Managing Business Expectations through the Hype of Cloud Computing
Cloud computing is truly one of the major technology shifts of our era. It’s natural for a technology solution as pervasive and beneficial as cloud computing to be oversold to users with inflated expectations. Industry observers have consistently highlighted the rapid adoption of cloud computing and cloud services by business users, which is driving an explosion of interest within the vendor community.1 Given the conservative growth rates for most software and hardware in our current economy, it’s understandable that the huge growth rate forecast for cloud attracts almost every high-tech vendor. That pervasiveness is hype, but it’s a “good” hype in that critical technologies do emerge as legitimate offerings. Unfortunately, that pervasiveness also means that many products and services (and vendors) being touted as “cloud” will not survive. So how does an IT organization manage through the good and bad hype of any emerging technology … including cloud computing? How does an IT organization ensure that IT’s cloud decisions are in alignment with the Business (BSM).
As an IT analyst, I’ve been struck by how the consistent lack of IT operational management almost always plays a major role in a technology’s descent into the disillusionment created by “hype.” This has been true for local area networks (LANs), enterprise resource planning (ERP) and customer relationship management (CRM) applications, databases, and operating systems — and the list goes on. Invariably the surviving products become great solutions, but only after the “bugs” of IT operational management have been resolved by vendors and users working together. And so I ask, will IT management (once again) be a factor in the descent of an emerging technology — in this case, cloud computing — into the typical slough of disillusionment?
The answer doesn’t have to be “yes.” Cloud computing is becoming too pervasive and too critical to IT’s alignment with business needs for that disillusionment to impede the rapid ascension of cloud services in any lasting way. I would offer that IT operational management can and should become a barometer for measuring which cloud technologies and cloud service providers are going to survive as great long-term solutions for its business customers.
WHAT IS THE DUE DILIGENCE PROCESS FOR EVALUATING CLOUD PROVIDERS?
The past cloud failures by Epsilon and Amazon are excellent examples of business risks that were probably not adequately assessed, monitored, and managed by enterprise customers. While the costs for Epsilon are estimated at US $225 million for damages incurred by an unfortunate 3% of its customers, what are the business ramifications of this massive data breach for these 75 companies?2 What was the due diligence process followed by Hilton, Marriott, Ritz-Carlton, Red Roof Inns, Disney Destinations, and other hospitality companies that chose Epsilon for cloud services? Did they move beyond the loss of email addresses in their risk analysis? What was the due diligence process followed by Foursquare and Quora in choosing Amazon for cloud infrastructure?
A meaningful process of due diligence in procuring cloud services, including identifying and managing risks, is basic to enterprise survival. I’m unaware of any industry-accepted certification or accreditation standards in place that can assist IT organizations in ferreting out the strong and capable cloud providers from those who lack competency, experience, and/or resources. It’s a “buyer beware” environment, with each IT shop imposing its own individual standards or lack thereof. However, there are significant benefits to properly evaluating the financial, legal, compatibility, marketing, operational, management, insurance, and liability issues that pertain to each potential cloud provider.
A critical part of that due diligence would be the implementation of a private cloud in some form by enterprise-class IT organizations. How can IT operations managers, pressured by the optimism of the business users, be prepared to evaluate a cloud service provider if they have not been through the firsthand experience of implementing their own private cloud offering? How can they specify or track SLAs when they have no experience with the unique attributes of cloud metrics? It’s elementary that if IT buyers do not know what to look for in a cloud technology or vendor, they will end up with cloud infrastructure that is poorly supported and maintained.
Evaluative question: What is your due diligence process for evaluating cloud service providers?
WHAT CLOUD SERVICE IS BEING MANAGED?
Examination of requirements for cloud “management” will reveal criteria essential for the evaluation of cloud options. One of the foundational management requirements is to identify what is being managed. The management demands of infrastructure as a service (IaaS), with its rapid provisioning of shared IT resources, are very different from the management needs of software as a service (SaaS), with its consumer usage of business applications. Platform as a service (PaaS) management issues are unique, as the target audience is actually the IT application development community, which tends to be much more IT self-sufficient than corporate business users.
Evaluative question: Are your proposed cloud management capabilities consistent with the needs of the target usage and user?
