Keep a beady eye on your business's cloud service shopping

If you believe the hype, it is only a question of time before every Tom, Dick and Harriet in your organisation becomes a tech decision maker who can spend your company's money, with the power to do so a mere click away.

“Shadow IT”, the term emerging to describe the buying of IT and technology services without any central controls or processes, is fast becoming a reality as the scaleability and flexibility of cloud services strikes a chord with businesses of all sizes.

“People can go to a site, sign up to the Ts and Cs and subscribe to services with a credit card, bypassing IT. It is a reality,” says Carl Harris, business technology director at BCS, the Chartered Institute for IT.

But embracing cloud services in a way that is going to benefit your business is not just about producing your credit card and hoping for the best. The huge market in services and consultancy to help guide corporates through the minefield of cloud offerings is testament to that.

Traditional arts

Although cloud is a game changer, that doesn’t mean all the disciplines that governed IT in the past are redundant, whether that is writing code as efficiently as possible or planning procurement with the next five years in mind.

While some CIOs may hold their hands up in horror at the thought of delegating any responsibility for IT purchasing decisions, Harris believes that relinquishing some control can be very positive, as long as people are supported by an IT team.

“People identify an opportunity to use technology. It’s about operating within these boundaries and using IT as a partner to assist with the more complex technical components,” he says.

But Harris also warns that the convenience of cloud is so great that many of the best-practice procurement procedures have gone out of the window. There are numerous instances where the processes simply aren’t in place and technology is being introduced under the IT department’s radar.

That can not only be highly inefficient, with duplication of technologies already in place, but can also go against organisational standards and practices. It is a significant management challenge.

Conspicuous consumption

“Bill shock” is increasingly hitting CIOs as they open the invoice from their cloud service provider at the end of the month, to be confronted by a figure that bears no relation to the deal they thought they had signed up to.

“The flexibility of cloud computing can be a double-edged sword. People aren’t aware how much they are consuming,” warns Owen Rogers, senior analyst, digital economics at analyst 451 Research.

The most recent figures from industry body the Cloud Industry Forum suggest that cloud computing has achieved mainstream deployment in the UK, with 78 per cent of organisations formally adopting at least one cloud-based service. Turning your back on the cloud is not a realistic option.

In response to concerns that spend could spiral out of control as companies are continually charged for services they may not even know they are using, major cloud trusted providers such as Amazon Web Services (AWS), as well as third-party players such as Cloudability and Cloud Cruiser, have developed services to optimise application use and audit your cloud consumption.

At the same time, new pricing models have evolved as an alternative to on-demand which include volume discounting and pre-payment options that allow businesses to shell out up front for lower per-unit costs.

Optimising tools will tell you the best time to switch to these alternative schemes, according to Rogers.

“It’s a right palaver working out which scheme is better because you would have to work out past consumption and predict future use. The key is to understand your options,” he adds.

Amazon launched its Trusted Adviser service in 2013. This watches your AWS consumption and shows you how to save by switching off resources you don’t use. To date AWS has sent out 1.7 million notifications, giving customers about $300m in cost reduction.

Ian Massingham, technical evangelist at AWS, says: “We are not at all concerned about eroding our own revenues by recommending cost savings. We want AWS to be the most effective place to do it.”

Features allowing enhanced visibility and control of spend have actually been available for several years, although it is only now that they are being packaged up to meet the demands of users increasingly confident with the intricacies of cloud usage.

“We are at the beginning of mass adoption of cloud. Organisations are coming to us with traditional behaviours and processes and want the cloud to be part of it. It’s about establishing the right controls and processes,” Massingham says.

Discount store

In March Google introduced sustained-use pricing discounts, which automatically lower the price of virtual machines when you use them to run sustained workloads.

If you use a virtual machine in a month, you automatically get a reduction for the next month, with no long-term commitment or upfront fees. Discounts increase with use, so the more you use a virtual machine the bigger the discount.

“It is a powerful concept,” says Rogers.

Businesses can also be hit by other hidden expenses, notably bandwidth and storage, transaction and support costs. Checking to see what is included in your agreement could prevent some nasty surprises down the line.

Amid widespread ambiguity surrounding cloud services and what they offer, smart providers recognise the importance of being really transparent on such issues as reliability and cost.

