, , ,

Since you put it that way… Making sense of making a decision about the cloud.

In my opinion, the cloud provides the most cost effective, innovative, efficient, reliable and secure method of providing specific core IT services to business and organizations. Most people out there, or at least those people in IT, already know about the cloud, and most of us have our own thoughts and perceptions about what it is and whether it is relevant to us, however I think most IT decision makers are still “on the fence” or still don’t know if the cloud is the right move for their organization. Considering moving to the cloud is something that makes a lot of IT managers and decisions makers a little apprehensive. In a lot of cases the result of this apprehension is what some call “analysis paralysis”. In some cases this is financial analysis. We know how much cloud services costs, but it is often difficult for us to determine what it is actually costing us to provide that service today. In my experience, this is one of the easiest to address as it is rational to understand that standardized cloud services can be provided much cheaper than in house solutions due to economies of scale. One of the analyses that often goes unmentioned or undefined is the benefits analysis. IT decision makers, especially those that are technical, are quick to point out what they will be giving up if a service or solution is moved to the cloud, and what some organizations are giving up is some level of control.

In any cloud based solution, especially those that are standardized offerings which provide the greatest levels of cost savings, you will be giving up a little to hopefully get much more. When moving any solution or service to the cloud, you will be essentially putting a good deal of trust in your cloud vendor (which is why choosing the right one is important).( Note: It is also important to insure that this isn’t blind trust, which is to say make sure that there is a way to “cut ties” with the vendor or the solution and bring it back in house if desired in the future, and insure this is something that would not be cost prohibitive or disruptive to your end users.) In most cases, the benefits are reduction in costs and management overhead, providing increased levels of reliability and high availability, and providing anywhere access to services. On the other side of the coin, most of the perceived disadvantages are based on giving up control. This could be related to security, supportability, or in most cases flexibility. I would argue that supportability and security are actually better in the cloud, but flexibility; this is something that is possible in the cloud but right now that comes at a price, and for some vendors that price is higher than others, and for some there is little to no flexibility at all. The flexibility discussion is one to be had, however, first it needs to be accepted and understood that the cloud, or the potential for the cloud within your organization, is a valuable to asset to the business of your organization. So how do we get there? I wanted to share an analogy I use when considering the cloud, especially when talking to those that are apprehensive, and that’s making an analogy to how we travel. I’ll use my own travel planning as an example.

Comparing the Cloud to How we Travel

I currently live in Los Angeles, and I am originally from Boston. I need to get to Boston to visit and spend the holidays with my family. This is important to understand! The goal of my trip is NOT to get to Boston and back, the goal of my trip is to spend time with my family. It is very important to understand this when evaluating my options and this also applies to how we consider IT solutions and the cloud. Take email for example, the goal of IT is not to provide email, the goal is to provide a method for communicating with my co-workers, partners, and customers or citizens so that I can improve and/or streamline the way I do business. It’s important that the goal is clear, because often times we look at providing a good IT service as our goal, when our goal is to provide a service that benefits the business, not just the best of breed IT solution.

When planning to make a trip across the country I have many options. For the intentions of this analogy I will analyze 3 options. The first option is to drive across country and back, the second option is to charter a private plane, and the third option is to fly commercial.

Option 1: Doing it the old fashioned way

If I drive I won’t have to make any significant upfront purchases (capital expenses) as I already own a car. The benefits of driving across country (aside from sightseeing) are that I have a great deal of flexibility and control over my trip. I can leave whenever it is convenient for me, I can take my preferred route, and my safety and security is (for the most part) in my own hands. The disadvantages would be cost and inefficiency. I will have to pay all of my expenses such as fuel, food, hotel, and car maintenance after driving almost 7,000 miles (operational expenses). In addition, this would take significantly longer than my other options. This option is appealing to me as the driver (because I am effectively “in the driver’s seat”), but does not lend itself to accomplishing the goal of spending the most time with my family. I am effectively taking away resources (in the form of time I spend with my family), so that I have more control.

