making the move to cloud computing - ICAEW.com [PDF]

MAKING THE MOVE TO CLOUD COMPUTING BY DR MARK I. WILLIAMS

business with CONFIDENCE

icaew.com/itfac

ICAEW’s IT Faculty provides products and services to help its members make the best possible use of IT. It represents chartered accountants’ IT-related interests and expertise, contributes to IT-related public affairs and helps those in business to keep up to date with IT issues and developments. The faculty also works to further the study of the application of IT to business and accountancy, including the development of thought leadership and research. As an independent body, the IT Faculty is able to take a truly objective view and get past the hype surrounding IT, leading and shaping debate, challenging common assumptions and clarifying agreements. For more information about the IT Faculty please visit icaew.com/itfac

Copyright © ICAEW 2012 All rights reserved. If you want to reproduce or redistribute any of the material in this publication, you should first get ICAEW’s permission in writing. ICAEW will not be liable for any reliance you place on the information in this material. You should seek independent advice. The views expressed in this publication are those of the author. ICAEW does not necessarily share their views. ICAEW will not be liable for any reliance you place on information in this publication. ISBN 978-0-85760-617-4

MAKING THE MOVE TO CLOUD COMPUTING BY DR MARK I. WILLIAMS

Contents

1 INTRODUCTION

03

1.1 Your business

03

1.2 Your data

04

1.3 Your planet

04

1.4 The cloud roadmap

04

1.5 Checklist

05

2 UNDERSTANDING THE OPTIONS

06

2.1 Service models

06

2.2 Deployment models

06

2.3 Adoption scenarios

07

2.4 Checklist

08

3

IDENTIFYING OPPORTUNITIES

09

3.1 Internal IT review

09

3.2 Internal business review

10

3.3 Legal checks

10

3.4 Opportunity selection

10

3.5 Requirements gathering

11

3.6 Checklist

11

4

CLOUDSOURCING

12

4.1 Multiple choice

12

4.2 Risk mitigation

12

4.3 Vendor selection

12

4.4 Costing clouds

14

4.5 Do it yourself – private clouds

14

4.6 Checklist

14

5

IMPLEMENTATION

16

5.1 Usability and performance

16

5.2 Deployment

17

5.3 Exit strategy

17

5.4 Monitoring

17

5.5 Checklist

17

Making the move to cloud computing

01

6

KEEPING YOUR HEAD IN THE CLOUDS

19

6.1 Summary

19

6.2 Concluding remarks

19

APPENDICES

20

APPENDIX A: GLOSSARY

20

APPENDIX B: FURTHER INFORMATION

22

ABOUT THE AUTHOR

24

02


1 INTRODUCTION

Cloud computing in its purest form is pay-as-you-go IT, online and on demand. The IT capabilities provided as a service to businesses include: single software applications or software suites; online software development platforms; and virtual computing infrastructure, ranging from data storage to computer grids. These services can be readily procured from public cloud providers or supplied within larger organisations as private clouds by internal IT departments. In the UK there is now a growing awareness of cloud computing as a set of viable IT service models, as well as an understanding of many of the benefits and risks inherent in the adoption of cloud-based services by businesses. In 2011 two independent surveys carried out by VMWare and the Cloud Industry Forum revealed that 48% of UK businesses were already using some cloud-based services, while around two-thirds of the remainder were evenly split between those considering and those definitely planning to use cloud computing in 2012. Other European countries and the US have seen even higher adoption rates. At the time of writing, however, there remains a great deal of uncertainty and confusion that prevents many businesses, particularly in the UK, from taking more than just baby steps into the world of cloud computing. This practical guide is a follow-up to the IT Faculty publication ‘Cloud computing: A guide for business managers’ published in 2010 which you are recommended to read as an introduction to the subject. This latest guide aims to build on the initial guide by helping forward-looking executives select appropriate IT problems and potential cloud computing solutions, and make the move to public, private or hybrid clouds.

1.1 YOUR BUSINESS The great promise of cloud computing for many organisations is cost reduction, coupled with increased flexibility and fewer IT maintenance headaches. In an era of austerity and global financial crises, pay-as-you-go IT, which typically requires less capital expenditure and fewer overheads, is a particularly attractive proposition for smaller businesses with limited resources and uncertain futures. Significant capital expenditure on computing hardware and software licenses involves large up-front costs and also increases an organisation’s tax burden in the short term, whereas purchases of cloud computing services are considered as operational expenditure – because the resources are rented and no assets are accumulated – so these costs can be deducted directly from profits. As for larger, established organisations, the financial benefits of public clouds may not be so clear-cut. Sharing computing resources with others on a multi-tenanted system may not be a viable option for regulatory reasons, but the cloud computing service model can be replicated internally so that disparate departments can benefit from a shared resource pool and be charged for the on-demand services they use. For organisations compiling a case for cloud computing adoption some of the most commonly cited business reasons include: • Less time spent administering non-core commodity IT systems internally. • Faster development and deployment of differentiating, customer-centric applications. • Data storage and compute resources scale seamlessly with your business. • Faster entry to new markets using cloud-based software delivery and content distribution services, and online application marketplaces. • Fewer hardware assets and software licenses to track.


03

• Instant access to the latest version of cloud-based software with no upgrade costs. • Mobile services, online collaboration and remote access supported ‘out of the box’. But every organisation is different and not every cloud has a silver lining. Surveys consistently reveal that data security and data privacy in public clouds are the primary concerns for businesses but other common concerns include: • The inherent dependency upon internet access. • Finding reliable and viable cloud providers. • The potential for vendor lock-in. • Unexpected cloud service charges and internal costs. • Contractual liability for services if service level agreements (SLAs) are missed.

1.2 YOUR DATA There may be convincing operational advantages and financial incentives for processing and storing your data in public clouds, but it is important to remember that data protection and data privacy are your organisation’s responsibility. A customer could take you to court if a security breach in your cloud provider’s systems leads to some of their sensitive data being stolen. In the UK you may also be prosecuted by the Information Commissioner’s Office using existing laws such as the Data Protection Act 1998, which allows them to take action against offending organisations if any security breaches are shown to be due to inadequate controls. In January 2012, to address directly the legal challenges presented by cloud computing, the European Commission published a proposal to reform the EU’s 1995 data protection rules and strengthen online privacy rights with a single law that will be implemented consistently across the EU over the next two years. So be careful which data is stored in a third-party provider’s data centre and if they are hosting sensitive data for you then ensure they have appropriate controls that have been tested and verified by independent third parties.

