many public cloud offerings, such asMicrosoft’s Azure, currently only offer 99.9% uptime, significantly short of the 99.999% that enterprisesrequire for their core mission-critical applications.

Users are increasingly concerned about reliability and availability

As public cloud usage increases and public cloud outages continue to happen, enterprises will:

� Put public cloud providers’ reliability and availability claims under increasing scrutiny – especiallysince any public cloud failure could impact a large number of enterprises. Private clouds may be justas unreliable, but their failures impact far fewer companies at a time.

� Prepare for the pains inflicted by public cloud outages via temporary fallback procedures as part ofan overall public cloud risk assessment exercise. Of course, these procedures must be limitedbecause the expense of installing elaborate IT backup systems would defeat the purpose of publiccloud services. They will vary based on how mission-critical the various services and applicationsare.

� Agree to SLAs that not only define providers’ responsibilities but also limit consumers’ rights toreliability and availability assurances should their use of public cloud resources reach certainthresholds.


Public cloud providers need more transparency

As public clouds continue to go down regularly, to counter the “cloud is no good” hysteria service providersare becoming increasingly responsive and transparent. Many are quick to put their hands up, apologize,and explain the problem and what is being done to solve it. This proactive attitude goes a long way inmaintaining and nurturing trust – although public cloud providers could hardly have done otherwise.Customer reactions are so quick and large-scale, and the press so keen on their doomsday scenarios, thatproactive management of the problem is the only sensible course of action.

However, public cloud providers should also be more proactive in sharing reliability and availability data so thatenterprises can anticipate issues rather than having to deal with them as they start using cloud services. Thesame applies to scalability and performance issues. The service records that suppliers currently post on theirwebsites (such as Amazon’s Service Health Dashboard, Google’s App Status Dashboard, andSalesforce.com’s Trust site) are useful but too basic and short to give any idea of reliability. The records postedfor Google Apps and Amazon Web Services cover only the previous two months and 35 days, respectively,while Salesforce.com’s service history runs back less than one month (but lists response times, which is anunusual bonus). The records also fail to provide latency data, and usually do not mention outages.

Customers should ask suppliers to provide detailed and comprehensive histories of their uptime over at leastthe previous 12 months. They should request that providers be more proactive in notifying users of any failure.On the other hand, they should also understand that vendors are coy about outage-related information, notjust because they want to minimize attention, but also because it is not easy to quantify outages. In manycases the recoveries are rolling, with many customers not affected for the length of the outage.

Reliability and availability are both a problem and an opportunity

Reliability and availability will take time to improve, but they will do so as public cloud providers strive to offermore expensive but reliable/available services (in a continuum that ranges from public to hybrid as well asprivate clouds). Availability zones are nice earners, for example, because customers have to pay extra forinter-zone data transfers. Service providers also generate increasing revenues by helping enterprisesdevelop contingency plans (such as multiple Internet service providers with multiple Internet connections topublic clouds, and regular backup of public cloud data). Compuware, for example, is raising the profile ofits Gomez subsidiary via the beta CloudSleuth website, launched in April 2010, which provides reliabilityand performance information about a variety of public cloud infrastructure. It is broader in its coverage thanthe CloudStatus monitoring service, also currently in beta.

Reliability and availability are private and hybrid cloud objectives

The data center as it stands and should be

The concept of private clouds relates to reliability from two perspectives:

� The data center as it stands: many private cloud supporters argue that the average data center is morereliable than public clouds. The reverse, is, in fact, more likely to be true.

� The data center as it should be and could become: private cloud supporters aim to turn the traditionalinternal data center into a private cloud, namely shared scalable pools of assets available on demand,to improve reliability.

A hybrid cloud issue

Increasingly, the debate about public versus private cloud reliability is moving towards hybrid clouds, asenterprises are seeking to combine private and public clouds to achieve satisfactory reliability overall.

From an application point of view, the objective is not just to work out which applications to keep internally(the mission-critical ones) and which to entrust to public clouds (such as web applications and collaboration-centric applications). It is also to split application components and decide which to keep internal and whichto move to public clouds. In addition, it is about figuring out how to design applications that work both onlineand offline, something that is being considered for desktop applications in the consumer market but is likelyto become more prominent for enterprise applications.


4.5 Scalability underpins cloud computing’s

elasticity

Scalability is public clouds’ number-one feature

Scalability positions public clouds well against private clouds and outsourcing

When the QoS debate about public clouds tackles security, reliability, and availability issues, these aremostly defined as concerns. When the debate shifts to scalability, the conversation is dramaticallyaltered: it is no longer about shortcomings, but benefits. Public clouds are sold on their ability to scaleup (and down) dynamically, providing enterprises with the flexibility they need to innovate and take risksat a price they can afford. This flexibility is a key differentiator against traditional data centers andoutsourced hosting offerings.

Public clouds have different scalability profiles

IaaS clouds provide a pay-as-you-go (PAYG) scalable infrastructure, but it is up to users to put togetherthe right infrastructure components and design applications that can scale.

The PaaS runtime handles scalability (scaling out across servers or up across processors), sodevelopers do not have to worry about building scalability into their application code. The PaaS PAYGapproach to pricing delivers on-demand elasticity. On the other hand, PaaS constrains developers tospecific technologies and application designs.

SaaS providers build scalability into their applications; however, the subscription approach to licensingadopted by most SaaS vendors limits the ways in which users can benefit from this. In return fordiscounts, most customers prefer annually negotiated contracts. These can be reviewed easily to addnew users, but make it awkward to reduce the number of users.

Public cloud providers are open about their scalability recipe, within limits

Scalability cannot be an afterthought. It is an upfront design issue that is difficult and expensive toachieve. There are many ways to approach it (with the ability to use more computing, storage, ornetwork resources and the ability to parallelize applications across multiple servers), and it can bedelivered via a mix of design and technology choices, such as additional hardware, virtualization, datagrids, and distributed caches.

Public cloud vendors are willing to share details of choices they have made and provide guidance onhow to make the best of their offerings from a scalability point of view. SaaS providers using IaaS andPaaS clouds are also relatively open to sharing their experience (for example, SmugMug’s use ofAmazon Web Services).

On the other hand, many public clouds reach their scalability objectives via custom software (and, to alesser extent, hardware) assets that they are not so open about discussing. These often consist of acustom software middleware layer aimed at squeezing the most out of basic, inexpensive (x86)hardware and (often open-source) software components.

Scalability is a goal for private clouds, too

Size matters

Existing internal data centers, when they are turned into private clouds, can compete with public cloudsfrom a security, reliability, and availability point of view. This is much less the case when it comes toscalability, as the average data center is much smaller than the mega data centers that underpin mostpublic clouds. That is one of the main reasons that an increasing number of companies are turning toshared private clouds, which provide a good midway solution between small internal data centers andmega public cloud data centers.


Scalability via sharing

Scalability is one of the main objectives of the transition from data center to private cloud, achieved byturning existing IT assets from siloed resources into pools of standardized and consolidated resourcesto be shared. A good example is the blade farms that finance companies use for processing-intensiveapplications such as simulation (e.g. Monte Carlo risk analysis). These are being revisited (partly byreusing public cloud designs and technologies) to make their compute resources available for otherapplications – not just simulation ones – to use. The objective is to achieve better economies of scale,reduce usage variation, and maximize use. In other words: the fewer silos, the more sharing, and themore potentially scalable the infrastructure.

Different perspectives on scalability

Public and private clouds have different perspectives on scalability design issues. For example, privateclouds need generic compute pools that can be shared to maximize usage, while public clouds needspecialized compute pools (focused on a specific task, such as search, selling, and bidding pools in thecase of eBay), which they scale independently from one another to maximize availability.

4.6 The road to scalable and reliable private

clouds requires new thinking and skills

Public clouds open up new avenues

A renewed debate around how best to deliver QoS

Part of the public-versus-private-cloud debate revolves around which type of cloud is most able todeliver satisfactory QoS at all (RASS) levels. This has led to a renewed debate on how best to achieveQoS levels. There is:

� consensus on the need to use old, trusted software-engineering principles such as abstraction,separation on concern, loose coupling, and modularization (principles that underpin service-orientedarchitectures)

� disagreement on which technologies and technology implementations to choose, as exemplified bythe debate concerning database partitioning versus federated database design.

Like similar debates, it is extremely nerdy, but reflects a renewed, healthy focus on new ways to deliverQoS.

Public clouds challenge conventional wisdom on a variety of fronts

At the infrastructure level, public clouds are looking anew at the following:

� How best to package infrastructure components: in the past ten years, for example, the applicationserver has emerged as the cornerstone of data center infrastructure. It packages a variety ofservices (such as transaction processing, integration, and process enablement) into a single,simple-to-use offering. In the brave new world of highly scalable and distributed public cloudinfrastructure, this packaging is being reconsidered. The variety of services that application serversprovide are being scattered across the infrastructure, a move facilitated by the modularization ofapplication servers using technologies such as OSGi.

� How best to achieve transactional integrity: according to the CAP theorem defined by Inktomi’s EricBrewer in 2000, only two out of three key distributed system design objectives (namely consistency,availability, and partition tolerance) can be achieved at any one time. Many public clouds focus onavailability and partition tolerance at the expense of consistency. They reject the stricture of the“atomicity, consistency, isolation, durability” (ACID) approach in favor of the more laid-back “basicallyavailable, soft state, eventually consistent” (BASE) method, among other techniques such ascompensating transactions, ubiquitous caching, and distributed replication.


� Which database technology is best: over the past 20 years, the relational database model emergedas the dominant jack-of-all-trades, pushing alternatives into the periphery of the market. This trendis now reversing, however, as many public clouds have rejected the model in favor of new and oldalternatives.

Some of these developments are independent from but accelerated by cloud computing (such as theatomization of the application server services and the virtualization of software, storage, andinput/output).

At the application level, public cloud providers are leading the move towards stateless applications thatrelate to the underlying compute infrastructure via asynchronous, persistently queued events. This, inturn, leads to the redesign of data center infrastructures in a way that supports the new statelessapplications as well as legacy stateful applications (and ensures that stateful applications deliver truelinear scalability by making them more parallelized, partitioned, and distributed).

Public and private clouds will converge, within limits

Public cloud technology and design choices will not be fully adopted by private

clouds

Adoption is a two-way street. It is as much about whether a particular IT offering is ready to meet therequirement of a particular market as it is about whether the market is ready to handle the new offering.Many expect the QoS-related technology and design choices of public clouds to move over to privateclouds, but this will not happen to the extent that they predict. Many enterprises are not able or willingto do this yet. They may not have the skills and resources to cope with the magnitude of some of thechanges proposed – at least not quickly.

Private clouds will take one step forward

It will take time for many IT departments to move out of their comfort zones of relatively simple client-server and N-tier systems to build more scalable shared infrastructures and the applications that run ontop of them. However, many have already started to do so, often as part of service-oriented architecture(SOA) efforts. Public clouds encourage them to move further more quickly.

Public clouds will take two steps back

While there will be some crossover from public to private clouds from a QoS technology and designchoices perspective, it is likely to be smaller than the other way around. Private cloud users will getpublic cloud service providers to standardize on the technologies and designs they use internally, ratherthan adopt the exotic approaches of some public clouds (although these approaches will remain acompetitive differentiator for some public cloud providers). Public clouds will evolve towardsapproaches that are familiar to developers, or public cloud service providers will keep masking thecomplexity of their approaches (especially when it comes to PaaS offerings). A good example isMicrosoft, which started with an “exotic” database technology before stepping back, under developerpressure, to support a more mainstream database technology.

Convergence will be fueled by hybrid clouds

Irrespective of whether public clouds will influence private clouds more from a QoS perspective thanvice versa, it is undeniable that these two approaches are on a convergence course. This is acceleratedby the rise of hybrid clouds, which combine public and private cloud services in a variety of ways.Hybridization will help public and private clouds find common ground.


4.7 Recommendations


Put your use of public clouds in context

The debate about public cloud QoS too often revolves around extreme positions. The reality of publiccloud usage is in the middle – in the careful balancing of risks, costs, and benefits. Enterprises need tocarefully assess the QoS requirements of the data, applications, and processes that they plan to moveto and get from public clouds – this is an ongoing effort that they need to weave into their IT governanceefforts. A strong cloud computing governance framework would also enable them to manage their ownside of the QoS bargain: responsibility for QoS, especially at the security and compliance level, isshared between providers and consumers.

Leverage public cloud SLA competition

SLAs will become a key competitive differentiator for public cloud service vendors. Make sure you takeadvantage of this competition to drive SLAs up (or down) to the level you require. Large enterprises willstill be able to twist SLA terms and conditions to their advantage. Smaller entities will have to do withwhat they are offered and will need, as always, to understand all aspect of their providers’ SLAs. (Forexample, they will have to understand exactly what “downtime” means.)

