The White Paper   Topic: How employees Incentives Affect an Organization’s Profits?   Summary of the Assignment:    Task:  In this paper, you will write a document that provides information that an a

That's entirely possible by moving to the cloud. The servers are physically managed by the cloud provider in their data center, and you are just one of many utilizing those systems. However, with a new environment comes all new tools a nd concepts that you need to understand before making that decision .

Many IT organizations have attempted to make the tran sition and failed due to lack of time allotted, lack of identifyin g project requirements, or lack of knowledge to make an effectiv e plan for budget. Some key factors need to be considered in order to det ermine if making the transition to the cloud is the right fit for your comp any. In addition, proper preparation, including anticipating additional costs and allotting enough time to make the transition is needed in order to be successful. These factors include the following questions:

· Are your applications a good fit for the cloud and w hat will be the approach to migrating them?

· Does your support team have the knowledge to support the new environment?

· What security controls need to be in place to provide adequate security and compliance with regulations? · What other hidden costs could be uncovered and planned for? If you consider these factors, allow time for plannin g, and budget for failure, you may be successful in migrating to the c loud. 2 C LOUD CONSIDERATIONS – W HAT YOU NEED TO KNOW PRIOR TO MAKING THE LEAP Introduction The cloud has become a household term over the past few years , but what does it really mean? As defined by the National Institute for Standards and Te chnology (NIST), “Cloud computing is a model for enabling ubiquitous, convenient, on-demand netwo rk access to a shared pool of configurable computing resources (e.g., networks, servers, storage , applications, and services) that can be rapidly provisioned and released with minimal manag ement effort or service provider interaction.” (Mell & Grance, 2011, para. 1). However, Microsoft’ s Azure website puts it much more clearly by stating, “Simply put, cloud computing is the delivery of computing services—servers, storage, databases, networking, software, analytics, and more— over the Internet (“the cloud”).” (2018, para.

1). Using this concept, most companies are already u tilizing the cloud if they are getting one or more services through the internet. Several different cloud models exist that further def ine the cloud concept compared to traditional on-premises architecture within one’s own datacenter: Software as a Service (SaaS) – This refers to utilizing software or an application that is provided as a service, such as utilizing web-based email like Google or Microsoft Office 365. Platform as a Service (PaaS) – This type of model refers to a platform, such as a server with operating system and necessary tools, being provided to run an application. In this case, the consumer only has the ability to manage the applicati on but not the underlying architecture or operating system. This is somewhat of a middle gro und between SaaS and IaaS. Infrastructure as a Service (IaaS) – In this case, the infrastructure such as servers, networks, storage, and processing power are provided in a hosted facility. As the consumer, you deploy the operating systems, applications, and s ecurity to the provided infrastructure. Figure 1. Cloud Models. This figure illustrates the responsi bility of management for the cloud models. Reprinted from “SaaS vs PaaS vs IaaS: What’s the di fference and how to choose” by Watts, S., 2017, http://www.bmc.com/blogs/saas-vs-paas-vs-iaas-whats -the-difference-and-how-to-choose/ 3 C LOUD CONSIDERATIONS – W HAT YOU NEED TO KNOW PRIOR TO MAKING THE LEAP In this document, we will primarily focus on Infras tructure as a Service. The concept of moving one’s infrastructure to the cloud can be appealing, es pecially when faced with some number crunching provided by one of the cloud giants like Amazon Web Services (AWS). In the white paper “Introduction to AWS Economics,” AWS claims that movi ng to their cloud infrastructure will provide considerable cost savings both variable and upfront as compared to traditional data centers.

(Amazon Web Services, 2015) See figure 2.

Figure 2. AWS Economics. This figure illustrates the estimat ed cost for data center models as explained by AWS. Reprinted from “Introduction to AWS economics - Red ucing costs and complexity” by Amazon Web Services, 2015, https://d0.awsstatic.com/whitepapers/introduction-t o-aws-cloud-economics-final.pdf With such promises, it comes as no surprise that compa nies are deciding to make the transition.