1.3 YOUR PLANET Aside from any direct benefits to your business that may come with cloud computing there may also be environmental benefits. Whether your organisation has a formal Corporate Social Responsibility (CSR) policy, or you simply prefer to choose the green option where possible, then cloud computing is worth considering. If your organisation is so large that it is subject to the UK Government’s Carbon Reduction Commitment (CRC) Energy Efficiency Scheme then there is a financial incentive for being environmentally friendly too. Firstly, on the IT front, sharing a pool of computing resources with other organisations or internal departments is generally more energy efficient overall than multiple independent systems in disparate data centres all doing similar things, especially if you can make do without a data centre of your own. Though, as mentioned in Cloud computing: A guide for business managers, this only becomes a significant issue where the business is operating a very large data centre and moving a substantial portion of its work into the cloud. Secondly, if cloud computing adoption makes remote working easier for your employees then you can encourage more home working and less business travel. If those same workers can make use of their own laptops and mobile devices to access your cloud-based systems you can avoid buying as much hardware for your staff and perhaps make more use of contractors so that you need less office space and your workforce can scale up and down just like your cloud computing systems.

1.4 THE CLOUD ROADMAP In the next four chapters this guide presents the following key stages in a journey to the clouds: • U nderstanding the options – three service models and four deployment models are described, along with twelve example adoption scenarios, supported by a number of brief case studies. • Identifying opportunities – from internal IT reviews, business reviews and legal checks through to problem/opportunity selection and requirements gathering. 04


• C loudsourcing – risks and costs vary greatly and it is important to keep the ‘big picture’ in mind whether you choose a private cloud or multiple public clouds. • Implementation – test, deploy and monitor cloud-based systems, and make sure you have an exit strategy. The final chapter presents a six-step iterative process for cloud computing adoption based on the above, which can be summarised as follows: 1. Familiarise yourself with the options for deploying cloud services. 2. Conduct relevant internal reviews of your people, processes, policies and IT capabilities. 3. Select appropriate opportunities for cloud computing keeping in mind your organisation’s objectives. 4. Document prioritised requirements for named beneficiaries. 5. Find candidate cloud solutions and test them fairly and systematically. 6. Execute an implementation plan with an exit strategy.

1.5 CHECKLIST Before you go any further consider the following questions on behalf of your organisation: • What are your competitors and peers saying about cloud computing? • Would you consider sharing resources in a public cloud? • Is capital expenditure worth avoiding in these uncertain times? • What responsibilities do you have in terms of data privacy and protection? • Could cloud computing be a good CSR option? • Would you consider allowing more home working?

CASE STUDY When Richard Messik first set up RFM Associates two years ago, after many years as a partner in a top 20 firm of chartered accountants, he was determined to have an organisation that worked purely in the cloud, both for all of its internal procedures and more importantly in its dealings with clients. As a consequence, all of the applications and systems used in the company are totally cloud based – from telephone to accounting; email to file storage. This means that no IT infrastructure is required, the only requirement being that the team, who all work from separate locations, have access to the internet. One of the main benefits of this set-up is that all staff have access to the same information at the same time, without the costly infrastructure required in a normal on-premise server set-up. Backups and security are not a problem as this is all taken care of by the relevant service provider and the systems and data are accessible on a true 24/7 basis from anywhere, any time. For example, Richard always uses his iPad when he is away from his desk and has access to all of his data and office systems. This principal is also extended to working with clients. For example, when RFM Associates was selected by PensionsFirst, a solution provider to the pensions industry, to provide outsourced financial administration, they devised a cost effective and efficient method of administering the weekly and monthly processes based on using cloud technology for the transfer of information and data. Security was a concern for the client. So, using the online accounting system E-conomic, a process was set up whereby all data processing is accessible by client and outsource team on a real time basis. Supplier invoices are scanned directly in and linked to the transaction to which they relate, thus providing a permanent and accessible audit trail. Both teams can review and discuss data and deal with any amendments as required, without the need for time-consuming and often inefficient file transfer protocols. At end of year, the company’s auditors, one of the big four, are given access to E-conomic so that the audit routines can be carried out.


05

2 UNDERSTANDING THE OPTIONS

A widely accepted and freely available, formal definition of cloud computing is provided by the National Institute of Standards and Technology (NIST) on behalf of the US Department of Commerce, and it begins with the following statement: ‘Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (eg, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.’ In less than two pages the NIST definition then goes on to define five essential characteristics, three service models, and four deployment models of cloud computing. It is clear then that ‘cloud computing’, even when formally defined, means many things and there are many choices to be made.

2.1 SERVICE MODELS According to the NIST the five essential characteristics of cloud computing are on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service; and it is the measured, on-demand, self-service nature of cloud computing that makes it a game changer. The three cloud computing service models are: 1. Software as a Service (SaaS) – ready-made online applications and software suites, which are typically charged per user per month; 2. Platform as a Service (PaaS) – online tools and components for developing bespoke applications, which can be charged by user, application, data storage and data transfers; 3. Infrastructure as a Service (IaaS) – more fundamental computing resources such as virtual servers, networks, data storage and data transfers often charged per unit (eg, Gigabytes) of resource used on a pay-as-you-go basis. Depending on the internal skills and particular requirements of your organisation you could choose off-the-shelf SaaS, which requires negligible technical expertise but may tie you to a vendor’s product; toolkit PaaS if you have non-standard processes that may be reproduced online using standard parts in a managed development environment; or the basic building blocks of IaaS which affords the most flexibility and control but also requires the most in-house expertise.

2.2 DEPLOYMENT MODELS The four deployment models of cloud computing are: 1. Public cloud – you share computing resources with other organisations, which may include your competitors. 2. Community cloud – you share computing resources (and costs) with trusted organisations that may have similar or related concerns to yours. 3. Private cloud – disparate departments and offices in your organisation benefit from a shared pool of computing resources managed internally. 4. Hybrid cloud – a private cloud that can expand securely into a public cloud (or virtual private cloud) when additional resources are required.

