An introduction and guide to buying Cloud Services

Transcription

1 An introduction and guide to buying Cloud Services

2 DEFINITION Cloud Computing definition Cloud Computing is a term that relates to the IT infrastructure and environment required to develop/ host/run IT services and applications, on demand, with consumption based pricing, as a resilient service. It provides resource and services to store data and run applications, from many devices, anytime, anywhere, as a service over the internet. The services can in turn be scaled up and down as needed to meet a customer s variable operational needs, ensuring maximum cost efficiency. Contents Page Introduction 3 SECTION 1 Why Cloud Services for IT delivery? 4 SECTION 2 How to access different Cloud models 10 SECTION 3 How to review contracts 16 SECTION 4 Seeking and obtaining Governance 21 Conclusion 25 2 Cloud Forum IP Ltd 2012

3 Introduction In the UK today over 60 per cent of organisations have formally utilised at least one Cloud Service and satisfaction levels relating to that experience sit at an astonishing 92 per cent. In terms of future adoption, three out of four of those who have already purchased a Cloud Service believe they will purchase further services for their organisation within the next year. Of those that have yet to adopt their first Cloud Service, 26 per cent expect to do so in 2012, and a further 13 per cent of UK businesses intend to within the next three years. INTRODUCTION However, as the number of Cloud adopters increases, so too does the number of Cloud Service Providers (CSPs) and service models in the market, resulting in a diverse and complex supply chain. Many established suppliers have altered their business models to include Cloud Services within their portfolio; 66 per cent of end users have expressed an increasing expectation of self service in light of the new service models enabled by Cloud Computing; and, a new breed of Cloud brokerages and aggregators are forming to provide commercial guidance and a single point of contact to customers. Whether buying direct online or via a third party it is essential that an organisation can establish confidence in the Service Provider/s so that they can be ultimately confident in both their expectations; in the nature of service provided; the responsibilities of the parties, and, the important issues to consider in entering, managing and ultimately exiting a contract. As with all new markets, there are entrants who are credible, well-intentioned, capable and professional and there are also unfortunately those that are looking to make a quick profit and whose public claims will not pass the test of scrutiny. Coupled with this is the increasing prevalence of online clickthrough agreements, which were originally designed to make procurement easier, but are often littered with unfair clauses and use agreements. To this end, the Cloud Industry Forum (CIF) has produced this Guide to Buying Cloud Services, which outlines a number of key issues that end users should consider when migrating to the Cloud. Cloud Forum IP Ltd

4 SECTION 1 SECTION 1 Why Cloud Services for IT delivery? Introduction When it comes down to basics, the Cloud is about resolving a fundamental paradox: IT systems are amongst the most adaptable tools available to businesses, particularly in meeting fast changing business requirements, but they are expensive to acquire and maintain, typically absorbing some per cent of any business annual IT budget. Meeting that cost becomes a major inhibitor on companies making rapid changes to the way they do business. Yet we live in times when the ability to make rapid changes to business plans and processes is becoming ever-more vital. Cloud-based applications and services can deliver that rapid change by providing the essential IT resources without companies having to own or maintain them. The resources, or solutions, are delivered via the Internet in the form of contracted services, and their nature means that contracts can be set to meet the level of flexibility a business requires. It can be for a pre-defined and fixed level of service, resources or users; but it can also allow a business to add additional resources as and when required. It could, for example, to meet a specific requirement such as a large but short-term marketing project. The business user gets access to the solutions required, when they are required, without the related issues associated with owning the systems themselves. Indeed, the Cloud makes it possible for those responsible for delivering IT services within businesses to increase business agility. They can build and adapt services in keeping with the needs of the business. 4 Cloud Forum IP Ltd 2012

5 Business justifications for Cloud adoption SECTION 1 Business agility: new ways of doing business! When markets and product categories can change seemingly overnight for example, who now wants an ordinary mobile phone when you can have a smartphone loaded with hundreds of Apps the value and competitive edge achieved by those organisations that can adapt and make changes becomes a crucial business imperative. That is what business agility is all about: as markets change and they do with increasing speed companies selling into, or relying upon, those markets need to be ready, willing and able to change themselves to meet the new demands. The need for business agility is becoming more widely understood it is about meeting the need for a company to redirect its lines of business as markets develop and change, rather than some time after the market has moved on. Making this happen, however, is often unachievable from the perspective of a company s existing IT infrastructure, while the changes needed to make it achievable on a repeatable basis can look, at the very least, extremely risky steps to take. But they need not be risky, and the benefits in business terms can be significant. Using Cloud Services means companies gain the ability to add and remove applications, services and resources as necessitated by changing business needs. These changes can be temporary or permanent, making it possible for a company to adapt in many different ways both quickly and cost-effectively. The key to agility lies in the IT services the company has available, which means having affordable access to far more IT resources than most companies could contemplate purchasing. In addition, such access needs to be available not just for a baseline IT operations, but also for specific business requirements, such as short-term projects. This is a capability that very few businesses can justify if they are acquiring the resources themselves. Here it can take several months to define, approve, order, install and commission new systems ready for day-to-day use. So what the Cloud offers is the ability to access new IT resources much faster than by acquisition. It means companies can pay for the access and use of resources as required, with the ability to change the usage pattern much faster, and far more drastically, than is possible with traditional acquisition. It is similar in principle to buying a ticket for a train, you don t need to build the railroad first. 61 per cent of UK companies use at least one Cloud Service The Cloud also allows whole new approaches to business to be developed through linking the company s own operations together with services provided by third parties. For example, it is now possible to use third parties providing secure credit card payment services, rather than attempting to set up such a service from scratch. Another topical example is directly linking the company s services with the increasingly popular social media world. This can establish a direct link to individual customers and is already proving valuable to businesses serving consumers directly. It uses social media as the vehicle to build customer communities, and feeds the community input directly into business planning and management services. Cloud Forum IP Ltd

