by Ralph Glatz

Introduction

Cloud computing has now been available for several years. The maturity of cloud technologies and their adoption rate have accelerated significantly in recent years. Cloud solutions have brought some fantastic benefits and agility to the delivery of solutions; for example, infrastructure can be provisioned in the cloud in minutes. In Seven Consulting’s experience, though, many cloud-based projects require remarkably similar risk mitigation steps to ‘non-cloud’ projects. It is also necessary to be aware of some significant differences, as the importance of some risks increases in cloud-based projects. But before I explore some of the similarities and differences, let’s clarify some basic cloud computing terminology.

What is Cloud Computing?

Cloud computing is the delivery of on-demand computing services – from compute power to storage and applications – typically over the internet and often on a pay-as-you-go basis. Responsibilities are shared between the cloud service provider and cloud service consumer:

  • Infrastructure-as-a-Service (IaaS) involves a method for delivering infrastructure i.e. servers and storage through IP-based connectivity as part of an on-demand service. Clients can avoid the need to purchase hardware and operating systems, and instead procure these resources in an outsourced, on-demand model. Popular examples of IaaS services include Amazon Web Services (AWS), Microsoft Azure, Google Cloud, IBM Cloud, etc.
  • Platform-as-a-Service (PaaS) is a platform for creating software that is delivered via the internet. Examples are Application Services, Azure Search, AWS Elastic Beanstalk, Heroku, etc.
  • Software-as-a-Service (SaaS) involves the licensing of an application to customers. Licenses are typically provided through a pay-as-you-go model or on-demand. Most of us are very familiar with SaaS offerings such as Microsoft Office 365, Salesforce, Dropbox, Cisco WebEx, etc.

Picture 1 illustrates the shared responsibilities in the different cloud computing models compared to on-premise.

Picture 1: Management of application stack components

We have all heard about public, private and hybrid clouds, but what are the differences?

  • Public clouds provide their services on the internet. These are operated by cloud providers, who handle and control all the hardware, software and the general infrastructure. Clients can access services through accounts.
  • Private clouds are reserved for specific clientele, usually one business or organization. The firm’s data centre may host the cloud computing service. Many private cloud computing services are provided on a private network.
  • Hybrid clouds are, as the name implies, a combination of both public and private cloud services. This type of model allows the user more flexibility and helps leverage the user’s infrastructure and security.

Picture 2 illustrates some of the key advantages and disadvantages of public, private and hybrid clouds.

Picture 2: Differences between public, private and hybrid clouds

Some key risks to be managed when delivering cloud solution projects

In its delivery of cloud-based projects, Seven Consulting has experienced several areas where cloud-based projects differ from on-premise solutions and which need to be considered and addressed to deliver sustainable benefits.

Network Capability and Performance

In ‘on-premise’ based projects, the challenge of network performance typically relates only to end user connectivity and performance, since the network connecting processing and storage is high performance and co-located within the data centre. Cloud services, however, are accessed remotely, typically via the internet, are sometimes located in a different geography, and may be separate from the other services that make up an ‘end-to-end’ solution, so network bandwidth and reliability are essential.

In one example we had a project where many end users experienced service issues after being migrated from ‘on-premise’ to applications hosted in the cloud because internet speeds were inadequate at times. There was nothing wrong with the cloud solution we delivered, but the Software as a Service could not be delivered as expected until internet capacity and speed were upgraded by the internet service provider (ISP).

Mitigation: A comprehensive network capacity analysis must be undertaken as part of the solution design phase in cloud-based projects, including commitments by the ISP to meet the required internet capacity and speed at all times.

Data sovereignty and jurisdiction

Unlike ‘on-premise’ solutions, which are bound by the limitations of your data centre, public and hybrid cloud solutions offer the opportunity to provide services without needing to know where those services store data. Cloud solutions scale across multiple data centres / regions around the world easily and at minimal cost. However, data sovereignty and jurisdiction are areas that have caused some organisations considerable regulatory and reputational issues when deploying cloud solutions.

Data sovereignty becomes important when an organisation’s data, for example customer details, is stored outside its own country and is subject to the laws of the country in which the data resides. The main concern with data sovereignty is maintaining compliance with privacy regulations and keeping foreign countries from being able to subpoena data.

Cloud providers have responded by offering solutions that allow organizations to determine where data is stored (if not the actual data centre, then at least the region). Still, data sovereignty is an area that must be given appropriate consideration right from the beginning of a project to ensure regulatory and stakeholder needs are considered and met by the adopted solution.

