OPEN DATA CENTER ALLIANCE SM USAGE MODEL: CLOUD MATURITY MODEL REV. 2.5

Transcription

1 OPEN DATA CENTER ALLIANCE SM USAGE MODEL: CLOUD MATURITY MODEL REV. 2.5 Version Date Editor Description of Change Contributors The following individuals from the Open Data Center Alliance have contributed to the contents of this document: Christoph Jung T-Systems Christophe Gevaudan - UBS Matt Estes Disney Corporation Catherine Spence Intel Pankaj Fichadia National Australia Bank (NAB) Ryan Skipp T-Systems

2 OPEN DATA CENTER ALLIANCE SM : Page 2 of 17 CONTENTS Contributors... 1 Legal Notice... 3 Executive Summary... 4 Overview of the Cloud Maturity Model... 5 Description of the Cloud Maturity Model... 5 Terminology... 7 Cloud Maturity Model Progression (Overall)... 8 Cloud Maturity Model Business Perspective... 9 Cloud Maturity Model Perspective... 9 Cloud Maturity Model Progression (Service Model-based) Maturity and Self-Assessment: Cloud Adoption Roadmap Conclusion... 16

3 OPEN DATA CENTER ALLIANCE SM : Page 3 of 17 Legal Notice Open Data Center Alliance, Inc. ALL RIGHTS RESERVED. This Open Data Center Alliance SM Usage Model: <Document Title> document is proprietary to the Open Data Center Alliance (the Alliance ) and/or its successors and assigns. NOTICE TO USERS WHO ARE NOT OPEN DATA CENTER ALLIANCE PARTICIPANTS: Non-Alliance Participants are only granted the right to review, and make reference to or cite this document. Any such references or citations to this document must give the Alliance full attribution and must acknowledge the Alliance s copyright in this document. The proper co pyright notice is as follows: Open Data Center Alliance, Inc. ALL RIGHTS RESERVED. Such users are not permitted to revise, alter, modify, make any derivatives of, or otherwise amend this document in any way without the prior express written p ermission of the Alliance. NOTICE TO USERS WHO ARE OPEN DATA CENTER ALLIANCE PARTICIPANTS: Use of this document by Alliance Participants is subject to the Alliance s bylaws and its other policies and procedures. NOTICE TO USERS GENERALLY: Users of this document should not reference any initial or recommended methodology, metric, requirements, criteria, or other content that may be contained in this document or in any other document distributed by the Alliance ( Initial Models ) in any way that implies the user and/or its products or services are in compliance with, or have undergone any testing or certification to demonstrate compliance with, any of these Initial Models. The contents of this document are intended for informational purposes only. Any proposals, recommendations or other content contained in this document, including, without limitation, the scope or content of any methodology, metric, requirements, or other criteria disclosed in this document (collectively, Criteria ), does not constitute an endorsement or recommendation by Alliance of such Criteria and does not mean that the Alliance will in the future develop any certification or compliance or t esting programs to verify any future implementation or compliance with any of the Criteria. LEGAL DISCLAIMER: THIS DOCUMENT AND THE INFORMATION CONTAINED HEREIN IS PROVIDED ON AN AS IS BASIS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ALLIANCE (ALONG WITH THE CONTRIBUTORS TO THIS DOCUMENT) HEREBY DISCLAIM ALL REPRESENTATIONS, WARRANTIES AND/OR COVENANTS, EITHER EXPRESS OR IMPLIED, STATUTORY OR AT COMMON LAW, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, VALIDITY, AND/OR NONINFRINGEMENT. THE INFORMATION CONTAINED IN THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY AND THE ALLIANCE MAKES NO REPRESENTATIONS, WARRANTIES AND/OR COVENANTS AS TO THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF, OR RELIANCE ON, ANY INFORMATION SET FORTH IN THIS DOCUMENT, OR AS TO THE ACCURACY OR RELIABILITY OF SUCH INFORMATION. EXCEPT AS OTHERWISE EXPRESSLY SET FORTH HEREIN, NOTHING CONTAINED IN THIS DOCUMENT SHALL BE DEEMED AS GRANTING YOU ANY KIND OF LICENSE IN THE DOCUMENT, OR ANY OF ITS CONTENTS, EITHER EXPRESSLY OR IMPLIEDLY, OR TO ANY INTELLECTUAL PROPERTY OWNED OR CONTROLLED BY THE ALLIANCE, INCLUDING, WITHOUT LIMITATION, ANY TRADEMARKS OF THE ALLIANCE. TRADEMARKS: OPEN CENTER DATA ALLIANCE SM, ODCA SM, and the OPEN DATA CENTER ALLIANCE logo are trade names, trademarks, and/or service marks (collectively Marks ) owned by Open Data Center Alliance, Inc. and all rights are reserved therein. Unauthorized use is strictly prohibited. This document does not grant any user of this document any rights to use an y of the ODCA s Marks. All other service marks, trademarks and trade names reference herein are those of their respective owners.