6 SECTION 1 Operational flexibility A consequence of increased business agility is a corresponding increase for operational flexibility in providing IT resources. Here the Cloud can provide some significant advantages, whether a company decides it wishes to use as many third party services and applications as possible, or it decides it needs to develop its own applications. When it comes to third party services the Cloud provides several specific advantages. For example, Cloud Services are delivered via the Internet, which makes it as applicable to a company or individual in Australia as one in Accrington. By the same token it makes it just as easy for a company to deliver and support an application or a complete Cloud Service. This gives sed company the world to aim at as its marketplace. It also means that niche applications and services get a worthwhile market to pitch at if delivered as a Cloud Service. The corollary is that user companies can access and integrate an increasingly granular range of applications and services in order to build a suite of business IT services closely tailored to their specific requirements. Public Sector adoption in 2012 appears to be growing faster than Private Sector If end user organisations do need to develop their own applications, one of the problems can then be finding suitable systems on which to test any new development. This usually means buying hardware just for testing work, adding to the overall cost of development. With the Cloud, however, they get the flexibility to utilise remote resources as a service. This is often called `Sandbox Testing, where tightly specified resources can be requested of a service provider to be available at such a time and date, to be terminated after `N days or weeks. The immediate benefit for the development budget is a temporary opex cost which is used, as opposed to an inefficient capex purchase. This model is increasingly being extended to include pre-engineered Infrastructure-as-a-Service (IaaS), effectively a datacentre-on-demand, that is aimed at companies looking for as much operational flexibility as possible. It is already gaining a good track record in the market for remote storage services. Here, there is a growing demand not just for more raw data storage capacity, though that continues to grow rapidly. There are now strong demands on companies to structure their storage so that it maps on to current best business practices now being applied in many areas of business. The common call here is for tiered storage which separates out archive data from both regularly used and occasionally used data. These now require different storage strategies which are best provided by specialist service providers, giving companies the flexibility of having the best service without having to build it. The commercial side of a company is likely to be the primary driver on building greater business agility, but it is the IT side that will have the responsibility of delivering it. That is leading to the development of new tools that help IT build more comprehensive and tailored applications and services. A growing number of these extend the idea of a mashup already commonly used with services such as Google. This makes it possible to merge a growing number of the bigger applications and services in the Cloud market, again allowing IT the flexibility to create highly tailored services that meet specific business requirements. To this can be added the growing number of service providers that target specific types of user, typically those that use well known mixes of technologies in their existing on-premise IT infrastructures, such as Microsoft, Cisco and Oracle. This approach creates a much more flexible environment for any company using such an infrastructure technology stack, as it is easier to integrate new Cloud applications with existing on-premise applications, and easier to port on-premise ones to the Cloud. 6 Cloud Forum IP Ltd 2012

7 The Cloud is also making it more flexible and easy and will make it even easier in future for IT departments to manage a range of tasks that help the business be as agile as possible. For example, scaling up the level of resources required, either permanently or as a temporary `Cloud Burst to meet a specific short-term need, becomes a simple task of entering the resource requirement, possibly together with the start and end times of when the resources are needed, into an on-screen, online form. Depending on the service, the additional resources can be available within a matter of minutes or hours. By delivering capability over the Internet, a wider range of devices can be integrated into the operational environment. For example, the growth of smartphones means that these are now a common client device that staff want or need to use. They are also one of the drivers behind the `Bring Your Own model, where staff wish to bring in and use their own clients, such as laptops and smartphones. The final piece in creating much greater flexibility is the availability of tools to help IT departments manage their specific Cloud and on-premise environments and to optimise them to give the best performance for the whole organisation. There are also growing ranges of system management monitoring tools that drive automated management control systems that ensure Cloud environments run correctly. The latest thing here is the development of autonomic management tools that are capable of `learning how a system is supposed to operate and ensuring that it does. very nature of the service. Maintaining the best levels of security and service reliability are part of the core business proposition of every Cloud Service Provider, for if they fail at that they have very little else of value to offer the marketplace. From the service provider s point of view, the majority of them will have invested heavily in certification to best practices such as the Cloud Industry Forum Code of Practice or to more generic standards such as ISO So evidence of relevant certifications and scope is something a customer should seek out from the service provider. Equally, the Cloud Security Alliance provides a wealth of relevant advice. One important difference the Cloud brings to security is a major change in its goals and how it sets out to achieve them. In a traditional, on-premise infrastructure the objective of security tools is to defend the integrity of devices and the network. There are firewalls to prevent as much unauthorised, malicious code getting into the corporate network as possible, and then each device is typically equipped with anti-virus and anti-malware tools and the like. 76 per cent of companies already invested in Cloud Services will expand use in 12 months SECTION 1 These tools allow the IT departments to define the policies that govern the operation of complex Cloud systems, while removing the increasingly difficult task of attempting to do that job manually. Security considerations When it comes to the Cloud, security is the most common issue that has people saying `don t use it. The underlying perception driving this opinion is that data simply cannot be secure if the system on which it runs cannot be seen and touched. And of course, the Cloud data could in theory be stored anywhere around the world raising concerns over data sovereignty and privacy. In general, however, this perception of Cloud having heightened security issues is unfounded. In fact, if it were a known and accepted truth about Cloud-based services it would already be dead and buried as an IT delivery model. The reason for that is because of the With the Cloud however, the emphasis is able to shift further to protecting the data, and one increasingly common way of doing this is using company-wide policies that are implemented by monitoring tools and automated management and control systems. In essence, this approach bases security on what is deemed as `normal behaviour for a given data item. It is then monitored, in real time, for that behaviour and only if something occurs outside of the parameters of the policy is action taken and taken instantly. The policies applied can then cover a wide range of options, such as unauthorised access, out of time reading or writing (i.e. someone is allowed to access the data but is doing it at an unusual time), being transmitted to unauthorised recipients, either inside or outside the company, and so on. Cloud Forum IP Ltd

