Cloud Computing A Guide for Business Managers

ICAEW

INSPIRING CONFIDENCE icaew.com/itfac

CLOUD COMPUTINGA GUIDE FOR BUSINESS MANAGERS

CLOUD COMPUTINGA GUIDE FOR BUSINESS MANAGERSby Barnaby Page

This report is published by the Faculty of Information Technology of the Institute of Chartered Accountants in England and Wales. The views expressed do not necessarily reflect those of the Council of the Institute.

Copyright © 2010 ICAEW

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior permission of the publisher.

No responsibility for the loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the publisher.

ISBN 978-0-85760-000-4

CLOUD COMPUTINGA GUIDE FOR BUSINESS MANAGERS

Contents

1 INTRODUCTION 4

2 CLOUD COMPUTING DEFINED 5

3 PROS AND CONS OF THE CLOUD 7

4 CHOOSING AND DOING BUSINESS WITH A CLOUD PROVIDER 12

5 BUSINESS IMPLICATIONS OF CLOUD COMPUTING 14

6 THE FUTURE OF THE CLOUD 16

7 CONCLUSIONS 17

APPENDIX A GLOSSARY 18

APPENDIX B FURTHER INFORMATION 19

APPENDIX C EXAMPLES OF CLOUD PROVIDERS 20

4 Cloud Computing – A Guide for Business Managers

For decades, managers have wrestled with the question of whether to keep IT functions in-house – which maximises control, but can be complex and wasteful – or contract them out to a specialist supplier. Cloud computing is a new solution to that problem, harnessing the Internet to deliver IT services that, its proponents maintain, are more flexible, more efficient, and cheaper than a business’s own data centre can hope to be.

But is it the right solution for everyone, and for every IT process? Does it pose threats – to the integrity of data and the business’s governance capabilities – as well as presenting opportunities? How does one choose a cloud computing supplier in such a new, and sometimes confused, market? What, precisely, do the different kinds of suppliers offer? How should the relationship with them be managed? And, going beyond IT, what are the implications of cloud computing on issues as diverse as corporate social responsibility and HR management?

This guide answers these questions. Using it, managers in both IT and other disciplines should be able to plot their next steps in exploring the potential of cloud computing – perhaps by using the further information sources listed at the end – as well as outline their requirements when seeking a cloud supplier, and the policies they will follow in employing this latest response to an age-old IT dilemma

1. INTRODUCTION

5Cloud Computing – A Guide for Business Managers

2. CLOUD COMPUTING DEFINED

‘Cloud computing’ is a relatively new phrase, dating to around the beginning of this century, but the principles underlying it are not new. Its roots can be seen decades ago, when it first became common for organisations to entrust parts of their IT processing requirements to external suppliers.

Metaphors to describe cloud computing abound. It has been compared to putting supercomputer power on the desktop; it has also been suggested that an Apple Mac plus an iPod constitutes a (tiny) cloud. The fact that such vastly different descriptions can be applied to the same concept illustrates the lack of clear definition in this rapidly emerging field, as do the frequent overlaps both conceptually and in terminology between cloud computing and related developments such as grid computing. However, it is possible to outline some clear characteristics.

CHARACTERISTICS OF CLOUD COMPUTINGThe essence of cloud computing is that some IT processes move from the user’s PC, or the in-house file server, to an external supplier. This supplier provides the cloud: a very large, virtualised set of resources such as CPU power, memory and storage, scalable on demand and accessible online. Software runs on hardware belonging to the cloud provider, and the individual user accesses it over the Internet, their desktop becoming a kind of remote terminal.

Most of us already use cloud computing without being aware of it. For example, one of the first applications was the Hotmail email service, launched in 1996 (and acquired by Microsoft the following year). A more recent arrival is the Google Docs productivity suite, which provides tools such as a word processor and a spreadsheet over the Internet – the end user can access not only the applications but also their saved documents from anywhere, needing only an Internet connection.

An even more sophisticated example is eBay. While to the casual browser the auction website may seem little different from many other online stores, to the seller eBay offers a wide array of cloud services for managing stock lines and customers. The seller runs little or no eBay-related software on their own PC, but employs eBay’s tools, billed on a pay-per-use basis. Thus, although it does not market itself as such, eBay is a cloud provider.

Larger organisations, of course, have IT requirements far beyond sending email or selling goods. But cases such as Hotmail, Google Docs, and eBay are worth remembering for they illustrate that cloud computing is an approach to providing IT rather than a technology in itself.

MOVING TO THE CLOUDCloud applications have been employed, then, by individual users on an ad-hoc basis for some years. But what is changing now is that organisations large and small are starting to consider moving substantial parts of their IT operations to the cloud, whether strategically over a long period, or tactically over a shorter one.

In either case, the ultimate responsibility for the IT function remains firmly with the business – and in practice, it is much more likely that some rather than all IT processes will move into the cloud. This is particularly true with larger businesses, with complex computing requirements not all of which are suitable for migration immediately (or perhaps ever), and for which a wholesale move to the cloud might be too large and risky a project.

