A quarterly, iT strategy special report from the experts at iT Pro

WINTER 2011

Cloud Computing
in 2012

an PUBLIcatIon 11 CLOUD IN 2012

In assocIatIon wIth
www.itpro.co.uk

Contents Winter 2011

er Max Coot Column

CIO

ing a CIO Everyth

d to the clou Peering in ll xxxxxx crystal ba ow mputing: s to kn Cloud co ng a CIO need fb;o ;oshfb ;oshb;o ho;sfb osh h;oshb fbh ;o sob Everythi b;osfh
know needs to
difficulties. is fraught with the future Metcalfe who Predicting inventor Bob Just ask Ethernet d that the internet would publicly famously predicte volume of traffic (and the it did no collapse under e column when his magazin seven years had to eat Gates who, a Just ask Bill

to hs;o would disappear within WINTER 2011 conditions. such thing). organisations rary, or . hb ;sfhb; that spamsf ;o bhsf;oh market tempochanges major ago, said fboh quicker to either to lead toeither spikes ines were that are some bhsf;lh b;sf of b;ohsyears. of the cloud projects This is going ant in small business t signific Hl ihbfshfs bh slfkhb;osfhcoupletrying to predict the shapeor longer is not . spread rapidly So, really a v It will that exhibi so its not e needsradical years hsfk the next five this or storag the cloud to years ago, oshfb;o As cloud processing will accelerate and well market over already seeing clouds A couple of scope for that

is the of tasks. have ised, tion. The trend Head in ball and stated the simplest suggestion.There attention to custom the less virtualisa capabilitiescrystalfour into its more e ting is have no IT of IT, via computings the last three to accommodat t,be deliveredsays Gartner gazed see SMEs pay loud compu hype, and will parts over companies would ing here we are deploy ng r in the IT less resilien from matured cent of andsoftware ents for 2012. But 20 per v Nearly all a this is happeni moving ty of again, partne the the argum end of long way Cassidy Winstanley, These are tion model . A majori years, so ents by er departm ened. the face and were a Steve te. is a subscrip John to reality s, in ial to Steve Cassidy Max Coot e at Deloit d service now report g clouds as it have broad dateor the potent staring that s already. practic businesses true. , commoditise consultant specialisin shift to hybrid you some of Cost saving beingditure on IT from Cisco, re-engineering There will be a big g at least standardised only buying what from that one smarter about in v l expen g to a survey are runnin are of all scales of become much ss. cloud. that they networks at reduce capita motivation for the around half Indeed, accordin 2011, just where you organisations s in the cloud. the IT move to the er s a key businesses. ions theybusine done on for your in Septemb Aron, an ions into the their IT system ComputaCenter, remain need released ing to Daveany applicat which applicat work of er, by put to cloud only be much more the CIO, howev A study 72 per cent in found cloud, accord have d access to organisations r. The move v There will s For found that Gartne cloud more, the research also ment for improve ant cloud res, but integrator, manager cloud ing security. analyst at y use the Darke cloud. Whats cost pressu the move to signific identity thatilities to s alread n to maintain ting, can be some a reactio emerging. organisation the range of cloud is isseven per cent thought therewill cloud compu cloud services align IT capab But s toity clouds need to more commun the cloud some form. cloud applications to thecritical. es, he says. disadvantage s for different is Gartners was to v Well see easy then fromhave reason for and volum way the move sses cloud platform services business a long businebut thats no Were it is not always a There are unless common interests and r care. some a result, ITs have tucking in the with with coming true But whilst broad. As managed ps and smalle ments to prediction cloud to reducecutlery and organisations the start-uwn example out their the IT depart The most well-kno y making but which assets Although even for moved to pullingl expenditure, the analysts capita just yet. objectives. alread initiative from of exactly ption areG-Cloud on the n in the Government clear picture running demandspredictio go consum already that companies of cloud offerings into the pay-as-youof indications s UK was the oft ations are le to According e, Micros t as follow.ive use be suitab and applic switch to are plenty r cost saving There others willextens ack willas Googl prevalen deliveto continue apace. be more which might near future. set public chargeb such cloud, or will not always is companies as welltime and usage as longin the move to cloud term. IDC, the value for v Accurate st ents IT the cloud the longer tes sugge Amazon, cloud with , move to over 2011 report from anddepartm t hosting ry estima to show a massive to a organisations ty of the d 25 measured. is market ished Interne sses are using tres The diversi Several industexpecte around re as a service accurately cloud services can save years, with the gets more establ busine datacen from sses next four through andin where such as softwainfrastructure gs be a change office and , formats that busine theIT outgoings2010 to $72.9 billion providers, e offerin increase over v There will be near head their as a service billion in s depend to -servic rce. of will . The need public and platforms per cent from $21.5 saving software-as-a ar. Latency growing the actual ite and Salesfo t is are situated of , and both at will disappe it hard to maturity ion of NetSu marke as a service clouds, but the likes ncy and which looks solely can make by 2015. areas of populat issue. rise cloud clouds -atch IT, and will not, on the efficie report, also the an enterp of private what both CloudW com, the g than seeing British The become less will, and . the ss existinper cent of from term, rather e. 74 it define what cloud environment the busine that isationgoneeds the cloud route we but less longer want flexibility,have In the much matur the UK, finds down is commuting in a custom looking to rush from during CIOs may in small long-distance work well sation that degree of time, the organisations organiin the technology the sort of es working s. An by see employe At the same ce cloud ntly may percent of its system to invest but shared are planning g IT efficie only seven now, we could while with less or 60 people to embra positive this is year. vendors housing 50 , you may already runnin And the coming gain, than one in the cloud, whilst largely local hubs is reside cases, So, for example to e technologies, s point of view, companies. have less currently e. In some to someon years. applications maybe 30 next e and sit next IT buyer infrastructur two ion more e in insuranc from an modern over the s with a high of confus set to triple sationhave become so much be working opposite someon and a degree to ilities a bookies and leading larger organi we Why is it that ation and There are levels, capab working for autom services? not r. cloud more, a publishe about service degree of virtually and ready to adopt will spend There is a growing working for be allocated isation reasons. the cloud. exity Faceook could costs. virtual and to compl Resources probably several movewhat cloud means. nferencing r layer of ha A furthe the idea use of videoco that cloud less, throug about pressures, would be quickly understanding the costhave got used to t with greater the way e, as As well the world more flexibl ere else. software, workers es. comes from over can be bough users all a desire to be collaboration services employe shift hosted somewh even ft financial computing to their fellow there is ions being sometimes in of applicat There is the by Apple, Microso connected our current quickly, cloud is also controls to a change but the easily and says Aron. word but there Without commuting Its a radical The use of opex card. workers ration capex to y helped too.to scale concerns practice of with a credit lead to a prolife able al has etfrom probabl beingin which initial employment can by IT on of place, this the questi the way inhibitor used to purchases, Theres also and down. IT cale cloud up, d. A major tunity singly, by oppor of small-s capacity dismisse have been is certainly an and increa Whilst a There department ss itself. their less IT not the busine to move users in for CIOs customised, e Docs might 2012 less and to of Googl CLOUD IN as well as and 21 demanding, few seats to the cloud, many policy departments, rt areas .uk cause too workloads to suppo for IT logy issues of www.itpro.co , or trolled use compliance use the techno development and cale, uncon 11 CLOUD IN 2012 the wide-s such as test business across the the cloud will. certainly
 CLOUD IN 2012

Cloud Computing
Do odolum velenibh eum ssim digna feui dolesectem sed nulputpat, t dolortin utpa tat ulla faci

were not happy customers - potential Theres now be security third-party. data with a service with leaving that cloud keeping acceptance interest in a growing a very strong providers have have the whats more, data safe, and do so. in place to need for of all is the infrastructure biggest driver and to react Perhaps the be more flexible

www.itpro.co.uk

www.itpro.co.uk

Contents
WINTER 2011
Prologue
An introduction to this special report by IT Pro editor Maggie Holland

P3 P5

CIOs top cloud concerns

An infographic detailing the main issues facing CIOs when it comes to cloud computing

What every CEO needs to know about the cloud

Steve Cassidy avoids the jargon to tell leaders what they really need to know about the cloud

P6

What every CIO needs to know about the cloud

Is information more difficult to manage in the cloud? Stephen Pritchard looks at how CIOs can do what they do best when it comes to cloud-based data

P8

Case study: UKFast and Building Blocks

Manchester-based design and technical agency worked with UKFast to implement a private cloud-based solution

P10

Security and the cloud

Is the cloud more or less secure than traditional tech delivery models? Adrian Bridgwater tries to answer those questions and more

P12

Building the economic case for the cloud

Cost is just one benefit associated with cloud computing, but how do you build the right business case? Max Cooter finds out

P16

Cloud computing small print

EDITORIAL Editor Maggie Holland [email protected] 020 7907 6837 Contributors Tom Brewster, Adrian Bridgwater, Max Cooter, Steve Cassidy, Lesley Meall, Stephen Pritchard Design & layout Sarah Ratcliffe Sub Editor Jo Halpin Editorial Director Tim Danton Publishing Director Jon Westnedge ADVERTISING & REPRINTS Advertising Manager Paul Franklin [email protected] 020 7907 6841 LICENSING & SYNDICATION International Licensing Dharmesh Mistry +44 20 7907 6100 MANAGEMENT Group Managing Director Ian Westwood Managing Director John Garewal MD of Advertising Julian Lloyd-Evans Chief Operating Officer Brett Reynolds Group Finance Director Ian Leggett Chief Executive James Tye Chairman Felix Dennis All material Dennis Publishing Ltd, licensed by Felden 2011, and may not be reproduced in whole or part without the consent of the publishers. Liability While every care has been taken in the preparation of this magazine, the publishers cannot be held responsible for the accuracy of the information herein, or any consequence arising from it. Please note that all judgments have been made in the context of equipment available to ICT Reviews at time of review, and that value for money comments are based on UK prices at the time of review, which are subject to fluctuation and are only applicable to the UK market.