8 SECTION 1 Costs and economics: capital expenditure The `poster child message usually attached to the Cloud is its ability to reduce capital expenditure. This will in practice depend on what type of Cloud Service the user requires (See Section 2: `How to assess different Cloud models on `Private Clouds ) but in general it does hold true. For many smaller businesses it is now fair to suggest that their entire IT infrastructure will consist of a suitable connection to the Internet with enough ports to the (usually small) number of PC clients required. But the resources provided to the company by the service provider will be beyond the dreams of the finance and IT directors. This makes the Cloud an important option for most small to medium sized businesses. The key feature of the Cloud is that the business users do not have to own the IT infrastructure they are using, dramatically cutting capital expenditure on the acquisition of new systems, applications and systems software. In addition, they have the potential to save on the costs of real estate to house the equipment and the costs of air-conditioning systems. They can also save on the cost of staff training as well as avoiding the costs of teething problems and fingertrouble new installations bring with them. Operational expenditure By effectively off-loading the responsibility for the provision of IT resources to a service provider, the user is also able to reduce operational expenditure, often significantly. This is an area which normally consumes the majority of most companies IT budgets with most estimates suggesting 70 per cent or more being used up just `keeping the lights on. Tasks such as routine maintenance of systems and software, the patching of applications and ensuring all users have the latest updates and a hundred other tasks, all become the responsibility of the service provider. The cost of those tasks is then shared between the service provider s customers. Cloud Services also free up internal IT staff for more productive work, such as developing new applications and services, while reducing the time and costs of functions such as training on tasks now taken by the service provider. Better budget management Using Cloud Services gives users tighter cost control, coupled with the ability to define long term, predictable budgets. This is based on a switch to the annuity payment model where there are two basic models: either a regular, periodic subscription payment, or a pay-per-use model. Subscription model This is where the customer pays a fixed amount for the delivery of a fixed service level over a fixed period of time. Typically the payments are monthly and the contract term is yearly, although this is usually just one of several options. The one downside here is that there may be occasions when the demand level exceeds the contracted limits, so management of this possibility should be covered, in advance, in the contract terms. It does however provide a good basis for long-term budget planning and management, and is well suited to business models where the workload is fairly regular and predictable. Pay-per-use This is becoming an increasingly common approach to payment, particularly where Public Cloud or Infrastructure-as-a-Service or Softwareas-a-Service solutions are being used. This is analogous to the typical telephone service, where the resources used are metered on a cost per minute per resource `unit consumed model. It is particularly useful for services that have variable usage patterns, such as applications development and testing, and can save money compared to the subscription model if the usage is low or sporadic. It can have the disadvantage of allowing possible cost runaways if not properly managed, of course and many organisations still prefer to have a fixed price-per-month, even if they do not have a longterm contract. 8 Cloud Forum IP Ltd 2012

9 Energy management Your contribution to the overall energy costs of the service provider are covered as part of the annuity payment model. So you save on the energy costs no longer needed for either most on-premise IT resources (if going fully to the Cloud) or additional resources if upgrading existing infrastructure (and don t say you d turn off the old kit it nearly always finds a new use, even if it is not kept going running its original workload). Business transformation Finally, there is an underlying reason for just about every company to have an interest in moving to the Cloud, and that is Business Transformation. In a global marketplace where the next competitor, or major change in your marketplace, can come from a country you have never heard of, and when these changes are coming ever-faster, every business now needs to be in a state of constant transformation or at the very least readiness to transform itself. SECTION 1 You will also be contributing to a greater overall reduction in energy consumption as there is an advantage to be gained in datacentre size, at least up to a point. There are two issues here: one is the temperature management of the systems, which can require complex computer-controlled air conditioning technology, coupled with equally complex workload management systems. Even a one-rack on-premise `datacentre is likely to need careful temperature control and some managed air conditioning capability. So the bigger the datacentre the more systems there will be to share the energy management costs. The second is that the service provider s business makes them obliged to purchase the latest IT resources, and not just because they offer more capacity or faster performance, but also because better energy use is now a core part of the design of these new machines as governments push for Carbon reductions. Every upgrade of server they introduce is liable to allow them to serve more customers with at least the same level of service per customer, at the same level of energy consumption, and quite possibly less. 92 per cent of companies using Cloud Services are satisfied with their experience IT now plays a role in most aspects of business management, from product definition and design, through project management and onto marketing, sales and the final accounting. So, if the markets, the competition and the technologies and products are changing faster and faster, the IT systems needed to ensure a company stays in play will have to change and adapt just as fast. The fastest, most flexible and cost-effective way of providing the agility companies will need to transform themselves to meet these needs, is now through the use of Cloud delivered services. The Cloud is also becoming an excellent vehicle for an increasingly effective form of transformation, the building of collaborative services. There are growing opportunities for businesses both large and small to collaborate on projects that none of them could contemplate on their own. Cloud-based services make it easy to build collective, project-specific partnerships where the company with the most appropriate brand for the customer takes the `lead. Cloud Forum IP Ltd