BENEFITS OF CLOUD COMPUTINGThe cloud customer is no longer burdened with procuring and managing physical hardware: they simply request from the cloud supplier what they need to meet current requirements, and the resources


reported to be acquiring 10,000 servers per month to operate its Windows Azure cloud platform, and while it is clearly an exceptionally large IT player, it is important to bear in mind that a cloud is on a far larger scale than most business’s data centres.

All these are public cloud models. It is also possible for larger organisations to develop their own private clouds, gaining some of the benefits of cloud computing within their own data centres. Effectively, they act as their own cloud provider, using some of the techniques of cloud providers (such as virtualisation) to provide a variety of the benefits (such as reliability and scalability) although they do not free the business from the cost of buying and running systems in the way that true cloud computing can.

However, this is a rational option only for very large organisations: for example, when the British government’s ‘G-cloud’, which will host applications for all local and central departments, is fully deployed in 2013-14 it is estimated that the number of data centres they collectively need could be reduced by more than 90 percent.

And there are hybrid cloud models where a private cloud is combined with the public cloud, each taking on some of the IT workload. (These should not be confused with hybrid applications which mix elements of web applications and local PC applications, and are not necessarily related to cloud computing.)

This guide will concentrate on the public cloud approach, which has driven the development of cloud computing; the private and hybrid alternatives share much the same strengths and weaknesses as the public model. Most of the issues we look at relate to the deployment of SaaS – cloud computing in its most full-featured form – although we also mention some points particular to IaaS and PaaS.

available to them are grown or decreased accordingly, generally without human intervention and in near real time. Billing is, broadly speaking, based entirely on usage. These, along with the fact that the relationship between a business and its cloud computing provider can be extremely short if necessary (even measured in days or weeks), are the principal differences between the cloud approach and the older practices of outsourcing or employing a computer bureau’s services.

VARIANTS ON THE CLOUD MODELInevitably, however, not all clouds are implemented alike – and if one thing is certain, it is that new variants on the cloud computing model will continue to appear rapidly over the next few years.

Some cloud computing suppliers provide complete, ready-to-use applications, which the business can easily customise to its requirements and then quickly start using: Software as a Service (SaaS). Often, applications offered as SaaS are online versions of familiar software that previously ran on users’ own PCs or servers.

The SaaS approach, which first became prominent in customer relationship management (CRM) but has since spread to many types of application, is also characterised by the emergence of an ‘eco-system’ of third parties offering further software based on the cloud provider’s core product.

At the other extreme, cloud providers may offer nothing but raw hardware capability and networking connections, an approach often termed Infrastructure as a Service (IaaS), or less often Hardware as a Service (HaaS). Or they may also provide a development platform on which the customer can build and host their own applications: Platform as a Service (PaaS)

IaaS and PaaS suppliers may deploy thousands of servers, although many SaaS providers run significantly fewer: their more specialised service means a smaller customer base. Microsoft, for example, was recently


3. PROS AND CONS OF THE CLOUD

What does the cloud computing approach have in its favour – and what goes against it?

PRO: THERE SHOULD BE COST SAVINGSThe typical data centre has to provide for peaks in the demand for computing resources, and a highly heterogeneous mix of applications. As a result, most of the time much of the resource may be lying unused – a wasted investment. With cloud computing, however, at any given moment the organisation is paying only for the precise amount of IT horsepower that it requires, because the resources available to it can be automatically increased (provisioned) or decreased (de-provisioned) in close to real time as computing demands grow or shrink, within pre-agreed levels. The in-house data storage requirement can also be dramatically reduced.

It is also worth remembering that the cloud allows a very granular approach to buying computing power: the in-house data centre cannot, realistically, buy a quarter of a server! But when purchasing server capacity as a service rather than servers as hardware, that is commonplace.

Moreover, the data centre has likely grown over time to include a wide range of hardware from different suppliers. But the cloud provider usually operates a much simpler hardware environment on a much larger scale, allowing it to achieve economies both in purchasing and in support, which can be passed on to the customer.

There are less obvious savings to be passed on too. For example, electrical power is an important cost to all data centres. The cloud provider has the luxury of siting its facilities where power is cheap and designing them from scratch to maximise power efficiency, for example through state-of-the-art cooling systems.

And in larger organisations, the floor space saved now that fewer servers are housed in the data centre may also be noticeable.

CON: BEWARE ILLUSORY COST SAVINGSNote, however, that we say there should be cost savings. The financial pros and cons of moving to the cloud are not always easy to ascertain. In particular, while pricing and service guarantees from the cloud provider may appear transparent, it can be difficult to compare those on a like-for-like basis with the in-house data centre.

For this reason, many organisations may prefer to explore cloud computing by launching a new IT project there, avoiding the need for capital expenditure and with a reasonably clear picture of the costs that would be involved in pursuing the project in-house.