4 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 4 of 17 OPEN DATA CENTER ALLIANCE SM USAGE MODEL: Cloud Maturity Model REV. 2.5 Executive Summary The Open Data Center Alliance has identified the need for a Cloud Maturity Model (CMM), which organizations can apply in order to: 1. Support the development of a balanced cloud strategy in any organization 2. Enable the understanding of all dimensions that constitute cloud maturity, from the perspective of both the consumers and the provider of cloud services 3. Enable the development of focused investment initiatives, to move selected cloud capabilities to target maturity levels 4. Steer inputs and priorities relating to cloud service usage and adoption 5. Update the usage models to identify characteristics and artifacts that enable an organization to increase their cloud maturity and service success through cloud service adoption 6. Maximise their potential to achieve the expected benefits of Cloud, to an acceptable degree The ODCA Cloud Maturity Model maps cloud maturity from two key perspectives: business capabilities and technology capabilities. It also maps maturity levels for the individual cloud service models: SaaS, PaaS, IaaS, and Information -as a Service. The business capabilities perspective of the CMM provides a comprehensive view of the maturity model's stages through the lens of "business use of the cloud." This perspective includes a mix of cloud service models, cloud deployment models, and cl oud capabilities across four business categories: governance and strategy, organization, project skills, and portfolios and services. The technology capability perspective of the CMM provides a similar comprehensive view of an organization's cloud maturity, but does so through the lens of cloud and ICT technology. The cloud service model perspective explores an organization's maturity across each of the individual cloud service models: S aas, PaaS, IaaS, and Info-aaS. These perspectives on cloud maturity offer a way for each unique organization to plot its maturity across the perspective (or perspectives) that best suits its business needs. Some organizations are staffed and organized (or targeted toward business models) where one or more of the cloud service models are of little value or produce an inverse total cost of ownership. These organizations can assess their maturity across the cloud service model that is applicable to their organization, without the added complexity of the service models that do not apply. In cases where an organization will use two or three cloud service models in combination, the model offers an opportunity to plot maturity across SaaS, PaaS, IaaS, and Info-aaS independently. The ODCA Cloud Maturity Model supports multiple perspectives in order to accommodate the variety of cloud adoption patterns that different organizations will encounter. The objective of the Maturity Model is to ensure that the necessary elements to support the achievement of the expected cloud benefits are in place. For example, if one is looking to achieve "speed", then a fair degree of automation and process integration need to be in place - the Maturity model addresses these areas directly. Other benefits arising from the use of cloud technology include: - new features and functions for the business that don't have to be self-developed - re-use of standard designs and solutions with co-ordinated development, operations and support - ability to change and deploy services in near-real time - ability to scale and change services to align to dynamic business needs

5 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 5 of 17 - increased focus on standardized services, engineered, operated and supported consistently across the enterprise The CMM identifies five levels of cloud maturity. It is not necessary for an organization to aspire to CMM Level 5 in all casesdifferent levels in the different capability areas may be quite acceptable and may meet that organization's requirements adequately. It is up to each organization to determine for itself where it wants to be, and what actions and enablers will take it there, per capability. In addition, a mix of legacy, private and hybrid clouds providing infrastructure as a service (IaaS), platform as a service ( PaaS), or software as a service (SaaS) is quite acceptable. The same is true for IaaS, PaaS, and SaaS. CMM 5 does NOT dictate pure public or SaaS-based systems. It describes a managed set of controls, processes, and systems to help to consistently manage cloud services in line with business priorities, with sustained and organizationally aligned processes. As an organization progresses through introspection in regard to the above, it is common to identify islands of excellence, i n contrast to other areas that have lower maturity. This is normal and an indication of being at CMM 1. A consolidated, cohesive organizational cloud strategy will enable consistent measurement and rating of the whole organization. Legacy environments will not go away. They add value for many years and should not detract from an organization having a cohesive and effective cloud strategy and strong cloud maturity achievement. Everything does NOT have to be on a federated cloud for an organization to be in the more mature rating levels. Having identified consistent frameworks and controls that enable selected business systems, according to a defined set of categorization, to be run according to a defined strategy in the cloud, representing the characteristics and artifacts identified in the CMM model, could also result in a high CMM rating. Overview of the Cloud Maturity Model The CMM provides an end-to-end visualization for how the use of cloud in the enterprise develops over time (adoption roadmap) and how the enterprise s ability to adopt cloud-based services within defined governance and control parameters increases. As it matures, the use of cloud becomes more sophisticated, comprehensive, and optimized. The CMM plots the progression of structured cloud service integration from a baseline of no cloud use through five progressive levels of maturity, as shown in Figure 1. Figure 1. The cloud maturity model has five progressive levels of maturity. Description of the Cloud Maturity Model Figure 2 gives a summary description of each maturity level. It does not differentiate between the various types of cloud technology, cloud methodologies, or cloud deployment models. Each of these factors will be taken into account as the progressive levels of cloud maturity are explored in detail.

6 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 6 of 17 Figure 2. Descriptions of each level of the cloud maturity model.

7 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 7 of 17 Terminology Table 1 lists the standard terms and corresponding descriptions that are used in this document. Table 1. Terms and descriptions. Term Benefits Description Architecture Compliance A defined architecture for public and private clouds, through all layers, including business processes. Classification Compliance Data - Defined requirements for handling data throughout its lifecycle according to business value. Applications - Defined requirements for handling data throughout its lifecycle according to business value. Federation Security - Security domain is structured to include public- and private-based infrastructure as a service or platform as a service. Data - Organization s data is distributed in a structured, consistently managed way across multiple clouds. es - Organization s data is distributed in a structured, consistently managed way across multiple clouds. Identity and Access Management Simplify Security domain is structured to enable public- and private-based user access in a managed standard way. Information as a Service (Info-aaS) Metadata and defined access, which enables data to be used to support business decision making, new product identification, and other important Big Answers for business. Infrastructure as a Service (IaaS) Cost Simple - Single standalone virtual machine (VM). Complex - Multi-VM system with network elements; for example, load balancing and firewalls. Integrated Simplified Core design process and standard for all system elements. Orchestration Automated A tooling layer for handling service deployments, consisting of workflows and work packages. Platform as a Service (PaaS) Simple - Single app on a single VM. Complex - Multi-VM based app with network load balancing, clustering, disaster recovery (DR). Policies Compliance A defined set of policies for handling all aspects of cloud usage, including data protection, applications, risks, and requirements. es Compliance A defined set of processes for handling all aspects of cloud usage, including migrations, data lifecycle, risks, and exceptions. Risk Management Compliance Risk Corporate - Company-specific requirements defined in the context of cloud. Country - Country-specific requirements defined in the context of cloud. Industry - Industry-specific requirements defined in the context of cloud. Security Compliance Security domain is structured to enable public- and private-based service access in a managed standard way.

