OPEN DATA CENTER ALLIANCE SM USAGE MODEL: CLOUD MATURITY MODEL REV. 2.5

OPEN DATA CENTER

ALLIANCE ^SM USAGE MODEL:

CLOUD MATURITY MODEL REV. 2.5

Version Date Editor Description of Change

Contributors

The following individuals from the Open Data Center Alliance have contributed to the contents of this document:

Christoph Jung – T-Systems Christophe Gevaudan - UBS Matt Estes – Disney Corporation Catherine Spence – Intel

Pankaj Fichadia – National Australia Bank (NAB)

Ryan Skipp – T-Systems

OPEN DATA CENTER ALLIANCE : Page 2 of 17

CONTENTS

Contributors ... 1

Legal Notice ... 3

Executive Summary ... 4

Overview of the Cloud Maturity Model ... 5

Description of the Cloud Maturity Model ... 5

Terminology ... 7

Cloud Maturity Model – Progression (Overall) ... 8

Cloud Maturity Model – Business Perspective ... 9

Cloud Maturity Model – Technology Perspective ... 9

Cloud Maturity Model – Progression (Service Model-based) ... 10

Maturity and Quality ... 14

Self-Assessment: ... 14

Cloud Adoption Roadmap ... 16

Conclusion... 16

OPEN DATA CENTER ALLIANCE : Page 3 of 17

Legal Notice

© 2012-2013 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.

This “Open Data Center Alliance ^SM Usage Model: <Document Title>” document is proprietary to the Open Data Center Alliance (the “Alliance”) and/or its successors and assigns.

NOTICE TO USERS WHO ARE NOT OPEN DATA CENTER ALLIANCE PARTICIPANTS: Non-Alliance Participants are only granted the right to review, and make reference to or cite this document. Any such references or citations to this document must give the Alliance full attribution and must acknowledge the Alliance’s copyright in this document. The proper co pyright notice is as follows: “© 2012-2013 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.” Such users are not permitted to revise, alter, modify, make any derivatives of, or otherwise amend this document in any way without the prior express written p ermission of the Alliance.

NOTICE TO USERS WHO ARE OPEN DATA CENTER ALLIANCE PARTICIPANTS: Use of this document by Alliance Participants is subject to the Alliance’s bylaws and its other policies and procedures.

NOTICE TO USERS GENERALLY: Users of this document should not reference any initial or recommended methodology, metric, requirements, criteria, or other content that may be contained in this document or in any other document distributed by the Alliance (“Initial Models”) in any way that implies the user and/or its products or services are in compliance with, or have undergone any testing or certification to demonstrate compliance with, any of these Initial Models.

The contents of this document are intended for informational purposes only. Any proposa ls, recommendations or other content contained in this document, including, without limitation, the scope or content of any methodology, metric, requirements, or other criteria disclosed in this document (collectively, “Criteria”), does not constitute an endorsement or recommendation by Alliance of such Criteria and does not mean that the Alliance will in the future develop any certification or compliance or t esting programs to verify any future implementation or compliance with any of the Criteria.

LEGAL DISCLAIMER: THIS DOCUMENT AND THE INFORMATION CONTAINED HEREIN IS PROVIDED ON AN “AS IS” BASIS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE ALLIANCE (ALONG WITH THE CONTRIBUTORS TO THIS DOCUMENT) HEREBY DISCLAIM ALL REPRESENTATIONS, WARRANTIES AND/OR COVENANTS, EITHER EXPRESS OR IMPLIED, STATUTORY OR AT COMMON LAW, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A

PARTICULAR PURPOSE, TITLE, VALIDITY, AND/OR NONINFRINGEMENT. THE INFORMATION CONTAINED IN THIS DO CUMENT IS FOR INFORMATIONAL PURPOSES ONLY AND THE ALLIANCE MAKES NO REPRESENTATIONS, WARRANTIES AND/OR COVENANTS AS TO THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF, OR RELIANCE ON, ANY INFORMATION SET FORTH IN THIS

DOCUMENT, OR AS TO THE ACCURACY OR RELIABILITY OF SUCH INFORMATION. EXCEPT AS OTHERWISE EXPRESSLY SET FORTH HEREIN, NOTHING CONTAINED IN THIS DOCUMENT SHALL BE DEEMED AS GRANTING YOU ANY KIND OF LICENSE IN THE DOCUMENT, OR ANY OF ITS CONTENTS, EITHER EXPRESSLY OR IMPLIEDLY, OR TO ANY INTELLECTUAL PROPERTY OWNED OR CONTROLLED BY THE ALLIANCE, INCLUDING, WITHOUT LIMITATION, ANY TRADEMARKS OF THE ALLIANCE.

TRADEMARKS: OPEN CENTER DATA ALLIANCE ^SM , ODCA ^SM , and the OPEN DATA CENTER ALLIANCE logo ^® are trade names,

trademarks, and/or service marks (collectively “Marks”) owned by Open Data Center Alliance, Inc. and all rights are reserved

therein. Unauthorized use is strictly prohibited. This document does not grant any user of this document any rights to use an y of

the ODCA’s Marks. All other service marks, trademarks and trade names reference herein are those of their respective owners.

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 4 of 17

OPEN DATA CENTER ALLIANCE ^SM USAGE MODEL:

Cloud Maturity Model REV. 2.5

Executive Summary

The Open Data Center Alliance has identified the need for a Cloud Maturity Model (CMM), which organizations can apply in order to:

1. Support the development of a balanced cloud strategy in any organization

2. Enable the understanding of all dimensions that constitute cloud maturity, from the perspective of both the consumers and the provider of cloud services

3. Enable the development of focused investment initiatives, to move selected cloud capabilities to target maturity levels

4. Steer inputs and priorities relating to cloud service usage and adoption

5. Update the usage models to identify characteristics and artifacts that enable an organization to increase their cloud maturity and service success through cloud service adoption

6. Maximise their potential to achieve the expected benefits of Cloud, to an acceptable degree

The ODCA Cloud Maturity Model maps cloud maturity from two key perspectives: business capabilities and technology

capabilities. It also maps maturity levels for the individual cloud service models: SaaS, PaaS, IaaS, and Information -as a Service.

