Cloud services provide many clear benefits from the outset such as reductions in infrastructure costs, the ability to switch services on and off when required, and access to a secure environment and high level IT management skills.
But as Australian organisations increasingly turn to multiple clouds to meet their business needs, an important question needs to be asked: How do they ensure that the increasing investment in IT 'as-a-service' continues to provide the best value over time?
Executives at recent forum - hosted by Equinix and CIO Australia - discussed the best ways to capture requirements and decide which cloud services were the right fit for their organisations to connect with.
Jack Bajic, senior infrastructure architect at QBE, said the level of scrutiny around non-functional requirements is higher when assessing cloud services than systems which are run on-premise.
“We need to pay more attention to security and risk … when it comes to doing the assessment around should or shouldn’t we move [services] to the cloud.”
“So if I take location and availability – we previously had a couple of simple patterns. If we wanted a [service] to be highly available, we would run it ‘active-active’ across two data centres. If we had something that didn’t require that level of availability, we would run it as a cold standby.
With cloud infrastructure, this has changed substantially as QBE can now choose to run its workloads in the cloud and on-premise under a hybrid model or across a number of locations, Bajic said.
“We now have to start making these considerations as part of our architecture and design. We can even start looking at apps that would span across two different cloud providers.”
Move to the cloud with clear intentions
Michael Huxley, solution architect at Kloud Solutions, agreed that it is important for organisations to have a clear idea of what they want to achieve before rolling out cloud services, such as timeline, budget, risk profile and the compatibility of interconnected solutions.
Many companies adopting an infrastructure-as-a-service model are moving small, discrete workloads to the cloud and learning as they go, he said.
At the other end of the spectrum, Huxley said, organisations are moving everything out of the data centre and into the cloud over 12 to 24 months.
“They try to do all the analysis for every application, database and every piece of infrastructure and hardware appliance – and work out how they are going to architect a public cloud environment to run everything,’” Huxley said.
“When you show people all the features and products that are available in Azure for example, customers are trying to expand their product and solution set as well as trying to adopt cloud all in one go. It just simply doesn’t work.”
“Take something simple like charge back,” he said. “If you have calculated the cost of a virtual machine running on premise to be $400 to $500 per month – don't calculate a full charge back at the same time as adopting a public cloud strategy and try to push all of those individual items for storage, network and compute back to your business on day one," he said.
Huxley said organisations need to take what they know – a discrete workload – and move it into the cloud for a month without ‘boiling the ocean.’
“Learn how it runs, how to operate it, what worked in the migration, what needed to be re-architected – make sure things like tooling, monitoring, and backup work.”
“Once those small lessons are learnt, move onto the next and really go through that lessons learnt cycle so it’s a nice progressive journey – 6 to 12 months in there is going to be a lot of progress made than if we sit up front and try to find a future state,” he said.
Peter Prowse, general manager of Dimension Data’s data centre business unit, added that the hybrid cloud conversation is really about how the IT group understands the company’s workload and application profile and how it can be delivered ‘as-a-service.’
“It’s important to then focus on your organisational IP and how you manage across those cloud environments and provide that level of service back to the business.
“The location of the data, the infrastructure, the applications become less relevant than the business outcome and what you are delivering to the end user.
“When we start talking to companies about what they are looking for from a capability point of view, we never start with ‘move everything to the cloud’. It’s about ‘what’s the workload, what’s the attributes, what’s the outcome that you are looking for and what’s the best place to run that?’” he said.
When deciding whether or not to move services to public clouds or run hybrid models, organisations need to ask themselves the following questions:
- Should services be run on premise because of security or cost implications?
- How do you interconnect your private and public services to ensure best operation?
- What is the nature of a workload? Is it highly variable and elastic and therefore makes more sense to run it using a consumption model? If it is fairly static in production therefore it would make more sense economically to run it on premise?
Sam Johnston, CTO at CSC, added that when measuring the effectiveness of cloud services, IT departments need to look at outcomes and experience provided to end users.
“We talk a lot about security – if your app doesn’t perform well then it may as well not be available,” said Johnston. “We know from the large e-commerce sites that even small increase in latency will significantly affect the business.
“Different applications are measured in different ways and when delivering a desktop, you want to be delivering in milliseconds. If you’ve got responsive web applications, [response times] need to be in the hundreds of milliseconds,” he said.
“We [CSC] refer to ourselves more as a services integrator rather than a systems integrator, and a lot of our customers are asking about specific outcomes per month ... which turns our model on its head,” he said.
Dealing with the data sovereignty issue
Edward Snowden’s revelations in 2013 about the amount of data that is collected and scrutinised by the United States’ National Security Agency has fuelled fears around sending and storing information offshore with US-based cloud providers.
New privacy rules, which came into effect in March 2014, have also shone a light on the issue of offshore data hosting.
Dimension Data’s Prowse highlighted that the data sovereignty issue is not solved by placing company information in data centres onshore.
Making sure that data is ‘geo-fenced’ – where alerts are triggered when information crosses an administrator-defined boundary – is vital from a regulatory point of view, said Prowse.
Healthcare organisation, Mercy Health, was particularly cautious about where patient records were going to be stored.
“They were looking for a level of certainty about geo-fencing data within state-based, not just country locations,” he said.
“A bank that we are working with was very clear that data needed to be geo-fenced in within the Australian region with no access offshore due to regulations set out by APRA (the Australian Prudential Regulation Authority).”
Speaking of regulations, it is vital that as an APRA-regulated organisation, QBE, ensures that certain processes aren’t affected by the introduction of cloud services and risks are adequately mitigated.
“From a security perspective, it is imperative that we consider risks quite carefully so they don’t affect business processes in a negative way,” said QBE’s Bajic.
“The reality is that ….if we are talking about something that doesn’t touch our core business processes, then [the regulators] don’t have a large interest in that,” he said.
QBE’s current cloud strategy focuses mostly on development workloads that do not contain sensitive or private information, said Bajic.
“The regulator [APRA] is being proactive and issuing a guidance around how to move to cloud safely. I think they expect people to be moving workloads to the cloud and do that in a well-managed way.
“What they are saying in their latest information paper is [move to cloud] but make sure you have an exit strategy. Have a plan for using an implementer.
“There’s a misconception about APRA saying that you shouldn’t go to the cloud. I don’t share that view, I think they are providing good guidance,” he said.