In a previous article, Cloud Strategy and Roadmap: the Path to Agile Business, I outlined the first four steps required to successfully transition to the cloud:
- Adopt a progressive mindset
- Watch, learn, and experiment
- Demonstrate quick wins
- Develop a business case
Typically, the more detailed activities of the next four steps provide additional information that helps companies fine-tune and refine the results of previous steps. In this sense, this is an iterative and cyclical process that companies can apply throughout the IT life cycle.
Step 5: Understand the risks
As with any new technology that offers credible business value, there are risk factors to consider. Risks around security, privacy, and governance are major concerns for nearly every company. Sand Hill’s “Leaders in the Cloud” 2010 research study found a broad range of attitudes about security, privacy, and governance. Security concerns vary greatly by company, depending on the following factors:
- Business goals and rewards
- Perceived or real risks
- Level of risk tolerance
- Value and sensitivity of information assets and data
- Regulatory concerns
Sand Hill’s survey of IT executives found large enterprises were more concerned about data privacy, security, and governance issues than smaller companies (see the chart below). Most of the small and midsize enterprise (SME) IT leaders were emphatic that a cloud vendor’s security processes must be superior to any that their own company could provide. The reason: small companies’ cost structures are such that they cannot afford to build secure infrastructures that match those of large enterprises or the leading cloud vendors.
Many surveyed business executives from SMEs were pleased with the security of their cloud vendors, as in the following statement from an SME manufacturing company executive:
“We have been using SaaS applications for more than nine years, and we haven’t had a security breach so far. At the end of the day, we are very vigilant about security, including strong passwords and frequent password updates; and we audit usage patterns of our users to monitor for any untoward behavior.” – CEO, manufacturing company
However, vendors could fail, as was the case with Amazon’s high-profile failure in April 2011, which resulted from a configuration error. What would happen to a customer’s data in that case? Would the provider return the data, or would it be lost forever? The good news is that companies that properly understood their cloud vendor’s offering made sure they included data backups and redundancies in their applications. They also conducted due diligence to ensure they properly understood the vendor’s offerings, service level agreements (SLAs), and architecture. Such companies remained unscathed and ran their operations without any interruption during the Amazon outage.
Many vendors are getting certified to security standards such as SAS 70. Even if a vendor is certified, the most important question to ask is: does the certification meet your specific security requirements? As one surveyed executive stated:
“You should really ask for a security review, especially if you are a big company dealing with a smaller company and the risk to you is greater than the risk to them in case of a security breach. On the other hand, if you are a small or medium-sized business, your risk is much lower if you are dealing with a well-established large cloud vendor such as SAP, Salesforce, Amazon, or Microsoft, that is betting their business on their cloud services.” – Principal consultant, leading security firm
Step 6: Analyze your existing IT portfolio
Another important step in the roadmap of getting to the cloud is performing an inventory of the company’s current IT systems and developing a logical model of the existing architecture including all relevant systems, data, applications, processes, functional components, and services. As part of this exercise, companies should ask the following questions and analyze the systems from the following perspectives:
- What is working and what is not?
- What is core to the business and what is not?
- What is driving innovation and what is preventing progress?
- Where are the cost inefficiencies?
- What is driving business value and what is not?
- How are the systems coupled and interoperating with each other?
This analysis not only provides a snapshot of the company’s current state of IT but also delivers crucial information to help fine-tune its business case based on the new architecture. Without doubt, the cloud deployment options in the architecture will drive down cost inefficiencies and improve agility and scalability, among other benefits. Analyzing an existing IT portfolio in this manner typically takes no longer than four to six weeks in a midsized company.
Step 7: Create a vision of the end-state
Once the company has a clear understanding of the current state of its IT portfolio, the pain points, and the cost inefficiencies, it can then begin to map out the vision of moving purposely to the end-state. That end-state will include a description of which architectural components, data, applications, systems, services, and processes will move to the cloud in what order, and how much decoupling will be required to isolate the components. In designing the end-state vision, the company needs to design a reference platform that leverages cloud technologies for highly scalable automation, low-cost hardware, middleware, and application servers to connect new and existing applications.
Such an analysis will consider not just the technology but also the people, process, and cost aspects, including the most important areas such as budgeting, TCO, service level agreements, governance, and compliance. The Sand Hill study found that, even if the cost of moving to the end-state from the current state is $5 million (for example), most small to midsize companies will move ahead with the initiative if the end-state generates cost savings of more than, say, $10 million per year.
Step 8: Develop and execute the roadmap
After creating a vision of the end-state, companies then need to determine which applications and data to move when, and where, before detailing the specifics around how to move them. It is not necessary or practical to move everything all at once. Create a roadmap for a long-term perspective (say, three years) and map out how the architectural components will move over in a staged manner to a much more effective, efficient architecture. This roadmap exercise should not take more than a month to map out in a small or midsized company; this includes a cost and benefit analysis for each stage of the roadmap.
Typically, companies focus on the low-hanging fruit with the most business value and place them on the roadmap first. For example, companies initially select a relatively less-critical application that is currently not running cost-efficiently in house. Moving it to an external cloud quickly will create significant business value. As a next step, they then select the less valuable and more risky systems that are still worth moving, and place them at the back end of the roadmap.
Another consideration is to review the project portfolio and identify new and innovative revenue-generating projects that will benefit from a faster time-to-market advantage using cloud technologies.
For each of the identified applications, companies need to evaluate each vendor’s capabilities and the associated security, data privacy, and governance risks, and compare the offerings of different cloud providers. They also need to ensure that each offering meets the security, scalability, reliability, and privacy needs of the enterprise and meets established security and compliance standards (SAS 70, FISMA, ISO/IEC 27001, PCI, and HIPAA). This evaluation includes:
- Review the vendor’s SLA provisions based on the company’s specific business risks, risks that typically may not be covered in standard SLAs.
- Identify changes required in the vendor’s data compliance and security procedures (if any) to adapt to the company’s risk, compliance, and business metrics.
- Identify interoperability, lock-in, and compatibility issues and determine workarounds as applicable.
- Carry out a hands-on product and technology validation and evaluation against the above criteria.
- Assess the vendor’s financial stability and longevity.
- Evaluate the vendor’s commitment to innovating with its customers.
- Obtain examples of customers’ successes.
A company’s decision today to invest in the cloud—or not—will clearly have a critical impact on the business for many years to come. Based on the emerging, opportunity-rich trends of cloud computing and the strategies for exploiting such disruptive innovations, companies can fully realize the growth potential that awaits them. Taking a long-term view is the ticket to ride this next massive economic and technological wave to ongoing growth and success.
Kamesh Pemmaraju heads cloud computing research for Sand Hill Group. Follow him on Twitter @kpemmaraju.