The business capabilities perspective of the CMM provides a comprehensive view of the maturity model's stages through the lens of "business use of the cloud." This perspective includes a mix of cloud service models, cloud deployment models, and cl oud capabilities across four business categories: governance and strategy, organization, project skills, and portfolios and services.

The technology capability perspective of the CMM provides a similar comprehensive view of an organization's cloud maturity, but does so through the lens of cloud and ICT technology.

The cloud service model perspective explores an organization's maturity across each of the individual cloud service models: S aaS, PaaS, IaaS, and Info-aaS.

These perspectives on cloud maturity offer a way for each unique organization to plot its maturity across the perspective (or perspectives) that best suits its business needs. Some organizations are staffed and organized (or targeted toward business models) where one or more of the cloud service models are of little value or produce an inverse total cost of ownership. These organizations can assess their maturity across the cloud service model that is applicable to their organization, without the added complexity of the service models that do not apply.

In cases where an organization will use two or three cloud service models in combination, the model offers an opportunity to plot maturity across SaaS, PaaS, IaaS, and Info-aaS independently.

The ODCA Cloud Maturity Model supports multiple perspectives in order to accommodate the variety of cloud adoption patterns that different organizations will encounter. The objective of the Maturity Model is to ensure that the necessary elements to support the achievement of the expected cloud benefits are in place. For example, if one is looking to achieve "speed", then a fair degree of automation and process integration need to be in place - the Maturity model addresses these areas directly. Other benefits arising from the use of cloud technology include:

Capability - new features and functions for the business that don't have to be self-developed

Efficiency - re-use of standard designs and solutions with co-ordinated development, operations and support Velocity - ability to change and deploy services in near-real time

Flexibility - ability to scale and change services to align to dynamic business needs

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 5 of 17 Quality - increased focus on standardized services, engineered, operated and supported consistently across the

enterprise

The CMM identifies five levels of cloud maturity. It is not necessary for an organization to aspire to CMM Level 5 in all cases- different levels in the different capability areas may be quite acceptable and may meet that organization's requirements adequately. It is up to each organization to determine for itself where it wants to be, and what actions and enablers will take it there, per capability.

In addition, a mix of legacy, private and hybrid clouds providing infrastructure as a service (IaaS), platform as a service ( PaaS), or software as a service (SaaS) is quite acceptable. The same is true for IaaS, PaaS, and SaaS. CMM 5 does NOT dictate pure public or SaaS-based systems. It describes a managed set of controls, processes, and systems to help to consistently manage cloud services in line with business priorities, with sustained and organizationally aligned processes.

As an organization progresses through introspection in regard to the above, it is common to identify islands of excellence, i n contrast to other areas that have lower maturity. This is normal and an indication of being at CMM 1. A consolidated, cohesive organizational cloud strategy will enable consistent measurement and rating of the whole organization.

Legacy environments will not go away. They add value for many years and should not detract from an organization having a cohesive and effective cloud strategy and strong cloud maturity achievement. Everything does NOT have to be on a federated cloud for an organization to be in the more mature rating levels. Having identified consistent frameworks and controls that enable selected business systems, according to a defined set of categorization, to be run according to a defined strategy in the cloud, representing the characteristics and artifacts identified in the CMM model, could also result in a high CMM rating.

Overview of the Cloud Maturity Model

The CMM provides an end-to-end visualization for how the use of cloud in the enterprise develops over time (adoption roadmap) and how the enterprise’s ability to adopt cloud-based services within defined governance and control parameters increases.

As it matures, the use of cloud becomes more sophisticated, comprehensive, and optimized. The CMM plots the progression of structured cloud service integration from a baseline of no cloud use through five progressive levels of maturity, as shown in Figure 1.

Figure 1. The cloud maturity model has five progressive levels of maturity.

Description of the Cloud Maturity Model

Figure 2 gives a summary description of each maturity level. It does not d ifferentiate between the various types of cloud

technology, cloud methodologies, or cloud deployment models. Each of these factors will be taken into account as the

progressive levels of cloud maturity are explored in detail.

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 6 of 17

Figure 2. Descriptions of each level of the cloud maturity model.

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 7 of 17

Terminology

Table 1 lists the standard terms and corresponding descriptions that are used in this document.

Table 1. Terms and descriptions.

Term Benefits Description

Architecture  Flexibility

 Compliance

A defined architecture for public and private clouds, through all layers, including business processes.

Classification  Compliance  Data - Defined requirements for handling data throughout its lifecycle according to business value.

 Applications - Defined requirements for handling data throughout its lifecycle according to business value.

Federation  Flexibility  Security - Security domain is structured to include public- and private-based infrastructure as a service or platform as a service.

 Data - Organization’s data is distributed in a structured, consistently managed way across multiple clouds.

 Processes - Organization’s data is distributed in a structured, consistently managed way across multiple clouds.

Identity and Access Management

 Simplify Security domain is structured to enable public- and private-based user access in a managed standard way.

Information as a Service (Info-aaS)

 Flexibility

 Velocity

Metadata and defined access, which enables data to be used to support business decision making, new product identification, and other important “Big Answers” for business.

Infrastructure as a Service (IaaS)

 Velocity

 Cost

 Simple - Single standalone virtual machine (VM).

 Complex - Multi-VM system with network elements; for example, load balancing and firewalls.

Integrated  Simplified Core design process and standard for all system elements.

Orchestration  Automated A tooling layer for handling service deployments, consisting of workflows and work packages.

Platform as a Service (PaaS)

 Velocity  Simple - Single app on a single VM.

 Complex - Multi-VM based app with network load balancing, clustering, disaster recovery (DR).

Policies  Compliance A defined set of policies for handling all aspects of cloud usage, including data protection, applications, risks, and requirements.

Processes  Compliance A defined set of processes for handling all aspects of cloud usage, including migrations, data lifecycle, risks, and exceptions.

Risk Management  Compliance

 Risk

 Corporate - Company-specific requirements defined in the context of cloud.

 Country - Country-specific requirements defined in the context of cloud.