PRO AND CON: THE NATURE OF COSTS CAN CHANGE TOOIn broad terms, locating IT in the cloud involves no capital expenditure: all cost is operating cost.

Whether this is an advantage or a disadvantage depends on the customer organisation: some non-commercial bodies, for example, may find it easier to gain funding for capital expenditure than for ongoing costs.

Historic capital expenditure can also have an impact on an organisation’s cloud policy. If a large amount has been invested relatively recently in servers or a new data centre and there is excess capacity, it may be more appropriate to convert this into a private cloud, rather than paying a public cloud provider.

But whether the cloud is public or private, the pay-as-you-use billing model of cloud computing should make it easy to associate costs with individual IT processes and projects. In private clouds, of course, it is the


different departments or divisions of the business that nominally ‘pay’ for their use.

Of course, there will be a few relatively trivial items – both capex and ongoing cost – not paid directly to the cloud provider but still related to using the cloud. For example, the business may need to increase its network capability to handle the constant communication between its own premises and the cloud.

PRO: UPGRADES ARE SMOOTHER AND MORE FREQUENTIt is the responsibility of the cloud provider to manage upgrades and fixes to hardware and software. Because these are at the heart of their core business, they are processes which the cloud provider should manage promptly – perhaps faster than the average in-house IT department is able to, beset by other demands on its resources and constrained by other business requirements. (For example, it is often not practical to take systems down in order to immediately install a software patch.)

Moreover, because the customer’s IT processes in the cloud can seamlessly move from one physical resource to another, the cloud provider can perform maintenance and upgrades without noticeable effects on service.

PRO: CLOUD COMPUTING INCREASES AGILITYMuch the same factors that reduce costs also increase IT agility. The ease of provisioning or de-provisioning services in the cloud makes it easier to respond to swings in the business’s demand for IT resources, whether those are predictable (as in the case of end-of-month and end-of-year jobs) or unpredictable (such as a new business opportunity). It also, of course, makes the cloud an enticing way of providing IT for start-ups and new locations.

The IT department’s own internal work can also be freed from the resource constraints on the data centre. For example, the cloud is often used for testing newly developed software; a very large virtual computing environment mimicking the real organisation’s IT infrastructure could be created in the cloud purely for testing with true-to-life workloads. Similarly, third party software can be tried out in the cloud without consuming resources.

With PaaS, software development itself can also be carried out in the cloud, although this has drawbacks as well as advantages – as we discuss below.

CON: SECURITY ISN’T SO SIMPLEThere is no getting around it: security, and related concerns such as legal compliance, are among the biggest question marks most potential users raise over the prospect of cloud computing. The more that the cloud is embraced, the more of the business’s data will be stored outside its own firewall, and the more IT processes will take place there. Even if the risks turn out to be illusory, it would be an irresponsible manager who did not consider them carefully.

Of course, cloud computing is not unique in this; conventional local area network computing carries many potential risks too. And nearly all cloud-related dangers can be guarded against, however, or at least (in extreme cases such as natural disaster) the damage they cause can be minimised, so the best guarantee of security is a detailed evaluation of potential cloud providers – as well as continuous, proactive monitoring of data integrity.

The nature of data being stored in the cloud, and the criticality of processes running there, dictate the level of security needed. How sensitive is the information, how desirable might it be to steal or tamper with, how badly would the business be affected if an application were compromised?


Possible risks include:

• Attacks from outside the cloud. These could be malware such as viruses or worms as well as attempts to hack into the cloud in general, or into your data specifically. The actual risk of coming under attack may be no greater in the cloud than in the organisation’s own data centre; the difference is that although the organisation can monitor the integrity of its data within the cloud, practical responsibility for guaranteeing security must lie with the cloud provider.

• Attacks from inside the cloud. Clearly it is not in the interests of any cloud provider to employ maliciously or criminally motivated staff, and given the nature of its business it should have exceptionally high levels of internal security – but it is worth establishing exactly what these are and comparing them against industry norms.

• Inadequate separation of cloud customers. The resources of the cloud are shared among customers, so is important to be confident that data and processes are invulnerable to effects – deliberate or accidental – caused by other users’ activity.

• Disasters. Again, because of the nature of its business, the cloud provider will most likely have a better developed disaster recovery and continuity plan than many of its customers. But it is important to assess this, bearing in mind that the provider may well have multiple data centres in different parts of the globe.

• Business failure. What happens if the cloud provider goes out of business? Normal checks on its stability, track record, financial status and so on will help ascertain risk. But, again, it is worth reiterating that the cloud provider may well be in a remote jurisdiction, with different standards, regulations, and records.

• Compliance breaches. Although data resides in servers owned by the cloud provider, it remains the business’s responsibility to ensure that it is stored and used in compliance with legal requirements. These could include legislation in the territory where the cloud servers are physically located, as well as everywhere the business operates. It is thus essential to establish exactly where data might be held – Google, for example, has servers in four continents and more than a dozen nations – and to consider all possible permutations of data transfer between one of the territories involved and another. This is, of course, especially significant in privacy-oriented and highly-regulated sectors such as banking, gaming, and healthcare, but the requirements of legislation such as the Data Protection Act apply across the board. If a cloud provider is certified as complying with the US-EU Safe Harbor principles, that is a good indication of strong data protection measures being in place.

