Sebis Study: Cloud Adoption and Strategy 2013

This publication can be cited as: Monahov, Ivan; Shumaiev, Klym; Matthes, Florian: Sebis Study: Cloud Adoption and Strategy 2013, version 0.9, December, 2013. Ivan Monahov, Klym Shumaiev, Florian Matthes Sebis Study: Cloud Adoption and Strategy 2013 Impact on the Enterprise Architecture and Future Challenges for Research and Industry Version 0.9, December 2013

Contents Contents... ii 1. Motivation... 4 2. Interviews Setup and Process... 6 2.1 Identification of Experts for the Interviews... 6 2.2 Guidelines for the Interviews... 6 2.3 Interviews Planning... 6 2.4 Interview Process... 7 3. Analysis of the Interviews... 8 3.1 Current Cloud Service Models Usage... 9 3.2 Current Cloud Deployment Models Usage... 10 3.3 Cloud Management Structures and Team Setups... 11 3.4 Typical Cloud Usage Scenarios... 13 3.5 Typical Cloud Adoption Strategies... 13 3.6 Typical Drivers and Goals for Cloud Adoption... 15 3.7 Typical Cloud Adoption Challenges... 16 3.8 Typical Information Sources... 17 3.9 Impact of Cloud Adoption on the Overall EA Structure... 18 3.10 Possible Topics for Future Research... 20 4. Summary and Outlook... 22 5. References... 24 6. Appendix A: Interview Guidelines... 25 ii

iii

1. Motivation The existing scientific and practitioner literature, e.g., (NIST, 2011a) provides extensive information regarding different Cloud service models, e.g., Infrastructure as a Service (IaaS) and Software as a Service (SaaS), different Cloud deployment models, e.g., private Cloud and public Cloud as well as various security and legal aspects. However the perspective of enterprises as Cloud solution consumers remains underrepresented in literature. More precisely, there is yet no clear overall picture of the current Cloud adoption and strategy of German large-sized and internationally operating organizations and thus no coherent description of current and future challenges. To close this gap, we designed and started this study on Cloud Adoption and Strategy 2013, see Figure 1. For this purpose, we defined following four research questions guiding our research: RQ 1: What is the current Cloud adoption in German large-sized and internationally operating organizations? This research question is refined by following four sub questions: o o o o o o o RQ 1.1: What Cloud service models are used? RQ 1.2: What Cloud deployment models are used? RQ 1.3: What are the existing Cloud management structures and team setups? RQ 1.4: What are typical Cloud usage scenarios from an enterprise perspective? RQ 1.5: What are typical Cloud adoption strategies from an enterprise perspective? RQ 1.6: What are typical drivers and goals for Cloud adoption? RQ 1.7: What are typical information sources in the area? RQ 2: What are current and future challenges related to Cloud adoption from an enterprise perspective? Answering the first research question, we are able to provide a coherent overview of the current Cloud adoption in Germany. This supports the further investigation of current and future Cloud related challenges for enterprises and enables prioritization of these challenges. RQ 3: What is the impact of Cloud adoption on the overall Enterprise Architecture (EA) structure? According to practitioners literature, many organizations from our target group already are using Cloud solution in their daily business in terms of IT support for specific business processes. However, the usage of Cloud solutions has an impact on the IT architecture of the organizations and therefore needs to be architected to ensure the alignment of business and IT architectures and thus an effective, efficient IT support for the business. As a commonly accepted technique to achieve this alignment (Aier, et al., 2008), organizations employ Enterprise Architecture (EA) management. It aims to provide a holistic perspective on the enterprise covering business as well as IT elements, to ensure a common language for a multitude of stakeholders and to collect information from different sources to provide a consistent decision base. Answering this question, we are able to formulate hypotheses regarding the impact of Cloud adoption on specific parts of the overall EA structure as defined by (Buckl, 2011). RQ 4: What are possible research topics in the area of Cloud adoption? Answering the previous introduced tree research questions, we could identify gaps in existing literature, approaches and frameworks from the perspective of German large-sized and internationally operating organizations as Cloud solutions customers. Consequently, we could propose concrete research topics which may be addressed by future research. 4

Due to the limited number of existing literature, we designed our research according to the expert interviews process proposed by (Mieg, et al., 2005) for the field of qualitative empirical research. Thereby, originating from social science, expert interviews are used to collect reliable data for the research. According to the authors, scientists involved in qualitative empirical research have to study first the existing literature and to build up their own expertise in the given field of interest. Thereafter, well-designed interviews based on the existing body of knowledge with appropriate experts can provide additional data for the research process. Figure 1: Overview of the applied research process and created research artifacts based on (Mieg, et al., 2005) Figure 1 illustrates our research process and describes the structure of this report. In the first step Define research questions we define and document the four research questions introduced above. The next four steps Identify experts for interviews, Create interview guidelines, Plan interviews, and Conduct interviews, as well as all related artifacts created during these steps, are described in Chapter 2. The step Analyze interviews is described in detail in Chapter 3 and the initial hypotheses regarding the impact of Cloud adoption on the overall EA structure based on the preliminary results of our survey are presented. The last step Publish results is covered by this technical report. This document is available for download on the home page of our chair. In Chapter 2, we provide a detailed description of the interview process and its setup. Thereby, we describe the identification of appropriate experts for the intended interviews, the created interview guidelines and the interview schedule. 5

