in cooperation with

T-SYSTEMS WHITEPAPER

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD

CHAPTER 1: THE RISE OF MULTI-CLOUD

A well-managed multi-cloud approach can make your business much more flexible and agile, while simultaneously reducing costs.

Talk of cloud computing often refers to ‚the cloud’, as though it were a single, easily managed entity. Yet for most forward-thinking companies, the situation is far more complex. Cloud computing doesn’t have a ‚one size fits all’ solution for all prob lems, and so businesses are increas­ingly looking to both private and public clouds to address specific workloads and applications. As a result, each company partners with a variety of different cloud providers for their IaaS, PaaS and SaaS needs.

Having this choice means that companies are no longer restricted by the technology that they provide in­house, but they are free to pick the cloud which best­matches the job they need to perform. For example, one enterprise may select Salesforce’s SaaS platform for CRM, MSOffice for email, WebEx for conferencing and multiple IaaS providers for main-taining web hosting and web­based applications.

By taking this approach with cloud, businesses can significantly improve both flexibility and scalability, with resources that are simple to provision and expand at any given time. In this model, the cloud is simply an addi tional IT resource which can be leveraged as and when it’s needed, boosting IT power and performance whilst reducing management costs at the same time.

As a result of this, businesses are left managing multiple cloud services from a variety of partners. According to cloud management firm RightScale, more than four in five firms are using multi­cloud services today, running an average of 3.6 public and 4.4 private clouds, while analysts at IDC predict that multi­cloud architectures will be adopted by more than 85% of enterprises by 2018.

1

Hybrid cloud is the preferred enterprise strategy, but private cloud adoption fell also bringing hybrid cloud adoption down.

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD 2/12

CLOUD ADOPTION IN PERCENT

Enterprises with multi-cloud strategy

Private Cloud Adoption

Hybrid Cloud Adoption

2017 2016 SOURCE: RIGHTSCALE 2017 STATE OF THE CLOUD REPORT

82 85

77 72

71 67

MULTI-CLOUD IS GOOD FOR BUSINESS CONTINUITY

Multi­cloud is more than just about running workloads and jobs, it’s also the perfect way for many businesses to ensure business continuity. Replicating infrastructure, data and applications across multiple cloud providers, means that if a primary provider has an outage, the sec-ondary one can take over immediately, dramatically cutting downtime.

This can save a considerable amount of money; according to analysts at the Ponemon Institute unplanned outages cost businesses 8,751 dollars per incident per minute.

Furthermore, the distribution of applications and data can also be cheaper, as cloud removes the need to provision and equip data centers around the world. With this type of distribution, it may make economic and performance sense to use clouds from different providers, with cloud charged per usage – thereby reducing running costs (assuming, of course, services and workloads are managed carefully).

MULTI-CLOUD REQUIRES CAREFUL CONSIDERATION

However, while there are plenty of benefits around this new phenome-non, multi-cloud does introduce its own set of issues for CIOs and their IT teams. Top of that list is the technical complexity, with the manage-ment of multiple disparate clouds often requiring a diverse set of opera-tional skills. In addition to the management issues, each business must also make sure they have the right people, expertise, technology and processes to fully exploit the opportunities of multi-cloud.

To gain the greatest benefits, applications, data and entire systems should be able to migrate between different cloud providers at any point, either permanently for efficiency or cost reasons, or temporarily, such as for business continuity. The challenge is to make the migration easy, safe and quick. From a company perspective, applications, platforms and infrastructures need to be developed and managed in such a way that these migrations can happen.

Regulations and governance can also be more difficult with multi­cloud, ensuring that all of your business obligations are met on each platform. This is particularly important with the EU’s General Data Protection Regulation (GDPR) and MiFID II set to come into effect in 2018, with both regulations having an impact on data privacy and protection. Cyber­security is another huge issue for all companies.

UNPLANNED OUTAGES COST BUSINESS

8.751 DOLLARS PER INCIDENT

PER MINUTE.

SEE CHAPTER 4 FOR MORE INFORMATION

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD 3/12

Yet the simple truth is that the benefits of multi­cloud far outweigh the complexities. Correctly managing SLAs, ensuring governance and compliance requirements are met, and choosing the right cloud for the right applications can help to significantly increase business agility while also reducing total cost of ownership (TCO).

