"Shaped like a Blogg! or a Garden hose!"

This is part one of a guest blog I was asked to create for the Service Management Conference. you can find the original here and where it was published completely in the July issue of the itSMF Bulletin.

Why moving to the cloud can give you more control, not less.

What are the opportunities and challenges for the IT service management team in a world where more applications are moving into the cloud, offered as subscription services, from a multitude of vendors? Can you keep control and visibility?

Recently I led a discussion at an itSMF Special Interest Group meeting about IT service management in an “as-a-Service” world – a world where the way IT is procured, delivered and consumed has fundamentally changed with the advent of cloud computing. Not that cloud computing is new by any means – particularly in smaller organisations, but it is now becoming more and more prevalent in large enterprises. Or it is expected to be…

While there has been a lot of hype around “the cloud”, what became apparent at the meeting is that most information is targeted at the executives in high level overviews, or at techies in great technical detail.

Meanwhile, the IT service management team has been left in the cold. There is little clear direction on “how to” or “where to start” and too much hype versus fact. Yet it is the service management team who often has the responsibility to “make it happen”.

In our discussion, which included IT service management professionals from government, financial services and IT vendors, the concerns/queries about service management in a cloud environment were startlingly consistent across industry sectors:

•        What is the best way to monitor and report service delivery?
•        How have other organisations done it?
•        What is hybrid cloud and how do you manage it?
•        How do you manage service integration across multiple vendors?

The Australian Government defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Interestingly, the itSMF group viewed cloud as a commercial model for delivering IT, rather than a technology. And the overriding concern is that these services are not in their control.

So how does cloud impact the policies, processes and procedures service management uses to plan, deliver, operate and control IT services offered to end-users?

For me it comes down to recognising that while traditional IT procurement has changed, you can still be in control; defining a clear – but flexible – business map for how the technology, processes and people will support the business; and ensuring transparency across multiple vendors.

New Ways of IT Procurement Don’t Have to Mean You Lose Control

Much of the fear of losing control comes from the feeling that IT departments are relinquishing control to IT third parties because they no longer own the IT and can’t see, touch or grab it. Yet in many ways they have more control than ever as it is easier to increase or decrease capacity quickly in response to changes in your organisation or the market in which it operates. And, if you chose the right vendor, they should provide you with regularly updated innovative solutions and contracted service levels rather than you being locked into a technology that will start to age as soon as you implement it.

Of course it’s not simple matter of moving everything into the cloud. Sometimes legislative requirements will dictate where data can be stored or who has access to it which may force an application to be insourced. Or it may depend on the maturity of an organisation’s approach to IT – an immature organisation may refuse to outsource because it is simply fearful of doing so whereas a mature approach is open to pushing risk outside the organisation.

And not all clouds are the same. A private cloud is used by a single organisation. A community cloud is for the exclusive use of a specific community of consumers with shared concerns (eg security requirements or mission). A public cloud is for open use by the general public. And a hybrid cloud is comprised of multiple distinct cloud infrastructures (private, community or public). Whilst the debate over public vs. private cloud services rages on, in the context of the above and the relative organisational needs and maturity, they all have a place.

This feeling of a loss of control can be exacerbated by departments choosing their own systems, easily bought and delivered over the Internet. However this “shadow IT” should not be feared – instead it should be seen as an indicator that the IT department is not delivering what they need. This is why business mapping is so important.

Part 2 of this blog will cover why business mapping is critical to ensuring IT and Service Management truly support the business and how to get started.

It seems to be an almost biannual occurrence, people arc up and talk about cloud security, specifically data security/protection. It even got attention at this year’s Cisco Live in Melbourne. The last time I had a rant about this in “Cloud computing protection – Is this the place for Law?” I looked at malpractice laws for misuse or mishandling of data but not the bigger picture:

• Data sovereignty;
• Government mandate on export of data (EU as an example);
• Compliance and regulatory;
• housing in politically unstable regions;
• Data Destruction; and
• Damage and/or destruction.

The above are by no means exhaustive, these are just the ones that I’ve got kicking about in my head at present. 12-18 month ago I had a great chat with a lawyer who was taking a keen interest in this area and at the time was as confused as I on some of the ramifications (he put out a paper as well, when I can find it I’ll link to it here). For getting it out of my head sake I thought I’d put it here for good measure; as it has been sitting in my drafts for about that long.

Data Sovereignty – In a nutshell, this is the issue where what laws come into play based on the location of the data. This is a nebulous area and one that I think most in the law profession are still coming to grips with. Even here in Australia we have a crazy scary amount of laws, depending upon the information type (personal, financial, health, etc) not to mention international laws. This need to be taken into account when looking at what it is you place in the cloud.

Government mandate on export of data – I was thinking of the EU’s law specifically here, where the personal information (combined & interpreted data) cannot be exchanged with non-EU countries unless they have equivalent or better security standards (adequate level of data protection). What does this mean for a providers infrastructure residing in the EU destruction, or for someone in the EU trying to use a cloud service. There is a good blog article it including some examples and explanations. here. Another issue could be that the local/federal government may dictate that data is not to be off-shored. Are you sure that the provider is going to provide you with the ability to ensure that? Including backups?

Compliance and regulatory – This is the same old piece that every monkey trots out. Most of the control requirements are subjective, as in it is up to the auditor’s discretion on whether or not the control is adequate or not (unless it is extremely specific). Most of these are box ticking exercises. If there is a smart control mechanism that will meet your businesses security requirements, and you have clearly documented your rationale so you can call it a compensating measure.

Housing in politically unstable regions – Comes back to knowing what country your data resides in. If by chance it happens in a country where the local government has no qualms in walking in and taking ownership of the entire facility (or a subset there of), including your data, what happens then? What happens if that can be used to replicate your business model, take your customers, etc? Similarly, what about when government or law enforcement requests that data be disclosed, does the provider comply with the request or resist?

Data Destruction – When you decide to move platforms, services, providers, etc, will the provider destroy your data sufficiently so that it isn’t recoverable?

Damage and/or Destruction – What happens to you/your business when data is accidentally or maliciously damaged or destroyed. What happens to your reputation? What are your liabilities? This I covered off briefly in the above mentioned post, “Cloud computing protection – Is this the place for Law?“.

Depending on he size of your business and the service you are going for your ability to negotiate the SLAs will vary greatly. At the end of it, you will still have to look at all of these generic risks as well as the specific risks associated with your business and decide accordingly (through risk assessment). As with most of these, there are compensating measures that can be put in place to mitigate or reduce the affects.

At the end of the day, like any traditional outsourced relationship you don’t want to rely on a service credit against a breached SLA when your business is impacted. I’m not trying to take an alarmist approach, I prefer to see this as a more pragmatic one.

Just my $0.02 worth.