SLAs and other fine print can make or break a cloud implementation. Lesley Meall guides you through the pitfalls

P18

Cloud computing market insight: Where are we now and where are we going?
Ovums Laurent Lachal describes how the analyst firm views the market now and in the future

P20

CIO profile: Phil Richards, Loughborough University

Academic tech challenges are unique but this CIO is solving them with a hybrid cloud and gaining benefits attractive to businesses of all shapes and sizes

P22

CIO profile: Simon Bulleyment, haysmacintyre

This accountancy firms CIO doesnt believe in implementing tech for techs sake, but he does believe in the benefits cloud computing has to offer

P24

Column: Where next for the cloud?

Cloud Pro editor Max Cooter looks forward to what changes the cloud will bring about in the coming years

P26

Dennis Publishing Ltd,

CLOUD IN 2012

www.itpro.co.uk

Prologue Maggie Holland

Go from head in the sand to head in the cloud

WINTER 2011

Cloud Comput ing

www.itpro.co.uk 11 CLOUD IN 2012

IOs and other senior business and technology decision makers are time poor, yet suffer from increasing levels of information overload. Rather than add to that sea of data, every quarter we will produce the IT Pro Report. Our aim is to bring together the key information and insight you need to help make strategic business decisions. You can view it on your PC, read it at your leisure on a Kindle, or simply print it out. In this first report, we focus on cloud computing. What is it? What do you need to know? How can it impact your business? With so much noise in the industry about the cloud, this report seeks to highlight what you really need to know and how to ensure your business gets maximum reward with

minimum risk. There is no escaping cloud computing, which is expected to boost the UK economy by around 25 billion a year, according to data from the Centre for Economics and Business Research (CEBR). An IBM study also suggests 70 per cent of midsize organisations will spend some of their tech budget on the cloud in 2011. To explain how this change will affect your business, a range of experts from IT Pro, sister title Cloud Pro and the wider industry have contributed to this report, drawing on their breadth of experience to ensure your questions about cloud computing are answered in detail. Whether youre just starting out, have already explored some cloud-based solutions or have had a bad cloud experience, we hope this report will inform and support your next steps. IT Pro contributing editors Stephen Pritchard and Steve Cassidy bring their expertise to bear, detailing what every companys CEO and CIO needs to know about the new technology. Ovum analyst Laurent Lachal also looks at the state of the market and makes some predictions about where things are headed. What we know for certain is this: the cloud will touch most businesses in some way in the future. Whether that will be a positive or painful experience depends on the way in which those making the decisions choose to leverage their cloud computing knowledge. Hopefully this report will provide a useful starting point for those conversations, debates and business cases. Thanks for reading.

Maggie Holland
For further comment and insight on cloud computing go to www.itpro.co.uk/cloud

There is no escaping cloud computing. It will touch most businesses in some way in the future.

Editor, IT Pro
Let us know your thoughts...
Were keen to hear your feedback on this report and find out what youd like to see included in the next one. Get in touch at [email protected]

CLOUD IN 2012

www.itpro.co.uk

Infographic Cloud concerns

CIOs Top Cloud Concerns

Data Security

coSt/uncertain SavingS

LoSS of controL
reLiabiLity

reguLatory or compLiance
Data portabiLity

Software compatibiLity

New technologies, old concerns, existing vendors

CIOs and other decision makers are undeniably concerned about cloud security. But its not the only cloud issue on their radars. Cost, ROI, control and reliability all feature high on the agenda too. Thankfully, they can look to their existing vendor relationships for peace of mind, according to Morgan Stanley. Companies are likely to turn to their trusted advisors to help them navigate cloud projects, in our view, and we doubt that the cloud (or new and unproven vendors) will supplant the existing IT services industry leaders, as some have argued, it states in its Cloud Computing Takes Off blue paper. Through their existing relationships, many IT services companies have also demonstrated their ability to address many of the top concerns that CIOs have about the cloud.

performance

Lock-in

Credit: Morgan Stanley Research

5 CLOUD IN 2012 www.itpro.co.uk

Everything a CEO needs to know

Cloud computing: Everything a CEO needs to know

Does the cloud sound like a great opportunity, but you feel swamped by the jargon? Steve Cassidy spells out the basics for bosses.

loud computing is a term used a lot in the technical press, but dont be put off by the jargon this is a topic that will have a big impact on your business. There will be shelfloads of books written on this topic: everything a CEO needs to know. Expect a plethora of seminars to attend, information overload and oodles of golfing trips filled with opinions. However, theres a reality check: this isnt going to be the last word on cloud computing. There are some basic directions to look in and things to focus on at chief executive level that your lowerlevel managers and direct reports wont necessarily have at the forefront of their minds. Terminology is one of those things. Your irritation

with technical types, babbling away using terms they dont define, no matter how well-intentioned they are, gets some real teeth when it comes to cloud computing. There is no body defining terminology quite literally, no body. So that old question to the nerds what does that really mean? has some bite to it when they start throwing around the C word. Your CEOs radar that alerts you when someone starts fibbing has probably been going off like mad when people have proposed a cloud computing product to you, mainly because theres no shortage of guys ready to wave the buzzword dictionary around while trying to sell you last years product heavily veneered with this years vocabulary. That may not mean they have a bad product, so

Steve Cassidy is a consultant specialising in reengineering networks at all scales of businesses. Hes also a contributing editor for IT Pro, Cloud Pro and PC Pro.

dont hesitate to ask that question: what do they really mean? If they cant explain it in a way that makes sense to you, and cant clearly define the business benefits the project will bring, dont sign the cheque. Legal matters When using the services of a company presiding over some of the cloud, dont let new-toy enthusiasm or open-ended promises about savings obscure traditional CEO concerns, such as recovery from chips-are-down disasters. What are the usable legal recourses for the day you discover your cloud computing provider has taken a bold stand on the WikiLeaks issue and is under attack by two-thirds of the planet? What stops your provider from moving your data to a jurisdiction that takes a dislike to you or them? Are they the definitive provider or last resort, or are they just reselling someone elses package? Due diligence isnt just a tick-box exercise when taking up services in the cloud, its a major component of the project time. Degree of lock-in Some cloud computing systems are just a neat way of responding to peaks in demand; others become as knowledgable about your affairs as your accounting firm; others want you to partner with them for life. The dream of many upsellers in the current wave of cloud hypesters is to pretend to be removable when, in fact, they intend to hook up with you for the forseeable future. Pricing independence is very much a CEO-level question, as is the exit

CLOUD IN 2012

www.itpro.co.uk

Everything a CEO needs to know

strategy and cloud computing is meant to be all about steering your work to an available resource, not watching it vanish behind someone elses security gates, hopefully holding a visiting-rights order. Impact If IT is worth doing its because it will bring some changes to your business. The IT companies are pretty confident cloud computing is the biggest change for their product ranges, work and development in 20 or 30 years. If thats the impact on them, what will be the impact on you? Having talked at some length here about the downsides of a hype-heavy market, lets look at the upsides. Most of the large-scale appraisals of cloud computing platforms say cloud is somewhere between the invention of the internet and the take-up of the

This is a topic that will have a big impact on your business.

BlackBerry when it comes to impact on businesses. Seen from the CEOs chair, this kind of upheaval can seem like an almost God-given opportunity plenty of chances for new markets, cost reductions and shakings out but consider just how much of a new field this is. Bets are being made, the odds of which cant be properly calculated, and the proposed solution consists of someone telling you theyre happy to bet with your computing resources. Cloud computing presents the CEO with a major opportunity to reshape and reorganise their business. Its not just about IT, its about how to use, analyse and improve company data, and its about using IT to have an impact on business processes, a recent Cloud Pro white paper advised. Many organisations employ an If it aint broke... mentality. Theyre stuck in their ways, doing things the same way, time and again, without
 CLOUD IN 2012

reinventing the wheel. But cloud computing should be seen as an opportunity to change this way of thinking, and as a chance to really shake things up. This opportunity is being lapped up by many businesses. A recent

survey by the Cloud Industry Forum (CIF) found that half of organisations are at least dipping their corporate toes in the water when it comes to cloud computing. Flexibility, rather than cost savings alone, was cited as the primary driver by those responding to CIFs research questions. Im very encouraged by these results. The reality is that customers are trying the cloud, theyre doing it for a purpose and they are very happy with it, Andy Burton, CIFs chairman said. Its clear that cloud is on the increase and is part of a coherent IT strategy. How big the risks and rewards are depends on organisational specifics, but, clearly, the arrival of the cloud cannot be ignored. Cloud computing may not be for every business or for every CEO, but every CEO should be looking at the technology, continued Cloud Pros white paper. The best companies will be those in which the CEO, CFO and CIO/CTO look at the direction the organisation is headed over the next five years and the best means for getting there. If that involves cloud, now is the best time to be thinking about it. If you dont, your competitors will be.
www.itpro.co.uk