06


Smaller organisations generally have limited resources and are unfettered by onerous regulations so public clouds are the first port of call. Larger organisations, especially those in highly regulated industries, will deploy private clouds if they require cloud-based services and only use public clouds, perhaps in a hybrid cloud configuration, to store or process non-sensitive data. Community clouds are generally the preserve of connected communities like government bodies, scientific collaborations or charities.

2.3 ADOPTION SCENARIOS Here are some examples of cloud computing adoption scenarios ranging from SaaS to IaaS: • A start-up business can use a browser-based SaaS system to enable varying numbers of employees and contractors to send company emails, share files and create documents and presentations on any computer from anywhere. • An established business that uses Microsoft Office templates and macros heavily, along with one or more desktop software packages, can choose a cloud-based Windows hosted desktop service so that remote workers can use the company’s preferred tools in the same way as office-based workers. • A business that takes on temporary staff for a brief but intensive sales campaign can make good use of a SaaS Customer Relationship Management (CRM) system which is charged per user per month, and they can configure it so that data exports by non-staff are not permitted. • If a company’s desktop software is obsolete and needs updated or replaced but their PCs are too slow to run newer applications, then SaaS products, which are always kept up to date and run in a browser, can increase the lifetime of their PCs. • If you have security fears surrounding data stored on laptop computers taken out of the office then you can either encrypt the data on the laptop and protect it with a password or fingerprint recognition software or store the data in a SaaS application and use two-factor authentication (a security approach where the two factors are ‘something you have’ and ‘something you know’ – a common example being the chip and PIN card where the card is the physical item and the PIN is the number known to the user). • You can use a ready-made SaaS system or develop your own system using PaaS to afford more effective online collaborations with partner organisations. • If your staff would benefit from access to business data from their smart phones when they are out of the office then most SaaS and PaaS products support such devices, and many offer tools to integrate with external data sources and legacy systems. • If you plan to develop a software product and sell it online then you could choose a PaaS system with its own marketplace for your application and other applications that can be easily integrated with yours. • If you merge your company with another that is based elsewhere in the country and has systems and processes that are no better and no more modern than yours, then moving everyone to a new cloud-based system (probably PaaS) is a good way to connect your offices, integrate legacy systems, and bring everyone together to develop new ways of working rather than risk alienation by choosing one old system over another. • If you are planning intensive but sporadic marketing campaigns that you fear may overload your current web server then you could move it to an elastic public cloud (IaaS) where its specifications can be manually or dynamically increased to deal with temporary highs in web traffic. • If you need to run a large and complex computer simulation that would drain your own computing resources for a long time you can run it quickly instead on a temporary, cloud-based (IaaS) compute grid and pay only for the resources you use. • You can also make use of IaaS for disaster recovery by automatically backing-up your IT systems, virtual machines and business data from your data centre as well as your employees’ desktops.


07

Surveys reveal that the most commonly used public cloud services in 2011 were remote data storage and back-up solutions such as DropBox, while email and office applications such as Google Apps were the most popular type of SaaS product. This was almost certainly because of the low (or zero) cost associated with these services, especially for small businesses, and the relative ease of deployment. However the number of businesses paying for these ‘basic’ services and more complex SaaS products, which require a bit more consideration, such as accounting, collaboration and payroll systems is on the rise.

2.4 CHECKLIST There are numerous cloud computing options, not all of which will be appropriate to every organisation, but here is a quick list to aid your decision process: • Choose (SaaS) if you want ready-made online applications. • Choose (PaaS) if you need customised applications to match your processes. • C hoose (IaaS) if you require complete control over your applications and the underlying operating systems. • C hoose a community cloud, private cloud, hybrid cloud or no cloud for data and processes that should not be stored in a public cloud.

CASE STUDY For West Midlands-based accountancy firm, Prime Chartered Accountants, the adoption of Xero online accounting software has delivered more than improvements in efficiency. They see the cloud-based solution as being a key marketing tool and something that helps to differentiate themselves from the competition. Laurence Moore, Prime’s Chairman explains, ‘Xero is important from a marketing perspective, it means that we have a lot more tools in our kitbag to go out and win business. It’s a differentiation that has enabled us to develop new revenue streams.’ In these challenging times clients want accountants to be part of their team and Moore believes that a cloud-based system allows this, ensuring that a higher level of ongoing support can be provided. And getting close to a business means that the accountant can be much more proactive in suggesting and selling new services. One of the strengths of the cloud-based approach is the ready availability of specialist apps and Prime have made extensive use of these, including WorkflowMax, an online job, time and invoice management solution and Unleashed, an online inventory management product. Another strength is that the cloud model enables businesses to be much more mobile. So, for example, a sole practitioner can keep up with their bookkeeping while staying overnight in a B&B. Equally, the location of the client is no longer an inhibiting factor, and indeed Prime have a number of overseas clients. So successful has the company been in their use of Xero that they are now a gold partner and have around 140 clients using the software. This has given them a clear view of the key success factors in implementing an online accounting solution. And Moore firmly believes that it’s crucial ‘somebody at the top needs to buy into the idea’. Ultimately, of course, it’s about providing the client with a better service.

08


3 IDENTIFYING OPPORTUNITIES

Understanding what cloud computing is and what you can do with it is a good start, but before you begin searching for a cloud provider it would be wise to conduct internal reviews. And unless you have an obvious requirement for operational expenditure on IT systems that scale up and down with usage or user numbers, or new cloud-based software that can be accessed remotely and will enable your users to be more productive and less reliant on internal IT staff, then you need to find an appropriate ‘problem’ to solve, an opportunity for positive change in your organisation. In the following sections there are suggested activities for internal IT and business reviews, but you may also choose to augment your in-house resources and analytical capabilities with external expertise where necessary.

