An ITAM View into Cloud Computing – A Look at the Issues Cloud Models present to IT Business Management

By Jenny Schuchert, IAITAM

 

It seems a short time ago that we were trying to define the marketing invented term “cloud computing” from a practical perspective.  The confusion came from the conglomeration of technologies called cloud and the massive media attention pushing executives to adopt the cloud as the next greatest thing without really defining which elements of the amorphous cloud they were talking about.  It is no wonder that a 2012 survey conducted by Wakefield Research and commissioned by Citrix found that 95% of those who thought that they were not using the cloud actually were and that 14% of the respondents confessed to pretending to know what the cloud was during a job interview. [1]

 

However, enthusiasm for the change to the cloud was high in the results from that same 2012 Wakefield Research survey:

  • Three in five (59%) believed the “workplace of the future” will be entirely in the cloud
  • 40% agreed that regularly accessing work information at home would be an advantage
  • More than 1/3 agreed that the cloud allowed them to share information with people they’d rather not be interacting with in person (what a question!)
  • After being provided with the definition of the cloud, 68% recognized its economic benefits [1]

 

Since that time, most have become familiar with the use of cloud providers as an alternative or companion to internally-managed IT and are working in an organization using some aspects of the cloud.  The 2015 RightScale survey of 930 technical professionals found that 88% of respondents were using the public cloud and 63% were using a private cloud.  Recent success of hybrid cloud usage is seen in the 82% that reported the organization had a hybrid cloud strategy, an increase from the 74% reported in the previous year’s survey.  However, the survey results did pinpoint that the volume of applications in the cloud was still small with 68% of the organizations running less than a fifth of their portfolio in the cloud [2].

 

Despite the growth in use and understanding, cloud computing choices continue to challenge organizations.  Review of commonly marketed cloud environments and the general models of cloud strategy is a good foundation for the IT Asset Manager whose workload has expanded to include the business management of cloud technologies.

Marketed Cloud Service Models

The definition of cloud computing includes having on-demand access [3] and it makes sense to group vendor offerings into categories based on the style of service being provided.  Some of the most common service models are discussed in this section, although many variations are being offered.

 

SaaS

The easiest to implement and most accepted cloud service model is Software as a Service (SaaS) which uses a services contract with a subscription as the norm rather than a software license.  (The term “user license” may be used which may cause confusion about the rights and responsibilities as it does not designate a typical copyright entitlement.)  With SaaS, while the subscription is valid, the employee has the right to receive the service or “to use the system.”  Controlling the proliferation and termination of these subscriptions is the chief organizational financial concern for this cloud offering.

 

Major data concerns that surround SaaS are:

  • Securing access while in use and in storage
  • Ensuring access to that data as needed and at termination of the subscriptions
  • Understanding the legal issues related to ownership and access to that data

 

While the cloud provider usually provides basic security for SaaS, the organization typically remains responsible for that data unless there is specific contractual language that broadens the scope of the cloud provider’s responsibility.

 

SaaS may be an easy choice, but organizations need to consider how the product will be used, by how many and for how long.  Since the product is not purchased, the organization will continue to pay for the product for as long as it is in use and in some cases, it may be much more expensive over time to use SaaS even when the costs of physical installation and management are calculated in.

 

Common pricing models for SaaS include tiered pricing and consumption-based pricing.   Premium functionality, extra products or customization frequently add significantly to the cost of the SaaS.   The business model called freemium may be used with SaaS.  Familiar in the consumer market, it offers a subset of services for free to create a low bar for trying their services.