“We believe a multi­cloud strategy based on hiring staff with negotiation skills, expanding investments in automation software, and revising cross-country connectivity options is a must for IT departments support ing innovative organizations,” said Giorgio Nebuloni, research director, IDC European Infrastructure Group, in a recent report.

Most savvy digital businesses are quickly getting the message; US­based video streaming giant Netflix is believed to back up data hosted on AWS to Google Cloud for more robust data protection, while Apple reportedly has three IaaS providers to boost the resilience of its iCloud service.

To reduce complexity of running multiple clouds you need the right man -a gement to give you central control of your disparate infrastructure. By offloading management to a service provider, you can reduce overhead to focus on business, better provision resources and retain a tighter grip on your organization’s IT.

CHAPTER 2: CHOOSING THE RIGHT CLOUD FOR EACH APPLICATION

Choosing the right platform for each workload is the best way to optimise your services and applications, letting you focus on growing your business.

Choosing the right cloud provider and the correct type of cloud for each workload and application is a crucial first step on the path to multi­ cloud. The discussion has long moved on from choosing between the ‘risky’ public cloud and the ‘safe’ private cloud. Rather, the focus is on the business value added and an appropriate risk assessment. Nor is it just about using public clouds to move into the future, as some jobs are still best run in a private cloud. For example, some enterprises may look to managed private clouds to improve security, performance or reliability. Ultimately, understanding how these clouds fit together, and how to choose the right one for each application or workload is the key to unlocking the greatest value for most businesses.

CHOOSING A PUBLIC CLOUD

Typically, cloud services are provisioned on a pay­as­you­go basis, where you only pay for the resources that you need. This can make the public cloud cost­efficient, with the ability to accurately predict future costs based on growth. There’s often less waste with a public

2

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD 4/12

cloud, too, compared to in­house, both in terms of power consumption and utilisation. For example, it’s estimated by McKinsey and Company that a typical server delivers between five and 15% of its maximum computing output each year.

General Electric (GE) is one such company to have embraced public cloud, consolidating and closing data centers and migrating applications where possible to the public cloud.  However, there is clearly a balance to strike here with Chris Drumgoole, COO of Global Operations CoreTech at GE, recognizing that most of the GE apps and systems that build or trans­port machines [such as turbines] “are not cloud­ready by any stretch.“

Other firms are migrating at scale to the cloud; online accounting software provider Xero recently moved 1.4 petabytes of data, 3,000 application servers and 120 databases into public cloud. “We just saw a huge opportunity in public cloud,” Mark Rees, general manager of plat-form, architecture and delivery for Xero told Fortune, with the company recognizing that a move to the cloud would result in the delivery of new features and functions at speed.

Yet while cloud is often seen as a way of improving efficiency and reduc­ing costs around their applications, there are still questions that need to be asked around areas like compliance, liability and cyber­security.

CHOOSING A PRIVATE CLOUD

There are other business requirements that public clouds cannot cover and this is where a private cloud may be the better choice. A private cloud is preferable when it is necessary to provision IT infrastructure in­line with specific local requirements, or in the case of a fully man­aged, business­critical production environment.

With a private cloud, businesses get a secure and reliable operation of large production environments and business applications, as it is usually the case that these environments have specific requirements around performance, operations and support or service.

The need for highly­available, fail­safe infrastructure can be addressed by private cloud’s high service levels and 24/7 support for business­crit­ical applications. In addition, legal and internal compliance regulations concerning data hosting can enforce operations in a specific geography or on premises. At this point, it should be decided if the company wants to manage operations by itself or outsource to a provider.

In a bid to drive major economic and technological advantages in IT operations for the Frankfurt Airport, Fraport AG decided to build a new data center and outsource operations to T­Systems. Subsequently, Fraport is using the provider‘s economies of scale to purchase, maintain and operate the solution and was able to reduce costs per unit by 3% in the first year. In addition, the company was also able to decrease energy consumption by 30%.

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD 5/12

In some cases, a public cloud is seen as preferable due to its flexibility. However, a good private cloud platform is also able to adjust capacities dynamically according to usage, thanks to flexible pricing models. This is helpful for cost­efficiency, for example, in disaster recovery scenarios, where critical data cannot be stored in a public cloud.

It is unlikely an organization would adopt a purely private or solely public cloud strategy. The requirements for individual applications and data are too specific. Furthermore, each cloud has particular strengths and weaknesses which make it suitable for or preclude it from certain usage scenarios.

