Factfiles

Cloud computing (part 4)


Cloud Implementation - Procurement and Commissioning
A Factfile provided by the Institution of Engineering and Technology

www.theiet.org/factfiles

About This Factfile

The Institution of Engineering and Technology acts as a voice
for the engineering and technology professions by providing
independent, reliable and factual information to the public
and policy makers. This Factfile aims to provide an accessible
guide to current technologies and scientific facts of interest to
the public.

For more Position Statements and Factfiles on engineering
and technology topics please visit http://www.theiet.org/factfiles.

The Institution of Engineering and Technology

The Institution of Engineering and Technology (IET) is a global
organisation, with over 150,000 members representing a vast
range of engineering and technology fields. Our primary aims
are to provide a global knowledge network promoting the
exchange of ideas and enhance the positive role of science,
engineering and technology between business, academia,
governments and professional bodies; and to address
challenges that face society in the future.

As engineering and technology become increasingly
interdisciplinary, global and inclusive, the Institution of
Engineering and Technology reflects that progression and
welcomes involvement from, and communication between, all
sectors of science, engineering and technology.

The Institution of Engineering and Technology is a not for profit
organisation, registered as a charity in the UK.

For more information please visit http://www.theiet.org

The Institution of Engineering and Technology 2013

The Institution of Engineering and Technology is registered as
a Charity in England & Wales (no 211014) and Scotland (no
SC038698).

Enquiries

policy@theiet.org

Contents

Introduction
Basis for the assessment
There are other issues for the enterprise customer to consider
A roadmap for successful Cloud deployment
A Cloud based IT Architecture
A new topology
Tackling the issues one by one
Tackling the more generic issues
Is Cloud really new?
Further Reading
End notes

Cloud Computing - Cloud implementation - Procurement and Commissioning


A Factfile provided by The Institution of Engineering and Technology
The IET 2013
www.theiet.org/factfiles

Introduction
In the first three fact files in this series we discussed the
technology behind Cloud computing, the compelling business
and commercial drivers that support the Cloud computing
model and the risks inherent in Cloud adoption that need to
be tackled. But for those who now want to take the first steps
toward Cloud adoption, how should they go about starting this
journey? What should they look for in a Cloud provider? How
can they ensure that the Cloud environment delivers value for
their business?
This fact file will attempt to answer some of these questions
in the context of a business enterprise seeking new Cloud
based infrastructure or applications to unleash the promised
benefits. It will examine the issues to be tackled during a
public Cloud adoption programme and further explore these
for those who want to adopt a hybrid Cloud model. We will
compare and contrast these issues with those likely to be
encountered in a hosted private Cloud environment - and
with a more conventional IT infrastructure outsourcing
arrangement.

Basis for the assessment


To understand the range of issues to be tackled, there is no
better place to start than an informative article [1] written by
Peter Wayner, published in Infoworld. Here the author has
subscribed to various public Cloud services and makes many
useful observations. While his experiences as an individual,
working on a research basis, may not mirror the realities
of enterprise Cloud service deployment, his findings form
a useful checklist against which useful conclusions can be
drawn.
A précis of the main issues follows:
• Machine performance is not uniform - suggesting that
  different virtual machines from different suppliers can
  differ considerably at each price point.
• Too many choices - implying that at anything above a trivial
  level, configuration options can become complex and
  bewildering.
• Software services are hard to price - especially if service
  is based on projected business volumes (number of
  customers, number of transactions...). This relates to the
  complex issue of software licensing which we will cover
  later.
• Totally integrated solutions are scary - solutions which are
  apparently easy to implement, with support from the Cloud
  vendor, often involve proprietary software and the potential
  for lock in; leading to the need to rewrite if porting to
  another platform. The smartest Cloud providers appear to
  be pushing flexibility and openness.
• Security is still a mystery - the nature of public Cloud
  offerings means that it is often very difficult to see what is
  going on under the covers of the hypervisor.
• Moving data is not easy - setting up machines is relatively
  simple; moving gigabytes of data into and out of the Cloud
  environment can be a complex and lengthy task.
• Little is guaranteed - the cloud marketing message may
  imply lifting your responsibilities. The truth is that you still
  have the responsibility for backing up data, with attendant
  cost in terms of bandwidth; depending on the nature of the
  service, you may have to maintain and manage the cloud
  platform on which your applications run.
• No one knows which laws apply - for example your data may
  reside in one jurisdiction, the processing in another, and
  your business in a third. This is an emerging market and
  these issues are not yet enshrined in any form of
  legislation.
For some, many of these points may be self evident; but
anyone looking to procure public Cloud services should use
this checklist as an introductory guide.

