ITIL Castles In the Cloud
Launching A Cloud Computing Strategy Means Outsourcing Multiple Slivers of Your IT Service Value Chain
[Young Cosette - Les Miserables]
There is a castle on a cloud,
I like to go there in my sleep,
Aren’t any floors for me to sweep,
Not in my castle on a cloud.
Rhetorical Question: But wait I thought that cloud computing strategies are meant to simplify IT service provisioning? I cut the supplier a check and they take care of rest right?
Response: In one sense this is a correct, since you are paying an external supplier to provide a complete service outcome. The service can come in the form of an account for a hosted software service, a development platform or a set of virtual infrastructure components without you having to own or manage the physical assets. However, on the other side of coin it is critical to understand that what you are also doing is introducing a new set of players into your existing IT management processes. Just as Young Cosette discovered in the musical Les-Miserables we still have to sweep the floors and take care of business even when we live in the clouds.
[At The End Of The Day - Les Miserables]
At the end of the day you get nothing for nothing
Sitting flat on your butt doesn’t buy any bread
What the IT Community is quickly coming to realize is that to deploy a cloud strategy within their organization successfully a number of processes and IT Service Management elements have to be defined - and better yet - automated from request through verified provisioning and then keep running as long as needed.
Take the following list as an example:
- Service Catalog: The cloud based service needs to be documented, managed and published in an actionable service catalog for IT customers to order from.
- Request Fulfillment: The cloud service has requestable components which require a process to support request approval and integrated workflow automation for request provisioning.
- Change Management: The infrastructure service is now a component service to other business services and changes to the virtual infrastructure must go through Change Management whether you or the cloud supplier makes the change.
- Service Asset and Configuration Management: While you may not choose to model a SaaS service within your CMDB, the infrastructure-as-a-service components play a critical dependency role in understanding component failure impact analysis and provides key information to many other processes.
- Incident & Problem Management: Congratulations! By outsourcing your IT services to a cloud provider they have now become part of your 2nd and 3rd level support organization and need to be integrated into your support agreements and internal operational level agreements.
- Release and Deployment Management: Many cloud providers make scheduled and unschedule releases to their offerings on a regular basis. This requires you to manage these new releases to your customers in a formal maner since the user interface, service functionality and underlying integrations can change at any point.
- Access Management: Just because your service is in the cloud does not mean you don’t have to be concerned about who can order a service component, what level of access / role the requestor / approver has to have, or support your employee on boarding and off boarding processes.
- Event Management: Your sourced cloud services need to be monitored and integrated into your NOC processes.
- Service Level Management: The SLA you negotiate with your cloud provider will need to support your customer SLA’s (This will be particularly interesting if your customer has executed a business process outsourcing arrangement based on SaaS/cloud and then turns to you to “manage” and integrate with the remaining IT infrastructure, data, and applications).
- Supplier Management: Using multiple cloud providers means managing a growing set of external suppliers as part of your internal IT value chain that all need to follow your established policies and processes to ensure consistent delivery of IT services. (see SLM)
- Financial Management: Thanks to the ease of use ordering up new cloud service units many organizations receive a shocking bill quite quickly. Keeping track of your financial obligations around accounts payable is critical. Else beware of “Cloud Sprawl”. Just because a cloud service has been purchased, doesn’t remove your old hardware and software or the lease payments, remaining maintenance, or book value associated with them.
- Availability & Capacity Management:Thanks to elastic capacity and cloud support for failover and dynamic routing you can use cloud services to enhance both of these processes for service design, just be aware of the true external as well as internal costs. And what about that link you have to the cloud? How diverse/redundant is it? How dynamic is it’s routing and capacity?
- IT Service Continuity: Cloud services offer a great opportunity to support Disaster Recovery and off site storage requirements. However your strategy and process needs to be defined in order to use these services strategically (see Availability and Capacity)
- Information Security: Public or Private Cloud does not matter, Information Security remains a concern regardless of where your data resides. (Won’t even touch legislation and privacy laws)
- Etc. Etc. Etc…...
The key message I believe you may be picking up from this post is that the more complex your value chain of suppliers becomes, the more necessary it is to have defined, repeatable processes to support them. In the end moving to Cloud Services is a form of strategic outsourcing and comes with all the challenges and benefits of what that means.
Don’t make the classic mistake of believing that once you outsource something you no longer have to worry about it (You are still concerned that the floors get swept). The old model of outsourcing your problem’s does not work in this model either.
By all means look strategically at integrating alternative suppliers into your IT value chain, just be aware of what that means. For more thoughts on integrating external suppliers successfully take a look t the article I wrote: Your IT Outsourcer - A Brother of Another Mother
[Finale - Les Miserables]
Do you hear the people sing
Lost in the valley of the night?
It is the music of a people
Who are climbing to the light.
Will you join in our crusade?
