Our latest survey shows double-digit increases in cloud adoption. But ignore integration, security, connectivity, and three other factors at your peril.
Our 2011 InformationWeek Analytics State of Cloud Computing Survey shows a 67% increase in the number of companies using cloud services, up from 18% in February 2009 and 30% in October 2010. IT now has a choice: Grab ownership of what's poised to be a core part of the enterprise technology toolset, or shortchange key functions and set ourselves up for disaster.
This shouldn't be a hard call, yet over and over we see CIOs underfund or ignore six major areas: integration, security, connectivity, monitoring, continuity planning, and long-term staffing. Only 29% of companies using or planning to use the cloud have evaluated its impact on their architectures. Just 20% implement monitoring of applications and throughput; 40% don't have any monitoring in place. Talk about blind trust.
There's a misperception that it's smaller companies driving the cloud usage upswing. But don't write off management shortfalls as an SMB problem; we saw almost the same rates of use and planned use regardless of company size, once we delved into the data. There are now viable cloud options for almost every layer of the technology stack--from raw computing, storage, databases, and utilities to e-mail to the spectrum of enterprise applications, all with a "point, click, go" functionality that has maverick business units everywhere rejoicing. Ignore management at your peril.
Integration: New Twists
Cloud vendors Boomi, Cast Iron, and Jitterbit are focused solely on offering integration services for less money and in less time, and they're shaking up established firms like Informatica and Oracle-SAP as well as EDI players like Ariba, Hubspan, and Sterling Commerce. Boomi and Cast Iron have been acquired by Dell and IBM, respectively. Both buyers cited the benefits of offering streamlined integration connections across the enterprise. Earlier last year, IBM, acknowledging gaps in its cloud integration, also bought Sterling, one of the larger EDI players.
This is a new twist to interoperability that is available only within the cloud. Previously, there just wasn't scale to build multitenant integration services. But now, integration services have become clouds themselves--middleware as a service, if you will. The more options and connections they have, the more competitive they become and the more monthly subscriptions they get. Will they make it? Yes. There's a fortune in margins in integration, especially if you have scale, and the financial performance of these vendors is impressive.
Security: Safety First
"We won't be involving our security team in this project until the last possible moment, because the answer will be 'no.'" That from a VP at one of the largest retailers in the world. He's evaluating a cloud-centric initiative that could dramatically improve the company's operations and went on to say that bringing the CISO in without building the entire plan beforehand is a death knell for any project.
Think this isn't going on in your shop? Keep sipping the happy juice. This VP guaranteed that end runs are standard practice among his peers. And the standard mantra of "it's against compliance rules" won't only make you seem out of touch--you may well be wrong. PCI 2.0, the rules that govern the security of credit and debit card data, was just released and has little specific guidance for cloud computing per se, but it does lay out clearer rules relating to off-premises transactions. In addition, Amazon recently announced that its Elastic Compute Cloud is certified for conducting Level 1 transactions; the company will begin offering that service this year. The next official PCI standard will likely have in-depth rules for cloud computing, but it won't be released until 2013.
Security teams take note: There's a new set of guidelines, and a major cloud vendor has a platform certified for some level of transactions that are subject to PCI rules. If you think saying "Wait until 2013" is a good move for your business, consider polishing up your resumé.
The better answer is providing forward-thinking security and connectivity guidelines that people outside IT can understand and use. Make sure your guide covers all the policies you've established and explains the outside compliance areas you're forced to adhere to. We discuss the seven key areas that must be included in a cloud policy in our full Analytics Report.
Connectivity: The Right Connections
Just 29% of those using or planning to use a cloud service have scoped out the architectural impact on their Internet infrastructures. You should be running these numbers before engaging any cloud provider.
"It's the biggest miss we see," says Tom Elowson, president of virtualization cloud provider Acxess. "We have the bandwidth conversation with potential clients every day. If they haven't analyzed their existing usage and started to calculate the potential impact, we usually push back."
Start with the outbound volume to reach the resource, and take into account back-end traffic to update data. Bandwidth calculations also need to factor in data and user growth over a five-year period, same as ROI calculations. Get solid trending stats on usage and volume over the course of several weeks. If you don't, you could be looking at a major fumble.
Monitoring: Watch And Learn
Thirty-nine percent of poll respondents say they don't monitor their cloud vendors, while an additional 40% rely on basic "up/down" tools that are no better than a periodic ping. The latter group's sole advantage is they'll have a 30-second warning before the complaints start rolling in.
How to stay on track? First, invest in data flow monitoring internally. Less than 15% of respondents have systems in place that monitor application and transactional throughput. Basic status alerting is nice, but you need to be watching your network data flows and have established performance levels for every application before you add an external cloud.
Once your house is in order, connect with your bandwidth provider and establish ground rules around monitoring of traffic, your lines, and how you share data. Set up remote monitoring points outside of your main office. Assemble a set of cloud-based monitoring tools. Yes, a cloud app to watch your cloud apps. Go beyond the basic utilities that Amazon, GoGrid, Google, and others provide to add overall monitoring of all Internet traffic.
Continuity: Get Backup
All companies ask their cloud vendors, "Do you back up our data?" The answer is always some variant of yes. However, the majority of cloud designs focus on backup and point-in-time failover--not archiving.
Always establish a cloud service backup and archiving schedule the same way you would for any internal resource. Start with your current vendor. Many, like CommVault and Symantec, are working to establish options for extending internal backup and archiving systems to manage cloud-based data.
All systems have outages, whether they're in house or in the cloud. Focus on what vendors will agree to in their service-level agreements vs. what your internal teams will commit to for their in-house SLAs. The "five-nines" mantra (99.999%) that dominates discussion among Tier 1 data vendors simply isn't heard in the cloud. At best, your uptime will be between 99.9% and 99.95%. Decide: What is the plan for the business if there's an outage? When do you implement the failover plan? Who makes the call? These are all familiar themes to business continuity pros, but with an external twist.
Software as a service should have, at minimum, manual processes documented for users. In the case of a CRM or project management application, you may want a separate cloud or in-house system that could be activated in the event of a major failure. For high-volume services, such as e-mail or EDI transactions, design a system that not only queues ongoing transactions for short outages but has the ability to fail over completely. These aren't small projects; plan to devote engineering time and funding.
Staffing: Build Your Bench
IT as a profession is at a turning point. While the cloud may be hot, there hasn't been a boom in hiring by these vendors, according to the most recent U.S. Department of Labor stats. Cloud and related hosting services companies have had flat job growth for the past year. Blame economies of scale. But just because the quantity of jobs is down doesn't mean you'll easily find IT pros who can deftly manage vendor relationships, not just technology platforms.
Our 2010 State of Outsourcing Survey showed that nearly six of 10 IT shops outsource some critical function--management, engineering, or development. So you can see the staffing challenge CIOs face. This is a major gap that won't necessarily go away through market forces attracting additional talent to meet your needs. You need to start building your own talent bench.
Get ready for a wild ride. Capital expenditures used to provide a brake, regulating the pace of internal service adoption. That's come off with the cloud, so IT teams need to build new policies and platform models that will protect the company as business activity gets rolling. That's because, once cloud apps become part of the fabric, there'll be no slowing down to make adjustments.
Michael Healey is president of consulting firm Yeoman Technologies. Write to us at firstname.lastname@example.org.
IT Service Management Must EvolveThe idea of technology being delivered as a service appeals to the 409 IT pros responding to our Service-Oriented IT Survey. But cloud providers are competing for that work, and CIOs are being selective.