10 SECTION 2 How to assess different Cloud models SECTION 2 Introduction One problem for any company looking to move to the Cloud for its IT services is that there are just so many different interpretations of the phrase Cloud. It seems, even to seasoned observers of the business, that there are as many versions as there are vendors claiming to be in the market. To an extent this is close to the truth, but some broad categories and definitions are starting to appear. As with any growth market, in the end many of these uses will start to disappear, and it will all become known as Cloud Services or just a model of IT Service Delivery. In the meantime, however, potential customers for Cloud Services need to be able to make sense of the terms currently being used within and around the Cloud `industry. What follows are some explanations of what the different categories of Cloud offer, and what they can be used for. this simile there are two key Families that exist in the Cloud Order, those that relate to how Cloud is commercially delivered (the Service Delivery Models), and those that relate to how the Cloud is technically deployed (the Cloud Deployment Models). The phrase Cloud should be considered in a similar context to that of a biological taxonomy of an Order under which a number of Families, Genus and Species exist and continue to evolve. Following 10 Cloud Forum IP Ltd 2012

11 Cloud deployment models Private Cloud This uses Cloud architectures to build a Cloud Service that is private (i.e. accessible only to) the business or its authorised users. It s objective is to provide the flexible benefits of Cloud Computing but for an organisation specific capability. Private Clouds can be established in-house (on-premise) or be accessed as a hosted service from a third party. They can be physical (i.e. utilise dedicated hardware and networks) or can be isolated as a virtual Private Cloud. Private Clouds tend to follow on from a decision made by a company to consolidate and virtualise its existing IT resources. This can mean upgrading the existing hardware to the latest, more powerful servers and higher capacity storage while using software tools that allow multiple virtual servers to be run on one physical machine or accessing a third party hosted IaaS solution. This provides the systems infrastructure that allows Cloud Services to be developed and deployed. Like all Cloud Services, the Private Cloud offers a compromise between services, security and cost. These systems are normally favoured by larger enterprises that already have extensive IT resources and well-established applications. Here, the existing IT management team will be tasked with the job of establishing and managing the services. Cloud Service Providers who offer Private Cloud capability as an IaaS solution enable the customer s IT team to manage the solution and maintain security but located in datacentres that specialise in providing just the facilities. The advantage here is the ability to off-load the cost of providing and managing the facilities component, coupled with location in a specialist centre where such costs can be shared. They therefore make good locations for those applications that do not require much management intervention. The primary trade off with Private Clouds is between security and cost. The biggest fear most companies have about the Cloud is that their data no longer appears to be under their direct control. Instead it is at the perceived `mercy of a third party service provider. For many businesses this is still considered an untenable situation, so having Cloud Services that are private to that company alone increases at least the perception of security. In practice it does also allow companies to apply their own specific levels of security, which may well exceed anything available from the service provider community. Set against this, however, is the fact that if a Private Cloud Service is delivered on-premise, and therefore still a capital project and the full responsibility of the company. It will therefore not gain any of the benefits of reduced capital and operational expenditures which are amongst the Cloud s key selling points. Indeed, because on-premise (as opposed to third party hosted) Private Cloud Services are likely to be additional to existing on-premise applications, not all of which will necessarily be replaced by the Private Cloud, use of this approach is in fact likely to increase the overall cost of providing IT services. Demand for third party hosted Private Clouds is growing, however, with service providers offering more full service models that give users far greater control over specifying the environment they require from resources that are run and managed by the service providers. This is, in effect, providing full Private Cloud capabilities on remote resources. SECTION 2 Cloud Forum IP Ltd

