A Strategic Approach to Cloud Implementation: An Australian Government Perspective

Better Practice Guide
July 2012 (v0.14 draft)

AGIMO is part of the Department of Finance and Deregulation

Disclaimer

This document has been prepared by AGIMO in consultation with other agencies to provide an overarching risk-managed approach for agencies to develop an organisational cloud strategy and implement cloud-based services.

This document and the information contained herein are provided on an “as is” basis and the contributors and the organisations they represent and are sponsored by disclaim all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose.

Links to other websites are inserted for convenience only and do not constitute endorsement of material at those sites, or any associated organisation, product or service.

© Commonwealth of Australia 2012

Apart from any use permitted under the Copyright Act 1968, and the rights explicitly granted below, all rights are reserved.

You are free to copy, distribute and transmit the work as long as you attribute the authors. You may not use this work for commercial purposes. You may not alter, transform, or build upon this work.

Except where otherwise noted, any reference to, reuse or distribution of all or part of this report must include the following attribution:

A Strategic Approach to Cloud Implementation: An Australian Government Perspective, Copyright Australian Government 2012.

Licence: This document is licensed under a Creative Commons Attribution Non-Commercial No Derivs 3.0 licence.

To view a copy of this licence, visit:

Any of the above conditions can be waived if you get our permission. Requests for permission should be addressed in the first instance to

Contents

1. Introduction

2. Establishing strategic direction

2.1 Assess suitability against business needs

2.2 Consider timing and triggers

2.3 Consider financial impacts

2.4 Consider organisational capability

2.5 Manage change

2.6 Review governance

3. Implementing a cloud solution

3.1 Build a business model

3.2 Assess the risks

3.3 Capture requirements

3.4 Build a business case

3.5 Prepare an exit strategy

3.6 Determine contractual terms

3.7 Approach the market

3.8 Select a provider

3.9 Plan for implementation and on-going operations

4. Review the implementation

Attachment 1 – Cloud business management checklist

Attachment 2 – Business case template for a cloud solution

1. Introduction

The Australian Government’s policy on cloud computing is that agencies may choose to use cloud computing services where they provide value for money and adequate security, as stated in the April 2011 Australian Government Cloud Computing Strategic Direction Paper[1] (the Strategic Direction Paper).

Readers new to cloud computing should read the Strategic Direction Paper, which provides an introduction to cloud computing, a definition and an overview of its associated risks and benefits as they apply to Australian Government agencies.

This guide provides an overarching risk-based approach for agencies to develop an organisational cloud strategy and implement cloud services. It is designed as an aid for experienced business strategists, architects, project managers, business analysts and IT staff to realise the benefits of cloud computing technology while managing risks.

Agencies should use this document as the first point in understanding the issues surrounding moving services to the cloud. It focuses on overarching activities and issues, and points to the following better practice guides where appropriate:

  1. Defence Signals Directorate’s Cloud Computing Security Considerations[2];
  2. National Archives of Australia’s Records Management in the Cloud[3];
  3. AGIMO’s Privacy and Cloud Computing for Australian Government Agencies[1];
  4. AGIMO’s Negotiating the cloud – legal issues in cloud computing agreements[1];
  5. AGIMO’s Financial Considerations for Government Use of Cloud Computing[1]; and
  6. AGIMO’s Community Cloud Governance – An Australian Government perspective[1].

This guide contains the following major sections.

Section 2 presents a strategic approach to help agencies identify suitable opportunities to benefit from cloud services, which they can incorporate into their ICT strategy. The approach covers the following key areas: suitability to business needs, timing and triggers, financial impacts, organisational capability and governance.

Section 3 provides implementation guidance across the lifecycle of a cloud solution project. The section addresses business analysis, risk management, business case development, procurement, solution implementation and transition to operation.

Section 4 provides a short list of post-implementation activities for agencies to consider. Attachments include a checklist which follows the layout of this guide and a business case template for cloud solutions.

2. Establishing strategic direction

There are many benefits to be offered by cloud-based services, such as increased scalability, flexibility, availability and productivity. While cloud-based services share similarities with other service delivery models, e.g. managed services, they also offer their own unique opportunities, complexities and risks.

This section presents a coordinated approach that business and ICT managers can take to identify opportunities to benefit from cloud services. The approach includes considering the following:

  • opportunities to benefit from other agency or whole-of-government cloud initiatives;
  • alignment with agency business, ICT and information security strategy and policy;
  • timing and triggers, such as planned system replacements or emerging business requirements;
  • financial considerations, such as impacts on capital and operational expenditure;
  • the ease with which staff members can sign up for and use cloud-based services, e.g. free basic services, without the requisite approvals or controls;
  • the Australian Government’s strategic direction on cloud computing and open government (Gov 2.0)[4];
  • the complexity of integrating cloud-based services with existing processes and technology; and
  • the risks associated with storing and processing information in the cloud, e.g. security and service provision lock-in.