3.1 INTERNAL IT REVIEW One common temptation that faces executives is to bypass their IT department and adopt an external cloud computing service because it is so easy to do and may seem good value for money. However, such an approach also means bypassing established information governance policies and processes, and potentially exposing your organisation to undue risk. It is clear, therefore, that your IT department needs to be heavily involved in your research into cloud computing, even if the end result may involve changes to job descriptions or even job cuts. Your IT department can help you modify policies governing internal information controls so they can encompass external systems. With cloud computing in mind, you can request detailed answers to the following questions about your current IT set-up: • Is there a tried and tested disaster recovery plan in place? • Do key systems have sufficient redundancy and failover mechanisms? • Can staff work effectively from home or on the move if necessary? • How quickly can new servers be procured, configured and deployed? • How quickly can new software packages and updates to existing software packages be deployed to users? • What are the core functions of the IT department and what services do they provide? If you have time for a more thorough audit of your current IT systems you can also document the following: • Hardware specifications. • Key functionality of software currently employed. • Upgrade costs for hardware and software assets. • User details, including the assets they use and their physical locations. • Technical support and hardware maintenance requirements, and associated costs. • Data storage requirements, including offline storage on PCs. • Internet connectivity and usage. • Key technical people, their responsibilities and expertise. The information and understanding you glean from an internal IT review will certainly help you gauge the true value and cost of a cloud-based solution and whether your current systems are fit for purpose.


09

3.2 INTERNAL BUSINESS REVIEW Another common temptation is to forget about the big picture and choose a particular cloud computing service because it solves one obvious problem and seemingly saves you money. However, such an approach risks overlooking more important issues and missing something potentially transformative. Small businesses usually have business plans, while large organisations constantly review their mission, their targets and their objectives; but paradigm shifts are possible if you make fundamental changes to the way you do things. Here are some high-level suggestions for an internal business review, which you may already have performed (the word ‘staff’ refers to employees and regular contractors): • Document all tasks your staff (including IT staff) perform on a day-to-day basis, any IT systems they use as part of the process, and measure how much time (and therefore internal cost – depending on salaries and computing resources) they spend on each. • Taking each department in turn, engage with staff to determine which tasks and which systems are the most valuable in terms of meeting your organisation’s objectives or generating revenue. • Request suggestions from staff on how more time can be freed up for the most valuable tasks. • Ask your customers where you are succeeding and failing to deliver good and timely service, and find out which methods of communication and interaction they prefer. • Document processes and practices, referring to those tasks identified and timed earlier, and identify any expensive bottlenecks. • Look again at your business objectives and see if any improvements in working practices or processes could help you meet them. Conducting an internal review with people and processes in mind may reveal problems for which cloud computing is not the best solution. This is a useful result in itself, but your findings may also suggest implementations you would otherwise not have considered. Even if a reduction in staff numbers is on your agenda it is important to involve employees in an internal review like the one sketched out above. There is often resistance to change but introducing change without consultation is rarely a good idea.

3.3 LEGAL CHECKS You will, of course, need to involve your legal team if your organisation is subject to industry regulations or you have data protection responsibilities. You should also get legal advice if staff reductions may result from cloud computing adoption. Although procuring cloud services is not the same as traditional outsourcing because of the automation involved, there is a small chance you could face financial exposure from staff claiming unfair dismissal under the UK’s Transfer of Undertakings, Protection of Employment (TUPE) regulations. A successful claim would depend on whether the affected employees can be clearly identified as performing the same service that is being provided by the cloud provider.

3.4 OPPORTUNITY SELECTION After conducting an internal review you may identify particular operations or processes that could potentially be done better using a cloud-based system. There may be one standout problem with a genuine business case that clearly needs to be resolved quickly, or there may be a group of tasks that can be performed better with cloud computing. If you have separate and unconnected opportunities for change competing for your attention it is probably better to concentrate your initial efforts on one that saves you money or improves customer service and is the easiest to implement. A quick win will justify all the effort you have put in thus far. You may, however, prefer to select a problem or opportunity with the lowest risk involved if you are considering a public cloud. In this case you should choose a solution that involves non-sensitive data and applications that are not business critical.

10


3.5 REQUIREMENTS GATHERING As with any IT project you should work with relevant staff and other stakeholders to put together a prioritised list of measurable and testable requirements for key features and functionality. Insist formally that beneficiaries of each function or feature sign off on a clear description of what it is and why it is needed. This will enable you to compare cloud services effectively against agreed criteria and be less swayed by any other technical ‘bells and whistles’ that may not be needed.

3.6 CHECKLIST • Review your current information governance policies and processes with cloud computing in mind. • Take stock of your current IT costs and capabilities. • Engage openly with employees and customers. • Perform necessary legal checks, including TUPE. • Find genuine problems/opportunities with a clear business case for solving/realising via cloud technologies. • Select an urgent problem, a quick win or a low risk solution. • Create requirements documentation with key stakeholders.

CASE STUDY The integration of cloud-based accounting packages with other business applications can deliver significant benefits. White Springs is a small company with 25 employees that develops software to support sales teams. The company implemented FinancialForce Accounting which now runs seamlessly alongside Salesforce CRM software. This combination provides a number of benefits, not least the fact that both sales and finance can see which customers have been billed, what they have been billed for and what has been collected. Previously, those responsible for debt collection had been running in isolation from the rest of the business. Now they can see opportunities in the pipeline and support cases that might influence a customer’s willingness to settle up. Gary White, the CEO of White Springs explained that they are also seeing some significant time savings. ‘As a SaaS company, we usually receive customer contracts at the start of the year. Rather than accounting for revenue over 12 months, we are required to account monthly, something we were doing manually before implementing the cloud-based accounting solution. Now that we don’t have to manage a deferred revenue spreadsheet, we can rely on the information in the monthly management reports, they are quick and easy to produce, and we have no spreadsheets to worry about outside of the system.’ ‘Our accounting team has saved at least 20% of the time that was spent posting invoices manually. It’s all automated, from an opportunity being closed in the CRM system to an invoice going out from the accounts system. Preparation of the monthly management accounts takes only one day now instead of two. These savings are significant for a business like ours.‘


11

4 CLOUDSOURCING

Before you proceed to build your own private cloud or move to a public cloud you can begin ruling out some potential providers, armed with the knowledge of what risks and costs are acceptable to your organisation.

4.1 MULTIPLE CHOICE The previous chapter stressed the importance of understanding your existing systems, data, processes, policies, people and problems, before you actively consider cloud computing. The bigger your organisation is and the more systems you have then the more planning and consideration a migration involves. There is usually no one-stop shop where you can find a single integrated system that does everything you need – no cloud-based panacea – so most cloud consumers end up using multiple cloud services. Therefore, not only do you need to ensure that your remaining internal systems are integrated with any cloud-based systems you choose, you also need to ensure that your cloud-based systems afford integration with each other where necessary. Now, cloud computing by its nature is service-based and application programming interfaces (APIs) are provided that enable software applications to access the services of other software applications. So it is up to you and your IT team/consultant to select the cloud-based systems that most easily fit into the underlying structure which supports communications between such services (commonly referred to as a service oriented architecture) for your organisation.