CIO Everything a CIO needs to know

Cloud computing: Everything a CIO needs to know

CIOs are guardians of a companys biggest asset. But how do they look after data in the cloud? Stephen Pritchard looks at what the CIO needs to know about cloud computing.

loud computing is moving from hype to reality. The majority of businesses now report they are running at least some of their IT systems in the cloud. A study carried out by IT integrator ComputaCenter found that 72 per cent of organisations already use the cloud in some form. But the range of cloud services and applications is broad. As a result, it is not always easy, even for IT departments, to have a clear picture of exactly which assets and applications are running in the cloud, or which might be suitable to move there in the future. The diversity of the cloud with formats such as software-as-a-service (SaaS), platform-as-a-service (PaaS), infrastructure-as-a-service (IaaS) and public and private clouds can make it hard to define what will and will not work well in a cloud environment. At the same time, the rush by vendors to embrace cloud technologies, while largely positive from an IT buyers point of view, is leading to confusion about service levels, capabilities and costs. A further layer of complexity comes from the way cloud computing services can be bought easily and quickly, sometimes with a credit card. Without controls in place, this can lead to a proliferation of small-scale cloud purchases, by IT departments and, increasingly, by IT users in the business. While a few seats of Google Docs may not cause too many policy and compliance issues, widescale, uncontrolled use of the cloud across the business certainly will. Head in the clouds As cloud computings capabilities
 CLOUD IN 2012

have matured in recent years, so the arguments for deploying it have broadened. Cost savings or the potential to reduce capital expenditure on IT remains a key motivation for the cloud, according to Dave Aron, an analyst at Gartner. The move to cloud is a reaction to cost pressures, but also to the need to align IT capabilities to business volumes, he says. But while some businesses have moved to the cloud to reduce ITs demands on capital expenditure, the switch to pay-as-you go consumption will not always deliver cost savings over the longer term. Several industry estimates suggest businesses can save around 25 per cent of their IT outgoings through clouds, but the actual savings depend on the efficiency and maturity of the businesss existing IT, and also the degree of customisation it needs from its systems. An organisation that is already running IT efficiently may have less to gain than one with less modern infrastructure. In some cases, larger organisations with a high degree of automation and virtualisation will spend more, not less, through a move to the cloud. As well as the cost pressures, there is a desire to be more flexible, says Aron. There is the financial shift from capex to opex, but there is also the question of being able to scale capacity up and down. There is certainly an opportunity for CIOs to move less-demanding and less-customised IT workloads to the cloud, as well as to use the technology to support areas such as test and development, or projects that are either temporary or that exhibit

Stephen Pritchard has been a journalist since 1990. Today his main specialisms are business, technology and finance. He writes for a number of national and international titles, and is a contributing editor and columnist for IT Pro.

significant spikes in processing or storage needs. There is scope for the cloud to accommodate the less customised and less resilient parts of IT, says John Winstanley, a partner in the IT practice at Deloitte. These are standardised, commoditised services, where you are only buying what you need for your business. Darker clouds For the CIO, however, there can be some significant disadvantages to cloud computing unless the move is managed with care. Although start-ups and smaller companies are already making extensive use of cloud offerings from companies such as Google, Microsoft and Amazon as well as longestablished internet hosting providers and businesses are using SaaS offerings from the likes of NetSuite and Salesforce.com, the enterprise cloud market is less mature. CIOs may want flexibility, but the traditional [enterprise] vendors offering trusted cloud environments

www.itpro.co.uk

CIO Everything a CIO needs to know

want their customers to commit to volumes and to a term. Without that commitment, the unit costs of cloud can be quite high, he cautions. IT vendors are struggling, he suggests, to move to the telco model of shared services that is needed to support full flexibility. Cloud deployments raise further considerations around governance and integration. Large businesses and public sector departments will look at private clouds to ensure security, privacy and reliability. Private cloud projects are typically driven by IT. Management-wise, they have much in common with other IT outsourcing contracts. But even in a large business with a policy of adopting private clouds, possibly through a single outsourcing contractor or systems integrator, the risk of a proliferation of cloud services is very real. 2011 has been a year in which a number of technology providers and vendors have made some fantastic sales pitches for the cloud, says John Rakowski, an analyst at Forrester Research. But the real headache for CIOs is that, without a strategy, they wont have the people and processes in place to derive the benefits from the cloud.

Formulating an effective cloud strategy goes beyond setting a central policy for cloud-related processes, although, as Deloittes Winstanley points out, this remains important to control cloud sprawl and, especially, the purchase of cloud services by IT-savvy business users. If you can provision new services in minutes, you need better controls over who does that, he says. An effective cloud strategy also needs to cover security, data privacy, application development environments and, especially, compatibility. This includes compatibility between cloud service providers offerings, and between the cloud and on-premise or legacy IT. From a legacy viewpoint, the first question is whether apps can move to a cloud platform, Rakowski says. Cloud-based environments can be a big challenge from a risk and security perspective. And there remain issues about where users data is stored. This is especially a concern for data controllers if they handle financial or personally identifiable data. CIOs also need to consider how data is shared between cloud platforms. There is work being done in this area, including by vendors such as Microsoft and Tibco, but there are

What not to do
Hasty cloud deployments can cause more problems than they solve. Here are some pitfalls to avoid. v One-sided contracts: cloud services are often one size fits all, but what recourse do you have if there is an outage? Also, watch out for unreasonable demands over intellectual property, code or even data. v Offering the business an SLA that is better than the cloud providers SLA, unless in-house IT can act as a backup. v Developing applications in environments that are not portable to other cloud services or able to run on in-house kit. v Using service providers that do not specify where data resides or that have data policies that would breach your companys rules. v Business users who sign up for cloud services outside a central framework (but do have a procedure in place to rapidly deploy services). v Overlooking the benefits from internal IT efficiencies as an alternative to the cloud, but keep in mind the IT workload involved in buying, managing and integrating cloud services.

Best practices for the cloud

Cloud computing can save money and allow businesses to be more agile, but IT departments need to follow best practice. Here are some key considerations: v Develop a cloud strategy, covering cloud purchases and deployments, by IT and by the lines of business. v Set clear policies for data privacy, security and governance. v Try, where possible, to ensure cloud providers adhere to open standards, and pay attention to compatibility and integration. v Ensure the IT organisation has

the right skills to manage cloud purchases, and to manage the demand for resources. v Attempt to build good working relationships with cloud providers, rather than viewing them simply as commodity service providers. v Consider whether a private cloud, or indeed a conventional outsourcing model, may work better for business-critical data or applications. Avoid pressure from business executives who think cloud is always best. v Help the business to express what it wants clearly from IT before designing an IT solution to a perceived business problem.

still few consistent ways to exchange cloud-based information. Cloud experts warn this, along with closely coupled hardware, operating and development environments in some cloud offerings, could lead to CIOs replacing one form of vendor lock-in with another. PaaS offerings will only succeed, says Rakowski, if they operate on an open-source, or at least an open-standards, basis. Riding the storm CIOs can exploit the cloud with the right planning and controls. Forrester, claims effective use of cloud computing is as much about people and process as it is about technology. As Winstanley suggests, the cloud may offer CIOs a once-in-a-generation opportunity for IT to re-engage with the business. It is not just about cost cutting or even agility; there are other ways to top that, he says, it is about a new way of providing IT services to the business.
www.itpro.co.uk

CLOUD IN 2012

Case study:

UKFast and Building Blocks

SITUATION
Building Blocks was founded in Manchester in 2007 by Jonathan Whiteside and Andy Iddon. Set up as a niche technical agency, it has grown into a specialist consultancy delivering design and technical services for large-scale web projects for clients including Warner Leisure Hotels and Butlins in the UK and Yara International and Alitalia abroad. In 2010, the firm opened an office in New York after enjoying a record third year in which foreign deals accounted for a fifth of the contracts won by the web technology firm. It now plans to add to its 40-strong team at its Manchester headquarters to cater for ongoing relationships with its long-term clients and new business. Building Blocks boasts a strong
10 CLOUD IN 2012

relationship with its clients and stays informed of their changing needs. Whiteside identified an increasingly common need amongst his clients for scalability and performance of their web solutions to cope with potential future growth. Clients would tell us that, with the solution we were putting in place, they expected to see double digit growth in the traffic their websites had to deal with. But they didnt want to outlay a huge amount of money on equipment and servers to cope with that expected demand before theyd

seen evidence of it, Whiteside explained. What they wanted was a strategy that allowed them to very easily grow and cost-effectively grow to cope with that demand.