 Industry - Industry-specific requirements defined in the context of cloud.

Security  Compliance Security domain is structured to enable public- and private-based service access in a managed

standard way.

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 8 of 17

Term Benefits Description

Service Delivery Management

 Managed Human interfaces are appointed, with supporting governance and processes, to manage the interface between business users and cloud providers, taking care of translating service detail and other incidents, problems, and reporting between the parties.

Software as a Service (SaaS)

 Velocity  Simple - Single app on a single VM.

 Complex - Multi-VM-based app with network load balancing, clustering, DR.

Transition and Transformation

 Velocity

 Cost

 Transition - Migration from a legacy platform onto cloud.

 Transformation - Migration from a legacy design to take advantage of cloud benefits.

Cloud Maturity Model – Progression (Overall)

Progression through the various maturity levels is based on the evolution of a number of parallel capabilities, as described in the following figures. The result is represented by an inferred resulting maturity, roughly mapped as follows:

CMM 1. The existing environment is analyzed and documented for initial cloud potential. Pockets of virtualized systems exist, for limited systems, without automation tooling, operated under the traditional IT and procurement processes. Most of the landscape still runs on physical infrastructure. The focus is on the private cloud, although the public cloud is used for niche applications.

CMM 2. IT and procurement processes and controls are updated specifically to deal with cloud and who may order services and service elements and how. Private cloud is fully embraced with physical-to-virtual movement of apps and the emergence of cloud-aware apps.

CMM 3. Tooling is introduced and updated to facilitate the ordering, control, and management of cloud services. Risk and governance controls are integrated into this control layer, ensuring adherence to corporate and country requirements.

Complementary service management interfaces are operational. More sophisticated use of SaaS is evident, and private PaaS emerges.

CMM 4. Online controls exist to manage federated system landscapes, distributed data and data movement, federated and distributed application transactions, and the cross-boundary transitions and interactions. Defined partners and integration exist, enabling dynamic movement of systems and data, with supporting tool layer integration (for example, service desk, alerting, commercial systems, governances). Cloud-aware apps are the norm and PaaS is pervasive. Hybrid apps develop across cloud delivery models.

CMM 5. All service and application deployments are automated, with orchestration systems automatically locating data and applications in the appropriate cloud location and migrating them according to business requirements, transparently (for example, to take advantage of carbon targets, cost opportunities, quality, or functionality).

The CMM levels enable the realization of a number of cloud characteristics described below, which in turn translate into the enablement of business functionality and value. These business outcomes are the recommended results of positioning capabilities within the various CMM levels: capability gains, efficiency gains, quality gains, and velocity gains, which ultimately result in powerful business strategy enablement.

Federated. Federation refers to the ability of identity and access management software to be able to securely share user identities and profiles. This ability allows users within a specific organization to utilize resources located in multiple cl ouds without having to generate separate credentials in each cloud individually. IT is able to manage one set of identities,

authorizations, and set of security review processes. From the user perspective, this enables seamless integration with syste ms and applications.

Interoperable. There are two key concepts of interoperability: (1) The ability to connect two systems that are concurrently

running in cloud environments, and (2) the ability to easily port a system from one cloud to another. Both involve the use of

standard mechanisms for service orchestration and management, enabling elastic operation and flexibility for dynamic

business models, while minimizing vendor lock-in.

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 9 of 17 Open Standards. The term “open” refers to both software and standards. Open source software operates at a fast rate of change

supported by diverse, vibrant community updates. These frequent update cycles provide access to the latest features and capabilities, including performance and efficiency improvements. The use of common APIs or abstraction layers makes it easier for end users to rapidly consume cloud services from different providers to meet business requirements. Even if the software is not open source, it should adhere to open standards, in order to maximize the benefits of cloud deployment.

Cloud Maturity Model – Business Perspective

The business capabilities perspective, shown in Figure 3, plots cloud maturity across the five maturity levels through four business capabilities.

Business strategy. Contains capabilities such as business motivation, expected benefits, guiding principles, expected costs, and funding models. Capabilities such as service selection and service-level agreements (SLAs) also gain relevance in cloud initiatives.

Organization and skills. Contains capabilities related to the development of organizational competency around cloud computing, including organizational structure and skills development, as well as executive sponsorship and organizational authority.

Governance. Contains capabilities related to the governance structures and processes that support and guide the cloud efforts.

These capabilities include policy management, risk management, and auditing capabilities. The maturity and adoption of adequate governance is a leading indicator of the overall success of a cloud computing strategy.

Projects, portfolios, and services. Contains capabilities related to the planning and building of cloud services, and the management of the portfolio of services.

Figure 3. The business capabilities perspective of the cloud maturity model.

Cloud Maturity Model – Technology Perspective

The technology capabilities perspective, shown in Figure 4, plots cloud maturity across the five maturity levels through four technology capabilities:

Operations, administration, and governance. Contains capabilities related to the post-deployment aspects of cloud service: the operations, administration, and management aspects of the cloud environment. This technology capability includes

capabilities for the delivery of self-service functions and change management.

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 10 of 17 Information. Contains capabilities related to the information aspects of cloud, such as metadata management, as well as

customer entitlements and data durability.

Infrastructure. Contains capabilities related to the service infrastructure and tools that provide the technical foundation for the cloud initiative. Shared services, provisioning, and model packaging are particularly important in cloud infrastructure.

Architecture. Contains capabilities related to the definitions of the overall architecture and guidelines for various practitioners to ensure adherence to the architecture. Capabilities fundamental to cloud architectures such as resource pooling,

interoperability, and self-service are considered in the model.

Figure 4. The technology capabilities perspective of the cloud maturity model.

Cloud Maturity Model – Progression (Service Model-based) Iaas Maturity

Not all organizations will use IaaS at the same rate of adoption (see Figure 5). There will be organization -centric paths taken to benefit from the cloud service model, depending on business needs, the problems being solved, the organization’s maturity level, the regulatory landscape, and strategic considerations.

The following defines the CMM progression levels specific to cloud service models. The objective is to support an assessment of cloud adoption maturity for specific service models that may be most relevant to an organization’s needs.

