it’s a hybrid cloud world - informationsecurity · › lack of integration architecture. the...
TRANSCRIPT
A Forrester Consulting
Thought Leadership Paper
Commissioned By HP
September 2014
It’s A Hybrid Cloud WorldAre You Managing Your Hybrid State?
Table Of Contents
Executive Summary ...........................................................................................1
You’re Already Hybrid........................................................................................2
Speed, Scale, And Cost Motivate The Hybrid State ......................................2
The Management Challenge Is Threefold .......................................................3
Security Is Job One............................................................................................3
What Customers Are Doing To Mitigate Hybrid Cloud Challenges ............4
Benefits Achieved From Managing Hybrid Cloud Well.................................5
Key Recommendations .....................................................................................7
Appendix A: Methodology ................................................................................8
Appendix B: Endnotes.......................................................................................8
ABOUT FORRESTER CONSULTINGForrester Consulting provides independent and objective research-basedconsulting to help leaders succeed in their organizations. Ranging in scope from ashort strategy session to custom projects, Forrester’s Consulting services connectyou directly with research analysts who apply expert insight to your specificbusiness challenges. For more information, visit forrester.com/consulting.
© 2014, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited.Information is based on best available resources. Opinions reflect judgment at the time and are subject tochange. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impactare trademarks of Forrester Research, Inc. All other trademarks are the property of their respectivecompanies. For additional information, go to www.forrester.com. [1-N6OVJV]
1
Executive Summary
If your company is using cloud computing services today,it’s highly likely you are already in a hybrid cloudconfiguration. The key question is whether you are activelymanaging this reality.
Whether your company uses software-as-a- service (SaaS)or deploys applications to a cloud platform, there is a highlikelihood those services are connecting back to at least oneresource in your data center. For example, enterprisesusing SaaS-based sales force automation software usuallyconnect this application to their on-premises enterpriseresource planning (ERP), finance, or eCommerce systems.That integration makes your environment a hybrid cloud,potentially exposing your company to vulnerabilities,increased costs, and operational challenges. Enterprisesneed to acknowledge this reality and start managing theirhybrid state now, rather than viewing hybrid as somemythical future state when public cloud meets private cloud.Too late — you’re already hybrid.
In January 2014, HP commissioned Forrester Consulting toevaluate the state of enterprise hybrid cloud environmentsand how they are being managed. Forrester developed ahypothesis that tested the assertion that enterprise IToperations teams struggle to recognize and manage thishybrid state — a hypothesis that was proven out.
In conducting in-depth interviews with 10 enterprise ITleaders, Forrester found that these companiesacknowledged that their cloud deployments were callingback to the data center, but they articulated a variety ofmanagement challenges with these integrations. The mostprominent issues were data management, identity, and lackof heterogeneous tools and dashboards.
KEY FINDINGS
Forrester’s study yielded four key findings:
› Cloud use is motived by agility, scale, and costsavings. Nearly every enterprise spoken to either enteredinto the cloud to quickly address escalating businesschallenges that were difficult to address with traditional ITor to lower the cost of supporting the business. As such,
business leaders played a key role in selecting the cloudservice, specifying desired business outcomes, anddefining integration needs. The elastic nature and costmodel of cloud services were a key value.
› Security, while a top concern, is quickly addressedthrough experience. Enterprises that are leveragingcloud services in a hybrid mode and managing themactively reported far less fear about security than theaverage enterprise. This comfort level came throughdetermining where assets should be placed and howcloud use and on-premises integration can be configuredand managed.
› Positive experience leads to strategic thinking. Noneof the enterprises interviewed saw cloud as a one-timemove. By gaining hands-on experience with hybridenvironments, they quickly began identifying the nextcloud use cases. Use cases shifted from opportunistic tostrategic, thus expanding the use of cloud services.
› Management tools are needed, but choices areunclear. What didn’t come out of this study was a clearpicture of how to best manage a hybrid cloudenvironment. Most interviewees met their managementneeds in an ad hoc fashion using a mix of cloud-specificand in-house tools. All felt the need for a better answer tothis issue.
Hybrid is not some future state when publiccloud meets private cloud. If you’re using anycloud service, you’re already hybrid.