SOLUTION
With his clients needs for flexibility and scalability in mind, Whiteside looked for a cloud-based solution that he could recommend with confidence. We wanted the ability to provide

The knowledge that UKFast has of Microsoft cloud-based solutions, particularly the newer ones, was unrivalled.
www.itpro.co.uk

Case study:

more power and scale solutions quickly when we needed to, he said. Building Blocks approached UKFast with its ideas for a private cloud solution. UKFast has a very good understanding of what a private cloud is. Additionally, we standardise on the Microsoft Stack at Building Blocks and the knowledge that UKFast has of Microsoft cloud-based solutions particularly the newer ones was unrivalled, Whiteside added. We couldnt find that with any other hosting provider. Its unique insight swayed it for us. Opting for a private cloud, Whiteside had to consider the concerns often associated with a cloud environment. The main concern is always around security and particularly around data protection, customer data and how it is being stored. People think it can increase the chances of being hacked because its not within the control of their inhouse team, he said. Weve addressed those concerns by making sure we think about every possibility before we deploy the solution. How are we going to deploy the solution? How will we access the solution? We make sure things have secure, long passwords. He continued: Having a cloud solution makes you think a lot more about security concerns than perhaps

UKFast understands our situation and that of our clients and how important it is to us that we deliver on our promises. From a customer service point of view, theyre excellent.
you would if you were running it inhouse. With a cloud solution we are thinking longer and harder about how we can secure those solutions for our customers. Since adopting the solution in late 2010, Building Blocks hasnt experienced any security problems. Whats more, Whiteside says most clients hosted by Building Blocks havent noticed a change. There hasnt been a visible difference, he said. People cant tell if its being hosted on a cloud platform or not, it just happens in the background. they know the campaign is only running for three months, they can scale up, pay for that particular amount of time, then scale back to their normal amounts.

WHY UKFAST?
Building Blocks is expanding its portfolio of clients for whom their delivery of a private cloud solution works very successfully. Were able to offer another tried and tested solution to introduce to our customers when we think its appropriate when they need scale and flexibility quickly, Whiteside said. Weve been working with cloud technology for some time so we can say with confidence when we think its a good fit for a business. UKFast is the ideal partner to help meet clients needs, according to Whiteside. We have a very good relationship with UKFast. We speak regularly with our account managers and we know if there are any problems we can get on the phone and speak to someone who knows us, he said. The team understands our situation and that of our clients and how important it is to us that we deliver on our promises. From a customer service point of view, theyre excellent.

BENEFITS
The benefits of a private cloud solution have been highlighted when clients have demanded more disk space or capacity and when clients have experienced high peaks in traffic. Weve been able to scale up much more quickly and much more cost effectively, Whiteside said. We have been able to provision more space or more capacity quicker by going through a normal support procedure rather than having to justify a business case and how the new equipment is going to fit into the architecture and discuss where we are going to put the servers. Its also proven its worth for clients launching campaign-driven marketing that is susceptible to traffic spikes, according to Whiteside. Instead of having to outlay for the provision of new equipment and new servers when

If you think your business could benefit from the flexibilityand scalability of a private cloud, talk to one of our hosting experts today. Call now on 0800 458 4545 or visit www.ukfast.co.uk/privatecloud-computing.html
www.itpro.co.uk

11 CLOUD IN 2012

Feature Cumulo - confidence

Cumulo-confidence: how secure is the cloud?

Security is paramount for any organisation. But, asks Adrian Bridgwater, how should you approach this subject when it comes to the cloud?

e appear to exist in a time when confidence in cloud computing security is (if you believe the surveys) very much in question. This perception is driven, at least in part, by the distance between the customer and the cloud provider. But the real and virtual gaps that exist here do not inherently mean cloud application security risks are more difficult to curtail. So where should we draw the lines around cloud application and data security? The 2010 Ponemon Institute cloud security research, sponsored by CA, suggests only 36 per cent of organisations are vigilant when it comes to conducting audits or assessments of cloud computing resources before deployment. The survey also found IT practitioners, at all levels, lack confidence in their employers ability to secure data and applications deployed in cloud computing environments. This is especially the case in relation to public clouds, the research found. The root of the problem It is important for us to stand back at this point and ask some key questions. Is it actually the cloud that is at risk of being insecure? Perhaps its the application that needs to be locked down? The greatest data risks to any organisation come from within; susceptibility to data damage from employees use of the network,

whether through premeditated or accidental action, remains the biggest security issue of all and one that simply cannot, and should not, be ignored. This insider threats message is repeated by anti-virus vendors again and again. Enterprise-level applications may be inherently insecure, whether they sit on the corporate network, in a private cloud data repository or, ultimately, in the public cloud. The cloud itself is not insecure, but what you put in the cloud may well be. If you accept this

Adrian Bridgwater is a freelance journalist and blogger for both UK and US-based IT websites and journals covering the application development landscape. Hes also a regular contributor to both Cloud Pro and IT Pro..

basic truism, we can all start to move on. Nevertheless, it would seem we are all more than a little worried about cloud security and that worry is big business, according to analyst firm IDC, which predicts the cloud security market will be worth 6 billion by 2015. There is going to be a ton of money to make here, IDC research director, Sally Hudson, said at the Cloud Identity Summit in July 2011.
www.itpro.co.uk

12 CLOUD IN 2012

Feature Cumulo - confidence

With this in mind, surely there should be some kind of governing body to oversee cloud security fundamentals? This is what the Cloud Security Alliance (CSA) sets out to do. The CSAs CCSK certification exam aims to set a professional bar for those whom we call practitioners, but whom we should perhaps just call users, software developers and IT managers. The CSA describes itself as a notfor-profit organisation with a mission to promote the use of best practices for providing security assurance within cloud computing. The organisation is clearly having some influence on the industry; its corporate member list doubles as a handy whos who of the cloud industry and this years CSA Summit drew Vivek Kundra, US chief information officer at the White House, as a keynote speaker. What can companies do to stay secure? At a lower level than industry body edicts and infrastructural standards, what can companies do to address

Managing cloud risk

Cloud computing may save money, but how do you manage the risks? Mike Small, of ISACA Security Advisory Groups London chapter tries to answer that question. The risks associated with cloud computing depend on the service and delivery models adopted, as well as the organisation and its individual requirements. The common security concern is ensuring the confidentiality, integrity and availability of the services and data delivered through the cloud environment. Particular issues include ensuring compliance, avoiding lockin and making sure regulated, confidential and valuable data is handled securely. Taking a good governance approach, such

as COBIT, is key to safely embracing the cloud and the benefits it provides. COBIT provides guidance to: v Identify the business requirements for the cloud-based solution. v Determine the governance needs based on the business requirements. Some applications will be more business critical than others. v Develop scenarios to understand the security threats and weaknesses. Use these to determine the risk response in terms of requirements for controls and questions to be answered. v Understand what the accreditations and audit reports offered by the cloud provider mean and actually cover.

security issues in the cloud? As we have said before on IT Pros sister title, Cloud Pro, no commercial entity should approach the deployment of any application from a simple email client application to a mission-critical database without security software controls in place. Encryption layers, firewalls, anti-

It would seem were more than a little worried about cloud security.

malware suites and spam filters all have a purpose but this is not the place for a complete list of security controls. So take it as read that, if these protection mechanisms are needed on the ground, they are needed in the cloud in equal measure. At a deeper level still, finegrained access controls can help. For example, users should only be able to access the rows or table values in a cloud application database that they are authorised to have access to. In practice, this means a sales clerk, using a cloud-based application and its corresponding data store, should only be able to view their own sales and not the figures relating to their colleagues or their department and/or the company as a whole. The vendors viewpoint Cloud providers seem best placed to handle customers security concerns because they sit closest to the data. In an effort to share some of this proximity, Rackspace recently launched its so-called extreme mission-critical cloud offering, known as Critical Sites. This service is said to drill into the application layer to provide real-time visibility of clients most important websites and applications. Industry-speak aside, this means

13 CLOUD IN 2012

www.itpro.co.uk

Feature Cumulo - confidence

customers will get performance management tools and a web-scale engineering team to address sensitivities on a five-minute notification of events service level agreement (SLA). When cloud users

requirements remains with Windows Azure customers, Microsofts commitment to providing fundamental security capabilities is key to our customers success with Windows Azure.

details and transactions. This is not dissimilar to the cloud model in some ways. We place our data and applications with reputable cloud provider brands, safe in the knowledge that these companies will honour the sanctity of the SLA and data privacy agreements we sign. Whether this trust ever needs to be brought into question is a moot point for many CIOs considering cloud migrations. But, as IT Pro contributing editor Jon Honeyball has said, people have trusted their money to banks for many years, but (in contrast) we have only had cloud for what seems like a matter of months. It may just take the natural passage of time before we assign the same levels of trust to cloud computing as we do today to, say, teachers and hospital staff. From this point, we may then find the cloud actually makes data more secure than if left unmanaged. Will this happen? It can and it will, is Honeyballs prophecy.

If these protection mechanisms are needed on the ground, they are needed in the cloud in equal measure.
want security analysis reviews for applications, infrastructure and architecture, they can have it. As the cloud evolves, this kind of SLA is likely to become increasingly prevalent. Echoing this proximity message is Michael Newberry, UK product manager for Windows Azure at Microsoft. Cloud providers uniquely understand their platform and are best placed to describe the controls customers can use to achieve their required level of security, so customers can determine if the capabilities and controls are suitable for their requirements, he says. Resonating with our assertion that the cloud is only as good as the application, Newberry continues: While responsibility for compliance with laws, regulations and industry
14 CLOUD IN 2012

Taken on trust We often use the analogy of banking when it comes to cloud security. As individuals, we entrust our money to our bank on the understanding that other customers dont get to see our

www.itpro.co.uk

Feature Cumulo - confidence

Five Top Cloud Security Tips

Application encryption on the ground should equal application encryption in the cloud. Firms need to initiate this process by performing an inventory analysis of all cloud resources to be managed and, then, assessing the business risk associated with each element of the IT stack. Appropriate levels of encryption can then be applied.