As with any new delivery model, a sensible approach is to target low risk, low value applications or pilots from which the organisation can measure actual costs and benefits, gain insights and draw lessons for future endeavours. The Strategic Direction Paper encourages agencies to adopt public cloud-based services for public facing “unclassified” government services and to undertake proof of concept studies to fully understand the risks of cloud computing.

Agencies should develop a coordinated approach to cloud-based services as an integral component of their ICT strategy and roadmap. Figure 1 shows the various inputs which agencies should consider as they develop such an approach. The following subsections offer guidance for each of the strategic input areas and point to details in the accompanying guides where appropriate.

The Cloud Information Community (CLIC), hosted by AGIMO, helps agencies stay informed of developments in cloud policy and of cloud-based services being used by other agencies. AGIMO strongly encourages agencies to provide details of cloud-based services and lessons learned to the CLIC so that other agencies can factor these into their strategy and implementation programs.

Government agencies should also notify AGIMO when considering cloud-based services, per AGIMO Circular 2011/0011, to help identify solutions that may contribute to whole-of-government initiatives.

2.1 Assess suitability against business needs

Agencies should identify the information types and associated business processes which stand to gain the most from cloud services and assess the impact of moving them to the cloud. The agency’s enterprise architecture diagrams will provide a useful place to start this analysis.

From an information perspective, agencies maintain the same legislative and policy obligation to protect and manage information across the information lifecycle regardless of where it is stored and processed. Such obligation includes compliance with the Protective Security Policy Framework (PSPF)[5] and the Information Security Manual (ISM)[6]. Agencies should take an information security management approach to determine which information sets to transition to cloud services. This approach includes assessing the business impact(s) that could result from the compromise, loss of, or disruption of access to information. The assessment should include the risk posed by data that has been aggregated. The Protective Security Governance Guidelines - Business Impact Levels[7] provides a common tool to assist agencies to assess the business impact for compromises of confidentiality, integrity or availability of individual or aggregated information, ICT systems and other assets.

To assess the types and classifications of information which will best benefit from cloud-based services, agencies should consider the following factors across the information lifecycle:

  • potential adverse impact to the reputation of the Australian Government;
  • potential impact to the governance of information, with particular reference to ownership, stewardship and custodianship responsibilities;
  • potential impact to an agency’s ability to develop flexible business processes that span one or more cloud-hosted solutions and possibly in-house hosted systems;
  • potential impact to agency business processes if a business service or an IT service is transitioned to a cloud solution; and
  • potential impact to business continuity should a cloud solution no longer be available.
  • ability to assure the availability, integrity and confidentiality of information (refer to Cloud Computing Security Considerations and Privacy and Cloud Computing);
  • potential impact to data formats and interoperability;
  • impact on existing architecture and integration with existing systems;
  • potential impact to data access, discovery, archival and destruction;
  • the ability of the agency to maintain legislative and regulatory compliance, e.g. with the Archives Act 1983 (refer to Records Management in the Cloud); and
  • the cloud deployment model (i.e. public, private, community, hybrid) that would be most appropriate.

As part of determining which services are appropriate for the cloud, agencies should consider the business problem or opportunity. When evaluating which end-to-end business services are suitable for the cloud, agencies should consider the services that:

  • have stable and consistent functional requirements;
  • could be readily shared with other agencies with similar needs;
  • have cyclical, seasonal or uncertain demand, and could benefit from added flexibility from the cloud;
  • aren’t highly integrated with in-house applications or other processes;
  • have data formats or portability requirements that are not critical;
  • have manageable business continuity requirements;
  • have discrete components of the end-to-end business process that can be transitioned to the cloud, e.g. public-facing workflows; and
  • have functional requirements that could be met by cloud-based services.

With an understanding of which information and business processes would benefit most from cloud-based services, agencies should assess the technical barriers they will have to address. Factors such as impacts to existing infrastructure (e.g. bandwidth) and enterprise applications apply to even the simplest cloud-based services. Hybrid cloud-based services that integrate with in-house software services will require an in-depth investigation into technical issues such as service orchestration, programming interfaces, data format standards and latency.

2.2 Consider timing and triggers

An agency’s architectural roadmap and project portfolio will provide useful tools to identify the timing and trigger points that present opportunities for the use of cloud-based services. Agencies should consider:

  • business and IT systems scheduled for replacement;
  • planned system implementations/upgrades;
  • requirements for system development/testing where cloud infrastructure could be used;
  • pilots, time-bound or short lifespan projects; and
  • capabilities used only periodically.

Agencies should also seek opportunities to develop/adopt cross-agency or portfolio cloud-based services and/or build on initiatives established by other agencies. AGIMO provides assistance to agencies in finding shared resource solutions and can be contacted at .

