CLOUD
BUYER’S GUIDE
Understanding Cloud and How to Buy It.
This guide was created by Outsourcing Center (outsourcing-center.com) and sponsored by CSC and EMC2.
CSC is a global cloud provider with datacenters on four continents. The Cloud Business creates cloud solutions for the enterprise that are secure, reliable, easy to use, and supported by an innovative business model. Recognized as a market leader by industry analysts, CSC provides the only opex private cloud, CSC BizCloud, billed as a service and ready for workloads in just 10 weeks. CSC BizCloud® and CSC CloudCompute® are VMware vCloud Datacenter Services and built on the VCE Company’s Vblock™ platform featuring software from VMware, compute from Cisco and storage from EMC2.
For the past few years, everybody’s been talking about cloud — for good reason. This new delivery model has changed how companies work and the speed at which they can respond to changing market demands. The fast provisioning, dynamic scalability and the “pay as you go” cost model bring big advantages to business and more fluidity to its users.
This guide was designed to give readers a clear understanding of what cloud computing is, its various delivery models, as well as explain how the pricing structure, SLAs and selection criteria differ from the provisioning of traditional ITO. WHAT IS CLOUD COMPUTING?
The U.S. Government’s National Institute of Standards and Technology (NIST) defines cloud computing this way:
Cloud computing is an IT sourcing and delivery model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service
provider interaction.
What this rather technical definition is saying is that cloud provides computing capability with significantly less user or administrator interaction than is possible with traditional IT functions, or highly-contractualized outsourcing arrangements. THE FIVE CHARACTERISTICS OF THE CLOUD MODEL
The cloud model promotes availability and is composed of these five essential characteristics:
• On-demand self-service – a consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed, automati-cally without human interaction with each service’s provider.
• Broad network access – capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops and PDAs).
• Resource pooling – the provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
• Rapid elasticity – capabilities can be rapidly and elastically provisioned — in some cases automatically — to quickly scale and be rapidly released to scale in.
• Measured Service – cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (for example, storage, processing, bandwidth and active user accounts). Resource usage can be monitored, controlled and reported for customer transparency.
CLOUD COMPUTING DELIVERY TYPES
There are three basic cloud delivery models. Customers may employ one model or a combination of different models in delivery of applications and business services.
TYPE DESCRIPTION
Private or
internal cloud Cloud services are provided solely for an organization and are managed by the organization or a third party — or a combination of both. These services may exist on the customer’s choice of premises. This is similar to a traditional data center environment, but service, like IaaS, PaaS and SaaS, is provided within the cloud capabilities, not complete IT service delivery.
Examples of this service would be CSC BizCloud®.
Public cloud Cloud services are available to the public and owned by an organization selling cloud services, like Amazon, Google, Rackspace, and many other small tactical cloud startup businesses, whether a new or additional business unit.
Typically, a public cloud solution leverages a shared infrastructure service for all customers and may or may not enable the end customer to specify or even identify where data resides or applications are executed.
Hybrid cloud An integrated cloud services arrangement that includes a cloud model and something else. For example, data stored in private cloud or a customer’s database in traditional infrastructure is manipulated by a program running in the public cloud, such as CSC BizCloud®.
TYPES OF CLOUD SERVICES
Three basic types of cloud service offerings are recognized and accepted by the industry.
SERVICE DESCRIPTION
Software as a
Service (SaaS) Enables companies to rent application functionality from a service provider rather than buying, install-ing and runninstall-ing software themselves. Examples include Salesforce.com and Gmail.
Platform as a
Service (PaaS) Provides a platform in the cloud, upon which applications can be developed and executed. Examples include Salesforce.com, through Force. com, Microsoft Azure services, or Google App Engine. Some cloud providers, like CSC, offer PaaS for multiple vendor platforms.
Infrastructure as a
Service (IaaS) Provides compute and storage on demand. Examples include Rackspace, CSC CloudCompute or BizCloud. THE CLOUD VALUE PROPOSITION
Cloud computing provides a three-fold advantage over the traditional ITO model: agility, predictability in costs (including moving expenses from CAPEX to OPEX), as well as potential cost savings, particularly when compared to a non-leveraged model. When a cloud provider is also the managed service provider there are cost benefits relative to labor and the ability to quickly utilize new technology and technology enhancements for efficiency when compared to introducing new technology to traditional ITO.
On the infrastructure management side, the benefits result from the use of a shared, multi-tenant infrastructure or by consolidating a company’s infrastructure through virtualization. On the application run and maintenance side, cloud allows for a more leveraged shared services model for applications with which the supplier has competence and capacity. The cloud provider is passing the efficiencies and effectiveness of the leveraged labor pool that are typically not found in outsourcing, hosting or alternative managed services.