CMM 1 - Internal organization-based virtualization.

CMM 2 - Selected business processes and functions leverage IaaS facilities from service providers, with e arly and developing focus on managed services.

CMM 3 - Deployment of complex IaaS services across managed service providers and internal private clouds providing IaaS services.

CMM 4 - Hybrid cloud environments for IaaS are maturing, and business demand drives an effective use of hybrid clouds in a dynamic and seamless fashion.

CMM 5 - IaaS services across private clouds and public clouds are leveraged through high maturity within interoperability,

federation, and open standards. The focus is on multi-provider SLAs for reliability, meeting business demand, interoperability,

and business benefits through selection of the appropriate services based on cost, capacity, need, and control requirements.

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 11 of 17

Figure 5. Infrastructure-as-a-service adoption based on the cloud maturity model.

PaaS Maturity

Not all organizations will use PaaS at the same rate of adoption (see Figure 6). There will be organization -centric paths taken to benefit from the cloud service model, depending on business needs, the problems being solved, the organization’s maturity level, the regulatory landscape, and strategic considerations.

The following defines the CMM progression levels specific to cloud service models. The objective is to support an assessment of cloud adoption maturity for specific service models that may be most relevant to an organization’s needs.

CMM 1 - Internal use of simple PaaS services within an organization.

CMM 2 - Rapid and deep use of PaaS within the organization, with multiple departments using the services. St andards are developing and maturity.

CMM 3 - Complex PaaS within the organization and through the use of PaaS provided by service providers.

CMM 4 - Existing applications and architectures are modified and streamlined to leverage the benefits of PaaS mod els.

CMM 5 - All application and service deployments are automated, with orchestration systems automatically locating data and

applications in the appropriate cloud location, and migrating them according to business requirements, transparently (for

example, to take advantage of carbon targets, cost opportunities, quality or functionality).

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 12 of 17

Figure 6. Platform-as-a-service adoption based on the cloud maturity model.

SaaS Maturity

Not all organizations will use SaaS at the same rate of adoption (see Figure 7). There will be organization-centric paths taken to benefit from the cloud service model, depending on business needs, the problems being solved, the organization’s maturity lev el, the regulatory landscape, and strategic considerations.

The following defines the CMM progression levels specific to cloud service models. The objective is to support an assessment of cloud adoption maturity for specific service models that may be most relevant to an organization’s needs.

CMM 1 - Organization makes opportunistic use of SaaS for tactical needs. The service-oriented architecture is basic and developing.

CMM 2 - Depth of SaaS penetration increases, with further business value gained from the use of applications that go across cross-functional roles and departmental boundaries.

CMM 3 - Organizations deploy SaaS for mission-critical business, functional value chain across internal needs, and customer- facing business use cases.

CMM 4 - Value is derived from the integration between SaaS applications, creating end-to-end business processes that generate value across SaaS applications and functions.

CMM 5 - Integration across business partners is based on federated, open, and interoperable cloud environments. All service and application deployments are automated, with orchestration systems automatically locating data and applications in the appropriate cloud location and migrating them according to business requirements, transparently (for example, to take advantage of carbon targets, cost opportunities, quality, or functionality.) The SaaS environment is managed across the lifecycle of selection,

provisioning, integration, operation, and decommissioning.

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 13 of 17

Figure 7. Software-as-a-service adoption based on the cloud maturity model.

Information-as-a-Service Maturity

Not all organizations will use Info-aaS at the same rate of adoption (see Figure 8). There will be organization-centric paths taken to benefit from the cloud service model, depending on business needs, the problems being solved, the organization’s maturity level, the regulatory landscape, and strategic considerations.

The following defines the CMM progression levels specific to cloud service models. The objective is to support an assessment of cloud adoption maturity for specific service models that may be most relevant to an organization’s needs.

CMM 1 – Organization explores information-as-a-service concepts, but remains largely on traditional data and information systems.

CMM 2 – An information-as-a-service architecture is defined, with a focus on enterprise services and an understanding of data across the enterprise.

CMM 3 – Enterprise governance plays an increasing role, master data management and data quality are matured, and analytics progress to advanced stages.

CMM 4 – Interfaces and enterprise collaboration allow federated query capabilities, private internal data supp ly chains emerge.

CMM 5 – Organization reaches a state of mature information-as-a-service, with advanced semantic capabilities, internal/external

data supply chains, a catalog-driven workload, governance-driven orchestration, and self-healing data processing capabilities.

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 14 of 17

Figure 8. Information-as-a-service adoption based on the cloud maturity model.

Maturity and Quality

In context of Maturity, it is important to keep in mind that Maturity is different to Quality. Increased Maturity does not necessarily mean increased quality – one can buy a service or product that are rated on high or low qualities – but which are appropriate to the business need. Having increased maturity allows one to maximize the advantage and benefits gained from such services. Typically Maturity relates to processes, governance, integration levels, blueprint prevalence, and these all lead to sustainability and repeatability, along with effectiveness. The differences are represented by means of the following table, with Bronze/Silver/Gold/Platinum quality levels representing a particular service quality, which may relate to additional functions and features built into the service:

The “X’s” identify that there is potentially some correlation in terms of a relationship between quali ty and maturity.

Self-Assessment:

In order to assist organizations to assess their own maturity and identify potential development areas (which lead to potential

investments), the ODCA has developed a questionnaire which addresses with the various areas wi th a question, and 5 potential

answers. The questionnaire identifies appropriate target states for the realization of specific benefits, in context of the specific

business. One can then assess the real state of the organization, and represent the develo pment gaps where investment is

required. Such an example is as follows:

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 15 of 17

The maturity level is usually set in context of business objectives, and the resulting benefits sought. These objectives are often in context of the following:

Business Context Typical Responses to Business Context

Growing OR

Maintaining a flat line, but preparing new products to innovate past the competition

Identify new opportunities and existing problems and adopt innovative new services and solutions to address these. Services could be contracted with external providers or adopted through mergers and acquisitions.

Create additional capacity for new business and products by investing in additional infrastructure (typically achieved through adding CAPEX).