8 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 8 of 17 Term Benefits Description Service Delivery Management Managed Human interfaces are appointed, with supporting governance and processes, to manage the interface between business users and cloud providers, taking care of translating service detail and other incidents, problems, and reporting between the parties. Software as a Service (SaaS) Simple - Single app on a single VM. Complex - Multi-VM-based app with network load balancing, clustering, DR. Transition and Transformation Cost Transition - Migration from a legacy platform onto cloud. Transformation - Migration from a legacy design to take advantage of cloud benefits. Cloud Maturity Model Progression (Overall) Progression through the various maturity levels is based on the evolution of a number of parallel capabilities, as described in the following figures. The result is represented by an inferred resulting maturity, roughly mapped as follows: CMM 1. The existing environment is analyzed and documented for initial cloud potential. Pockets of virtualized systems exist, for limited systems, without automation tooling, operated under the traditional IT and procurement processes. Most of the landscape still runs on physical infrastructure. The focus is on the private cloud, although the public cloud is used for niche applications. CMM 2. IT and procurement processes and controls are updated specifically to deal with cloud and who may order services and service elements and how. Private cloud is fully embraced with physical-to-virtual movement of apps and the emergence of cloud-aware apps. CMM 3. Tooling is introduced and updated to facilitate the ordering, control, and management of cloud services. Risk and governance controls are integrated into this control layer, ensuring adherence to corporate and country requirements. Complementary service management interfaces are operational. More sophisticated use of SaaS is evident, and private PaaS emerges. CMM 4. Online controls exist to manage federated system landscapes, distributed data and data movement, federated and distributed application transactions, and the cross-boundary transitions and interactions. Defined partners and integration exist, enabling dynamic movement of systems and data, with supporting tool layer integration (for example, service desk, alerting, commercial systems, governances). Cloud-aware apps are the norm and PaaS is pervasive. Hybrid apps develop across cloud delivery models. CMM 5. All service and application deployments are automated, with orchestration systems automatically locating data and applications in the appropriate cloud location and migrating them according to business requirements, transparently (for example, to take advantage of carbon targets, cost opportunities, quality, or functionality). The CMM levels enable the realization of a number of cloud characteristics described below, which in turn translate into the enablement of business functionality and value. These business outcomes are the recommended results of positioning capabilities within the various CMM levels: capability gains, efficiency gains, quality gains, and velocity gains, which ultimately result in powerful business strategy enablement. Federated. Federation refers to the ability of identity and access management software to be able to securely share user identities and profiles. This ability allows users within a specific organization to utilize resources located in multiple cl ouds without having to generate separate credentials in each cloud individually. IT is able to manage one set of identities, authorizations, and set of security review processes. From the user perspective, this enables seamless integration with syste ms and applications. Interoperable. There are two key concepts of interoperability: (1) The ability to connect two systems that are concurrently running in cloud environments, and (2) the ability to easily port a system from one cloud to another. Both involve the use of standard mechanisms for service orchestration and management, enabling elastic operation and flexibility for dynamic business models, while minimizing vendor lock-in.

9 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 9 of 17 Open Standards. The term open refers to both software and standards. Open source software operates at a fast rate of change supported by diverse, vibrant community updates. These frequent update cycles provide access to the latest features and capabilities, including performance and efficiency improvements. The use of common APIs or abstraction layers makes it easier for end users to rapidly consume cloud services from different providers to meet business requirements. Even if the software is not open source, it should adhere to open standards, in order to maximize the benefits of cloud deployment. Cloud Maturity Model Business Perspective The business capabilities perspective, shown in Figure 3, plots cloud maturity across the five maturity levels through four business capabilities. Business strategy. Contains capabilities such as business motivation, expected benefits, guiding principles, expected costs, and funding models. Capabilities such as service selection and service-level agreements (SLAs) also gain relevance in cloud initiatives. Organization and skills. Contains capabilities related to the development of organizational competency around cloud computing, including organizational structure and skills development, as well as executive sponsorship and organizational authority. Governance. Contains capabilities related to the governance structures and processes that support and guide the cloud efforts. These capabilities include policy management, risk management, and auditing capabilities. The maturity and adoption of adequate governance is a leading indicator of the overall success of a cloud computing strategy. Projects, portfolios, and services. Contains capabilities related to the planning and building of cloud services, and the management of the portfolio of services. Figure 3. The business capabilities perspective of the cloud maturity model. Cloud Maturity Model Perspective The technology capabilities perspective, shown in Figure 4, plots cloud maturity across the five maturity levels through four technology capabilities: Operations, administration, and governance. Contains capabilities related to the post-deployment aspects of cloud service: the operations, administration, and management aspects of the cloud environment. This technology capability includes capabilities for the delivery of self-service functions and change management.