Many articles are available that discuss the benefits of moving to the cloud. Many companies are being baited by the promises of less cost and less m aintenance. Is it true that the cloud can save money? Possibly. Does the cloud reduce the effort to o perate? It can, but you must also factor in additional hidden costs that the cloud providers don’t initially reveal. On the other hand, there are articles written that cauti on folks from making the transition, claiming that cloud technology is evil and insecure and all of your data is at risk. After all, the cloud is just running your systems in someone else's network, rig ht?

In reality, the cloud can actually be safe and secu re, and may even offer some long-term cost savings. However, it's not all unicorns and rainbows , and especially not up front. Let’s take a look at some previous approaches and issues that have been experienced. 4 C LOUD CONSIDERATIONS – W HAT YOU NEED TO KNOW PRIOR TO MAKING THE LEAP Previous Approaches Traditional data centers, whether owned or leased, of fer limited space, aging equipment at best, and limited scalability. Every few years some equipment must be replaced. Add to that the cost of power, cooling, maintenance and operations and you have a h efty price tag on your hands. It’s no secret that cloud technology reduces some of that overhead an d offers some additional benefits. Cloud providers, including some of the giants such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, advertise their man y benefits, some of which can make any Chief Financial Officer (CFO) want to make the switch yeste rday. An example of one of these benefits is elastic comput ing which provides scalability. Elastic Computing as defined by Microsoft is “the ability to dynamically provision and de-provision computer processing, memory, and storage resources to meet changing demands without worrying about capacity planning and engineering for peak us age,” (Cloud computing terms, 2018, para. 10).

This means that resources are provided as they are n eeded. An example is during a holiday sale on a commercial website, perhaps the site gets 5 times as many customers visiting and placing orders than during a n ormal day of operations. This influx of traffic could have devastating effects on an IT system hosted in a traditional architecture. However, utilizing the elastic computing concept in the cloud c an allow for more processors to be provisioned when needed, and then turned back off when the load decreases. The concept of elastic computing also saves money in the long run, as you only pay f or the services as they are used. However, the cloud has had its fair share of problem s. Below are a few of the issues that have been experienced at the provider level and at the customer level. · In Microsoft Office Suite Exchange Online, both standa lone and Office 365, suffered a disruption in June of 2014 leaving many companies th at relied on the service for email in the dark. (Endler, 2014) · Again, this time in November 2014, Microsoft's Azure cloud service experienced an 11-hour outage due to improperly applied updates, which affec ted many customers that used the platform around the globe. (Okyle, 2014). · Healthcare.gov experienced tremendous system issues when it tried to launch its cloud based website in 2013 resulting in error messages, latency, and downtime that caused many to not be able to enroll for health care coverage. Thi s issue resulted in public embarrassment for the Department of Health and Human Services. (Hen dricks, 2014) David Linthicum, contributor to InfoWorld.com, discus sed IT project failures in recent years, citing an Innotas survey that depicted a 32 percent failure in 2014, and a jump to 55 percent failure in 2015. However, in 2016 the failure rate decreased sl ightly to 50 percent. David attributed these failure rates to companies migrating to the cloud. He a lso said “In fact, I figure you have a one-in- three chance that your cloud project will be consider ed a failure, perhaps because you spent way more than you budgeted or more likely because you pi ck the wrong technology or cloud services,” (2017, para. 4). 5 C LOUD CONSIDERATIONS – W HAT YOU NEED TO KNOW PRIOR TO MAKING THE LEAP According to a survey conducted by Sungard Availabil ity Services in 2015, the 3 top reasons for cloud migration failures as illustrated by Fleece (2 015): Table 1. Top 3 reasons f or cloud migration failures Reason % of 276 total respondents Lack of understanding of cloud security and complian ce 56% Lack of clearly-identified business objectives for migrating to the cloud 55% Lack of planning 42% Note: Adapted from “Why cloud computing implementat ions typically fail” by Fleece, J., 2015, November 17, https://www.forbes.com/sites/sungardas/2015/11/17/w hy-cloud-computing-implementations-typically-fail/ New Findings As Jeff Fleece of SungardAS wrote “What it all comes down to is this: businesses need to treat the cloud exactly the same as any technology enhancemen t. Cloud adoption may include a number of desirable benefits, but you have to think of it as ju st a new technology architecture: nothing more, nothing less,” (2015, para. 11). Some considerations need to be made to effectively dec ide if moving to the cloud is feasible for your situation so your project doesn’t end in failure. Belo w you will find some questions that you can ask yourself to assist in making an effective decision:

Approach – Depending on your existing systems will determin e the approach you would need to take should you pursue migrating to the cloud. · Does your company have existing IT systems that you believe are good candidates to host in the cloud? · If so, are those systems cloud-ready or do they nee d significant code changes? New Technology – With the new cloud environment comes all new termi nology and applications. · Is your staff educated well enough on the new environ ment and technology to provide support? · Do you need to hire contractors to help with setting up the environment?

Security – With new technology comes new sources of attack. H aving an understanding of how security is implemented and managed in the cloud is a must. · Does your staff have the knowledge to effectively sec ure the new environment? · Have you considered the legal regulations that you mus t abide by in your business as it pertains to cloud technology? Unexpected Costs – Quotes and invoices for cloud computing are usua lly dependent on the amount of data in transit and at rest. However, there a re a few other factors that make that monthly invoice increase. In addition, training and licenses will add to the overall price tag as well. · Do you know how much traffic your website will gener ate? 6 C LOUD CONSIDERATIONS – W HAT YOU NEED TO KNOW PRIOR TO MAKING THE LEAP · Do you know how much storage you need?

· Do you have an idea of what licenses you will need to procure to complete the transition? Approach If you are looking to utilize IaaS-benefits and beco me a cloud based company, there are several approaches you can take depending on if the system yo u are looking to make cloud based is an existing system or not. New Systems – If you are either a new start-up company or are an existing company that is looking to build a new system in the cloud, this ap proach is much easier than the rest. You can design the application from the beginning to inte rface with the cloud technology.

However, being a new system does not make the system i mmune to configuration errors, security threats, or the hidden costs described furth er on. Lift and shift – This approach refers to lifting an existing IT sy stem that is not built for the advanced features of the cloud and shifting it to the ne w cloud environment without very many modifications. Figure 3. Lift and Shift – Moving a system from one location to another without many modifications. Essentially, the existing IT system is running as if i t were still in a traditional data center with all of the traditional limitations. In order to ta ke advantage of the cloud capabilities of automation using application programming interfaces ( APIs), load balancing, and auto- scaling, the application has to be designed for it. Ma rgaret Rouse wrote an article for tech target describing the lift and shift approach and mad e a comparison to moving a houseplant (2017, para. 5): Lifting and shifting can be compared to moving a hous eplant from one environment to another; being in a different habitat c an affect whether the plant will thrive. Likewise, an IT project that starte d in an on-premises or original legacy system might not work as well in a n ew location. 7 C LOUD CONSIDERATIONS – W HAT YOU NEED TO KNOW PRIOR TO MAKING THE LEAP Modernize and release - For existing applications, this approach may have th e best end result, but it also has the highest price tag. While you are designing the application and developing the new cloud environment, you must contin ue to support the existing system within the original data center. This means for a pe riod of time, you will have two invoices each month, one for the current environment and one fo r the future environment. In addition to the double cost, another consideration with this type of approach is return on investment.