Encryption Equality

All applications are not the same. So-called extreme (or high-risk) mission-critical, cloud-based applications are different, so there will always be some data you dont host in the cloud. This could be data relating to national security, business intellectual property (IP) or sensitive customer account data.

Mission-Critical Omissions

Look to see that your cloud provider has basic Secure Sockets Layer (SSL) and Virtual Private Network (VPN) layers in place. This should be among the ABC first principles of cloud security best practice, so that information in transit has a core level of encryption.

SSL and VPN is ABC

Formalised security and access-control policies are prerequisites for securely using the cloud. Whether your firm produces a one-page, A4 document or conducts formal in-house training, policy controls are the bedrock of cloud security best practice.

Policing Policy Practice

Constantly auditing your cloud providers service for true visibility is crucial. The Ponemon CA study found that half of all respondents recognise many cloud resources are not evaluated for security before deployment. In practice, the process of pre-evaluation, re-evaluation and auditory analysis with a view to achieving application and data transparency, clarity and visibility is essential.

Transparency, clarity and visibility

15 CLOUD IN 2012

www.itpro.co.uk

Feature Building an economic case

Building an economic case for taking to the cloud

Experts say were all destined for the cloud, so why has adoption been slower than expected? Max Cooter seeks an explanation.

here is a paradox at the heart of cloud computing. Every vendor, consultant or industry analyst with their finger on the pulse has said it is set to dominate the business landscape in the future. Gartner famously predicted that, by the end of 2012, 20 per cent of companies would have no IT assets and even businesses such as Microsoft, grown huge off its efforts in on-premise software, have claimed the future is cloud-based. Yet heres the paradox: despite all this interest, there are still large numbers of companies not yet prepared to move to cloud-based delivery. How does this interest in cloud technology marry up with the lack of action in moving to the cloud? According to a survey carried out in 2010, on behalf of BT, theres a simple answer 56 per cent of business managers are struggling to articulate the business case for cloud computing. As these are the people who control the purse strings within organisations, take-up of cloud was likely to stall. Theres another paradox at play here: the people who are best placed to make the call on the possible impact of cloud computing on a business are the IT staff and, in some cases, they are often the people who have a vested interest in cloud not happening. Cloud judge and jury How, then, does a business make the judgment call on whether or not to go down the path of cloud computing? Making that decision involves a finely balanced assessment of different factors not all of them

related to IT. Its true, there are decisions to be made about replacing servers (not forgetting the cost of support and maintenance), moving legacy software to the cloud, managing the amount of power required to support those servers, managing the software licensing and, finally, controlling the cost of the real estate is there a need to build those giant datacentres? It also shouldnt be assumed that its always the case of moving everything to the cloud. Some applications sit far more happily within the cloud than others. For example, any site that has to deal with bursts of traffic either planned (for example, retail sites at Christmas) or

Max Cooter is editor of Cloud Pro. He has seen profound changes to the IT landscape during his 20 years as a journalist, but believes cloud computing could be the biggest of them all.

unplanned (a music site that has an unexpected hit) would sit more comfortably in the cloud. But there are additional factors, some of which are not so easy to quantify. How do you assess the effect of the business transformation that could be brought about by a move to cloud? There are many variables at play here because cloud could disrupt a business in so many ways. Talking tech The talk has all been about IT, but thats the wrong approach. Although IT may seem like an expensive resource, it generally represents no more than five per cent of the average companys expenditure.
www.itpro.co.uk

16 CLOUD IN 2012

Feature Building an economic case

However, cloud computing does offer several hard-to-quantify advantages for any organisation: v Greater efficiency in working. v The ability to better monitor departmental expenditure. v The means to bring products to market more quickly. v The ability to implement new projects more quickly. Thats why calculating the return on investment (ROI) is difficult. There are plenty of calculators available to work out whether moving to cloud computing is financially viable, but there are plenty of drawbacks to their use. Thats because so many of them are heavily focused on IT equipment but, as weve seen, thats not always the most reliable guide to whats best for a business. The other factor is that most of them are produced by vendors and are geared towards that vendors product. Microsoft has a good
17 CLOUD IN 2012

calculator provided you accept its going to be aimed at prospective Azure customers so have Amazon and Google. To be fair to all of these vendors, theres an acceptance that this isnt the whole story and the decision to

move to the cloud involves a lot more than crunching numbers although these tools do give some idea of the factors to be considered. The other strand of ROI tools are from other software vendors. These are not aimed at driving support towards cloud providers products, but are seen as offering an easy path to those software companies paid-for products. For example, companies such as Apptio have released tools that offer a way to assess the cost of moving to the cloud and the value of any savings. In truth, such calculators provide a back-of-the-envelope guide, but wont provide any real help in making the decision. The choice of whether or not to move to the cloud is a decision that has to be made by a group of people: the IT staff (infrastructure and development people), finance director and CEO would generally need to work in parallel on it. The move towards virtualisation and cloud computing has broken up IT silos within companies; much the same effect has to occur throughout organisations as a whole. It involves a radical new way of thinking but, then, cloud computing is going to effect a radical shake-up of business processes, so companies should start as they mean to go on. Without such discussions, the chances of building an economic case for cloud are going to be slim.
From a management accounting point of view, opportunity cost is just a variation on what if? scenario modelling, he says, but it can clarify how making one choice can either prevent you from making another choice, or put you in a position where you have more choices. Take infrastructure. The question might be, do we spend 4,000 buying a server or do we host it externally, which costs 1,000 a year, and then use the remaining 3,000 to buy in a new person or redeploy the money elsewhere, says Sampat. But to properly assess the possibilities, you need a planned budget, going forward for 12 months, and, for a going concern, at least the previous 12 months, too. Credit: Lesley Meall

Making the sums add up

Pratik Sampat is chief executive at Horizon Accounts. He is trained to look more closely at the cost benefits of cloud, but his decision to run his firm and service clients using Dropbox, Erply, Google Apps, Xero and Skype was still driven by the sort of operational and tactical benefits that can be hard to quantify. However, as a chartered management accountant, Sampat is well equipped to explain how economic concepts such as opportunity cost can potentially be used in the context of budgeting and forecasting to cost (and justify) the cloud approach in a way that non-accountants can understand.

www.itpro.co.uk

Feature Read the small print

Read the small print and learn to avoid big problems

Many cloud decisions are being taken by non-IT staff, which is all well and good until things go wrong so get familiar with those T&Cs, urges Lesley Meall.

ts all very well being charged only for the computing power you use, as long as theres some available to use. The recent outage of Amazons US Elastic Cloud Compute (EC2) service made a lot of users understandably unhappy and brought a wry smile to the faces of some industry observers, who noted it was only a matter of time before something like this happened. While the news may not have been particularly surprising, the reasons behind it may well be. This did not occur because cloud computing is inherently risky. The incredulous cries of unhappy Amazon users only go to show how little attention many of them had paid to the small print before they signed on the (in many cases metaphorical) dotted line. Cloud computing is not like normal outsourcing, says Martin Hart, chairman of the National Outsourcing Association (NOA), though some private clouds look an awful lot like managed services and some managed services look an

woeful neglect still looms large. We are left peering into a whopping-great Cheddar Gorge filled with the service level agreements (SLAs) many buyers of cloud computing seem not to have carefully considered. Some providers of public cloud services dont offer a formal SLA, observes Craig West, vice president of channel sales for NetSuite. This is particularly so in the one contract

You dont have to wade far into most cloud terms of service to see how little they resemble a formal SLA.
awful lot like outsourcing. But if we put aside the semantic debate on the many types of IT outsourcing and the various flavours of cloud computing on the menu, resist the temptation to clarify things with a Venn diagram and focus on public cloud services, the issue of
18 CLOUD IN 2012

Lesley Meall is a freelance journalist and editor. She has been writing about accountancy, business and technology for more years than she cares to remember, and before this, at some point in the dim and distant past, she used to be a software engineer.

size fits all world of software-as-aservice (SaaS). We may be unique among SaaS providers in offering an SLA with an uptime guarantee, he says, and if the company doesnt maintain its promised 99.5 per cent uptime in any given month, customers have that

months subscription returned. West admits this takes the form of a credit to your account (and if youve lost money because of system down time, this will be small recompense), but this particular remedy tends to be the norm among SaaS providers. The balance of power sits with the service provider, observes Hart. Whats more, you dont have to wade very far into most public cloud providers carefully worded terms of service to see how little they resemble a formal SLA (just ask an Amazon EC2 user). This big fat elephant in the room has always been hovering in the corner behind most public cloud services. Its something that looms large on the radar of any specialist solicitor or experienced buyer of managed services. Some organisations really understand the nature of what theyre entering into, reports Gartner analyst
www.itpro.co.uk

Feature Read the small print

Ian Marriot. If they have been involved in lots of these types of relationship there is a level of knowledge and expertise that enables them to appreciate the totality of the challenge. But cloud computing has put the power to select, commission and pay for IT services into the hands of people who do not always appreciate the need for thorough and ongoing due diligence. According to Gartner, it is essential that those planning to contract for cloud services do a deep analysis on the impact and probability of the risks to mitigate for the issues they consider most critical. Then, its important this is revisited at frequent intervals during the lifetime of the contract though understanding these risks calls for more than a passing acquaintance with contract law. So what else can buyers of cloud