2. Interviews Setup and Process In this chapter of our report, we describe the setup of our interview process, covering the phases Identify experts for interviews, Create interview guidelines, Plan interviews, and Conduct interviews of our research process according to Figure 1. 2.1 Identification of Experts for the Interviews According to (Mieg, et al., 2005), the selection of appropriate experts for interviews in terms of data collection for qualitative empirical research is essential. The authors define the term expert as a person with fundamental knowledge of a specific area based on several years of working experience. More precisely, the authors recommend selecting experts with more than 10 years of relevant working experience. According to the previously described expert selection criteria, we identified a set of 49 C-level and upper-level IT managers from a list of over 700 contacts in IT management positions known to our chair. All of these 49 experts are currently working for internationally operating German enterprises and thus represent the companies which are the focus of our research. The experts were invited to participate in the study by personalized invitation letters. Thereby, the invitations contained next to the description of our research initiative, the options to either participate personally as interviewee if suitable, or to forward to us the contact data of the right experts for the intended interviews within the organization. 2.2 Guidelines for the Interviews To support structured expert interviews according to (Mieg, et al., 2005), we prepared interview guidelines based on the findings in literature and consisting of 26 mostly open questions. For the majority of the questions, possible answers based on literature were prepared. However, the capability to document also unexpected answers by the experts was ensured. The questions from the catalog weren t shown or communicated to the interviewees in advance or during the interviews to avoid influencing their responses and to be open to new thoughts. This approach supported the identification of surprising (unexpected) results as documented in Chapter 3. The complete interview guidelines can be found in Appendix A: Interview Guidelines of this report. 2.3 Interviews Planning Until the end of December 2013, we received eight positive responses for participation in our study. Thereby, we were able to conduct already five interviews and other three will take place in the first quarter of 2014. In two cases, we received new contacts forwarded as the right interview partners for our research, in three cases the invited experts participated personally in the study. In two cases, we had two participants during an interview since our contact person invited also a colleague involved in related activities within their organization. The participating interviewees stated to have following positions at the time of the interviews: Head of technology architecture Junior architect Solution architect consultant IT strategist Managing director & vice president Enterprise architect Chief architect 6

The five interviews took place on October 8 th, October 14 th, October 17 th, October 23 rd, and October 29 th in 2013. All interviews were conducted without interruptions. During the interview on 8 th of October 2013, we realized that the interviewed two experts can provide more and detailed information as initially expected. Therefore, we conducted a second phone call for approximately one and a half hours in the afternoon during the same day to collect further information and input. 2.4 Interview Process All interviews were conducted live either in a phone call (80%) or in a personal meeting (20%). The average duration of the interviews was 1h 10min. During each interview, our chair was always represented by two members. One conducted the interviews and moderated the talks. The other one took notes of the talk and recorded the interview (having the goal to simplify the transcription phase afterwards). Thereafter, we created a transcript of the interview based on the notes and recordings. The results of the analysis of the collected input are described in detail in Chapter 3. 7

3. Analysis of the Interviews To answer our research questions, we use following structure for organizing the sections of this chapter as illustrated in Figure 2. Thereby, every section summarizes the feedback from the conducted expert interviews for each of our research (sub) questions in respect to their order as presented in Chapter 1. Figure 2: Mapping of the research questions to the sections of this chapter. To provide a comprehensive and uniform description of both general and surprising findings for each of the sections bellow, we apply following description structure: 1. Short title as recommended by literature (Kütz, 2009), a short and unique title will enforce readers to easily decide whether they want to continue reading the given finding category, or to continue with the next one. Further, the title supports searching in the document and provides a terminology base for discussions regarding the findings with interested experts in future workshops. 2. List of related interview questions supports readers in understanding the scope of the interview. 3. Description provides a detailed overview of the collected input. In these parts of the report different opinions, understandings are documented, based on the provided input from the participating experts. Hereby, we aim to document the full range of answers and not to synthesize a shared understanding. Consequently, some of the documented opinions given by the interviewees are conflicting. 8

3.1 Current Cloud Service Models Usage Interview Questions: Is your organization currently using or planning to use Cloud solutions? Which type of Cloud service models do you use? Analysis of the Answers In this part of our survey, we focused on getting a general understanding of the actual Cloud service models usage in large German enterprises. Thereby, we used the commonly accepted NIST (NIST, 2011a) definitions of following three Cloud service models: Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying Cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls) Software as a Service (SaaS): The capability provided to the consumer is to use the provider s applications running on a Cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying Cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the Cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying Cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment. All interviewed organizations confirmed, that they use at least one type of these service models. To be more precise, we gained the following feedback from the participants: IaaS is used by 5/5 of the enterprises, SaaS is used by 5/5 of the enterprises, and PaaS is used by 1/5 of the enterprises. Based on these finding, we highly recommend to all interested enterprise architects to reflect the current situation of their enterprises regarding this aspect. As long as PaaS solutions seem to be still not very prevalent, IaaS and SaaS solutions seem to be used by many enterprises from different industry sectors. Asked for a brief outlook on future developments in this area, one participant stated that PaaS solutions usage will be a part of their Cloud strategy, that currently under development. One other participant confirmed that PaaS solutions will play a bigger role in the future for their Cloud initiative. 9

3.2 Current Cloud Deployment Models Usage Interview Questions: Which type of Cloud deployment models does your organization use? Analysis of the Answers Next to the service models, we asked the interviewees to provide concrete insights in the usage of different Cloud deployment models. Thereby, we used the NIST (NIST, 2011a) definitions of following four Cloud deployment models: Private Cloud: The Cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises, Community Cloud: The Cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises, Public Cloud: The Cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the Cloud provider, and Hybrid Cloud: The Cloud infrastructure is a composition of two or more distinct Cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., Cloud bursting for load balancing between Clouds). Based on the feedback of the participants, we could observe the following usage of different Cloud deployment models: Private Cloud is used by 5/5 of the enterprises, Community Cloud is currently not used by any of participating enterprises (0/5), Public Cloud is used by 4/5 of the enterprises, and Hybrid Cloud is currently not used by the participating enterprises (0/5). These findings weren t too surprising and are in line with recent reports in practitioners literature. We could get the impression, that due to several legal issues enterprises are forced to use mostly private Cloud deployment models. For certain use cases however, public Clouds are also used. The two deployment models community and hybrid Cloud seem to be still not as widely used as public and private Clouds. Four of the participants also confirmed, that units from the US do use significantly higher number of Cloud solutions than units located in Europe (especially Germany) and China. The provided explanations for this phenomenon were: 1. A general more Cloud-friendly company culture in the US, and 2. Less restrictive data laws in the US compared to Europe and China. The first surprising finding in this section of the interviews was the interest in using so-called Business-Process-as-a-Service (BPaaS) Cloud service models. In terms of Garner (Gartner Research), BPaaS describes the delivery of business process outsourcing (BPO) services that are sourced from the Cloud and constructed for multitenancy. Services are often automated, and where human process actors are required, there is no overtly dedicated labor pool per client. The pricing models are consumption-based or subscription-based commercial terms. As a Cloud service, the BPaaS model is 10

