Enterprise cloud strategy: Improve agility while avoiding risk

freshidea - Fotolia

This article is part of our Essential Guide: A CIO's guide to cloud computing investments

Fine-tune your cloud-first strategy with better metrics

Calculating the risks and benefits of a cloud-first strategy is a difficult problem for CIOs with large, complex IT environments. Experts discuss the salient metrics to use.

Some calculations are easy: A small company with a couple racks of servers running a few off-the-shelf applications...

can easily figure out the return on investment for moving to the cloud.

"It's hard to argue in that case that you'll do better with uptime, refreshing systems and performance than with cloud," said technology and cybersecurity strategist Bryce Austin, CEO at TCE Strategy.

But most businesses have a more complex calculation to make when it comes to determining the metrics that can influence a cloud-first strategy and define success, Austin and other advisors said. For them, it's not necessarily a pure apples-to-apples cost comparison.

That's because these organizations have much more complex environments, with a mix of proprietary and customized applications, legacy software and off-the-shelf options. Some of these enterprise applications hold data governed by regulations stipulating where the data can be stored and how it's protected. Some of the apps might need to run constantly while others need to run only periodically or during standard business hours. A handful might run huge volumes of data or send that data back and forth for processing, characteristics that can quickly run up cloud costs and hit snags if there's latency in transmission.

Bryce Austin, CEO, TCE StrategyBryce Austin

All these factors, and more, impact whether organizations are better off keeping an application on premises or putting it in the cloud, experts agreed. However, many organizations simply don't -- or can't -- consider the costs associated with these factors when determining what stays and what goes.

They should, though. Although several leaders in this space said that organizations should still adopt a cloud-first strategy, they stressed that organizations also need to realize that a cloud-first strategy does not mean all-cloud automatically.

"Cloud isn't always the best choice, and I've been surprised there's been so little discussion of that," Austin added.

Now, after a decade or so of enterprise IT experience with cloud computing, IT executives are -- or at least should be -- fine-tuning their cloud strategies by weighing numerous metrics to estimate the total cost associated with a cloud move.

"CIOs are looking at it in a more refined light. It's being redefined as we find out more information," said Jeff Spivey, founder and president of Security Risk Management and board director of ISACA, a nonprofit IS industry association. "An analysis needs to be done, and part of the analysis is understanding all the different risks that could come into play and what are the advantages."

Three areas that should factor into every cloud-first strategy

Analysts said there are no standard formulas or equations to be had when doing this cloud analysis work, and they noted that putting firm numbers around the various risks and benefits to consider is difficult, at best. The complexities of developing effective cloud metrics is  compounded by the fact that many IT shops don't know the actual cost to run an application on premises -- thereby making it hard to do a true cost comparison.

Still, there are some areas that organizations can consider when refining a cloud-first strategy:

  1. Flexibility and agility
Mindy Cancila, analyst, GartnerMindy Cancila

Cloud proponents cite the flexibility to scale up and down with demand changes as a key cloud computing benefit. That's true, but advisors said that's only a benefit if the business has a need for that flexibility. Austin cited the case of a specialty company that does 40% of its annual business during the six-week Christmas period. Buying the year-round capacity would be prohibitive, yet being unable to handle that seasonal spike in volume would be devastating to the company's bottom line, so the metrics clearly tip the scale to cloud. However, others said the cloud metrics for a steady-state application without any spikes doesn't necessarily make cloud the better option.

Flexibility and agility aren't only about scaling up and down with demand. As Gartner research vice president Mindy Cancila pointed out, cloud usually allows businesses to seize on emerging opportunities, such as expanding into new regions more quickly, as well as shortening development cycles to launch new functions and services faster. She said it's hard to quantify agility, but its value needs to be considered when refining a cloud-first policy.

  1. Regulatory and security risks

Risk takes multiple forms, with certain organizations facing specific risks that don't apply to others. So, IT leaders need to determine which potential problems could impact their business and determine how to factor them into their cloud strategy.

Consider, Spivey said, regulatory risks. For instance, the risk of using a cloud provider that can't meet strict European Union regulations regarding data -- and the potential fines levied for violations -- is one cost. On the other hand, an environment that doesn't meet business needs also creates risks -- say, perhaps, from employees using a consumer-grade file-sharing service to access and share documents containing sensitive data. A cloud option there could eliminate costly risk exposure, he said.

Cancila said she advocates for business leaders to create risk assessments that can be used to rate, or grade, applications, on their risk profile. "That helps them identify those applications that carry the least amount of risk for the organization to move to a public multi-tenant environment."

  1. Business impact

Like risk, there are multiple calculations that could come into play here.

What if, for instance, the internet is out and your manufacturing plant can't operate because it doesn't have access to a cloud-based critical app, Austin asked. What are the costs associated with that downtime -- and do they exceed the value of the benefits that cloud computing provides?

Or, consider the business impact of applications that might not move as fast as needed in some cloud environments; that could slow productivity, which has a real and potentially significant financial impact to the business, he said.

Cloud isn't always the best choice, and I've been surprised there's been so little discussion of that.
Bryce AustinCEO, TCE Strategy

"The speed of the internet is a limiting factor compared to having everything in a local data center. With a lot of ERPs and accounting and niche systems, it never occurred to anyone that the users and servers wouldn't be in the same place and without good connectivity. And when you take those to the cloud, you can only move things so fast," Austin said. That issue can be overcome by rewriting applications and creating APIs, he added, but that, too, is another cost to factor into a cloud-first policy.

On the flip side, experts asked, what are the costs of not having capacity to react to new business opportunities that the elasticity of the cloud provides? Would that cost be greater -- or less than -- the costs associated with the scenarios listed above?

Similarly, what's the value of being able to support incubator projects or new marketing initiatives quickly because IT no longer needs weeks -- or months -- to stand up servers in its own data center? "The notion of being able to fail fast has a business advantage," Austin added.

Calculating ratio of cloud to on premises

Even when considering all the multiple cloud metrics that could be calculated, Gartner's Cancila said her firm believes cloud should still be the preferred and promoted option.

But she also acknowledged that this bedrock belief in a cloud-first strategy "does not mean everything goes to the public cloud."

"It's all about finding the right mix of applications for your organization," she said, explaining that for some companies that could mean 90% of the applications are in multi-tenant public clouds while the remaining 10% stay in the data center and that for another organization, it's the complete opposite.

As for companies that still have most of their applications in the data center? They wouldn't be wrong to do so, if they're evaluating their strategies properly, Cancila said.

"They may want to move more [to the cloud] eventually," she said, "but they do that by putting in place assessment criteria to decide the right applications to segue into cloud."

Next Steps

Recent SearchCIO stories by Mary K. Pratt:

Machine learning enlists in the battle against cyberthreats

How to prepare for enterprise robotics

CIOs still stumble on executing IT strategies

Dig Deeper on Cloud computing for business