2.3 Consider financial impacts

The transition to cloud-based services will have financial and budgetary impacts that agencies must consider at a strategic level. While cloud-based services have the potential to reduce capital expenditure, agencies will have to consider the impacts on their budgets and financial statements.

Any impacts will need to be reflected in the agency’s financial statements. Any reduction in capital spending will need to be reflected in the agency’s capital management plan. Refer to Financial Considerations for Government Use of Cloud Computing for more detailed coverage of this topic.

2.4 Consider organisational capability

The management of cloud-based services requires capabilities similar to those used in typical outsourcing arrangements. That is, agencies will require well-developed skills in project and program management, relationship management, procurement and contract management, and services provisioning and management. Agencies will also need to understand workflow design, cloud architecture and capacity management. Agencies that do not have mature capability in these areas should take a gradual approach to moving to cloud-based services while they develop that maturity. For example, a lack of service management maturity may lead to challenges for the management of service and performance, as with any outsourced arrangement.

Cloud services may require new skills. There may be a decreased need for specialist operation and support skills depending on the nature of the cloud solution. Agencies will also need additional contract management capabilities.

The agency should also have mature capabilities in the areas of enterprise architecture and business analysis to assess and manage changes to its architecture and business processes. A cloud solution will not fix immature business processes or cultural issues.

Agencies should consider the strategic impact that their approach to cloud-based services will have on their organisation structure and skill sets, and implement a plan to mature capabilities in targeted areas.

2.5 Manage change

Agencies can improve the likelihood of successful adoption and user take-up of cloud services by actively keeping stakeholders informed and addressing their concerns. Stakeholder concerns may include:

  • storing information in the cloud;
  • uncertainty with new technology;
  • shifting staff roles;
  • increased dependence on a third party;
  • the possibility of deterioration of customer care or service quality; and
  • loss of control.

Agencies should establish a stakeholder engagement plan, obtain senior executive sponsorship and work closely with key stakeholders to ensure they are kept informed throughout.

2.6 Review governance

Well-defined, effective governance is essential for cloud computing. Agencies should review their governance model to ensure the structure, guidance and controls are adequate. Agencies should consider new or changed roles and responsibilities, such as the addition of cloud service providers (CSPs) and partner agencies for community clouds.

In the case of community clouds, the lead agency may need to review existing memorandums of understanding and establish a cloud computing agreement. The Better Practice Guide: Community Cloud Governance – An Australian Government perspective provides specific guidance on developing governance for community clouds and includes a sample governance structure. The information provided in this guide may translate to other cloud models.

3. Implementing a cloud solution

Implementation activities for a cloud solution are similar to those of an outsourced solution. That is, the agency will have to conduct business analysis, build a business case, source a CSP, and plan and implement the solution, possibly with the assistance of a third-party system integrator. This part of the guide provides advice across the lifecycle of a cloud solution project with the aim of ensuring the cloud solution will:

  • meet business needs in terms of both functionality and performance;
  • provide the expected efficiencies and benefits;
  • adequately protect agency information;
  • comply with legislative and regulatory requirements; and
  • integrate with existing processes and systems.

3.1 Build a business model

The work to develop an agency’s approach to cloud-based services will provide the business context required for candidate cloud-based services. Business analysis activities will be similar to those used for an outsourced solution. Such activities include building a business model and gathering requirements to form the basis for the business case, sourcing, implementation and testing.

The business model will help the agency determine performance and resource requirements, lifecycle cost estimation, and required risk treatment measures. Agencies should consider how they would respond to business continuity and disaster recovery scenarios, such as cloud service disruption or cancellation. These scenarios can later be developed into requirements and plans.

The Australian Government Architecture Reference Models[8], in particular the Performance Reference Model, can be used to identify and define measures to quantify resource utilisation, costs attributed to business process execution and costs to promote the use of output by customers.

The business model must have sufficient detail to estimate cost in terms which can be applied to the CSP’s cost model. For IaaS and PaaS, this might be measured in resource usage per period of time, as for processing, throughput and storage. For SaaS, service might be measured by number of transactions or number of users.

With an understanding of which resources to measure, business analysts should model expected utilisation and potential surge scenarios by considering:

  • user characteristics, e.g. user types/roles, number of users, usage scenarios;
  • data characteristics, e.g. data types, size and quantity;
  • average usage rates, e.g. transactions per second;
  • how usage rates will vary, e.g. upper and lower ranges;
  • where changes to usage rates can be predicted, either at planned times or based on events;
  • how usage will grow or scale over time, perhaps with the number of users; and
  • how usage will change for each system actor, e.g. end user, administrator, batch processes.

Where possible, agencies should validate the model either by comparison to existing systems, with a benchmarking program, or by piloting a solution. Cloud-based services may provide better value for short-term or burst use, but a non-cloud solution may provide more value over the long term, particularly for services with steady loads.