The Secrets of Successful Cloud Adoption: what they don’t tell you
Cloud has a seemingly unstoppable momentum behind it, but is it clear at the outset what the benefits of Cloud are beyond the shift from cap-ex to op-ex? What exactly are these benefits and how do we access them to adopt Cloud successfully?
To Microsoft Exchange
Security
Continuity
Archive
Bringing all the benefits of Google apps- horizontal scalability, reliability, etc
To Microsoft Exchange
What systems are your peers moving to the Cloud?- Present research from the Mimecast Cloud Survey
Look back to see how we viewed previous paradigm shifts
Mainframe – PC – ultimate benefits not foreseen
From the Mimecast Cloud Adoption Survey http://www.mimecast.com/events-press/press-releases/article/view/cloud-computing-delivering-on-its-promise-but-doubts-still-hold-back-adoption/462/
2010 Gartner Hype Cycle for emerging technologies
What’s the problem?
How did I get here to be presenting in front of you about building the case for cloud?
Not by First Great Western
Or my Brompton
It was many years crawling under desks
And fixing issues running a medium-sized value-added reseller. A VAR
To my understanding of the cloud and the benefits it brings
At the beginning of my journey I’m almost ashamed to say my attraction to Cloud was
About money. The shift from
Capital Expenditure, where the buyer took all the risk as to whether the software would work and fund the purchase, to
Operational Expenditure, where you paid for what you used, and if it didn’t work you stopped paying- or sometimes didn’t even pay at all.
But that’s only the first and probably the least important benefit of cloud- the real benefits are hidden
At a time of reinvention- it is really important to ask what IT is for?
What do we do for the business?
Or more specifically- what is the production function of IT???
http://blogs.gartner.com/mark_mcdonald/2010/06/27/what-is-the-production-function-of-it/
What is the Production Function of IT?
by Mark McDonald | June 27, 2010 | 1 Comment
Understanding IT’s role in the enterprise is complex and incomplete. IT is the subject of great debate as some see it as the source of competitive advantage and others see it as an enabling function. CIOs and IT professionals themselves have a tough time answering the question about IT’s role.
Why? because I believe we are asking the question in the wrong way.
We need to ask,
“What is the production function of IT?”
Production function, sounds kind of academic right, but it’s simply the output you get for all the combination of inputs. It’s what you take and what you make.
Every part of your enterprise has a production function. So, when you ask different parts of the enterprise what they take and make you get answers like:
SALES
TOP LINE REVENUE: We take prospects and turn them into orders
SUPPLY CHAIN
PROFIT: We take orders and turn them into invoices
FINANCE
CASH: We take invoices and turn them into cash
IT
?????? Silence ??????
I know it’s silence because I have asked the question to dozens of IT leadership teams. They look at each other and cannot put IT’s contribution in a simple answer. It is not because IT is more complex than these other functions. No, it’s more that IT professionals have thought of themselves as something apart from the enterprise, something special and therefore not falling under the same rules.
There are two production functions for IT that can be summarized in two words SPEED and SCALE.
SPEED: We take strategy plans and turn them into operational performance
IT’s production function is to deliver speed of execution against the company’s strategy and plans. Strategy execution involves change and change requires IT participation. The faster IT is able to execute its processes, deliver results and accelerate strategy execution the better.
IT drives speed when it concentrates on reducing its own internal cycle times for providing IT services, solution development and governance. Concentrating internal operations on speed of execution makes IT more responsive and innovative. IT organizations operating at speed give their business a steady stream of value that actually expands IT’s role and enterprise flexibility.
Without speed, IT is a bottleneck to strategic execution and operational performance. It is the reason we cannot go faster. This is the reason why change is expensive. The reason why I have to control IT costs, because if they cannot go fast enough for me, then I had better make sure that they do not cost too much.
SCALE: We take operations and increase their capacity and reduce their average cost
IT’s other production function is to create scale of operation across the enterprise. Scale in this sense is the ability of IT to aggregate activities and deliver greater capacity at a lower average cost. IT creates scale through its infrastructure and operations activities that make the modern enterprise possible. IT is one of two scale functions in the enterprise. The supply chain is the other scale function.