 

IaaS

Infrastructure as a Service (IaaS) became popular at the same time that the data center became highly virtualized.  The cloud vendor provides basic cloud computing resources such as networks and storage.  The customer organization typically deploys the operating system and applications with licenses that specifically permit the use of the products in an IaaS model (where the devices are owned by the cloud provider).  The organization is also responsible for protecting the deployed operating systems, applications and the data.  The cloud provider is responsible for protecting the infrastructure.  [4]

 

Pricing is based on the services and devices used such as setting a price per hour by operating system and server configuration.  The pay-as-you-go pricing model is typical.  In addition to pricing schemes and rates, IaaS cloud vendors differ in:

 

  • Management functions
  • Identity management
  • Monitoring
  • Contractual language in the SLA
  • Customer support [5]

 

 

PaaS

A third common cloud strategy is the Platform as a Service (PaaS) where the cloud vendor provides only the platform.  Aspects of the service management are managed by the cloud vendor.  The customer organization builds and manages their own applications and is responsible for the security of those applications and the data. [4]  This cloud choice is frequently used by software developers working on mobile or web applications. [6]  When choosing a PaaS provider, “…take into consideration the programming languages and server side technologies the vendor offers along with the data storage options.  Support for developer tools and applications integration is also very important as you need to consider how your application in the PaaS will integrate with other applications.  Finally, consider the costs of running your applications in a PaaS and evaluate how the pricing model of the vendor you choose works.” [6]

 

Choosing any of these cloud models depends on characteristics such as:

  • Difficulty of the transition and investment required
  • Estimate of possible savings compared to internal installation (especially over time)
  • Degree of customization or premium products required
  • Amount of flexibility needed (such as significant variability in demand)
  • Availability requirements
  • Visibility through monitoring, reporting, etc.
  • Ease of handling multiple access points such as smartphones, tablets, laptops
  • Level of control desired
  • Risk factors including governance but currently dominated by data security issues
  • Costs and complexities at time of termination

Cloud Deployment Models

Cloud computing options are all pools of configurable resources [3] but differ in whether they are limited to a single organization (private), able to be shared with other customers of the cloud provider (public) or a combination of these models (hybrid).  As the cloud providers advance their technology and options while competing for our business, terminology will continue to be used inconsistently just as IT Asset Managers have seen with licensing models.  In this section, the major deployment models are presented along with some of their characteristics and issues.

 

Private

Private cloud resources are available to a specific organization only.  Private clouds have been a popular concept as the transition to a private cloud is considered the least disruptive infrastructure.  It is important to clarify that a private cloud does not have to be on-premise at the organization.  On-premise is an option for a private cloud but third party cloud vendors may also provide this environment.   Recently, feedback on private clouds has been poor, with some pointing to the difficulties of using a specific product (OpenStack) to create the private cloud and others pointing out that an on-premise private cloud might suffer from the same lack of elasticity of resources that limits the data center. [7]  Also, some environments have been labelled as a private cloud when they are actually just a highly virtualized environment.  The best summary of criticisms is the top ten list from a Gartner blogger explaining why the private cloud projects haven’t produced as expected.

 

The top ten reasons (in no particular order) that private clouds are failing are:

  1. Focusing Exclusively on Operational Benefits:  Thinking private cloud is an internal IT project only.
  2. Building the Wrong Expectations – or None At All: Business case and metrics are key.
  3. Defending IT: Building “private cloud” to protect IT’s turf.
  4. Doing Too Little: Often, private cloud really means virtualization, with maybe some automation
  5. Doing Too Much: Putting in everything including the kitchen sink. Optimized for everything, so it is optimized for nothing.
  6. Focusing Strictly on Infrastructure: VMs are not enough – something’s got to run inside them.
  7. Failure to Change the Operational Model: Jamming cloud into your existing process model and org structure ain’t gonna work.
  8. Failure to Focus on People: Your staff can be your biggest supporters, or your biggest roadblocks. Google the possible etymology of the word “sabotage.”
  9. Failure to Change the Funding Model: When you build a drive-thru service model, you better get paid first.
  10. Using the Wrong Technologies: Choices, choices – what’s tactically right might be strategically wrong. [8]

 

Public

In contrast, the public cloud remains the media darling and is seen as the wave of the future.  This multi-tenanted access to applications and storage over the internet is expected to deliver the best scalability, agility and costs.  However, the data access and security issues described earlier are the most problematic in a public, multinational setting.  Specific national requirements from privacy and data ownership laws must be part of the negotiations when choosing a global public cloud provider.   In some countries like the US, privacy laws and requirements are part of industry-specific requirements like health care or credit card usage.  In other countries, laws are written without regard to the industry, but to the content of the data.  There are also legal restrictions in some countries regarding where certain types of data can be physically located (where the cloud vendor has facilities) specific to nation.

