Cloud Governance Framework - Required Cloud Sourcing Capabilities



The introduction of cloud computing and cloud sourcing requires an appropriate cloud governance structure to ensure a secure computing environment and to comply with all relevant organizational information technology policies. As such, organizations need a set of cloud governance capabilities that are essential when effectively implementing and managing cloud services.


ICST Transactions on e-Business
Research Article

Transformation to Cloud Services Sourcing: Required IT Governance Capabilities

Anton Joha1,* and Marijn Janssen2
1 EquaTerra, antonjoha@gmail.com
2 Delft University of Technology, m.f.w.h.a.janssen@tudelft.nl
* Corresponding author. Email:

Abstract

The sourcing of cloud services is a relatively new type of service delivery model in which an organization gets access to IT services via a cloud service provider that is delivering services over the web to many users on a pay per use or period basis. Even though the importance of IT governance is often underlined, there is limited literature available regarding the required IT governance capabilities that public sector organizations need to have in place to successfully implement and manage a cloud service delivery model. Using an existing governance framework of IT core capabilities as basis, the required cloud computing capabilities are investigated using interviews and studying reports. The analyses helped to identify 16 discriminating capabilities that are essential when effectively implementing and managing cloud services in the public sector. Different factors, including the cloud service and deployment model, the strategic intent underlying cloud sourcing, the degree and complexity of cloud sourcing and the IT governance structure, were found to influence the relevance of cloud capabilities and the relevance might also change over time.

Keywords: Cloud computing, Public sector, IT core capabilities, IT governance, Outsourcing, Public sector, Sourcing.

Received on 14 December 2011; accepted on 05 February 2012; published on 05 September 2012

Copyright © 2011 Joha et al., licensed to ICST. This is an open access article distributed under the terms of the Creative Commons Attribution licence (, which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.

doi: 10.4108/eb.2012.07-09.e4

ICST Transactions on e-Business | July-September 2012 | Volume 12 | Issues 7-9 | e4

1. Introduction

Government agencies are in different stages of development and looking for different ways to improve their service provisioning, while at the same time trying to reduce their costs due to severe budget cuts (Chen, 2003). One way of restructuring IT and business functions is by using cloud computing. A cloud infrastructure consists of application services hosted on a distributed hardware and providing a one point of access for users from anywhere at any time. Clouds can be viewed as a new type of sourcing model in which IT-based services are provided over communication networks to users, enabling for faster implementation of software changes (Bennet et al., 2001) and allowing to get rid of the own installation, control and maintenance of the IT function (Gonçalves & Ballon, 2011). Often, users pay a certain fee for the use of the software or for a certain period that the software will be used. Other forms are possible, but the essence of all forms is that no upfront investments are necessary from the user perspective. Cloud service providers host and provide access to software applications over a network. This type of sourcing model enables the development of a service only once and provides it to many users. Within the public sector there is an opportunity for a similar shift and there are already some notable and visible examples of cloud services, including the use of office applications provided by the cloud model and services to citizens which are hosted in a cloud. In both examples the governmental agencies do not have to develop or maintain the services in-house and they rely on the cloud provider. Cloud services can be provided by organizations within the public sector, but also by private companies residing outside the public sector, in this way providing at least two ways of sourcing.
It is often argued that cloud computing has implications for both businesses and management (Olsen, 2006) and cloud computing will change the relationship between buyer and seller (Sääksjärvi et al., 2005). Yet, the specific IT governance capabilities required by public sector organizations to successfully source and manage cloud services have remained unexplored. The goal of this paper is to understand the cloud governance capabilities that are required when introducing and implementing a cloud computing model in the public sector. This paper is structured as follows. In the next section, the background of cloud computing is discussed, including its relationship with outsourcing and the governance framework of IT core capabilities from Feeny and Willcocks (1998) that is used as basis to analyze the interviews and documentation. In section three, the research approach is presented, followed by an overview of the cloud computing activities in the Dutch and US public sector. Section five discusses the findings and conclusions are drawn in section six.