12 SECTION 2 Public Cloud Public Cloud Services have their lineage in the public information services that emerged not long after the World Wide Web started getting popular. Search engines such as Bing or Google and information directories such as Yell have naturally led demand for more user-interactive services such as Microsoft s Office 365 solution. Now it has developed in a number of directions, with two of the main ones being the provision of IT resources to companies and individuals looking to build Cloud Services, and the provision of pre-packaged services that can be signed up for and used as an alternative to building Cloud Services from scratch. The provision of fairly generic IT resources is already an extremely popular approach with many users. The business model is straight forward, as the service provider invests in establishing large fully equipped datacentres where customers can gain access to the resources on a pay-per-use basis. At its simplest, a customer can log on to the service, fill out an online form specifying the resources required and the time period they are needed i.e. `n virtual servers of `y specification, `XYZ operating system and applications, `n Gb of storage, and `ABC communications services for 14 hours starting at midnight and then just pay for it with a credit card. The service is built on highly virtualised computer resources, which means each server is capable of running multiple virtual servers. This is often referred to as a multi-tenanted infrastructure. Increased flexibility and faster access to IT are bigger drivers of Cloud adoption than pure cost savings The downside is that the users have no control over what specific resources are used, apart from the fact that they match the required specification. There is also no control over which other customers or applications are sharing the same physical resources (though from a security perspective each customers data and access is isolated), or which is given priority by the systems management tools. This approach is therefore often seen as presenting a high level of security risk. For companies that feel they need a high level of security and/or robustness of service levels this approach may be considered unsuitable. One important factor is that it does assume a minimum level of IT knowledge and skills in order to exploit it properly. In practice, it is perfectly possible to engineer suitable security services and upload them as part of the overall service they will only consume some storage and compute resources after all. But that does require the purchase of the right applications, or the employment of someone with the appropriate skills needed to build the applications, both of which increase the costs. There is now an alternative to this essentially DIY approach, and that is to use the pre-packaged services that are now available from the likes of Microsoft and Google. Here users can sign up to use the common applications that they already know, and the range of applications available is growing. Both offer the typical `Office set of applications and these can often fulfil the needs of the typical very small business. But now both can also source additional business applications, Microsoft with its rich portfolio of products starting to come through as Cloud Services, and Google with its Google Apps Marketplace. Both of these offer businesses the tools needed to rapidly and easily build applications and services that meet their needs and are available either as pay-peruse or small subscription basis. The upside of this are the cost benefits of scale based on generic feature sets. The user has no resources to pay for themselves, and only pays for the time the specified resources have been in use. This keeps operational costs to an absolute minimum. This approach does, therefore, fit well with the budget requirements of small businesses. While they look good from a commercial point of view, they do have the same perceptual challenges to overcome in demonstrating transparency and capability to end users, particularly around the typical about data security and service levels which need to be overcome and demonstrable. 12 Cloud Forum IP Ltd 2012

13 There can also be a problem for some users with the issue of data sovereignty when there is legislation in place as to where the data generated by the business is stored. It is not possible for users to specify where such data is stored, though if the service provider does not have a datacentre in the same country as the customer the latter can be reasonably certain that data sovereignty regulations will be broken. Such situations obviously need to be seriously considered by the customer company to determine if sovereignty is a material issue from a regulatory or legal perspective. One solution here can be found in the fact that these services are also attracting the interest of some of the major Cloud Service Providers, which have realised that they can partner with the likes of Microsoft and Google to provide additional specialist services to customers that want what Microsoft or Google offer but need more. The more will obviously come at a price, of course. Hybrid Cloud and Hybrid IT This, as the name implies an amalgam of both Private and Public Cloud approaches. In practice, it should be a totally flexible balance between the two approaches, with each user company having its own variation on the theme. So a Hybrid Cloud will be whatever service environment a company requires to ensure its business operates effectively, leveraging either Private or Public Clouds depended upon application types, locations and levels of integration and sensitivity of data. For the foreseeable future, many organisations will want to run a Hybrid IT environment, where it will be able to integrate existing legacy applications running on on-premise systems, Private Cloud environments that may have been established on-premise and/or running on systems in a third party facilities-management datacentre, or on third party fully managed resources. And to this will be added whatever components from the Public Cloud that are required, which could range from integrating maps with an application to a company-wide service. Service delivery models Infrastructure-as-a-Service (IaaS) This is generally accepted as the building blocks of Cloud Services, aimed at meeting the need of a customer company for some raw IT resources. The customer is then largely left to their own devices as to how those resources are configured, loaded, optimised, managed and all the other requirements of running any services. It will normally consist of the specified number of servers which will often be virtual systems rather than physical boxes as well as raw data storage facilities, virtual LAN and network connectivity and some basic software tools such as load balancers. In essence, this type of service is the provision of the IT components required to set up a Cloud-based service and as such will mean that the customer provides the majority of the skills needed to actually make the service work. So this can be a good option for tasks such as Private Clouds or application development and testing where a company s IT staff will have the skills required. The service provider is often only contracted to provide and sustain the infrastructure and enable efficient reconfiguration as needs dictate what is run on the infrastructure and how it is run is entirely down to the customer. Such service providers usually compete on the basis of price, or perhaps the granularity of time-slices that can be purchased or contractual commitment. Data security and privacy is the number one concern to address for most prospective Cloud users SECTION 2 In the end Cloud is an IT delivery model. Indeed, there are already people within the IT industry that would prefer to see the term `Cloud fade away, for what is really being talked about here is just a different delivery model for the IT services that companies require to run their businesses effectively. Cloud Forum IP Ltd

