Cloud Survey ResultsCSG 9/13

Thank youUW-MadisonPenn StateVirginia TechPennUniv of MichiganPrincetonCornellUniv of MinnesotaColumbia UnivDuke UC San DiegoNotre DameChicago

Univ of IowaNYUStony BrookUniv of WashingtonMichigan StateUniversity of VirginiaUniv of Colorado BoulderYaleStanfordHarvardBrown Georgetown

Do you feel that your organization is being being pushed to move to cloud products ahead of your

ability to manage deployments/evaluations effectively?

We have the BYOE adoption of commodity cloud services that pulls us along.

(Although I'm the one doing some of the pushing!)

There is a great deal of pressure to move to the cloud: sometimes to a specific product, or cost, or availability, or hype

Yes

No

What is your institution’s attitude to cloud?

0

2

4

6

8

10

12

14

What are the biggest challenges you are facing?

0

2

4

6

8

10

12

14

Biggest Challenges - Other

ComplianceRisk Mgt, Counsel, Some biz units very hesitantPeople understanding that using it for yourself is not the same as an enterprise implementation for everyonePeople's perceptionsNew non-technical skill sets requiredCustomization vs. ConfigurationMaking the financial caseComplexity (Office 365 email). Internal resources to integrate IaaS services (billing, technical integrations - not from a technical standpoint, but from a resource standpoint)We need to develop operating model supportPolicy issues (real and perceived) around compliance and liability.Organizing and supporting a broad set of services in a coordinated way

Cloud as a strategy for...? (Top 5)

0

5

10

15

20

25

Ranked 5

Ranked 4

Ranked 3

Ranked 2

Ranked 1

What is the greatest source of interest in cloud?

Researchers (HTP, HPC)Housing or other non finance central unitsUnit (college) ITDifficult to rank, all very interestedStudents and student groupsResearch collaboration

Academic de-partments and

faculty

Central IT Administration functional areas (e.g., Finance)

Other0

5

10

15

20

25

Ranked 4Ranked 3Ranked 2Ranked 1

Do you have a sourcing strategy that helps you determine if cloud is the right solution?

Sort of

Yes

No

What Integrations Have You Done

between on-prem and cloud

between cloud providers

We have done identity management and provisioning integrations 23 0We have done data transfer integrations 20 2We have done Web Services, API, etc. integrations 26 2

Biggest challenges to integration Vendors being behind the curve on API standards, Web Services, shibboleth etc…Authn, Authz. Hard to tolerate variance in Net+ pilot integrations with local policies, practice.Common authentication. Integration with legacy systems.Every cloud engagement requires integration work with our IAM team, and we have found that group to be a bottleneck because of the many demands on their time. As a result, we have had to slow down some cloud integration work.Experience is still too limited to answer thisWorkday project dis-integrated (ie: disintegrated:-) our ERP data, requiring large and ongoing integration efforts. Traditional approaches to integrating AuthN/Z is fine for large enterprise wide cloud solutions, but doesn't scale for tactical point-solutions that are increasingly consumer driven.Moving from our legacy custom IdM systems to adoption of standard tools that integrate with cloud services.Grouper integration is often a challenge - it's typically an AD integration Real-time updates vs. bulk uploads Non-deterministic timing for updates/integration (Azure/Office 365)We are just began to conduct proof of concept,we only moved a small component of our ser-vices to AWS to test the integration of IdM. We will yet learn about the biggest challenge yet.Authentication, Provisioning

Workflow and "capability impedence". Workflow: developing workflows to manage "flow-through" use of cloud services (brokering), with billing and admin-overhead. Capability impedence: For example, Amazon has a 2-level account structure, which makes it difficult to consolidate existing users under an aggregation model for discounting.Early on, upgrades of one of the systems being integrated. Modern architectures and use of SOA, etc. have helped isolate integrations so upgrades are less of a problem.Making sure we have vendor agreements that are consistent with the type od data being integratedData governance, securityXaaS providers use email addresses as account namesonboarding new users to a managed cloud product, when the product already exists as a consumer productLack of support for OAuth2 (them and, to a degree, us too)Having clueful technical staff that understand RESTful integrations. We just haven’t retooled our skills yetIntegrating and managing multiple IAM services that exist on campusIdentity and Access ManagementMoving to real-time integrations with the cloud AuthN/AuthZ – but it is starting to get easier as cloud providers are moving to SAML based standardRetooling our staff has been hardWe haven't had a lot of integration challenges. The challenges are UI changes on the fly, supporting rapid change, etc.

Biggest challenges to integration

Have you changed your contracting process for cloud or managing SLAs?

Yes 12 No 10

Too early to say, but there's no doubt that all of the requisite offices are changing how they think about their touch points in an SLAAdditional vetting including security review at time of purchase.We're in the process of publishing standard RFP and contract conditions. Already have cloud based security and compliance guidelines.Contracting process now takes 4x as longIncreasingly formalized business processes (cloud contract templates, security reviews, identity integration, etc) as relates to cloud acquisitions.Slowly moving to a common set of processes and templatesWe negotiate cloud contracting with a different perspective and process than traditional software products. Not really focusing on managing SLAs at this point (other than negotiating them in the contracting phase), but also not having any real problems with service levels for the services we're using.Greater involvement from security folks, general counsel; procurement will check to make sure certain "best practice" language gets included, etc.Implementation of a full supplier management process; will see if we can share document from our vendor mgt teamBusiness Associates Agreements, audit controls and certifications, liability, service and lifecycle (pre-nup).