Who will be strong and stand with me?
Somewhere beyond the barricade
Is there a world you long to see?
Do you hear the people sing?
Say, do you hear the distant drums?
It is the future that they bring
When tomorrow comes!
Troy’s Thoughts What Are Yours?
“Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses remove it.” ~Alan Perlis
[Somwhere in the middle of Les Mis - Valjean]
God on high, hear my prayer.
In my need you have always been there.
In many ways I agree about your comments that you need to managed your outcomes (vendor supplied or not). However, I really think that the level of interaction and management you suggesting for each process is over-kill. Part of the beauty of the cloud is the ability to put the consumer in direct contact with the service. Part of my desire to utilize cloud services is to eliminate IT from the mix all together. The levels of checks and balances you suggest would require quite a bit of digging on IT’s part. Frankly, I think it would only cause IT to be viewed as sticking their nose where it doesn’t belong in the never-ending attempt to build empires and be control freaks. However, with that said, I think your point on SLM is the most profound. Too many cloud service deployments by IT are not taking into consideration the existing and underlying service levels. SaaS is provisioned to a site with bad networks and workstations that were never intended to handle the rich-media or highly interactive interfaces. Thus in these situations the cloud vendor and internal IT get a bad wrap.Posted by Matthew Hooper on 12/10 at 06:01 PM
[Master of House - Les Miserables]
“Master of the house, doling out the charm
Ready with a handshake and an open palm
Tells a saucy tale, makes a little stir
Customers appreciate a bon-viveur
Glad to do a friend a favor
Doesn’t cost me to be nice
But nothing gets you nothing
Everything has got a little price!”
I love a good debate, the challenge I see with your assumption is that it sounds a lot like the classic Out Sourcing promise of the last decade. Don’t Worry Be Happy! We will Take Care of All the Details and Your Problems!
I contend that while moving to a cloud strategy is a very solid alternative for segments of your IT Strategy, it is not a pay and forget solution.
The other interesting angle to this discussion is that often the business will contract directly with the SaaS or cloud provider and by-pass IT altogether and then hold the IT Function accountable for managing the outcome.
Love to hear other’s thoughts on this discussion.
TroyPosted by Troy DuMoulin on 12/11 at 11:28 AM
You can outsource execution. You can outsource management. You can never outsource governance because you can never outsource accountability.
If you “eliminate IT from the mix all together” you lose your governance instrumentation. It is IT’s responsibility to serve the governors by applying IT expertise to provide governance saupport. Governors set goals, policy and bounds. IT has the expertise to determien whether service providers are capable of meeting goals and policy within the bounds.
Governors monitor so as to be able to evaluate. IT has the expertise to measure and report on service providers in order to provide useful monitoring information to the governors so that governors can meet their accountability obligations.
Cloud vendors are just another external service provider. Outsourcing goverance support always ends in tears: the wolf is guarding the sheep and reporting back on flock numbers.Posted by The IT Skeptic on 12/11 at 03:20 PM
Troy, your last point is a great one, but is that really the crux of the problem or is that an organizational/managerial issue. I think the same results can be achieved by IT by being more of a consultant to the business and less of a policeman. Reality is what would that accountability even look like. Business purchases App that kills network, blames IT and what… purchases wireless broadband for every user. While your points are good things to think about, I think it needs to be balanced with the risk AND the ALTERNATIVE. I’d rather encourage my staff to spend more being opportunistic.
Hey Skep, well said, but someone should tell the American taxpayer that you can’t oursource accountability. (I’m sure New Zealand has the same bag).
Reality again is you can’t control your outsources. You determine how you will measure their success and when the contract is up you decide if they met your other “perception” based metrics and renew or can them. If they fail to live up to the agreed metrics, then you can them. This is a Vendor review process. I clearly make a distinction between review and governance.
Here is an example. Saleforce.com sending my Change Review board a notice for every change they are making. Why would I bog down my IT processes and staff with that level of interjection of governance. Rather I would trace the number incident my service desk handled that were Salesforce.com related (sorry for picking on SF, we are actually very happy with them) and consult with the business on whether the pain of incidents is exceeding the benefits and features. I would consider this as part of my overall vendor review strategy.
To me, if you can’t automate the detection and compliance, you can’t govern it.
This is a great topic, we are living in layers of outsourcing, and it’s a real challenge. See you guys in Vegas.
-MattPosted by Matthew Hooper on 12/11 at 03:54 PM
Yes v interesting. Doubly so for me: I’m in the midst of consulting to a client on it right now so excuse me if I consider it further…
i think there are three outsource governance support activities: vendor selection, vendor monitoring and vendor review.
