First, start by taking a broad look at the applications and other IT resources and systems under your “control” (both existing ones and planned ones); categorize them into mission-critical (i.e., if it goes offline your company will not “survive”) and non-mission-critical. Both mission-critical and non-mission-critical can be further sub-categorized into core business practices (those that provide competitive differentiation) and non-core practices (typically internal activities such as HR services, etc.)
Then apply the following rules of thumb:
1. If mission-critical and non-core, then the application is a good candidate for deployment in the public clouds
2. If mission-critical and core, then definitely keep it behind the firewall (you may choose to put them in a private cloud or non-cloud)
3. If non-mission-critical and non-core, then deploy in the public clouds
4. If on-mission-critical and core, then it's a good idea to keep it behind the firewall (you may choose to put it in a private cloud or non-cloud)
With these rule of thumb in mind let's take a look at some more considerations of good and bad candidates for Public Clouds.
Good candidates for the Public Clouds:
• Applications that are used by a group of mobile workers to manage their time and activity (like sales support and field service support applications, e-mail, etc.);
• Software development environments;
• Applications that require system hardware or software not normally used by your company's IT operations (you can save money on IT infrastructures that you don't use often);
• Applications that are run infrequently but require significant computing resources when run, like test and pre-production systems;
• Companies who want to have backup for critical applications are good candidates for both public and private cloud computing;
• Companies that have distributed server locations and data centers (you may be able to make more efficient use of servers and storage, lowering equipment costs, and also support your IT investment more efficiently);
Bad candidates for the Public Clouds:
• Applications that involve extremely sensitive data, particularly where there is a regulatory or legal risk involved in any disclosure, will require special treatment if they are to be run on a public cloud (get legal advice before committing any applications of this type to public cloud computing);
• Applications that require access to very intensive data workloads (for example, loading the database onto the cloud may be costly) as well as any performance-sensitive application (i.e., one that is very likely to create performance problems if it is to run on a public cloud)
• Applications that require high customization (e.g., customized SaaS)
You should conduct a feasibility study that engages legal, risk, and compliance officers to determine if cloud computing is appropriate with respect to laws and regulations your business is subject to.
Step 2 - Prepare Your IT portfolio for the Cloud
Second, prepare your IT portfolio for the cloud (can be somewhere in between cloud services and installed applications).
This could be anything from new assets, to the redeployment of certain existing assets or a complete rewrite of some existing applications (remember not all your current applications are Cloud-enabled: Service Oriented Architecture and Virtualized applications are better candidates) taking always in account the security, audit and compliance systems requirements, as discussed earlier in the “Cloud Computing Challenges and Risks” section. And of course if you take an insecure application to the Cloud (either public or private), it won't become automatically secure!
Next you need to find a vendor that meets those security, legal, and compliance requirements.
Step 3 - Key Questions to Ask Cloud Computing Providers
While reading this section, keep in mind that the exact security measures don’t need to be fully described by the Cloud Providers (nor should they, otherwise they may have security problems themselves) but the degree of security provided needs to be stated, then audited by you or by a trustworthy third party, so that you can be sure that the provider is doing what it claims to be doing.
These are some of the questions you should have answers to regarding your Cloud Computing providers, so that you can be confident that they are secure, collaboratively enabled, and compliant with applicable regulations:
• Where is my data and who has access to it? The provider’s access control and authentication procedures should be reviewed, and companies should find out if third parties have access to the information
• How is data being protected? Ask to review the service provider’s architecture to make sure proper data segregation is available; review their data leak prevention (DLP) deployment to prevent insider attacks; review the vendor’s data protection techniques to ensure appropriate cryptography is used for both data in rest and in motion; and make sure the appropriate documentation is available for auditors.
• Will you maintain the features we contracted? And what are the penalties?
• What's customer support like?
• How can I ensure that my data and the cloud services will continue to be available, in the event of the provider’s bankruptcy or change in business direction?
• What's the exit strategy?
Some links to information about Cloud Platforms, Providers and Enablers:
• List of Cloud Platforms, Providers, and Enablers: http://groups.google.ca/group/cloud-computing/web/list-of-cloud-platforms-providers-and-enablers
• An A to Z of Cloud Computing Companies in 2009: http://virtualization.sys-con.com/node/770174
• Research, Companies, Key Players and Platforms: http://www.cloudviews.org/2009/07/cloud-computing-briefings-about-research-companies-key-players-and-platforms/
Step 4 - Test, Deploy, Monitor and Measure ROI
One of the major benefits of Cloud Computing is the ability to test a concept relatively quickly and easily. Before making the final decision either to deploy or not to deploy (production phase) to the Cloud, you should perform full cloud integration tests. This may seem like a lot of work, but it's worthwhile because when you move a system into the cloud, you introduce a range of new variables that are beyond your experience and direct control, such as security, performance, etc.
Finally you should have monitoring systems so that you can measure the performance, as also continuing to measure the ROI. And remember this effort also takes extra time, capital, and human capital resources.
In the next article, I will give some more recommendations and also present a kind of summary of all the previous articles:
- Cloud Computing, in Plain English, to IT Directors, VP's, CIO's and CEO's
- Why Should IT Directors, VP's, CIO's and CEO's Care About Cloud Computing?
- Cloud Equals SaaS, Grid, Utility Computing, Hosting...?
- What Exactly is Cloud Computing?
- Why Large Public and Private Sector Organizations (not just SMB's) Are Seriously Considering Cloud Computing?
- What are the Cloud Computing Challenges and Risks? (Part 1: Cloud Security Advantages!)
- Cloud Computing Challenges and the Delicate Balance Between Risks and Benefits (Part 2 of 2)
- Real-World Cloud Computing Applications
Thanks, and please let me know how can I help you.