Adopt a balanced approach to security

Do not accept public cloud providers’ claims of 100% security. Challenge their assertions and ask fordetails. However, do not be put off by security FUD either. Be on the front foot in terms of managingstakeholder perceptions and prejudices.

Overall, public clouds are neither more nor less secure than on-premise data centers. However, they doraise challenges that need to be thought through carefully. Make sure you are not the weakest link in thesecurity chain that links you to public clouds. You may want to start with applications that will either benefitfrom increased sharing of information or have relatively benign security and privacy profiles.

Always have a “plan B”

The way to ensure success with clouds is to plan for their failure. The cloud can evaporate, but thereare a variety of options to deal with this issue, including cloud-based ones. This could take the shapeof data synchronization so that you keep a live copy of your (important) data on-premise or in differentclouds. It could also be delivered by application failover/migration capabilities to bring applications backin-house (for those limited-in-number applications that require such a drastic set-up) or move them toanother cloud.

Adopt a holistic approach to public, private, and hybrid clouds

The move to public and private clouds, and to the variety of hybrids in between, has consequenceswhen it comes to the technology and design choices that enterprises have to make. These choices areinterconnected. Some public cloud choices will impact private clouds, and vice versa. Enterprises needto remain in control of these choices instead of leaving them to vendors and service providers orlearning about the consequences of their decisions when it is too late to do anything about it. They needto develop new skills and capabilities to be ready to exploit the cloud (to develop stateless applicationsbased on asynchronous messaging, for example).



Focus on the business outcome rather than technical issues

The current debate around public and private cloud QoS issues focuses on nerdy technicalconsiderations. Public cloud service providers as well as those targeting private clouds should makemore of an effort to frame the debate from a business perspective.

Improve and diversify SLAs

In addition to improving your SLAs, you should also seek the right balance between lower costs andhigher QoS for each segment of the market, based on a variety of criteria such as customer andapplication type.

Be transparent and proactive

In order to build your reputation and track record, you need to be transparent with your successes andfailures, as well as open and proactive in handling the latter. Make sure that you are regularly auditedby a reliable third party.

Build your security credentials on openness

Welcome discussion of your general approach to security. Strength comes from communityengagement, not just to boost security itself, but also to understand customer needs. Provide clearstatements about security policies and reports, and be willing to share audit reports with clients. As partof these efforts, make clear statements about how your services meet compliance requirements, andhow they can be integrated with the client’s own applications in a way that is consistent with majorregulations.

Help enterprises make the right technology and design choices

In order to deliver satisfactory QoS and SLAs, public cloud providers have made technology and designchoices that enterprises may not be able or willing to make. They need to evolve towards approachesthat are more familiar to developers, or that will mask the complexity of their approaches, especiallywhen it comes to PaaS offerings.

Adopt lock-in risk-mitigation strategies

The provision of service portability, if not frictionless migration, is important for the success of individualcloud services and the entire IT consumption model alike. A degree of lock-in might be hard to avoid,particularly in PaaS services, so there are no excuses for failing to adopt lock-in mitigation strategiessuch as open-source licensing, code escrow, standardization on widely adopted frameworks, orinteroperability with alternative platforms. You also need to influence the direction of related legislation.



WWW.OVUM.COM

CHAPTER 5:

Cloud governance: an overview


OVUM

5.1 Summary

Catalyst

Cloud computing enables enterprises to:

� deliver IT resources via automated, virtualized, and service-oriented architecture (SOA)-

centric private clouds

� consume and combine IT resources from a variety of public cloud offerings

� mix and match private and public cloud services together into hybrid clouds.

Cloud governance enables enterprises to exploit these new opportunities and tackle cloud

computing in a systematic manner (instead of the piecemeal approach that currently

characterizes most cloud computing-related initiatives). This systematic approach needs to be

woven into current application lifecycle management (ALM) and SOA governance efforts as part

of IT governance’s efforts to cross-reference and coordinate governance initiatives.

Ovum view

IT governance is necessary and difficult, and cloud computing (in the form of public, private and hybridclouds) makes it even more so. It introduces an additional layer of complexity that enterprises need tocontrol in order to make the most of its benefits (including lower costs and on-demand flexibility).However, cloud governance best practices and underlying tools are in their infancy, which makes itdifficult to strengthen current ALM and SOA governance efforts in areas such as cloud-centricapplications and application programming interface (API) management.

Key messages

�� Cloud governance builds on IT governance.

�� Cloud governance delivers the right recipe from a variety of ingredients.

�� Cloud governance, like IT governance, is a work in progress.

�� ALM governance needs to expand to the cloud.

�� Cloud governance builds on SOA governance.

5.2 Cloud governance builds on IT governance

An IT governance driver, among others

Similar to other disruptive trends

Cloud computing is the latest in a series of disruptive trends affecting IT departments. These include:

� SOAs: the redesign of IT systems into more modular components.

� Virtualization: the abstraction of IT hardware and/or software assets from one another.

� Outsourcing: the provision and/or management of an increasing amount of IT assets by third-partyservice vendors.

CHAPTER 5: CLOUD GOVERNANCE: AN OVERVIEW 7755

Each of these trends, including cloud computing:

� cannot succeed without an effective IT governance framework that promotes and ensurescoordination between IT teams

� promotes, and builds on, the other governance efforts.

Impacts all three IT domains

Like the other disruptive trends, cloud governance impacts all three IT domains:

� IT business management (ITBM), managed by the office of the CIO: this is the IT domainresponsible for overall IT governance. It is at this level that IT executives define the business casefor IT initiatives and manage business expectations as well as project/application portfolios, change,quality, enterprise architecture (EA), and procurement.

� ALM, managed by the application development (AD) team: this is the IT domain responsible for userrequirement-driven software design, sourcing, coding, testing, build generation and deployment aswell as versioning and configuration management. Following deployment, developers are alsoresponsible for application maintenance, including updates and upgrades.

� IT service management (ITSM), managed by the IT operations (ITO) group: this is the domainresponsible for the management and support of deployed applications. Its responsibilities includeapplication monitoring and troubleshooting as well as helpdesk.

A shared and service-centric IT driver, among others

The more IT becomes shared and service-centric, the more governance is needed at all levels: IT, ALM,SOA, and cloud, among others.

Drives increased resource sharing

Both public and private clouds (and the various hybrids in between) aim to provide enterprises withpools of IT resources/assets for their various divisions, lines of business (LoBs), and departments toshare. By cutting through infrastructure and application silos, SOA initiatives also make it easier toshare infrastructure and application assets. By abstracting application and infrastructure assets fromone another, virtualization facilitates this sharing further. In that context, IT governance needs tomanage the transition towards increasingly shared IT assets. This requires:

� an enterprise-wide viewpoint that moves away from local-division/LoB/department issues toprioritize usage based on overall business requirements

� good conflict management skills and the ability to make compromises, as sharing is not always easy

� the alignment of cloud, SOA, and virtualization governance efforts.

Drives service-centric IT

Shared assets are increasingly delivered as a service. The evolution of IT departments from technologymanagers to providers of technology-based services is fueled by:

� ITSM, a top-down, business-driven approach to the management of IT that specifically focuses onthe need to provide satisfactory service levels

� ALM, with the aim being to have developers create software that can live up to service-levelagreements (SLAs)

� SOA that is both about service-centric software design (the splitting up of software into componentsthat provide services to one another) and service-centric software delivery (whereby softwarecomponents are combined and provided on-demand)

� cloud computing that offers on-demand service-centric IT (hardware and software) asset delivery inboth private and public clouds, and thus redefines the way businesses see, use, and pay for IT.

Service-centric software delivery (as well as service-centric software design) relies on a contractualapproach to services that defines the context in which service providers and consumers relate to oneanother. The service-level agreement (SLA) is the mechanism that makes the service provideraccountable to the consumer (accountability being a core governance tenet). In that context ITgovernance needs to make sure that the IT department:


� Successfully manages the transition to service-centric software delivery at all levels (ALM, ITSM,SOA, and cloud computing governance).

� Does not mistake the transition for the main objective. Service-centric IT is not the end but the meansthat underpins a top-down approach to IT focused on business scenarios and outcomes rather than abottom-up approach focused on technology and vendor stacks. This is particularly relevant to cloudgovernance, where technology considerations often take precedence over business concerns.

From a cloud computing governance point of view, the objective is to make sure that IT departments dothe following:

� When acting as consumers (of public cloud services), they must insist on satisfactory SLAparameters and require strong SLA guarantees, besides putting the service provider through a duediligence evaluation process.

� When acting as providers (of private or public cloud services), they must deliver SLA parameters andguarantees that meet consumers’ requirements.

An IT governance federation member, among others

IT governance federates a variety of governance efforts

There will never be one master governance lifecycle that regulates all matters IT. Instead, ITgovernance cross-references and coordinates various governance efforts that overlap one another. Asshown in Figure 5.2.1, these efforts include:

� organizational-centric governance initiatives; for example, ALM governance carried out by the ADgroup and ITSM governance carried out by the ITO group (with IT governance federating the twofrom the point of view of a cradle-to-grave approach to ALM)

� cross-organization governance programs such as SOA or cloud computing governance

� IT practice-centric governance efforts such as architecture, data, and security governance (critical tocross-organization programs such as SOA or cloud computing).


SOA governance

Cloud computing governance

ALM governance

ITSM governance

Security governance

Data governance

IT govern

ance

ITgov

ernance

Figure 5.2.1: IT governance federates a

variety of governance efforts Source: Ovum

The objective is to build a positive feedback loop between these various governance domains. Thecomplexity and difficulty of doing so is such that IT governance is not the aim but the journey. There isno “big bang” implementation but an approach similar to the Japanese Kaizen concept of “gradual andorderly, continuous improvement”.

Cloud computing governance must be woven into all IT governance’s federation

efforts

IT governance federates other governance efforts with a variety of perspectives. Cloud computinggovernance should be woven into each of these. They include the following:

� Asset lifecycle management: IT governance promotes a lifecycle management approach to thevarious IT assets (hardware, software, information/data) from their creation or sourcing down to theirdisposal or re-purposing. Each governance effort has its own specific approach to lifecyclemanagement, linked to the specificity of the assets being managed (for example, ALM and SOAapply lifecycle management to applications and software services, respectively). However, thesevarious specific lifecycles can be correlated to one another on the basis of a generic lifecyclemanagement approach, illustrated in Figure 5.2.2. Cloud computing governance relates to alllifecycles (hardware, data, software application, software service, virtual machine etc.). It expandsthese lifecycles from internal to external IT systems. When both private and public clouds are used,it ensures that the same lifecycle deliverables are created on both sides.

� Dependency management: cloud computing (along with SOA, virtualization, open source) is one ofthe reasons why IT departments need to keep up with increasingly integrated, portable, abstracted,and open IT assets. The more these assets prove so, the more (dynamic rather than static)dependencies there are to manage, orchestrate, and automate. The vertical dependencymanagement approach of IT assets also helps map each step of horizontal asset managementlifecycles to one another.


ALM

Applicationlifecycle Inception

IT/cloud computing governance

Inception

Construction

Construction

Provision

Provision

Operation

Operation

Change

ChangeSoftware service

lifecycle

ITSM

SOA

Figure 5.2.2: IT governance underpins

IT assets lifecycle management Source: Ovum

� EA governance: EA governance provides a system-centric backbone to federated IT governanceefforts. In the case of public clouds, it stretches to architectures and IT assets managed by thirdparties. This requires a difficult cultural shift that will take time. EA governance is also important inefforts to turn (parts of) current data centers into private clouds.

� APM/PPM integration: federated IT governance relies on the integration of project portfoliomanagement (PPM) and application portfolio management (APM) people, processes, and tools (whichmay be part of the same suite as EA tools). It also integrates PPM and APM with a variety of teams,processes, and systems outside IT – such as the CFO office, investment portfolio managementprocesses, and enterprise transaction systems and risk management systems – to link all stages of thesoftware application/service to their business context. When it comes to cloud computing, thechallenge is for PPM and APM tools to expand to manage assets that are outside of the organization.

Cloud computing governance federation expands IT governance federation

Federation efforts, in the context of IT governance, focus on the coordination of various IT-relatedgovernance domains within the enterprise. In the context of cloud computing governance, meanwhile,they relate to coordinating inter-enterprise governance in the context of:

� public cloud service consumer/provider business-to-business interactions

� public cloud service provider/provider cloud-to-cloud interactions (the building of public cloud supplychains and integration of various public clouds via an “intercloud” infrastructure).