What has been the reaction of your technical staff

Staff turnover has changed due to implementing cloud services

For IaaS, they find configuraing VMs in the cloud more interesting and productive

For SaaS, they find configuration more interesting than programming

Staff have welcomed cloud over on-premise

It has been hard to hire people with the right skills

The speed of provisioning has changed staff attitudes to their work

It has been hard to transition our staff from more traditional services to cloud-based services

0 2 4 6 8 10 12 14 16 18 20

Disagree or Strongly Disagree

Strongly Agree or Agree

Reorganized to support cloud?

We have a Net+ point person - that's it. Otherwise, we're morphing lots of people's sensibilities with each and every opportunity.We have hired a cloud sourcing manager. We're also creating a new role for cloud system administration. We've also created a new team to manage our cloud collaboration tools (along with some other things).Shuffled staff to free up 2 managers to become "row people" with a full-time focus on accelerating cloud adoption. After two years as the "Cornell Cloud Initiative", this is evolving into a new service catalog entry - "Cloud Computing Advisory Services".Not really, although this may be necessary in order to make faster progress. Driving this alternate sourcing strategy deep into all the service teams might be the ideal way for it to work, but lifting those teams up from operational and tactical into more strategic levels is challenging, and takes a long time.

We created a SaaS/PaaS practices team to create and communicate recommendation for managing SaaS and PaaS more broadly across Yale, including recommendations in the following areas: adoption, reference architecture, integration, governance, change mgt, organizational design & changeThough we have not reorganized we have a new cross-functional engineering team to explore cloud IaaS ansd PaaS offerings. Some SaaS offerings (specifically Sharepoint and Google) are being operated by a new team within a Unified Communications group that was recently expanded to incorporate legacy voice services in addition to the original email and new telephony servicesCreated Product Manager positions, invested more in architecture, focused more on vendor relations and security, rethinking “service desk” conceptNot yet, but we arelooking to replace our business system teams with integrations teams

Reorganized to support cloud?

Learned: Overall

That you have to work in many streams... security/risk/compliance, legal, technical integrations, and staffing - cultural, skill-set, apprehension/resistance, build-vs-buy approaches. And a comment about the Technical Skills question... The reactions vary, and seem to be all over the board. Some people and groups embrace and rush in and love it; others are more hesitant, apprehensive and resistive. Others are simply too busy or "eyes-down" to see the possibilities.An executive sponsor is imperative to success with "selling" the cloud as an option. A strong business case with cost/benefit analysis is important. Leading from the middle (Central IT) is challenging without a strong IT Governance program.Large cloud vendors are not easily influenced by a single institution or even a consortium of higher ed institutions. The scale is just too big. So we ultimately have to accept terms which are not ideal. Compliance has been a challenge, but vendors are starting to move. On the other hand, accessibility continues to a second or third thought (or no thought at all) for many vendors.

Learned: Overall

That you have to plan for continuous upgrades and have resources ready to accommodate that - both functional and technical.Subtle resistance to change can be a bigger obstacle than the overt kind. Change leadership is required. It's easy to both over and under estimate the complexity and risks of doing cloud. It's equally easy to over and under estimate the benefits of doing cloud. It's no longer about the technology (it probably never was)... it's about the consumer, who is now in the driver seat. IT consumers want to focus on the opportunities, but we keep asking them to focus on the problems.Keep it simple, understand what you are getting into, buy your lawyer lunch, it takes longer than we thought

Learned: Business

The business process changes and cultural changes ("But I like to configure everything exactly how I had it before") are much more difficult than the technical changes. That political pressure internally can make you throw out requirements that really drove the business value of the implementation. I think we knew these things but they were made very clear.Lawyers are paranoid, and not the good kind of paranoid.Vendor management is key--from initial discussions and contracting through implementation and maintenance.Vendor management is keyThe current FUD flight is more in the policy areas, as opposed to technical or operational issuesIt is a tremendous pain to get contracts that our legal folks will sign off on

Learned: Integrations & Security

point-to-point integration/sync of data between many cloud services may not be the long term solution. Perhaps MDM or some other "data of record" store that all services sync with is better. We've learned that the initial perceived (security) risks were exaggerated & that the tendency to want to customize (or complicated configurations) remains trueHIPAA/BAA is a big deal. Not to believe vendor promises of "getting there" in a year.We are just began to conduct proof of concept and we only moved a small component of our services to AWS to test the integration of IdM. We will yet learn about the biggest challenge yet.

Learned: Pace & Staffing

Take it slower and get it right - not as much chance to change after implementation (refine) as neededI wish I hadn't underestimated the central IT staff push back. I thought it was better than it was. Bouncing back, but a price was paid. Also, I would have spent more time on Risk Mgt, Legal, Purchasing etc. to move their asymptotes faster, further.

I wish we had taken on the staffing issues sooner