There are other issues for the enterprise customer to consider

We can add other issues and expand on some of those listed
above. It may be helpful to express these as a list of questions
that a procurer of Cloud services might need to address.
• Financial and Commercial Integrity. What would happen
  if the chosen Cloud provider were to fail? Should dual
  sourcing be considered? Would it be possible to move
  applications readily from one provider to another in a
  disaster scenario? What assurances could a Cloud provider
  offer to ensure protection against data loss or interruption to
  service? What should a potential Cloud customer request of
  the provider?
• Data placement. A known issue with Cloud is that data may
  be held anywhere within a Cloud infrastructure. That in
  turn gives rise to the problem of data being held outside of
  the relevant jurisdiction of the Cloud customer. What would
  happen if regulatory audit or discovery were to be blocked
  by foreign authorities? What assurances should be sought
  on this matter?
• Data loss. What provisions are offered by the Cloud provider
  to protect the customer's data? It has been reported
  recently that Yahoo mail accounts have suffered loss of
  many years of archived information [2].
• Interoperability and portability. If Cloud services are used
  in conjunction with in-house systems (the hybrid cloud)
  or with another Cloud provider, how can a customer be
  assured that applications will operate together - or that
  applications could be moved from one environment to
  another? Are initiatives like OpenStack relevant here?
  Indeed, does the adoption of Open Source offer tangible
  benefits here (e.g. avoiding lock in to proprietary systems)?

• Security and information integrity. What should the
  customer expect of the Cloud provider in terms of robust
  network security, data management, separation of
  customers' data and system isolation? What should be
  expressly written into the contract? What audit
  arrangements are required? What could be expected in terms
  of penetration testing? Is there a case for outsourced
  implementation of a private Cloud? Does the recent trend
  towards consumerisation of IT (BYOD) require special
  consideration? Could a Cloud provider be reasonably
  expected to address security issues within mobile devices
  (Cloud based business apps potentially leaking data through
  rogue APIs to/from consumer applications) - probably not?
• Standards. What standards are relevant here and should
  be mandated? Factfile 3 dealt with these but what are the
  practical implementation issues?
• Performance and availability. What should be expected of
  the Cloud provider in terms of service levels, contracted
  or otherwise? How can performance be monitored?
  How can capacity planning be performed? How can the
  planned Cloud workload be assessed initially? How can
  performance related factors be apportioned between
  processors, network and storage?
• System Management. What should the Cloud provider
  be able and expected to demonstrate here - patches,
  mandatory software updates, release change and
  regression testing? How should the Cloud provider
  communicate the status of system management actions
  and should the customer have right of veto against specific
  planned actions?
It is clear then that Cloud procurement and implementation
can be very complex with many pitfalls to trap the unwary. And
we must remember that Cloud computing is still in its infancy
with many organisations avoiding adoption simply because
a cursory look at some of the issues results in a conclusion
that the risks are still too high. However, IT departments can
no longer avoid the option of Cloud implementation. Almost
all of the business (and IT) community will have experience
of some aspect of Cloud computing through personal email,
social collaboration, Cloud based data storage and so on. So
every business user is now asking "why not for our business?"
Every IT organisation around the globe has an application
backlog, has a complex sprawl of dedicated but under-used
servers and has a directive to reduce costs while also being
asked to improve service delivery, i.e. to do more with less.
The inescapable conclusion is that, over time, Cloud based
solutions will become part of the mainstream of enterprise IT.
In practice of course, Cloud adoption is not an all or
nothing problem. Every business, moving toward Cloud
implementation, will adopt some kind of hybrid computing
environment. Perhaps the application development team
will adopt a private cloud environment for development and
testing; perhaps the business analysis teams will use some of
that private Cloud capacity for occasional business intelligence
functionality; maybe there will be parts of the business who
use public Cloud services for file backup, collaborative team
working or new applications available from the likes of Google
App Store; maybe the sales team will be using Software as
a Service (SaaS) services for sales force management or
extra contact centre capacity; and so forth. This paper from
IDG Enterprise provides a useful view of the future of Hybrid
Cloud [3].
Matters are further complicated when we consider that the
different patterns for Cloud based solutions; Public or Private,
Infrastructure as a Service (IaaS) or Platform as a Service
(PaaS) or Software as a Service; all exhibit the same issues
but in very different ways so the risks can vary substantially.
For example, many Public SaaS offerings may be deemed
high risk for information security but low risk in terms of
contracted performance levels at a given price point while
Private IaaS implementations may be much lower risk in
respect of information security but difficult to procure with
high confidence that performance and availability will meet
expectations.
The time has come, for most businesses, to set a coherent
strategy for Cloud computing otherwise chaos will result. In the
early days of the PC era, when business teams found that they
could simply and quickly build their own database
applications, spreadsheets and simple business analysis tools
without IT department support or approval, enterprise IT
environments became fragmented and unmanageable. The same
scenarios will play out with Cloud computing unless business
and IT move in lockstep to create and implement a coherent
Cloud computing strategy.