 

From the adoption perspective, public clouds represent the largest transition for the organization with the highest degree of unfamiliarity and perceived risk factors (financial and governance).  The organization has a lack of control in the public cloud that increases the need for monitoring and access to that information.  These concerns are addressed by the continual improvement of the offerings and the increased experience organizations have in contracting and governing within these new models.  Software contracting in the public cloud can be quite frustrating as software pricing models often rely on characteristics of usage that are difficult if not impossible to gauge in the agile, elastic cloud. [9] That elasticity of the cloud options is supposed to be a major factor in the savings to be accrued and unmatched by the less flexible data center, but it is a problem for software pricing models.  Certainly, the per-user style of SaaS can reduce some of those problems, but other scenarios remain complicated.

 

Hybrid

The hybrid cloud is a cloud system consisting of two or more different cloud infrastructures that are united in providing cloud services such as dynamic reallocation of resources.  Hybrids allow organizations to weigh issues such as need for security, governance restrictions, usage and criticality of access at the application level.  Hybrids may be the long term solution, allowing the organization to grow cloud usage over time, choosing the cloud model appropriate to a specific application and with the control and security appropriate for the data associated with that application.

 

Despite the advantages that the hybrid’s variability brings to the organization’s IT requirements, the complexity undoubtedly brings management challenges with it.  Diligent attention to the business aspects of IT is particularly important to the organization to avoid unnecessary expenditures.

 

Other

NIST defines a fourth type of cloud deployment called a community cloud.  This deployment model is shared between several organizations and may be on-premise at one or more of the organizations or provided by a cloud vendor.  [3] This deployment model is easy to imagine between government agencies or other affiliated organizations.

 

Benefits Anticipated

A large percentage of businesses that turn to cloud computing do so with an expectation of saving money; to be more cost effective in running the business.  Instead of owning everything necessary to fulfill all needs and carrying the staff to support those needs, organizations choose pay-as-you-go services, an operational expense that is hopefully a reduced overall cost.  The advantage of not having to purchase in advance and suffering through the disruption of major changes have savings that are appealing.  However, organizations have to consider the size of their organization when contrasting opportunities.  For instance, a large organization’s IT may be able to compete or beat the costs of a cloud provider. [7]

 

For other organizational executives, cost reduction is secondary to the benefits of modernization and increased functionality such as rapid mobility handling and easier access to the latest and greatest technologies.  Competitive advantages are anticipated from these services.

 

The geographically disbursed organization has the added incentive of fostering collaboration between employees regardless of location.

 

Scalability, greatly desired and difficult to offer in the data center, has driven organizations to the cloud.  Compared to the disruption of scaling up and the expense of it within the organization, the cloud provider business model can offer more reasonable rates. [10]

 

While benefits are real, expectations need to be realistically set and based on the specific deployment model chosen.  Monitoring and evaluating the overall costs is as important in the cloud environments as it has been within the IT department.