When I led the delivery of a solution used by a bank’s global customers, we had to satisfy the requirements of some 34 regulators. This was a lengthy and ultimately critical path process due to a number of unexpected challenges such as regulators’ risk appetite for cloud solutions, country policies regarding data location, different bureaucratic processes in each country and the relationship between the cloud provider and the country in which end users would consume the services.

Mitigation: Data sovereignty is an increasingly challenging aspect of cloud solutions. Most cloud providers have published country-specific compliance documentation for their cloud solutions. However, because compliance is a shared responsibility, you need an understanding of the regulatory frameworks applicable to your specific solution, and your project plan must include detailed activities to obtain regulatory compliance certification, with adequate time allowed, to ensure you launch a fully compliant product or service.

Security

In all technology-based projects the delivery of an adequately secure solution is a mandatory requirement to be planned for. In public cloud-based solutions, you are using infrastructure and services that are shared with many other unknown consumers of cloud services and are typically not under your control. When cloud solutions initially emerged, security concerns resulting from sharing and loss of control were a key barrier to adopting cloud solutions for many organisations. Since then cloud providers have done an enormous amount of work to address customer concerns. Today cloud solutions can be as secure as ‘on-premise’ solutions, if not more so. However, to achieve this it is important to note that security and compliance are a shared responsibility between the cloud provider and the customer, depending on the cloud service and consumption model being used (refer to Picture 1). As a minimum the IaaS cloud provider is responsible for protecting the infrastructure that runs all the services offered in the cloud. This infrastructure is composed of the hardware, networking and facilities that run cloud services. The customer is solely responsible for operating system and application security, including controls to ensure data privacy, protection and encryption. In SaaS solutions the cloud provider provides security for all elements of the cloud solution.

Mitigation: Cloud-based projects need to ensure that the organisation establishes robust processes and procedures, including commercial terms, to meet security and compliance requirements when operating in a shared responsibility model. Activities must be adequately reflected in the cloud-based solution project plan.

Service and operational management

Service management processes and tools such as monitoring, back-ups, etc. can become more complex should your organisation adopt a hybrid (transitional) environment, and the complexity of cloud service management should not be underestimated. As noted above, cloud services are accessed via the internet. Therefore, service and operational management processes must include the cloud providers and ISPs that are essential to delivering the end user experience.

At a state government agency, we had to align existing Service Level Agreements (SLA) to incorporate the SLAs cloud and internet service providers offered to us.

Mitigation: As many cloud providers have global SLAs, the existing SLAs an organisation has with its customers may need to be adjusted. Ensure the SLAs being offered as part of cloud solution projects are considered and adjusted as an activity in the cloud-based project plan.

Regression testing

Cloud solutions operate at scale through standardisation (patterns), and customisations are usually not supported. This enables cloud companies to provide consistent services as well as to add features and apply maintenance updates frequently. Updates are frequent, often weekly as opposed to monthly or even quarterly for traditional systems, and may be applied with limited (if any) dialogue with the customers of the services. This has caused many organisations considerable difficulty in keeping up with regression testing of their systems, especially in hybrid cloud solutions where the end-to-end services provided to their companies’ users need to be tested.

Mitigation: Ensure the project establishes processes to support the frequent regression test cycles that cloud solutions require, including a process to determine the adequate level of regression testing.

Resources

The rapid and large-scale adoption of cloud services is leading to a significant shortage of skilled cloud technology resources. Therefore, a realistic skill assessment before you embark on a cloud project is essential to ensure your company has enough skilled cloud resources (internal and external, i.e. suitable partners) available to deliver projects and expected benefits.

You will also need to ensure your company has the commercial skills and capabilities to manage cloud providers in accordance with SLAs. Because cloud solutions are offered as services – often by global providers with standardised SLAs – commercial skills are essential to extract maximum benefits. The skill set needed to manage those (global) providers differs significantly from the skills needed to successfully deliver traditional solutions.

Mitigation: The skills required to deliver cloud-based projects may place less emphasis on technology implementation skills compared to integration, commercial and of course strong Project Management capability to ensure both internal resources and external partners (cloud provider and their partners) operate effectively and efficiently and work towards one plan to deliver a successful cloud-based solution.

In our experience cloud projects have similar yet significantly different challenges compared to ‘on-premise’ solution deliveries. Like ‘on-premise’ based projects, cloud-based projects require strong Project Management capability to ensure project risks are adequately managed and that the benefits expected from cloud-based solutions are delivered and can be realised.

I trust this article provides you and your organisation with some critical insights to be considered in order to deliver sustainable and impactful cloud solutions.