Like IT governance, cloud governance needs to identify the right

objective(s)

Cloud governance should focus on enabling flexibility

Public and private clouds’ ability to make it faster and easier to procure or let go of (as well as develop,deploy and/or manage) hardware and software assets will make the biggest difference. Cost and qualityof service (QoS) issues are critical, but cloud computing governance should not over-emphasize themat the expense of enabling enterprises to strike the right balance between effectiveness (low costs,relevant performance) and innovation (making it easier to try something new).

Private cloud governance should focus on ease of controlled internal procurement

Private cloud governance should focus on controlling as well as taking advantage of the ease ofprocurement and efficiency that private clouds deliver via a self service portal (so that it no longer takesweeks or months, only hours or at most days, to acquire/relinquish IT assets). It should prevent ITpeople from diving too quickly into the technicalities of delivering fully automated, virtualized, and SOA-centric data centers to understand what it takes to become IT service delivery centric.

Public cloud governance should focus on getting rid of “shadow” IT

Many enterprises have created SOA services and virtual machines without being ready to properlymanage these new IT assets, and they are doing the same with public cloud services. A great proportionof these services have been adopted behind the CIO’s back. They are part of a “shadow” ITinfrastructure that is out of the control of IT departments. The main objective of public cloud governanceshould be to use a variety of means (carrot as well as stick) to bring these public cloud services backinto the governance fold. As usual, the key problem is to reach the right balance between flexibility andcontrol – not just to align business and IT but also business users with one another, as public cloudsmake it easy for various LoBs to go their own way, reinvent the wheel several times over, and create apatchwork of incompatible systems.


5.3 Cloud governance relies on the same

ingredients as IT governance

The Ps of governance


Paraphernalia(of systems, tools and

technologies)

People

Processes

Polic

ies

Pla

ns

Perfo

rm

ance

monito

ring

Figure 5.3.1: The Ps of governance Source: Ovum

As shown in Figure 5.3.1, there are six main ingredients to any good governance recipe including cloudgovernance: people, processes, policies, plans, performance monitoring, and paraphernalia (varioussystems and tools).

People are the main ingredients of cloud governance

Cloud governance requires a center of excellence

As shown in Figure 5.3.2, governance is both applied to management (strategic corporate governancemanaged by the board of directors) and part of management (tactical corporate governance partlydefined and wholly executed by the executive team). Like other cross-IT domain governance initiativessuch as SOA governance, cloud computing governance requires the creation of a center of excellenceindependent from, but closely working with, the enterprise’s project/program management office. At astrategic level, the center of excellence draws together business as well as IT experts. At a tactical levelit relies on resources from all three IT domains (ITBM, ALM, and ITSM).

Cloud governance is about relationship management

Cloud computing impacts the way enterprises relate to:

� Their IT assets: it impacts the way they define, create, procure, and consume IT assets.

� IT departments: by freeing IT people to focus on key projects, it enables as well as undermines (byenabling users both within and outside IT departments to bypass established processes) enterprise-wide IT strategies.

� One another: among other things, it makes available to SMEs what was formerly only available tolarger organizations, and makes it easier for companies to share IT assets.

� Their IT vendors: cloud computing shifts the risk of investing in and managing IT to the vendors.

This makes it a slow-moving phenomenon, as internal and external relationships evolve much moreslowly than technology. Cloud computing governance is about managing the evolution of theserelationships for controlled, managed, and incremental cloud adoption.

Cloud governance is about empowerment, not just control

The more structured and effective the governance, the more people can get involved in it, feeding apositive feedback loop of implementation and adoption. This requires a lot of support as well as clearcommunications, as inertia makes it slow for cultures to evolve, for people to move from being awareof the need for governance to implementing it. Governance is not just about control, and keeping aneye on individuals to make sure that they behave as expected, but also about empowerment, based ona realignment of objectives and incentives to encourage behavioral change. The notion ofempowerment (via self-service) is particularly important to cloud computing.


Corporategovernance

ITgovernance

Governance appraisal

Directors/executives

Cloud Centerof Excellence(business focus)

Board ofdirectors

IT executiveteam

Cloud Centerof Excellence

(IT focus)

Businessexecutive team

Governance definition

Governance execution

Cloudgovernance

Strategicgovernance

Tacticalgovernance

Figure 5.3.2: Strategic and tactical

governance Source: Ovum

Public cloud governance is about managing IT department evolution

Public clouds will not kill IT departments but shift their focus:

� from IT provisioning and implementation tactics towards a more logical and strategic view of IT(turning IT people from IT implementers into IT project managers)

� towards a more holistic approach to the way they connect network, hardware, and software issues,hence the need for EA governance; infrastructure-as-a-service (IaaS) pioneer Amazon, for example,created its IaaS offering as part of a process to boost interactions between network engineering andAD people

� from a focus on producing services/applications to a focus on mixing and matching theseservices/applications into the right processes

� from a focus on maintenance to a focus on value and innovation, with public clouds takingresponsibility for commodity IT assets and IT departments concentrating on those IT assets thatdefine competitiveness

� towards more risk-taking, because public clouds reduce the cost of doing so and free IT people topay more attention to risky but high-reward ventures

� towards control sharing: sharing IT control with public cloud service providers as well as withpartners in shared (virtual) private clouds.

Public cloud governance is about managing and controlling these various transitions.

Private cloud governance is about enabling private clouds to keep up with public

ones

The past 18 months have seen a significant shift in focus away from public clouds towards a newconcept – that of private clouds. This stems from a powerful mix of vendor push (to sell the latesthardware and software and respond to enterprises’ concerns about public clouds) and user pull (fromboth business executives wary of public clouds’ QoS credentials and IT executives keen to remain incontrol of IT and in possession of their jobs). IT executives cannot ignore public clouds, however, asinternal IT cost and QoS will be increasingly compared to that of public clouds. From that point of view,private cloud governance is about:

� managing the evolution of internal IT from the mundane data center to the state-of-the-art privatecloud and making sure that private clouds can live up to public clouds’ challenge in areas such asQoS as well as speed and ease of procurement

� positioning internal IT services as competitive alternatives as well as complements to public cloudservices (and IT executives as competitors as well as trustworthy managers of these services).

Policies, plans, performance monitoring and processes are the

backbone of cloud governance

As shown in Figure 5.3.3, governance connects high-level strategy objectives to low-level projectimplementations via policies, plans, and performance monitoring.



Governancedomain

Strategy

Adjustments

Monitoring

Targets

Plans

Policies

Misson

Projects

Figure 5.3.3: IT governance

connects strategy with projects Source: Ovum

Policies define the compliance context

Policies are the backbone of any governance process. When it comes to IT governance, the mainobjectives are to ensure compliance as well as satisfactory cost and QoS levels. The same applies tocloud governance:

� The aim of private cloud governance is to build on internal data centers’ QoS credentials andimprove on their cost definition and management capabilities. Many enterprises are not able tocalculate then allocate costs, despite being willing to do so, as they do not have the infrastructure,processes and metrics in place.

� The aim of public cloud governance is to take advantage of the subscription and/or pay-as-you-go(PAYG) payment facilities to help cost control and match usage with QoS levels (with a particularfocus on security and data governance policies).

Plans define the governance roadmap

While a strategy defines the “why”, plans define the “where” (to go from and to) and (for each step ofthe way) the “what”, “how” and “who”. They are roadmaps that help enterprise manage:

� the transition to cloud computing

� each cloud computing project

� the lifecycle of each cloud service.

The first step of any plan is to assess current status to identify where to start and what to prioritize, andto define and coordinate tactics and objectives. This includes resource allocation, as well as changeand impact management.

Performance monitoring enables governance efforts to adapt

Performance monitoring ensures plans are on target and enables those in charge of governance toanalyze usage patterns and adapt to them by making adjustments to projects and strategy. It is key tothe management of SLAs that define the relationship between public as well as private cloud serviceproviders and consumers. This management needs the capture and correlation of performance metricsacross different IT layers – a tough challenge for both private and public cloud service providers.

Process automation delivers consistency and enforcement

Governance requires process automation to ensure consistent policy and plan implementations. Thechallenge is to find the right balance between tight enforcement (policy control via automation) and lightguidance (empowerment to achieve governance objectives without too much constraint on how to doso). This challenge is particularly important to public cloud usage, which mostly takes place outside ofIT control. Here governance means improving controls rather than taking control. In a private cloudsetting, it means creating a control framework that encourages, rather than limits, innovativeexperiments.

Cloud governance relies on paraphernalia in the form of systems,

tools and technologies

Paraphernalia are the foundation for cloud governance, yet managed by it

The definition and implementation of policies, plans and performance monitoring as well as processesrely on paraphernalia in the form of systems, tools, and technologies. As with processes, theseparaphernalia:

� underpin governance; for example, IT policies are enforced by rule and/or process engines

� are subject to EA governance that defines which systems, tools, and technologies to use and howto design and mix them, among other things.

The tools are becoming:

� public cloud-enabled (e.g. Xactium Salesforce.com-hosted GRC requirement management solutionor Monitis Amazon EC2-based SOA load testing service)

� public-cloud service enablers (e.g. PerspecSys’ salesforce.com Edition Data Governance solution,which enables Swiss banks to use Salesforce.com CRM while retaining sensitive data in-house asrequired by Swiss law).

The self-service portal is the core cloud governance system

When it comes to both public and private clouds, one of the critical governance-related systems is theself-service portal that provides instant on-demand access to a catalog of services and can either beon-premise or delivered on a software-as-a-service (SaaS) basis. Backed by usage monitoring andchargeback mechanisms, it is the key service provider/consumer interface that delivers product detailand pricing information, enables configuration, handles the ordering process, and manages useraccess on the basis of governance policies.


5.4 Cloud governance, like IT governance, is a

work in progress

Governance efforts need to improve

Too reactive, technology-centric and piecemeal

Cloud governance suffers from the same flaws that have been affecting other IT governance areas.Overall, IT governance has so far proven:

� Too reactive: most IT governance efforts are prompted by new regulations or by the need to keepup with uncontrolled SOA software services, virtual machines or public cloud services (wherebygovernance starts when the public cloud bill is much higher than expected).

� Too technology-centric rather than focused on business outcomes: the use of public clouds is a goodexample of this. Despite growing interest in IT transitioning from managing technology to providingtechnology as a service, neither business nor IT executives have been particularly proactive inmanaging the various (cultural, policy, process) changes that such a transition requires at all levels(e.g. SOA and cloud governance).

� Too piecemeal, leading to mismatched and/or overlapping governance: for example, thoseorganizations that have undertaken SOA pilots have implemented SOA governance in parallel to(rather than as part of) ALM governance. This results in separate processes for vetting requirements,quality assurance (QA), release management, and portfolio management, which leads toinconsistency and duplication of resources. The same is happening to cloud computing. Mismatchedand/or overlapping governance efforts stem from organizational as well as technological silos, thelatter often the result of the former.

Integration standards are a challenge

Technological silos stem from various governance efforts using different badly (if at all) integratedsystems and tools. This is true of ALM and ITSM tool integration, for example, despite the fact that bothusers and vendors have had years to implement it. Some data linkages exist, but the workflows as yetdon’t. Similarly it will take years for SOA and cloud computing tools to integrate into a federated ITgovernance architecture.

There are no cross-industry standards for exchanging ALM metadata or artifacts, and there probablynever will be. On the ITSM side, there is more hope; growing acceptance of the Information TechnologyInfrastructure Library (ITIL) framework has planted the seed for a mandate to manage golden copies ofkey IT infrastructure configuration item data within federated configuration management databases(CMDBs). In 2007, most of the main players (BMC, CA, Fujitsu, HP, IBM, and Microsoft) agreed on theneed for a specification for federating CMDBs. Unfortunately, the proposal has stalled since then andhas still not undergone a standardization process. Obviously, vendors cannot invent demand forintegration specifications that currently lack any type of market groundswell, but they can set the stageby at least lowering the technology barriers to integration and raising awareness of the fact that it makessense to close the loop on application quality and operational performance. The same applies to cloudcomputing service vendors.

Best-practice frameworks are missing for cloud

IT governance benefits from best-practice frameworks; cloud governance doesn’t

IT governance practitioners, backed up by both IT vendors and users, are endeavoring to turn ITgovernance from an art into a science via the use of best-practice frameworks. Some of theseframeworks are IT-specific. They include the very broad Control Objectives for Information and RelatedTechnology (COBIT) framework, launched in 1996, as well as frameworks more limited in scope suchas the (Software) Capability Maturity Model, or (SW)CMM, which manages AD processes (althoughsome organizations have applied to ITO processes), and the ITIL, which manages ITO processes.