14 SECTION 2 Platform-as-a-Service (PaaS) This is the next stage up from IaaS, and is the development platform for Independent Software Vendors and internal IT developers. Here, the objective is to provide the customer with a complete platform on which to build the services they require. This will, at a minimum, consist of a technology stack of server/storage/networking etc hardware together with an operating system and quite probably a couple of alternative operating systems some common programme language compilers and similar tools to ensure customer-specific applications will run, plus one or more popular database systems and a web server or two. The richness of the platform is in the way the applications can be built without the legacy constraints of individual servers as the platform manages the pool of infrastructure available to cope with scaling and flexibility. The costs here will obviously be more than for an IaaS solution but set against this is the fact that the services provided demand far less direct involvement by the customer company in establishing a working Cloud Service. The level of services provided is therefore becoming the ground on which the service providers are competing, either offering more support tools, such as additional security services, or specialisation in specific applications technologies (up to and including consultancy services). Over 80 per cent of UK businesses stated they wish to keep data stored in the UK either on-premise or in the Cloud This last option is arguably the most comprehensive approach to building Cloud Services, as it is likely to come with considerable support and consultancy services if they are required. Set against this, of course is the cost and, it has to be said, the possibility of at least a feeling of risk that much of the service creation is effectively out of the customer s hands. The answer here is to not only seek advice and recommendation but also to look for the existence of relevant Codes of Practice and the service providers ability to adhere to them. Software-as-a-Service (SaaS) SaaS is already a very popular route taken by companies looking to use Cloud-based services, for the objective is to provide everything that the customer company requires for a specific task. The service provider, normally with a strong background in a specific applications type, packages up that application in a generic form, whilst enabling some local configuration by the end user, together with a wide range of support tools and makes it available via web. The key difference, however, is that CSPs run the applications from their own datacentres, providing customers with the application s capabilities as a service. That means there is no requirement for the customer to build, run or maintain any IT resources beyond those which are required to connect and work with the online service. Signing up for an account gives the customer the rights to build their own implementation of the application, which can range from adding a company logo to standard processes through complete tailoring of the capabilities to meet the business needs. The service provider is responsible for providing all of the tools needed to perform the configuration tasks, as well as consultants capable of assisting the process at any level. There is also a growing trend towards service aggregation offerings where a service provider will target a specific, if reasonably broad, vertical market sector such as retail businesses. Here, the objective is to pull together and loosely integrate all the tools and applications that can play a role in any company building a service that fits their need. The customer then selects from a list the tools and applications that build the specific services that meet their business needs. The service provider is also responsible for all aspects of management and delivery of the service, which frees up the customer to concentrate on their core business. The most successful of them are also extending the reach and capabilities of their service offerings in a number of ways such as building comprehensive applications development suites that piggy-back off of their core service. 14 Cloud Forum IP Ltd 2012

15 The two key advantages for using the SaaS model for delivering Cloud Services are speed and cost. For a small business with relatively simple requirements it can be a matter of a few hours to set up a SaaS service and have it running. This makes it a highly suitable option for many small to medium sized businesses and start ups in particular as it requires no investment in any IT resources other than the client devices needed for the staff working with the service, and an appropriate Internet connection through which those staff connect. This also, of course, makes a good justification to use SaaS for running the specialised needs of departments in large enterprises or for generic solutions across the entire enterprise. Costs are cut for the same reasons. The removal of any need for investment, not only capital investment in systems, support tools and datacentre facilities but also in the staffing and management of such resources, gives the finance side a company a clear and simple budgetary picture with which to work. It does have to be borne in mind, however, that working with many SaaS providers can in effect be similar to a `lock-in for the customer. In practice, of course, this is nothing new in the way many traditional application software businesses have operated and customers are normally well-versed in such relationships. The one difference here is that, while users can continue to use traditional applications despite the demise of the vendor at least until it becomes totally unsupportable by the customer itself with SaaS the service itself could disappear, leaving the customer with nothing to work with and as such the path and timing off of a SaaS solution needs to be understood before embarking upon use of such solutions. This is, therefore, an important area about which to seek advice, recommendations and the like, and to seek out and exploit all relevant Codes of Practice. SECTION 2 One of the core considerations for SaaS, however, is the fact that not only is all the customer s data held by the service provider, but so are all of the business processes which run the customer s business day-to-day. The issue of customer data is relatively easy to resolve as part of any service contract to ensure title and portability, which can specify how often customer data is to be copied and sent to the customer. There will, of course, be a fee for this. However, interoperability between SaaS applications and other customer IT systems should not be assumed and should be validated prior to entering an agreement if this is a key consideration. The most sensitive areas of data cited by companies related to employees and accounts The issues surrounding business processes and their potential for portability in the event of either dispute between service provider and customer, or the failure of the service provider as a business can be less clear cut. This will, therefore, need to be a subject of detailed negotiation between the two parties. There are some escrow services that have been set up with this mind, aiming to act as repositories of copies the latest customer business processes and other operational details. Cloud Forum IP Ltd

