Cloud Freedom or Cloud Control? Why Not Both?
Let’s face it. As users, we all love the cloud model. Cloud enables us with self-service freedom, on-demand resources and pay-as-you go flexibility. In a matter of minutes we can get access to cloud resources without too many constraints. That freedom leaves users wanting more. The proof of this adoption is evident in both market growth estimates (Gartner[i] predicts cloud services to grow 49% annually until 2014) and overall usage growth. At Skytap we have seen our usage grow by 400% from last year[ii].
Business and IT leaders, however, are worried about data security and governance issues. They want to ensure the transformative value of the cloud model does not come at the cost of having no visibility and control. This concern is the primary barrier to cloud adoption in user surveys.
The natural question is, can a cloud solution provide both security and freedom? Can users be empowered with self-service access while the business maintains full visibility and control? What is required to make that happen successfully? Customers who are using the cloud successfully to transform their business typically organize their solution requirements under three Ps:
- Platform Technology
Let’s discuss individual solution requirements that make up the three Ps.
People – First and foremost, before you engage a cloud provider with your business applications and data, you have to be able to identify the right people with specific roles in your organization. Here are some questions to explore:
- What business problem is the user trying to solve?
- Does the problem require highly dynamic IT resources?
- Is this a cloud proven use case such as development, test, migration, training or POC type environments?
- Does the user have the functional skills to manage cloud resources on their own?
- Are they moving an existing application or creating a new application?
- If an existing application is being moved to the cloud, will the cloud require custom code? For example, a solution such as Skytap may be able to run your existing applications without modifications, while infrastructure services such as Amazon Web services may require you to fit a particular format. Knowing the difference will help you be clear about whether the user has the skills to leverage the cloud they are after.
- How will the data movement be handled? Will it be as easy to move out, as it is to move in?
By being clear about these questions upfront you can identify whom the primary cloud owner in your company is going to be. Successful cloud customers assign a primary cloud owner that has the day-to-day business and IT management responsibilities and individual users with specific roles. For example:
- In a development and test project, the dev manager may be defined as the primary cloud owner with lead engineers and testers defined as project users.
- In a virtual training project, trainers may be defined as cloud users and students may be provided only anonymous access to cloud resources.
- In an app migration project, the IT administrator will likely be the cloud owner with individual developers and business analysts playing a restricted functional role.
By being clear about the problem, the team, the cloud owner, the user roles and responsibilities, you can govern the security and compliance aspects of the cloud per your individual corporate policies.
Process – The next step is to be clear about the process of moving to the cloud and managing the cloud on an on-going basis. Defining an upfront process that is simple, easy and automated is necessary for consistent and successful cloud adoption.
If you are using a cloud-based application such as Salesforce.com, you have to be clear about the sales process it automates and define the rules of engagement. If you are using cloud resources to automate your development, test, and training processes, you must be clear about process your users will adopt.
Here are some best practice process tips:
- Create application and system templates that are policy compliant from a security, licensing and data perspective
- Organize different use cases by project
- Create users with project specific roles and provide project specific templates
- Provide user specific quota limits to align cloud usage with business needs
Once you define the process, it is easier to empower your teams with a self-service cloud solution.
Platform technology – The cloud solution you choose determines how well you can instrument your process and more importantly, how well your people can adhere to them. While cloud computing is about delivering self-service, scalability, and cost efficiencies, it is also about enabling your business and security processes.
Here are some important technology factors to consider.
Self-service solution – Does the solution you are considering implement the applications and business processes you already have? Can you manage your user groups as a team? Will your users require substantial training and enablement?
Visibility and control – Can the cloud solution deliver detailed visibility reports at the user level as well as at the project level? Does it give you granular control over user access by role and by project? Will you be able to avoid uncontrolled usage with pro-active monitoring?
Scalable and reliable architecture – Can the solution provider articulate how they can provide on-demand resources you need? How do they operate on a reliable basis? Do they allow you to snapshot and save an entire virtual data center as a template?
Security – It is important to cover with the provider how they will enable you to manage your application and data security. The security topic can cover many aspects including:
- Application and data transportability – How open and flexible is the cloud solution provider? Do they allow you to move in and move out easily?
- Data center security – Do they operate out of SAS 70 Type II data centers? Are their personnel well trained?
- Resource security – How are the physical machines and storage controlled and how is access to the machines managed?
- Virtualization security – Do they use virtualization? If so, how are the compute nodes, network and storage nodes integrated and secured?
- Granular access controls – Does the cloud solution enable you to define multiple groups, individual roles, granular role based access control for projects, proper password policies and data encryption (in transit and at rest)?
Cost efficiencies – How is the cloud architected to scale so that you get the benefits of volume discounts as well as a pay-as-you go model? Will you be required to pay upfront capital expenses? When you exceed your subscription level how are overages handled?
Up to this point, individual developers taking matters into their own hands have driven most of the cloud adoption. As businesses focus on getting visibility and control, factors identified through the people-process-technology framework can play a crucial role in how you will adopt the cloud model for your business. Of course, only a hands-on trial can help you decide that for yourself. Armed with this knowledge you can actively engage your business users, partner with them to define the right roles, process and select the right cloud solution that will transform your business.
[i] Cloud Infrastructure as a Service – Lydia Leong, Sep 2010