Positioning IT as a real partner to the business, rather than an obstacle to be overcome, should go some way to reducing shadow IT

In the meantime, lack of standardisation in the provision of services and charging models can make it a minefield for business, Spelman warns.

Appropriately positioning IT as a real partner to the business, rather than an obstacle to be overcome, should go some way to reducing shadow IT, according to Harris.

“IT can’t be seen as holding the business back. That means working with the right stakeholders. You will lose control of your IT if you don’t work with the business and understand how it wants to use technology,” he says.

Dan Power, EMEA sales director of OneLogin, which provides single sign-on cloud services, says there is a need for a new conversation between IT and the lines of business.

"That conversation is about building up trust. IT needs to accept that,” he says.

“It needs to own the process of provisioning and de-provisioning of services, to report on usage of licences so you can buy the appropriate level of services and ensure that users are revoked when they leave.”

In many respects, cloud offers IT departments an opportunity to show just how invaluable they are.

“Some organisations really leverage technology. There’s a really good partnership between IT and the rest of the business and the CIO has earned his or her place on the board from both a business strategy and technology perspective,” says Harris.

Trust me, I'm IT

In particular, data security and the physical location of data are just two critical areas (see box) that, if they are not addressed with sufficient rigour, could leave your business with substantial amounts of egg on its face. It is worth remembering that the business relies on IT’s expertise to make the right decision.

Bringing all of those elements together in a set of standards for cloud procurement and communicating them to the organisation is key to getting this right.

“Companies should have a policy for procurement, and that should include cloud services,” says Ross Spelman, group service manager at information security specialist Espion.

He recommends having a single point of procurement, telling internal customers what is available and channelling efforts into checking the performance of apps.

“Remember that no cloud service provider is that interested in the context of your organisation or what is a priority. Take a risk-based approach, make risk assessments, identify what should and should not be moved and get assurances in place from providers before you move,” he says.

The rapid evolution of the cloud services market has not made assessing a provider any easier. Focusing on the number of its service users, its commercial plan for the service and its financial and strategic track record should give you some indication of long-term viability.

Bringing some of the old-school IT discipline to the new cloudy world is no bad thing. But discipline needn’t mean laborious processes or long-term contracts.

Short and sweet

Across the UK public sector, for example, procurement policy is moving away from reliance on large incumbent suppliers and long-term contracts, some of which have proved to be expensive and less productive than originally specified.

Procurement frameworks such as G-Cloud are now challenging the status quo. The Crown Commercial Service aims to assist buyers with a compliant and regularly updated framework to speed up the procurement process, allowing rapid access to innovative services at lower prices.

“We are seeing public-sector organisations exploring all options, which has brought about opportunities for new suppliers and smaller providers,” says Phil Dawson, CEO of Skyscape Cloud Services.

“Procurement must focus on the outcome not just on the inputs, delivering greater choice, value for money, innovation and successful project delivery, while ensuring due diligence when it comes to assessing security credentials is maintained.”

The emergence of standards across key areas such as security – for example, information security standard ISO27001 – is helping businesses navigate the minefield of cloud options and removes some of the risk out of the decision making process.

The Cloud Security Alliance’s STAR (Security Trust and Alliance Register) provides another independent assessment of the security offered by a cloud service provider.

However, while these schemes give some reassurance, for business-critical issues it is wise not to take anything at face value.

John Davis, managing director at BCSG, a cloud service provider for SMEs, urges businesses to conduct thorough risk assessments, including penetration testing of cloud applications to make sure there are no security loopholes. Turning to user-generated content can be a real eye opener and a useful part of the due diligence process, he adds.

“The democratisation of services thanks to cloud computing offers great opportunities to SMEs but you need to take sensible steps to sort the wheat from the chaff,” Davis says.

With everyone now wanting to get a look-in on IT services procurement, there is an argument for the IT department to morph into a broker of cloud services, with specific business departments or cost centres effectively paying for cloud services consumption.

“It gives end-users some democracy and gives IT an element of control if you can get such an internal broker model to work. But it is early days and the technical challenges are just the beginning,” Rogers warns.

“The sociological and organisational challenges are much bigger: who controls the usage, who will be able to run them and how much power will they have?

“And that will certainly require the business to engage with IT in a completely different way.” ®

Find out about the largest Amazon Web Services public sector cloud event in the UK here.