16 SECTION 3 How to review Cloud contracts Introduction The arrival of the Cloud-based IT delivery model not only changes the relationship between companies and the technology they use but also creates new relationships between customers and the companies that supply the IT services that are now consumed. This means there arise some significant changes in the responsibilities between the two parties, of which both need to be aware of and formally encapsulate within the supply contract. SECTION 3 The move is away from buying hardware systems, software licences and implementation services to consuming services that are run on systems and applications which are owned by a third party, which in the case of software might not even be the party that is actually providing the services. When it comes to the Cloud, therefore, the supply chain is fundamentally changed and the accountability of potentially multiple parties involved in the delivery of an IT service needs to be clearly established. There needs to be a service provision contract between the customer and service provider as the service provider is taking more direct responsibility for ensuring service delivery for the customer and as such their failure would have more direct consequences than the historical on-premise model where the end user is in control and accountable. Obvious, yes, but don t assume all CSP contracts are appropriately worded to reflect this shift in responsibilities. This means many old rules of behaviour will change for customers, bringing changes that will require clarity and potentially some serious negotiation between the customer and service provider if problems are to be avoided. As an obvious example, it is still quite typical for users both individuals and businesses to simply tick the `Yes box for accepting software licences or online services and in practice it is a rare if ever occurrence that a real problem or legal disagreement occurs. When it comes to the provision of Cloud Services, however, the level of service that might be delivered by any service provider has the potential to be anywhere between excellent and very poor, if only, by example, a service provider over-stretches its capabilities in some way. Then there is always the potential for a less professional CSP to have less-than-honourable intentions. There are really only two ways of protecting a business and ensuring it gets the best possible service. One is to use an external touchstone, such as the Cloud Industry Forum Code of Practice, which is adhered to by all service provider members of the Cloud Industry Forum. The other is to ensure that an appropriate contract is drawn up between the business and service provider that covers all the relevant operational components of the relationship between the two parties. This section, therefore, aims to identify the typical and relevant areas of agreements that would be customers need to consider and have settled as part of any contract negotiation. 16 Cloud Forum IP Ltd 2012

17 Key Areas For Contract Review and Negotiation Automatic renewals This is a classic example of the type of contract clause that passes many people by without challenge, not least because it runs so counter to the traditional pattern of making a single payment to buy a licence, followed by on-going payments for maintenance and support. Here, the risk is that the whole service is renewed at the end of the contract period, as is, with no reference to the customer. For many users, particularly those with a regular and unchanging set of business processes, this approach can be a reasonable practical solution. This is, however, a contract item that really should have a genuine cut-off point, with the objective of validating on-going requirements and enabling changes if needed before renewal takes place. This is actually in the user s interests. For a start it forces the user to consider their IT resource requirements in terms of what processes are currently being run and what might be required during the next contract period. It also forces them to consider the service being received is it reliable enough? Is it fast enough? Is it available when required? If not, what are the contract implications of upgrading the service? Other issues here concern cost. For example, assuming that the service requirement does not need to change reliability, availability and performance are all considered good and the business process and workload levels have not changed then it is certainly sensible for the customer to validate costs and current market rates. But for many customers the Cloud is going to mean expansion of their service requirement, particularly as they learn to exploit the flexibility and attack new markets with the business agility now available to them. Having a `formal sign off of a renewal in the contract gives customers a point where they can proactively negotiate service improvements, expansions and upgrades, rather than having cost increases determined by the service provider at the point of desperate customer need. Liability for data loss This is an obviously important subject for any business and really should be one of the most important components of any contract. A recent survey by the Cloud Industry Forum found that 34 per cent of end users said their service provider excluded liability for loss of data as part of the contract. What is of more concern, of course, is the fact that 37 per cent of end users did not know whether their service provider did or did not exclude data loss liability, which would tend to suggest that they had not even asked about the subject. 77 per cent of decision makers include Cloud as a viable option for consideration in new projects The most important question here for the customers is just how important their data is to the running of their business. It is hard to imagine any situation where such data would not be the life blood of the business, so either protecting it in some way, or establishing a compensation value for it where fault is directly attributable, will be a core part of contract negotiations. One of the best approaches is for customers to negotiate with the service providers on options that mitigate the impact of data loss. An example here is customers ensuring they have a relatively up-todate copy of their data in some form, or contract for a back-up solution. It will be up to the customer to determine the degree of `relativity here, as spooling off current data, or even just changed data since the last copy, will take time and therefore cost money. The customer must therefore decide whether an hourly, daily, weekly or whatever copying of the latest data is provided by the service provider, which will depend largely on the nature of their business. In addition it will be in the customer s interest to negotiate the level of Business Continuity and Disaster Recovery services available from the service provider. Again, this will be a trade-off between the cost of the additional service and the possible impact of service failure on the customer s business. SECTION 3 Cloud Forum IP Ltd

18 SECTION 3 Service resilience and termination There is always the chance that the best engineered and managed service will fail for some reason, so part of any contract negotiation will need to revolve around how such situations are managed. The survey conducted by the Cloud Industry Forum showed that overall, some 45 per cent of customers had established a plan with the service provider in the event of a sudden breach of service. This did rise to 51 per cent for customers with over 200 employees, but even that suggests that many more companies should be thinking about such factors. Customers do need to know what is possible for the service provider to achieve in order to keep customer services running. For example, do they have relationships with other service providers to which the service can be ported, or indeed is the service provider well-established enough to have multiple datacentres available? As an example of what is possible, Microsoft tells of how it was able to port much of its Japanese business overnight from its local datacentres to its datacentres on the west cost of the USA when earthquakes, Tsunami and after-shocks rocked that country. Customers will also need to look closely at service provider contracts for clauses allowing them to suspend services under certain circumstances, such as `emergencies. It will be in the customer s interests to negotiate specifically about the definitions of such terms to ensure there are no misunderstandings. Irrevocable loss of service is also a possibility that has to be considered. The most likely reason for this will be the failure of a service provider as a business; though it could also stem from a serious dispute between the parties. There will be a need to negotiate the procedures to be adopted under such circumstances. One possibility that might work with service providers using third party datacentres is to negotiate a contract that includes an agreement that the datacentre business takes over running the service in the event of the service provider s failure. This could be for a short period of time, say one month, giving the customer both continuity of business and sufficient headroom to negotiate a replacement service. One final option is to negotiate a contract clause that gives the customers the right, should the service provider become insolvent, to be able to get a copy of their application along with their data. This is effectively a form of the `source escrow already popular with traditional applications software. Again, CSPs should follow best practice such as is set out in the Cloud Industry Forum Code of Practice which CSPs can self-certify to. Service level agreement (SLA) SLAs are the day-to-day lifeblood of the relationship between the customer and the service provider, for they determine what the one side expects to receive, and informs the other side on the minimum level of service they are expected to receive. As such, negotiating the contents of SLAs is a vital part of the agreement between the two parties. What factors should be considered as part of any SLA will, of course, depend on the customer s type and size of business, so they are very much a subjective choice. In addition, using Cloud Services opens up the opportunity for the customer to specify them in two different ways. Again, the terms of reference for the SLAs and definitions of at least some of the terms used will be an essential part of such negotiations. It is something about which both parties need to be absolutely clear and in agreement. Options here include taking backup data to another provider, together with having a contingency plan for accessing it quickly, though another service provider may not be able to help a SaaS customer as it is the combination of data and system that is important. In most cases, one or the other in isolation doesn t really work. A useful step might be to request to see the financials of the company or at least enough data to understand how much cash they have on hand and how much cash they are burning. 18 Cloud Forum IP Ltd 2012