Create additional capacity for new business and products by using existing infrastructure (that is, improve OPEX).

Maintaining a flat business line Reduce costs by optimizing existing systems and thereby reducing existing operational costs.

Decide to maintain all systems and operational costs as-is (this is rare).

Losing business Reduce costs by optimizing existing systems and thereby reducing existing operational costs.

Identify non-core systems and consolidate or optimize them. Also reduce non-essential functionality as necessary, to reduce operational and infrastructure costs.

Outsource non-core systems and convert to a pay-as-you-go system, with flexibility for

rapid capacity changes (up or down)

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 16 of 17 Selling assets to reinvent itself out

of a downward spiral

Identify non-core systems and consolidate or optimize them. Also reduce non-essential functionality as necessary, to reduce operational and infrastructure costs.

Outsource non-core systems and convert to a pay-as-you-go system, with flexibility for rapid capacity changes (up or down)

Eliminate all spare unused capacity.

Modularize non-core functionality into sellable or outsourceable units.

Test company rules or restrictions against using alternative pay-as-you-go options such as public cloud for email and web services

Refinance assets for a short term CAPEX injection, through an outsource or lease-back arrangement.

The Questionnaire mentioned previously, is a sample to support organizations in performing self-assessments of their cloud readiness levels, and ability to achieve maximum value from cloud based services.

It must be noted though – sampling one department or just the IT organization is not a true representation of the companies’

cloud maturity or readiness to maximize cloud benefits – some complexity lies in analyzing how and why the business will apply cloud services, mapping the various involved departments, and then assessing each of them using appropriate questions from th e questionnaire – from the business unit, through finance, procurement, risk management, project organization, IT, and the partner services.

Cloud Adoption Roadmap

The cloud adoption roadmap provides an end-to-end visualization for how the technical use of cloud technologies in the enterprise develops over time. As technical implementation matures, the use of cloud becomes more sophisticated, comprehensive, and optimized. Based on ODCA industry experience, many large enterprises are progressing using the same overall trajectory but at different rates of adoption. A typical technical adoption roadmap is represented in Figure 9 below.

Figure 9. A typical technical adoption roadmap.

This adoption roadmap gives context to technical planning and assists organizations in quantifying existing deployments and the steps that following from that point.

Conclusion

When an organization’s technology and business strategies align to meet the objective cloud maturity level for that organization,

an organization should achieve a federated, interoperable, and open cloud environment that delivers the expected benefits. This

in turn will enable the expected business value that cloud services should represent to that organization: capability gains,

OPEN DATA CENTER ALLIANCE : Cloud Maturity Model Rev. 2.5 Page 17 of 17

efficiency gains, quality gains, flexibility increase, and velocity gains, which ultimately result in powerful business strategy

enablement.

Quality Tier Bronze Silver Gold Platinum

Description

Description Represents the lower- end enterprize security requirement and may equate to a higher level for a small to medium business customer

Represents a standard level of enterprize security likely to be evident in many enterprises

Represents a stronger level of security that would normally be associated with the processing of sensitive enterprize data.

Represents the highest level of contemplated enterprize requirements

Example

Development environment Test environment; “out-of-the box”

production environment

Financial Services sector production environment

Special purpose, high-end security requirement (e.g. military)

NOTE: Every following Quality level assumes ALL characteristics of previous Quality level are already in place, starting with Bronze, and graduating up to Platinum

Every following CMM Level assumes that all characteristics of the previous CMM Levels have been fulfilled already, starting with CMM 2, and graduating up to CMM 5

• Bronze level: segregation of data through access rights (database privileges) within shared resources (e.g. applications, databases)

• Silver level: additional segregation through multi-tenancy of resource structures (e.g. own database plan/schema on database server) on a shared virtual machine (VM).

• Gold level: separate runtime instances and virtual machines (e.g. own Operating System (OS), databases, applications) on shared hardware, but all tenants at Gold level

• Platinum level: physically separated instances of hardware, VMs, OS, databases and applications per cloud subscriber.

The CMM Levels are based on the following concepts:

CMM Level CMM 1 CMM 2 CMM 3 CMM 4 CMM 5

Description Initial Repeatable Defined Managed Optimized

Result

Initial efficiency gains Capability gains Efficiency gains Increased Velocity, Increased Quality Cloud based systems aligned to and

enabling Business Strategy, pro-actively

These are then combined as follows:

CMM 1 CMM 2 CMM 3 CMM 4 CMM 5

Bronze Silver Gold Platinum Action plan to graduate to next CMM Level

Describes the actions to get from this, to the next CMM level

Describes the actions to get from this, to the next CMM level

Describes the actions to get from this, to the next CMM level

Describes the actions to get from this, to the next CMM level

An additional possibility, but NOT prescriptive, could be as follows with respect to applicability

CMM 1 CMM 2 CMM 3 CMM 4 CMM 5

Bronze X X X X

Silver X X X X X

Gold X X X X

Describes the characteristics of this Quality Level Describes the characteristics of this Quality Level

Cloud Service Maturity Level

Maturity Describes the characteristics of this Quality Level

Describes the characteristics of this Quality Level

Area Assessment question

CMM 1:

(Initial) Initial efficiency gain

CMM 2:

(Repeatable) Capability gains

CMM 3:

(Defined) Efficiency gains

CMM 4:

(Managed) Increased velocity, increased quality

CMM 5:

(Optimised) Cloud based systems aligned to and enabling Business Strategy, pro-actively

Desired Business level Benefit

Benefit Rating (rate each in importance using numbers 1 to 5 (1

= most important, 5 = least important)

CMM Curent Status Analysis Result

CMM Target Level

Sought Audience Benefits

Recommended Action focus area to yourself

Does a formal enterprize level strategy exist positioning the use of

cloud based services? No Yes, but with ad-hoc adoption

Well communicated throughout the organisation and signed off by all key

stakeholders

Guides all new system deployments and technology renewals as "the rule".

The coverage is measured by means of tracked KPI's.

The cloud strategy enables the growth and optimisation of business outcomes across the Enterprise. The strategy is revised on a regular basis, according to a defined

timeframe.