 

Complications:  Taxes

 

Cloud computing has been a major wrinkle in the way nations, states and local governments collect taxes on business use.  The reliance on the physical location of the business or the customer has been an issue since the Internet, but it is exacerbated by cloud computing.  During this transitional period in the digital economy, tax laws are changing frequently and inconsistently.  As a consequence, organizations are not aware of their tax liabilities when making cloud computing choices and even cloud providers may be missing out on tax incentives offered for investment in the cloud. [11]

 

According to an Ernst and Young white paper, organizations are going to need to ask the right tax questions from country to country and then use that information to structure their cloud-based operations.  [12] Those questions need to include finding out who is responsible for collecting and remitting the tax (the organization or the cloud provider).   The tax term for this obligation is “taxable nexus” which includes some calculation of the amount of activity within a specific country or state.  The use of the nexus in laws is inconsistent and subject to change, so asking questions about who is responsible is a necessity.  One possible scenario is described as:  “If the vendor has nexus in the state and the cloud service is taxable in the state, it should collect the sales tax. If not, the consumer will be responsible for self-accruing and remitting.”  [13]

 

Examples of additional questions to address during selection and negotiation with a cloud provider include:

  • Has the discussion and documentation covered country, state and local taxes?
  • Has the discussion and documentation included indirect (such as VAT) taxes as well as direct taxes?
  • Is there a tax nexus and where is it?
  • How will the relationship and responsibilities adapt as tax laws and regulations change?
  • What steps can we take to monitor that the provider is complying with agreed-upon tax handling? [12]

 

Although the IT Asset Manager is not expected to turn into a tax expert, there is concern that organizational tax professionals may not have sufficient experience with the cloud to understand the tax implications.  It might make sense to ask general questions to start the discussion.  KPMG’s Reid Okimoto mentions some good questions that ITAM could ask the seller of the cloud service:  “‘Are you charging sales tax or not?’  If the answer is no, the next question is, ‘Why not?’ It could be either that the provider does not have nexus or that the service is not taxable.  This answer makes a difference to the consumer.” [13]

 

Complications:  Legal Matters

Along with new tax issues, new complexity is added to legal issues when using cloud computing.  The nature of cloud computing makes it difficult to determine who has the authority to act which is similar to the tax problem of who has the authority to tax.  This jurisdictional problem will have to be worked out as incidents occur.  There are proactive steps that can be taken, mainly being aware of the major problems, questioning the cloud provider about the issue and developing contractual language to delineate responsibilities and actions.

 

Some of the legal topics that surface with cloud computing include:

 

e-Discovery:  Gaining access to an organization’s data in order to respond to a court order may be unexpectedly difficult when data is in the cloud.  Issues have been reported about gaining access in a timely manner and in the right format before the deadline.  The recommendation is to again ask questions of the cloud provider and document the responsibilities in the contract.   As a reference, there is a Computerworld article that outlines the potential issues (like opposing attorneys limiting access to your data) and offers a list of questions to start the discussion with your cloud provider.  [14]

 

Data Privacy:  As mentioned earlier, there are many laws that address the requirement for privacy of individually identifiable information while in the possession of the organization.  The most common examples are laws regarding health care privacy and PCI laws although there are laws in some countries that address digital identifiable information in general.  These laws require specific actions to avoid potentially steep fines, negligence suits and consequences to the reputation of the organization.  The use of encryption is one tool that builds compliance and organizations should investigate all of the data security issues and possible solutions.  Keep in mind that depending on the services model, the cloud vendor is not always the responsible party.  Contractual language after extensive due diligence is the best choice for governing data privacy.

 

Data Breach Notification:  When a data breach does occur, laws frequently specify the actions that need to be taken, the reporting time frame required and exact consequences if those actions are not taken.  The complexity of the cloud adds additional layers to navigate to uncover a data breach as well as concerns about to whom the incident is reported.  Who decides on the best steps to diagnose the security gap and informs the customers?    In some cases, the cloud provider will notify the impacted customers; in other cases, that responsibility belongs to the organization.

 

Export Control:  Certain types of data have been identified by governments as essential and not to be stored outside of the home country.  With cloud computing, it is common for the cloud providers to have a presence (and their customer data) in numerous countries.  In this circumstance, the solution to be chosen by the organization will have to be able to meet that location requirement.