accessed via Internet-based technologies. During the interviews, two of the participants mentioned this aspect independently from each other and without explicit questions from our side. Both stated that such Cloud service models (e.g., travel expenses management) will be gaining important in future and thus should be a subject of interest for Cloud providers, consultancies and enterprises. The second surprising finding in this part of the interviews was the interest in using so-called Database-as-a-Service (DBaaS) Cloud service models. In terms of Oracle (Oracle, 2011), DBaaS is an architectural and operational approach enabling IT providers to deliver database functionality as a service to one or more consumers. One of the participants mentioned this service model without any questions from our side and even confirmed interest and concrete plans for initial prototypical usage. After explicitly asking the other four interviewees about this Cloud model, two stated they were not aware of the concept. Two others stated they are aware of the concept, but they don t see any advantages for their enterprises by using this service model. The provided justification was the same in both cases leaving the business applications as-is and migrating only the underlying databases in the Cloud will lead to unnecessary increase of the complexity of their application landscapes without providing any clear benefits. Last but not least, we were surprised, that the participating consultancy and Cloud provider confirmed they are both separately working on new concepts and solutions targeting the integration ( orchestration ) of Cloud solutions for enterprises as target group. Obviously, their customers require more support and guidance for integration aspects, which existing frameworks currently don t provide. 3.3 Cloud Management Structures and Team Setups Interview Questions What is your the position? What is your organizational unit? Who are other people in your unit? If yes: How many? Which roles do they have? What are their responsibilities, background & focus? What is the role of your organizational unit / team? Is there a Cloud center of competence in your organization? What are important links to other IT management functions from the perspective of Cloud solutions management? Analysis of the Answers As expected, the picture drawn in this finding category is very divergent. By asking five different experts we got five different team setups regarding the question of responsibility Cloud solutions within the enterprises. The first enterprise stated they have a dedicated Cloud team within company consisting of seven employees with different backgrounds, experiences and positions. More precisely, the team consists of following members: Two experts from the IT strategy department, Two experts from the Architecture department, Two experts from the Cross-Functional Applications department, and One expert from the Global Security department. The motivation behind this setup is to ensure a high degree of orthogonal but relevant views within the team. The strategists focus on the alignment of the Cloud initiative to the defined and 11

documented overall IT strategy. The architects focus on ensuring the right architecture scope of the initiative by defining constraints to ensure financial benefits, transparency and homogeneity. The experts from Cross-Functional-Applications focus on the integration of Cloud solutions with existing services, applications, and infrastructure environment. The Global Security member focuses on integrating Cloud solution within the existing security architecture and providing answers to all related questions. The two participants representing the company during the interview also confirmed that the Cloud team is working in close collaboration with the legal department in terms of receiving clarification for emerging legal questions regarding data laws and other regulatory restrictions. This company can be considered as one of the big and internationally operating German energy enterprises. The second enterprise stated, that there is currently a dedicated Cloud team, however the setup is not final and still in improvement. The enterprise can be considered as internationally operating consultancy organization. The Cloud team is currently elaborating and defining different ideas and strategies from the consultant perspective for their international operating customers with the goal to support Cloud solutions integration, orchestration and increasing the value proposition. For this propose, the organization works with many of their customers as well as with several Cloud providers to establish a common vision, understanding and service offerings portfolio. The third interviewed company was an internationally acting Cloud provider, who answered our questions from the perspective of one of their major customers an internationally operating healthcare company. In this context, the interviewee confirmed, that their customer has a welldefined Cloud team responsible for developing and optimizing Cloud solutions. However, due to confidentiality agreements, the interviewee was not able to provide more details regarding the team size and exact team setup. The forth company can be considered as one of the major German engineering companies. The participating two experts during the interview belong to a central IT strategy and architecture unit with more than 15 team members. They confirmed that at the given point in time there is no dedicated Cloud team required and existing within the organization. The interviewees stated, that Cloud solutions can be generally used, if a business unit has concrete requirements, budget and permission by the legal department. The Cloud solutions are to be tailored to the specific needs of the concrete business unit and are developed, introduced and maintained by corresponding projects, which are audited as every other IT project by the IT architecture unit. Thereby, the responsibility for these projects is taken by the corresponding IT organization responsible for the business line. The fifth enterprise is a large German and internationally operating logistic service provider. The interviewee confirmed that to the given point in time no explicit Cloud team is defined and existing, but there is an ongoing initiative to setup such a team in the future. Currently, the responsibility for Cloud solutions is within the EA team consisting of about ten enterprise architects. According to our preliminary results, there is currently no common Cloud team setup identifiable in German industry for this point in time. However, we see a clear trend of involving experts from different units to ensure the right integration of Cloud solutions within the enterprise under consideration of the existing architectures, strategies and legal questions. In addition, enterprise architects guide, support and assess Cloud solutions from architectural and IT strategy perspective. 12