FACTORING IN SECURITY AND CONTROL

Cyber­security is a big concern that many companies have about the pub lic cloud, as applications and data are stored outside of the company, thereby destroying the traditional perimeter­based approach to security. And, with the EU’s GDPR set to come into force in May 2018, public cloud providers need to be GDPR­compliant, even down to storing data in EU data centers.

With all types of public cloud, as you don’t have control over the underlying hardware, it’s impor-tant to define the Service Level Agreement (SLA) with the vendor, including uptime guarantees, to meet company requirements, particularly for mission-critical applications and data.

Consider the speed of data access, too, as applications can feel slower when running over the internet, compared to those run locally. A fast internet pipe or secure connection, and distri-buted public cloud with nearby data centers can help improve performance.

Often true flexibility comes from being able to use multiple clouds, each chosen for a specific application and workload. A key aspect of being able to deal with multi­cloud is being able to choose the right provider for those workloads, and the ability to synchronize and trans-fer work loads and jobs between different cloud platforms securely, easily and quickly. Working with the right partner to help choose and manage these disparate clouds and the data flow between them is the key to unlocking their power.

Ultimately, businesses will likely find a hybrid approach to cloud works best. With organizations choosing from the three types of public cloud (Software as a Service, Platform as a Service and Infrastructure as a Service) – as well as private cloud and on-premise, different approaches emerge for different applications.

➞ Typically, private cloud is used for mission-critical applications and data storage, where absolute control is required. For example, Owens-Illinois, a Fortune 500 company that specializes in container glass products, built a private cloud for its engineering department, to meet the goals of a system that was highly available with responsive daily support to meet tight deadlines.

➞ The public cloud, meanwhile provides scalability and flexibility for other workloads and applications, such as hosting email and productivity apps via Office365.

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD 6/12

So, how do you go about finding out the costs involved with migrating applications to the cloud? Writing on Network World, Mike Chan, CMO of software develop-ment company Thorn Technologies, advocates a four-step plan to calculating cloud migration costs. These steps include:

➞ Auditing current IT infrastructure costs ➞ Calculating estimated cloud infrastructure costs ➞ Estimating the cloud migration execution costs ➞ Approximating the additional post-migration costs

vs the benefits, such as higher uptime

3CHAPTER 3: BALANCING WORKLOADS BETWEEN ON-PREMISE AND CLOUD ENVIRONMENTS

Striking the right balance between on-premise and cloud en-vironments requires careful analysis and workload monitoring.

Getting the split right between on­premise and cloud environments is difficult but crucial to get the best performance benefits and reduce costs. Splitting your workloads is just about the most important job that you can do. Here, we’re looking at the criteria for measuring where that split should be.

Your first question is likely to be, ’Can an application or workload be run cheaper in the public cloud?’ Consider the cost of existing infrastructure, management overhead and licensing costs in your calculations, versus moving to the cloud. In particular, SaaS for well­defined applications could prove considerably cheaper to run in the cloud.

Calculating public cloud costs can be complex, and many CIOs worry about the costs of unnecessary cloud instances being spun up. Working with a cloud management company that can help you predict costs and manage cloud instances is crucial to maintaining budgets.

Analyzing TCO, can help define which applications and workloads will benefit most by migrating to a cloud infrastructure. Move the right applications to the best fitting cloud and the savings can be significant. Working with T-Systems, South Africa’s Consol – a glass packaging manufacturer – managed to cut its server operation costs by 25% in just two years by moving to the cloud, while also halving storage costs.

Measuring the performance of each workload is very important. You need to measure the typical performance, as well as looking at peaks and troughs and when they occur.

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD 7/12

From this data, you can see good indicators of where each workload be-longs. If, for example, a job only runs intermittently, could you shut it down when no longer in use? If so, a public cloud could well be the right choice, as you’re no longer paying for resources when the job is not active.

For example, MAPFRE, the largest insurance company in Spain, has to run a monthly solvency check to meet its EU requirements, which required high-performance machines that were used sporadically.

THE RISE OF ’CLOUD BURSTING’

Jobs that have fluctuating loads are also ideal for the public cloud, as you can dynamically expand and shrink resources to match. Running the same loads in-house would require you to provision enough re-source to match the peak load, which could prove to be wasteful for the majority of the time.