CON: CUSTOMISATION IS NOT SO EASYThe economics of the cloud are based on providing identical services – whether hardware capability, in the case of IaaS, or software too in the case of PaaS and SaaS – to a large number of customers. The lack of variation in the services on offer helps the cloud provider keep down procurement, installation, operation and support expenses, and maximise efficiency, often through custom-building hardware. In turn, it can pass on those cost reductions.

In this respect, the cloud provider’s business model is rather similar to that of a fast food restaurant. And, like the burger joint, the cloud provider will generally be unwilling to offer customisation of what it sells, outside narrow and pre-established parameters.

This makes the public cloud unsuitable for certain kinds of computing that have very specific and unusual hardware requirements, for example in scientific


research. Even if it is technically possible to perform these tasks in the cloud, the degree of customisation required may make it more expensive than in the data centre.

PRO: THE CLOUD ENABLES REMOTE WORKINGWe mention the environmental aspects of remote working below, but of course the freedom for staff to work away from the office has other advantages. These include hard benefits such as reduced costs for office space and car parks, as well as many more soft benefits such as employee satisfaction, retention, and improved productivity.

Moving IT to the cloud is certainly not a pre-requisite of remote working – the practice had been adopted for years by many organisations, long before cloud computing appeared on the scene. However, the fact that the cloud by its nature permits remote access to IT resources helps to overcome the technical hurdles that distant working can pose. It does not, of course, address the more significant managerial and HR issues.

PRO: THE CLOUD FREES UP THE IT DEPARTMENTOnce an appreciable amount of IT resources are relocated to the cloud, the IT department is liberated from many routine tasks such as installing new equipment and software upgrades, and tracking and fixing minor faults.

This frees up the IT team to work on more creative tasks such as software development and/or allows a reduction in head count, although this is likely to be one of the main reasons for internal resistance to cloud computing. This is discussed further below.

Moving to the cloud does not just free human resources within IT, however. It also frees up technology resources to be used in a more efficient way. A carefully designed split of the organisation’s IT workload between the cloud and the data centre can allow the latter to be much more productive,

concentrating in-house resources on a smaller number of tasks to which they are best suited – rather than wastefully dedicating them to rarely-performed jobs, or keeping them idle in anticipation of unusual demand peaks.

POSSIBLE CON: BEWARE SUPPLIER LOCK-INDifficult-to-break ties to the cloud provider’s technology are sometimes cited as a potential disadvantage of migrating to the cloud, but in reality some of the advantages greatly mitigate this.

It is true that the SaaS customer is committed to using software that is ultimately controlled by the cloud provider, who determines, for example, the upgrade cycle – and this does appear to create a kind of lock-in. Set against this, however, must be the alternative: where software is hosted in-house, the investment in purchasing it also acts as a barrier to change. Additionally, since the customer can (at least in theory) switch cloud providers or abandon the cloud model altogether at any time, there is a strong incentive for the cloud provider to remain responsive to customer needs.

Thus, in the case of SaaS, in practice the business may well be less locked in to specific software than it would be if hosting systems itself.

IaaS, meanwhile, is a commodity service without vast differentiation between suppliers, which it is relatively straightforward to enter and leave without impacting business processes or data.

Lock-in only becomes a factor worth major consideration under the PaaS model, where the customer must invest time and resources – perhaps considerable ones – in developing for the cloud provider’s platform. So it is important to be sure that the development and deployment platform is the right one before committing. If it is based on software components widely used elsewhere, that should


provide reassurance that applications developed for a specific cloud will not be confined there.

Under all three models, however, it is best practice to ensure that data entrusted to the cloud is easily recoverable in a standard format, and that any application code developed for the cloud can be reused or ported to another platform.

PRO: IT IS (PROBABLY) GREENWith environmental issues ever more to the forefront of the managerial consciousness, it is not surprising that the green credentials of cloud computing are becoming significant. Cloud providers’ data centres are likely to use power much more efficiently than their clients’ – running and cooling hardware is a major cost to the cloud companies, whose data centres may each consume as much as a medium-sized village – and the principles of standardisation, virtualisation, and sharing of IT resources among clients (multi-tenancy) on which they are operated mean that resources are employed more efficiently.

However, this only becomes a significant issue where a business is operating a very large data centre and moving a substantial portion of its work into the cloud. If data centre power consumption is not already an issue which the organisation actively manages (whether for green or financial reasons), it is unlikely that migration to the cloud will make more than a very marginal environmental difference.

It is also worth noting that if the cloud provider’s data centres are located in territories where most power generation is considered environmentally unfriendly – for example China or India – this may negate all other environmental benefits.