4.2 RISK MITIGATION Here is a list of common cloud computing risks and some suggestions on how to overcome them: • Internal security breaches – through user account management processes and security technologies such as two-factor authentication and single sign-on. • Internal resistance from staff – avoided through consultation, engagement and involvement. • Cloud security breaches – by ensuring your provider has adequate controls verified by a reputable third party. • Data protection litigation – by storing only non-sensitive data in public clouds. • System outages – by only using cloud-based applications that are not business-critical. • Data loss – by backing-up your data to another provider’s cloud. • Vendor lock-in – by adopting clouds that utilise open standards and support interoperability and data migrations. • Vendor failure – by thoroughly researching your provider and monitoring their progress.

4.3 VENDOR SELECTION In Appendix B you can find a list of cloud provider directories. Every cloud service you consider, including private and hybrid clouds, should be judged in the same way, and in this section are listed some example selection criteria under four categories that may help you decide. Firstly, in terms of their processes and practices, does the cloud provider: • Have systems that satisfy your internal requirements for governance and compliance?

12


• Follow any industry best practices for IT service management, such as the Information Technology Infrastructure Library (ITIL)? • Have independently audited internal controls of IT systems and processes to ISAE 3402 (successor to SAS 70) specifications? • Have ISO 27001 certification for their information security management system? • Have favourable independent and verifiable online reviews and client endorsements? Secondly, even if providers are certified, data protection is your responsibility so it is important to have a formal agreement that contains specific answers to the following issues: • Your ownership of your data. • Where your data and backups are stored geographically and where the provider is based, whether the host countries subscribe to international Safe Harbor privacy principles, and whether those countries or the provider’s home country have laws in place that can override Safe Harbor agreements, such as the Patriot Act, which allows the US government to access and copy any data stored by an American cloud provider, even if they are stored outside the USA. • How the data centres are secured physically. • Who, including system administrators, has access to your data, how are they vetted and how data access is controlled and logged. • What happens to your data if a service agreement is terminated or if the provider’s business fails. • Controlled facilities for making automated and authorised backups to other clouds, including private clouds. • Flexible data retention facilities for regulatory purposes. • Their standard procedures for responding to government inquiries and legal investigations of their customers’ data, and the costs to be incurred by individual customers being investigated; • Assurance that your data will not be compromised or seized if another customer of theirs is being investigated. • The provider’s disaster recovery plan. • How your data is stored, backed-up, encrypted and kept separate from other organisations’ data in the cloud. • How and when security tests are performed, especially during service updates. Thirdly, regarding continuity of service, find out from your provider: • What is the notice time, frequency and duration of scheduled downtime. • How they define complete and partial service outages. • How they measure and report on downtime and outage severity. • How customers report service problems. • How customers are compensated for outages. • How much downtime they have had in the past. And, finally, on quality of service (QoS), your provider should be able to answer the following questions: • How quickly are additional resources allocated to over-loaded virtual servers? • How fast is the automated failover? • What monitoring tools and QoS metrics are used by the provider and which of these, if any, are made available to customers?


13

4.4 COSTING CLOUDS The features, functionality and service levels of one or more public clouds may seem to meet your needs but be sure to understand your potential providers’ pricing models and try to forecast as accurately as possible your service consumption before you proceed to testing and implementation. In particular you should find out: • What computing resources are chargeable and how much do they cost per unit? • Are there any set-up costs, minimum monthly charges or minimum contract lengths? • What notice period is given of price changes and service levels? • Are there additional operational costs for user support, third-party services, software licenses, operating system licenses or anything else? • And are there any additional charges for retrieving and transferring data on terminating an agreement? As well as the recurring and varying service consumption charges there are, of course, other costs associated with cloud computing adoption. Larger organisations, especially, will incur significant internal costs due to the necessary involvement of their IT departments and legal teams, as well as the costs associated with training and documentation if a new IT system is to be implemented.

4.5 DO IT YOURSELF – PRIVATE CLOUDS If the total long-term cost associated with public cloud usage is too large, or the service levels are unacceptable and not negotiable, but you have a genuine requirement for cloud computing in the form of Infrastructure as a Service, then private clouds may be more suitable for your organisation; but you still have decisions to make and questions to ask. You could, for example, invest in an integrated package of consultancy, computing, network, storage, and management capabilities from IT powerhouses like VCE (VMware, Cisco and EMC) or a VCE partner. At the other extreme you could repurpose your existing hardware and set up a private cloud yourself. There are now numerous cloud operating systems to choose from – some proprietary and some open source – but not all of them include metering technology for internal billing. Microsoft, VMware and other major software vendors offer proprietary private cloud operating systems with varying levels of interoperability and open APIs, while popular open source private cloud offerings include Eucalyptus, OpenStack and OpenNebula. And you also have the option of procuring a managed private cloud or virtual private cloud from Amazon, Rackspace and others.

4.6 CHECKLIST F or the particular business application or applications that you are considering for your organisation, candidate public and private cloud services should have: • Acceptable levels of downtime, performance and security for the relevant business application. • Adequate security controls, service level agreements and monitoring capabilities. • Affordable total monthly service costs for your maximum expected usage in the long term. The cloud services should also: • Satisfy your organisation’s IT service management, data protection and industry compliance requirements. • Integrate easily with your favourite desktop software, internal systems and other cloud services. • Fit well with your development platforms and programming languages. • Preferably be interoperable and afford easy extraction and migration of data in a structured form where meaning is preserved.