10 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 10 of 17 Information. Contains capabilities related to the information aspects of cloud, such as metadata management, as well as customer entitlements and data durability. Infrastructure. Contains capabilities related to the service infrastructure and tools that provide the technical foundation for the cloud initiative. Shared services, provisioning, and model packaging are particularly important in cloud infrastructure. Architecture. Contains capabilities related to the definitions of the overall architecture and guidelines for various practitioners to ensure adherence to the architecture. Capabilities fundamental to cloud architectures such as resource pooling, interoperability, and self-service are considered in the model. Figure 4. The technology capabilities perspective of the cloud maturity model. Cloud Maturity Model Progression (Service Model-based) Iaas Maturity Not all organizations will use IaaS at the same rate of adoption (see Figure 5). There will be organization -centric paths taken to benefit from the cloud service model, depending on business needs, the problems being solved, the organization s maturity level, the regulatory landscape, and strategic considerations. The following defines the CMM progression levels specific to cloud service models. The objective is to support an assessment of cloud adoption maturity for specific service models that may be most relevant to an organization s needs. CMM 1 - Internal organization-based virtualization. CMM 2 - Selected business processes and functions leverage IaaS facilities from service providers, with early and developing focus on managed services. CMM 3 - Deployment of complex IaaS services across managed service providers and internal private clouds providing IaaS services. CMM 4 - Hybrid cloud environments for IaaS are maturing, and business demand drives an effective use of hybrid clouds in a dynamic and seamless fashion. CMM 5 - IaaS services across private clouds and public clouds are leveraged through high maturity within interoperability, federation, and open standards. The focus is on multi-provider SLAs for reliability, meeting business demand, interoperability, and business benefits through selection of the appropriate services based on cost, capacity, need, and control requirements.

11 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 11 of 17 Figure 5. Infrastructure-as-a-service adoption based on the cloud maturity model. PaaS Maturity Not all organizations will use PaaS at the same rate of adoption (see Figure 6). There will be organization -centric paths taken to benefit from the cloud service model, depending on business needs, the problems being solved, the organization s maturity level, the regulatory landscape, and strategic considerations. The following defines the CMM progression levels specific to cloud service models. The objective is to support an assessment of cloud adoption maturity for specific service models that may be most relevant to an organization s needs. CMM 1 - Internal use of simple PaaS services within an organization. CMM 2 - Rapid and deep use of PaaS within the organization, with multiple departments using the services. St andards are developing and maturity. CMM 3 - Complex PaaS within the organization and through the use of PaaS provided by service providers. CMM 4 - Existing applications and architectures are modified and streamlined to leverage the benefits of PaaS mod els. CMM 5 - All application and service deployments are automated, with orchestration systems automatically locating data and applications in the appropriate cloud location, and migrating them according to business requirements, transparently (for example, to take advantage of carbon targets, cost opportunities, quality or functionality).

12 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 12 of 17 Figure 6. Platform-as-a-service adoption based on the cloud maturity model. SaaS Maturity Not all organizations will use SaaS at the same rate of adoption (see Figure 7). There will be organization-centric paths taken to benefit from the cloud service model, depending on business needs, the problems being solved, the organization s maturity lev el, the regulatory landscape, and strategic considerations. The following defines the CMM progression levels specific to cloud service models. The objective is to support an assessment of cloud adoption maturity for specific service models that may be most relevant to an organization s needs. CMM 1 - Organization makes opportunistic use of SaaS for tactical needs. The service-oriented architecture is basic and developing. CMM 2 - Depth of SaaS penetration increases, with further business value gained from the use of applications that go across cross-functional roles and departmental boundaries. CMM 3 - Organizations deploy SaaS for mission-critical business, functional value chain across internal needs, and customerfacing business use cases. CMM 4 - Value is derived from the integration between SaaS applications, creating end-to-end business processes that generate value across SaaS applications and functions. CMM 5 - Integration across business partners is based on federated, open, and interoperable cloud environments. All service and application deployments are automated, with orchestration systems automatically locating data and applications in the appropriate cloud location and migrating them according to business requirements, transparently (for example, to take advantage of carbon targets, cost opportunities, quality, or functionality.) The SaaS environment is managed across the lifecycle of selection, provisioning, integration, operation, and decommissioning.

13 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 13 of 17 Figure 7. Software-as-a-service adoption based on the cloud maturity model. Information-as-a-Service Maturity Not all organizations will use Info-aaS at the same rate of adoption (see Figure 8). There will be organization-centric paths taken to benefit from the cloud service model, depending on business needs, the problems being solved, the organization s maturity level, the regulatory landscape, and strategic considerations. The following defines the CMM progression levels specific to cloud service models. The objective is to support an assessment of cloud adoption maturity for specific service models that may be most relevant to an organization s needs. CMM 1 Organization explores information-as-a-service concepts, but remains largely on traditional data and information systems. CMM 2 An information-as-a-service architecture is defined, with a focus on enterprise services and an understanding of data across the enterprise. CMM 3 Enterprise governance plays an increasing role, master data management and data quality are matured, and analytics progress to advanced stages. CMM 4 Interfaces and enterprise collaboration allow federated query capabilities, private internal data supp ly chains emerge. CMM 5 Organization reaches a state of mature information-as-a-service, with advanced semantic capabilities, internal/external data supply chains, a catalog-driven workload, governance-driven orchestration, and self-healing data processing capabilities.

14 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 14 of 17 Figure 8. Information-as-a-service adoption based on the cloud maturity model. Maturity and In context of Maturity, it is important to keep in mind that Maturity is different to. Increased Maturity does not necessarily mean increased quality one can buy a service or product that are rated on high or low qualities but which are appropriate to the business need. Having increased maturity allows one to maximize the advantage and benefits gained from such services. Typically Maturity relates to processes, governance, integration levels, blueprint prevalence, and these all lead to sustainability and repeatability, along with effectiveness. The differences are represented by means of the following table, with Bronze/Silver/Gold/Platinum quality levels representing a particular service quality, which may relate to additional functions and features built into the service: The X s identify that there is potentially some correlation in terms of a relationship between quali ty and maturity. Self-Assessment: In order to assist organizations to assess their own maturity and identify potential development areas (which lead to potential investments), the ODCA has developed a questionnaire which addresses with the various areas with a question, and 5 potential answers. The questionnaire identifies appropriate target states for the realization of specific benefits, in context of the specific business. One can then assess the real state of the organization, and represent the development gaps where investment is required. Such an example is as follows:

15 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 15 of 17 The maturity level is usually set in context of business objectives, and the resulting benefits sought. These objectives are often in context of the following: Business Context Typical Responses to Business Context Growing OR Maintaining a flat line, but preparing new products to innovate past the competition Identify new opportunities and existing problems and adopt innovative new services and solutions to address these. Services could be contracted with external providers or adopted through mergers and acquisitions. Create additional capacity for new business and products by investing in additional infrastructure (typically achieved through adding CAPEX). Create additional capacity for new business and products by using existing infrastructure (that is, improve OPEX). Maintaining a flat business line Reduce costs by optimizing existing systems and thereby reducing existing operational costs. Decide to maintain all systems and operational costs as-is (this is rare). Losing business Reduce costs by optimizing existing systems and thereby reducing existing operational costs. Identify non-core systems and consolidate or optimize them. Also reduce non-essential functionality as necessary, to reduce operational and infrastructure costs. Outsource non-core systems and convert to a pay-as-you-go system, with flexibility for rapid capacity changes (up or down)

16 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 16 of 17 Selling assets to reinvent itself out of a downward spiral Identify non-core systems and consolidate or optimize them. Also reduce non-essential functionality as necessary, to reduce operational and infrastructure costs. Outsource non-core systems and convert to a pay-as-you-go system, with flexibility for rapid capacity changes (up or down) Eliminate all spare unused capacity. Modularize non-core functionality into sellable or outsourceable units. Test company rules or restrictions against using alternative pay-as-you-go options such as public cloud for and web services Refinance assets for a short term CAPEX injection, through an outsource or lease-back arrangement. The Questionnaire mentioned previously, is a sample to support organizations in performing self-assessments of their cloud readiness levels, and ability to achieve maximum value from cloud based services. It must be noted though sampling one department or just the IT organization is not a true representation of the companies cloud maturity or readiness to maximize cloud benefits some complexity lies in analyzing how and why the business will apply cloud services, mapping the various involved departments, and then assessing each of them using appropriate questions from th e questionnaire from the business unit, through finance, procurement, risk management, project organization, IT, and the partner services. Cloud Adoption Roadmap The cloud adoption roadmap provides an end-to-end visualization for how the technical use of cloud technologies in the enterprise develops over time. As technical implementation matures, the use of cloud becomes more sophisticated, comprehensive, and optimized. Based on ODCA industry experience, many large enterprises are progressing using the same overall trajectory but at different rates of adoption. A typical technical adoption roadmap is represented in Figure 9 below. Figure 9. A typical technical adoption roadmap. This adoption roadmap gives context to technical planning and assists organizations in quantifying existing deployments and the steps that following from that point. Conclusion When an organization s technology and business strategies align to meet the objective cloud maturity level for that organization, an organization should achieve a federated, interoperable, and open cloud environment that delivers the expected benefits. This in turn will enable the expected business value that cloud services should represent to that organization: capability gains,

17 OPEN DATA CENTER ALLIANCE SM : Cloud Maturity Model Rev. 2.5 Page 17 of 17 efficiency gains, quality gains, flexibility increase, and velocity gains, which ultimately result in powerful business strategy enablement.

18 Cloud Service Level Tier Bronze Silver Gold Platinum Description Description Represents the lowerend enterprize security requirement and may equate to a higher level for a small to medium business customer Represents a standard level of enterprize security likely to be evident in many enterprises Represents a stronger level of security that would normally be associated with the processing of sensitive enterprize data. Represents the highest level of contemplated enterprize requirements Example Development environment Test environment; out-of-the box production environment Financial Services sector production environment Special purpose, high-end security requirement (e.g. military) NOTE: Every following level assumes ALL characteristics of previous level are already in place, starting with Bronze, and graduating up to Platinum Every following CMM Level assumes that all characteristics of the previous CMM Levels have been fulfilled already, starting with CMM 2, and graduating up to CMM 5 Bronze level: segregation of data through access rights (database privileges) within shared resources (e.g. applications, databases) Silver level: additional segregation through multi-tenancy of resource structures (e.g. own database plan/schema on database server) on a shared virtual machine (VM). Gold level: separate runtime instances and virtual machines (e.g. own Operating System (OS), databases, applications) on shared hardware, but all tenants at Gold level Platinum level: physically separated instances of hardware, VMs, OS, databases and applications per cloud subscriber. The CMM Levels are based on the following concepts: Cloud Service Maturity Level CMM Level CMM 1 CMM 2 CMM 3 CMM 4 CMM 5 Description Initial Repeatable Defined Managed Optimized Result Initial efficiency gains gains gains Increased, Increased Cloud based systems aligned to and enabling Business Strategy, pro-actively These are then combined as follows: Maturity CMM 1 CMM 2 CMM 3 CMM 4 CMM 5 Bronze Silver Gold Platinum Describes the characteristics of this Level Describes the characteristics of this Level Describes the characteristics of this Level Describes the characteristics of this Level Action plan to graduate to next CMM Level Describes the actions to get from this, to the next CMM level Describes the actions to get from this, to the next CMM level Describes the actions to get from this, to the next CMM level Describes the actions to get from this, to the next CMM level An additional possibility, but NOT prescriptive, could be as follows with respect to applicability CMM 1 CMM 2 CMM 3 CMM 4 CMM 5 Bronze X X X X Silver X X X X X Gold X X X X