Capability Efficiency Velocity Flexibility Quality

………...

…………

…………

…………

…………

Strategy department

- a strategy gives guidance to the company - Measuring services which comply to the strategy ensures the usage and shows needed improvements to the strategy.

- a revised strategy reacts to new cloud possibilities

Incentive System for Cloud adoption

General innovation framework exists, but does not address cloud concepts

specifically

Ideas are evaluated, by the experts, without management support.

Employees receive responses to their idea.

An idea management process exists which is orientated towards cloud, with an

incentive scheme for employees.

An incentive scheme exists and employee measurement (where appropriate) aligns to the achievement of this strategy

# of Ideas and success is measured. The process is evaluated on a regaular base.

Strategy department - the employees with work on a topic have usually the best ideas how to improve it.

- An incentive systems motivates additional effort.

- KPI's document the success of the strategy

People, Process

Is there a Cloud Adoption Framework

The current application landscape has been analyzed for possible cloud migration.

Classification framework for all Business Applications & Data, with all apps

considered for cloud, classified

A cloud service adoption plan exists, with Milestones defined, planning, and budget.

The use and success of the framework is managed by means of KPI's

New opportunities offered by cloud services are evaluated and included in the Cloud Adoption Framework on a regular basis.

Strategy department, Cloud Architects

- a common framework ensures efficient manageable services.

- only a clearly defined area of knowledge has to be developed.

Is Organisational Change planned, in order to enable cloud effectiveness?

Impacts on some affected teams have been identified

Planning and design of structure updates done, to improve cloud adoption

Structured implementation plan for updated organisation

All partners integrated into organisational plan, with roles & responsibilities defined

Organisational culture includes high performance aspect, to take advantage of technology opportunities in all initiatives

Strategy department, HR Department

- Cloud benefits might change role definitions, and the work-scope of departments

- updated job descriptions drive efficient use of ressources People

Do Key Performance Indicators exist for cloud based services?

Success of cloudservices is evaluated by different users.There is no common

definition of success.

KPI's are defined to measure the success of the cloud strategy

KPI's are argeed to measure the success of the cloud strategy

The KPI's are constantly measured, and the results are reviewed.

The definition of the KPI's are checked and reviewed regularly

enterprize strategy, IT strategy - KPI' are necessary to prove and track the success of the cloud strategy

- Checking the KPI's enables a company to select the appropriate

cloud services and focus areas Technology

Has the organisational structure been updated to enable Cloud based

Service delivery No Structure defined

Teams created.

Cloud KPI's per team identified

Teams measured by KPI's.

Active planning against gaps, and reviewed regularly

The organisational structure is able to bring tangible business benefits - and the operating model is an integral part of the

culture, with defined KPI's

Capability Efficiency Velocity Flexibility Quality

………...

…………

…………

…………

…………

enterprize Strategy, HR Department

- Cloud benefits might change role definitions, and the work-scope of departments

- updated job descriptions drive efficient use of ressources

People

Is formal Cloud Training planned

Incidental, Training in new topics is done by individual employees with personal

commitment or interest

Training on new topics is discussed in teams with some organisational support.

A training and development plan exists and is implemented, defined per impacted

business unit

The use and success of a enterprize training and development plan is ensured through product certifications, and other

knowledge tests.

A training concept exists, which is constantly updated to align to the changes

of the cloud strategy of the company.

IT Department, normal Management

- Proven knowledge about a service ensures maximum benefit derived from the cloud service

- Beside the IT resources, training for normal end users of the service might be necessary

Process

Role of Internal IT

Continues handling internal IT and internal data center / outsourcing topics

A cloud capability exists, and IT participates in Cloud deployments

Clear positioning as a Cloud Provider or as a facilitator or broker, with updated skills and

roles

Consults with Business on appropriate cloud platforms

Acts as a bridge between external providers, internal providers, and manages

service definitions

- IT Management - Use of cloud services enables the IT Department to offer fast, flexible support and services to the business.

People

Are the right controls in place to identify, assess and manage risk and compliance, and alignment to business objectives?

Ad-hoc deployments leveraging "non virtualised" definitions and interpretations

Defined system and service classes for cloud use, with rules, policies and guidelines, communicated to the organisation and deployed manually by

projects

Defined and communicated / signed off by all business units, with manual ad-hoc

auditing

Automated deployment according to categorisation

Automated exception reporting in real-time (e.g. by a data loss prevention system)

Capability Efficiency Velocity Flexibility Quality

………...

…………

…………

…………

…………

-Data Security - IT Strategy

- Sensitive data is handled according to Security rules in the cloud application

- Clear definition helps to enable fast and compliant cloud adoption.

- Late and expensive changes to cloud solutions are reduced.

Technology

Does a formal Communication plan exist, positioning cloud and the impacts?

Governance, risk and compliance requirements are available for those who

look for them, for cloud services, documented in an enterprise repository

Limited positioning of cloud with respect to requirements and compliance are communicated to islands of adoption

A communication plan exists relating to cloud services, and detailed follow through activities with the impacted business units is ongoing, including a feeedback mechanism, and regular progress reports, possibly via the enterprize communications

vehicles.

Partners, clients and suppliers are addressed and cloud based implications clearly defined at commerical, service and

business impact level

Co-ordinated roadmap updates and communications are broadcast through the

full eco-system, with feedback loops in place

- Service Designer - Security Management

- Having a clear defined and functional communication structure is important to ensure fast reaction to challenges and opportunities.

- Clear communication of the risks supports a functional mitigation plan.

People

Is Enterprise Architecture Cloudaware and focussed?

Cloud design is handled completely and seperately by lines of business

Written enterprise architecture charter and operating documents outlining scope of responsibility and strategy (charter, RACI's,

decision process guidelines, standards processes)

A centralized cloud service selection process has been established.

The cloud services are measured and the quality is evaluated.

The company acts as a "Cloud Service Broker" according to Gartner's definition.

- IT Architecture - IT Governance

- Using a common architecture approach:

- ensures interoperability between cloud infrastructure and the business applications hosted on it

- reduces training costs

- reduces risks, because of limited elements which are heavily re-used

- quality measures help all services at once.