2
You’re Already Hybrid
According to Forrester’s Business Technographics surveys,nearly 70% of enterprises are leveraging at least one publiccloud service today.1 And in nearly all cases, that service isconnected to one or more services running in the corporatedata center. The moment you have connected a publiccloud service to anything else you operate, you have gonehybrid. This integration opens your corporate data center toa public service, a connection over which businessprocesses run, data flows, and identities and intellectualproperty are accessed. This situation will only get morecomplex as some of the following key trends evolve:
› SaaS use is huge and growing quickly. IT decision-makers have long underestimated the use of SaaS,regarding it as a niche phenomenon occurring at adepartmental level. But SaaS is definitely more than that.As our Forrsights Software Survey, Q4 2013 shows, theaverage enterprise is using 38 SaaS applications todayand will more than double this number in the next twoyears.
› SaaS complements existing on-premisesapplications. Our surveys also show, as did theinterviews conducted in this study, that SaaS isn’t alwaysreplacing on-premises software but rather adding newvalue and capabilities to what you already have in place.In 2012, according to our Forrsights Software Survey, Q42013, 63% of SaaS investments were made tocomplement existing systems.
› New systems of engagement need to integrate withtraditional systems of record. Companies are investingin new applications that engage customers andemployees, such as mobile apps and social interactiontools, as a way to innovate and grow. But these systemsare not silos; they must reach back to your systems ofrecord — like core ERP systems, finance and controlsystems, and human capital management (HCM)systems — to engage users and drive meaningfulbusiness interactions. Managing this integration will becritical if companies are to achieve their growth andinnovation targets.
› Scale and speed are best achieved in the cloud.Systems of engagement, media, business intelligence,backup and disaster recovery (DR), and research anddevelopment applications can never have enoughcompute power or storage capacity; their resource needs
vary dramatically based on the business cycle. Theseneeds are precisely what public cloud platforms aredesigned to address and are their key differentiators fromtraditional infrastructure environments.
Speed, Scale, And Cost Motivate TheHybrid State
Enterprises are under growing pressure to move at thespeed of their customers, including by scaling in an instantwhen demand peaks. But hand-in-hand with this are theconstant pressures to keep IT costs from escalating. Thus,the appeal of cloud computing services both for thebusiness and IT sides of the enterprise is rising:
› Autonomy and automation bring cloud value in lessthan 15 minutes. Cloud services are standardized,automated IT solutions that can be provisioned in aninstant. The CIO for a large food production company saidthis helped him roll out a new SaaS-based solutionworldwide in record time: “If we had taken on anothersolution, there’s no way we would have been operationalin three months — not a prayer.”
› Scale is automatic and unlimited in the cloud. “We hadbeen looking to leverage [the] cloud by moving parts ofour website [there] so we have the capability to burstwhen there’s high traffic, then come back down,” said theVP of web operations for a large consumer goods
FIGURE 1SaaS Is Mostly Complementary With SomeReplacement
*Forrester forecast
Source: “The Public Cloud Market Is Now In Hypergrowth,” ForresterResearch, Inc., April 24, 2014
3
company. “We have certain periods when we have peakdemands of 10 to 20 times [our normal traffic], but for ashort period of time. For example, my storage needs cango from 1 to 2 TB all the way to 22 TB.”
› Lower costs are proving real. While cloud is highlytouted in the press as being lower cost, the enterprisesinterviewed for this study proved that when it’s used in ahybrid mode, other benefits come through. A director ofsoftware development at a large construction firm saidthat by putting the right capabilities — things with elasticitydemands or transient use patterns — in the cloud andhaving fewer infrastructure and operationalresponsibilities, the savings come through quickly. “OurCOO and CTO have quantified over 60% in savings,” hesaid.
The Management Challenge IsThreefold
Most companies have arrived at their current hybrid cloudstate deliberately, but not in ad hoc fashion. Rarely did theystart with a strategic plan for broad cloud adoption —although all said that is now a key initiative. Each startedwith a specific business case and built a managementmodel that suited that use best. As their use of cloud hasexpanded, the need for a more concerted approach hasarisen. In other words, things only gets worse the morehybrid you become. Our interviewees faced three key areasof challenge:
› Lack of integration architecture. The essence of hybridis the integration between a cloud service and on-premises (or non-cloud) resources. And there are fewconsistent integration approaches. The first approachmay not be the right approach long term, said the CIO ofa large food production company: “I wish we fullyunderstood our reporting requirements upfront. It wouldhave saved us time on going down some integrationpaths that we ultimately had to reverse.”