And waste in the data center is a common problem. As reported by Computerworld, one research study showed that 20% to 30% of servers are comatose, which means that they “are using energy but delivering no useful information”.

Conversely, jobs that have a pretty stable load could well be cheaper running in a private cloud. These kinds of jobs are easier to provision for and run, and the capital expenditure on the required resources could work out cheaper in the long term compared to renting the same resources in the public cloud.

In many cases, you don’t necessarily have to move to the public cloud permanently. Instead, you can use what is referred to as ’cloud bursting’. With cloud bursting, you provision your private cloud to deal with every­day levels of service. However, if you have key points in the year when you need more resources, it would be prohibitively expensive to build your own IT infrastructure to meet these peak demands.

Jacqui Taylor, CEO of data analytics firm Flying Binary, explains more in her IDG Connect article, Bursting the IT legacy: “An example of a cloud service which has implemented this Cloud Bursting capability in its ultimate form is a certain TV program which would be live on a Saturday evening for just one hour and includes an audience vote for the winning act. It would be cost prohibitive to build an IT system along legacy lines to collect audience votes for less than an hour once a week. By comparison, it’s relatively cheap to build a PaaS which as­sumes a huge burst in resources to collect the audience votes between 8pm and 9pm.”

Having applications written ’to burst’ – and the cloud management platform to manage this – is critical to making this strategy a success. For example, scalable microservices and docker technology are a lever to manage it.

USING PUBLIC CLOUD, MAPFRE CUT THE

THREE-YEAR HARDWARE INVESTMENT FROM

1.5 MILLION EURO TO 180,000 EURO.

20% TO 30% OF SERVERS ARE USING

ENERGY WITHOUT DELIVERING USEFUL

INFORMATION

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD 8/12

RETAINING CONTROL AND OVERSIGHT

Legal and compliance reasons will sometimes force your hand, with some workloads easier to manage in a private cloud, where you have full control over access and physical location. Splitting data storage and applications can work, but you will need to make sure that any choices you make maintain your legal obligations – especially with GDPR mandating that data on EU citizens is stored on servers in the EU (or in countries approved by the EU).

Every company should know which applications and data are critical. This selection is most likely best suited to running on a private cloud, where you will have more control and insight.

Less critical applications should, where possible, be moved to a public or hybrid cloud environment. This transfer of operations can help reduce costs, but also frees up in­house resources for expansion of mis-sion­critical applications or new projects. As such, choosing a provider who can manage the multi­cloud environment may be the best solution.

How far do you need to distribute your application? If you’re looking at a European or worldwide rollout, using multiple public clouds to distribute and localize can give you an advantage, with improved performance a clear benefit.

As T-Systems explains in its One line is not enough article, interna-tional companies usually distribute to data centers in different regions because “the shorter the route the data takes, the shorter the trans-mission (latency), which means that real­time applications in particular work better”.

CHAPTER 4: MANAGING SECURITY IN A MULTI-CLOUD WORLD

While each cloud has its unique security concerns, planning your protection policy correctly can mitigate the risks.

With data and applications split over multiple clouds, security can be a lot more complicated. With different threats affecting cloud and virtu-alized environments, cyber­attacks can come from everywhere, and from anyone. Security is an even bigger concern under GDPR, which is designed to give individuals more control over their data; it also sets out bigger fines for companies found in breach of the regulations: up to 20 million or 4% of worldwide turnover (whichever is greatest).

Despite the risks, developing a powerful multi-cloud security policy can boost security and reduce the risk of data loss. Implementing a robust cloud management solution to help identify and implement security policy is an important step. Here are some of the areas that you need to look at.

EVERY COMPANY SHOULD KNOW WHICH

APPLICATIONS AND DATA ARE CRITICAL.

4

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD 9/12

Cloud Infrastructure Policy: Many clouds are provisioned on an ad­hoc basis, with poorly­configured resources more likely to be compromised by cyber­criminals. And, as the multi­cloud grows, these errors are repeated and expanded into new resources and clouds. As a result, every company should have a policy that defines how cloud infrastructure should be configured.

As CSO Online explains in its 7 ways to take back control of your cloud strategy article, “Assemble a cloud governance committee comprised of executive, IT, legal, compliance/risk management, and lines of business representatives.