14


CASE STUDY Cost saving is one of the benefits frequently cited for cloud computing and this was certainly the case for BLUW. The company, which specialises in the design and manufacture of fun novelty gadgets has a head office in London with other locations in New York and Hong Kong. This young business had experienced major growth, which led to the following challenges of operating across three continents and different time zones: • Conventional ‘on-premise’ IT infrastructure, having a centralised server running on UK GMT time without 24 hour support meant occasional complete working days being lost due to not having access to centrally held data. • Customer management information was managed locally in each country with overlaps occurring between the Hong Kong-based merchandising and UK-based sales team. • Accounting systems were diverse and restricted to financial operations only. • Cash management and forecasting was extremely challenging due to miscommunication as a consequence of the lack of a centralised system. • Production planning and product development were also becoming extremely difficult with localised data and lack of accountability. A single solution was provided by NetSuite OneWorld. Ian Harkin, the Financial Director says ‘Having everything operating on a single platform is highly efficient. Our online stores, outsourced warehousing facilities, delivery and dispatch system, and shipping are fully integrated with UPS and our payment processing with PayPal, dramatically reducing investment on overhead.’ The system is expected to support planned growth from the current third year turnover of £2.7m to £5m, £10m, £20m and beyond. In terms of cost savings, Harkin confirms that the company has saved in excess of £50,000 in computer hardware and infrastructure alone and at least as much again in salaries and fees for IT maintenance and support. He concludes ‘It makes no commercial sense for BLUW to own computer equipment.’


15

5 IMPLEMENTATION

Once you have selected one or more candidate clouds that seem to meet your organisation’s documented requirements it is time to test them thoroughly, adopt the best one(s), and implement a project plan with an exit strategy.

5.1 USABILITY AND PERFORMANCE Before you test the performance of external cloud services you should test your local internet connections (packet transmission speed, packet loss and network latency) from your offices during peak times over a period of days. You can also benchmark the performance of any business applications that you are migrating to a cloud or replacing with a cloud service by measuring response times and timing key activities. If you have the in-house expertise you may find it useful to test applications on your own virtual servers, varying the memory and processor speed to find the baseline specifications required for acceptable performance on your local network. Armed with benchmarks and baselines you can then test systematically those cloud services with the ‘must have’ features and functionality you agreed with stakeholders. For SaaS ask a sample of open minded, affected users to test candidate SaaS applications by performing the same standard tasks on each system alongside an impartial trained observer whose job it is to document the user’s experiences, time tasks and record the difficulty ratings for each task. If you have a number of testers, which may include yourself, you can vary the order in which rival SaaS systems are tested to make the tests even fairer. Ask the users which SaaS application they prefer, why they prefer it, and how it compares to the system they currently use, if any; and you may find it instructive to repeat the tests with the same users to see if their experiences improve as they learn. One system may turn out to be the most easy to use, which is a key consideration. For PaaS ask your developers to test candidate PaaS systems by creating in each a basic database-driven software application to perform the same prescribed task, which may be one they are familiar with in your organisation. For each platform the developer can document their specific experiences and general impressions using a set of standard forms, and they can record the time it took to develop the test application. On the forms they can describe and rate the quality of, for example, online documentation, feature sets, ease of use, and response times. Which do they prefer and why? For IaaS the tests may include the self-service creation and destruction of, for example, virtual servers and server farms; data transfers and firewall tests. As with SaaS and PaaS, usability, online documentation quality and user preferences are also important factors to record and consider. The important thing is to test each cloud service in the same way and document the results. Another important criterion for candidate cloud services is that they perform well over any reasonable internet connection, so send some of your staff home early on the condition that they quickly run through a subset of tests for the relevant SaaS, PaaS or IaaS systems being considered, taking particular note of response times. Finally, a good test of candidate cloud providers is to send them the same technical support question – even if you know the answer – and record the speed and quality of the reply. If all else is equal then this simple test could make the decision for you.

16


5.2 DEPLOYMENT A cloud implementation plan, like the plan for any major IT project, should include relevant details of why, who, what, where, when and how much: • Why is the project happening – business drivers and objectives? • Who are the named executive sponsors, project management team members, project delivery team members and affected users? • What are the guiding principles, governance constraints, specific requirements, risks, deliverables and key success metrics? • Where (in an organisation with multiple sites) will the new systems be rolled out to if it is a pilot project? • When will stakeholder engagements and other scheduled activities occur? • How much will it cost in terms of internal resources – person hours, infrastructure, hardware and connectivity? An implementation plan should also include full details, estimated costs and schedules for user training and documentation; data migration; customisation and integration with other systems. Provision should be made for parallel running of old and new systems and a rollback (exit) plan, if required. And although performance testing, user testing and security testing may have already occurred (see previous section) it should probably be included in this plan, too, or in a separate project plan. Depending on your favoured project management methods your implementation plan may include a rigid functional specification to ensure there is no feature creep; or it may describe an agile approach where key project team members are involved at key stages to find the best solution rather than the solution initially envisaged. In any case regular communication with stakeholders will increase the chances of your new cloud-based systems being successfully rolled out to willing users.

5.3 EXIT STRATEGY Even if you follow all the steps in this guide you may find that a cloud service does not work out for your organisation. If you consider this to be a genuine risk you should prepare an exit strategy. The implementation plan described above suggested that provision be made for parallel running of old and new systems which you can do manually through double entry or, preferably, by integrating the systems to keep the old one automatically synchronised with the new one in case you need to roll back. Always be prepared to make a quick exit because at some point you may decide to move to another cloud (public or private) or you may simply need to extract your data in a structured form because, for example, your business is closing down. Make sure this is possible and build your cloud exit strategy into your implementation plan and disaster recovery plan and test it!

5.4 MONITORING At the cloud sourcing stage you may have selected a vendor that provides service level monitoring tools but you can augment these tools with your own. Your IT department can monitor the performance and availability of applications and systems running within IaaS clouds, while automated tools are available from third parties for automatically testing and timing transactions in web applications so you can be made aware of any interruptions in service or dips in performance. And it is also helpful to monitor usage patterns in any new cloud-based systems you roll out to ensure that they are being used.

5.5 CHECKLIST • Get relevant users to test candidate clouds in a fair and systematic way. • Put together a detailed implementation plan with a tried and tested exit strategy. • Continually monitor your cloud services after deployment.


17

CASE STUDY 1 An Australian accounting firm, Five Ways Chartered Accountants, uses multiple cloud services and no desktop accounting packages at all. They consistently use the following three SaaS products, which enable them to work completely online: • Xero Accounting – to access their clients’ up-to-date financial information, which affords closer engagement and has reduced their time spent on compliance work by almost 50%. • Batchbook Social CRM – to keep all contact information, email discussions and social media interactions for their clients in one place. • Box.net – to manage all documents online including standard documents, letters and client documents, and enable particular documents and folders to be shared securely by clients and appropriate staff. This focus on a particular set of cloud services means that they have a single effective way of working with their clients, which is completely cloud-based. Paul Meissner, Director of Five Ways, had this to say: ‘Overall the move to the cloud has made our client service more efficient, cut our overheads and made us more profitable’.