Many governance frameworks are even more limited in scope. For example, a variety of them (FIPSPUB 200, ISM3, ISO/IEC 13335, 15408, 17799 and 27001, IT Baseline Protection Catalogs, NIST 800-14) focus on security. Some are generic rather than IT-specific, such as the Balanced Scorecardframework (reused by COBIT), or the Projects in Controlled Environments (PRINCE) framework,applied to project management.

Implementing governance frameworks is not that simple. They are evolving quickly. COBIT, forexample, has recently acquired two new extensions, Val IT and Risk IT, to respectively help ITinvestment decisions and mitigate IT risks. Similarly, in 2002 (SW)CMM evolved into Capability MaturityModel Integration (CMMI). They have limitations. Most of them provide guidelines based on how actualenterprises have successfully managed IT, but some (e.g. ITIL) are not prescriptive, and organizationslooking for an easy answer will be disappointed: there is no blueprint for implementation.

Many are also old-fashioned, ignoring the real complexity of modern IT infrastructures. They have to beadapted to new trends such as SOA and cloud computing. Industry organizations have started to stepin, however, and provide either specific guidance (e.g. cloud security guidance from the Cloud SecurityAlliance) or more generic guidance (e.g. the cloud computing code of practice unveiled in April 2010 bythe UK-based Cloud Industry Forum).

Enterprises are struggling to keep up with best-practice frameworks; cloud

computing could help

Enterprises are struggling to keep up with the following:

� The rise of these frameworks: COBIT, CMM, and ITIL have garnered limited support. Otherapproaches (such as Lean IT) have relatively few reference implementations.

� The detail of these frameworks: some of these frameworks are so broad (e.g. COBIT, ITIL) that few,if any, organizations have implemented all of their recommendations. Most adopters “cherry pick”those portions that support specific corporate or IT objectives (such as consolidating the servicedesk in ITIL) or address key pain points (such as incident management or problem resolution inITIL). Adaptation to specific circumstance and cherry picking are the right way to go, however,provided organizations do not forget the big picture.

� The spirit of these frameworks: some IT organizations have used these frameworks in an inward-looking fashion to define processes and metrics without regards for the bigger picture of businessgoals, for example.

� The variety of these frameworks: there are many of them and they overlap and/or complement oneanother. Vendors add to the complexity with their own twists (e.g. the Microsoft OperationsFramework for ITSM).

New cloud computing guidance needs to clearly specify how and to what extend cloud governancerelates to established frameworks. In return, established frameworks need to evolve to take cloudcomputing into account, all the more since cloud governance-as-a-service (GaaS) could help in theadoption of these frameworks. As GaaS offerings begin to appear, providers will be able to:

� start providing feedback on the use of these tools for companies to benchmark themselves againsttheir peers

� leverage social web functionality for governance practitioners to create IT governanceimplementation communities

� make it easier for governance efforts to be shared across LoBs/divisions and between partners.


5.5 ALM governance needs to expand to the cloud

ALM has migrated to the clouds

ALM is hybrid: it spans public and/or private clouds

ALM is hybrid from two points of view:

� Development tools and ALM infrastructure services (e.g. business intelligence, collaboration,requirement management, change management services): deployed either on-premise or online orboth. For instance, development organizations can conduct project planning in the cloud but test on-premise, or vice versa.

� The applications being created by the ALM process: deployed either on-premise or online or both.For instance, an application can process data on-premise but store those data online, or vice versa.

Public clouds provide developers with a variety of options

Developers use IaaS platform to run their development tools and/or ALM infrastructure services as wellas the applications they create. They use platform-as-a-service (PaaS) development and deploymentfacilities to quickly develop scalable applications. They also use SaaS development tools and/orinfrastructure services as well as integrating the applications they create with SaaS applications. ManySaaS providers have turned the infrastructure on which their SaaS offering runs into a PaaS offering tomake the integration process easier.

ALM is for – as well as in – the public cloud

ALM can be in and/or for the public cloud as follows:

� ALM for the public cloud: the use of on-premise and/or public-cloud-based ALM tools and/orinfrastructure services to develop applications deployed in a public cloud.

� ALM in the public cloud: the use of public-cloud based ALM tools and infrastructure services todevelop applications deployed on-premise and/or in a public cloud.

The most likely trend is for vendors, especially large ones, to support both on-premise and online tools(e.g. Microsoft offers an on-premise ALM toolset for its Azure PaaS platform for now, with the plan beingto migrate the toolset to Azure).

ALM in the cloud is a mixed bag

Many ALM tool providers have web-enabled their offerings but have yet to fully embrace SaaS. On theone hand, this reflects vendors’ ability to adapt to customer requirements. For security reasons, somecustomers do not want multi-tenant tools, for example. Others do not want to adapt their procurementto subscription licensing and are happy with perpetual upfront licenses. On the other hand, it alsoreflects vendors’ inability/unwillingness to redesign their tools or to evolve their business model. In anycase, tool vendors need to make it easier for developers to take advantage of public cloud services,especially SaaS ones (such as collaboration services).

There are more public-cloud-based infrastructure services than public-cloud-based development tools.This is fine, as infrastructure services are more important than development toolsets from an ALM pointof view.


ALM and cloud governance should be woven together

ALM governance should facilitate ALM for and in the public cloud

Enterprises need to set up a governance framework that helps the AD team pick the right mix of IaaS,PaaS, and SaaS services as well as offerings within each type of service. For example, the use of SaaSinfrastructure services could lower the barrier to entry for integrating a high-impact process, such asclosing the QA/application performance lifecycle, as integration could be conducted tactically on amodest budget and hopefully with minimal integration headaches if lightweight data services areexposed by source systems. The two sides need to be properly integrated; for example, developersshould deploy application code directly from a code management system rather than from developmentor pre-production storage to avoid version control issues.

ALM governance in the cloud is likely to start with tests

Many enterprises are not ready yet to trust public clouds to run production applications but are morethan happy to use them as test platforms. As a result, public cloud test automation and test labmanagement offerings have been among the most successful public cloud offerings to date. They comewith integrated SaaS tools and infrastructure services and/or integrate with on-premise ones (for so-called dev/test offerings).

When it comes to cloud-based applications, the cloud is the logical testing environment. The decisionis less obvious for on-premise applications. Even IaaS offerings may have difficulties keeping up withthe rather complex infrastructures that many large companies have to deal with, or with therequirements of applications with specific requirement in terms of hardware, software, andperformance, for example. This limits testing to fairly generic, relatively self-contained web applications.Testing in the cloud is also more relevant to organizations that have relatively sporadic testing needs.Those that have more frequent needs are likely to have already invested in a test environment of theirown – although, as part of a private cloud effort, this environment can be turned into a pool of resourcesavailable to production applications.

ALM governance, at this level, makes sure, among other things, that:

� existing test-related investments are maximized (including turning them into a private pool of internalresources)

� test data are treated with the security and privacy they deserve (instead of using production data inthe cloud)

� developers are aware of the SLA (functional and non-functional) parameters that underpin the cloudoffering.

Increasingly dev/test public clouds enable developers and testers to share resources such as bestpractices, templates, and testing artifacts. This will benefit all parties involved. It also needs to becontrolled.

ALM governance in the cloud should start small but think big

Public clouds are unfamiliar territory for many developers. Most enterprises find it easier to start with asmall specialist team to adopt ALM in the cloud and/or for the cloud. Starting small and taking it onestep at a time is the right way to go. On the other hand, enterprises should not forget that, in the end,ALM in the cloud will make it easier to involve more people in ALM by offering:

� Centralized, standardized, dynamically scalable ALM infrastructure services to audiences distributedhorizontally across geographies as well as vertically across organizational units. The zero-deployment benefits of online tools coupled with monitoring and social web capabilities simplify thetask of ensuring that all relevant stakeholders view the status of projects, tasks, processes, andactivities that are relevant to them. This in turn makes the process of governance easier by gettingeverybody involved in the process onto the same (web) page.


� Self-contained (development plus deployment) offerings such as the ones provided by small PaaSvendors. These offerings can democratize ALM by making it easier for business or casual developersto get involved. They also lessen the pressure on IT departments by enabling casual developers tocreate so-called “situational” applications. They typically feature forms or GUI-based development ormashup capabilities, rather than intensive programmatic or transactional coding.

ALM governance in the cloud is about risk management

It is up to each organization to find the mix of private and public cloud components that fits the riskprofile of its ALM activities. Just because you could code in the cloud does not mean you should. Thereare quite a few reasons why ALM is poorly suited to the cloud; corporate policies regarding thesafeguarding of intellectual property or data governance could prevent it, for example. Policies may beselective, however. For instance, while code might be considered intellectual property that cannot beallowed outside the firewall, project plan artifacts, or working with compiled code assembling builds orrunning performance tests might be acceptable. On the other hand, if your company designs productswith embedded software, letting project plans out in the cloud may be an intolerable exposure. Policieswill likely vary by organization or industry.

Keep in mind that maintaining code inside the firewall is not necessarily safer than doing so externally.Unless client machines are heavily locked down, code inside the firewall could “escape” when laptopsare taken off-premise or copied to flash drives. Internal IT organizations may lack the degree ofexpertise to truly secure data and assets that organizations that perform hosting for a living have.

ALM governance in the cloud can help weave ALM and ITSM

governance together

ALM is expanding slowly to ITSM

When it first emerged, ALM focused on the software development lifecycle (SDLC). The objective wasto integrate the various development process steps (e.g. design, development, testing) while ensuringclear separation of concern and normalization between these steps. The concept of ALM thenexpanded to comprise the entire operating life of an application from the cradle to the grave based onthe coordination of ALM and ITSM (as well as ITBM) processes.

The reality of ALM has yet to catch up, however. In the on-premise world:

� Many user organizations have yet to properly implement ALM-as-SDLC. ALM’s expansion fromALM-as-SDLC to cradle-to-grave ALM is not even on their radar.

� Vendors have only started to integrate their ALM-as-SDLC offering and have yet to offer completecradle-to-grave ALM support. What they offer is limited-point integration between ALM and ITSMofferings.

Public clouds provides an opportunity to speed up the pace

Public cloud services provide both sides with an opportunity to take shortcuts in their move towards cradle-to-grave ALM. For example, VMware, via its SpringSource acquisition, mixes Cloud Foundry and Hyperictechnologies to support Java cloud deployment and ALM. The integrated offering enables developers tocreate Amazon IaaS runtime environment without having to deal with the intricacies of Linux scripting andApache web server configuration. VMware IaaS clouds will follow. Based on application and infrastructuremonitoring agents, the offering can automatically recover failed AMIs or database servers within AMIs. Theambition is to integrate these facilities with SpringSource’s ALM environment.

The integration of development, configuration, deployment, and monitoring technologies is one of the keytenets of a new movement (called DevOps) that seeks to bridge the old AD/ITO divide. This movementis closely tied to the emergence of public cloud platforms. The objective is to empower developers todeploy directly to the cloud without involving system administrators, and to facilitate cooperation betweendevelopers and system administrators for the latter to be kept in the loop rather than ignored.


ALM governance in the cloud must live up to the challenge of cloud-

centric applications

Adapting to IaaS and PaaS constraints

ALM governance needs to ensure that developers understand and adapt to IaaS and PaaS applicationdeployment environments from a variety of perspectives, including:

� Cost: developers need to understand the impact of IaaS and PaaS pricing structures on the softwaredesign choices they make. For example, a pricing structure that combines cheap compute resourceswith not-so-cheap storage resources should be met with applications that are processing-intensivebut not overly demanding from a storage point of view (or at least compress data). It should not bethe other way around either, as this would go a long way towards neutralizing the cost savings thatpublic clouds are supposed to deliver.

� Design constraints: IaaS offerings usually provide bare-bone virtualized environments that leavedevelopers on their own devices from a management perspective. They need to code the applicationin a way that enables it to take control of its environment and scale up to the level they want. PaaSplatforms handle much of this housekeeping but constrain application design to specific patterns.

Moving out of IT’s comfort zone

IaaS offerings, and to a larger extent PaaS ones, push IT departments out of their comfort zone bypromoting a variety of transitions:

� From relatively simple stateful client-server and N-tier systems to more distributed statelessparallelized applications that relate to the underlying compute infrastructure via asynchronous,persistently queued events.

� Towards availability and partition tolerance at the expense of consistency: according to the CAPtheorem defined by Inktomi’s Eric Brewer in 2000, only two out of three key distributed systemdesign objectives (consistency, availability, partition tolerance) can be achieved at any one time.Many public clouds reject the stricture of the “atomicity, consistency, isolation, durability” (ACID)approach in favor of the more laid-back “basically available, soft state, eventually consistent” (BASE)approach among other techniques such as compensating transactions, ubiquitous caching, anddistributed replication.