On the application side, the benefits result from an environment that can be quickly established for application development, testing, QA and staging for production. Being able to replicate at a low cost an environment in order to
reconfigure, change, test or stage prior to moving to production is a definite advantage. This saves time, accelerates application development to meet critical business or mission requirements and provides a higher level of quality across the organization.
CAPEX AND OPEX 4-1-1
CAPEX, or capital expenditure, is used by a company to acquire or upgrade physical assets, such as equipment, property or industrial buildings. When this capital expenditure constitutes a major financial decision for a company, the expenditure must be formalized at an annual shareholders’ meeting or a special Board of Directors meeting.
OPEX, which can mean operating expense, operating expenditure, operational expense or operational expenditure, is an ongoing cost for running a product, business or system.
The business advantage of moving an IT model from CAPEX to OPEX is that for those services under OPEX, you only pay for what you use (typically with a minimum buy). This makes it easier to project actual costs: for x users/uses, our costs are going to be y per user/use.
BUSINESS OBJECTIVES FOR ADOPTION
So, why should companies adopt a cloud strategy? The following table details the key drivers.
DRIVER OUTCOME
Business Value • Reduce cost
• Leverage economies of scale
• Provide for per-user/use-cost model
• Enable companies to concentrate on core objectives
• Adopt the use of modern technologies and capabilities to improve the company’s IT value
Operational Flexibility • Rapid provisioning and deployment of services
Operational reliability/
Commodity services, such as messaging and collaboration, or on-demand computing capacity for development and testing, should be the initial focus. These solutions have low-risk barriers to entry and can drive the operational costs down as much as 80 percent, compared to traditional implementations of the same or similar technology.
NEW MODEL — NEW FORM OF RFP
Cloud requires more of a living document of business requirements, containing only those technical requirements that are absolutely necessary. This isn’t a Request for Information (RFI), although it is closer to an RFI than RFP. Instead, companies should create a Request for Solution (RFS). Although this docu-ment may lead to an RFP in some cases, that progression is not a requiredocu-ment. When customers look at a solution in the cloud, they should not be looking for specific technical architectural requirements, unless it is for hosting existing applications. They should be stating their business problem and any specific requirements they may have for that system — such as interconnectivity, middleware, data exchange, generally an SOA that the cloud provider can (or cannot) address.
The specifics of whether an IaaS Windows server instance or network hardware runs on Dell, EMC or any other specific supplier should be superfluous to the overall goal. The provider is guaranteeing a service and availability level. How that is reached should be of minimal concern to the customer.
COMPARING CLOUD PROPOSALS
Because every provider defines a virtual CPU (vCPU) differently, companies must ask some specific questions to adequately compare services in the cloud. When assessing a cloud solution, consider the following:
vCPU
It’s important to understand how the provider is measuring CPU capacity: in gigahertz, number of cores or some other combination. Smart customers should request for providers to compare their measurement to a standard set by the customer, using Intel Xeon X processor as baseline, and how many vCPUs it takes to equal that capacity. Does the provider allow for bursting beyond the contracted capacity — and how is that charged: in the 95th percentile, or is it limited, or is it priced per use? If the customer underutilizes a system, does the customer receive any credit for this, especially in a multi-tenant environment?
RAM
Some vendors are not including RAM as a measured service, because, as a commodity, it is a very small fraction of the total cost. If the vendor is basing compute images off of a matrix of vCPUs and RAM base configurations, ask how much flexibility the vendor has in modifying on demand.
Storage
In the majority of cases, customers should base their cost structure on persistent storage only. It’s important to note that storage includes backup, so customers should ask the provider what backup solution is in place and the cost per GB to store the backup data.
Additional questions should include:
• What are the options for backup frequency?
• Is it differential based or complete backup copies?
• Can it be tiered onsite and offsite?
1. With the introduction of different tiers of storage available via the cloud, what tiers can be leveraged in the cloud?
a. In most cases, Tier 1-2 storage; i.e., high I/O classes typically cannot be moved to offsite cloud capabilities, but a modern storage architecture, supported by solutions such as CSC CloudCompute and BizCloud, allow for leveraging better managed tiering at the VM or application level. b. For Tier 3-4 storage, there is an emerging trend for vendors to move to
cloud-connected offsite backup strategies, replacing what is now delivered via tape and services like Iron Mountain. There are several benefits to these solutions, cost being one, and rapid response to requests for archival data being another. Solutions from vendors like Amazon with its Glacier product, Glacier being an apt name as its SLA for restore operation is in the 4-5 hour range (still much faster than tape), and Quantum’s Q-Cloud, provide long-term offsite storage for costs of approximately $10 per TB, or $0.01 per GB. The biggest issue with these services today is they are not supported by most enterprise backup solutions, as they are new within the second half of 2012. From the perspective of Amazon, it’s highly unlikely for them to provide anything other than an API for third parties to use with existing tools, but Quantum is actively working with VMware and other backup software vendors to integrate these tools; as tape is currently their largest profit area, it makes sense for them to be seen as a leader in the backup space, wherever the backup may be stored.