3.4 Typical Cloud Usage Scenarios Interview Questions What are concrete Cloud solutions currently in use in your organization? What are the typical use-cases for Cloud adoption within your organization? Analysis of the Answers After collecting input for the usage of different Cloud service and deployment models, we focused in this section of the interviews on identifying typical Cloud usage scenarios. Based on the provided information from the interviewees, we could identify the following four main scenarios: SaaS solution usage for the domain of human resources (HR) was confirmed by 5/5 enterprises. Thereby, 3/5 participants stated, they are using SAP SuccessFactors (with integration to existing SAP applications in their application landscapes). SaaS usage for the domain of customer relationship management (CRM) was confirmed by 3/5 participants. Thereby, two participants stated they are using Salesforce.com. One stated to use currently a Microsoft SaaS solution (initially used Salesforce.com but migrated to Microsoft based on their strategy) IaaS usage in terms of infrastructure hosting was confirmed used by 5/5 participants. All clearly stated, that infrastructure outsourcing is already done since many years and is well understood and managed in their enterprises. Three participants confirmed usage of Cloud solution also for the domain of software engineering. Thereby, all three stated, that Cloud solutions are used for both software development, as well as testing purposes Last but not least, 4/5 confirmed Cloud solutions are also used in terms of information management using mobile applications. Next to the previous general findings, we could document following four surprising findings in this category: One of the participants stated that certain businesses consume a so-called external IT service model. Thereby, these businesses are located mainly in the public sector, e.g., Olympic Games and marathons. These organizations typically have to ensure high availability only for a very limited period of time, whereas usually they have only at very load and little changes. Regarding to the interviewee, Cloud providers are interested in increasing the usage numbers of this service model. One of the participants confirmed rapid elasticity as a usage scenario for their enterprise. Thereby, Cloud solutions are used to provide decision support based on calculations of realtime stock-exchange prices having a very high speed of changes. Usage of measured services was confirmed by 5/5 participants. All interviewees stated they are using well-defined and customized service level agreements (SLAs) and monitoring techniques on both sides (provider and consumer) to measure and ensure the achievement of predefined quality goals. However, no one provided us a concrete example of such SLAs. The usage of broad network access was confirmed by 2/5 participants. Thereby, depending on the current location (country, place) and network connection of an employee, different Cloud solutions and applications are offered in combination with mobility services. One other participant stated this model raises a series of questions for the identity management within the organization. 3.5 Typical Cloud Adoption Strategies Interview Questions How important is Cloud right now for the IT strategy of your organization? How important it will be in the next 5 years? How important it will be in the next 10 years? 13

How do you manage your existing Cloud solutions? Do you have a defined Cloud strategy? What are existing / useful guidelines and best practices for Cloud solution? Analysis of the Answers In this part of the survey, we focused on understand the strategic role of Cloud for the participating enterprises. Firstly, we found that three of the participating enterprises intend to establish long-term relationships to Cloud providers. Thereby, the three experts stated that reliable Cloud provider partners are required since the intended Cloud solutions will support also critical business processes. Consequently, three of five experts stated that Cloud provider assessments do partially already exist in their enterprises. However, they all criticized missing documentation and guidelines for defining and designing such assessments in existing literature and frameworks. Secondly, we were surprised by the fact that currently none of the interviewees confirmed to have a documented Cloud strategy at present. Here we also got two conflicting answers. One of the participants stated, that Cloud solutions are currently not part of their IT strategy and will remain a non-strategic topics for the next couple of years. One other participant stated in contrast, that Cloud solutions will be an essential part of their future Cloud strategy and will even gain importance over time. In total, two of the five participants confirmed, that they are currently working on defining and documenting a concrete Cloud strategy for their enterprises. Thirdly, no expert confirmed having problems with so-called shadow IT using Cloud solutions. According to literature, due to time-to-market issues in enterprises, business units can start using their own Cloud solutions without informing the central IT. However, all participants were very convenient this is not the case for their enterprises, at least not on big scale. All provided the following argument since reduction of costs is an important goal for both the business and the IT, no big Cloud solutions can be paid by business units without getting discovered by the internal controlling audits. Fourthly, none of the participants confirmed interest in migrating their entire application landscape and infrastructure to the Cloud. However, two of the participants confirmed to be working on the identification of certain parts of the application landscape, which could be migrated to the Cloud, since this is interlinked with related goals increased transparency, increased homogeneity, improved availability and partially cost reduction. Last but not least, all participants confirmed they see a clear link between Cloud solutions and enterprise architecture on the one hand and between Cloud solutions and IT strategy on the other hand. According to the input, Cloud initiatives should always be aligned with the overall IT strategy and defined enterprise architecture. 14