HOW ARE HETEROGENEOUS SYSTEMS SUPPORTED?
As an industry, we’ve made enormous strides in accommodating the multiple stacks of network protocols and the immediacy of network monitoring, and we’ve achieved consistency in Web user interfaces. We’ve coalesced management of divergent operating systems, even though some have originated within telecom infrastructures and others within information processing computing paradigms. We’ve achieved interoperability as delivered by server farms and concurrent data structures, enabling simultaneous data access. This successful history of heterogeneous management is now challenged by new types of mobile devices (iPads, smart phones, etc.) that have completely altered the concept of perimeter security3 or by the need to simultaneously accommodate multiple languages. We’re now putting parts of our mission-critical, bet-the-business data center in multiple places, with multiple owners and multiple management processes. (Sometimes I wonder if core IT management issues have really changed or whether we are simply experiencing a rehash of decades-old data center management issues.)
Evaluative question: Do your proposed cloud management services and tools address this “multi-multi” issue that has made IT operational management such an “interesting and dynamic” field of endeavor? (Note: I’m trying to be tactful with this question and not dwell on the unresolved problems/issues of heterogeneity of systems, protocols, data structures, interfaces, and so on that have sabotaged too many IT operations organizations.)
HOW ARE AVAILABILITY COMMITMENTS ENSURED?
It’s déjà vu all over again: the discussion of capacity planning for purposes of high availability is strikingly reminiscent of the former mainframe art of predicting, managing, and delivering required computing and storage capacity. When computing/storage (mainframe) resources were scarce, ensuring adequate capacity to meet business commitments was a holy grail. Now as computing/storage resources become the business transaction of the cloud environment, we’re returning to the art of capacity planning and execution as mandatory in satisfying service-level metrics. When betting your business on the maturity of cloud availability processes, “good enough” solutions are inadequate. Disaster recovery is an essential part of cloud business continuity commitments and as such demands detailed documentation from cloud service providers on not only the task of planning and executing against disruptive events, but also the contractual commitment in case of default.
Evaluative question: What are the capacity planning and disaster recovery commitments of your cloud provider, and what financial penalties will the provider incur for noncompliance?
HOW IS SYSTEM INTEGRATION ENABLED?
One good sign of cloud computing’s favorable long term prospects is the fact that outsourced service providers have made possible the integration of computing infrastructure, platforms, and software applications. Given the long-standing system integration problems of IT, cloud computing is offering a new plateau of API enablement. Such APIs originate within a new mashup universe that enables data and functionality to come from more than one source. Advances within open sourced software have set a stage of great expectations regarding the feasibility of achieving these benefits. The integration of tools and processes for ITIL, service management functions, agile computing, andlean/green initiatives is an indication that we’ve entered a new world.
Evaluative question: What is your cloud provider’s implementation of APIs that enable mashup? IaaS, PaaS, or SaaS initiatives without strategic intent and execution toward mashup are hollow shells.
WHAT IS INTEGRATED WITHIN SERVICES MANAGEMENT?
The use of the Service Management Lifecycle as defined by ITIL4 within the last 10-12 years has significantly improved the process integration of IT services management (ITSM). Enormous strides in maturing the management of technology have resulted when IT organizations implement these best practices and guidelines. Vendors are promoting the integration benefits of their ITSM tools for sharing data and tasks associated with problem resolution, change tracking, asset discovery, configuration management, incident reporting, and SLAs, to name only a few ITSM disciplines. IT services management has been aligned with business objectives in the emerging discipline of business-oriented service management (BSM).5 The good news is that cloud service providers are identifying the critical importance of integrating ITSM within their cloud services. The bad news is the inconsistency with which ITSM processes, tools, and concepts are being included in cloud offerings.
Evaluative question: Does your cloud services provider or cloud technology vendor address ITSM in a manner consistent with your existing or intended usage?
HOW IS REGULATORY COMPLIANCE ACCOMMODATED?
