A user perspective on Cloud Computing (i.e. SME)

From wiki.enisa.europa.eu

Questionnaire

  • What are the reasons behind your possible engagement in the Cloud Computing area?
  1. Removing economic/expertise barriers that impede the modernisation of business processes through the introduction of Information Technology
  2. Avoiding capital expenditure in hardware, software, IT support, Information Security by outsourcing infrastructure/platforms/services
  3. Flexibility and scalability of IT resources
  4. Increasing computing capacity and business performance
  5. Diversification of IT systems
  6. Local and global optimisation of IT infrastructure through automated management of the virtual machines
  7. Business Continuity and Disaster recovery capabilities
  8. Assessing the feasibility and profitability of new services (i.e. by developing business cases into the Cloud)
  9. Adding redundancy to increase availability and resilience
  10. Controlling marginal profit and marginal costs
  11. Others (specify)
  • Which solution do you see as the most suitable for an SME, according to this possible Cloud Computing taxonomy?
  1. Public Cloud (owned and managed by an unrelated business)
  2. Private Cloud (owned and managed internally)
  3. Partner Cloud (owned and managed by a trusted partner)
  4. A federation of clouds provided by various sources (partner, private, etc)
  • Which “layer” of the Cloud would you be most likely to approach?
  1. Individual software packages (SaaS)
  2. Complete operating system and software package available via cloud services (PaaS)
  3. Just infrastructure services such as storage, network capacity etc. (IaaS)
  4. Security services in the cloud
  • Would you be willing to outsource to multiple providers?

YES / NO

  • Which of the following disaster recovery options are of interest to you?
  1. Fully outsourced disaster recovery and business continuity
  2. A contingency plan based on internal resources (i.e. leveraging services/platform/infrastructure already in use "before the Cloud")
  3. Others (specify)
  • Which IT services/Applications supporting business processes are most likely to be outsourced to a Cloud Computing service provider?
  1. Payroll
  2. Human Resources
  3. Procurements
  4. CRM/Sales Management
  5. Accounting and Finance
  6. Project management
  7. Application development on the cloud
  8. Anonymised data analysis
  9. Others (specify)
  • What are your main concerns in your approach to Cloud Computing?

Privacy

  1. Availability of services and/or data
  2. Integrity of services and/or data
  3. Confidentiality of corporate data
  4. Repudiation
  5. Loss of control of services and/or data
  6. Lack of liability of providers in case of security incidents
  7. Inconsistency between transnational laws and regulations
  8. Unclear scheme in the pay per use approach
  9. Uncontrolled variable cost
  10. Cost and difficulty of migration to the cloud (legacy software etc.)
  11. Intra-clouds (vendor lock-in) migration
  12. Others (specify)

Scenario - first draft

The company CleanFuture works in the photovoltaic business. It produces and supplies complete solar and photovoltaic systems and key components for solar systems and heating. The company was founded in 1999 in Germany, where the main production site is located. Since then CleanFuture has been a fast-growing company, with turnover increasing by an average of 20% per year. In 2003 a branch office was opened in Spain, in 2004 new offices were opened in Italy and Portugal, and in 2005 another 3 offices were opened in the UK, Greece and the USA. During 2005 a decision was taken to relocate the business line producing anti-reflective solar glass to Poland, and by June 2006 the factory was already producing its first products. CleanFuture employs 163 people:

  • 80 in Germany (4 different sites: 1 production site, 2 laboratories and 1 branch office)
  • 54 in Poland
  • 5 in Spain
  • 4 in Italy
  • 3 in Portugal
  • 4 in UK
  • 4 in Greece
  • 7 in USA

The company also has a variable number (between 20 and 50) of contractors (interim agents, sales representatives, consultants, trainees, etc.).

Due to competitive pressure and the economic and financial crisis during the period 2008-2009, CleanFuture started an internal discussion on a near-term strategy to reduce costs and increase productivity. IT services were identified as a crucial area with a large margin for improvement. An internal analysis was performed on IT and security requirements and the following conclusions were drawn:

  1. More flexibility and scalability are needed to respond to the variable needs for IT services (a variable number of employees during the year, a variable number of partners/suppliers to deal with, sudden changes in the market landscape, possible cooperation with research centres and universities, possible opening of branch offices and enlargement of the sales representative base, etc.).
  2. High quality IT services (in terms of effectiveness and performance) and a high level of information security (in terms of availability, integrity and confidentiality) are required by the company. On the other hand, providing such a high level of service with internal resources (IT Dept) requires specific expertise and skills, as well as relevant capital investments in hardware, software, IT support and information security.
  3. Business Continuity and Disaster Recovery capabilities need to be improved.
  4. A test-bed for assessing new applications to support the business, as well as a cooperation environment in which to develop new solutions and projects together with partners, would be extremely important from the perspective of business efficiency and innovation capacity.

The services/applications identified as the ones to be affected by the new IT approach were:

  • Email and Messaging
  • Desktop (office applications)
  • Project Management
  • Payroll
  • CRM and Sales Management
  • Accounting and Finance
  • Custom application and Custom application development

The internal working group, supported by an external consultant involved in the analysis, proposed to take Cloud Computing technologies into consideration as a possible solution for CleanFuture's needs.

As a next step, a feasibility study on Cloud Computing was performed.

After 3 weeks a report was delivered to the Management Board of the company:

'CleanFuture – A feasibility study on Cloud Computing: a possible implementation and related business concerns'

"...based on the analysis of the ad hoc working group we propose to outsource the identified IT services and applications to a so-called Federation of Cloud Providers. The Federation will be constituted in the long run of 3 Partner Clouds and a Private Cloud:

  1. Cloud Provider 1: will offer SaaS for the Email, Messaging, Desktops, Project Management, Payroll, Accounting and Finance, CRM and Sales Management
  2. Cloud Provider 2: will offer PaaS for Custom Application development and custom applications
  3. Cloud Provider 3: will offer Business Continuity services
  4. CleanFuture will take care of Disaster Recovery using the existing infrastructure for the time being. The strategic medium-term plan for disaster recovery implies that CleanFuture will identify a business partner with whom to create a small private cloud and share the capabilities and cost of such infrastructure. This solution will be needed in 3 years from now, when the current IT infrastructure will be obsolete.

The move towards a Federation of Cloud Computing Providers leads to several concerns. The most important ones are related to the confidentiality of highly critical and sensitive information such as: new products and solutions not yet protected by a patent, specific know-how, research results, customer and project information. There are also other reasons for hesitation, namely privacy, availability and integrity of services and data (very high concerns), repudiation, loss of control over services and data flows, lack of liability of providers in case of security incidents, provider failure and, from the financial point of view, the possibility of uncontrolled variable costs, which has to be taken into account (high concerns). Besides these threats there are other important potential problems to evaluate, for instance: the inconsistency between transnational laws and regulations, cost and difficulties of migration into the cloud, an unclear scheme in the pay per use approach and the risk of vendor lock-in. The impact of the new IT approach on the ISO 27002 certification has to be further investigated. ... It is therefore recommended to perform a more detailed risk analysis and assessment on the cloud computing solution implementation scenario."