3.6 Typical Drivers and Goals for Cloud Adoption Interview Questions What is the motivation for Cloud adoption in your organization? What are typical goals for Cloud adoption in your organization? What are obstructions for Cloud adoption in your organization? Who drives or prevents Cloud adoption in your organization? Analysis of the Answers In this part of the interview we were interested in gaining insight into the real goals and drivers for Cloud adoption by German industry. Consequently, this section contains a couple of expected findings in line with existing literature in the field. Nevertheless, we received also four surprising results, which we also describe in detail in the following paragraphs. The expected general findings for this finding category can be summarized as follows: All interviewees confirmed improved time-to-market ratio to be the most important goal of Cloud adoption for both business & IT. Thereby, the time-to-market ratio describes the ability of IT organizations to provide required IT services to a business unit ranging from the specification of the requested services, over the development to its deployment in a productive environment for business use. All participants confirmed business units to be a significant driver for Cloud adoption as supported by the previous findings for typical Cloud usage scenarios, e.g., HR and CRM. More surprising was a statement given by three of the participants, describing the demand and interest for SaaS solutions from business side as a response to the increased need for collaboration on the business level. Thereby, business units need to facilitate additional collaboration channels to partners and customers. One example given by an interviewee was the benefit of using sentiment analyses for marketing purposes based on data from different social media platforms. All participants confirmed IT to be a driver for Cloud adoption. Driven in by cost reduction and standardization initiatives e.g., on the infrastructure level, Cloud solutions are been forced by IT for a long period time. This finding is in line with the previous finding of IaaS solutions usage and high maturity level regarding this aspect in all of the participating enterprises. Three of the participants confirmed pressure from Cloud providers and consultants to be a driver for Cloud adaption. As the three interviewees confirmed, the pressure is left on both levels business as well as IT. Two of the participants confirmed C-level management pressure to be a driver for Cloud adoption. These participants described, that their C-level managers requested a concrete evaluation of possible cost savings in short-, mid- and long-term as a result of a migration of suitable parts of the application landscape, data and infrastructure in the Cloud. Next to these expected result, we were able to identify following surprising findings: Cost reduction was not considered as an important goal by the interviewees. Even in the two cases, where C-level managers were considered drivers for Cloud adoption, this goal was explicitly rated significantly lower than improved time-to-market. In addition, one of the participants stated that operational costs will even significantly increase during an initial 15

migration phase (short-term), but cost savings might be achieved in mid- and long-term as result of a concrete underlying business cases motivating the migration. Complexity reduction was not confirmed by the interviewees. Three experts even stated depending on the fact that they will not migrate completely, Cloud solutions will clearly increase the complexity of the IT environment and its management. Three of the participants confirmed scalability and availability to be only minor goals from their enterprise point of view. According to one of the interviewees, Cloud concepts will support IT departments to precisely express the cost of high availability to business units and thus to find the right availability model for the supported business processes. On the other hand, if high availability is really required for a given scenario, enterprises expect the same SLAs fulfillment ratio from Cloud providers as by any other outsourcing partner or their own IT department. Two participants confirmed that the CAPEX to OPEX shifting trend (capital expenses are shifted to operational expenses) is a relevant driver for Cloud adoption. 3.7 Typical Cloud Adoption Challenges Interview Questions What are your most important lessons learned? What are known integration issues? Analysis of the Answers This part of the interviews was the most interactive one and revealed a big range of questions, challenges and uncertainties in respect to the usage of Cloud solutions. The most prominent aspect mentioned by all interviewees was the very high uncertainty with data laws and regulations. All participants confirmed that different countries have very different data laws and regulations, therefore Cloud solutions can t be always used in uniform manner in all countries. As already described in section Current Cloud Service Models Usage, US units usually use a higher amount of Cloud solutions compared to Europe or China. Two participants confirmed a case in their organization, where the same business process is supported by a Cloud solution in the US and by a commodity solution in Germany as a consequence of regulatory restrictions. Additionally, it was also reported, that usually lawyers and experts from legal departments are consulted whenever a Cloud solution for a given problem is assessed, which significantly complicates the architecture design process. Secondly, four of the participants confirmed, that enterprises require a documented Cloud strategy. In addition, three participants reported missing standards and guidelines regarding the development of a Cloud strategy tailored to the needs of the enterprise and aligned with the overall IT strategy. One participant even stated that current legal regulations in Germany are too strict and basically prevent nearly every significant migration to the Cloud. For this purpose a simplification of security guidelines should be performed also by politics in Germany, as well as in the EU and other countries. Surprisingly, three interviewees reported they require more support and input from their Cloud providers and consultants regarding the integration of Cloud solutions. This finding however corresponds well to the previous one describing ongoing activities of Cloud providers and consultancies in this field. 16

Finally, three of the participants reported they were asked by CIOs to create a so-called Cloudservice-catalog, providing information of possible Cloud solutions and corresponding usage costs. However, the same three participants criticized missing related literature and guidelines describing how to develop such a catalog and how to organize its content. 3.8 Typical Information Sources Interview Questions Which external support do you use? Are there any internal events or training for Cloud solutions? What relevant literature sources do you recommend us to analyze? Analysis of the Answers In this final section of the interviews, we wanted to gain a broad picture of the current conferences, events and working groups where practitioners have the opportunity to learn about new developments in the area of Cloud computing, and to have exchanges and discussions with other experts. The first finding was that every participant reported to have understanding of Cloud and related areas. The participants well-informed about different trends and ideas, and were able to provide input to the majority of our questions. As expected, all interviewees were familiar with the basic term definitions provided by (NIST, 2011a). All participants confirmed as well additional detailed knowledge in at least one further Cloud reference model, e.g., the IBM Cloud reference model (IBM, 2011). Surprisingly, all participants reported a missing well-established Cloud conference in Germany. Thereby, three of the participants explicitly stated they require a forum for exchange with colleagues from other enterprises to exchange ideas and experiences from completed Cloud initiatives from the enterprise consumer perspective and where the Cloud providers are explicitly excluded. All participants confirmed that major Cloud events and conferences are usually hosted in the US by the Cloud providers. Thereby, the target group is upper-level IT managers, who in turn spread the knowledge and experiences gained in their enterprises. Last but not least, one participant reported about a Cloud working group as part of the SOA Innovation Labs (SOA innovation lab, 2013). This group was launched by several large German enterprises from different industry sectors to join forces and to influence the offerings of Cloud providers. This group has recently finished a guideline regarding the structure and a design method for Cloud strategies tailored to a predefined IT strategy. However, the group is a closed member organization and therefore the results are currently available only to their members. The results will be published in several steps to the public according to the rules of this organization. 17