A roadmap for successful Cloud deployment


There are some fundamental things that enterprises need to
get right in order to seize the opportunities presented by Cloud
computing.
• IT and business departments must work together to
  develop a strategy for all aspects of Cloud computing.
  Investment in IT services will now be made in two
  directions - internal systems and Cloud based systems.
  That strategy will be based on business priorities which of
  course will include rationalisation of the existing internal
  systems, as well as future business needs and investments.
• The strategy should produce some business imperatives
  and general best principles for IT deployment both
  internally and externally. These best principles will include
  such things as:
  - An agreement on the types of application which must
    reside internally for performance, security or specialist
    functionality reasons. For example, it would be
    expected that core banking systems would remain in
    house for all of those reasons.
  - An agreement on the types of other existing
    applications which could usefully be deployed in a
    Cloud environment - perhaps for cost saving reasons.
    For example, file serving of low sensitivity information
    or backup and archiving of historical transaction data
    under a suitable encryption regime.
  - Consideration of new business functionality which
    would be difficult to develop in house but is readily
    available from SaaS providers. For example, complex
    analysis of so called "big data" repositories as
    described in this case study from L'Oréal/IBM [4].
  - Rationalisation of existing server sprawl by a transition
    to a private Cloud environment as described in this case
    study from BMW [5].
This joint business and IT strategy, probably looking forward 5
years, can then become the foundation for a revised Enterprise
IT Architecture.

A Cloud based IT Architecture


Typically, an Enterprise will already have an IT Architecture
defined to address functional requirements (applications,
databases, networks, business use cases and so forth) but the
architecture will also include principles and solutions to
address non-functional requirements. Non-functional
requirements include such topics as security, performance,
access rights/permissions, systems management, availability,
backup, resilience and so on. In this short fact file we are more
concerned with architectural aspects governed by
non-functional requirements as it is here that we find most of
the issues concerned with Cloud.

A new topology
The starting point will be a system map which goes beyond
current in house systems, which may include core Enterprise
Resource Planning (ERP) systems, supplier and customer
transaction systems, desktop and remote computing services
and any outsourced systems which are tightly integrated.
The map will now include private Cloud environments and
public Cloud services (IaaS, PaaS and SaaS), the interfaces
with in house systems and a new network architecture to
allow managed access from desktop and mobile systems. Of
particular importance will be system designs to allow employee
BYOD (Bring your Own Device) devices to operate within this
new architecture in a secure manner [6].