Network
Network bandwidth can be measured from several different perspectives, so it’s important to understand the differences between them, as well as the costs for each. It is important to accurately estimate the volume of data traffic the solution may require, so either dedicated connections or expansion of current capacity can be planned, prior to implementation:
• Internet-to-cloud hosting
• Corporate-to-cloud hosting
• Usage within the cloud facility (within one data center)
• Usage between one cloud facility and another (between multiple data centers)
• Administrative bandwidth; backup, code updates, etc.
Capacity Planning and Usage
There are two distinct models that are being exercised within the hybrid and private cloud space. They go by several different monikers but are fundamen-tally two ways to arrive at somewhat similar solutions. Why a customer would use one over the other really depends on what the application is, can it take advantage of bursting capacity, and if so, can the bursting capacity be in multi-tenant or dedicated capacity space:
1. Capacity on Demand — This typically will refer to a specific set of circum-stances within the private cloud where a customer reserves a minimum capacity, but can “burst,” sometimes to an upper limit, paying for the additional capacity only when using it. This bursting could be in a dedicated private cloud, sometimes used to refer to reserved capacity where the customer pays an additional fee to have access to the capacity, and some-times to a multitenant arrangement. One of the options from the provider side is to build this capacity but reserve it for multiple clients; if used, it then becomes dedicated. This is potentially a risk, since multiple clients can burst simultaneously and for long periods of time, e.g., e-commerce clients during the holiday season.
2. Guaranteed Capacity — This refers to the customer purchasing a complete “block” of computing resources, but not using all of it due to any number of reasons; however, the capacity has a finite limit. This is especially the case for on-premises clouds, where there is only a limited resource pool, and adding to it will logistically be difficult, either dropping in new capacity nodes or pods, or moving from on premises to a hybrid private cloud, at least temporarily, i.e., scenario 1.
In both of these scenarios, the provider may have a minimum commitment for the customer, either capacity or time frame — typically both, x capacity for a number of months.
It’s also important to note that no provider in the cloud space has an infinite capacity, whether referring to network, compute, or storage. The largest providers may have significant headroom, but if a data center fails, or the customer mix is inherently built on business with unplanned surges, the physical limitation of a cloud infrastructure can be reached. We recommend at least quarterly, if not monthly, reviews with customers and providers to help build a joint understanding of what is coming from both participants. With this practice, surprises are minimized, and more importantly, business functions are not compromised.
Support
The single most important point to consider is the delineation between support from the provider and the customer. In most instances, this management and support ends either at the virtual hardware level or the OS level, with all additional application support provided by the customer.
Another differentiation is how the provider integrates this support with the customer: web, telephone, email or all, and if any premium support options are available. Finally, who pays for OS and application licensing can drastically change the overall cost model, depending on discounts available.
WHAT TO EXPECT IN A CLOUD CONTRACT
Cloud contracts are less complex but also less negotiable than traditional ITO contracts, because customers are buying a bundled service. Here’s what to expect:
• SLAs are typically binary. Customers can choose from several options but can’t customize. If available, customization comes at a cost. Look for a provid-er offprovid-ering sprovid-ervice levels by workload when thprovid-ere is guaranteed allocation vs. pure pay per use with no commitment.
• Support models either include application and OS support or not, with no flexibility to change how that particular provider offers the service. Look for providers that offer support models by workload.
• If it is a pure pay-per-use model, with no minimum monthly spend provided, the provider is less likely to provide support or SLA customization.
• There may be a maximum burst capacity and a premium for this reserved capacity.
Don’t assume that all providers offer disaster recovery (DR) services. While all are required to have offsite versions of all applications, plus a premium for backup intervals, many solutions do not provide a true DR capability, as illustrated by multiple Amazon availability zone crashes in 2012. This isn’t necessarily the fault of the provider, but a failure in informing the customer of the limitations of how the architecture should be deployed.
A typical cloud contract will have little flexibility in negotiating terms and penalties — the only real option in a true cloud implementation will be a credit for downtime, with no enhancements for loss of business critical functionality. This is a key differentiation point for sourcing from a public cloud provider and a cloud implementation “methodology” implemented by a traditional systems integrator, such as CSC, with a higher level of managed service. As referred to previously, pure cloud providers will have little in “value added” services beyond simply providing their product and potentially a minimal amount of implementation assistance, where systems integrators provide much more flexibility, due to their experience in the managed service market, and provid-ing a higher level of application support than pure public cloud players.