IT drives scale through the infrastructure by constantly aggregating operations, virtualization and active contract management to gain the benefits of being bigger. Without this scale, growing transaction volumes and the cost of operating disparate infrastructures would literally consume the company’s profit.
Without scale, operations drown in a combination of complexity, duplicate cost and faltering service levels. You see this with high growth companies that are heroes that suddenly fail – because they do not have scale.
***
What is IT’s production function? To deliver speed and scale to the enterprise.
Speed and scale can seem as two different things, and that can be part of the reason why they are difficult for CIOs and IT leaders to articulate. Most go “ah ha” when they think about their role in speed and scale.
But, when you boil it down, we know why an enterprise has a sales function, a supply chain, a finance function, etc. We had thought that IT existed to manage the technologies that these functions depend on.
That is true in terms of the activities IT provides, but ‘to what end’
Speed of execution and
Scale of operation.
But it’s a question I didn’t ask myself seriously enough until recently- sounds academic though doesn’t it?
It is a bit- but hopefully it’ll help you understand what we’re here for, just like it helped me. What does production function mean?
It’s the combination of all the inputs
Which create the outputs.
The problem is, that in IT, they’re hidden. Hard to find.
Let me contextualise it for you- What do Sales do?
They turn prospects into orders.
What does the supply chain do?
They turn orders into invoices.
What does finance do?
They turn invoices into cash.
So what does IT do?
What do we do for the business?
Or more specifically- what is the production function of IT???
IT’s production value number 1 is Speed.
Turning organisational strategy into execution
As Fast as possible- to deliver results to the business
And to do that IT has to be as responsive as possible
Because without speed IT is a bottleneck to operational performance.
Take operations
increase their capacity and reduce their average cost to again deliver operational performance.
IT should equal agility. Yet when we’re purchasing systems, rarely does agility factor heavily enough.
Traditional IT department
In the past, the only way for a company to maintain control of their business process was to completely own the technology supporting the process. The rationale was that a company's most strategic, differentiating processes are unique and therefore have to be built by the company either from scratch or by heavily customizing packaged applications. This also meant owning the entire technology stack supporting the process and the application. So, while the intent was to create differentiated processes that were agile and differentiating, the reality has become that the technology stack is an albatross around the IT team's neck that prevents them from moving as quickly and as efficiently as they would like to.
The result is that while IT organizations are keen to support the business, they are unable to go much beyond providing basic services. The solution to the problem of managing the entire stack was traditionally either hosted/managed server services or outsourcing, but each introduces its own problems.
http://blog.appirio.com/2009/05/do-your-most-strategic-apps-belong-in.html
Outsourcing
In the case of outsourcing, the enterprise gains cost savings but relinquishes control of their business process and has to adhere to the provider's "best-practice" process. This clearly means that outsourcing can only be applied to commodity processes rather than any differentiating processes or processes where innovation is needed. The IT team's role shifts to primarily vendor management with little ability to innovate or drive the business.
Hosted/Managed Servers
Hosting gets a bit closer to solving the problem because it reduces some of the IT team's pain in terms of managing infrastructure. However, the IT team still needs to spend a lot of their time maintaining the application and the middleware stack, i.e., applying patches and bug fixes, implementing upgrades, maintaining integrations, etc. In addition, the team also needs to manage their relationship with the hosting vendor. So, again, the main impact is some cost savings but no real gains in terms of agility or ability to innovate or support the business.
IT department in the cloud
Cloud computing changes the decision process completely. No longer do companies face a choice between relinquishing all control of their business process for cost savings or dealing with the high costs and complexity of supporting an entire software stack. Platforms like Force.com and Google App Engine give companies a way to control the parts of the stack that matter most, the application and business process layer and abstract away the management of the infrastructure. This means that the IT team can focus their energies on driving innovation and supporting the business.
#1 Not having to worry about scaling- the provider does
Less meetings
#3 The provider is constantly updating its software,
No more upgrades or migrations
which means you get Richer functionality- for very little effort
#4 Creating Loosely coupled systems enables greater integration for less cost and dependency
#2 By separating configuration and code, it enables IT to rapidly reconfigure operations
Less dependencies
Means you can Reconfigure faster
Aligns cost to value- Which means time to value is much quicker
Why are some people unsure about Cloud Security?
