What is Cloud?
In general, when we talk about Cloud, we’re talking about an infrastructure, software or platform as a service use case (IaaS, SaaS, PaaS) with data storage and applications running in a remote data center. The key to Cloud offerings is an intelligent management layer that sits above the servers allowing flexible configuration and provisioning. For the largest companies, in-house Cloud is a viable if unlikely solution for IaaS that must be formally considered in a defensible selection process. Some solutions are accessed via a Private Cloud, where the client has exclusive access to a remote data center, but by far the most common offerings are found in the Public Cloud.
The Advantages of Cloud
There are value drivers in Cloud that don’t exist on premise. Cloud computing means moving from the era of the upgrade to the age of the update, and regular incremental improvements. Office 365 is Office 365, there will never be an Office 366, just regular enhancements and patches. With a third-party Public Cloud solution, you only pay for what you use, and the flexibility exists to provision new users or remove off-boarded users with just a few clicks. This means there is a low cost of operation as capacity is carefully managed and routine administration is performed by the provider. Provisioning can be performed at the client site by a low-level admin or even by users themselves. The scale of some Cloud providers allows (if not demands) them to employ large security teams who can work full-time on threat protection at a level that even some large corporations would fail to match. We have found that most companies can be rapidly convinced of the security benefits of working with a good Cloud provider, although concerns must always be addressed.
As with any enterprise selection process, you must consider the immediate and strategic factors that are most relevant and important to your organization. You need to aim for a solution that adds value; if the issues that you aim to solve are of an internal nature then migrating core infrastructure or services to a new external vendor may exacerbate rather than relieve them. Specialist vendors will assist with the migration process, but companies must make every effort to be Cloud ready. When done properly it will allow the new solution to simplify operations rather than complicate them.
Avoid browsing the bewildering array of the Cloud market unprepared. It’s wiser to draw up your core requirements, priorities and preferences before the vendor research begins. Different internal stakeholders will contribute to a list in order to cover key considerations. Once again, take an objective view and make sure the requirements are framed for a Cloud paradigm, don’t try to migrate organizational baggage. A thorough set of selection criteria will enable you to establish a qualified shortlist before engaging in the stepwise refinement process that we advise for vendor selection. Any previously unspecified differentiators that arise will do so only for shortlisted vendors and will therefore be less likely to confuse the decision-making process.
Cloud environments allow for continuous improvements to be made and any vendor should be able to demonstrate how they will achieve this through investment and innovation. From security to certifications, and user experience to third-party integrations, there needs to be a roadmap in place for proactive development. Any presentation that is too focused on the current state would suggest complacency and be a cause for concern. What is being done to maintain that ISO 27001 certification? Will there be further integration with key application vendors? How will the testing environment develop? A future focus is essential.
Data Security and Governance
For any company making a first significant Cloud investment, security is a key area of concern, and in regulated industries this requirement becomes even more critical. Your company will have its own policies for data classification and maybe data residency. A good Cloud provider will be transparent about its data locations so you can establish any issues around local or national jurisdictions, external risks or even access.
Most JP Reis clients are subject to regulatory controls, have extremely high levels of data and information security, and may have invested in achieving standards like ISO 27001. Whatever policies you have in place your vendor must be able to support them and they should be able to demonstrate a mature level of risk focused security operations and governance processes. It is worth checking on encryption of data in transit and in some storage scenarios. There should also be demonstrable levels of resilience with multiple layers of redundancy for disaster situations and policy clearly defined for the notification of security breaches or information loss by any means.
Avoiding client disruption during migration is a big part of what we do at JP Reis. In risk management terms, migration is a critical moment. You need to select a provider whose architecture suits your workloads, applications and practices, preferably without needing too much customization or recoding. In a recent project, we recommended a Cloud vendor that specialized in supporting the software supplier that our client used. Not only was there good match, there was also a roadmap of new features and integrations, and a track record of implementing the same, and the level of migration planning, even at proposal stage, was comprehensive and well thought through.
You may have started the preparation work yourself, but you need to know who will perform application and workflow assessments, who will approve the proof of concept, prepare and configure the network architecture and perform testing. The more detail a vendor can provide, the better.
Contract and Commercials
The wider enterprise migration to Cloud over the next five years will be a threshold moment and see contracts signed that are likely to stay in place for a very long time. If the contract proves to be mutually beneficial then there’s no huge cause for concern but “lock-in” remains an issue that should be discussed during negotiations. With lock-in avoided it is easier to switch between Cloud providers than it is to make the initial migration, you shouldn’t be scared to negotiate from this standpoint. Pricing should be assessed over a medium-term timeframe and there needs to be absolute clarity about what’s included in terms of customer support, migration management, storage and security – beware the added extras.
It also pays to establish the vendor’s track record for reliability, financial health, innovation, performance and resilience. If the contract were terminated or the vendor were to fail, how is data access guaranteed? You may also want to dig further into certifications, especially if you achieved relevant standards internally.
The key takeaways are to work on readiness, create your own selection criteria based on internal requirements – potentially assisted by an independent consultancy – and to identify a solution that is as specific as possible to your use case. Look for a track record and road map of reliable service, innovation and high security. Provided that value is being generated and pricing is roughly in line then you can reach a defensible decision and select a provider to help take your company into the next generation of IT infrastructure.