› Need for better data governance and management.Integration isn’t just a network, it’s a conduit throughwhich corporate and customer data flows. This meansunderstanding what data can and cannot traverse thisconnection or reside in the cloud. The director of ITarchitecture for a large university faced this when hehybridized its email system with students served from thecloud and faculty and staff staying on-premises: “We have
clear definitions of what is public and not, but don’t havethe governance [in place] to go with it.”
› Lack of good hybrid cloud tools. Most of theenterprises interviewed said they manage the cloud andon-premises sides separately due to lack of tools withgood fidelity on both sides. “It’s another thing I have tobuild,” said the CIO of a large publishing company. “Thereare the standard [virtualization] tools and standard [publiccloud] dashboards, but those don’t help me.”
“Our COO and CTO have quantifiedover 60% in savings.”— Director of software development at a large construction
firm
Security Is Job One
As is cited in nearly any study on cloud implementations,security is the No. 1 concern. Integrations with public cloudresources cross through corporate firewalls, exposeemployee identities to third-party services, and potentiallyput customer and corporate records at risk. But in nearly allthe interviews conducted for this study, enterprisesindicated they were actively managing these risks. “We’redeliberately in a hybrid model for security reasons,” said thedirector of IT engineering at a large publisher. Ourinterviewees faced challenges that fell into three areas:
› Data protection. It’s one thing to say that you should onlyput public data in the cloud. It’s another when the reality isthat you are trying to deliver business value, as is thecase for the healthcare company in our study. “We had aseries of initiatives to get our patient data into a centralrepository (i.e., the cloud) that would enable easy accessfor internal and external users,” said its senior director ofsoftware development. “One of the projects . . . revolvesaround deploying that securely and with easy access. Oursecurity and legal groups were heavily involved.” Theirsolution involves secure private connections between thecloud service, their internal private cloud, and thirdparties. A service provider partner ensures HealthInsurance Portability and Accountability Act (HIPAA)compliance throughout the implementation, he said. Thesame interviewee described the struggle his organizationstill grapples with around actual knowledge of the databeing moved. “The guy transferring over [to the public
4
cloud] has no idea what’s been selected,” he noted. “It’seasy for the dots to become disconnected.”
› Identity and access management. In a successfulhybrid cloud environment, you don’t want the employeeswho use the services to have to maintain separateidentities and passwords for in-house and cloud services.Thus, the enterprise clients interviewed brought in singlesign-on and identity federation solutions. Yet enterprisesshould be aware that this isn’t always a straightforwardanswer. “Our authentication stack is pretty complicated,”said the director of IT architecture for a large university.“It’s a big mess.”
› Expectations and fear, uncertainty, and doubt (FUD).The third — and for many of our interviewees, mostvexing — security challenge is cultural rather thantechnical. With all the news reports about intelligenceagency backdoors, credit card fraud, and other threats,enterprise IT shops often have to spend more timeallaying fears. “The concerns were more hysterical thanfact-based,” said one of our respondents. The universitydirector of IT architecture cited earlier conducted townhalls and team meetings to address the security concernsvoiced by faculty and staff, then let his employees choosetheir own degree of risk. “We offered an opt-in policy atfirst so people could opt out if they weren’t comfortable,”he said. “But the takers on this was under 5%.”
