In Part 1 of this series we discussed the ideal rhythm for exploring cloud computing responsibly and the critical role a cloud computing assessment plays. An assessment allows you to get specific about what the cloud can mean to your company. Here in Part 2 we will consider assessment activities for envisioning, in which you take a look at where the cloud could take you.
Envisioning: Finding the Cloud’s Synergies with your Business
Cloud computing has so many value propositions that it’s almost problematic! When you hear general cloud messaging you’re exposed to many potential benefits that include cost reduction, faster time to market, and simplified IT among others. Different organizations care about different parts of the value proposition. In an assessment, we want to find out which benefits have strong synergy with your company—and focus on them.
A good exercise to evaluate where the value proposition resonates is to gather business and technical decision makers, provide some education on benefits, and have a discussion to see where there is interest. Your people may be enthusiastic about some of these benefits but neutral or even negative about others. Here are some of the benefits to consider:
It can be useful to have separate envisioning meetings with business and technical people; you’ll likely find different audiences have different interests and concerns. For example, a CIO could be gung-ho about the cloud while the IT department below them is apprehensive about the cloud.
Risks & Concerns
A benefits discussion must be complemented with a risk discussion. Anything new like cloud computing will naturally lead to concerns, real or imaged. Each concern needs to be mitigated to the stakeholders’ satisfaction. Examples of concerns frequently raised are security, performance, availability, disaster recovery, vendor lock-in, in-house capability, and runaway billing concerns.
Security comes up in nearly all cloud discussions. Sometimes there will be a specific risk in mind but often the concern is just a general expression of “I’m concerned about security in the cloud”. The best way to feel good about security in the cloud is first to understand how good security in the cloud is: cloud providers invest a massive amount in security. Next, start getting specific about areas of concern: only then can remedies be designed.
For specific security concerns, the consulting firm performing your assessment should have a knowledge base of commonly-raised concerns—such as data falling into the wrong hands—and standard mitigations for them. In addition, there should be a defined approach for threat modeling risks and planning defenses.
Security in the cloud is best viewed as a partnership between you and the cloud provider. There are certain things the cloud environment will do to protect you, and there are complementary things you can do yourself. An example of something you can do is encrypting all of the data you transmit and store. An assessment should capture your concerns and record the plan for dealing with them.
Performance & Availability
Since the cloud is a different environment from your enterprise, you can’t assume the dynamics are the same. You may find performance to be stellar, about the same, or disappointing depending on what you’re used to. An assessment should consider the performance requirements of applications and plan to validate them in a proof-of-concept.
Availability is more straightforward to predict because there is a published SLA, but the Internet path between the cloud computing data center and your users is outside the cloud provider’s control. If your users are in an area with poor or unreliable Internet service, availability expectations should be revised accordingly.
Some organizations have a fear of vendor lock-in: if you move something to the cloud, are you stuck there? There’s an interesting discussion to be had here. On the one hand, it’s perfectly possible to write applications that can run on-premise or in the cloud, preserving your ability to move back and forth. On the other hand, if you take advantage of new, only-in-the-cloud features such as Windows Azure AppFabric, you’ll lose some portability (but it may be worth doing so for the benefits). An assessment is an occasion to weigh these tensions and pick a lane.
Cloud providers have many mechanisms to protect your data, such as redundancy, but much of this is automatic and neither visible nor controllable by you. You may require a level above this where you can for example make time-stamped snapshots of your data and be able to restore them on demand. An assessment should map out your DR requirements, including RTO & RPO, and determine how you and the cloud platform will collaborate to meet them.
In-house Capability & Process
If you are going to adopt cloud computing your developers and IT department will need the appropriate skills. An assessment should include an analysis of where people skills are today and where they need to be for cloud computing adoption. It’s not only skills that need updating but process as well: the cloud will surely impact your development and deployment processes. Your cloud computing plans should budget for this training and process refinement.
Some find the “just like electricity” metering aspect of the cloud unnerving: what if your billing runs out of control? An assessment should identify procedures for measuring billing and monitoring applications proactively, identifying disturbing trends early so they can be investigated before large charges accrue. In the case of Windows Azure, for example, billing can be inspected daily and it’s not necessary to wait till the end of the month to learn how charges are trending.
By and large, trust is at the root of most cloud computing concerns. Trust is something that needs to be earned, and in cloud computing it can and should be earned in degrees. If you’ve had a good experience with a proof-of-concept in the cloud, that will bolster your confidence to put something in production in the cloud. Your assessment should produce a roadmap that promotes measured, increasing use of the cloud with validation that expectations were met at every step.
Since the purpose of a cloud computing assessment is to find the fit for your organization, it’s very important to understand what is already going on in the company. Any cloud computing plans should align with this backdrop.
Your company’s business plan likely has significant events on the calendar, for example launch of a new product line or service. Annual planning and budgeting are another example. The flow of business initiatives may suggest that certain cloud opportunities make sense sooner or later on the timeline.
Your IT department is also likely to have events on the calendar that should be taken into consideration. Is a server refresh cycle scheduled? Consider that using the cloud might allow you to avoid or reduce buying that hardware. Are there plans to overhaul the data center? A cloud strategy might allow you to drastically alter the size and cost of your data center, using the cloud for overflow at peak times.
Envisioning Provides Business Context
Much of a cloud computing assessment will involve identifying and analyzing specific opportunities (applications), but this initial envisioning activity is important. It gives you the business context for your technical decisions. In envisioning you capture both the areas of traction and disconnect between cloud computing and your organization. This information will help you in forming your cloud computing strategy and it will color the suitability scoring of potential cloud opportunities. Timing of cloud initiatives should take business and IT initiatives into account.
In subsequent installments we’ll look at more activities that are performed in a cloud computing assessment. If you’d like to see how we do it at Neudesic, visit http://cloud-assessment.com/.