Tackling the issues one by one


Armed with a new, Cloud inclusive architecture, we can briefly
examine the issues raised in section 1 and point the way to
addressing them. Each topic will direct the reader to reference
papers which will supply the detail. It is important to recognise
that there are no technological barriers to successful Cloud
implementation. Many of the issues will be tackled through
contractual arrangements with Cloud service providers. This
is, in principle, exactly the same as negotiating a contract for
outsourcing IT services to a third party with one important
exception. Third party outsourcing contracts can usually be
tailored to match the exact requirements of the customer whereas
many public Cloud offerings are generic, i.e. the offering
is designed to be the same for all customers, and there
may not be the scope to define detailed variations to Terms
and Conditions. For example, if data storage in a specific
geography is required, the Cloud provider may not be able to
provide the necessary assurance. If detailed modifications to
user access and authentication are required to a suite of SaaS
applications, such variations may just not be possible. These
kinds of consideration will form the final acid test of whether
many public Cloud offerings are right for the enterprise and
will, iteratively, produce the need to adapt the strategy and
architecture. Let's tackle the issues in the order they were
presented in the introduction.

Machine performance is not uniform
When examining this issue it is important to separate the
relevant from the irrelevant. For example it is not important
to be concerned about the specific server technology (e.g.
Intel vs. AMD), but it is important to understand in detail the
price points in terms of business functionality measured in
transactions per second, price level triggers as system load
increases or decreases and so on. It will be important to
ensure that the chosen Cloud provider commits contractually
to price performance levels which can be expressed in terms
which are meaningful to the business.

Too many choices
Across the spectrum of IaaS, PaaS and SaaS offerings it is
generally true that services will be packaged in standard ways.
Customer requested features which lie outside these standard
offerings can lead to complex variations in configuration and
hence pricing. This is why it is critically important for the IT
department to be working in lock step with the business. IT
professionals, trained in the new cloud computing models,
will be able to cut through the complexity whereas business
professionals, negotiating on their own, would not successfully
address this potential for complexity.

Software services are hard to price
Software services are hard to price for two reasons. The first
simply relates to the way a Cloud provider charges for software
licences - we are talking about SaaS and the operating system
components of PaaS here. Per transaction or per user - or
some other measure? It will be important to get to grips with
this issue in order to agree contract terms. It will be especially
important to understand trigger points for pricing bands in
terms of user concurrency or transaction rates - and over what
period each of these measures is calculated. The second
reason is that different Software vendors typically have widely
different ways to price their offerings. Some will be machine
based licences which are difficult to understand in a Cloud
environment (public or private), some will charge per user,
some may operate transaction based charging. In any event,
getting to grips with the detail is not trivial. This paper from the
Open Data Center Alliance provides very useful background to
aid understanding [7].

Totally integrated solutions are scary
Cloud vendors, with a catalogue of standard offerings,
can take the pain out of initial implementation. You have
requirements, they have offerings but under the covers, the
preconfigured offerings, integrated together, can often lead to
complex proprietary solutions. The potential issue of vendor
lock-in can be very high here. Ideally, one should look for
solutions which could easily be ported to another vendor or in
house. There is no easy answer to this except to observe that
many Cloud vendors are moving toward more obviously open
software environments and the recent adoption of OpenStack [8]
may bring welcome relief from this issue. In any event, it
will be critically important to ensure that the implications of
complex integration are fully understood by the IT department.

Security is still a mystery
Under the covers of the virtualisation hypervisor, it is very
difficult to see what is actually going on. However, this
major potential issue has led reputable Cloud providers and
hypervisor vendors to take this issue very seriously and they
should be able to demonstrate that security policies are tight
and can be audited. Many observers of the Cloud industry make
the very valid point that providers stand or fall by their cloud
security policies and standards and their experience probably
leads to Cloud services being more secure than many in house
systems, especially those within mid-sized businesses.
Nevertheless, security remains at the top of the worry list.
Encryption regimes, both for data at rest and for data in
motion, are vital from a technical standpoint. Secure network
access through VPN or some other network security protocol
coupled with robust user identification, authentication and
authorisation routines are paramount. Also, with the
proliferation of the consumerisation of IT (BYOD), the endpoint
mobile device is likely to be connected simultaneously to the
cell phone provider, to a public internet ISP, to the in house
network and to Cloud based services. The potential for data
leakage within the user device is very high and it will be
fundamentally important for the IT department to grasp these
issues and ensure, architecturally, that security policies in this
area are fully defined and are capable of being implemented
by Cloud providers with suitable contractual measures in
place. Ultimately, a rigorous risk analysis will be required and
if it is deemed that privacy and security of certain data sets in
a public Cloud environment are major issues then Cloud is not
right for those data sets.