PRO: SMALLER BUSINESSES GAIN RELIABILITY AND FLEXIBILITYWhile larger organisations can consider replacing their own data centres with the cloud, smaller businesses that move to this model are in effect gaining a real data centre for the first time – and it is likely to be more secure, more resilient, better managed, and more regularly upgraded than the office PC network.

Cloud computing also allows smaller organisations to easily enable their staff to work on the road or from home without the complication of configuring in-house systems for remote access, and can even permit the use on a pay-as-you-go basis of applications that they couldn’t justify purchasing outright. For example, high-priced software for a specialised engineering, design, or statistical task might be very useful but only very occasionally; purchasing it on a conventional licence basis would be prohibitive, but as a cloud application it would be charged-for only when used.

Some supporters of cloud computing have even argued that when (or if) the approach becomes universal, the cost of all applications for small businesses should tend to decrease. Their logic is that, at the moment, most software lies idle most of the time; switching to a pay-per-use model would mean that the cost of an application more accurately reflected its contribution to the business. This, though, remains a theoretical point: however popular the cloud model becomes, applications installed on desktop PCs or local servers are still likely to be with us for some time.


4. CHOOSING AND DOING BUSINESS WITH A CLOUD PROVIDEROnce a decision has been made to take IT functions into the cloud, identifying a cloud provider is the next step, and it requires a clear definition of requirements. This is true not only in terms of technical capacity – which will be effectively unlimited where most cloud providers are concerned – but in a number of other important respects.

COMPATIBILITYHow easy is it to enter – and maintain – the relationship with the cloud provider? Making the first move into the cloud requires transferring data, and probably applications too (unless the move is to a pure SaaS provider). That task will be eased by the use of common data formats – unless, perhaps, the organisation’s hardware and software is extremely old, in which case any problems are offset by the reality that the data would soon have to be transferred to a newer system anyway. In any case, however arduous moving existing data may be, it is a one-off task.

Hardware incompatibilities between the cloud and the data centre are also unlikely to prove a major stumbling block, as all communication between them is mediated by a network compatible with both – the open Internet or a virtual private network (VPN).

Much more likely to be a challenge is the continuing interaction between software in the cloud and software in the data centre, and the movement of data between them. As a rule, it is advisable to keep each side as self-contained as possible. For example, rather than running a purchase order system in the cloud and an invoice settlement system in the data centre, all systems related to purchasing should be located in one or the other.

SECURITY AND COMPLIANCECan the cloud provider offer a level of security that is, at least, practically equivalent to that currently delivered by the in-house data centre, bearing in mind

that moving to the cloud also introduces new security threats?

Can the cloud provider guarantee compliance, both with regulatory requirements in all the territories involved – those where the organisation operates and those where the cloud operates – and with internal corporate governance standards? How trustworthy are those guarantees? What remedies are available if they are not met?

AVAILABILITY AND PERFORMANCECan the cloud provider guarantee adequate uptime (the percentage of time that the cloud is functioning properly and available for use)? Depending on the business’s needs, this could be quoted as 99.9 percent or 99.99 percent, with some striving for 99.999 percent; usually it is codified in a service level agreement (SLA).

Uptime requirements may vary among processes – for example, a real time system handling retail payment transactions needs the highest possible uptime, while a system collating figures for financial reports will be less affected by occasional unavailability. Remember that uptime’s opposite – downtime – includes not just occasions when there is a fault within the cloud, but also scheduled interruptions for maintenance.

Performance and availability can be monitored by the business using technology such as a dashboard, which gives a snapshot view of key indicators concerning the client’s ‘part’ of the cloud.

The business’s broadband service, while no responsibility of the cloud provider, is also a major consideration. Moving critical applications to the cloud means that the Internet link is the only way to access them; it also means that data may now be stored at a great physical distance from the business, possibly even on a different continent, inherently creating delays in accessing and retrieving it. Connections that


are slow or unreliable will therefore directly impact the capability to do business.

Organisations located in areas that do not yet have the fastest broadband available may consider delaying their move to the cloud, or at least limiting it to less vital applications; others should be prepared to invest in the best possible connectivity.

THE BUSINESS RELATIONSHIPHow easy is it to exit the relationship with the cloud provider?

How easy is it to extract data stored in the cloud and applications developed and/or hosted there, and use them elsewhere? We discussed this in more detail in section 3.

Is the cloud provider stable in the long term? Again, we discussed this in more detail in section 3.

Who owns data stored in the cloud?

MAKING THE CHOICEIt is worth noting that while there are some household names offering cloud services – notably Amazon, Google, IBM, and Microsoft – they are by no means the only alternatives: and indeed in all these cases, operating the cloud for external customers is not their principal business.

There is also a steady stream of new entrants to the field, and because it is a relatively undeveloped one, even established companies may not have as many client testimonials as one would expect in more mature markets such as hardware and software. Differentiations among the various types of cloud providers are not always clear, either.