This option is similar to most current IT environments in small, medium and some large organizations. These organizations have built a data center, or multiple data centers that house and run all equipment (electrical, heating, cooling, networking, servers) and software (operating systems, applications, line of business solutions, etc.). The goal of this entire infrastructure is ultimately to provide a solution that is part of my day to day business. All of this infrastructure is there to support this goal, and is part of the operational expense required for me to provide this solution. As an IT administrator, I am “in the driver’s seat”, but this is at the significant expense incurred to install and maintain all of the supporting infrastructure. In this scenario I am taking resources (most of which can be associated directly with cost) away from organization and allotting a large amount of time and money to simply support this infrastructure. So if my goal as an organization to provide better services to citizens (in the case of government), I am not utilizing my resources effectively as I am allotting a large amount of resources to maintaining my IT infrastructure.

Option 2: First class is second class… I fly private.

My second option (kind of) is to charter a plane (or even buy one if I travel enough, maybe this seems far-fetched for an individual but not when you think in terms of an organization). The advantages of this option are that I get a lot of flexibility as I can decide the exact time of my departure, I exercise some control over security as I can screen and select my own crew and equipment, and time it takes to travel will be minimal. The disadvantages are cost, maintenance and reliability. Obviously, chartering or owning a plane will be expensive so I don’t have to expand on these details. In addition, if I or my organization was to buy a plane there would be a significant amount of cost associated with maintenance. If I owned the plane then I would also be constrained by the model of equipment I am using. For example, if a newer, faster, or more fuel efficient aircraft was available, there would be a significant investment necessary for me to upgrade my equipment. Finally there is the matter of reliability. If my plane or equipment breaks, I cannot travel so there is less reliability (or high availability) in this model. I could buy multiple planes to alleviate this constraint; however this would also significantly impact my cost. So this option will certainly be an effective way of spending the most amount of time with my family, while still providing some level of “control”, but this will come at a significant, and most likely prohibitive, cost.

This example aligns with most medium to large organizations. These organizations have large, enterprise scale, data centers and IT infrastructures. These infrastructures are maintained by hundreds of IT staff and 3rd party contractors. The goal remains the same, which is to provide a “world class” solution that is part of day to day business, but the cost is exponentially greater due to the scale and requirements of larger organizations. These types of organizations support large, diverse communities of users that require that these services be highly available and reliable. This often requires significant investments be made in redundant infrastructure and often redundant data centers. Also, this organization is constrained by the complexity and cost associated with upgrading and maintaining these systems. In order to implement a newer version of software or service it will often require a long, expensive process that will most often have them running at least one version behind the current version causing them to lose money and/or market share to competition. Again, all of this cost is going towards maintaining IT, and not toward supporting or improving the business of my organization.

Option 3: I’ll be home for Christmas… and can afford to buy Mom a gift.

Finally there is the option to fly on a commercial airline. The benefits of flying commercial are cost, efficiency and reliability. This will be the most cost effective because I will only be paying the airline for my ticket (and a bunch of additional fees in this day in age). It will be much cheaper than driving and definitely much cheaper than chartering or purchasing my own plane. The trip will also be efficient, in that it will take less time for me to get to my destination and also I will not have to spend additional time and money on maintaining my car or aircraft and preparing it for travel each time. Finally, this is my most reliable option because the airline is responsible for insuring that I will get to my destination. If my flight is not available I will have the option to choose a different flight, or travel from a different airport. In most cases, the airline is responsible for incurring any additional costs to provide this reliability. The biggest disadvantage to this option is flexibility. Once I am booked on a flight, I have no input regarding how this service is delivered. I have some options like where my seat is located or what types of services (meals, entertainment, etc.) are available to me onboard. I do not have input into exactly how the service is provided, such as who my pilot is, what type of plane we are flying on, when the flight departs or any of the other operational and maintenance tasks that are part of providing this service. I do have the option to choose which airline to fly however, so based on research, credibility, and past experience, I am able to choose the airline that I feel is the most affordable, safest, reliable and comfortable airline (or that meets my specific requirements). I will lose some levels of control, but not all, certainly not enough to impact my overall goal, which is to get home and spend time with my family.

This option is similar to utilizing a cloud based service. In this instance, let’s take email as an example. If I am a business or a government organization, my goals and business objectives do not include providing and maintaining email. My goals and business objectives due include providing a product or service to my customers in the most profitable, or cost efficient manner possible. Email is certainly a method for doing this as it provides me with a way to effectively communicate and collaborate with my co-workers, partners, and customers (or citizens) and I recognize it is an essential tool to my organization. I could provide this tool to individuals by building or continuing to support all of the infrastructure necessary to provide this service. This often means that I will be incurring all of the costs identified in the previous examples if I decide to maintain all aspects of this solution in my own data centers. As an alternative I could provide an even more feature rich, reliable and secure email environment and do so at a fraction of the cost using a cloud based service. By utilizing a cloud based service you can provide the same, if not better levels of experience for your end users (depending on your existing email system, and your choice of vendor). For example, if you’re using Microsoft Exchange and Outlook today, you can do the same in the cloud.

