There’s network as a service (NaaS), infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). All offer opportunities to outsource major areas of IT operations to third-party vendors in turnkey fashion if desired. In other words, all you need to do is to call the vendor, much as an end user will call IT if a service goes down, gets slow or develops a bug.
The oft-cited value point of these outsourcing approaches is that IT will have more time to focus on strategy, and not so much on the mundane tasks of daily operations. However, consider whether cloud management and operations should be a totally “hands off” practice or are there levels of management and control that IT should keep?
“Whether building or buying technology, it’s critical for companies to consider how they choose their systems, devices and applications,” said PWC in a recent paper on technology and ethics. However, even if you exclude ethics and are just talking about day-to-day IT, there is a responsibility to oversee technology for the company and its stakeholders, even if the technology is tucked away in a cloud.
IT in the Cloud
The initial role that IT plays with the cloud is determined when the company decides to move to the cloud and then meets with vendors to determine which cloud provider to sign with. In many cases, getting contracts signed and services started is all IT does in the process, unless there is a cloud service interruption or it’s contract renewal time.
Very small companies of 20 or fewer employees live in this world. The cloud benefits them greatly because they’re able to subscribe to IT services and support they otherwise could not afford, and then they simply don’t think much about it anymore.
However, for mid-sized and large companies with large IT portfolios and in-house IT staff, a totally “hands off” role with the cloud that fails to address questions of cloud risk or management control is less than optimal. IT departments in these organizations recognize this, so they ask staff members to manage the cloud as needed. The problem with that approach is this: More IT is shifting to the cloud, making the cloud a more dominant IT hosting platform, and it becomes less viable to handle day-to-day cloud issues on an informal, “as needed” basis. That is why more mid-sized and large companies are codifying IT responsibilities for the cloud by writing them into staff job descriptions.
Cloud Roles That IT Staff Members Play
Here are some IT cloud responsibilities that need to be more formally addressed.
Contracts and SLAs. A contract for a mission-critical system like cloud-based ERP involves more than just signing up for a service. Companies with large ERP systems depend on ERP applications as the operational “driveline” of the entire business. An ERP vendor should take the criticality of this system as seriously as the company does. During contract negotiation, this means hammering out service level agreements (SLAs) that are more robust in their performance and uptime requirements than what a vendor would typically offer in a boilerplate contract. There is also room to negotiate on pricing and support.
Who does this? Enterprise IT departments hire contract administrators to do this work. Medium-sized companies that can’t afford a dedicated contract administrator should consult with attorneys.
Cloud contract negotiation and administrative responsibilities should be written into contract administrator job descriptions. For companies employing outside legal counsel, the CIO or an upper-level IT manager should be tasked with the responsibility of cloud contract negotiation and coordination with the legal team.
Compliance. In large enterprises, there are dedicated internal regulatory groups that monitor and ensure compliance, whether the company standards are HIPAA (healthcare), PCI, Sarbanes Oxley (finance) or something else. SMBs without dedicated regulatory staff turn to attorneys. The goal is to ensure that prospective and existing cloud vendors are compliant with various regulations.
Who does this? IT gets involved because almost always, IT owns the cloud vendor relationship.
Typically, a senior business analyst in IT coordinates and verifies cloud vendor compliance, working with the regulatory group and attorneys. In the past, this responsibility often was performed informally. It should be formalized as part of the business analyst’s job responsibilities.
Security. Cloud vendor security audits and methods must be reviewed annually to assure that vendors continue to adhere to company security requirements. At the same time, IT is responsible for configuring the security levels for its own assets in the cloud.
Who does this? The IT security staff should have written accountabilities for configuring and monitoring security in the cloud. This includes setting up of security for cloud-based IT assets and annual reviews of cloud vendor security audits.
Asset deployment, management, and performance optimization. Applications and IT infrastructure components that support the production environment should be deployed, monitored, and optimized for performance in the cloud as part of IT’s daily work. In some cases, there will be joint responsibility for sharing these tasks between IT and cloud vendors, but ultimately it is IT that is responsible for ensuring that applications and the supporting infrastructure are running in the cloud as they should be.
Who does this? In PaaS and IaaS cloud environments, it will be the systems group that should have an individual assigned to maintaining performance levels in the cloud and in working with cloud vendors as needed. On the applications side, it will be a senior applications group staff member or manager who would carry out this responsibility for applications.
Data stewardship and testing. Cloud services sell data, and other cloud services are in charge of maintaining data in a safe and secure environment. In still other cases, cloud services are being used to provision and de-provision test databases and infrastructure for IT unit application testing. Someone in IT should be formally assigned the responsibility of assuring that cloud data is safe, and that IT test environments are correctly configured.
Who does this? The database group should be tasked with data management and stewardship of cloud data. The DBA or a data analyst should also be assigned the responsibility of setting up or taking down testing facilities, or in many cases, supervising the application programmers themselves to ensure they are doing this correctly.
Final Thoughts
Cloud-based data, applications and infrastructure are a major part of IT portfolios, so IT can’t afford to consign these responsibilities to third parties, especially if these IT departments are in very large enterprises.
It’s time to formalize cloud responsibilities throughout the IT organization, and to provide the time for IT staff members to get up to speed with cloud-based tools that they will need in performing their cloud-based responsibilities.
The task now for CIOs and senior IT leaders is to map these cloud responsibilities across the IT organization, because different individuals in diverse areas of IT will be needed to do them.