All these factors mean that choosing a cloud provider is not as straightforward as, for example, upgrading desktop PCs. Trust therefore becomes of paramount importance. Beware, too, the practice sometimes

termed ‘cloud washing’ – when vendors apply the fashionable term ‘cloud’ to a service that does not really deliver the benefits of cloud computing.

It is sensible to clearly specify in any contract with a supplier of cloud services exactly what is expected of them in terms of either transferring or deleting your data should you decide to terminate the agreement.

Some cloud providers have non-negotiable terms of use, which can include non-negotiated changes to the terms of use or the business model. So, ensure that you fully read and are happy with the agreement before signing anything.


5. BUSINESS IMPLICATIONS OF CLOUD COMPUTINGThroughout the life of a cloud computing project, but particularly at the beginning, a number of internal issues will be encountered which do not involve the cloud provider but must be addressed.

HOW FAR SHOULD WE GO?In most organisations there will be some applications which should never move to the cloud – perhaps because they involve extremely sensitive data, or because they form a fundamental part of a service which the business offers directly to its customers, in which case ceding even the slightest control could pose unacceptable risks and limitations on development.

STAFF RESISTANCEIt is no surprise that there may be strong resistance from staff at all levels to the introduction of the cloud, as indeed there typically is with the introduction of any new system. In some cases this may simply be based on the old principle of ‘not invented here’; in others it may be a genuine concern that the business is handing too much responsibility to an outside body and will live to regret it. There may also be a real (and even well-founded) concern that there will be job losses in IT. As always, communication and, where appropriate, consultation will alleviate many of these worries.

STAFF INVOLVEMENTWho should run a cloud project? It is tempting to think of it as purely an IT matter: that is certainly the department most affected, and it is the naturally appropriate part of the business to oversee the relationship with the cloud provider on a day-to-day basis.

However, there can be advantages in involving other parts of the business, too. For example, the marketing department may have shied away from developing ambitious ideas for customer behaviour analysis, merely because its managers knew that the

organisation would not have sufficient IT resources. With the cloud, that ambition could now be realised.

And, as with any major change, it is beneficial for leaders in every department to understand the main factors driving it and the expected benefits. The support of senior management in a range of disciplines, rather than just IT, can also be advantageous when seeking board-level ratification.

It can be surprising how far beyond the IT department the impact of the cloud can spread. For example, the business may need to adopt new models of costing and budgeting, enabling individual departments to directly request and authorise provisioning of cloud resources as they are needed, rather than continuing to ‘purchase’ IT centrally.

MYTHS OF CLOUD COMPUTING

It is tried and testedYes and no. The underlying concept certainly is, as is the technology, but it must be acknowledged that cloud computing has not yet been employed on a very large scale by many businesses. For smaller organisations, this should not be a concern, but those considering migrating a huge IT operation to the cloud should bear in mind that while the model is indeed built around scalability, it does not yet have a long track record. This situation will inevitably improve, and any limitations of the cloud become clearer.

It is all or nothingEmphatically no – in fact, moving an entire IT department to the cloud is not only rare, it is probably inadvisable too. There will most likely be some IT functions always better performed in-house.

The cloud needs no oversightAgain, emphatically no. The work of the IT department will change considerably when cloud computing is adopted, but it will not disappear.


While some functions will move to the cloud supplier – notably hardware procurement and maintenance, and perhaps some end user support, particularly under the SaaS model – the final responsibility for delivering IT to the rest of the business will remain with the IT department.

It must therefore continually supervise the performance of the cloud provider, and work to optimise the way systems are deployed between the cloud and the data centre. Governance, security and compliance also remain the duty – in many cases the legal duty – of the business.

Clear policies on who can use, alter and delete not only data but also cloud services are essential. Controls on user identity and access should be as tight as they are for in-house systems, and security should be ensured both by preventative methods and by continuous monitoring.

The benefits of cloud computing are also best realised when strong leadership from the IT department ensures that deployment in the cloud is planned to maximise its efficient use, rather than approached on an ad-hoc basis that will eventually leave the business with a confusing and difficult-to-manage melange of disparate cloud services. In that situation, applications or data – whether held in-house or in the cloud – may have dependencies on other applications or data that are not well understood, raising the possibility of unanticipated side effects when one element is changed.

A central part of good governance, therefore, is cataloguing all cloud services and recording exactly what they deliver, to whom, and how.

One cloud provider will do it allNo. In fact, many organisations embracing cloud computing have found it most efficient to use different providers for different purposes. This does, of course,

turn the two-way relationship between cloud and data centre into a three- or four- or more-way relationship, but the associated management overhead should be compensated for by the efficiencies and savings gained from assigning precisely the right cloud provider to each task.


6. THE FUTURE OF THE CLOUD

As with any fast-moving IT field, the future of cloud computing is impossible to predict with certainty, even within a period as narrow as two years. The unexpected entrance of a large player into the market, or the development of a new technology, could transform the cloud in a positive way; equally, restrictive new legislation on data privacy could hinder its growth.