- reduced effort in Application Management - clear responsibilities for the different layers - reduced migration efforts when changing to or from a plattform.

Process

Is Risk Management updated for Cloud?

Risks may be evaluated in project

situations. No general risk definition Risks are discussed (4-eyes principle) Risks are known and documented.

A Risk management framework is defined and contextualised for cloud. Risks are constantly monitored. Risk mitigation plans

are in place

A governance structure has been implemented to manage risks for the business. The risk mitigation plan is regulary updated. Computer Emergency

Response Team (CERT) exists

- IT Governance - Risk Management

- Clear communication of the risks ensure a functional mitigation plan.

- Active management of risks reduces the potential impact - a risk mitigation plan ensures a structured approach in the case of a breach

Process

Is there a formal Compliance framework for Cloud?

Standard original compliance framework carries forward, without cloud awareness

A Compliance framework is defined and includes cloud appropriate dimensions

Compliance framework is updated to include cross border legislation, data protection in transit and at rest in cloud

environments, and data privacy requirements

Categorisation of requirements exists graded separately for Private, Hybrid, Public

& Hosted cloud types.

Monitoring and Management of compliance requirements is automated,

sensitive per cloud category

The compliance framework is regulary updated to reflect changes in cloud services

and usage.

- IT Governance - A defined framework provides guidence to the organisation, especially in new technologys (like cloud).

- a fast review of new solutions and options is possible

Technology

Is the Procurement Processes cloud aware?

Ad-hoc approvals and business units ordering directly from cloud portals

Online service catalogue and approval process (via enterprize repository)

Operating in real time with real-time approvals and updates

Cloud aware service agreements are established to support online real-time ordering, changes, cancellations, and data

retrieval

Multiple providers selected, with commercial frameworks in place, and available via the portal, with automatic routing of appropriate service orders to

appropriate clouds

Capability Efficiency Velocity Flexibility Quality

………...

…………

…………

…………

…………

- IT Procurement - IT Service management

- Well prepared Procurement Process and teams accelerates the implementation of (cloud) services for the business

Process

Is the Procurement Tooling cloud aware

Each providers own Cloud Portal is used for ordering & configuring services

Links exist from the enterprize Procurement Intranet to selected supplier's

portals/catalogues

Providers Catalogues and approval workflows are integrated with the enterprize order portal and workflow

system

Provider Catalogue contents updates are synchronised, selected and published within the enterprize order portal based on

application and data compliance requirements

A generic catalogue is available on the enterprize portal, with transparent automated routing to the appropriate

provider

- Service Catalouge Mangement - IT Procurement - IT Service Delivery

- Common order portal is the single point of contact for all order processes. Cloud Services should be orderable in the same way as other enterprize Services.

- A fast, easy and common way to order services ensures than no

shadow IT appears. Technology

enterprize StrategyProcurement

GovernanceStrategyOrganisation GovernanceStructure

Development performed for supporting organisations

Procurement team are operate in CAPEX based ordering activities

Procurement team are trained about cloud, and the commercial models

Team is incentivised based on cloud strategy deployment

Realtime authorisation and approval is operational, aligned to enterprize budgets

Defined partners are elctronically integrated into the enterprize systems and

processes

benefits to be achieved by the business

Process

Have Sourcing &

contracting been updated to accommodate cloud?

Cloud ressources are ordered ad-hoc from undefined vendors. No partnering or

contract framing

Default frame contracts exist for cloud services, which are available to the organisational business units, and re-used

consistently.

Frame contracts are integrated in procurement tools and standard cloud

vendors may be chosen

Quality and quantity based performance reporting of cloud vendors

Active partner management with cloud vendors. Multiple vendor sourcing for

identical cloud services

- IT Procurement - Frame Contracts are a common Procurement approach, so it is nomal to do the same in the cloud area to ease service contracting.

- Every tool / methodology/process which speeds up the ability to start using cloud services adds momentum to the business.

Process

Does a specific Cloud Service Catalogue exist?

Hardcopy brochures used, with functions and features defined per deployment, via a

technically orientated portal

A Cloud Portal includes a full integrated Catalogue of services, including technical functions and features, costs, and service

level details, for IaaS Services

A well defined set of standards for catalogue definitions are applied and communicated (e.g. CIMI). Processes are defined to enable entries in the consumer facing catalogue to be updated regularly, and for retirements to be performed according to a defined roadmap process, without contract changes being needed

Included in the Service catalogue are detail costs and calculations, detail rules associated to services, and automated links

and updates to contracts for changed services

All partnered or federated services are mapped into a single well structured catalogue for the consumer, transparently,

wth back-end integration automated and orcehstrated, based on consumer requests

- Service Catalouge Mangement - IT Procurement - IT Service Delivery

- A common order portal is the single point of contact for all order processes. Cloud Services should be orderable in the same way as other Services for business.

- A fast, easy and common way to order services ensures than no shadow IT appears.

- Having a service catalogue speeds up the cloud adoption, because the user does not need to search the web for the right solution and then determine their own appropriateness and compliancy crtieria on beahlf of the business

Technology

Is Reporting updated to monitor and measure cloud services

Basic management and Monitoring data is produced from systems within the

companies' own control

Defined interfaces and reports exist, for cloud providers to integrate to and supply

data, in real time

Standardised supplier contracts enable JIT delivery, from pre-selected suppliers, with defined reporting and source data avaialble according to pre-determined business

criteria

Clear standard online contract and supply management is integrated with supplier systems, to ensure that the cloud service never runs out of capactiy, by pre-warning suppliers of approaching order events

automatically

Integrated reporting and data sharing of relevant data is enabled between pre- selected contracted suppliers and the cloud

provider, to ensure that pre-warning of Procuremnt events is possible, and that service quality can be monitored and

managed pre-actively

- IT Procurement - Easy to use reporting provides a base for future decisions.