Differentiation is key
With similar services, how do cloud vendors distinguish themselves from the competition? Some try to do so by extending their offerings. But what customers want, and what they are prepared to pay more for, varies widely depending on the type of cloud service being used. Telling the difference between cloud types has never been easy. How many of us can look into the sky and identify a cirrus or stratus cloud, or explain how they become cirrocumulus or nimbostratus? The evolution of cloud computing presents similar challenges. To survive, public cloud providers will

become more like private cloud providers, observes IDC analyst Dave Bradshaw. Businesses want more hand holding than vendors included in their initial public cloud offerings particularly where infrastructureas-a-service (IaaS) is concerned. On-demand access and elasticity are all very well, but businesses are prepared to pay more for services that relieve them of the burden of infrastructure management. Businesses are looking to public cloud providers for the type of service level agreement [SLA] and support they currently get from private cloud providers, says Bradshaw, because they want a higher comfort factor and a transition does seem to be underway.

conference, lawyer Marc Lindsey, a partner with Washington firm LB3, advised enterprises to protect themselves by demanding cloud service providers put their own money at risk and offer liquid

An SME user that is unhappy with a public cloud service is stuck between the devil and the deep blue sea.
services do to protect themselves? That depends on who you ask, which type of cloud service you are using or planning to use, and the size and type of firm that is buying and providing them. At a recent US cloud computing damages for SLA violations. In practice, this is only possible if the relationship between the service provider and the buyer is an equitable one, where the balance of power and risk are not so clearly one-sided as is the case with most public cloud

service providers and the small and medium-sized enterprise (SME) that is typical of their customer bases. An SME public cloud service user unhappy with whats being provided (or not) is stuck between the devil and the deep blue sea. With little negotiating power, they have a choice between voting with their feet or following Gartners recommendations. Maybe theres another option. Despite his disinclination to view cloud computing as outsourcing, Hart has some advice that could help future buyers of public cloud services Think about the balance of power when you choose your supplier, he says, and try to match the size of their business to yours. You dont want to be a small fish in a giant pond.

Cloud contracts: top legal tips

Here, Danvers Baillieu and Angus McFadyen, solicitors at law firm Pinsent Masons, share their expertise when it comes to the law and cloud computing.

Cost: Most cost structures are simple, but check the extras and
model your use to test the total cost. Also analyse metrics; CPU hours, for example, vary as providers gauge them against different benchmark speeds and processes. Cloud services are dependent upon your own network, so see if taking a cloud service will incur costs on that front too.

Trust: The threshold question with any cloud service should

always be: can I trust the provider? If youre worried about the provider going out of business, dont rely only on them for important business activities, and check you can easily move if the service deteriorates.

Licence: See if the subscription flexes up and down. Contracts Data: Make sure data is accessible- it is needed on time in non-

rarely allow group company use as standard. Be aware of providers powers to terminate, or change terms, with little warning.

Service: Clouds are often sold as utilities, with little recourse

proprietary formats, particularly when changing provider. Carefully check where, and by whom, data about individuals is held: you are responsible for how its treated. If data leaves the EU, it can cause complications. Cost savings and efficiencies will often outweigh residual risks. That said, update your BCDR plans, and dont assume that insurance will be there if all fails: cyber risks and data loss are often excluded.

for bad service. This can be tolerable for some services if the provider has a solid reputation, but you can find guaranteed service levels. Its good to look for providers that offer commitments upfront, as it shows confidence in its service delivery, but providers will negotiate these areas (and may offer service credits) if your account is important.

19 CLOUD IN 2012

www.itpro.co.uk

Analysis Insight State of the Market

Ovum: The slow and fast lanes of cloud computing

Whats in store with cloud computing from a user and market perspective? Senior analyst Laurent Lachal takes a look at where it has come from and where the cloud is headed.

n the next five years, the size of the cloud computing market will explode. At the same time, it will evolve slowly as vendors and enterprises get to grips with the opportunities and challenges it represents. The phrase cloud computing was coined in 2007 for two emerging online offerings: infrastructure-as-aservice (IaaS) and platform-as-aservice (PaaS). IaaS delivers computer and/or storage resources. PaaS delivers application infrastructure services, including transaction management, process enablement, user authentication and application functionality services, such as collaboration, content management and business intelligence. The meaning of cloud computing expanded to software-as-a-service (SaaS), which provides user access to application functionality and predates the use of the cloud term. From 2009 to 2010, it grew from a synonym for public clouds (that includes IaaS, PaaS and SaaS) to

revenues headed the same way. Ovum forecasts the enterprise public cloud market will grow from $18 billion in 2011 to $66 billion by the end of 2016, a compound annual growth rate of 29.4 per cent. SaaS will shrink from 87 per cent of the market in 2011 to 62 per cent in 2016 because of the rise of IaaS and PaaS, which will grow from nine per cent and five per cent, respectively, to 23 per cent and 16 per cent. The largest market, North America, will continue its global dominance, albeit down slightly from 54.6 per cent in 2011 to 49.9 per cent by 2016. Asia-Pacifics market share will rise from 15.9 per cent to 18.8 per cent, while Europe, the Middle East and Africa (EMEA) will stay as the secondlargest market, up from 27.1 per cent in 2011 to 29 per cent by 2016. Although cloud computing will rapidly grow, the IT trends it underpins will take longer to evolve. On the supply side, cloud computing drives the convergence between the new public cloud industry, the
Laurent Lachal leads Ovum Software Groups cloud research. During 19 years as an IT analyst, hes provided insight into a range of business and technology issues.

Although cloud computing will rapidly grow, the IT trends it underpins will take longer to evolve.
encompass private clouds and, then, hybrid clouds. Given such evolution, there is a need to be specific when talking about cloud computing. Avoid the phrase if you have one of its subsets in mind. Growing rapidly, evolving slowly Uptake of cloud computing is set to soar in the coming years, with
20 CLOUD IN 2012

state-of-the-art datacentres. The next big wave will focus on consolidation and integration, leading to the rise of the intercloud, a network of public and private clouds. Convergence and consolidation will be at least 10 years in the making, during which time businesses will adjust to the changes public clouds produce:
v IT assets: they impact the way enterprises define, create, procure and consume IT assets. v IT departments: they free IT people to focus on key projects, but undermine by enabling users within and outside IT departments to bypass established processes and enterprise-wide IT strategies. v One another: they make available to SMEs what was formerly only www.itpro.co.uk

internal datacentre/private cloud sector and IT services companies, leading to the emergence of hybrid clouds. Public cloud computing is where the train industry was at in the second half of the 19th century, with its infrastructure being built. Companies, including IBM, Google and Microsoft, are pouring large sums of money into

Analysis Insight State of the Market

available to larger organisations and make it easier for companies to share IT assets. v IT vendors: they shift the risk of investing in and managing IT to the vendors. Public clouds go from technology to business and data platforms There are two ways to view public clouds: from the IT resources they provide (technology-centric) and the ecosystem services they deliver (business-centric). The latter receives less attention, but will become more important than the first. It is about public clouds offering marketplace, business and community services to make it easy for the IT resources they deliver to be sold and consumed. Marketplace services enable users to seek and configure IT resources, and vendors to advertise and sell them; business services enable vendors to manage user accounts, bill and get paid; and community services underpin interactions within, as well as between, user and vendor communities via feedback, review, tagging and forum mechanisms. Apart from IaaS, PaaS and SaaS, a new public cloud offering data-as-aservice (DaaS) is emerging. This is an ecosystem of data producers, processors and consumers, with DaaS offerings based on, or woven into, IaaS, PaaS and SaaS. Many believe

Key predictions
v The enterprise public cloud market will grow from $18 billion in 2011 to $66 billion by the end of 2016, a CAGR of 29.4 per cent. v Public clouds will evolve from technology to business and data platforms. v Private cloud challenges will shift from technology to culture. v Public clouds will not kill IT departments, but they will shift their focus.

they will, one day, be able to send intelligent agents across internal and external networks to find the best cost fit for applications. These agents could be set up to organise auctions in which private, shared and public clouds, as well as hybrid and traditional hosting and outsourcing service providers, contend to deliver the entire application the SaaS way or to provide some (IaaS) or all of its infrastructure (PaaS). Private cloud challenges will move from technology to culture Private clouds build on long-term IT trends, such as the industrialisation, consolidation and standardisation of next-generation datacentres based on automation, virtualisation and SOA designs. But what really differentiates the traditional IT infrastructure from a private cloud is the delivery of shared, standardised and metered services on demand. This will be tough for enterprises to deliver because of cultural issues. Many executives are not keen on sharing, prefer custom systems and are happy not knowing the exact cost of the IT they use. ITs unwillingness to move out of established relationships, meanwhile, is compounded by a lack of operational support systems for functionality such as management and monitoring and business support systems, for provisioning, usage metering and billing. Shifts and challenges Public clouds will not be the death of the IT department, but they will shift

their focus. Provisioning and implementation will adopt a more logical and strategic view of IT, turning IT people from implementers to project managers. Other shifts will include:
v A more holistic approach in connecting network, hardware and software issues. v Less focus on producing services and applications, and more on mixing and matching to create the right processes. v More emphasis on value and innovation, with public clouds responsible for commodity IT assets and IT departments focusing on those that define competitiveness. v Increased risk-taking because public clouds reduce doing costs, freeing IT people for risky, highreward, ventures. v Sharing IT control with public cloud service providers, as well as with partners in shared (virtual) private clouds.