Security is often presented as a binary object. It’s not.
It’s much more complex than that.
Technical details are abstracted
Probably because of the relative opacity of Cloud compared to the transparency of a private network and the control you can exert on it
Are its Achilles heel
Without revealing too much intellectual property- the main differentiator in Cloud
Standards are only just emerging
Buyer Beware- http://en.wikipedia.org/wiki/Caveat_emptor
Under the doctrine of caveat emptor, the buyer could not recover from the seller for defects on the property that rendered the property unfit for ordinary purposes. The only exception was if the seller actively concealed latent defects or otherwise made material misrepresentations amounting to fraud.
Before statutory law, the buyer had no warranty of the quality of goods. In many jurisdictions now, the law requires that goods must be of "merchantable quality". However, this implied warranty can be difficult to enforce and may not apply to all products. Hence, buyers are still advised to be cautious.
Which is why we in cloud feel like we’re being beaten up...
Independent Audit?
There are no standards...
There is not a best practice independent security methodology for cloud.
Clouds are opaque. Technical complexity is abstracted. Proper audit / DD requires transparency. But transparency would reveal IP.
Independent 3rd party is so important to validate claims in depth
SAS 70, CESG etc
Spot the missing one?
ISO 27001- ISO 27001 doesn’t fit the cloud- 5 year old standard currently- to be reviewed in 2012- CSA helping update controls for the Cloud
· Should you adopt ISO 27001? What sort of protection will it grant you?
Yes. Because it’s a framework for managing security. A process. Set of Documentation. Set of controls.
Working out how much acceptable risk
What risk are you exposed to
Which are greater than the acceptable risk
What controls do you need to manage- taken from annex A
Deploy the controls in an auditable way- constantly approve
Compliance- testing
Governance
Risk
Compliance- testing to make sure your controls
It Scales
Control and governance; what should be the basis of your Cloud Data Best Practice Policy- ENISA
· Investigating availability guarantees and penalties and examining your supplier’s disaster recovery strategy
Important- they do what they say they do
The bar to what you set that at needs to be relevant to what you have already- BASELINE!!! Realistic expectation
Based on the data you’re going to outsource
Look at historical performance- not a predictor for the future- but relevant
Look at their DR strategy- if you have 2 data centres- that should be the expectation
Map your requirements to the provider
· Data compliance; the importance of clarifying where your data will be stored and who will have access to your information
Jurisdiction
EU/ Patriot / RIPA / Safe Harbour
· Ultimately, who has control over your data?
When you save your data- need to understand
Look at service providers to the same extent
MBTF- encryption look at service providers
Cloud should be architected differently
People shouldn’t be fooled by “cloud” technology
See behind the fog
Often it’s really hard because of the opaqueness
Integrity of Data Critical
End to end vs middleware
Designed to hook together
Managing service provider obligations
Assess the risk- make sure the risk you’re willing to accept is related in the SLA
Review- annually?
Any deviation look for recompense or additional controls
Blunt instrument
Make sure compliance and information governance are involved early on in the process of negotiating SLA- lawyers don’t know about GRC
The key is to understand your current risks- baseline them
Ends up in a Permissions Nightmare- or a brittle infrastructure
How are we managing those risks today?
Are you given the budget / skills to do it?
“Quis custodiet ipsos custodes?”
Who will guard the guards themselves?
Decimus Iunius Iuvenalis
Cloud can be a way to become a guard’s guard, instead of the guard
Reasons to go Cloud Security
Reason to go Cloud security #1 It’s their business- and their reputation depends on it
#2 Money - they are held financially responsible
Reason #3 Scale- Cloud platforms have scale that customers could never achieve on their own- protecting against large scale attacks
Reason #4 Specialised Skills- employ specific people to do specialised job. Cumulative effect of multiple customers
Best Practice embedded in organisation and distributed. Not dependent on one person
Not just about competence and budget- but focus. It’s all they do.
Cloud can be a way to become a guard’s guard, instead of the guard
Buyer Beware- http://en.wikipedia.org/wiki/Caveat_emptor
But make it proportional to risk- especially to CURRENT RISKS