� Away from mainstream technologies such as relational databases in favor of newer and olderalternatives.

Many enterprises are not capable and/or willing to be pushed out of their comfort zone just yet. Theresponsibility of those in charge of ALM and cloud governance is to make sure that IT teams:

� do not get out of their comfort zone without being ready for it (and with a strong business casebehind the move)

� do get out of their comfort zone rather than hide in it.

Developing the right SaaS applications

When the application being developed is a SaaS one, the ALM governance process needs to ensurethat ALM does the following:

� Keep up with the SaaS application: traditional on-premise software applications have relatively longupgrade cycles, particularly if they are so complex and poorly documented as to turn any changeinto a potential risk to the underlying IT infrastructure and/or neighboring applications. SaaSapplications, on the other hand, are expected to have short review cycles to adapt to user feedback.This adaptation is key to customer adoption.


� Produce a properly designed SaaS application: that is, ensure acceptable costs and QoS levels, easeof integration, relevant functionality, and right design choices. The SaaS approach to functionality isdifferent to that of traditional on-premise applications. The latter focus on feature breadth and depth.SaaS applications focus on the 20% of features used by 80% of users. Design choices are critical atall levels, including infrastructure, interface, and service delivery. Developers need to pay particularlyattention to service-delivery-centric design, since they are likely to be unfamiliar with what it entails.They need, for example, to make it easier for users to trial the application or to use various levels offeatures (which may be linked to various price levels). Service-delivery-centric design also requiresdevelopers to build usage-monitoring capabilities into the application.

ALM governance for hybrid applications

Traditional applications are being extended via integration with:

� an increasing number of SaaS applications

� new application functionality/services deployed on a PaaS or IaaS platform.

The ALM process needs to make sure that these on-premise applications are properly designed tointegrate cleanly with these (e.g. no direct or hardcoded connections but loose coupling via well-definedAPIs).

5.6 Cloud governance builds on SOA governance

Cloud computing is SOA-centric

Same architecture-centric approach and design principles

Both private and public clouds have an SOA-centric design and the same service delivery-centricapproach to IT as SOA.

SOAs are neither methodologies nor solutions or technologies, although the concept of SOA was overlylinked to web service standards at first, then to lightweight integration middleware packages known asenterprises service buses (ESBs), before being joined at the hip to business process management(BPM) technology. An SOA is the by-product of:

� an EA-centric approach to software AD and management

� the application of old (but good) software engineering principles (abstraction, loose binding/coupling,and separation of concerns) to software AD and management.

SOA initiatives take a higher-level perspective on splitting up software than older componentizationefforts by moving:

� from individual applications to overall architecture, making fewer assumptions on how things shouldbe designed

� from the notion of software to that of service, whereby the focus is not so much on coding softwarecomponents but on defining their purpose, delivered via the provision of contact details andcapabilities information in the context of policies.

Present at both the SOI and SOA levels

There are two main levels of services in an SOA:

� The platform service level, also known as service-oriented infrastructure (SOI), delivers the hardwareand software foundation (server, network, database, operating system, clustering/grid/virtualizationtechnologies, etc.) on which software components run but are abstracted from.


� The application/process service level consists of software-only services, provided by softwarecomponents to one another. These are the types of service that most people refer to when talkingabout SOA services.

Public clouds relate to SOA at both:

� the platform service/SOI level: IaaS and PaaS runtime platforms have been designed on the basisof SOA engineering principles

� the application/process (SOA) service level: many SaaS applications have been designed on thebasis of SOA engineering principles.

Similarly, private clouds are expected to follow an SOA approach at both levels.

Cloud governance helps SOA governance

Cloud governance strengthens the need for SOA governance

The notion of governance is central to an SOA. Cloud computing makes it even more so. The objectiveis to sustain and guarantee SLA parameters at two levels.

� Service-centric software design: between software service consumers and providers. At this level,SOA promotes ALM governance with the view to deliver properly designed software services. Thereare several differences between traditional applications and SOA software services. For example,traditional applications are not usually designed for reuse and are deployed one version at a time(while the development and deployment infrastructure that underpins SOA software servicessupports versioning, as different classes of service consumers might be entitled to different versionsof a service). However, instead of focusing on the differences, an alignment of SOA and ALMgovernance should focus on the way ALM and SOA development processes can leverage, and learnfrom, one another. This means putting all development projects in an architecture context andcoordinating ALM and SOA lifecycle management.

� Service-centric software delivery: between IT as a service provider and the business as an IT serviceconsumer. At this level, SOA promotes IT governance with the view to deliver properly costed,usable, and reliable software services.

The irony is that SOA, meant to enable IT to slice through organizational as well as technology silos,has found itself a prisoner of such silos and as a result disconnected from IT and ALM governanceefforts. The objective of any SOA governance efforts must be a reconnection. As part of a federatedapproach to IT governance, the introduction of cloud governance provides a good opportunity forenterprises to do so, and map:

� their cloud governance efforts with their SOA governance initiatives: because they are SOA-centricat both the platform service/SOI level and the application/process (SOA) service level, public cloudspromote the development of good SOA practices

� their SOA and ALM governance efforts with one another: instead of approaching SOA softwareservice development as an island, public clouds provide IT governance with an opportunity tocoordinate ALM and SOA development efforts.

Cloud computing governance helps SOA transitions

In the past few years, SOA initiatives have been going through a variety of transitions:

� From building (software components and their underlying SOI) to composing (software componenttogether into applications and processes): it is at this level that SOA meets BPM for heavyweightprocesses and Web 2.0 mashups for lightweight user-interface level combinations of software (anddata) components.

� From development of software services to management of said services: this transition is overlytechnology-centric. In the same way it was once believed that the ESB makes the SOA, it is now toooften believed that SOA registry and repository respectively make design-time governance (policiesdefinition) and runtime governance (realtime policy enforcement). SOA governance is not that simple.


� From bottom up (technology) to top down (business): this transition is not so much about moving fromone perspective to the other as it is about linking the two together. SOAs are enterprise-level cross-functional initiatives that span multiple LoBs as well as IT domains. They need to involve both businessand IT so that SOA software component policies reflect enterprise-level as well as department-levelbusiness policies.

� From using internal software services to using external services: SOA has always had an externalbusiness-to-business aspect, although most SOA efforts have so far been internal application-to-application efforts.

� From service-centric software design to service-centric software delivery: while an SOA and the softwaredevelopment process that underpins it do not on their own turn IT into a service-centric softwaredelivery-driven organization any more than a chisel and hammer turn masons into sculptors, they makethe process easier.

SOA governance ensures the successful implementation of every one of these transitions. This means, forexample, making sure that the AD team:

� does not focus on reuse at the expense of the overall architecture perspective; significant retrainingand/or participation in mixed teams with architectural mentoring is essential to avoid an overlydevelopment-centric approach to SOA

� does not dive too quickly into process/BPM issues (an approach that requires too many details tooearly), instead of dealing with business outcomes first.

Cloud computing helps enterprises manage SOA transitions:

� From SOI to SOA: IaaS and PaaS offerings, as well as private cloud platforms, do not so much expandthe choice of SOIs as provide an SOI shortcut, allowing enterprises to focus on the delivery of softwareservices.

� From building to composing: PaaS and SaaS public cloud offerings provide ready-to-compose buildingblocks (via a self-service portal/catalog targeted at developers).

� From service-centric software design to service-centric software delivery (via a self-serviceportal/catalog targeted at end users).

� From bottom up (technology) to top down (business): actually in this instance, it is more a case of SOAgovernance helping cloud computing governance, as cloud computing initiatives are currently tootechnology-centric.

� From using internal software services to using external services: public cloud services provide SOAinitiatives with an easy way to reach out to third-party software components.

However, public cloud offerings are still rather immature and not quite ready to fully support SOA’s shift fromdevelopment to management.

SOA governance paraphernalia have yet to move to the cloud

SOA relies on design time and runtime infrastructure and tools to define and enforce the policies behind theSLA parameters than underpin both types of consumer/provider relationship. Because service consumersare not necessarily known in advance, the runtime infrastructure is particularly important in providing a layerof abstraction that enables SOA software service providers to adapt to the demands of new consumers. Itis also important in that it is responsible for the realtime enforcement of these policies. It consists of a varietyof tools, such as metadata catalogs, asset tracking, and system management tools. The star of the SOAruntime show is the repository, responsible for management of the software service lifecycle and of thedependencies between software services and SOA policies.

While the transition of ALM tools and infrastructure services to public clouds has started, the transition ofSOA tools and infrastructure services (not just their deployment on a public cloud but their ability to takeadvantage of cloud capabilities) has barely begun. Public cloud service vendors have yet to providecomplete SOA infrastructures that enable developers to discover and view their software services andassociated policies. Design-time policies cannot be enforced in a cloud runtime. Federation orsynchronization standards between internal and public-cloud-based registries/repositories are lacking.Even if they were available there would still be the challenge of mapping internal and public cloud SOApolicies. Cloud governance needs to federate with IT/SOA governance to manage these difficulties.


Interfaces are the link between SOA and cloud

APIs to services are at least as important to SOAs as SOA services

SOA software services providers make their features available to service consumers via applicationprogramming interfaces (APIs) that define the following:

� what is available: not all SOA services are made available as service providers and those that aredo not necessarily make all of their features available

� who it is available to: security policies may drive the enterprise to expose some services to only aselect set of users

� how to get it: which protocol and semantics to use to communicate and structure a service request.

APIs provide a layer of abstraction between service providers and consumers. They can provideservices that mediate between the two sides based on a number of technologies, from simplescript/look-up tables to service brokers. From an SOA point of view, API design is as important, if notmore, than the design of the SOA service itself. Good API design principles include technologyneutrality, use of standards, ease of discovery and invocation.

APIs are the keys to the cloud computing kingdom

Private and public cloud services are available via either a GUI (for human consumers) or an API (forsoftware consumers). For example, public cloud APIs are used:

� in a IaaS environment to provision, start, stop, and terminate virtual machines, manage virtualmachine metadata and related services

� in a PaaS environment to deploy application instances

� in a SaaS environment to access application functionality and data.

Public cloud service consumption is ahead of human consumption. Salesforce.com, for example, getsmore than 60% of its traffic via APIs, and the percentage is likely to increase as more devices takeadvantage of cloud services.

The number and complexity of these APIs is growing, with many public cloud vendors trying to turn theirAPIs into de facto standards – leading to the creation of a new acronym: YACA (“yet another cloudAPI”). The partner ecosystem built around these APIs is also growing (along with the need for publiccloud providers to manage this ecosystem). Some public cloud providers are promoting multi-cloudAPIs such as Deltacloud, jclouds for Java developers or libcloud for Python developers. IBM andMicrosoft support the Simple API project launched in September 2009 by Zend Technologies to makeit easier for applications running on the Amazon IaaS offering to migrate to their own cloud (or betweentheir public clouds and private clouds).

APIs are important to both service providers and consumers

Public cloud APIs need much stronger governance than internal APIs. Public cloud service providersare increasingly aware that their public cloud offering is only as strong as its weakest API. They havestarted to turn to a number of vendors that help them manage their APIs in a way that extends theappeal of these APIs to a wider audience, thus helping generate more revenue. These vendors can alsohelp enterprises turn from public cloud service consumers to public cloud service providers. A fewcompanies have already made this move, and we expect many more to follow.

API management tools enable them to keep up with the following:

� API traffic and usage – to make sure, for example, that big customers have priority over smaller ones(or have access to different APIs), that APIs do not turn into performance bottlenecks, and that themost used APIs get the biggest share of investment

� API versioning to help partners and customers move to new versions if and when necessary

� API mediation/transformation to keep API numbers at a manageable level

� API requirements of end points


� API policy definition and enforcement

� API security: APIs are one for the first ports of call for hackers.

API management tools need to be backed by strong governance, as API design and managementimpact both business and IT at various levels. For example, governance support is required to definethe context of:

� API monetization: service providers are currently testing a variety of business models and go-to-market strategies that mix free “basic” APIs and paid-for “enterprise” APIs on the basis of a varietyof parameters, such as who is using the API and how many requests are sent to the API, as well asa variety of licensing and payment conditions.

� API openness and constraints: an increasing number of APIs are open (well-designed and -documented, available via self-service). Many open APIs only request developers to give attribution(e.g. Raskpace API). Others are more demanding (Google API prevents reverse engineering, forexample).

� API adoption and community building efforts.