The business unit within your organization that utilize s the system does not get to see any benefit to the rewrite of the application until there i s something available to demo within the new cloud environment. New Technology The technology within the cloud environment has some of the underlying components shared with traditional data centers, like virtual servers, operatin g systems, IP addressing, etc. However, there are many new tools and additional terminology that s ystem administrators must become accustomed to. As a cloud administrator, he or she mus t understand virtual machine and virtual network configuration, provisioning and automation, i nterconnectivity between instances, and much more. Furthermore, some of the existing IT roles may no long er be necessary for administrators. In the white paper titled “The impact of cloud computing: Sho uld the IT Department be organized as a cost center or a profit center,” it was stated that “As mor e services are procured from cloud vendors, the need for functions within the IT department that serve to administer, monitor, and maintain the IT infrastructure will be considerably diminished or ev en eliminated” (Choudhary, V., & Vithayathil, J., 2013, para. 66). Some considerations for the roles of your administrators need to be made prior to implementation.

Security One security concern is for auditing of who has acc ess to your data, both physically and logically.

Many organizations can audit access control to their d ata center and see who entered the premises, or determine how secure the facility is. That’s not really a possibility in a cloud environment. In addition, who has access to your virtual servers? In an article discussing cloud adoption based on perceived risks, it was stated that “organizations can not ignore the fact that once their corporate proprietary information is transferred over to a Clou d service provider, it can no longer be considered private and confidential” (Ho, Booth, & O casio-Velazquez, 2017, para. 504). This is a considerable issue and a sticking point for many org anizations. Another consideration for security is that cloud desig n is typically based on the idea that multiple tenants share the cloud resources, which can be an a udit concern for many regulated organizations. Many auditors and security professiona ls feel that any shared technology can potentially expose your assets through vulnerabilitie s in the multi-tenant architecture. How strong are the mechanisms that provide isolation to your data ? Two recent vulnerabilities in 2018, Meltdown and Spectre, are among some of those threats that pose a risk to application isolation requiring both firmware and operating system level p atching (Donohue, 2018).

8 C LOUD CONSIDERATIONS – W HAT YOU NEED TO KNOW PRIOR TO MAKING THE LEAP JP Morgenthal was quoted in a Forbes article as sayin g:

There are not as many trained professionals with ski lls on how to secure cloud applications and, thus, there is a greater likelihoo d of a mistake in the configuration of a cloud environment. These mistakes are a lot more dif ficult to make in a private data center. However, each is open to breach. (Poremba, 2 018, para. 2).

The best bet for keeping security in any environment under control is to have educated staff that know your systems and environment, conduct regular routine patching, limit access for users, systems, and applications to least privilege, and be familiar with what's happening in your environment through monitoring, logging, and auditing . Unexpected Costs As mentioned previously, elastic computing allows for provisioning of servers automatically.

However, if you are not aware of the amount of expect ed traffic and plan for the additional usage, you may incur additional costs that you didn’t plan f or. In addition, another type of unexpected cost can come in the form of cloud sprawl. Cloud sprawl is an over-abundance of virtual servers, instances of ap plications, or services running than are needed, and frequently without the knowledge from t he company until the monthly invoice shows up. These virtual servers are frequently turned on b y a developer or engineer to do some testing and then abandoned. It is usually very easy in the cloud e nvironments to initiate new servers or services and not quite as easy to monitor and manage them. This of course benefits the cloud provider, who stands to make more money with more servers being utili zed. Additionally, unmanaged virtual machines pose a secur ity risk. In an article from the International Journal of Emerging Engineering Research and Techno logy, it discussed virtual machine sprawl, stating “This dynamic nature and possible for VM spraw l makes it difficult to achieve and maintain consistent security,” (Ballada, 2017, para. 14). Therefore, it is very important as a consumer to have a plan in place to monitor cloud storage and maintain the environment so those unexpected line item s don’t show up on the monthly bill. Conclusion There are many reasons one may consider the cloud as a viable option for hosting one’s services.

The benefits of potential lower cost, flexible scal ability, and no aging equipment are worth considering. However, the transition must be successf ul in order to achieve any of these benefits.