19 The following are two suggestions for areas where setting out detailed service levels can be valuable to both parties. Up time This is a measure of the reliability of the service being provided. Naturally, every customer will want their service to be available to them every time they require it, so the first step will be for the customer to assess just when the service is being used. For example, does the business just work an eight-hour day/five-day week? Is there any requirement for night or weekend working? If so, how much and how important is that requirement? There can be a tendency for customers to want and expect a service level that they could never truly need or achieve on premise and as such focusing on the key issues and expectations is critical. Is a 100 per cent uptime guarantee needed, and if so what premium are you prepared to pay for such a service vs a 99.9 per cent guarantee? Also important is the actual workload during `working hours. This can vary widely of course, from also continuous key-entry types of job that are generally low on resource utilisation, through to sporadic, resource-intensive tasks such as risk analysis processing. This will require the customer to have a clear idea of what their time and resource requirements are likely to be. With such information the service provider can understand the workload the customer will deliver and when, allowing it to plan allocation of resources, planned downtimes for maintenance or upgrade and all the other management requirements. It also allows both parties to determine and negotiate what happens when unplanned down time occurs. For example, can the customer s business survive for five minutes, an hour, or even a day? It will also allow both parties to define and negotiate around the business impact of such a down time. Response time This is a measure of how the service performs and what the minimum performance the customer expects to receive. It can also set worst-case performance figures beyond which the service provider might be considered to be in default. There are a number of technical ways in which this can be measured, and it will be the customer s responsibility to make sure they understand the terms being used when determining the service level required. A typical measurement is the time taken for the service to respond to a specific input from the customer. That duration is a key factor which customers will need to work out, often quite precisely. For example, a database query on the credit-worthiness of a specific customer could take two seconds without affecting business, while failing to commit to a trade on the stock market in under a millisecond could easily lead to financial ruin. The key here is for the customer to determine what the worst case response time is it can live with, without causing damage to the business. For some of them, defining this in business terms will help them understand the importance of these issues. For example, a 10 per cent drop in online sales may be bearable for up to 30 minutes, but a 5 per cent drop in sales for half a day could be seriously damaging. Most service providers will, in most cases, be happy to work with customers to identify the most important services levels and set what they should be. It is essential for customers to ensure that they have the necessary network bandwidth for its users to access the Cloud Services as the service provider will be able to accept responsibility for, and accurately monitor, the performance of its services but it can take no responsibility for the external networks and internet where latency and congestion can arise. SECTION 3 59 per cent of organisations claim they trialled a Cloud Service before they contract for it Cloud Forum IP Ltd

20 It is essential CSP contracts are formally read and reviewed with the focus on the responsibility of parties being clearly understood. The culture of just clicking an online form to accept terms and conditions without review has to be discouraged, not because online acceptance is wrong, but rather to ensure both parties enter a relationship with clear understanding of each other s needs and expectations where relevant. The changes in responsibilities when embarking on contracting a first Cloud Service are manifold and subject to influence by industry sector, regulation, complexity and security to name but a few. Some of the more common issues to consider are: Jurisdiction: Under which countries laws is the agreement written and is this acceptable? For example, a UK business acquiring a US service under US laws may have greater restrictions on the CSPs liabilities compared to a UK or European supplier. Data sovereignty: Can the CSP commit if needed to ensure customer data is only ever held and maintained in a specific territory? SECTION 3 Data transfer: Is there a documented process, format, timeline and cost (if applicable) for the transfer of data on to the service at commencement and off of the service at the end of the contract (whether by natural end of forced termination)? Parties to the agreement: Does the CSP offer full accountability for the services it relies on to deliver the Cloud Service (e.g. if it uses a third party datacentre or application component). Is there a transparent path of accountability for all parties involved in the delivery of service and has the CSP confirmed its accountability or does it carve out exceptions? What is the impact upon service levels and escalation processes to ensure service levels are achieved if there is a failure at any point in the supply chain the CSP depends upon? 20 Cloud Forum IP Ltd 2012