However, there are some trends beginning to become apparent which, barring large surprises, are likely to be significant factors in the near future.

Standards will emerge covering issues such as the interface between the data centre and the cloud. These may be de facto standards forced on the market by dominant suppliers, or they may be formalised. In either case, whether or not they are the technically best solutions, they should make the choice of cloud provider and the processes of cloud/data centre transition and integration easier.

‘Cloud in a box’ products will make it swifter and simpler to establish a private cloud.

Growing enthusiasm will be accompanied by slip-ups – but that will be an opportunity for learning. There is indisputably interest in the potential of the cloud: 72 percent of small UK businesses will deploy cloud computing within five years, according to a survey released at the beginning of 2010 by the ISP Easynet Connect. A small majority believe cloud computing will save them money; nearly half believe it will enable remote working. The larger firms in that group – those with 50 or more employees – are the most interested. Yet few of the small businesses surveyed by Easynet Connect have formal cloud strategies in place. A few failed cloud projects in the public eye may well help to crystallise thinking on best practice.

As SaaS grows in popularity across a range of application types, so will the eco-systems of third party software vendors supplementing the core SaaS

software with their own specialist add-ons. This is already happening in some fields where the cloud is well established – the CRM SaaS pioneer Salesforce.com, for example, allows other companies to build specialised CRM products on its Force.com PaaS platform, and sell them to Salesforce.com’s customers. Among the products based on the Salesforce platform is the accounting system FinancialForce (previously known as Coda 2go).

More big vendors will enter the market. These will include not only the best-known names in IT (most of which already have some presence, or at least stated ambition, in the cloud). They are also likely to include major telecommunications firms, as well as a few very large businesses in other fields which see that they can sell their own internal cloud technologies to other users. Both Amazon and Google entered the market in this way.


7. CONCLUSIONS

Cloud computing:

• Is an approach to providing IT, not a technology.

• Is appropriate for, and will cut the cost of, many – but not all – IT functions.

• Will improve the agility and speed of IT’s response to business needs.

• Will ensure that upgrades and maintenance are seamless and transparent.

• Requires rigorous governance.

• Requires a clear plan of action and definition of IT requirements.

• Requires staff and management buy-in.


APPENDIX A GLOSSARY

cloud – a large pool of IT resources owned and operated by a cloud computing supplier and made available to its customers to carry out their own IT processes.

dashboard – a software tool providing a snapshot of key indicators that show the performance of IT resources located in the cloud.

de-provisioning – reducing the IT resources in the cloud that are available to a particular customer, at their request.

downtime – the time (usually expressed as a percentage of total time over a given period) that a system is not available for use.

grid computing – the technique of using multiple physical computers simultaneously to perform one software task.

hardware as a service (HaaS)/infrastructure as a service (IaaS) – a type of cloud computing where customers are provided with processing power, data storage, and other hardware resources, but no software.

hybrid cloud – a computing environment that includes both public and private clouds.

multi-tenancy – the practice of sharing IT resources in the cloud among multiple users. In particular, the term can refer to a single instance of application software being used simultaneously by different cloud customers, each of which experiences the software as if they were the only user.

platform as a service (PaaS) – a type of cloud computing where customers are provided with a software platform for developing and deploying their own applications, and also with hardware resources, but are not provided with actual application software.

private cloud – not strictly cloud computing, but a cloud-like approach to servicing an organisation’s own IT requirements making use of cloud suppliers’ techniques such as virtualisation.

provisioning – increasing the IT resources in the cloud that are available to a customer, at their request.

public cloud – a cloud available to be used (for payment) by businesses and other organisations unconnected with the cloud provider.

service level agreement – an agreement between a supplier and a customer quantifying the level of each service that is to be supplied, measured by key performance indicators such as availability and performance.

software as a service (SaaS) – a type of cloud computing where customers are provided with fully functional application software in the cloud, as well as hardware resources.

uptime – the time (usually expressed as a percentage of total time over a given period) that a system is available for use.

virtualisation – a technique whereby multiple IT resources (such as disks) can be logically treated as if they were one, or where one resource (such as a server) can be logically treated as if it were several, allowing a close match of resources to needs.


APPENDIX B FURTHER INFORMATION

Most of the major journals, magazines and online information sites for IT managers have covered cloud computing extensively, but here are a few resources that provide specific coverage:

The Business Case for Software as a ServiceDownloadable PDF from Intellect http://tinyurl.com/yf9dknj

Developing on the CloudDownloadable PDF from BASDA http://tinyurl.com/y94p3uy

BusinessCloud9Newsletter-style website at http://www.businesscloud9.com

Cloud Computing JournalMagazine-style website at http://cloudcomputing.sys-con.com

Cloud Computing: Benefits, Risks and Recommendations for Information SecurityComprehensive analysis of security implications from the European Network and Information Security Agency, downloadable as a PDF from http://tinyurl.com/yzbvvzu

NIST Definition of Cloud Computing v15Definitions of types of cloud computing from the U.S. National Institute of Standards and Technology, downloadable as a Word document from http://tinyurl.com/lovlvh

The Cloud TutorialOnline guide to many aspects of cloud computing, including detailed price data and vendor information, at http://www.thecloudtutorial.com

Cloud Computing for DummiesDespite its name, this book is an excellent overview for IT management new to the subject. ISBN 0470484705

IT Faculty Publications• OnlineAccountingSoftwareProductGuide

• AnIntroductiontoSoftwareasaService

• Web2.0–TheBusinessPerspective


APPENDIX CEXAMPLES OF CLOUD PROVIDERS

The following list of typical cloud providers is intended to illustrate the diversity of companies active in the field, rather than to be exhaustive or to recommend any specific company.