- Appropriate reporting shows which solutions are often used, and which ones need to be replaced or changed

Processes

Do Cloud Contract

templates exist? No, still using original templates

Leveraging contracts supplied by each cloud provider, with slightly different terms

and conditions, and processes

Zero $ based framework contracts (agreements defining services and service

level agreements, but with no volume commitments due to the nature of cloud services) are in place to enable service use, and all roles and responsibilities and remediations are clearly defined, including risk, compliance, and data related actions

Contracts with multiple suppliers are synchronised to common terms and processes, enabling the business to scale, migrate and adopt services transparently

All commercial terms are electronically integrated and linked to the service classes

and qualities selected from the available catalogues, by the consumer

Capability Efficiency Velocity Flexibility Quality

………...

…………

…………

…………

…………

- IT Procurement - Common templates make the complex cloud related service levels, compliance, certifications, and risk management simple to navigate.

Process

Are Processes updated to accommodate cloud service delivery?

Original internal IT processes are used, and cloud is fitted to those, as applicable

Defined manual handling of exceptions exists, where existing systems don't accommodate integration with cloud

providers

Standardised supplier contracts are defined, enabling JIT delivery, from pre- selected suppliers, with electronic levels of

integration consistently

Clear standard online contract and supply management is integrated with supplier systems, to ensure that the cloud service never runs out of capactiy, by pre-warning suppliers of approaching order events

automatically

Integrated reporting and data sharing of relevant data is enabled between pre- selected contracted suppliers and the cloud

provider, to ensure that pre-warning of Procuremnt events is possible, and that service quality can be monitored and

managed pre-actively

- IT Management - IT Procurement

- Cloud services need to be integrated into the common enterprize service management processes, and by doing this, one can identify what updates are necessary in the enterprize processes, and update them once for the whole company, to accommodate cloud based service delivery.

Process

Do Key Performance Indicators exist for cloud based services?

Infrastructure availability SLA's are used to

measure services SLA's are in place for IaaS, PaaS & SaaS

KPI's are defined in context of the expected benefits of cloud, including avaialbility,

performance, cost, flexibility etc

Clear KPI's for service delivery against procurement events are defined and automatically monitored in the system, in

context of defined business objectives

Each Business objective has a KPI mapped to it, and data is automatically collected to indicate status and progress in achieving

the objective KPI

- IT Service Delivery Management

- Defined measured KPI's form the base for every strategic decision for change, in order to motivate or justify the cost of change

Technology

Are Partner & Client Interactions updated for Cloud service delivery?

Cloud provision is handled like any other supplier by the involved teams and

processes

Some Suppliers are integrated into the Procurement and Event management

systems

Clear Service Levels and KPI's are defined for all online services from partners

Clients interact via defined shared cloud based interfaces, which adhere to strict

SLA's

Partners are integrated at contractual, electronic and process levels, transparently

- IT Procurement - IT Service Management

- Cloud services might not have direct service contacts, so it is important to have a defined, tested process and channels to approach.

Process, People

Are the costs of a service billed to the consumer of the service?

No, IT Costs are handled by a common IT budget

Yes, costs are billed to the main departments (Production, Management,

R&D, …), but only 1 -2 times a year

There is a capability for the consumer to check ordered Services and their corresponding costs. The costs are billed to

the consumers costcenter once a month

Costs are constantly monitored, and billed to the consumer, and unused ressources are optimized or returned to the available

resource pool

There is a constant process which monitors the billing. Growing costs are proactively monitored and are constantly discussed with the consumer. There is a process which terminates unused Services.

- Financial Controlling - Pay per Use for cloud servcies enable constant cost optimisation - Costs need to be charged to the consumer of the service otherwise there is no motivation to terminate a service, so the pay per use value of the cloud makes no sense anymore

Process

Do consistently defined templates, guidelines, best practices and blueprints for cloud based service & product deployments exist

Developed by each project manager on an as-needed basis

Use is made of centrally defined and published Blueprints, Best Practices, and

Checklists for Cloud Service integration

Comprehensive documentation exists, and is used by all projects: A clear framework exists and is used for classifying applications and data (protection) for projects (for mapping systems against cloud

platforms and services) , prior to deployment, ranging from Development,

through Q&A, Pre-Production and into Production

Automated selection of platforms is enabled (via a Cloud Portal) for placing applications and data, based on business rules and application calssification, all the way through Orchestration and deployment

to Production

Online tooling, tracking and reporting is in place to support all project based

deployments

Capability Efficiency Velocity Flexibility Quality

………...

…………

…………

…………

…………

-IT Service Management - Quality Management - Knowledge Management

- Usually there is a defined approach for handling a project in a company. The re-use of common cloud enabled templates in Project Management is as important and useful for cloud projects, as it is in normal IT Projects

Process

Is Project Initiation updated for Cloud?

Ad-hoc projects developed by the project manager, developing own processes, methodologies and frameworks for Cloud

service integration

Partial re-use of cloud methodologies, defined by certain new projects, and shared

for further enhancement

Standard training is available for the various involved organisational units, tailored to their needs, addressign important cloud rules, policies, aspects and skills that they must develop and apply in their cloud

service adoption

Projects are planned in a cloud portfolio annually in advance, with clear budget, scope and objectives towards enabling

cloud benefits realisation

Leveraging existing templates, resources and methodologies for cloud use, high performance innovation is enabled, multiplying the organisations new product

development by a defined factor

- IT Service design - IT Programme Management - It Architecture

- There are common design patterns which are useful for enabling cloud applications to be able to take advantage of cloud scaling, security models, and increase robustness of the service

Process

Are Project Tools updated to support Cloud projects

Each project is defined by the assigned project manager, and built from scratch

Cloud based project templates are shared between project managers for re-use

Pre-defined elements are automatically populated into the project plan by the tool,

and consistent feedback loops exist to update approved steps

Online project tool with integrated documentation is linked to selected cloud

deployments and reporting systems.

Online project tool also integrates with and triggers / invokes workflows and processes for partnered services, as part of the Cloud

Service landscape

- IT Architecture - there are many elements which can be used across all cloud projects in a company, like Identity Management, Singe Sign On, Buisness Process Management, Data Orchestration Master Data Management,… all of these elements can be pre-prepared already at the start of any new project.

Technology

ProcurementCommercial

GovernanceProjects & Services Projects

Business