3.9 Impact of Cloud Adoption on the Overall EA Structure Interview Questions How do you assess the maturity of your company in terms of Cloud architectures? What is the target maturity level for Cloud architectures you plan to achieve? Do you have a service fact sheet for the supported / offered Cloud solutions? Do you enforce Architectures principles? Do you have a defined Cloud reference architecture? What reference architecture blueprints are you using? How do you perform value tracking? When? By whom is it done? Do you use standard architectures? (Cloud Stack, Open Cloud, EC2) Analysis of the Answers According to all participants, every decision for using a Cloud solution, every negotiation of Cloud related SLAs, every movement of enterprise data to the Cloud has to be compliant with specific legal criteria. Depending on this fact, different countries may have to use different Cloud solutions and deployment models, or even have to stick to commodity solutions to provide IT support for specific business processes since the intended Cloud support may not be possible without violating laws. Legal aspects cover the entire range from business processes, over applications to infrastructure elements and thus have to be considered as a cross-cutting aspect. In analogy, security aspects are relevant for business processes, over applications to infrastructure elements business processes and should be considered another important cross-cutting aspect. Figure 3 provides an overview of the EA layers and cross-cutting as defined (Buckl, 2011) (all colored in white). Thereby, the EA structure consists of the architectural layers Organization & Processes, Applications & Databases, and Infrastructure Elements providing a white-box view on the underlying EA elements. These layers are augmented by the black-box views as abstraction layers Business Capabilities, Business Services, and Infrastructure Services. Finally, the structure is complemented by the cross-cutting aspects Visions & Goals, Questions & KPIs, Principle & Standards, and Strategies & Projects. Cross-cutting aspects affect all EA elements on the architectural layers. Therefore, we assume that the general EA structure has to be extended by the newly identified two cross-cutting aspects Legal Aspects and Security as illustrated by the two the shadowed blocks in Figure 2. Figure 3 Affected layers and cross-cutting aspects of the overall EA structure (Buckl, 2011) by Cloud adoption 18

In the remainder of this section we briefly describe how different EA layers and crosscutting aspects are affected by Cloud solutions based on the knowledge gathered. Visions & Goals Several answers to the interview questions indicate that this layer is affected by Cloud adoption. First, Cloud solutions support the achievement of manifold business and IT goals. Business units, e.g., marketing and sales require Cloud solution to improve their processes in terms of increased collaboration with customers and partners. Furthermore, Cloud solutions support integration and interconnection of different existing data sources within the enterprise (e.g., SAP SuccessFactors) and provide in addition transparency regarding the current state of related activities. Second, Cloud solutions also support the achievement of different IT related goals, e.g., reduced time-to-market, increased transparency over operational cost, improved usage information for services and applications, and higher standardization to just mention a few examples. In addition, based on the gathered feedback from the interviews, we assume that some organizations see Cloud adoption as part of their vision in terms of innovation and improved public image in respect to customers and partners. Questions & KPIs The usage of Cloud solutions is interlinked with many different questions and requires precise, welldefined and reliable monitoring. For example, enterprises have to answer following questions, when Cloud solutions are being used: Are the Cloud solutions compliant to laws and other regulatory restrictions? Are the Cloud solutions well-integrated into the existing application, service and infrastructure landscapes? Do the Cloud solutions provide the attended added value for their customers? How to adapt standardized Cloud solutions to specific needs of an enterprise? As indicated by the questions above, Cloud solutions require precise monitoring to support efficient and effective management. As stated by all interviewees, reliable SLAs are the backbone for trust between Cloud providers and enterprises. Obviously, availability and costs are monitored by both sides. However, we were not able to document further KPIs during the initial phase of our study. We hope that future interviewees will share more information regarding concrete KPIs. Principles & Standards This layer is affected in manifold ways by different findings. First, several software development processes, e.g., development, testing and hosting are affected by using Cloud solutions. Therefore, existing principles and standards are to be adjusted to ensure that expected benefits can be realized. For example, the replacement of a commodity application by a SaaS solution will have to be aligned with release management, deployment management, support and test processes. The usage of Cloud infrastructure for software development processes requires concrete guidelines and standards to ensure that distributed teams develop and test in a uniform manner. Strategies & Projects According to the collected input, enterprises are currently working on the documentation of concrete Cloud strategies. As we learned, these strategies have to be aligned to the overall IT strategy of the enterprises and have to be supported by related principles and standards. Currently, there is not much literature available regarding this issue, however practitioners, e.g., SOA Innovation Labs do already have some preliminary results which sooner or later will be made available to the public. According to the strategies, principles and standards projects are also affected by Cloud solutions usage in different ways. Business projects can benefit from using certain Cloud solutions as well as IT 19

development projects. Architecture projects, targeting the optimization of the IT landscape to achieve better integration, increased homogeneity, increased standardization, and improved timeto-market, have to ensure compliance to predefined principles and standards in case of violations to have the organizational empowerment to force changes in order to ensure compliance. Organization & Processes layer As mentioned before, several IT processes, e.g., development, testing, deployment, release management and support are affected by using Cloud solutions. In addition, different business processes are supported by Cloud solutions to improve or enable new business capabilities. According to our findings, CRM, HR and to some extent ERP can be considered typical examples. Applications & Databases This EA layer can also be considered strongly affected by introducing Cloud solutions in enterprises. First, all SaaS solutions used by enterprises can be considered equal to the classical business applications in terms of elements of the application landscape. In addition, new data sources are to be documented and managed according to the predefined principle, standards, legal aspects and security requirements. The integration and management of these new elements within this layer can be considered as very important and mission critical factor for the success of a Cloud initiative. The concept of DBaaS is currently somehow unclear and unknown to some experts, but a possible usage in the future will introduce additional challenges in the management of this layer. Infrastructure Elements From a black-box perspective, Cloud solutions can complement and improve the offered infrastructure services, e.g., different hosting options, and can improve the time-to-market, the availability of the infrastructure services and to reduce operational costs. However, having a focus on mobility issues, different identity and security management challenges arise and require solutions. In this sense, security aspects are also to be taken into account whenever existing in-house infrastructure elements are migrated to the Cloud and later integrated with other in-house elements. 3.10 Possible Topics for Future Research Interview Questions What are future challenges, where research should focus on? Would you participate in working groups to actively support research activities? What is your general feedback regarding the goal of our study? Analysis of the Answers During this last interview section, all interviewees encouraged us to conduct more research in this area and to investigate the consumer side of Cloud solutions from an enterprise perspective in more detail. Thereby, following concrete future research questions were suggested: What is the impact of Cloud adoption on the EA? What architectural restrictions are required, what degrees of freedom should be ensured? Are there any differences in Cloud solutions and their maturity levels in different industries? Is the idea of the Cloud Service Broker (CSB) (NIST, 2011b) implemented in practice? How to deal with different data related laws in different locations from EA perspective? Finally, all participants confirmed that universities are a good possible host for the required exchange forum and corresponding working groups. 20