LARGE PROVIDERS

Amazon aws.amazon.comThe online retailer’s first step into the cloud was its Simple Storage Service (S3), launched in 2006 to take advantage of its unused server capacity. It has since added SimpleDB, a hosted database service, and Elastic Compute Cloud (EC2), which offers fully-fledged IaaS.

Google www.google.com/aThe search engine giant offers a comprehensive set of applications in the cloud, including mail, calendar, office suite, discussion groups, intranet hosting and video sharing.

Microsoft www.microsoft.com/windowsazureAs this guide went to press in early 2010, Microsoft had just gone live with its PaaS service Azure, giving users a Window-based development and deployment platform in the cloud. In addition, Office 2010 will offer web-based versions of Word, PowerPoint and Excel available via Microsoft’s own servers.

Rackspace www.rackspace.comRackspace’s Cloud Drive and Server Backup provide data storage as a service. It also offers hosting of web applications across multiple servers, provisioned and de-provisioned on demand (a service it calls Cloud Sites), while its Cloud Servers option gives unrestricted root access to Linux servers.

MEDIUM-SIZED PROVIDERS

ElasticHosts www.elastichosts.comOne of the few UK cloud providers, ElasticHosts offers a scalable service to small and medium-sized businesses.

Customers can pay by the hour or subscribe by the month.

GoGrid www.gogrid.comGoGrid is the cloud service of ServePath Dedicated Hosting, which also provides storage as a service.

VirtualAge www.virtualage.co.ukMyDesktopOnline from Britain’s VirtualAge is a suite of applications running in the cloud, including web browsers and office applications.

Zoho www.zoho.comZoho’s USP is providing basic applications in the cloud at low prices. They include project management, word processing, spreadsheet, presentation, customer relationship management, email and calendar.

MAJOR APPLICATIONS IN THE CLOUD

Accountancy accountsIQ www.accountsiq.com*

Liberty Accounts www.libertyaccounts.co.uk*

Netsuite www.netsuite.com*

Xero www.xero.com*

(*ICAEW accredited)

Customer relationship management Salesforce.com www.salesforce.com

Database MySQL www.mysql.com/products/enterprise/cloud.html

A list of over 60 SaaS billing and accounting packages, incorporating pricing information, geographical details and links to individual supplier websites, is available at https://bizcloudapps.dabbledb.com/page/bizcloudapps/QbqqpCrJ#

THE AUTHOR

Barnaby Page is a technology journalist of 20 years’ standing who has also worked on research and reports for corporate clients including HP Europe, the National Computing Centre, 3M, and some of the world’s biggest retailers.

IT FACULTY BENEFITS

•Keepontopofimportantdevelopmentswithe-bulletins,bi-monthlymagazineand technical reports.

•Accessinformationondemandviathefaculty’sexclusivewebsiteandtheITCounts community.

•Advanceyourcareerandbusinesswithpracticalhelpandresources–fromonline tools to free member events.

•Exchangeideasandmakeusefulcontactsthroughournetworkingfacilities.

•Haveyoursayandcontributetothefaculty’sreputationforengagingwiththeimportant issues and the key players in IT.

The IT Faculty exists to help accountants make better use of IT and to further the study of information technology in all its forms, including the development of thought leadership and research. Membership is open to anyone, not just Chartered Accountants, for an annual subscription of £99.

Visit us and join online at icaew.com/itfac.

© ICAEW 2010 |

As a world-class professional accountancy body, The Institute of Chartered Accountants in England and Wales (ICAEW) provides leadership and practical support to over 132,000 members in more than 160 countries, working with governments, regulators and industry to maintain the highest standards.

Our members provide financial knowledge and guidance based on the highest technical and ethical standards. They are trained to challenge people and organisations to think and act differently, to provide clarity and rigour, and so help create and sustain prosperity. The ICAEW ensures these skills are constantly developed, recognised and valued.

Because of us, people can do business with confidence.

Information Technology FacultyICAEWChartered Accountants’ Hall Moorgate Place LondonEC2R 6EA UK

T +44 (0)20 7920 8481F +44 (0)20 7920 8657E [email protected] icaew.com/itfac

Cloud Computing A Guide for Business Managers

Documents

Transcript of Cloud Computing A Guide for Business Managers