SLAs AND LIMITATIONS OF LIABILITY AND WARRANTIES IN CLOUD With cloud, SLAs for true multi-tenant solutions will be very limited in scope. There may be several options at differing price levels between 99–99.9X percent for “system availability.” The key differentiators will be in support capabilities and what metrics measure the availability.
Remedies for downtime will be limited in most cases to credit for the provider’s service, often capped at 50 percent or less of the monthly fee. So in the case of multi-day outages, the provider would at most be responsible for a two-week fee credit. Also, some providers are limiting the credit to a single month, so even in the case where the remedy fee exceeds 50 percent, there can be no carryover between months.
The single most important aspect of any liability and warranty statement revolves around breach of security and loss of personal data. The average cost per user of a data breach is approximately $215, so the liability language in the contract should ensure that the insurance coverage provided by the provider could cover the total fees for a breach where the provider is at fault.
This liability clause must ensure that the provider WILL and MUST allow for a third party to perform a root cause analysis and be bound by the findings of the party. This may need to be negotiated prior to the execution of a contract.
IN SUMMARY
The advent of cloud brings new agility, speed and flexibility to companies. It enables them to contain capital expenditures, reduce operating costs, and scale up and down to meet fluctuating market demands with ease. Cloud’s capabili-ties come from its standardized, multi-tenant delivery mechanism, which means it simply cannot offer the same customization or attributes of traditional ITO. This brief guide was created to help companies gain basic knowledge they need to approach cloud with eyes wide open, so they can make better buying decisions and more clearly identify how cloud fits within their own IT strategies.
GLOSSARY OF TERMS
Bastion Host: a special-purpose virtual machine optionally configured to each Virtual Farm that provides access to a customer’s virtual and/or physical server desktops within the Virtual Farm. The customer accesses the bastion host within a Virtual Farm via a remote desktop connection.
Consumption-Based Pricing Model: model in which provider charges custom-ers based on the amount of service consumed, rather than a time-based fee.
Customer Self-Service: feature that enables customers to provision, manage and end services on their own, without involving the service provider, via a Web portal.
Subscription-Based Pricing Model: model in which customers pay a fee to use a service for a pre-determined time period, often used for SaaS services.
IaaS Customer Management Portal: a Web server-based provisioning interface that allows the customer to create Virtual Farms along with virtual and physical computing, storage and networking elements within the IaaS Utility Infrastructure.
IaaS Utility Infrastructure: a multi-tenant on-demand computing environment that allows a customer to create a computing infrastructure. That computing infrastructure will include hardware and company-developed software at a company-provided data center.
Virtual Farm: an allocation of IaaS elements that includes the following: virtual firewall, virtual load balancer, a two-tiered network space that includes a DMZ network with up to 100 host IP addresses and a trusted network with up to 50 host IP addresses. Each Virtual Farm created by the customer is capable of supporting 3,900 concurrent connections. Each Internet connection established to the DMZ network of a Virtual Farm and each connection established between the DMZ network and the trusted network within a Virtual Farm counts as a concurrent connection.
Worldwide CSC Headquarters The Americas
3170 Fairview Park Drive Falls Church, Virginia 22042 United States +1.703.876.1000 Asia 20 Anson Road #11-01 Twenty Anson Singapore 079912 Republic of Singapore +65.6221.9095 Australia Level 6/Tower B 26 Talavera Road Macquarie Park, NSW 2113 Sydney, Australia +61(0)2.9034.3000
Europe, Middle East, Africa
Royal Pavilion Wellesley Road Aldershot, Hampshire GU11 1PZ United Kingdom +44(0)1252.534000 About CSC
The mission of CSC is to be a global leader in providing technology-enabled business solutions and services.
With the broadest range of capabilities, CSC offers clients the solutions they need to manage complexity, focus on core businesses, collaborate with partners and clients and improve operations.
CSC makes a special point of understand-ing its clients and provides experts with real-world experience to work with them. CSC leads with an informed point of view while still offering client choice.
For more than 50 years, clients in industries and governments worldwide have trusted CSC with their business process and information systems outsourcing, systems integration and consulting needs.
The company trades on the New York Stock Exchange under the symbol “CSC.”
CSC, CSC CloudCompute, CSC BizCloud and all CSC logos are trademarks or registered trademarks of CSC. All other product and service names mentioned are the trademarks of their respective companies.
© 2012 Computer Sciences Corporation. All rights reserved.