5.7 Recommendations


Cloud computing requires governance, but slowly does it

You need a governance framework to benefit from, and adapt to, cloud computing. There is no “bigbang” implementation to cloud governance, but a gradual build-up that provides an opportunity tolaunch and/or reinvigorate other governance efforts. The objective is to build a positive feedback loopbetween various governance domains as part of a wider IT federation governance effort.

Move towards increasingly shared and service-centric IT

Cloud computing is one driver, among others, towards increasingly shared and service-centric IT.Service-centric IT is not the end but the means that underpins a top-down approach to IT focused onbusiness scenarios and outcomes rather than a bottom-up approach focused on technology and vendorstacks. This is particularly relevant to cloud governance, where technology considerations often takeprecedence over business concerns.

Cloud governance is in its infancy

Cloud governance best practices and underlying tools are in their infancy, so you need to cast your netwide and learn from those ahead of you on the learning curve, and coordinate with vendors to build upthese best practices and tools.

Expand ALM and SOA governance to the cloud

Developers have taken to the cloud like fish to water, but their enthusiasm needs to be tempered andcontrolled by weaving cloud governance into ALM and SOA governance. From an ALM point of view,this will make it easier to connect ALM and ITSM governance. From an SOA point of view, it will bringto the fore the need to understand and manage cloud APIs.


Help users’ governance efforts

When outsourcing started and enterprises did not have a clue about how to manage it from agovernance point of view, the outsourcing service provider had to step in to facilitate the process ofcommunication between the business and IT as well as between ITBM, operations, and developmentgroups. They did not take over governance but in many cases were forced into a commanding role dueto the absence of managed communication lines and objectives. Similarly many cloud service and toolproviders need to step in and help enterprises define and implement cloud governance.


Boost best practice, tools and integration

Besides helping users define best practices and tools, you need to work on standards to integrate cloudgovernance tools with one another and other governance systems.

Weave cloud governance into your ALM and SOA governance tools

To avoid cloud governance becoming yet another governance silo, ALM and SOA governance toolproviders should adapt their offering to the requirements of both private and public clouds.

Collaboration and testing are the cloud ALM sweet spots

Team-related activities and testing are well suited for the cloud. On the other hand, there is still aquestion mark over coding in the cloud, not just because of corporate policies regarding thesafeguarding of intellectual property but also owing to the commoditization of integrated developmentenvironments and other developer client-related tools such as debuggers, unit testing tools, and build-scripting tools.

API management is the new cloud SOA frontier

Both public and private cloud services need to be accessible via clearly defined APIs. The managementof these APIs from a cost and QoS perspective is becoming an increasing challenge that serviceproviders, both inside and outside the enterprise, need to live up to.



WWW.OVUM.COM

CHAPTER 6:

Public clouds require IT servicemanagement to adapt


OVUM

6.1 Summary

Catalyst

As the adoption of public cloud services becomes more prevalent, IT organizations face a

variety of new IT service management (ITSM) challenges. Not only will they need to ensure that

existing policies, processes, procedures, and supporting technologies are fit for externally

delivered IT services, but also that the IT function remains relevant to the business as an

effective part of the IT service delivery chain.

Ovum view

ITSM is key to the adoption of cloud computing

CIOs will need to leverage ITSM people, processes, tools, and techniques to understand which ITservices would be better served from private and/or public clouds and the priority for migration fromprivate to public (and vice versa) based on business pain points, internal capabilities, the existing qualityof service (QoS), and the cost of provision, with the aim of providing better customer service andimproved productivity.

ITSM skills are key to managing public cloud service delivery

From a people perspective, there is no doubt that IT organizations will need to evolve to reflect thechange in focus caused by the externalization and loss of immediate management of some ITinfrastructure and IT services. However, even in an IT organization that migrates all IT services to publicclouds there will still be a need for IT or business resource to manage service delivery using best-practice ITSM processes.

ITIL v3 service strategy disciplines are important when optimizing public cloud

usage

Within the Information Technology Infrastructure Library (ITIL) v3 service strategy area, the processesof financial management, service portfolio management, and demand management will become moreimportant, as IT service costs are driven by the level of public (as well as private) cloud serviceconsumption. Enterprise need to get their IT financial management (ITFM: the function and processesresponsible for managing an IT service provider’s budgeting, accounting, and charging requirements)and service-level management (SLM – the process of maintaining and gradually improving business-aligned service quality) act together prior to moving to public clouds. Following service migration (topublic clouds), there is potential for IT functions to lose both visibility and control of IT services withinthe cloud. ITFM and SLM will again both be key ITSM capabilities, as will ramped-up suppliermanagement capabilities, as IT organizations endeavor to manage a blended mix of on-premise andcloud-based IT service delivery.

ITIL v3 service design elements will be needed for public cloud service delivery

IT service continuity and information security will become higher-profile ITSM activities in light ofbusiness concerns related to public clouds. Availability and capacity management will still be relevant,with the former potentially posing a big risk to be closely managed and the latter hopefully beingsimplified through public clouds’ ability to adjust capacity as needed. Service level, service catalog, andsupplier management will also be critical people activities in ensuring that public-cloud-based ITservices deliver on their promises.

CHAPTER 6: PUBLIC CLOUDS REQUIRE IT SERVICE MANAGEMENT TO ADAPT 9999

ITIL v3 service catalog management is particularly relevant to private cloud

service delivery

The ITIL v3-espoused service catalog management process and enabling technology can be used notonly for the design and costing of public-cloud-delivered services but also for private cloud self-serviceprovisioning, supporting the cloud ethos of agility and cost-efficiency. By defining a service catalog witha menu of standard service options, policy-governed self-service, and other key service managementcapabilities (such as pricing and usage tracking), IT organizations will be better able to manage privatecloud service delivery.

IT organizations need to be thinking now about the best approach to adding tools

for managing a hybrid data center environment

Niche cloud management vendors have already emerged with solutions to address a wide spectrum ofprivate and public cloud management needs and, in the same way that traditional systemsmanagement vendors have added virtualization capabilities to existing tools, so they will do with cloud-based capabilities. There is also a third tool possibility, where third-party vendors, spotting a gap in themarket, will create solutions that allow cloud management vendor tools and systems managementvendor tools to operate in their non-native environments.

ITSM practitioners should consider SaaS management tools.

IT organizations should not overlook a cloud opportunity that exists closer to home: moving thecorporate IT service desk tool outside of the firewall. Software-as-a-service (SaaS)-delivery is a goodfit for ITSM tools and, with the continuing influx of SaaS-delivered solutions from SaaS-only vendors,traditionally on-premise ITSM vendors, and new dual-play vendors, SaaS-delivered ITSM tools willcontinue to erode the market dominance of their on-premise siblings.

Key messages

�� Public clouds are changing the IT function.

�� Public clouds are changing the ITSM landscape.

�� ITSM technology has a big role to play in managing public clouds.

6.2 Public clouds are changing the IT function

The IT function is dead, long live the IT function

Public clouds will not kill IT departments

Some schools of thought predict the demise of the traditional internal IT function with the adoption ofpublic clouds, based on the argument that IT capabilities and skills will become redundant as the ITenvironment is pushed outside of the corporate firewall. The reports of the death of the IT function areboth a little early and, in Ovum’s opinion, misguided. The move to the cloud will not happen overnight.Vendor hype is still way ahead of corporate adoption, meaning that traditional IT people and skills willstill be needed for some time yet and, even if public clouds become the main delivery channels, theywill change the IT function but not eliminate it. Even with SaaS, where everything is pretty much handledby the service provider, IT will still have to do configuration and change management. In fact, changewill come much more often – at least two upgrades a year versus one upgrade every 18 months for on-premise software.


Cloud computing will be hybrid

It will not be “all or nothing” with cloud adoption: the reality will be organizations delivering IT servicesvia a blended mix of on-premise and public cloud-hosted applications, with internally delivered ITservices requiring traditional IT people skills and capabilities. Externally provided IT services will stillneed internal IT infrastructure to be delivered to end users within an enterprise.

Public clouds change IT departments

Current IT organizations can be poorly structured

The traditionally organized IT department structure, which has evolved based on the use of siloed toolsand is often characterized by many different siloed teams of technical specialists, has also driven thetechnology selection process within organizations – to a large extent governed by the existing skillswithin the organization’s IT department. This approach has created tensions between the requirementsof the business users and the ability of the IT department to manage the technology in such a way thatIT resources are locked into technologies and organizations face expensive retraining or new hiringcosts if technologies new to the organization are selected.

IT organization structure needs to become more matrix-like

Beyond the individual, Figure 6.2.1 shows Ovum’s view about how IT departments will change as firstlyvirtualization and now cloud technologies become more widely adopted.


Corporate Strategy

IT Department

Financial Analysis

Outsourced or Service Providers

Executive Management

IT Management

Busi

ness

Unit

Head

ofD

epart

ment

Busi

ness

Specia

list

s

ITStr

ate

gy

CIO

Functional Specialists

Technical Specialists

Project Mgmt.

Java

Develo

pm

ent

Figure 6.2.1: Impact on the IT

organization Source: Ovum

This structure might appear at first glance to be replacing one set of silos with another, with less clearlydefined roles and responsibilities, but it is nonetheless likely to be the more generally adoptedapproach, with a number of iterations to refine the model over time, because the implications of theproposed change are more fundamental and far-reaching than they first appear. The principle behindthe model is that organizational responsibility will become more matrix-like in its construction,translating into employees “wearing more than one hat”.

This model promotes specialization, but only in areas that need a particular focus

This might give the impression that the model is nothing more than a de-skilling of IT, effectively makingeverybody a generalist. However, on closer inspection, the model actually promotes specialization, but onlyin areas that need a particular focus. It also supports the concept of overlapping responsibility so thatdemarcation, or gaps in coverage, becomes less of an issue. It will necessitate the creation of newresponsible, accountable, consulted, informed (RACI) charts for roles, potentially extending those createdfor an outsourcing model.

At a basic level, this might be the creation of a specific commercial team to manage outsourced providerswith a specific focus on actual service delivery, contractual issues (often with differing interpretations), thefinancial implications of changes, and the application of service credits (penalties) where appropriate. Withmore complex service-provision scenarios, the relatively new concept of “service integration” could beapplicable across multiple suppliers. This is based on the fact that, while IT outsourcing can deliversignificant cost savings and improve an organization’s ability to compete, only around 50–60% ofoutsourcing partnerships are thought to be successful.

To succeed with outsourcing, IT organizations need a robust IT governance and service managementstructure between the service recipient and service providers for service integration. This should beimplemented at the outset of any partnership, with an estimated 80% of the causes of failure attributed togovernance issues. Consultancy organizations such as Capgemini, IBM, and Tata Consultancy Servicesare now providing both service integration advice and services.

We believe that some organizations will adapt to cloud computing based on the self-selecting team principle– where the concept of management is reduced in scope and leaders attract team members based on meritand the strength of their proposal – and that IT teams will become more fluid, potentially changing dynamicallyas both supply and demand change over time. The transition to this approach to IT structure will happenorganically as IT leaders recognize the merits of individual team members and their pertinent skills. It willrequire IT leadership to focus more closely on individual development and cross-team capability reviews toensure that skills consistently meet the requirements for a potentially changing set of needs. This fluidity ofoperation and the emphasis on strong individuals performing within flexible teams will also necessitate achange in the way that both personal and team performance is recognized and rewarded by IT.

6.3 Public clouds are changing the ITSM landscape

Some ITSM issues are traditional, others are new

Quality of service and governance rules apply to public clouds

From an overall IT governance perspective, external cloud services need to be managed as tightly asinternally delivered services in terms of risk, security, and standards compliance. IT services will still needresponsible internal owners no matter how they are delivered (as with an outsourcing model). An ITorganization needs to have a good understanding of the IT services it provides, along with the service-delivery quality levels required and the service-level agreement (SLA) targets agreed with the business.

People issues related to public clouds need to be addressed

Moving IT services, or more specifically the delivery of IT services, to public clouds is not just a technologyissue for IT service managers. They also need to manage the cultural implications of this IT and businesschange. At minimum there are end-user education needs to fulfill, and the potential for non-conformanceneeds to be managed through a mixture of communication, education, training, and senior managementsupport. Business perceptions of the potential for degradation of service in terms of availability, speed ofresponse, and security also need to be managed, with a special focus on data governance issues, whichare currently among the top business concerns when it comes to public clouds.

Public clouds’ ease of procurement is both a blessing and curse

The ease with which public-cloud-delivered IT services can be procured is both a benefit and a curse.Many are procured directly via lines of business (LoBs) rather than via an internal IT function“governance gateway”. This stores up service-management-related issues further down the line as theLoBs start to complain about business-critical issues related to cloud-delivered IT services that the ITfunction knows nothing about.