21

4. Summary and Outlook In this technical report we present the preliminary results of our study on the topic of Cloud adoption in internationally operating large German organizations. As confirmed by literature, the perspective of Cloud adoption from the view point of enterprises as Cloud consumers is not well described and investigated yet. However, as our preliminary results confirm, various Cloud solutions are used by different organizations. Therefore, the goal of our study is to first provide a comprehensive picture on the current Cloud adoption in German organizations and thereafter to identify challenges and to develop concrete solutions in research collaboration with interested organizations. In this early phase of our qualitative empirical research, we present the initial findings, highlights and preliminary conclusions from five expert interviews we were able to conduct in the last quarter of 2013. Thereby, all interviewed experts were C-level and upper-level IT managers within the IT departments of their organizations at the time the interviews took place. The first important finding of the study is that every participating organization, independently from its industry sector, uses different Cloud solutions in 2013. Thereby, all organizations consume Infrastructure as a Service (IaaS) and Software as a Service (SaaS) solutions, whereas PaaS seems not to be broadly used. We also observed that the domains of human resources (HR), customer relationship management (CRM) and enterprise resource planning (ERP) seem to be typical Cloud usage scenarios SaaS solutions. Further, in regards of Cloud deployment models, we could observe that private Clouds are used by all participating enterprises, public Clouds are used for specific areas by the majority of the enterprises, whereas community and hybrid Clouds doesn t seem to be widely accepted yet. One further interesting finding is that the majority of the participating organizations see Cloud adoption as a strategic factor. However, no organization has a defined Cloud strategy at the point of time of the study. Some organizations are currently working on defining a Cloud strategy, but they criticized missing guidance and support for this purpose by literature and existing frameworks. Last but not least, we observe, that currently Cloud responsibilities are assigned to teams which are staffed by a mixture of members with different backgrounds, e.g., architecture, strategy, security, integration and infrastructure. In addition, Cloud responsible teams seem to be working in close cooperation with legal departments in order to clarify low related issues. In particular, one central part of the findings is represented by the identified challenges from an enterprise perspective. The by far most important challenge is the high uncertainty regarding compliance with different data related laws and regulatory restrictions. All experts confirmed that Cloud solutions are always a subject of collaboration with legal offices and lawyers. We are also able to observe, that US units use a significantly higher number of Cloud services, whereas units located in Germany are often forced to stick to existing commodity solutions. This situation leads to higher heterogeneity within the application, service and infrastructure layers of the overall EA structure and should be addressed by the EA management function. Further, to ensure the fulfillment of several security requirements, the alignment of Cloud strategies with IT strategies and the integration of Cloud solutions with existing solutions are considered additional important future challenges. One of the initial conclusions of this study is the need to understand the impact of Cloud adoption on the overall EA structure in more detail. Currently, we observe that all classical layers and crosscutting functions of EA layers are affected to a different extent by Cloud adoption and that the legal and security aspects need to be explicitly modeled as independent cross-cutting aspects, c.f. Figure 3. However, further input from experts is required to validate these initial findings. 22

Finally, all participating experts confirmed interest in participating in future research collaboration with our chair focusing on developing and evaluating solutions for the identified challenges. Therefore, we intend to first conduct further interviews in the beginning of 2014 in order to refine and, if necessary, adjust our preliminary findings. Thereafter, we plan to establish a dedicated Cloud working group at our chair to provide the right environment for the desired research collaboration with interested practitioners. 23

5. References Aier, S., Riege, C. and Winter, R. 2008. Classification of Enterprise Architecture Scenarios. Enterprise Modelling and Information Systems Architectures. 2008, Vol. 3, pp. 14 23. Buckl, Sabine M. 2011. Developing Organization-Specific Enterprise Architecture Management Functions Using a Method Base. Garching bei Muenchen : Technische Universität München, 2011. Gartner Research. Business Process as a Service (BPaaS). [Online] Garner. [Cited: December 18, 2013.] http://www.gartner.com/it-glossary/business-process-as-a-service-bpaas. IBM. 2011. IBM Cloud Computing Reference Architecture 2.0. [Online] 2011. [Cited: December 18, 2013.] http://www.opengroup.org/cloudcomputing/uploads/40/23840/ccra.ibmsubmission.02282011.doc. Kütz, Martin. 2009. Kennzahlen in der IT. 3. Auflage. Heidelberg : dpunkt.verlag, 2009. Mieg, Harald A. and Näf, Matthias. 2005. Experteninterviews (2. Aufl.). Zürich : Institut für Mensch- Umwelt-Systeme, ETH Zürich, 2005. NIST. 2011b. NIST Cloud Computing Reference Architecture. Gaithersburg : s.n., 2011b. NIST. 2011a. The NIST Definition of Cloud Computing. Gaithersburg : National Institute of Standards and Technology, 2011a. Oracle. 2011. Database as a Service: Reference Architecture An Overview. [Online] September 2011. [Cited: December 18, 2013.] http://www.oracle.com/technetwork/topics/entarch/oes-refarchdbaas-508111.pdf. SOA innovation lab. 2013. SOA Cloud Computing. [Online] 2013. [Cited: December 18, 2013.] http://soa-lab.de/themen/cloud-computing-guide/. 24