There need to be clear goals, policies and bounds for selecting outsource providers. it is not an IT function to set these - it is a business function. It is IT’s job to inform the company governors of their accountability, and risk/exposure (privacy, compliance, data ownership, sovereignty and applicable law, escrow, security, architectural integration…). And then it is IT’s job to consult on setting goals, policy and bounds. Any part of the business should be subject to them not just IT. the governors should come down on any business unit that selects an outsourcer outside of governor directives. Right now this rarely happens. Company governors are unaware of the issue and make no directives - vendor selection needs to be brought under company control with IT expertise.
Then contrary to what you suggest Matt, outsourcing is not ‘set and forget”. Governors need to constantly monitor (or rather have IT experts monitor on their behalf) to ensure that the outsourcer is delivering to SLAs; that any change of terms and conditions of the outsourcer stay within governance policy and bounds; that the vendor remains a good risk; that events in the industry do not raise alerts to new or previosuly unknown risks…
And then finally vendor review as you describe.Posted by The IT Skeptic on 12/11 at 04:30 PM
I actually own 2 Ronco IT Cloud services.
1 Fries our sales, the other cooks our books. ;D
I actually don’t think I suggested set it and forget it. What I am saying is reasonable moderating and oversight. I think we have all gone a little compliance crazy. We should spend more time on valuable solutions like creating Configuration Management Systems. (ahh… I know I read your blog as well.)Posted by Matthew Hooper on 12/11 at 05:41 PM
Great discussion guys.
I’m in violent agreement with all of you.
I’ve written about this topic before
and it’s a doozy.
But there are differences worth thinking about with cloudcomputing. As a user of Amazon EC2, I’m running about 81 instances, several hundred gig of data, and multiple vlans.
And it’s forced me to think differently about systems. For example, lifecycle management has become way more important than standard system configuration. We have one image, we test the hell out of it, but then the next 80 servers are all the same image. Traditional cms would have me monitor the internals of 80 servers.
Assets are not that useful, because the real issue becomes subscription lifecycle management because of the liability issue. As long as it’s on, Amazon bills me.
Capacity management is a non-issue because of the elasticity, but I better have a good contact at the provider.
Monitoring also becomes different. My cloud is a black box beyond a certain point, but I can monitor uptime, performance. But really, I can’t do anything about the machine, OS, Storage and Network. In fact, I build that lack of knowledge into the app architecture—an instance will fail, so I build that assumption and not worry when it does fail. I report no problem and do no root cause analysis on that part of the infrastructure. I do it on my application, of course.
So my take is: the old stuff applies but the emphasis will be very different than in-house IT.Posted by Rodrigo Flores on 12/11 at 07:03 PM
that stuff is all very operational. None of it need trouble a governor. “very good. carry on”.
The governance level issues include privacy, compliance, data ownership, sovereignty and applicable law, escrow, and security risk.
Does New Zealand law allow me to put client data on an Amazon server?
When Amazon overstretches themselves on their acquisition of Microsoft and goes bust, can i get my data back after the receivers padlock the doors? etcPosted by The IT Skeptic on 12/12 at 04:19 AM
sorry gov’nor. We got dudes here.
I don’t disagree that governance levels need to include privacy, data ownership, sovereignity, etc, etc. But why is this a cloud issue?
These were issues with dedicated hosting, or with internal hosting my multinationals.
As for New Zealand’s law, it applies, but it has nothing to do with Amazon. Heck, can you put it on box.net? Myspace? Facebook?
By the way, Amazon is coming to your region Q1 2010, so even that issue disappears.
As for Amazon going bust, as for the data, you always have the data. At all times. It might seem very operational, but it’s from these facts that we build our governance.
In my cloud, I ran US and EU instances. I have access to 5 data centers for DR. The data can be backed up across different providers—as long as I use standard infrastructure components. This is important, it allows me to switch providers.
I’m all for figuring it out what’s relevant in the cloud for the ITSM community. I’m not so interested in leaving it foggy and fud-dy.Posted by Rodrigo on 12/14 at 02:30 PM
Maybe the cloud isn’t qualitatively different to outsourcing (I’m not sure yet) but it is quantitatively different.
An outsourcing arrangement is thrashed out mano-a-mano by two orgs with lawyers. The cloud is a take-it-or-leave-it commodity service sourced online.Posted by The IT Skeptic on 12/14 at 04:00 PM
Interesting discussion, thanks for all your input.
What it shows to me is, that there is still a lot of fog out there regarding clouds. Not only in terms of governance (thanks to Skep) but even in terms of contracting (have you ever read all those amazon/google/... SLAs and do they fit your need????) and licencing as still more than 90 % of all software vendors do not offer me a licence which best fits into cloud idea.
So if you use your elastic cloud like you do now how do you do all the capacity without the right underluying licence layer?
Even more, especially in Europe there is a lot of doubt and fear regarding the business data, the infomation integrity and how it complies to the multi-tenant idea of all those clouds out there and as you already mentioned, what happens if your cloud partner comes into financial trouble? Have a look at the enisa study and CSA papers regarding that topic.
