Cloud Computing is no longer an option, but a reality in the IT landscape of almost all organizations. At the same time cloud computing has a lot of variants and choices. These choices are relevant for the IT strategy, and in some cases even the company strategy.

This article outlines in a step by step way the most important questions that you can ask to come to the right cloud strategy.

The first question is: what to expect of cloud computing? Which business improvements do you aim for? Cost advantage? Agility? Mobility? Innovation? If you don’t have a clear idea on this, it may be sensible to first dive into cloud characteristics, models, options and alternatives.

The next question to ask yourself is this: which IT applications and functionality are the most important ones for your organisation? What is most needed in IT, now and in the future? Is that e-mail, ERP, CRM, a big website, or something else?

With this overview, you can ask yourself the central question, the one question that has a fundamental impact on your strategic cloud choice. And that question is: are these important applications unique for your organization? Do they make the organization into what it truly is, are they nowhere else to be found, are they of vital importance?

If the answer to this question is ‘no, these applications are not uniquely important to my organisation’, this means that the core competence of your organisation is not in IT. That is not a bad thing, you can be a very successful 5 star restaurant, or a manufacturer of advanced pumps for the process industry, without having unique software. In that case, having your own hardware is senseless, in the long run. It may take a while for the software market to realize this, but you are ultimately a SaaS ‘consumer’.

Star restaurant or not, as a ‘SaaS consumer’ the most important IT competence is selecting and implementing SaaS offers. Depending on the type of company this also requires quite a bit of IT competence, but that will be the topic of a later article.

If the answer is: ‘yes, my software is very unique, i cannot get it elsewhere’, then new opportunities arise. Your software and the associated data is a ‘strategic asset’. It would be a waste to only use it for your own company. There are probably other organisations who could also benefit from this software. If you are not directly competing with them, you could be their SaaS provider.

You should also consider giving your partners in the supply chain (customers, suppliers, etc) access to that software to enable them to do their work better, and to generate new business. This is in line with the practice of certain insurance companies: they give their agents direct access to their policy database. It is even thinkable that there are start-ups that would love to innovate with that strategic software. Procter and Gamble, for example, has opened up its research database to enable innovation by outside companies. As a result the percentage of patents that are actually used in products has risen from 10% to more than 50%. As early as the 1960s, American Airlines set up the SABRE flight information and reservation system that was used by travel agencies and other airlines.

My proposition is this: if you have strategic software assets, you also want to be a cloud provider for that software.

So, as a provider of software services (SaaS), what are your strategic options? Unless you have a substantial and constant workload it is not very sensible to purchase a lot of servers and associated hardware. The more obvious approach is then to procure your servers in an IaaS model (Infrastructure as a Service). This has the disadvantage that your system administrators, in collaboration with your software developers have to have substantial expertise in software scalability. You will have to deal with choices around multi-tenancy architectures, and detailed capacity and performance management. It may be worth your while, but there are quite a few alternatives these days.

Instead of IaaS, you can also focus on a PaaS (Platform as a Service) strategy. Scalability of the architecture is then no longer an issue for the developers. One disadvantage of this strategic choice is the potential for ‘vendor lock-in’ if the software is not easily ported to a different PaaS provider. This will then be something to address in the software architecture.

An example of this approach is the website that was built in 2011 for the British Royal Wedding. It was developed and deployed on Google App Engine. The scalability of the website was very important, and could be guaranteed easily with this design choice. For a website of this type, vendor lock-in is also not very hard to avoid. Most of the content is fairly static, functionality is limited, and the lifetime of the website is also short.

A few other strategic design choices for the cloud provider have to do with the degree to which services of other cloud providers can be used. For starters, you can ask yourself if you want to go to market all by yourself, or that you want to work with a ‘broker’ who includes your service in his portal (which is like an app store). That too has implications for your software architecture, because the portal can assume some of your functionality, like customer registration.

Finally, once again, it is a good idea to ask yourself which part of your functionality is truly unique. As an example, if you are a start-up companies it does not appear to be very distinguishing to develop your own software for helpdesk, payments and identity management.

In summary, cloud computing offers a lot of opportunity for setting up IT and positioning an organisation for a bright digital future. But doing it all by yourself is only rarely the best plan..

Interested in finding out more? Find yourself a relevant cloud training or workshop, or contact me directly.

The Dutch CSA chapter has a plan to address the number one concern of organizations using cloud: “can we trust our provider?”.

The CSA (Cloud Security Alliance) has developed a number of tools to address that situation. Our plan is to test these tools in practice, and record the experiences for inclusion in a “best practices” paper.

The main CSA tools are combined in the so-called CSA GRC stack (which stands for Governance, Risk management, and Compliance).

The “Security guidance for critical areas of focus in cloud computing v3.0” is the underlying body of knowledge for the GRC stack. We typically refer to this document as the ‘CSA guidance’.

The first component of the GRC stack is the CSA Cloud Controls Matrix (CCM). These controls are largely based on the recommendations of the CSA guidance.

The CCM is called a matrix, because it cross references other assurance frameworks such as PCI-DSS (payment card industry) and HIPAA (Healthcare).

The CCM can be used as a framework to give assurance to cloud customers. To make this process more efficient, CSA has introduced a number of additional tools. One of them is the CAIQ (Common Assessment Initiative Questionnaire, pronounced ‘cake’) which is a standardized list of questions to use to evaluate cloud providers. Each question in the CAIQ corresponds to exactly one control in the CCM.

Cloud consumers can take the CAIQ as a basis, select questions from it, add their own questions, and submit it to a number of cloud providers.

The smart move for a cloud provider is to pre-answer the CAIQ, and publish the results. This is the ambition of STAR (Security Trust and Assurance Registry), which is also a CSA initiative. And it does not stop there, beyond this there is Cloud Audit and the Cloud Trust Protocol. These products are in development and aim to go further by automating parts of the assurance process.

STAR is planned to have multiple levels:

• Level 1 is Self-Assesment, based on a provider report following either the CAIQ or the CCM.
• Level 2 is Third-Party Assessment, where the idea is to use the requirements of the ISO/IEC 27001:2005 management systems standard integrated with the CSA Cloud Control Matrix (CCM) and an organization’s own internal requirements or specifications to assess how mature their systems are.
• Level 3 is a Continuous Monitoring based certification. This is currently under development.

These three levels are collectively referred to as the Open Certification Framework (OCF).

Our ambition is to do a number of case studies in applying the CCM and CAIQ. These case studies would preferably cover at least a provider and a financial business (bank or insurance firm).  For providers, this could lead to an actual STAR entry with its associated benefits.

Some of the expectations are:

• The CCM will be a better fit for cloud services than other assurance frameworks
• Assurance frameworks such as the CCM will lead to lower costs for consumers and providers because audit costs will be lower.

Some of the research questions are:

• How is the coverage of the CCM in relation to assurance requirements, what else do you need?
• How much work is it to fill in the CAIQ?
• How do you experience value in CCM/STAR/CAIQ?

Currently we have started to work with a number of IaaS providers who are interested in exploring better assurance. If you are interested you could still be part of this initial group. Just contact us.

Just to let you know that I created a brief note about 5 organisations that got value from using cloud computing.

It is brief, but explains the main business reason and how they did it.

Examples include profit and nonprofit businesses, public cloud and private cloud.

You can get immediate access to it by filling in your e-mail address in the box on the right.