The vendor will also be responsible for incurring all of the infrastructure, maintenance and high availability costs. In most cases reliability will be far better than current on-premises solutions and you will also have service availability across multiple geographically dispersed locations without incurring the cost of maintaining them. Overall, you will be able to provide better levels of service to your staff, at only a fraction of what you are currently spending, making it hard to argue that the cloud is the best option for providing this type of service. There is of course the concern about control. There will be some “control lost” using a cloud solution and this may be more true depending on the vendor and terms of service provided for the solution. As an example, most administrators will argue that they have less control because they are less able to do comprehensive troubleshooting to support the specific service today. In reality, however, most cloud based services offer (and the best ones guarantee) certain levels of service, some of which exceed 99% availability. If the service is in fact more reliable than the service you are providing today, than perhaps that level of control is outweighed by the overall reliability of the solution (if the service is always available, there will be less to troubleshoot). This is one example of weighing the overall benefits against the perceived loss of control.

In these examples, the first two options (driving and private air travel) are similar to on premises IT solutions. These are methods of travel that will certainly work, but they are not necessarily the best options for me or my business. The third option, which is to fly on a commercial airline is an example of standardized, cloud based service. While I am giving up some perceived levels of control and flexibility, the overall value and the quality of service that I am getting make it the most reasonable alternative.

Saftey (Security) is my top priority… until it’s not my only priority

Finally, one aspect that I’ve yet to discuss is security, and this is one of the most common concerns when moving to the cloud. This is also an area of the cloud where we can use the travel analogy to recognize the benefits of utilizing the cloud versus on premises solutions. In my first example (driving my own car), I am literally “in the drivers seat”. This not only means that I am able to tailor my trip (or solution) so that it meets my needs or requirements, but the responsibility of safety and security also fall solely on my lap. I have to insure that my car is running well and safe to drive, I have to insure that all of the routes are through safe areas, and I have to insure that I am driving at safe speeds, obeying traffic laws and wearing my seat belt. Now on paper at the start of my trip I put together a plan that includes having my car tuned up before I leave, always driving the speed limit, sticking to my planned route, and always wearing my seat belt. Now, this is a very sound plan and seems like it is pretty safe and secure, but already I have made a few concessions with regards to my safety and probably don’t even realize it. For example, my car does not have the highest safety rating available, or may not even be considered in the top tier for the safest cars available. So if safety (or security) is my top concern I could go out and buy a safer car, but that just isn’t financially viable so I accept this risk and move on. This is very common in most on premises data center environment today. When looking at the types of security of solutions available on the market today, most of us don’t have the money to buy all of the “best of breed” solutions available today, but instead we balance the cost of security with the levels of security we require. There are other examples of where I may have “cut corners” with regards to safety or security. Another example would be the types of diagnostics and testing I run prior to beginning my trip. I certainly won’t go out and have my car’s safety rating “re-certified”, and the “tune up” I have done on my car was done either by myself, by my chosen mechanic, or by me personally, none of which probably follow any documented standards for safety or service. To draw a parallel to the cloud, when I utilize a cloud service, I am hopefully choosing a vendor that has obtained 3rd party security certifications, exercises absolute change control, utilizes best of breed security solutions, and constantly monitors and audits their environment. I’m sure you can continue to identify some concessions that are made with regards to safety in this scenario so I won’t continue to list them.