CASE STUDY 2 South West-based accountancy practice Glover Stanbury & Co took the decision to move all of their IT systems into the cloud in June 2011, opting for hosted servers rather than the office-based servers they had relied on previously. It’s a decision that has already paid dividends according to Kevin Salter a partner in the practice, who said ‘The move to the cloud has been a great success and, indeed, works even better than we had anticipated.’ The firm, incorporating six partners and 30 staff, uses a variety of software ranging from Microsoft Office and Exchange Server for emails through to SaaS products such as Google Docs, DocSAFE (a secure online means of sharing and storing client documentation) and Xero and Liberty accounts packages. Some of the benefits achieved include: • Software standardisation – all staff use the same versions of software together with a common operating system platform, compared to the array of versions that existed previously. • The ability to work from anywhere has been invaluable, both in terms of allowing staff to work from home or between offices when necessary and also providing access to all software while on client sites. • Cost savings – the hosted server costs over a five-year period are comparable with those incurred for the earlier office-based system, however the real benefits lie in the significant savings on time previously spent supporting the day-to-day operation of in-house servers. • Closer integration between the firm’s two sites, located 10 miles apart, as single database solutions have been implemented for tax, accounts and document management systems. And along the way there have been some valuable lessons learned: • Prior to migrating to the cloud make a list of the software you intend to use and prioritise it, so that the most business-critical applications are available immediately. • Use the move to the cloud to have a tidy up of existing files on servers, and review ongoing procedures and methods with regard to file saving generally. • Keep one in-house server available on stand-by, as there will almost certainly be the odd occasion when there’s a requirement for that ‘urgent file’ which hasn’t been moved across to the hosted service. The success of the move was reinforced by Salter who, when asked if the firm would consider going back to putting servers in-house, replied ‘Definitely not!’

18


6 KEEPING YOUR HEAD IN THE CLOUDS

Many organisations, including most famously the US Federal Government, have instituted a ‘cloud first’ policy, and the UK Government, which has been criticised for being a bit slow off the mark, is also planning a ‘shift towards cloud computing’ with a target of at least 50% of Whitehall’s IT services running in the cloud by 2015. Mirroring this difference, UK organisations tend to take a more cautious and sceptical approach to cloud computing adoption than their American counterparts. There are certainly significant risks and ‘big pictures’ to consider, which this guide attests to, and caution is understandable, but fortune can also favour brave cloud pioneers.

6.1 SUMMARY This guide has described a measured approach to cloud computing adoption which can be summarised in a six step process as follows: 1. Familiarise yourself with the options for deploying cloud services. 2. Conduct relevant internal reviews of your people, processes, policies and IT capabilities – keeping in mind your organisation’s objectives. 3. Select appropriate opportunities for cloud computing. 4. Document prioritised requirements for named beneficiaries. 5. Find candidate cloud solutions and test them fairly and systematically. 6. Execute an implementation plan with an exit strategy. This process is, of course, an iterative one. Once you have completed one successful cloud implementation project you can return to step 3 to choose the next problem or improvement, and when you have run out of problems and improvements you can return to step 2 and review or repeat your internal reviews, and so on. If you represent a large organisation planning to migrate numerous virtual servers and applications to the cloud you could follow the steps in a Cloud computing maturity model such as the model developed by GTSI (a provider of technology solutions and professionals services to the public sector in the US) that is preferred by the US Government.

6.2 CONCLUDING REMARKS After reading this guide you may have come to the conclusion that cloud computing sounds like more trouble than it is worth, which is generally not the case. According to the Cloud Industry Forum, 96% of the UK organisations they surveyed that have already adopted cloud computing in some form are happy with their cloud services. Therefore, as long as you choose your cloud or clouds with care, perhaps taking a hybrid approach or beginning with low risk data and applications, and have a strong business case to build on, there is a good chance your organisation will reap significant rewards. For large organisations it may be an initially slow and painful process moving to the cloud but once there they should find that change becomes easier and they can deploy new business applications and processes with lightning speed!


19

APPENDIX A: GLOSSARY

API (Application Programming Interface) – an interface implemented within a software application that enables other software applications to access some of its services. Cloud – a pool of configurable computing resources on the Internet. Cloud computing – a model for enabling convenient, on-demand network access to a cloud that can be rapidly provisioned and released with minimal management effort or service provider interaction. Cloud portability – the facility for moving data or applications from one cloud to another. Cloud provider – a supplier of cloud computing services to multiple customers using the same multi-tenanted infrastructure. Cloud services – see service models. Cloudsourcing – finding and selecting a set of cloud services for your organisation from one or more cloud providers. Community cloud – a cloud shared by a particular community of organisations with common interests or data protection concerns. Compute grid – a collection of computers on which compute-intensive batch applications are run in parallel. Consumption-based pricing – the pricing model whereby customers are charged only for the discreet cloud computing resources they consume (compare with subscriptionbased pricing). Deployment models – public cloud, community cloud, private cloud and hybrid cloud (according to the NIST definition). Elastic computing – see rapid elasticity. Essential characteristics – on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service (according to the NIST definition). External cloud – a public cloud or community cloud provided by a cloud provider. Failover – the automatic capability to switch an IT service to a redundant or standby computer server, system, or network upon failure or abnormal termination of the service. Hosted desktop – a fully interactive view of a virtual computer desktop (usually Microsoft Windows) that is hosted in a public cloud and provides the user with remote access to their organisation’s data and software applications. Hybrid cloud – a private cloud linked to a public cloud. IaaS – see Infrastructure as a Service. Information governance – an organisation’s policies, procedures, processes and controls for information management. Infrastructure as a Service – the service model that includes virtual machines, data storage, processing power, bandwidth and networking resources. Internal cloud – see private cloud. ITIL – the Information Technology Infrastructure Library, a widely adopted set of best practices for the management and provision of IT services. Multi-tenanted system – a system shared by multiple organisations and users (an essential characteristic). Network latency – delays in application response time as data travels over a network through intermediate devices. NIST definition – the definition of cloud computing published by the National Institute for Standards and Technology (NIST).