19 Platinum X X X

20 Cloud Maturity Model (CMM): Analysis Governance Organisation Strategy Area enterprize Strategy Governance Structure Procurement Assessment question CMM 1: (Initial) Initial efficiency gain CMM 2: (Repeatable) gains Does a formal enterprize level strategy exist positioning the use of cloud based services? No Yes, but with ad-hoc adoption Incentive System for Cloud adoption Is there a Cloud Adoption Framework Is Organisational Change planned, in order to enable cloud effectiveness? Do Key Performance Indicators exist for cloud based services? General innovation framework exists, but does not address cloud concepts specifically The current application landscape has been analyzed for possible cloud migration. Impacts on some affected teams have been identified Success of cloudservices is evaluated by different users.there is no common definition of success. Ideas are evaluated, by the experts, without management support. Employees receive responses to their idea. Classification framework for all Business Applications & Data, with all apps considered for cloud, classified Planning and design of structure updates done, to improve cloud adoption KPI's are defined to measure the success of the cloud strategy Has the organisational structure been updated to enable Cloud based Service delivery No Structure defined Is formal Cloud Training planned Role of Internal IT Are the right controls in place to identify, assess and manage risk and compliance, and alignment to business objectives? Does a formal Communication plan exist, positioning cloud and the impacts? Is Enterprise Architecture Cloudaware and focussed? Is Risk Management updated for Cloud? Is there a formal Compliance framework for Cloud? Is the Procurement es cloud aware? Is the Procurement Tooling cloud aware Incidental, Training in new topics is done by individual employees with personal commitment or interest Continues handling internal IT and internal data center / outsourcing topics Ad-hoc deployments leveraging "non virtualised" definitions and interpretations Governance, risk and compliance requirements are available for those who look for them, for cloud services, documented in an enterprise repository Cloud design is handled completely and seperately by lines of business Training on new topics is discussed in teams with some organisational support. A cloud capability exists, and IT participates in Cloud deployments Defined system and service classes for cloud use, with rules, policies and guidelines, communicated to the organisation and deployed manually by projects Limited positioning of cloud with respect to requirements and compliance are communicated to islands of adoption Written enterprise architecture charter and operating documents outlining scope of responsibility and strategy (charter, RACI's, decision process guidelines, standards processes) CMM 3: (Defined) gains Well communicated throughout the organisation and signed off by all key stakeholders An idea management process exists which is orientated towards cloud, with an incentive scheme for employees. A cloud service adoption plan exists, with Milestones defined, planning, and budget. Structured implementation plan for updated organisation KPI's are argeed to measure the success of the cloud strategy Teams created. Cloud KPI's per team identified A training and development plan exists and is implemented, defined per impacted business unit Clear positioning as a Cloud Provider or as a facilitator or broker, with updated skills and roles Defined and communicated / signed off by all business units, with manual ad-hoc auditing A communication plan exists relating to cloud services, and detailed follow through activities with the impacted business units is ongoing, including a feeedback mechanism, and regular progress reports, possibly via the enterprize communications vehicles. A centralized cloud service selection process has been established. Risks may be evaluated in project situations. No general risk definition Risks are discussed (4-eyes principle) Risks are known and documented. Standard original compliance framework carries forward, without cloud awareness Ad-hoc approvals and business units ordering directly from cloud portals Each providers own Cloud Portal is used for ordering & configuring services A Compliance framework is defined and includes cloud appropriate dimensions Online service catalogue and approval process (via enterprize repository) Links exist from the enterprize Procurement Intranet to selected supplier's portals/catalogues Compliance framework is updated to include cross border legislation, data protection in transit and at rest in cloud environments, and data privacy requirements Operating in real time with real-time approvals and updates Providers Catalogues and approval workflows are integrated with the enterprize order portal and workflow system CMM 4: (Managed) Increased velocity, increased quality Guides all new system deployments and technology renewals as "the rule". The coverage is measured by means of tracked KPI's. CMM 5: (Optimised) Cloud based systems aligned to and enabling Business Strategy, pro-actively The cloud strategy enables the growth and optimisation of business outcomes across the Enterprise. The strategy is revised on a regular basis, according to a defined timeframe. An incentive scheme exists and employee measurement (where appropriate) aligns to the achievement of this strategy # of Ideas and success is measured. The process is evaluated on a regaular base. The use and success of the framework is managed by means of KPI's All partners integrated into organisational plan, with roles & responsibilities defined The KPI's are constantly measured, and the results are reviewed. Teams measured by KPI's. Active planning against gaps, and reviewed regularly The use and success of a enterprize training and development plan is ensured through product certifications, and other knowledge tests. Consults with Business on appropriate cloud