So I’ve made a few concessions already with regards to safety but these concessions are risks that I accept before beginning the journey. Once my trip begins I am even more likely to compromise safety and security. Let’s say for instance I hit some traffic or get a late start one day and need to make up some time. I will probably elect to drive a little bit faster than the posted speed limits or even divert from my planned route to try and makeup time. Maybe I decide to drive through some bad weather like snow or thunderstorms so that I don’t lose any more time. At the beginning of my trip I had the best intentions to keep safety as my top priority, but as I started to put my plan into practice safety or security, took a back seat and I decided to make some additional concessions. This is similar to what happens in the real world today. Many organizations are faced with deadlines, outages, or changing priorities which cause them to deviate from their original plans or prompts them to circumvent the necessary change control process. Those of us with IT experience have all been in situations where if something doesn’t work, we say “let’s take away the firewall or elevate permissions and see if that works”, with the “intention” of using it as only a troubleshooting step, but sometimes, we eventually accept this as a solution. In cloud models, vendors have a responsibility to their customers to provide the highest levels of security and reliability. These vendors develop and strictly adhere to well defined processes to insure they are able to deliver on these guarantees.
There are many more examples of the hazards of self-imposed security. Most of the examples, outlined for the previous scenario, also apply to the second travel scenario as well (private air travel). When we fly on a private plane, we are in fact getting more sophisticated security as well, such as those travel restrictions placed on us by the FAA, but we also have the opportunity to circumvent some of this security. For example, when you fly a private plane, your luggage may not be screened nor will any items brought on board by other passengers or the plane’s crew. In addition, we have the ability to pick and choose what security and safety measures are followed both before and during the flight. This may mean skipping a few safety checks to expedite departure time, or even risking flying through less than optimal weather conditions to alleviate costs that will be associated with delaying or cancelling the flight. Even in the most sophisticated private data centers and technology environments, there are some security measures that are breached or not implemented due to cost or priority. For example, if making a critical deadline means circumventing some change control, or providing elevated access to a contractor, we are more likely to take these risks when put under the pressure of our day to day jobs. In a cloud environment, vendors are incented to make security a priority, and should have well documented and enforced change control and security measures in place. There is a significant cost and level of effort required to maintain these protocols and processes, but this cost is incurred by the cloud vendor and it is in their best interest to continue to insure that these processes are enforced and adhered to.

Finally we have our third option and that’s commercial air travel or the cloud. We’ve all heard the cliché about air travel being safer than driving, but the fact of the matter is the percentages of fatality and injury rates related to automobiles are drastically greater than the relative percentages of air travel injuries and fatalities. When flying commercial I think we can all agree that we are subject to much more sophisticated and thorough (sometimes very thorough) security protocols and procedures. Every passenger and all baggage (both passenger and crew) are thoroughly screened before being placed on the aircraft. All equipment is maintained and checked periodically and required to be certified prior to departure. All processes for providing and guaranteeing security and safety are well defined and enforced. These processes and procedures are in place not just because of the moral obligation to protect the lives and safety of passengers, but also because it is ultimately in the best interest of the airline, or the entity providing the service. Not only do 3rd party agencies like the FAA and TSA enforce these security standards, but the airline itself has a lot to lose if there is a catastrophe, or a public disclosure relating to compromised security. This also holds true with regards to cloud service vendors. It is paramount that the highest levels of safety, security and reliability be provided because even one incident could essentially jeopardize their existence. For this reason, cloud vendors undergo rigorous 3rd party testing and certification on an ongoing basis to guarantee that customer data is safe and secure in their data centers.

For sale: 2008 Gulfstream G550

As organizations consider moving to the cloud, there is an overwhelming apprehension because it is a new way of doing things and there are certainly a lot of questions that need to be answered before technical and business decisions makers can feel comfortable adopting the cloud as part of their environment, solution or service. This apprehension is natural and healthy, but ultimately business and IT leaders will realize that the cloud is an important vehicle in making IT a strategic asset to their organization as a whole. The cloud provides the most cost effective, innovative, efficient, reliable and secure infrastructure and services available today. It is important to understand that the cloud is not outsourcing of these IT of services, but instead it’s a way of providing better levels of service in a manner that allows them to focus IT on driving and enabling the business and goals of the organization, instead of getting bogged down with the business of running IT. Just as organizations today rely on services like air travel to enable their most valuable assets, their people, to perform their job effectively; the cloud gives organizations the opportunity to insure IT supports the business, without requiring the business to support IT.

Leave a Comment

One Comment

Leave a Reply

Daniel Daughtry-Weiss

For those of us who still don’t know what “the cloud” refers to, check out: http://www.wikinvest.com/concept/Cloud_Computing.

By the way, you’re not alone: “In June 2009, a study conducted by VersionOne found that 41% of senior IT professionals actually don’t know what cloud computing is and two-thirds of senior finance professionals are confused by the concept,[1]”