This article is the second of a four part series by AJ Witt of ITAM Review and Josh Brazee of Aspera. The series explores concepts & practical advice for managing Cloud deployments to minimise cost and risk whilst maximising value.
- Part One – provides an overview of the cloud market and its impact on ITAM
- Part Two (this article) – Building the business the case for cloud management
to be followed by
- Part Three – The people, processes, and tools necessary for cloud management
- Part Four – Practical tips for managing cloud deployments
These articles are also available as a whitepaper, downloadable here (no registration required)
What is Cloud Shock?
Part 1 highlighted the following
as the high-level challenges contributing to Cloud Shock – unexpected cost increases typically uncovered in year two of digital transformation programmes or “Cloud First” strategies
To a certain extent, these challenges go hand-in-hand and build upon one another. For example, Shadow IT can mean increased waste because expert ITAM & Procurement professionals aren’t managing spend, and a per-minute or per-user pricing model can quickly get out of hand and blow your OpEx budget.
This isn’t the whole story – there are nuances which we’ll explore in the rest of this article. If we want to avoid cloud shock, we need to solve some challenges and also build the business case for why we should manage it. Before we look at the business case, let’s look at some of the obstacles that need to be overcome before we can deliver on the promise of cloud optimisation.
Solving Shadow IT Management
First and foremost, it isn’t possible to manage something if you don’t have full visibility of it. To get to grips with Shadow IT you need to discover where it is being used, and then engage with stakeholders to help them extract best value from the expenditure. Only then can you address the challenges of reducing wastage and adjusting to an OpEx spend model.
Clouds are fleeting, ephemeral things with the ability to leave you soaking wet if you go out without an umbrella. Similarly, it’s easy for organisations to “take a bath” on their cloud expenditure. The great challenge here is that cloud is easy to buy and deploy but difficult to discover and therefore manage. This particularly applies to Software-as-a-Service (SaaS) expenditure because that is much more likely to be procured outside the normal channels compared to Infrastructure-as-a-Service (IaaS). IaaS will more likely require a level of IT involvement and as such you should have reasonably good visibility of such deployments. No, SaaS is the greatest challenge when it comes to managing cloud costs.
With nothing to install, there is no need to involve IT, and SaaS tool vendors take pride in ensuring adoption of their products is as seamless and frictionless as possible. This has the potential to make every employee a procurer of cloud products – everything from a free calendar integration tool to a $1000+ per annum Salesforce license.
With every employee a potential purchaser of cloud services, this puts greater onus on stakeholder management. As an ITAM team, it is important you get out from behind your spreadsheets and talk to people – your users, department heads, and people outside your traditional remit. This may require new skills and a new approach. Communication is key, and just as your IT Security team may run internal communications campaigns on password management and phishing, so should you on cloud usage, and particularly SaaS.
Departments which will typically need to be involved in discussions on cloud usage include Sales & Marketing (Salesforce) and Engineering/R&D (product design software such as AutoCAD). You may have a challenge to overcome if you’re seen as being “from IT”, so it is important to take an open, partnership approach. If they’re spending their departmental budget on cloud you are there to help them get best value, not to pass judgement and to try to centralise control. They’ve procured it themselves because they didn’t want IT involvement – it’s not your job to tell them they’ve done it wrong and that you know best.
For SaaS solutions concentrated in particular departments or divisions, it makes sense for the budget to be held where the value is created, but that shouldn’t stop you from providing a service to help them manage that budget.
With these two key requirements – Discovery & Stakeholder Management – in mind, it is possible to build a business case you’ll be confident of delivering against.
Building the Business Case
The first article in this series outlined the size of the growing cloud market. Growing expenditure is not an issue per se – what is important is ensuring that business use of cloud is secure, risk-managed, and good value for money. With potential fines for regulatory non-compliance increasing as a result of the GDPR & other privacy legislation, it is useful to consider Cost Control & Risk Management alongside each other. For example, unmanaged SaaS usage can both expose company data and be a waste of money.
Managing cost for SaaS is similar to on-premises software. The question you should ask is the same – is this software delivering value for money? For SaaS, the metrics we can use for this are predominately around usage. Just as we might reclaim unused perpetually-licensed software, so we can do the same with SaaS subscriptions.
Wastage of SaaS subscriptions is around 35% – over $1000 per user per year.
For IaaS, the risk is the same virtual machine sprawl that has been the bane of on-premises datacenter managers. The difference is that where an unused on-prem virtual machine is consuming limited resources, in the cloud you’re paying for it by the second.
We also need to ensure we’re not paying for unused performance. It’s so easy to specify vastly-overpowered cloud computing resources that you can end up using a Ferrari to pop to the supermarket. Over-specifying computing resources on-premises was rarely of concern because virtualisation software would dynamically assign resources to virtual machines as required, regardless of what was specified. In the cloud, if you specify a virtual machine with 4 processor cores and 3 of them are sat idle, you’ll still pay for 4 cores and get no benefit for three of them.
Cloud deployments present considerable regulatory compliance risks :-
- Where is your data stored?
- What is it being used for?
- Who is accessing it?
- Does the cloud provider have appropriate controls in place?
- Are there regulatory requirements applicable to your operations that may restrict your use of cloud?
And this is before we consider the fact that many organisations will vastly underestimate their use of cloud – particularly SaaS. Not knowing that sensitive personal data has been stored in an insecure cloud service will not be a valid defence when your Information Commissioner audits and fines you in response to a customer complaint.
A cloud management programme will address many of these risks by providing visibility and the ability to restrict or prevent use of certain SaaS applications. With almost 90% of ex-employees retaining access to SaaS applications one month after leaving the business, your cloud management programme should also support a robust Joiners, Movers, and Leavers process.
Bringing it all together
The next article in this series will outline the people, processes, and tools required to build a world-class cloud management programme. Cloud expands the potential remit for an ITAM team, and it is important to ensure that you’re ahead of the curve in this regard.
The concept of “Cloud Shock” came to prominence in 2018 – where budget holders became aware that their headline digital transformation projects started in 2016 were now business-as-usual and consuming significantly more budget that expected. On that basis, now is the time for ITAM teams to step forward and start delivering greater value for their organisations – if we don’t do it, someone else will, and as the next article will outline, we’re best-placed to deliver in this area.
For more from Aspera on managing, monitoring, and optimising your company’s cloud services please see