platforms Automated deployment according to categorisation Partners, clients and suppliers are addressed and cloud based implications clearly defined at commerical, service and business impact level The cloud services are measured and the quality is evaluated. A Risk management framework is defined and contextualised for cloud. Risks are constantly monitored. Risk mitigation plans are in place Categorisation of requirements exists graded separately for Private, Hybrid, Public & Hosted cloud types. Monitoring and Management of compliance requirements is automated, sensitive per cloud category Cloud aware service agreements are established to support online real-time ordering, changes, cancellations, and data retrieval Provider Catalogue contents updates are synchronised, selected and published within the enterprize order portal based on application and data compliance requirements New opportunities offered by cloud services are evaluated and included in the Cloud Adoption Framework on a regular basis. Organisational culture includes high performance aspect, to take advantage of technology opportunities in all initiatives The definition of the KPI's are checked and reviewed regularly The organisational structure is able to bring tangible business benefits - and the operating model is an integral part of the culture, with defined KPI's A training concept exists, which is constantly updated to align to the changes of the cloud strategy of the company. Acts as a bridge between external providers, internal providers, and manages service definitions Automated exception reporting in real-time (e.g. by a data loss prevention system) Co-ordinated roadmap updates and communications are broadcast through the full eco-system, with feedback loops in place The company acts as a "Cloud Service Broker" according to Gartner's definition. A governance structure has been implemented to manage risks for the business. The risk mitigation plan is regulary updated. Computer Emergency Response Team (CERT) exists The compliance framework is regulary updated to reflect changes in cloud services and usage. Multiple providers selected, with commercial frameworks in place, and available via the portal, with automatic routing of appropriate service orders to appropriate clouds A generic catalogue is available on the enterprize portal, with transparent automated routing to the appropriate provider Desired Business level Benefit Benefit Rating (rate each in importance using numbers 1 to 5 (1 = most important, 5 = least important) CMM Curent Status Analysis Result CMM Target Level Recommended Action focus Sought Audience Benefits area to yourself Strategy department - a strategy gives guidance to the company - Measuring services which comply to the strategy ensures the usage and shows needed improvements to the strategy. - a revised strategy reacts to new cloud possibilities Strategy department - the employees with work on a topic have usually the best ideas how to improve it. - An incentive systems motivates additional effort. - KPI's document the success of the strategy People, Strategy department, Cloud - a common framework ensures efficient manageable services. Architects - only a clearly defined area of knowledge has to be developed. Strategy department, HR - Cloud benefits might change role definitions, and the work-scope Department of departments - updated job descriptions drive efficient use of ressources People enterprize strategy, IT strategy - KPI' are necessary to prove and track the success of the cloud strategy - Checking the KPI's enables a company to select the appropriate cloud services and focus areas enterprize Strategy, HR - Cloud benefits might change role definitions, and the work-scope Department of departments - updated job descriptions drive efficient use of ressources People IT Department, normal - Proven knowledge about a service ensures maximum benefit Management derived from the cloud service - Beside the IT resources, training for normal end users of the service might be necessary - IT Management - Use of cloud services enables the IT Department to offer fast, flexible support and services to the business. People -Data Security - Sensitive data is handled according to Security rules in the cloud - IT Strategy application - Clear definition helps to enable fast and compliant cloud adoption. - Late and expensive changes to cloud solutions are reduced. - Service Designer - Having a clear defined and functional communication structure is - Security Management important to ensure fast reaction to challenges and opportunities. - Clear communication of the risks supports a functional mitigation plan. People - IT Architecture - Using a common architecture approach: - IT Governance - ensures interoperability between cloud infrastructure and the business applications hosted on it - reduces training costs - reduces risks, because of limited elements which are heavily re-used - quality measures help all services at once. - reduced effort in Application Management - clear responsibilities for the different layers - reduced migration efforts when changing to or from a plattform. - IT Governance - Clear communication of the risks ensure a functional mitigation - Risk Management plan. - Active management of risks reduces the potential impact - a risk mitigation plan ensures a structured approach in the case of a breach - IT Governance - A defined framework provides guidence to the organisation, especially in new technologys (like cloud). - a fast review of new solutions and options is possible - IT Procurement - Well prepared Procurement and teams accelerates the - IT Service management implementation of (cloud) services for the business - Service Catalouge Mangement - Common order portal is the single point of contact for all order - IT Procurement processes. Cloud Services should be orderable in the same way as - IT Service Delivery other enterprize Services. - A fast, easy and common way to order services ensures than no shadow IT appears.