Further reading
Planning for Cloud Computing
http://store.ovum.com/Product/ planning_for_cloud_computing?produ ctid=OI00005-006

Cloud Computing Fundamentals

http://store.ovum.com/Product/ cloud_computing_fundamentals?prod uctid=3072AAED-75A5-467CB912-2B25D6104925

Amazon Web Services Vendor Profile

http://store.ovum.com/Product/ amazon_web_services_vendor_profile ?productid=OI00127-061

Cloud computing promises to tackle the needs to lower costs and boost innovation. But it will take effort from enterprises to make this work. They need a fresh mindset and new skills, both of which are best achieved by practical experience. Getting hands-on with the cloud is the best way to understand its strengths, weaknesses and impact.
www.itpro.co.uk

21 CLOUD IN 2012

CIO Profile Phil Richards, Loughborough University

Phil Richards CV
A University of Oxford graduate, Phil has worked in a number of university IT departments. Before becoming CIO at Loughborough, he was head of ICT at the University of Plymouth from 2000 to 2007 and, before that, was assistant director of information services at Aberystwyth University so he knows his way around the IT departments of some high-profile educational institutions.

What criteria do you use when making technology decisions that will impact your business? Firstly, we assess how they map onto and enhance the core university business areas of research, learning, enterprise and student experience. Following this, we must consider what is the Total Cost of Ownership (TCO) and carbon footprint. Finally, we have to consider what the potential softer benefits are to the wider university community. What advice would you give your peers or those looking at becoming a CIO in the future? As you work your way through ticking the experience boxes of supporting generic systems/applications, user services and infrastructure as cost-effectively as possible, focus on spotting and developing niche areas of IT that can be transformational in delivering competitive advantage to your

f you dont want to make the leap into the public cloud, but still want a taste of the value it can offer, the hybrid model is a viable option. You can choose what data and applications to send to the cloud, without having to risk moving everything to a datacentre over which you have no control. Phil Richards, CIO of Loughborough University, chose the hybrid approach. We spoke to him about how it has transformed the universitys IT. Describe your role in three words Strategy. Leadership. Complexity.

What IT challenges does your organisation face? There are a number, including being able to deliver high performance computing to support our world-class research. We also need to deliver an IT experience for students that matches our clear premier status in this area, as well as support and secure a huge infrastructure, from 20,000 student-owned

A hybrid approach is a good way of de-risking things and adding comfort for nonIT managers nervous about the cloud.
Wi-Fi devices through to classified MoD research, all on the same campus. And doing that in a challenging financial climate. Whats the biggest mistake you think youve made? And, your greatest success? Not buying Google shares all those years ago. My greatest success is my family. Were talking about the cloud later but what other technologies are you watching/planning to deploy? We can deliver most of the student IT experience via the web. The one exception is some demanding specialist academic software (e.g. CAD packages for engineering, manufacturing and architecture), where students still need to troop across to dedicated laboratories. Virtual desktops and applications have promised to solve this problem for some time and I am hoping the latest generation of technologies will finally deliver on this. own particular business domain and then surfing the wave of these career-wise as they (hopefully) become mainstream. What are you doing in the cloud? Two things: our student email calendaring has gone out to Google Docs, but the main thing we are doing is infrastructure related, with Logicalis. Weve created a hybrid cloud, with the local part holistically designed withthe remote service in a co-operative cloud hosted in Logicalis servers. What initial steps did you take in moving to the cloud? We had a 40-year-old datacentre that was clapped out a lot of universities are in that position. We had a choice: refurbish likefor-like for a couple of million pounds, before we even buy a server, or look at some other way to cater for our growth for the next 20, 30 or 40 years. Because that growth is so unpredictable,
www.itpro.co.uk

How did you get to where you are today? Via a number of university roles, where I worked within research, computing and e- learning, building my reputation, and taking on wider responsibilities as these previously niche areas became mainstream. Whats the biggest challenge you face as a modern-day CIO? Doing more with less. And the most rewarding aspect of your job? Developing teams and individuals within the university. What business challenges does your organisation face? The biggest challenge for us is the rapidly emerging competitive market for students paying higher fees. The rules of the game seem to change on a weekly basis, so planning a way forward could not be more challenging.
22 CLOUD IN 2012

CIO Profile Phil Richards, Loughborough University

we thought it would be daft to build something for the next 40 years, for millions of pounds, so we came up with the hybrid model. For the next couple of years, we have sufficient capacity to meet all of our on-site needs. During that period, the remote service from Logicalis is primarily doing disaster recovery. But, beyond that two-year period, we are hoping we dont have to put any more tin, or any more capacity, on campus into the local part of the cloud, so the hybrid model will cater for growth beyond the two-year period.

because of blade servers and high-density hardware, and then virtualisation on top of that, which gives another factor of 10 in terms of consolidation. The real migration weve gone through is from traditional datacentre setup to what we call mini-pods essentially, two, quite small, fixed racks of equipment at opposite ends of the campus that mirror each other. Theres not much tin in them at all. Logicalis built the mini-pods. Meanwhile, we worked with our facilities management departments mechanics to get the chilled water supplies and power supplies in place. Then they [the pods] literally came in the

were going to fit into place and lineup with all the pipes. There were a few minor snags, but it all went rather smoothly. What future plans do you have involving the cloud? Im interested in whether infrastructure-asa- service can be provided in a more generic way, as a utility, where potentially Id be able to switch from one supplier to another, maybe with just a months notice. I think Logicalis will be a player in that. Im confident that, in a couple of years, it will have a competitive service Ill be able to use to satisfy the universitys growth model. But if, in two or three years time, someone offers me a better price and they meet the required quality and security standards, theyre going to get my business. What advice do you have for other CIOs when it comes to the cloud? Consider a hybrid approach, particularly if your datacentre is clapped out. Try to avoid major building refurbishments. Even if your datacentre has been refurbished in the past year, the hybrid cloud may still be an attractive option. A hybrid approach is a good way of derisking things and of adding comfort for non- ICT managers who feel a bit nervous about the cloud.
Loughborough Universitys cloud milestones v Decide between spending millions on a datacentre or moving to a hybrid cloud. v Work out which provider could offer the security and performance required for a university IT infrastructure. Logicalis was chosen to provide a hybrid cloud. v Work with the facilities management department to decide where to place on-premise infrastructure. v Have Logicalis build and deliver two mini-pods to deliver hybrid infrastructure. Move disaster recovery over to Logicalis.

We had a choice: refurbish for a couple of million pounds or look at some other way to cater for our growth.
Security is often a major factor in cloud deployments. Was this a concern for you? Universities are in quite a difficult position with regards to security. On the one hand, students bring in a whole range of devices and expect to use them on our network to help with their learning and socialising. At the same time, we have Ministry of Defence and research contacts at British Aerospace that require the highest levels of security. But one of the main reasons Im not worried about security issues with the Logicalis cloud service is that we connect into it via JANET [the UKs education and research network], not via the commercial internet. Its a very high-speed, highperformance network. Loughborough has got two 10Gbps connections into JANET. Logicalis has decided to tier directly into JANET, Google has also done that, so we can bypass the commercial internet and that mitigates quite a lot of the risk. A combination of that and the VPN, and the containerised security model weve got set up in our link between us and Logicalis, really gives us good assurance. What kinds of migration work did you have to do and did you have any problems along the way? Weve not had to buy much equipment to get us through the next couple of years
23 CLOUD IN 2012

back of a lorry and we plugged them in, and plugged in the fibre cable, and it worked. Since then, its been a straightforward physical-to-virtual process. What benefits did you gain as a result of your move to the cloud? As we switch off the old infrastructure, were starting to see the power savings. We projected it would save us 640 metric tonnes of CO2. Part of the reason that number is so big is that our old datacentre was appalling it had a PUE rating of 2.5, which is dreadful. We wont see the full benefits until weve switched off all of the old infrastructure, which we are on course to do before the end of this calendar year. The mini-pods have a relatively small amount of equipment and that meant we didnt have to do any building. So, instead of a 2 million building, the cost to house the mini-pods was just 20,000 for reinforced enclosures. Weve saved a fortune. Have you had any problems with your move to the cloud, or have you concerns about future hiccups? With Logicalis, we did have a few hairy moments around the mechanical and electrical work at the university. We were all really nervous about whether the mini-pods

www.itpro.co.uk

CIO Profile Simon Bulleyment, haysmacintyre

Simon Bulleyments CV
Simon has more than 10 years experience in technical support, project management, network design, security and IT management. His early career was spent at one of the worlds leading electronics conglomerates, but, in 2008, he became CIO at London-based chartered accounts and tax advisory firm haysmacintyre. There, Simon has designed and implemented major new systems, including an electronic audit approach, electronic document management, secure mobile computing and secure/resilient computer room facilities during office relocations.