Public clouds require the same ITIL-espoused ITSM disciplines as

internal IT

ITIL is still very much relevant but needs to evolve

While ITIL v3 proposes the processes IT organizations require to effectively manage service delivery,whether it be from an on-premise private cloud or a public cloud perspective, its adoption to date (withtrue organizational commitment to the concepts of IT as a service and of the service lifecycle) has beensomewhat patchy. As with ITIL v2, the mantra of adopting and adapting the ITIL processes that deliverthe greatest business benefit still holds true, with ITIL process adoption prioritized based on acombination of immediate IT and business pain points and needs. However, with the advent of publiccloud computing Ovum expects the need for certain ITIL processes and associated people skills andcapabilities to come to the fore.

Understanding and applying the service lifecycle is critical

Understanding and applying the service lifecycle is critical, with IT staff viewing and managingtechnology provision as discrete IT services aimed at consistently meeting business needs for thetechnology enablement of business processes. SLM (the process of maintaining and graduallyimproving business-aligned service quality) is also vital, as the ability to effectively manage servicedelivery from a third party will become paramount from a business continuity perspective.

While the concept of “delivering IT as a service” was key within earlier versions of ITIL, ITIL v3introduces the concept of the service lifecycle as the backbone of IT service delivery, with servicedesign, service transition, and service operation as lifecycle phases for change and transformation,service strategy for policies and objectives, and continual service improvement for learning andimprovement (see Figure 6.3.1).


ITIL

ServiceStrategy

ServiceOperation

ServiceTransition

ServiceDesign

Continual ServiceImprovement

Cont

inua

l Ser

vice

Impr

ovem

ent

Continual Service

Improvem

ent

Figure 6.3.1: OGC/ITIL service

lifecycle Source: OGC

To elaborate, the Office of Government Commerce (OGC) Service Strategy book offers the followingdescription of the service lifecycle model:

“Service Strategy is the axis around which the lifecycle rotates. Service Design, Service Transition, andService Operation implement strategy. Continual Service Improvement helps place and prioritizeimprovement programs and projects based on strategic objectives.”

An important point to note is that the service lifecycle is driven by strategy, not operational expediency.

There is no doubt that IT organizations will need to evolve to reflect the change in focus caused by theexternalization and loss of immediate management of some IT infrastructure and IT services. However,even in an IT organization that migrates all IT services to public clouds there will still be a need for ITresources to manage service delivery using best-practice ITSM processes, and for systemsadministrators and networking professionals to acquire new skills for the new complexities of IT servicedelivery that public clouds will bring.

Service strategy: financial, service portfolio, and demand management focus

Within service strategy, the processes of financial management, service portfolio management, anddemand management will become more important as IT service costs are driven by the level of serviceconsumption, with the processes used for:

� creating the business case for migration to the cloud and ongoing cost control

� assessing delivered business value relative to the costs of cloud-delivered IT service provision

� balancing supply and demand.

Service design: required at all levels

Within service design, IT service continuity and information security will be high-profile ITSM activitiesin light of business concerns over public-cloud-based IT service delivery. Availability and capacitymanagement will still be relevant, with the former posing a big risk that will need to be closely managed,while the latter will hopefully be simplified through the cloud-based ability to adjust capacity as needed.

Service level, service catalog, and supplier management will all be critical people activities in ensuringthat public-cloud-based IT services deliver on their promises. Continual service improvement will alsocontinue to be a formal and people-intensive mechanism to both optimize IT operations (ITO) andimprove upon the quality of IT service delivery.

Service transition: change management to the fore

Within service transition, change, release and deployment, and service asset and configurationprocesses will still be applicable and require people resource. The complexity and importance ofchange management related to public clouds should not be underestimated. Given the issues generallyexperienced in-house, the addition of extra variables will increase the potential for failure and mayadversely affect the ability to “quick-fix”. From an asset management perspective, software licensemanagement activity in particular is required to ensure that an enterprise can meet its governance andcontractual requirements.

Service operations: business as usual

Within service operations, there will be the need for a people-based service desk (even with effectiveself-service facilities) and incident management resource. Event management and problemmanagement might be highly automated (if not eliminated) by the self-healing aspects of public cloudpolicy and orchestration engines, but both will still need some level of human resource to be applied, ifonly at a management level.

Relationship management becomes critical

External relationship management needs to improve

Improved supplier management capabilities will be key, with supplier strategies, policies, evaluations,contracts, and performance monitoring all needed in a public cloud world. While these and other ITILprocesses are mostly referred to here from a people-capabilities perspective, the same is also true fromthe point of view of designing, deploying, and consistently operating an effective process.


Internal relationship management also increases in importance

Relationship management will also be a key capability with public-cloud-delivered IT services, and notjust from an ITIL v3 business relationship management perspective (a business relationship managerrole was introduced in ITIL v3). ITIL v3 business relationship managers should act as liaisons betweenIT and the business, leveraging significant knowledge in subject matters pertaining to both. They arespecifically responsible for understanding the business and its needs, assisting in the prioritization ofIT-related projects, and directing IT strategy in support of business strategy.

At a granular level, business relationship managers should work with all levels within the business, fromday-to-day operations to strategic planning, to ensure that the right services are delivered at the right priceto meet business needs. Their primary goal is to build a true partnership between IT and the business(most likely at a business-unit level), providing the business with the opportunity to help shape the ITservices delivered. As IT becomes more of a conduit between external providers and internal customersand consumers, these softer skills will become increasingly important for the majority of IT staff, as theyneed to work more closely with the business and its component business units or functions.

Financial management puts public clouds in context

In Ovum’s opinion, IT has traditionally been poor at ITFM (the function and processes responsible formanaging an IT service provider’s budgeting, accounting, and charging requirements), particularly the useof service costing to understand the true cost of service provision and the associated cost drivers (as perthe service costing overview shown in Figure 6.3.2). Public-cloud-based service delivery will alleviate thissomewhat, but in many ways it is just a moving of the goalposts, with consumption-based charging meaningthat understanding and managing the costs associated with IT service consumption will be a key task withinthe IT organization. An IT organization will need to know enough about service costs, quality, and businessvalue to make informed decisions as to whether a public cloud is the best available delivery option.


COSTS

Hardware Software Staff Facilities Externalservices Transfer

Direct costs Indirect costs Unabsorbed indirectcosts

Service A Service B Service C Service D

Cost elements

Costs-by-service

Figure 6.3.2: Service costing

overview Source: Ovum

People policies will need to reflect the risk of IT service procurement

within the cloud

Public clouds make it easier for business users to slip under the IT governance

radar

While public clouds are often touted as offering a wealth of benefits and opportunities to both IT and thebusiness, they also create the potential for business people to circumvent the IT department, directlyprocuring public-cloud-based services to meet ever-pressing business needs for rapid technologyenablement. Whether it is due to poor IT-to-business relations, a need for speed that IT is perceived tobe unable to deliver against, the relative costs of internal IT to external provision, naivety, or justmaverick behavior, there will undoubtedly be instances of business people considering or evencontractually engaging with cloud-based service providers directly. While to many it may seem far-fetched, most IT service managers will tell “war stories” of business functions using local budgets toindependently procure the design and development of a business-enabling application – with the firstthe IT function knows about it being when the business function expects them to deliver it.

Unofficial public clouds will quickly make themselves known to IT when issues

occur

Public-cloud-based service provision both simplifies and extends the severity of such a scenario. Notonly can the application be designed outside the control or guidance of the IT organization, it also nowhas the potential to be delivered. The IT function will be blissfully unaware of the situation and therelevant business people will probably be happy with their decision to “go it alone” until something goeswrong. The potential consequences are as follows:

� The procured IT service cannot be consumed behind the corporate firewall.

� The IT service doesn’t deliver against the stated business requirements in terms of functionality,capacity, availability, or performance.

� Required changes to the service are not possible, financially restrictive, or both.

� The service provider goes into administration or just disappears.

� The promised levels of security are not provided or don’t meet corporate IT governancerequirements upon auditing.

When business people complain to the IT service desk, as the single point of contact for IT failures, andexpect it to be able to resolve the issue immediately, the IT organization may have no idea that theservice exists let alone what it is, the business process it supports, the third-party vendor used, theSLAs involved, and the escalation procedures required to restore “service as usual” as soon aspossible. Mayhem will follow and no doubt the finger of blame will at least initially be pointed at the ITorganization.

IT organizations need to get a grip on public cloud procurement

IT organizations need to act now to help prevent this scenario. The IT function needs to work with thebusiness to ensure that people are fully aware that the only way to procure IT services is via the ITfunction, and of the reasons why. Beyond communicating with and educating people, however, the ITfunction must also ensure that it has worked with human resources to ensure that disciplinaryprocedures are in place so that people are both dissuaded from and penalized for procuring IT servicesoutside of the business-agreed IT route. From a “carrot” perspective, a key objective is to shorten andsimplify provisioning processes so that people have fewer reasons for bypassing these processes.


While this may seem draconian, an enterprise cannot afford to be placed at risk by maverick or evenmisguided individuals endangering business operations by independently procuring IT services withoutthe necessary level of IT governance applied by experts within the IT function.

6.4 ITSM technology has a big role to play in

managing public clouds

Managing service availability will be more complex in the cloud

With public clouds, service availability can no longer be focused on hardware

By the very nature of the public cloud and its make-up, the ability to manage service availability can nolonger be focused on the particular pieces of hardware that support the critical business services. This notonly applies to infrastructure-as-a-service (IaaS), it also applies to platform-as-a-service (PaaS) and SaaS,which add their own particular twists to the situation. From a service availability perspective, public-cloud-delivered services can be considered far more complex than “traditional” IT infrastructure in that a workloadmight move across servers, whereas with traditional on-premise delivery a service could be broken downinto its “static” technology components, or configuration items, and be managed from a service availabilityperspective from the bottom up, with greater ITSM priority or emphasis placed on the hardware thatsupports critical business services.

Service availability should be measured end-to-end rather than limited to the data

center that provides cloud services

This complexity extends beyond the public cloud, however. As discussed earlier, IT organizations will befaced with the need to manage the availability of IT services delivered both in-house and via public clouds(or any hybrid in between). Cloud vendors will offer service-level-based information to enterprises but,especially early on in the customer-service provider relationship, an IT organization may wish to have agreater level of control and visibility over end-to-end IT service delivery.

New tools are emerging to cater for public clouds’ management needs

Niche cloud management vendors have already emerged with solutions to address a wide spectrum ofpublic cloud management needs for early adopters. For enterprise IT organizations that already usetraditional IT management products, however, are they going to want to add more tools to what is alreadyprobably an overpopulated tool bag?

Just as traditional systems management vendors have added virtualization capabilities to existing tools, sothey will do the same with public cloud-centric capabilities. However, will the cloud management vendors addtraditional systems management functionality to their solutions, or are they better off being niche playerscontinuing to offer potentially better capabilities than the consolidated approach of traditional systemsmanagement vendors? There is also a third possibility where third-party vendors, spotting a gap in themarket, will create solutions that allow cloud management vendor and systems management vendor tools tooperate in their non-native environments. All three vendor types will potentially offer fit-for-purpose solutionsto enterprises, but it is still too early to tell whether a particular approach will prevail over the others.

No matter what the future holds for these vendors, IT organizations will need to decide upon the bestapproach to managing a hybrid data center environment, a decision that needs to be considered andundertaken as part of the overall planning and costing of moving IT services to public clouds. The cost ofnew management tools will need to be factored in when calculating the total cost of ownership of public-cloud-based IT service provision. In many ways, an IT organization’s experiences of and lessons learnedfrom managing within a virtualized environment will be a stepping stone to managing service availability withIaaS public clouds.


Service catalogs can be leveraged for cloud provisioning

Service catalogs can help optimize IT provisioning

Service catalogs were very much in vogue during 2009 and continue to be so, given that appropriateservice catalog management activity and back-end technology can help to optimize the traditionallypeople-resource-intensive process of request fulfillment – at both the requirements capture andprovisioning stages. Employee self-service takes the burden and cost of ordering away from the servicedesk (allowing staff to concentrate on greater value-add activities) and can offer significant reductionsin the total cost of service request handling/provisioning (by as much as 75%) through the use ofworkflow and automation for authorization and service provisioning. In response to the changing IT-delivery landscape, service catalog vendors have, or are now extending, solution capabilities to caterfor public cloud environments.