“We’re deliberately in a hybrid modelfor security reasons.”— Director of IT engineering at a large publisher
What Customers Are Doing ToMitigate Hybrid Cloud Challenges
All enterprise IT leaders interviewed for this study know thatfrom here they are simply going to become more hybridover time as more cloud services come into the organizationand more business cases leverage the cloud. As such, theyare actively shifting from their ad hoc hybrid managementmodels to a more strategic, architectural approach. “WhatI’m working on is a repair effort for the cloud strategy that Ifound when I came in,” said the CIO of a large publisher.The keys to their approaches were:
› Adopting a hybrid cloud integration architecture. Abunch of one-off connections between cloud services andon-premises applications isn’t sustainable, so the leadingenterprises are taking a more concerted approach thatleverages integration solutions, message buses, and(application programming interface) API managementtools that concentrate multiple hybrid cloud connectionsthrough as few means as necessary (see Figure 2).2 “Weused an integration platform behind the scenes,managing the input/output,” said the director of ITarchitecture at a large public utility. The organizationcombined this with a cloud-native integration solution so itcould optimize and standardize the types of connectionsneeded.
With few off-the-shelf options for widely varying and highlycustomized hybrid architectures, customers areconsidering more flexible integration approaches such asopen source integration (OSI) in an effort to cut costs andincrease agility (see Figure 3).3
FIGURE 2Hybrid Integration Requires A MultidirectionalModel
Source: “The Hybrid² Integration Challenge,” Forrester Research, Inc.,May 1, 2013
5
› Building a cloud service broker model. In addition tostandardizing hybrid connections, efficiencies can also begained by procuring and provisioning cloud services in acommon way, which can be achieved by serving as acentral broker for cloud for your company (see Figure 4).A broker approach also lets IT decide which use cases fitbest with the cloud versus those that can be more cost-effectively handled internally. Understanding the differentcost models and architectural fit is key to optimizinghybrid cloud spend for the CIO of the large publishingcompany we spoke to: “I’m deploying an internal cloud tocreate more efficiencies and a broker relationship —whoever’s cheapest and has what we need — processingor speed — depending on the circumstances. Everythingstarts internally and we push out for elasticity purposes,”he said. “I’m now in the process of automating pullingthings in and out so that we can control our costs.”
› Exploring hybrid cloud management tools. While fewsuch commercial tools were in use by our interviewees,nearly all acknowledged the need and in more cases thannot had built their own. These tools focused on two keyvalues: monitoring and provisioning. Both are valuable forperformance, availability, and operational agility, but theycan be key to cost savings as well. As the director ofsoftware development at a large construction company
found, “To save costs, we shut down development andQA automatically at certain times of the day and start itback up at different times of the day.”
“Everything starts internally and wepush out for elasticity purposes. I’mnow in the process of automatingpulling things in and out so that wecan control our costs.”— CIO of a large publishing company
Benefits Achieved From ManagingHybrid Cloud Well
The consensus response from the enterprises interviewedfor this study was that operating in a hybrid cloudenvironment yielded, on average, a 30% cost savings overtraditional IT deployments. However, the straight cost ofcloud versus in-house spend was a smaller part of thebenefits achieved. Nearly all cited that:
› Operational gains were the biggest wins. Cloudservices are standardized and highly automated, whichmeans your use of them needs to move to this model aswell. The director of IT applications at a public utility saidthe biggest benefits have been achieved through“standardizing IT processes and forcing people to stick tothem. The IT guys aren’t too happy about the latterbecause they no longer have the freedom to develop anduse the tools they want. But the cost savings outweighthat.”
› Pay-per-use yields big gains when the apps can takeadvantage. Those achieving the biggest gains from ahybrid cloud architecture were actively placing the rightapps in the cloud and keeping solutions that couldn’tactivate the cloud’s unique economic model on-premises.The VP of web operations for a large consumer goodscompany was very selective about what he put in thecloud, moving only those applications that had elasticity.Only with these applications could he “take advantage ofwhat the cloud was really offering, which is true utilitycomputing. You need to put business rules in place thatleverage elasticity. I lose the advantage of cost savings bybeing inelastic.”
FIGURE 3Cost, Flexibility, And Innovative Features Are TheTop OSI Solution Drivers
Base: 70 application development and enterprise architecture personnelconsidering, piloting, or using open source tools (multiple responsesaccepted)
Source: Q4 2011 Global Integration Online Survey, Forrester Research,Inc.