We spend a not insignificant amount of money on maintaining a secure and reliable comms room facility and paying somebody else to do this for us (i.e. hosting our existing private cloud infrastructure in a datacentre is potentially attractive). We also face a challenge with the evergrowing use of email, the associated storage requirements and getting access to information retained within Exchange. We are about to implement a cloudbased email archival system to ensure information is retained in a structured manner and easily retrievable (especially for compliance purposes). Whats the biggest mistake you think youve made? And your greatest success? Implementing a certain new system (based on a relatively new technology) too early on when all the research and independent opinions pointed to it being the right thing to do.

oving to the cloud can be a fear-inducing thing, especially for companies holding sensitive data. C-level executives, while often in favour of the cloud and the savings it can bring, can get fairly tetchy about where their information is going. This is not a bad thing. Far from it. Given the potential risks, its often wise to start with a move into a private cloud, where all of the data is still in the hands of the business. You get all of the benefits of the cloud and the added sense of security but will have to invest more in infrastructure. Accountancy firm haysmacintyre is a 24partner practice with 150 employees. While the company is based in London, it supports clients on both a national and international level. Clients range from individuals and small companies to notfor- profit organisations, charities and large businesses. The firm, which specialises in audit services, tax advice and transactional support, has gone down the private cloud route. We caught up with the companys CIO, Simon Bulleyment, to learn more about this cloud computing implementation and how well it is working for the business. Describe your role in three words Busy. Challenging. Rewarding. How did you get to where you are today? My background is in defence electronics.
24 CLOUD IN 2012

I graduated from Brunel University in 1995 with a degree in Electrical Engineering and Electronics and I moved into IT within Thorn EMI/Thomson CSF in the late 90s, working my way up from technical support to an infrastructure role. I joined Haysallan in 1999 as IT Manager and became CIO at haysmacintyre in 2008

Im a firm believer in not implementing new technology unless there is good reason to do so.
(Haysallan merged with Macintyre & Co in 2001). I am also director of a sister consultancy company specialising in IT security. I became a CISSP in 2005. Whats the biggest challenge you face as a modern-day CIO? Ensuring my role is less about managing the IT operation within the company - I have great staff who can do that - and instead being a business enabling function. And the most rewarding aspect of your job? Delivering new systems at haysmacintyre which have a positive impact on how staff and partners work. What IT challenges does your organisation face? The cloud is a great buzz term at the moment but has benefits to offer to many organisations which need to be considered carefully. My greatest success was designing/ implementing our own in-house electronic audit application which transformed audits from being largely a paper-based exercise to an entirely electronic process. Were talking about the cloud later but what other technologies are you watching/planning to deploy? Were looking at remote/mobile working solutions to enable secure remote access from any type of device (rich client, tablet, smartphone). We are also doing a proof-ofconcept for desktop virtualisation. Im also keeping a close eye on the [nextgeneration] iPhone as we will be refreshing most of our mobile devices in the next few months. What criteria do you use when making decisions that will impact your business? Is there a business need for what were
www.itpro.co.uk

CIO Profile Simon Bulleyment, haysmacintyre

about to do? Im a firm believer in not implementing new technology unless there is good reason to do so. What advice would you give your peers or those looking at becoming a CIO in the future? In my opinion, a CIO is an interface between the technology and the business/ senior management. A CIO has to think less about the technology and more about business issues and how IT can assist/drive growth or make existing processes more efficient. Its about moving IT from the traditional overhead department to a businessenabling function. What are you doing in the cloud? We have moved to an on-premise, private cloud infrastructure, using

What migration work did you do and did you have any problems? There was some physical-to-virtual migration work using standard VMware tools, but, in most cases, we virtualised at the time of upgrading platforms. For example, physical Exchange 2003 went to a virtual Exchange 2007 environment. There were very few problems because we had done all of the necessary homework during the planning phase. What benefits did you gain as a result of your move to the cloud? Reduced server hardware, along with associated benefits, such as reduced hardware support costs, less aircooling in the comms room and less server hardware churn. Furthermore, we had improved backup features (we back

The next logical step is to move the VMware infrastructure to a hosted environment, so that somebody else can take care of comms-room requirements, such as physical security, logical security, power, cooling and so on. We will also look into whether we can establish real-time replication of SAN/ VMware data, so that disaster recovery becomes as simple as re-routing clients to an alternative hosting facility. Because of the complexity of a lot of our software and difficulty of integrating between systems, I do not believe public cloud is a viable option. I may consider a separate environment to virtualise DMZ hosts in the future. I still prefer the idea of physical separation between the DMZ and the intranet because I am worried about misconfigured virtual LANs, switches and other virtualised components of our infrastructure. What advice do you have for other CIOs when it comes to the cloud? Plan for your requirements and dont scrimp on the underlying infrastructure, including the network, SAN and virtual machine hosts. There seems to be plenty of horror stories of companies migrating to a virtual world who then suffer performance issues. This mostly seems to be the case when resource requirements have not been properly considered or slow storage systems are being used.
haysmacintyres cloud milestones v Understand what the resource and availability or uptime requirements were for each service moving to the cloud. v Design the infrastructure capable of scaling to demand. v Choose the right product VMware vSphere 4.1 in this case. v Carry out physical-to-virtual migration work until completion of the move over to the cloud.

In most cases, we virtualised when we upgraded. There were very few problems because we had done our homework.
VMwares vSphere 4.1 operating system, with the exception of server-based security products and DMZ hosts. What initial steps did you take in moving to the cloud? First, we had to understand what the resource and availability or uptime requirements were for each service, such as Microsoft Exchange. After that, we had to design an infrastructure that could cope and be scaled-out. This mainly involved looking at disk, network and processor requirements. We chose VMware because it met our requirements. At the time, it had some strong advantages over competitors. Back then, Microsofts Hyper-V had very few enterprise features. Security is often a major factor in cloud deployments. Was it a concern for you? Security wasnt a major factor because I decided not to virtualise security systems.
25 CLOUD IN 2012

up at file and server image level) and improved disaster recovery capability, because rebuilding a virtual server is much easier than the physical equivalent. There has been far greater server resilience, too, because virtual machines float around between various physical hosts subject to resource demands and automatically fail across in the event of a server outage, all without any service/user interruption. In most cases, performance was enhanced because we moved from a server architecture, with local-based disk storage, to an enterprise-grade fibrechannel storage area network (FC SAN). Have you had any problems with your move to the cloud or are you concerned about future hiccups? None whatsoever. What future plans do you have involving the cloud?

www.itpro.co.uk

Column Max Cooter

Peering into the cloud crystal ball

Predicting the future is tough. Just ask Ethernet inventor Bob Metcalfe, who famously predicted the internet would collapse under the volume of traffic (and publicly had to eat his magazine column when it did no such thing). Or ask Bill Gates, who, seven years ago, said spam would disappear within a couple of years. Trying to predict the shape of the cloud market over the next five years or more, therefore, is not the simplest of tasks. A couple of years ago, Gartner gazed into its crystal ball and stated 20 per cent of companies would have no IT department by the end of 2012. We are now staring that date in the face and were a long way from that prophecy coming true. Cisco research, released in September 2011, claimed only around half of organisations have put any applications into the cloud. Whats more, just seven per cent thought a move to cloud was critical. We are far from Gartners bold vision coming true but thats no reason, just yet, for analysts to pull out their cutlery and tuck into the prediction. There are plenty of indications that the move to cloud is set to continue apace. The value for public cloud services is expected to show a massive increase over the next four years: according to research company IDC, the market will grow from $21.5 billion in 2010 to $72.9 billion by 2015. The UK-focused CloudWatch report reckons 74 per cent of British organisations looking at the cloud route are planning to invest in the technology during the coming year. And, while only seven per cent of applications currently reside in the cloud, this is set to triple in the next two years. Why have we become so much more willing to adopt cloud services? There are several reasons, including a growing understanding of what cloud means. Facebook users worldwide are used to the idea of applications being hosted elsewhere. The use of the word cloud by Apple, Microsoft et al has probably helped, too. Theres also the way in which initial concerns have been dismissed. A major inhibitor used to be security potential customers were not happy about leaving data with a third party. Theres now a growing acceptance that cloud 26 CLOUD IN 2012 service providers have a strong interest in keeping data safe and, whats more, have the infrastructure in place to do so. Perhaps the biggest driver is the need for organisations to be more flexible and react more quickly to changing market conditions. This is going to lead to some major changes: v The cloud will spread rapidly in small businesses. Were already seeing this, but the trend will accelerate. v Most software will be delivered via subscription again, this is happening already. v There will be a big shift to hybrid clouds as organisations become much smarter about which applications they move to the cloud. v Much more work will be done on identity management for improved access to cloud services while maintaining security. v Well see more community clouds. There are cloud platforms for different organisations with common interests and objectives. The most wellknown UK example is the Government G-Cloud initiative. Others will follow. v Accurate chargeback will be more prevalent as the IT time and usage of departments within organisations is more accurately measured. v There will be changes in datacentre location. The need to be near head office and areas of population will disappear. Latency will become less of an issue. In the longer term, we could see employees working in small, local hubs housing 50 or 60 people, but shared between companies. You may be working in insurance, but sit next to someone working for a bookies and opposite someone working for a publisher. Resources could be virtually allocated and, with greater use of video-conferencing and collaboration software, workers would be quickly connected to their peers. Its a radical change, but current employment practices of commuting and working 9 to 5 have scarcely changed since Victorian times. Its not likely this approach will last another 100 years. Werner Vogels, Amazon Web Services CTO, says, when it comes to cloud, were still at Day One a mark of how much change there is to come. Enterprises will look very different in 10 or 20 years and cloud computing is going to drive much of that change.

Max Cooter
Read more cloud comment from Max at www.cloudpro.co.uk

Enterprises will look very different in 10 or 20 years and cloud computing is going to drive that change.

www.itpro.co.uk