Together, this committee should hammer out a detailed cloud adoption strategy that includes app selection and security guidelines, a data loss policy, incidence response workflows, and reporting metrics.”

Shadow IT: It’s easy to lose track of everything when data and appli-cations are spread over multiple clouds. According to the Blue Coat Shadow Data Report, organizations typically use more than 840 cloud applications, most of which were adopted without the knowledge of the IT department.

Gaining visibility: You need cloud management software that can give you visibility: you need to be able to see what actions users have taken, current resource allocations and who has access to data. Gaining visibility can help you discover where threats lie, and where potential legal or compliance issues can arise.

Automated monitoring systems should also be implemented to detect and warn you of problems, giving you a chance to react to an issue before it becomes more serious. Your monitoring should also help find those unsanctioned cloud apps.

THE ROLE OF ACCESS CONTROL

With multiple clouds, access control becomes even more important, as it’s possible that you’re sharing too much data with too many people. As Michael Cooney explains in his deep dive on access control for Computerworld, “Authorization controls help implement the principle of ’least privilege’, which the National Institute of Standards and Tech-nology describes as allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accom-plish assigned tasks in accordance with organizational missions and business functions.”

The interconnection between multi­cloud and private clouds should also be controlled, so that the breach of one system doesn’t affect others. You should examine the levels of access that you have to third-parties, and that third­parties have to your systems too. When US retailer Target was hacked in 2015, the hackers found a route in via a heating, ventilation and air conditioning company (HVAC).

AREAS TO LOOK AT WHILE IMPLEMENTING

SECURITY POLICY

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD 10/12

Commonly, many companies are moving to a model where applications are hosted in the public cloud, but the underlying data (or some of it) is hosted in the private cloud. That way, you get the benefits of public cloud’s scalability, but private cloud’s level of protection.

Splitting data can help meet your GDPR obligations, too, and this is where a technique called ’pseudonymization’ comes into play. This in-volves processing of personal data so that it can no longer be attributed to a person without the use of additional data. GDPR states that the non­identifiable information should be kept separate from the additional information. That way, in the event of a data breach, it’s harder for the cybercriminals to re­identify a person from the information stolen.

“It encourages businesses to adopt pseudonymization technologies, either as part of good information management or by reducing regula-tory burdens in the event of unforeseen events, like security incidents. Contrasted against that, companies that are not in compliance with the GDPR face regulators waving a very big stick — potential fines of up to 4% of annual worldwide turnover.”

So, what happens if the worst happens? You need to have a policy in place to deal with a data breach, considering your multi­cloud infra-structure. This should include how to react to the breach, prevent it spreading to other cloud environments, and how you’ll recover. Crucially, all plans should be thoroughly tested, so that the policy is smoothly implemented when needed.

„When it comes to managing a data breach, having a response plan is simply not the same as being prepared,“ Michael Bruemmer, vice presi-dent at Experian Data Breach Resolution, said in a statement reported by Computerworld. „Unfortunately, many companies are simply checking the box on this security tactic. Developing a plan is the first step, but preparedness must be considered an ongoing process, with regular reviews of the plan and practice drills.“

Security must be implemented at every level from deployment to access if you are to stay secure with your multi-cloud environment.

SUMMARY: YOU CANNOT IGNORE MULTI-CLOUD

Today, in this digital economy, organizations are leveraging different clouds for different workloads and applications. The resulting hybrid infrastructure and application landscape often gets complex and requires a diverse set of operations skills – which in many cases are not “core” to the organization’s processes or business model. The complex ity of this combined with different pricing structures, especially for public clouds, makes it essential that these systems are managed in a secure, reliable and cost­efficient manner – even though this is not always easy for IT departments to do.

„The GDPR introduces a carrot and stick

approach to promoting data masking,”

Phil Lee from the Privacy, Security and Information

team at Fieldfisher when he spoke to Computerworld

A PRACTICAL GUIDE TO MANAGING MULTI-CLOUD 11/12

As such, this “multi­cloud” is a challenge but one which – approached properly – represents a huge opportunity for IT departments to drive their businesses to become more agile and responsive.

To discover how T-Systems can simplify the management of your multi-cloud environment, and advise your company on cloud migra-tion and optimisation to help grow your business, get in touch to arrange a consultation.

© IDG GERMANY IN COOPERATION WITH T-SYSTEMS INTERNATIONAL (2017) 12/12