Moving data is not easy
The issue here is that once your new virtual machines are
instantiated in the Cloud you need to move data into that
environment. And here, network performance may become a
limiting factor. This can be a key issue when porting existing
applications or whole machine environments from in-house
to Cloud (public or private). Whereas in-house systems might
be expected to have fibre or GB Ethernet connection to data
repositories, now data must be moved over internet
connections. Initial load of data can be time consuming and,
depending on the system design, movement of result data sets
back in house can also be similarly slow. Again, the solution
lies in a robust Enterprise System Architecture, and here the
IT department has a key role to perform.

Little is guaranteed
Beware the essential differences between the Cloud vendors'
marketing messages and the reality of Enterprise grade public
Cloud environments. The standard product offerings may be
easy to set up and deploy by the Cloud provider, but what
are their ongoing responsibilities in terms of management,
maintenance and overall system integrity? The answer lies in
precise agreement of contract terms. Ensure that you know
your responsibilities and that you have a clear understanding
of theirs.

No one knows which laws apply
After the security issue this is perhaps the next most
difficult. In a public Cloud environment, the customer does
not know where his applications run or his data resides, indeed
the Cloud provider may not know either. Most businesses need
to be able to demonstrate that they comply with local laws and
regulations (e.g. Sarbanes-Oxley or Data Protection...). This
means that the customer will need to ensure that critical data
is available for periodic audit.
If the data resides in a different jurisdiction, this can pose
significant problems. Moreover, if the customer's data resides
in a foreign jurisdiction then that foreign government may have
its own rights to inspect those data, despite the customer's
views of privacy and security of their own assets. This issue
can be very difficult to address but guidance can be found in
a useful paper from IDG Connect which contains expert views
from the audit and compliance industry [9]. Also helpful is this
paper on Information Security Compliance and Audits [10]. More
recent press news highlights the potential issue of government
snooping on Cloud based information [11].

Tackling the more generic issues


We finished the introduction by posing some more issues
and expanding on those listed above. In practice there are no
simple answers. We presented these with an associated set of
questions which must be addressed in negotiations with the
Cloud provider. The list is not exhaustive but should serve as
a starter checklist of topics to be covered. The Cloud Buyers
guide, published earlier this year, contains excellent advice
and is highly recommended [12]. One other important topic is
Compliance Standards. This paper from LogicWorks provides
a comprehensive view of the emerging standards in this area
as they apply to each industry vertical [13].

Is Cloud really new?


The answer to this is probably not. Cloud is just an extension
of the old ideas about distributed computing. This refers to
the development in the 1980s and beyond in which the single
central computer was replaced by a network of computers
(servers and client devices). The industry has, over time,
tackled the associated issues of performance, simultaneous
and synchronised update, systems management, mixed
development environments, mixed operating systems and so
on... Cloud computing (public, private, hybrid) just extends the
distributed computing environment to places that are just a bit
further out of reach. Extending your computing environment
to people and businesses that you know little about; extending
it to systems of which you may have little control; and relying
on other people's descriptions of what those systems can do.
So a new word comes into play - trust. Relying on Cloud
means:
• trusting other people's description of computer- and
  data-architectures; that these architectures bear some
  semblance to the reality of the devices concerned rather
  than merely acknowledging the intentions of the builders;
• trusting other people's legal (contractual) commitments to
  reflect, indeed predict, how they actually will behave.
These two are probably the most important challenges. If you
can find ways to address them you are most of the way there.
To get all the way there, a word to IT engineers is appropriate.
Cloud computing will inevitably become increasingly attractive
to business users, both from their own personal experience
of consumer IT paradigms and from an increasing awareness
of what others are doing at an enterprise level. It will be
fundamental for engineers with IT responsibilities to embrace
the new paradigms, learn the in-depth skills needed, stay
one step ahead and seize the initiative to move the business
forward in new directions - and have the courage to ensure
that all Cloud initiatives conform to the chosen strategy and
architecture. They should also remember that successful Cloud
adoption will need not only the adoption and understanding of
new technology patterns by IT engineers but also that those IT
engineers work more closely with and within the business to
understand business needs. That in itself will lead to the need
for quite fundamental IT organisational change.