Many companies have attempted the transition and suffere d for failed altogether. This is primarily due to lack of planning and education. Know your applications and decide if they are good ca ndidates for the new environment. Realize that new technology is hard to support if you do not ha ve staff educated in that technology. Plan to incorporate security up front so you don’t build in v ulnerabilities into the architecture. Finally, realize that there will be unexpected costs. Budget f or failure. Allow enough time to build these concepts into your final plan and you may be a succe ss story. 9 C LOUD CONSIDERATIONS – W HAT YOU NEED TO KNOW PRIOR TO MAKING THE LEAP Sources Ballada, L., (2017, February). My cloud data logger. International Journal of Emerging Engineering Research and Technology 5(2) 32-35 DOI: http://dx.doi.org/10.22259/ijeert.0502004 "Benjamin Franklin Quotes." (2018, February 17). Benjamin Franklin Quotes. Retrieved from https://www.quotes.net/quote/36948 Choudhary, V., & Vithayathil, J., (2013, October 1). The impact of cloud computing: Should the IT Department be organized as a cost center or a profit center? Journal of Management Information Systems (pg. 88, p 3) DOI:10.2753/MIS0742-1222300203 Cloud computing terms. (2018). Microsoft Azure. Retrieved from https://azure.microsoft.com/en- us/overview/cloud-computing-dictionary/ Donohue, B., (2018). Meltdown and spectre attacks expl oit speculative execution in processor chips.

MKA Cyber . Retrieved from https://mkacyber.io/news/meltdown-and-spectre-attacks/ Endler, M. (2014, June 24). Microsoft Exchange Onli ne suffers service outage. Information Week.

Retrieved from https://www.informationweek.com/cloud/software-as-a- service/microsoft- exchange-online-suffers-service-outage/d/d-id/1278829 Fleece, J. (2015, November 17). Why cloud computing implementations typically fail. Forbes. Data retrieved from https://www.forbes.com/sites/sungardas/2015/11/17/w hy-cloud- computing-implementations-typically-fail/ Hendricks, D. (2014, January 14). Why HealthCare.gov was desperate to switch hosting providers.

Forbes. Retrieved from https://www.forbes.com/sites/drewhendricks/2014/01/1 4/why- healthcare-gov-was-desperate-to-switch-hosting-providers/ Ho, S.M., & Booth, C., & Ocasio-Velazquez, M., (2017). Trust or consequences? Causal effects of perceived risk and subjective norms on cloud techno logy adoption. Elsevier Ltd. DOI:

10.1016/j.cose.2017.08.004 Introduction to AWS economics - Reducing costs and com plexity. (2015, May). Amazon Web Services. Image retrieved from https://d0.awsstatic.com/whitepapers/introduction-to-aw s- cloud-economics-final.pdf Linthicum, D. (2017, February 28). Cloud project? Prepare for failure. Infoworld. Retrieved from https://www.infoworld.com/article/3174482/cloud-compu ting/cloud-project-prepare-for- failure.html Mell, P., Grance, T. (2011, September). The NIST definition of cloud computing. National Institute of Standards and Technology . Retrieved from https://csrc.nist.gov/publications/detail/sp/800- 145/final Okyle, C. (2014, November 20). Microsoft says 11-hou r Azure outage was caused by system update.

Entrepreneur. Retrieved from https://www.entrepreneur.com/article/240029 10 C LOUD CONSIDERATIONS – W HAT YOU NEED TO KNOW PRIOR TO MAKING THE LEAP Poremba, S. (2018, February 17). 7 Common misconcep tions about security threats in cloud computing. Forbes. Retrieved from https://www.forbes.com/sites/sungardas/2015/05/12/7-c ommon-misconceptions-about- security-threats-in-cloud-computing/ Rouse, M. (2017, December 29). Lift and shift. Techtarget. Retrieved from http://whatis.techtarget.com/definition/lift-and-shift Watts, S. (2017, September 22). SaaS vs PaaS vs IaaS: What’s the difference and how to choose.

BMC. Image retrieved from http://www.bmc.com/blogs/saas-vs-paas-vs-iaas-whats -the- difference-and-how-to-choose/ What is cloud computing? A beginner’s guide. (2018). Microsoft Azure . Retrieved from https://azure.microsoft.com/en-us/overview/what-is-clo ud-computing/