Service catalogs are key to the cloud

The service catalog management process and enabling technology should be used not only for thedesign and costing of public-cloud-delivered services but also for internal self-service private cloudservice provisioning, supporting the cloud ethos of agility and cost-efficiency. Ovum fully expects ITorganizations to address many of the ITSM challenges offered by public cloud adoption by defining theirown service catalog with a menu of standard service options, policy-governed self-service, and otherkey service management capabilities such as pricing and usage tracking.

Service catalogs focus the enterprise on what it really needs

Through a service catalog front-office solution, IT organizations can better deliver against the utility-based concept of cloud-based service delivery, where IT services are turned on and off as required, inmany ways placing the onus on the consumers of said services to commence and cease services asneeded, with the specter of being charged (at a business-unit level) for services that are not being usedlooming large as an incentive.

Consider the management of the end-user interface and experience

Much is made of moving internal-customer IT services to public clouds (based on a well-consideredbusiness case). However, IT organizations should not overlook an opportunity that exists closer tohome: moving the corporate ITSM tool or other key IT management tools outside of the firewall.

The market for SaaS ITSM tools is growing

The market penetration of SaaS ITSM tools is still extremely low compared with on-premise tools. It is,however, a rapidly growing market segment both in terms of customer interest and vendor entry (or re-entry for traditional vendors offering a SaaS version of existing tools).

Increasing corporate familiarity with SaaS makes it easier for SaaS tools

SaaS vendors are not just riding on the back of the global recession, as the benefits are not limited to valuefor money. There are also the ease of use and ease of version upgrade, but one should not forget thebenefits of removing the operation and support of what is essentially a non-business-critical IT systemfrom the often already overrun internal IT organization, allowing it to focus on greater value-add activities.

Companies see SaaS ITSM tools as a cheaper, low-risk option

An oft-quoted industry figure is that, on average, organizations change their ITSM tool every five years,and while the effect of the downturn of the economy on this statistic is unknown, Ovum is seeing greaterattention placed on the overall cost of providing ITSM-related services and increased considerationmade before an organization will commit to the cost and inconvenience of upgrading an existing ITSMtool. Vendors are also reporting that customers are still readily switching between ITSM tools –archiving rather than porting historical transactional data across – with some clients viewing SaaS as alow-risk, potentially tactical solution in the knowledge that they can readily return to an on-premisesolution (with the existing vendor or an alternative) if needed.


SaaS is a good fit for ITSM tools

Overall SaaS delivery is a good fit for ITSM tools, especially given that, with a phased implementation,it can be a relatively low-risk environment for introducing both SaaS and ITSM into an organization.

Enterprises are now far more aware of the benefits and risks of SaaS and, with the continuing influx ofSaaS-delivered solutions from SaaS-only vendors, traditionally on-premise ITSM vendors, and newdual-play vendors, SaaS-delivered ITSM tools will continue to continue to erode the market dominanceof their on-premise siblings. Such solutions are well worth considering in the overall mix of technologiesrequired to help manage the cloud and cloud-delivered services.

6.5 Recommendations


Enterprises need to consider a wide range of public-cloud-based issues from an

ITSM perspective

Some public-cloud-based ITSM issues are obvious. An IT organization needs to have a goodunderstanding of the IT services it provides, along with the service-delivery quality levels required, andthe SLA targets agreed with the business. At minimum there will be end-user education needs to fulfill,and the potential for non-conformance needs to be managed. Business perceptions of the potential fordegradation of service in terms of availability, speed of response, and security will also need to bemanaged. An area where many IT organizations will struggle is service costing, and an IT organizationneeds to ensure that “oranges are compared with oranges” financially when making decisions aroundpublic clouds.

Public clouds will necessitate the introduction or reintroduction of certain ITIL

processes

Following service migration, there is potential for IT functions to lose both visibility and control of ITservices within public clouds. ITFM and SLM will both be key ITSM capabilities, as will ramped-upsupplier management activity, as IT organizations endeavor to manage a blended mix of on-premiseand public-cloud-based IT service delivery. The ITIL v3 service catalog management process andenabling technology should be used not only for the design and costing of public-cloud-deliveredservices, but also for self-service provisioning of private cloud services, supporting the cloud ethos ofagility and cost-efficiency.

IT organizations need to reassess roles and responsibilities, and people’s skills

and capabilities, to reflect cloud-based changes

There is no doubt that IT organizations will need to evolve to reflect the change in focus caused by theexternalization and loss of immediate management of some IT infrastructure and IT services. However,even in an IT organization that migrates all IT services to public clouds there will still be a need forresource to manage service delivery using best-practice ITSM processes, and for systemsadministrators and networking professionals to acquire new skills for the new complexities of IT servicedelivery that public clouds bring.

Understanding and applying the service lifecycle is key, with IT staff viewing and managing technologyprovision as discrete IT services aimed at consistently meeting business needs for the technologyenablement of business processes. SLM will be critical, as the ability to effectively manage servicedelivery from a third party will become paramount from a business-continuity perspective. As ITbecomes more of a conduit between external providers and internal customers and consumers, softerskills will become increasingly important for the majority of IT staff, as they need to work more closelywith the business and its component business units or functions.


People policies need to reflect the risk of non-conformant IT service procurement

While public clouds are often touted as offering a wealth of benefits and opportunities to both IT and thebusiness, they also create the potential for business people to circumvent the IT department, directlyprocuring public-cloud-based services to meet ever-pressing business needs for rapid technologyenablement. Not only can the application be designed outside the control or guidance of the ITorganization, it can now potentially also be delivered. The IT function will be blissfully unaware of thesituation and the relevant business people will probably be happy with their decision to “go it alone” untilsomething goes wrong.

IT organizations need to act now to help prevent this scenario occurring. The IT function needs to workwith the business to ensure that people are fully aware that the only way to procure IT services is viathe IT function and that they understand the reasons why. Beyond communicating with and educatingpeople, however, the IT function must also ensure that it has worked with human resources to ensurethat disciplinary procedures are in place so that people are both dissuaded from and penalized forprocuring IT services outside of the business-agreed IT route. While this may seem draconian, anenterprise cannot afford to be placed at risk by maverick or even misguided individuals endangeringbusiness operations by independently procuring IT services without the necessary level of ITgovernance applied by experts within the IT function.

IT organizations need to decide upon the best approach to, and tools for, managing

a hybrid data center environment

There are various options available to enterprises. Niche cloud management vendors have alreadyemerged with solutions to address a wide spectrum of cloud management needs. Traditional systemsmanagement vendors that have added virtualization capabilities to existing tools will do the same withcloud-based capabilities. Third-party vendors, spotting a gap in the market, will create solutions thatallow cloud management vendor tools and systems management vendor tools to operate in their non-native environments. However, no matter what the future holds for these vendors and their solutions,IT organizations will need to decide upon the best approach to managing a hybrid data centerenvironment, a decision that needs to be considered and undertaken as part of the overall planning andcosting of moving IT services to a public cloud, with the cost of new management tools factored in whencalculating the total cost of ownership of public-cloud-based IT service provision.

Alternative views

ITIL v3 is not the only best-practice ITSM framework available

While ITIL v3 is consistently referred to throughout this paper, it is not the only option available toenterprises. In many ways ITIL can be considered “documented common sense”, and for many ITorganizations the introduction of ITIL v2 in particular was a formalization of existing internal processesto improve consistency of application and the utilization of industry best practice where needed. Sowhile ITIL has been a platform for worldwide IT service improvement, gaining strong “brand awareness”and associated popularity in the process, it is not the only option available to IT organizations.

An organization could “go it alone” and use process improvement methodologies such as Six Sigmaand benchmarking to drive incremental improvements of existing processes to support cloud.Alternatively, it could opt for the international ITSM standard ISO/IEC 20000, which represents a fargreater challenge than ITIL but allows compliance to best practice to be measured. It could also opt forControl Objectives for Information and Related Technology (COBIT), the IT management frameworkthat offers best-practice IT processes with a focus on IT governance and internal controls. So ITIL isdefinitely not the only option available to IT organizations, just currently the most popular.



WWW.OVUM.COM

CHAPTER 7:

Glossary


OVUM

Cloud computing

IT (network, hardware, software) resources available on-demand either internally (private cloud) or froma third party (public cloud).

Infrastructure-as-a-service

Infrastructure-as-a-service (IaaS) combines computing and/or storage, as well as network resourcesbased on standardized hardware (servers, switches, routers) and software (hypervisor, operationsystem, management) components and associated services (such as DHCP, DNS, LDAP and SSH).

Multi-tenant architecture

Multiple customers are served simultaneously from one system, rather than from individual instancesset up for each customer. Data and processing are logically separated for security. The recoding ofexisting application software in order to do this involves reworking functions such as data indexing andsearching.

Platform-as-a-service

Platform-as-a-service (PaaS) adds a new layer of software services on top of those usually found inIaaS to make it easier to develop and/or run applications.

Private cloud

Private clouds are positioned as next-generation data centers. Some define them as the aim of the datacenter evolution journey, a long patient maturation that starts with companies understanding what theycurrently have, and then shaping it slowly to achieve a fully dynamic shared infrastructure. Othersemphasize the need to take shortcuts along the way by pushing parts of the data center ahead to delivera focused return on investment. From this perspective, the private cloud is the part(s) of the data centerthat is ahead of the rest.

Public clouds

Public clouds are usually split into IaaS, PaaS and software-as-a-service (SaaS) clouds.

Software-as-a-service

SaaS combines application functionality delivery via a web browser with data encryption, transmission,access and storage services. It can be consumer-centric (such as Flickr photo storage, managementand sharing offering); enterprise-centric (such as Salesforce.com’s CRM offering) or both (such asGoogle’s Gmail email offering).

CHAPTER 7: GLOSSARY 111133


WWW.OVUM.COM

CHAPTER 8:

Appendix


OVUM

Further reading

Datamonitor (2010) 2010 Trends to Watch: Cloud Computing, January 2010, BFTC2534

Ovum (2010) Cloud computing fundamentals, August 2010, OVUM052638

Ovum (2009) Cloud computing in IT services: a primer, July 2009, OVUM051158

Ovum (2009) Data security in the cloud, May 2009, OVUM050904

Ovum (2010) Identity services in the cloud, September 2010, OVUM052712

Ovum (2010) Managed hosting: more of a utility than a cloud, March 2010, OVUM051982

Ovum (2010) The cloud computing strategies of global telcos, July 2010, OVUM052546

Ovum (2010) The clouds open for enterprise storage, June 2010, OVUM052491

Ovum (2010) The role of multi-tenancy in a cloud environment, June 2010, OVUM052476

Ovum (2010) Transformation and sustainability complement the cloud in managed services, June 2010,OVUM052366

Ovum (2010) Virtual private clouds: a very public/private affair, July 2010, OVUM052572

Methodology

� Primary research/vendor briefings: ongoing briefings with technology vendors serving thegovernment sector.

� Secondary research: industry publications, companies’ annual reports and press releases, and datafrom public databases.

Author(s)

Laurent Lachal, senior analyst, Ovum software group

[email protected]

Stephen Mann, senior analyst, Ovum software group

[email protected]

Ovum consulting

We hope that the analysis in this brief will help you make informed and imaginative business decisions.If you have further requirements, Ovum’s consulting team may be able to help you. For moreinformation about Ovum’s consulting capabilities, please contact us directly at [email protected].

Disclaimer

All Rights Reserved.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any formby any means, electronic, mechanical, photocopying, recording or otherwise, without the priorpermission of the publisher, Ovum (a subsidiary company of Datamonitor).

CHAPTER 8: APPENDIX 111177


OVUM

� Why the public cloud market is more complex than expected.

� How private clouds are catching up with public cloud capabilities.

� Why hybrid clouds are the next frontier for the enterprise.

� That public cloud pricing structures are evolving, but not always for thebetter.

� Why service-level agreements (SLAs) are key to cloud adoption.

� Where public clouds are changing the IT function.

� Why security is the number-one cloud quality of service (QoS) concern.

� Why reliability and availability are under increasing scrutiny.

� That cloud governance, like IT governance, is a work in progress.

� How public clouds are changing the IT service management (ITSM)landscape.

This Report reveals:


Driving business value through collaborative intelligence OI00005-006

WWW.OVUM.COM

Ovum Europe

119 Farringdon Road,London, EC1R 3DA,

United Kingdom

t: +44 (0)20 7551 9850

e: [email protected]

Ovum Australia

Level 5, 459 Little Collins Street,Melbourne 3000,

Australia

t: +61 (0)3 9601 6700f: +61 (0)3 9670 8300

e: [email protected]

Ovum New York

245 Fifth Avenue, 4th Floor,New York, NY 10016,

United States

t: +1 212 652 5302f: +1 212 202 4684e: [email protected]


OVUM

planning for cloud computing

Documents