6. Appendix A: Interview Guidelines Date of the interview Name of the interviewee Company name of the interviewee 1. Position of the interviewee 1.1. What is your the position? 1.2. What is your organizational unit? 1.3. Who are other people in your unit? How many? Which roles do they have? What are their responsibilities, background & focus? o Technical o Financial o Legal o Security o Other? What is the role of your organizational unit / team? Is there a Cloud center of competence in your organization? 2. Is your organization currently using or planning to use Cloud solutions? No Not yet (If selected: When planned?) Never Yes (Which type of Cloud deployment models do you use? - private, public, community, or hybrid? Which type of Cloud deployment models does your organization use? IaaS, SaaS, PaaS?) Other 3. How important is Cloud right now for the IT strategy of your organization? Early adopter Experimental stage Initial production use Formulated Cloud strategy Other 3.1. How important it will be in the next 5 years? 3.2. How important it will be in the next 10 years? 4. What is the motivation for Cloud adoption in your organization? 5. What are typical goals for Cloud adoption in your organization? Is the reduction of capital expenses (CAPEX) and movement to operational expenses (OPEX) a driver for Cloud adoption? Is cost reduction a driver for Cloud adoption? Is improved time to market a driver for Cloud adoption? Is pressure from users a driver for Cloud adoption? Is avoiding a so-called shadow IT (use of Cloud solutions by business units without coordination with the IT department) a driver for Cloud adoption? Is pressure from vendors (e.g. CMS, CRM, ERP, Office solution vendors) a driver for Cloud adoption? 25

Is improve standardization a driver for Cloud adoption? Is reduction of complexity a driver for Cloud adoption? Is improved usability a driver for Cloud adoption? Is elasticity / scalability (e.g., spikey load respond, big data capabilities) a driver for Cloud adoption? Is higher availability a driver for Cloud adoption? Is mobile accessibility a driver for Cloud adoption? Is cross-enterprise accessibility a driver for Cloud adoption? 6. What are obstructions for Cloud adoption in your organization? Are specific security issues obstructions for Cloud adoption? Are privacy issues (regulatory requirements regarding person related data) obstructions for Cloud adoption? Is internet connectivity (network as bottleneck, network costs) an obstruction for Cloud adoption? Is loss / lack of control (service management by external vendors and their deployment and release strategies) an obstruction for Cloud adoption? Is a possible vendor lock-in an obstruction for Cloud adoption? Are immature technologies obstructions for Cloud adoption? Is an unclear market situation an obstruction for Cloud adoption? Is a lack of own competencies an obstruction for Cloud adoption? Are possible negative effects on existing the MDM initiatives obstructions for Cloud adoption? 7. Who drives or prevents Cloud adoption in your organization? 8. How do you assess the maturity of your company in terms of Cloud architectures? 9. What is the target maturity level for Cloud architectures you plan to achieve? 10. Which external support do you use? (Consultants, vendors, conferences, books, lectures, university projects, organizations) 11. What are concrete Cloud solutions currently in use in your organization? (Services, use cases, examples, projects) For each of them what is it status, objective, impact for the supported business unit? 12. What are the typical use-cases for Cloud adoption within your organization? New application developments Test environments Transient processes (e.g. data migration, bulk information conversion) Application migration VM migration 13. For your SaaS solutions: Which Business domain is supported? Which business services are supported? Which business processes are supported? What data is used (roughly)? Are specific software architectures / technologies used? Are there any SaaS standards defined? Who are the vendors/providers? What are known identity management issues and how are these solved? 26

Is there middleware support required (file storage, search engines, message queues)? 14. Do you have a service fact sheet for the supported / offered Cloud solutions? If yes, are these similar to common description documents / templates (applications, services, architectures) 15. What are your most important lessons learned? 16. What are known Integration issues? Identity Management Shared / remote database access Message infrastructure Remote service access Orchestration Firewalls geographical distribution? 17. How do you manage your existing Cloud solutions? Who pays from which budget? Who does controlling? Which chargeback models do you use? Is there a Cloud solutions catalog for interested business users? Is there a Cloud Service Broker (internal, external) defined in your organization or do the Cloud interested users directly interact with the Cloud providers? What is the extent of self-service / provisioning? 18. Do you have a defined Cloud strategy? 19. How do you acquire new Cloud solutions? (Governance perspective) Do you enforce Architectures principles? Do you have a defined Cloud reference architecture? What reference architecture blueprints are you using? Is there any centralized Cloud demand management? How do you perform value tracking? When? By whom is it done? Do you require a standardized infrastructure? Do you use standard architectures? (Cloud Stack, Open Cloud, EC2) 20. What are existing / useful guidelines and best practices for Cloud solution? Do you offer support to business units interested in Cloud solutions? Do you have a checklist / assessment of Cloud-readiness of applications? o Which criteria do you use? o What are the assets as unit of selection? Are there any internal events or training for Cloud solutions? 21. What are important links to other IT management functions from the perspective of Cloud solutions management? (Governance perspective, exchanged artifacts, management processes and decision rights) EAM Portfolio Management Innovation Management Strategy Management Multi-Project Management Project Management 27

Change management Software development Other 22. Who else should we contact as interviewee for our study? In your company In other companies 23. What relevant literature sources do you recommend us to analyze? 24. What are future challenges, where research should focus on? 25. Would you participate in working groups to actively support research activities? 26. What is your general feedback regarding the goal of our study? 28