20


On-demand computing – the immediate availability of online computing resources upon request (an essential characteristic). PaaS – see Platform as a Service. Patriot Act – a statute passed into law by the United States Government in 2001 that enables law enforcement agencies in the United States to search telephone, e-mail communications, business records, and other records for suspected links to terrorism – without a court order. Pay-per-use (or Pay-as-you-go) – the payment model whereby customers pay only for the cloud computing resources they use and avoid capital investment in software and hardware (see consumption-based pricing and subscription-based pricing). Platform as a Service – the service model that enables software developers to quickly create and develop scalable, database-driven web applications. Private cloud – the deployment model where cloud services are provided internally by organisations. Public cloud – the deployment model where cloud services are provided by a cloud provider. Rapid elasticity – the availability of computing resources that can expand and contract on demand (see essential characteristics). SaaS – see Software as a Service. Safe Harbor agreement – a set of data protection principles approved by the European Union, the United States of America and numerous other countries. Self-service – the capability for organisations to consume cloud services under a pay-peruse model without communicating with the cloud provider. SLA (service level agreement) – a contractual agreement with a service provider that defines the level of service they will provide, including guarantees of availability and performance. Service models – SaaS, PaaS and IaaS in the NIST definition. Service Oriented Architecture – a set of principles and methodologies for designing and developing software in the form of interoperable services that represent distinct business functionalities. Service provider – see cloud provider. Single sign-on – the ability to log on to multiple IT services simultaneously using a single user name and password pair at one entry point. Software as a Service – the service model by which ready-made software applications and software suites are provided online. Subscription-based pricing – the pricing model whereby customers pay to use cloud services for a set period of time (compare with consumption-based pricing). Two-factor authentication – the combination of an additional hardware or software method and regular login credentials (user name and password) to uniquely identify a user when they log on to a computer system. Vendor lock-in – the restrictive commercial ties created between customer and provider in the absence of cloud portability. Virtualisation – the software methods that enable multiple virtual computing resources to run on a single hardware platform. Virtualised – see virtualisation. Virtual machine – virtualised computer hardware that executes programs like a physical computer. Virtual private cloud – an isolated private cloud running within a public cloud infrastructure. Virtual server – a virtual machine used as a computer server. Web services – the standard internet communication protocols that are used to pass data to and from cloud services.


21

APPENDIX B: FURTHER INFORMATION

In this guide various surveys, supplier directories and other resources are cited, all of which are referenced below.

ICAEW IT Faculty publications Simon Bisson (2007), An Introduction to Software as a Service. Lesley Meall (2010), Online Accounting Software Product Guide. Barnaby Page (2011), Cloud Computing – A Guide for Business Managers.

ICAEW IT Counts online community www.ion.icaew.com/itcounts

CIO Global Cloud Computing: Adoption Survey Result PDF from VMWare http://tinyurl.com/7yug2wx

Cloud First Buyer’s Guide: Resources Various links selected for the US Government http://tinyurl.com/6ob6u56

Cloud Provider Directories • CloudBook: www.cloudbook.net/ • Cloud Directory (UK): www.clouddir.co.uk/ • Cloud Industry Forum (UK): www.cloudindustryforum.org/ • CloudTweaks: www.cloudtweaks.com/cloud-vendors/ • GetApp: www.getapp.com/ • SaaS Directory: www.saasdir.com/ • SaaS Showplace: www.saas-showplace.com/

Cloud UK Paper one: Adoption and Trends 2011 PDF from the Cloud Industry Forum http://tinyurl.com/3f3dqba

Government ICT Strategy PDF from the UK Cabinet Office http://tinyurl.com/8x9qmda

GTSI Cloud Computing Maturity Model A PDF white paper from GTSI http://tinyurl.com/7btxrfv

22


Make IT Green: Cloud Computing and its Contribution to Climate Change PDF report from Greenpeace http://tinyurl.com/87mzvr7

NIST Definition of Cloud Computing (final) PDF from US National Institute of Standards and Technology http://tinyurl.com/3cwq47r

Open Cloud Resources A list of open cloud systems (see also the Open Cloud Manifesto at www. opencloudmanifesto.org/) • Cloud Foundry (PaaS): www.cloudfoundry.org/ • Eucalyptus: www.eucalyptus.com/ • Openstack: www.openstack.org/ • OpenNebula: www.opennebula.org/

Other Dr Mark I. Williams (2010), A Quick Start Guide to Cloud Computing, London: Kogan Page.


23

ABOUT THE AUTHOR

Dr Mark I. Williams began his postgraduate career in 1992 at CERN, birthplace of the World Wide Web, before switching to a similar facility (SLAC) in California in 1998, where he managed a major intranet redevelopment project. Mark formed his first company, Surfability, in 2000 with the help of an Enterprise Fellowship award from The Royal Society of Edinburgh, followed by a DTI SMART award. A partnership with an early cloud computing provider, Extrasys, four years later led eventually to Mark running that business for NG Bailey before helping to sell it on again in 2009. Mark’s current venture is Muon Consulting and he blogs at http://blog.muoncloud.com. He has chaired sessions at the annual Cloud Computing World Forum in 2010 and 2011 and is the author of A Quick Start Guide to Cloud Computing, which was published by Kogan Page in 2010.

24


ICAEW is a founder member of the Global Accounting Alliance, which represents around 775,000 of the world’s leading professional accountants in over 165 countries around the globe, to promote quality services, share information and collaborate on important international issues.

ICAEW is a professional membership organisation, supporting over 138,000 chartered accountants around the world. Through our technical knowledge, skills and expertise, we provide insight and leadership to the global accountancy and finance profession. Our members provide financial knowledge and guidance based on the highest professional, technical and ethical standards. We develop and support individuals, organisations and communities to help them achieve long-term, sustainable economic value. Because of us, people can do business with confidence.

ICAEW IT Faculty Chartered Accountants’ Hall Moorgate Place London EC2R 6EA UK

T +44 (0)20 7920 8646 F +44 (0)20 7920 8780 E [email protected] icaew.com/itfac

linkedin.com – find icaew twitter.com/icaew_ITFaculty facebook.com/icaew

£25.00

TECPLM11197 03/12