21 - IT Procurement - It is important for the Procurement Department to understand Is Training and Development performed for supporting organisations Procurement team are operate in CAPEX based ordering activities Procurement team are trained about cloud, and the commercial models Team is incentivised based on cloud strategy deployment Realtime authorisation and approval is operational, aligned to enterprize budgets Defined partners are elctronically integrated into the enterprize systems and processes cloud and the fast request and deployment cycles, to enable cloud benefits to be achieved by the business - IT Procurement - Frame Contracts are a common Procurement approach, so it is Business Governance Procurement Have Sourcing & Cloud ressources are ordered ad-hoc from contracting been updated undefined vendors. No partnering or to accommodate cloud? contract framing Hardcopy brochures used, with functions Does a specific Cloud and features defined per deployment, via a Service Catalogue exist? technically orientated portal Default frame contracts exist for cloud services, which are available to the organisational business units, and re-used consistently. A Cloud Portal includes a full integrated Catalogue of services, including technical functions and features, costs, and service level details, for IaaS Services Frame contracts are integrated in Active partner management with cloud procurement tools and standard cloud and quantity based performance vendors. Multiple vendor sourcing for vendors may be chosen reporting of cloud vendors identical cloud services A well defined set of standards for catalogue definitions are applied and communicated (e.g. CIMI). es are defined to enable entries in the consumer Included in the Service catalogue are detail All partnered or federated services are facing catalogue to be updated regularly, costs and calculations, detail rules mapped into a single well structured and for retirements to be performed associated to services, and automated links catalogue for the consumer, transparently, according to a defined roadmap process, and updates to contracts for changed wth back-end integration automated and without contract changes being needed services orcehstrated, based on consumer requests nomal to do the same in the cloud area to ease service contracting. - Every tool / methodology/process which speeds up the ability to start using cloud services adds momentum to the business. - Service Catalouge Mangement - A common order portal is the single point of contact for all order - IT Procurement processes. Cloud Services should be orderable in the same way as - IT Service Delivery other Services for business. - A fast, easy and common way to order services ensures than no shadow IT appears. - Having a service catalogue speeds up the cloud adoption, because the user does not need to search the web for the right solution and then determine their own appropriateness and compliancy crtieria on beahlf of the business Is Reporting updated to monitor and measure cloud services Basic management and Monitoring data is produced from systems within the companies' own control Integrated reporting and data sharing of Clear standard online contract and supply relevant data is enabled between preselected contracted suppliers and the cloud Standardised supplier contracts enable JIT management is integrated with supplier delivery, from pre-selected suppliers, with systems, to ensure that the cloud service provider, to ensure that pre-warning of Defined interfaces and reports exist, for defined reporting and source data avaialble never runs out of capactiy, by pre-warning Procuremnt events is possible, and that cloud providers to integrate to and supply according to pre-determined business suppliers of approaching order events service quality can be monitored and data, in real time criteria automatically managed pre-actively - IT Procurement - Easy to use reporting provides a base for future decisions. - Appropriate reporting shows which solutions are often used, and which ones need to be replaced or changed es - IT Procurement - Common templates make the complex cloud related service Do Cloud Contract templates exist? No, still using original templates Zero $ based framework contracts (agreements defining services and service level agreements, but with no volume commitments due to the nature of cloud services) are in place to enable service use, Leveraging contracts supplied by each and all roles and responsibilities and cloud provider, with slightly different terms remediations are clearly defined, including and conditions, and processes risk, compliance, and data related actions Contracts with multiple suppliers are synchronised to common terms and processes, enabling the business to scale, migrate and adopt services transparently All commercial terms are electronically integrated and linked to the service classes and qualities selected from the available catalogues, by the consumer levels, compliance, certifications, and risk management simple to navigate. - IT Management - IT Procurement - Cloud services need to be integrated into the common enterprize service management processes, and by doing this, one can identify what updates are necessary in the enterprize processes, and update them once for the whole company, to accommodate cloud based service delivery. Integrated reporting and data sharing of Commercial Are es updated to accommodate cloud Original internal IT processes are used, and service delivery? cloud is fitted to those, as applicable Defined manual handling of exceptions exists, where existing systems don't accommodate integration with cloud providers Clear standard online contract and supply relevant data is enabled between preselected contracted suppliers and the cloud management is integrated with supplier Standardised supplier contracts are systems, to ensure that the cloud service provider, to ensure that pre-warning of defined, enabling JIT delivery, from preselected suppliers, with electronic levels of suppliers of approaching order events service quality can be monitored and never runs out of capactiy, by pre-warning Procuremnt events is possible, and that integration consistently automatically managed pre-actively - IT Service Delivery Management - Defined measured KPI's form the base for every strategic decision for change, in order to motivate or justify the cost of change Do Key Performance Indicators exist for cloud based services? Infrastructure availability SLA's are used to measure services SLA's are in place for IaaS, PaaS & SaaS Clear KPI's for service delivery against KPI's are defined in context of the expected procurement events are defined and benefits of cloud, including avaialbility, automatically monitored in the system, in performance, cost, flexibility etc context of defined business objectives Each Business objective has a KPI mapped to it, and data is automatically collected to indicate status and progress in achieving the objective KPI Are Partner & Client Interactions updated for Cloud service delivery? Cloud provision is handled like any other supplier by the involved teams and processes Some Suppliers are integrated into the Procurement and Event management systems Clear Service Levels and KPI's are defined for all online services from partners Clients interact via defined shared cloud based interfaces, which adhere to strict SLA's Partners are integrated at contractual, electronic and process levels, transparently - IT Procurement - IT Service Management - Cloud services might not have direct service contacts, so it is important to have a defined, tested process and channels to approach., People Are the costs of a service billed to the consumer of the service? No, IT Costs are handled by a common IT budget Yes, costs are billed to the main departments (Production, Management, R&D, ), but only 1-2 times a year There is a constant process which monitors There is a capability for the consumer to Costs are constantly monitored, and billed the billing. Growing costs are proactively check ordered Services and their to the consumer, and unused ressources monitored and are constantly discussed corresponding costs. The costs are billed to are optimized or returned to the available with the consumer. There is a process the consumers costcenter once a month resource pool which terminates unused Services. - Financial Controlling - Pay per Use for cloud servcies enable constant cost optimisation - Costs need to be charged to the consumer of the service otherwise there is no motivation to terminate a service, so the pay per use value of the cloud makes no sense anymore -IT Service Management - Management - Knowledge Management - Usually there is a defined approach for handling a project in a company. The re-use of common cloud enabled templates in Project Management is as important and useful for cloud projects, as it is in normal IT Projects Do consistently defined templates, guidelines, best practices and blueprints for cloud based service & product Developed by each project manager on an deployments exist as-needed basis Use is made of centrally defined and published Blueprints, Best Practices, and Checklists for Cloud Service integration Comprehensive documentation exists, and is used by all projects: A clear framework exists and is used for classifying applications and data (protection) for Automated selection of platforms is projects (for mapping systems against cloud enabled (via a Cloud Portal) for placing platforms and services), prior to applications and data, based on business deployment, ranging from Development, rules and application calssification, all the Online tooling, tracking and reporting is in through Q&A, Pre-Production and into way through Orchestration and deployment place to support all project based Production to Production deployments - IT Service design - IT Programme Management - It Architecture - There are common design patterns which are useful for enabling cloud applications to be able to take advantage of cloud scaling, security models, and increase robustness of the service Standard training is available for the various Projects & Services Projects Is Project Initiation updated for Cloud? Are Project Tools updated to support Cloud projects involved organisational units, tailored to Leveraging existing templates, resources Ad-hoc projects developed by the project their needs, addressign important cloud Projects are planned in a cloud portfolio and methodologies for cloud use, high manager, developing own processes, Partial re-use of cloud methodologies, rules, policies, aspects and skills that they annually in advance, with clear budget, performance innovation is enabled, methodologies and frameworks for Cloud defined by certain new projects, and shared must develop and apply in their cloud scope and objectives towards enabling multiplying the organisations new product service integration for further enhancement service adoption cloud benefits realisation development by a defined factor Pre-defined elements are automatically Online project tool also integrates with and populated into the project plan by the tool, Online project tool with integrated triggers / invokes workflows and processes Each project is defined by the assigned Cloud based project templates are shared and consistent feedback loops exist to documentation is linked to selected cloud for partnered services, as part of the Cloud project manager, and built from scratch between project managers for re-use update approved steps deployments and reporting systems. Service landscape - IT Architecture - there are many elements which can be used across all cloud projects in a company, like Identity Management, Singe Sign On, Buisness Management, Data Orchestration Master Data Management, all of these elements can be pre-prepared already at the start of any new project.