6
› Valuable staff is freed up to add greater value. Withcloud services managing infrastructure, backup and DR,and even full applications in the case of SaaS, valuablefull-time IT employees don’t have to deal with theseoperational details and can instead focus more on howthe company can best leverage these services. Thedirector of IT architecture at the university said just the
support burden alone was reduced 20% to 30% fromleveraging the cloud. Additionally, the move to hybridcloud “freed [IT staff] to focus more on refining internalprocesses to provide better service overall,” he said.“We’re a lot less reactive than we used to be and havemore bandwidth to be proactive.”
FIGURE 4Be A Hybrid Cloud Services Broker For Your Organization
Source: “Cloud Broker — A New Business Model Paradigm,” Forrester Research, Inc., August 10, 2011
7
Key Recommendations
So how can you get going on a successful hybrid cloud implementation? It starts with recognizing that cloud servicesare unique tools to add to your overall portfolio rather than replacements or threats to central IT. You should also havea solid plan to onboard cloud services and integrate them into your existing portfolio and operational model. Forrester’sin-depth interviews with IT executives yielded several important recommendations:
› Get a cloud policy in place. To best embrace cloud services, your organization needs to have a plan for when,why, and how to use cloud services. This starts with a clearly articulated policy statement that lays down thebasic rules for their use.4 It should help articulate what makes cloud services different and how they can best beused to bring benefit to your organization. And the policy should point out who in IT can help the businessleverage cloud most effectively.
› Start hybrid management with unified monitoring. Many respondents said visibility was most needed wheretrue customer experience could be best measured. As the VP of IT engineering for a large publisher put it, “Iwould prefer to have an app-centric (as opposed to network-centric) reporting view that shows the overallrelationship between the cloud environment and our own.” The director of software development for a largeconstruction company added: “We have seen slowness and some customers have complained, but it’s verysporadic. We’re monitoring this so we can identify it and tackle it if it happens again.”
› Know your data in order to secure your assets. If you’re like most companies in our study, you’re sending amyriad of sensitive information across connections and into the public realm. Defining your data by giving itidentifying traits is a basic and effective way of knowing what is where, thereby enabling you to pinpointvulnerabilities while still driving crucial business value. Knowing where your data lives, classifying its “toxicity,”defining clear data use, and handling roles and guidelines are relatively simple yet highly effective steps inachieving hybrid cloud security.5
› Bring in third parties to supplement your staff and knowledge. If your company is just starting down thecloud path or hasn’t started moving from ad hoc to strategic use, don’t learn the lessons of cloud the hard way.There are many consultancies, managed service providers, professional services firms, and peer groups thathave rich expertise in managing hybrid cloud environments. Take advantage of what they know so the benefitsyou want to achieve will come sooner. This helped the VP of web operations at a large consumer goodscompany meet his time-to-market objectives and accelerate internal learning: “We outsourced support of thisapplication to a third party and said, ‘Put it in [the cloud] because we want to get our feet wet and we don’t havetime to do it.’”
› Help your IT staff see the benefits they will gain from cloud. For many an enterprise, the group resistingcloud the most is often your own IT staff. Their reluctance is often driven by fear that the cloud will make themredundant or that their skills won’t translate. Rarely is this the actual case. But you must address these fears andhelp these important stakeholder see a more valuable career path through the use of cloud services. “Our IT staffisn’t concerned about moving more to the cloud,” said the director of IT architecture at a university. “There’splenty [of services and plenty of work for them] staying on campus.”
8
Appendix A: Methodology
In this study, Forrester interviewed 10 senior-level IT professionals with experience in cloud platform implementation in theUnited States, Canada, and Germany to evaluate their deployment and consumption of such services. Questions provided tothe participants addressed adoption motivation, implementation challenges, management practices, and future plans.Respondents were offered gift cards of $100 as a thank you for time spent on the interview. The study began in January2014 and was completed in April 2014.
Appendix B: Endnotes
1 Source: Forrsights Software Survey, Q4 2013, Forrester Research, Inc.
2 Source: “The Hybrid2 Integration Challenge,” Forrester Research, Inc., May 1, 2013.3 Source: “Open Source And Cloud-Based Integration Trends,” Forrester Research, Inc., February 6, 2012.4 Source: “Write An Effective Cloud Use Policy,” Forrester Research, Inc., August 31, 2012.5 Source: “Twelve Recommendations For Your Security Program In 2014,” Forrester Research, Inc., February 5, 2014.