 

Summary

For the IT Asset Manager, this review of cloud computing exposes the issues that IT Asset Management practices can help address – such as the importance of all of Software Asset Management’s processes!   It has been said that with the cloud, the IT Asset Manager needs to be seen as the business manager or money manager of IT.   Regardless of the cloud computing choices made by the organization, the financial and contractual management requires just as much diligence as before.  That means that whether that management reduces disputes on usage with a software provider, ensures access to data in the cloud contractually or helps eliminate unnecessary expenses such as unused subscriptions, IT Asset Management is an important part of those successes.

 

Everything IT Asset Managers have learned from alternatives to purchase in the past are relevant such as taking the broader view that includes the entire lifecycle of the usage into account.  With the cloud, we are continuously spending money to secure the use of services and environments.  This is a rental model and has to be assessed carefully for the long term implications of always paying out for the services whatever the organization’s financial position is or the strength of the economy.

 

The role of the IT Asset Manager as a communication bridge between the technical understanding and the legal, financial and user aspects is even more important as organizations wade through the unfamiliar territory of this generation of technology change.

 

References:

 

[1] “Most Americans Confused By Cloud Computing According to National Survey,” Oct 28, 2012, http://www.citrix.com/news/announcements/oct-2012/cloud-confusion-survey.html

 

[2] Download the 2015 State of the Cloud report from Rightscale at  http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2014-state-cloud-survey#Next-Generation-IT-Shapes-Up

 

[3] National Institute of Standards and Technology Special Publication 800-146, Cloud Computing Synopsis and Recommendations, http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf

 

[4] “Monitoring Security in Cloud Environments,” Michael Cobb, Information Week Dark Reading Reports, March, 2015, http://reports.informationweek.com/

 

[5] “IaaS Providers List: Comparison And Guide,” Dan Sullivan, Feb 14, 2014, Tom’s IT Pro, http://www.tomsitpro.com/articles/iaas-providers,1-1560.html

 

[6] “PaaS Providers List: Comparison And Guide,” Dan Sullivan, Jan 31, 2014, Tom’s IT Pro, http://www.tomsitpro.com/articles/paas-providers,1-1517.html

 

[7] “Private cloud’s very public failure,” Matt Asay, Tech Republic, Feb 10, 2015, http://www.techrepublic.com/article/private-clouds-very-public-failure/

 

[8] “Why Are Private Clouds Failing?” Tom Bittman, Gartner Blog, Sept 12, 2014,  http://blogs.gartner.com/thomas_bittman/2014/09/12/why-are-private-clouds-failing/

 

[9] “Everything you need to know about cloud in just one tweet,” Matt Asay, Tech Republic, March 12, 2015, http://www.techrepublic.com/article/everything-you-need-to-know-about-cloud-in-just-one-tweet/

 

[10] “10 reasons we’re still talking about the cloud,” Barclay Ballard, April 8, 2015, http://www.itproportal.com/2015/04/08/10-reasons-still-talking-about-cloud/#disqus_thread

 

[11] “KPMG Survey: Companies Remain Lost When It Comes To Tax And The Cloud,” KPMG Press Release, April 9, 2014, http://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Press-Releases/Pages/KPMG-Survey-Companies-Remain-Lost-When-It-Comes-To-Tax-And-The-Cloud.aspx

 

[12] “Cloud taxation issues and impacts,” 2015 edition, Ernst and Young, http://www.ey.com/Publication/vwLUAssets/EY_-_Cloud_taxation_issues_and_impacts/$FILE/EY-Cloud-taxation-issues-and-impacts.pdf

 

[13] “FAQ: What you need to know about cloud computing’s hidden tax hit,” Ellen Messmer, Network World, May 6, 2013, http://www.networkworld.com/article/2166019/cloud-computing/faq–what-you-need-to-know-about-cloud-computing-s-hidden-tax-hit.html

 

[14] “E-discovery in the cloud? Not so easy,” Tam Harbert, Computerworld, March 6, 2012, http://www.computerworld.com/article/2501989/cloud-computing/e-discovery-in-the-cloud–not-so-easy.html

About Jenny Schuchert

Jenny Schuchert is the Content Director for IAITAM