There are generally three steps to moving into a cloud-based service model. The first of these is classifying what your current information services actually are. It is not enough to leap into the cloud without understanding your own services: just jumping in is going to cost you money, set unrealistic expectations, and most likely end in a less than pleasant experience. The process of evaluating cloud as an option for your business is similar to evaluating outsourcing, and it requires a degree of maturity within your ICT organisation before engaging. Basically, you need to know what it is that you deliver and how important it is before you can expect to engage a cloud provider to give that service back to you.
Classifying your information services is the process to “understand the function and value of the organization’s data and the risks to the organization if they are lost or compromised.”*
Gathering this information, if it doesn’t already exist, can take a reasonable period of time. Effectively every ICT service that is delivered needs to be categorised in order to understand what it is, how important it is, and where it fits within some kind of service model.
Within the New Zealand Government over the past few years a set of standardised service levels has been evolving, known as the Global Service Levels (GSL). They were developed by the Accident Compensation Corporation’s in-house Enterprise Architects to meet a need for standardised service levels across the corporation’s large ICT service portfolio. So, instead of having different service levels for each service, which became increasingly difficult to manage as their number grew, the GSL fits all ICT services into one of four service levels: Platinum, Gold, Silver, or Bronze.
Each ICT service was then fitted into one of those service levels after a Business Impact Analysis (BIA). That is the process of determining the relative importance of each ICT service by talking to the various business representatives and end customers to figure out how long they could survive without it.
Even without considering cloud, the GSL model is a good starter, though it would need to be changed a little to fit different organisations. It essentially sets service levels for non-functional requirements: availability, reliability, recoverability, scalability, traceability, usability, and securability. There are plenty of other standardised and open source service levels available today.
One of the things that the “Cloud Computing Use Case Group” has added to the mix of classification is the concept of a “security chain.”
“The organization must create a security chain for each class of information. Once the organization’s assets are identified and classified, the security chains should be defined and put into place. A security chain must protect the organization’s information assets at all levels, including physical security, technical security, and procedural and legal steps.
Physical security includes measures such as restricting access to data centers, shredding paper documents and destroying tapes and hard drives. Technical security includes everything from the basics of firewalls and access control systems to more advanced techniques such as disabling USB ports.
Finally, procedures for handling information assets must be clearly defined and adequately explained to all employees of the organization. In some cases, the procedures may include legal requirements such as laws covering the retention or destruction of data.
Once the organization has classified its information assets and defined the risks and requirements for using them, the decision to move to the cloud will be more straightforward. Moving extremely valuable information to the cloud, especially a non-private cloud, can pose risks that outweigh any benefits of using cloud computing.
In some cases the legal restrictions imposed on certain classes of information will make it impossible to move that information to a non-private cloud. Using a private cloud might still be an option, but a private cloud has risks as well. Moving information to a private cloud might increase the number of the organization’s employees who have access to the machines that store and process it. The security chain must be modified to include everyone with access.”*
I suspect that the “security chain” concept is most likely already captured by an organisation’s ICT security and legal policies, and this view brings them together to apply directly to cloud computing.
Once you have the service levels sorted, that is, the classification of your ICT services, you are in a position to evaluate cloud offerings against them. Each service can then be assessed against the various types of cloud: private, community, public, and hybrid, each with its own set of service levels, costs, and risks.
Without those service levels in place, you are forced to evaluate any cloud offering on a case-by-case basis against the individual ICT services that may be candidates. The time to complete that will be long.
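The following is an added example, not part of the original post or of the GSL itself, that encodes the evaluation described above: each service gets a GSL tier from its BIA outage tolerance, then the four deployment models are filtered on tier and on the legal-restriction rule from the security-chain quote. The tier ordering, the BIA thresholds, the `legally_restricted` flag and all sample services and offerings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The four GSL tiers named in the post, ordered most to least demanding.
# Ordering, BIA thresholds and all sample data below are assumptions for this example.
TIERS = ("Platinum", "Gold", "Silver", "Bronze")
# BIA answer "how long could the business survive without it?" (hours) -> tier
BIA_THRESHOLDS = ((4, "Platinum"), (24, "Gold"), (72, "Silver"))

@dataclass(frozen=True)
class Service:
    name: str
    max_outage_hours: float
    legally_restricted: bool  # data subject to retention/destruction law

@dataclass(frozen=True)
class Offering:
    provider: str
    model: str  # private, community, public or hybrid
    tier: str   # highest GSL tier the offering's service levels satisfy

def tier_from_bia(max_outage_hours: float) -> str:
    """Classify a service into a GSL tier from its BIA outage tolerance."""
    for limit, tier in BIA_THRESHOLDS:
        if max_outage_hours <= limit:
            return tier
    return "Bronze"

def tier_meets(offered: str, required: str) -> bool:
    """True when the offered tier is at least as demanding as the required one."""
    return TIERS.index(offered) <= TIERS.index(required)

def candidate_offerings(service: Service, offerings) -> tuple[str, list[Offering]]:
    """Return the service's required tier and the offerings able to host it.
    Legally restricted information is limited to private cloud, as the quoted
    security-chain text describes; everything else is filtered on tier alone."""
    required = tier_from_bia(service.max_outage_hours)
    fits = [o for o in offerings
            if tier_meets(o.tier, required)
            and (o.model == "private" or not service.legally_restricted)]
    return required, fits

# Constructed sample portfolio and market (hypothetical names, not real providers)
SERVICES = [Service("claims-ledger", 2, legally_restricted=True),
            Service("intranet-wiki", 120, legally_restricted=False)]
OFFERINGS = [Offering("in-house", "private", "Platinum"),
             Offering("sector-shared", "community", "Gold"),
             Offering("hyperscaler-x", "public", "Platinum")]

if __name__ == "__main__":
    for s in SERVICES:
        tier, fits = candidate_offerings(s, OFFERINGS)
        print(s.name, tier, [f"{o.provider}/{o.model}" for o in fits])
```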
The first step to cloud is to understand the value to your organisation of the ICT Service you are delivering.