If there is one IT management and security discipline currently acknowledged as being problematic, it has to be regulatory compliance. It is nigh impossible to adhere to all the emerging legal and financial requirements, so selective compliance policies are prioritized and implemented with the goal of reducing business risk and vulnerability. While it is easy to justify rapid provisioning and on-demand applications from an economic perspective, outsourcing “at-risk” elements of a computing infrastructure to cloud service providers could significantly jeopardize the financial integrity of that business decision. Even worse, the enterprise’s business and legal vulnerability is greatly increased when there is insufficient evidence of an attempt by the IT (or cloud) service provider to ensure regulatory compliance.
HOW IS SECURITY MANAGEMENT IMPLEMENTED?
While the compliance discussion is heavily weighted toward processes and policies, the tools that address security threats, risk assessment, perimeter protection, and reliability requirements are among the critical success factors for security management. But how much protection is actually provided by antivirus software, firewalls, vulnerability scanners, and the like? Do they warrant IT organizations’ feelings of complacency with regard to cloud providers?6 How will a company’s board of directors or senior executives react when WikiLeaks turns from exposing inappropriate manipulation of government events to exposing demonstrations of corporate greed and corruption?7 How will carefully managed perceptions of corporate valuations be damaged when confidential sales, marketing, development, or distribution issues are posted on external websites for all to see?
Evaluative question: Are your cloud security and risk management tools sufficient to protect computing infrastructure and corporate data from malicious intent? What kind of financial liability protection is provided by your third-party (cloud) service providers?
HOW ARE ENDPOINTS CONTROLLED?
The ability to grasp what endpoints are within your computing environment is a huge issue in moving to the cloud. It is not just that new endpoint technologies are forcing the network perimeter to become more porous by the week. It is also the fragile nature of the Windows operating system upon which so much of our computing infrastructure (and business objectives) depends. How can you talk about provisioning and managing a dynamic, heterogeneous cloud infrastructure when you can’t see 20% of your Microsoft endpoints? Increasing use of agentless technologies is now demonstrating that Windows reliance on agent software to discover, track, configure, update, patch, secure, and monitor software is highly suspect in delivering compliance to corporate IT policies.8 A large percentage of agents are simply not visible due to failed updates, missing agent software, and sometimes intentional rogue devices.
Evaluative question: Do your cloud services insufficiently address the fragile nature of Windows endpoints through sole reliance on agent architectures?
HOW ARE VISIBILITY AND REPORTING DELIVERED?
Another positive outcome from cloud initiatives is the potential focus on translating IT data into business information. For some time, business users and IT developers have had a genuine conflict regarding visibility to the business content essential to decision makers. Too frequently, the vendor’s development organization or the IT application development group does not find “reporting” technologically interesting enough to warrant adequate attention. Advances in the art of creating dashboards and business intelligence have helped to recapture the development community’s interest in translating IT data into business information, yet developers often make this harder than it has to be. I’ve often witnessed negotiation sessions between user and developer that end in the IT contributor’s exclaiming in relief, “Is that all you want reported?” as the reality of what the business customer really requires from the IT system sinks in.
Evaluative question: How rich are your cloud provider’s reports, dashboards, and BI capabilities in meeting fundamental business expectations? And how responsive are developers within your cloud service provider to modifying reports and output according to your end user requirements?
IT OPERATIONS RETAINS RESPONSIBILITY
No single cloud service or technology provider is going to have all the answers. That is what makes the cloud discussion so interesting. Most current cloud initiatives are driven by business demands for more rapid provisioning of infrastructure and applications at lower cost, reflecting dissatisfaction with IT’s ability to deliver technology in a format acceptable to business decision makers. Unfortunately the cloud trend also reflects some lack of understanding by business users regarding the critical role IT operations plays in delivering and managing technology for the enterprise. We can’t really expect the business to suddenly grasp the issues and trade-offs that are the hallmark of IT operations. However, the requirement for IT operations to effectively manage the infrastructure, platform, and application cloud initiatives that are popping up within the computing environment is a very real expectation …and one that cannot be outsourced completely.
1Beil, Joshua, Bob Egan, Mark Fidelman, Jeffrey Kaplan, Karl Scott, and Joe Tierney. “2011 Trends Report: Cloud Computing.” Focus Research, 30 December 2010.
Copyright © 2009-2012 BSMReview.com or individual contributors.