Further Reading
The references contained within the text will lead the reader
to many other information sources. Within the first half of
2013 general experience with Cloud computing has gained
pace. With many new vendors, customers and consultants
now gaining real firsthand experience with all aspects of
Cloud computing the number of valuable whitepapers, vendor
marketing documents and case studies has also increased
rapidly. The last endnote reference contains a selection of
useful websites where the reader can gain new insights [14].

End notes

[1] Peter Wayner, "12 Hard Truths about Cloud Computing"
    http://www.infoworld.com/d/cloud-computing/12-hard-truths-about-cloud-computing-214920
[2] http://www.complaintsboard.com/complaints/yahoo-inc-mail-deletion-of-folders-and-emails-c660743.html
[3] "Private or Public Cloud isn't the right question, it's going to be a hybrid world."
    http://resources.idgenterprise.com/original/AST-0066800_Private_Or_Public_Cloud_Isn_t_The_Right_Question_It_s_Going_To.pdf
[4] "L'Oréal USA Gains Purchasing Power with IBM Services and Cloud Analytics"
    http://www-03.ibm.com/press/us/en/pressrelease/41072.wss
[5] BMW Case Study: "BMW Path to Cloud with Alliances"
    http://www.opendatacenteralliance.org/docs/bmw_path_to_cloud_with_alliances_white_paper.pdf
[6] "Top Three Mobile Application Threats"
    http://resources.idgenterprise.com/original/AST-0084487_Know_the_big_three.pdf
[7] Open Data Center Alliance: Software Entitlement Management
    http://www.opendatacenteralliance.org/docs/Software_Entitlement_Management_Framework_Rev1.0.pdf
[8] Top level link to OpenStack.org
    http://www.openstack.org/
[9] IDG Connect "Data Sovereignty"
    http://www.idgconnect.com/download/14517/data-sovereignty?source=intl060713idgce
[10] Latitude Software, Interactive Intelligence Group and InsideARM. "Beginner's Guide to Data Security and Information Security Compliance and Audits"
    http://www.inin.com/resources/Documents/Beginners-Guide-to-Information-Security.pdf
[11] http://www.guardian.co.uk/commentisfree/2013/jun/20/nsa-surveillance-doctors-lawyers-clients-snooped
[12] Cloud Buyers Guide
    http://www.outsourcing-center.com/requests/index.php?docid=2144
[13] LogicWorks Cloud Compliance Standards
    http://resources.logicworks.net/canyoumanagecomplianceinthecloud.html?source=Website
[14] IEEE Cloud Computing Standards - http://cloudcomputing.ieee.org/standards
    The Cloud Security Alliance - https://cloudsecurityalliance.org/
    Securing Cloud Based Communications - McAfee - http://www.ithound.com/abstract/cloud-computing-cloud-comes-security-17411
    Cloud Standards Wiki - http://cloud-standards.org/wiki/index.php?title=Main_Page
    Hybrid Cloud Future - http://resources.idgenterprise.com/original/AST-0082679_Hybrid_Cloud_Future.pdf
    IT Standards including those applicable to Cloud - http://www.itgovernance.co.uk/standards.aspx

Factfiles

The Institution of Engineering & Technology


Michael Faraday House
Six Hills Way
Stevenage
SG1 2AY
01438 765690 - Policy Department
email: policy@theiet.org
http://www.theiet.org/policy
http://www.theiet.org/factfiles
The IET 2013
Issue 1.0 - July 2013
The Institution of Engineering and Technology is registered as a Charity in England & Wales (no 211014) and Scotland (no SC038698).