But coming back to troys original post: Yes, in an ideal world we will have answers for all the ITSM management tasks, potentially spacl could be one, but just for a part of it. As we know, a structured and well understood chaos is a good eco system so potentially we have much more to think about: If we believe in clouds and believe that they will become a major part of our day2day IT living how can we get a transformation plan to move all the good of ITSM (and only the good please ...) to a that defraged IT landscape consisting of tons of different vendors for different pieces of IT Service Fulfillment.
And if you do this start thinking about what has to change in the view of Business Process Management.
Last a question of mine: If you are not an Online Company, would you move business critical workflow fulfillment on a public cloud?
TomPosted by Tom Peruzzi on 12/16 at 05:16 AM
Tom I’d move tomorrow with the right assurance.
You guys are right about cloud being nothing new. I just read the ISACA discussion paper on the topic and they have identified zero issues that don’t already exist with outsourcing.
It confirms what I said before: the difference is just a matter of degree, and especially is a matter of assurance of the outsourcer.
Cloud providers like Amazon are addressing issues as fast as they can: they will offer individual contracts, they will restrict the country the data is in, they will get compliance certification etc (if you are big enough)Posted by The IT Skeptic on 12/16 at 03:29 PM
I’m interested in your assurance ^^ keep me updated please.
Ad Amazon (and all the rest), we currently do talk a lot for large (media) customers in Europe and it looks like there is a hard barrier, comodity service (as clouds intend to be) highly automated are only reachable by standardized (and for all the same) SLAs, reducing their operational and economical risks. So drilling costs down does not automatically mean by same service level.
We see others coming up and hopefully market will change, especially private clouds or hybrids will change the market for the business case cloud computing.
And yes, there is - in terms of service delivery - not that much difference between outsourcing, managed services , out tasking, transformational outsourcing and clouds. Different flavours, behaviours, risks and potential benefits. The orchestration (+governance and compliance) is still the local IT’s task.
TomPosted by Tom Peruzzi on 12/16 at 04:03 PM
Not sure if any of you are familiar with this group: TMFORUM.ORG The Telemanagement Forum has sponsored this council called the Enterprise Cloud Buyers Council (ECBC). Anyway, part fo their charter is to take on the following actions:
•Common Cloud Services Product Definitions
•Cloud Security Issues
•Cloud-to-Cloud Interoperability, Data Portability and APIs
•Service Provider Benchmarking
•Federated Cloud Stores
•Cloud Service Level Agreement Process Management
•Cloud Network Performance and Latency Issues
I’m excited about this, as the forum behind this is mostly telco folks. The ones who have been playing in shared services since… well maybe Alex Bell.
Here is more on them: http://www.tmforum.org/TMForumPressReleases/TMForumRalliesIndustry/40561/article.html
-MattPosted by Matthew Hooper on 12/16 at 04:30 PM
their announcement is just a few days old. Despite the good work of TMF in the past it will take some time to get first - useable - results.
In terms of security use CSA (cloud security aliance) or ENISA, in terms of cloud description I hope SPACL will help soon (even in terms of portability), another project that potentially could help is the Cloud Cube from Jericho Group and much others. Even if I’m not a friend of them, have a look at Microsofts Azure, which is potentially the most complete cloud offer out there now or have a look at unisys secure cloud which claims to be fully SOX and SAS compliant ... There is much professional rumour out there beside amazon and google.
TomPosted by Tom Peruzzi on 12/16 at 05:54 PM
Concerning mitigating the risk that the cloud from your rain-making partner “evaporates”: (Do we need to add meteorology to the IT Management skillset?)
If the supplier evaporates, and you can get the data (probably more than you started with) and the applications “back.” Where are you going to put them?
You surely don’t have the old infrastructure. You sold/discarded that and the ops folks to hasten realization of the ROI/NPV on the 3rd party Cloud move, right? Lets say you can turn the old infrastructure back on (because no one wanted that old gear anyway). Do the OS and app images work on this old hardware? Is there enough network, storage and processing capacity given the growth of the last x months/years in that infinite-capacity cloud? Are there any people around to run these old boxes?
If you can’t run it at home, can you shift it to another rain-maker’s cloud? How long will it take to negotiate another contract? To move the data?
One thing is certain. If the cloud evaporates, the lawyers will not go thirsty.
Tom, CMDBf took two years to show anything and three to produce a standard. And they only defined an abstraction-layer query protocol and completely wimped out on the underlying semantics.
SPACL will have to do the same, as all the vendors have their own proprietary data models and object semantics alreadyPosted by The IT Skeptic on 12/16 at 06:26 PM
It seems to me that all of your ideas can really help. Here, in Ukraine we have lack of information in this spheres of managing. Thanks for your materials.Posted by Martin on 08/25 at 08:38 AM