2. Background

2.1. Cloud Computing

There is no agreement about a definition of clouds, though there are some characteristics that are more or less agreed. These are that clouds offer resources on demand (Rosenthal et al., 2010) from which application services can be accessed over a network (Buyya et al., 2009). In most clouds charges are paid per use, but there is no consensus about this characteristic. Rosenthal et al. (2010) provide a set of features of cloud computing. Janssen and Joha (2010) add two additional characteristics based on the idea that a cloud is a distributed system that is presented as one infrastructure that provides services based on service level agreements. These characteristics are:

(1) Resource outsourcing
(2) Utility computing
(3) Large number of (inexpensive) machines
(4) Automated resource management
(5) Virtualization
(6) Parallel computing
(7) Data access control
(8) Service level agreements

A cloud consists of large farms of inexpensive servers which are distributed over several locations. The basic idea of the use of clouds is to shift the responsibility to install and maintain hardware and basic computational services away from the user to the cloud vendor (Rosenthal et al., 2010). The cloud vendor should ensure security, scalability, availability, reliability and data access control mechanisms. In a cloud there is a dedicated pool of hardware and virtualization software that can be used to support a variety of tasks and provide services to the cloud participants. Cloud computing can be categorized into three main service models (Dillon et al., 2010; NIST, 2011c):

  • Cloud Software as a Service (SaaS). The public sector organization has access to a provider’s applications running on a cloud infrastructure. The public sector does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
  • Cloud Platform as a Service (PaaS). The public sector organization has the ability to deploy onto the cloud infrastructure customized or acquired applications created using programming languages and tools supported by the provider. The public sector organization does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
  • Cloud Infrastructure as a Service (IaaS). The public sector organization has access to processing, storage, networks, and other fundamental computing resources and is able to deploy and run arbitrary software, which can include operating systems and applications. The public sector organization does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and limited control of select networking components.

The cloud deployment model concerns the specific cloud environment that is used to deliver cloud services to the users. Four deployment models are generally distinguished in the literature (Dillon et al., 2010; Kundra, 2011; NIST, 2011c). A private outsourced cloud is a closed environment for a single organization hosted by a third party, while a private in-house cloud is hosted internally (Kundra, 2011). A public cloud is owned by a SaaS service provider that makes it available to the general public, while a community cloud is shared by several organizations with common policies, requirements, values, and concerns and can either be hosted externally by a third party or in-house (Dillon et al., 2010). Hybrid clouds can consist of combinations of the other cloud models. It is postulated that the different forms and deployment models of cloud services will have an influence on the cloud capabilities that are required.

2.2. Clouds and Sourcing

Whereas there is relatively limited research literature about cloud computing, there is a wealth of literature on outsourcing (Gonzalez et al., 2006; Lee et al., 2003). IT outsourcing is about the contracting out of certain IT functions to an external service provider that in return provides the service for a certain period of time and for a certain amount of money (Willcocks & Kern, 1998). Business Process Outsourcing (BPO) is the situation in which a supplier takes over responsibility for one or more of an organization’s business processes (Borman, 2006). Outsourcing arrangements address the relationship between one client having one or more external vendors, and in case a private cloud model is used, this is also the case with sourcing cloud services. In case of a community or public cloud however, the arrangement generally consists of many clients and one cloud vendor. Cloud computing can thus be viewed as a type of sourcing arrangement, in which the cloud service providers can be viewed as a specific type of provider. There are various ways of sourcing like inside or outside the public sector and sourcing requires the use of capabilities for managing sourcing arrangements (Borman, 2006; Feeny & Willcocks, 1998).

2.3. Governance Framework of IT Core Capabilities

Decisions about and around (out)sourcing transitions are part of a much broader framework called IT governance. IT governance refers to the “patterns of authority for key IT activities” (Sambamurthy & Zmud, 1999, p. 261) and IT governance mechanisms determine how communication, responsibilities and decision-making structures are formalized (Weill & Ross, 2005). Important attributes of IT governance are the roles and responsibilities of the different actors involved (Weill and Ross, 2005) and the related capabilities that are core to the business's future capacity to exploit and govern the demand and supply of IT successfully (Feeny & Willcocks, 1998; Mayer & Salomon, 2006).

Sourcing requires that the end-user organization has the necessary IT core capabilities to implement and manage the sourcing arrangement. The provider is at an arm’s length which requires other capabilities than when having an own IT department. The IT core capability concept is defined by Feeny and Willcocks (1998) and their IT governance framework has been successfully verified in a couple of consecutive articles (Willcocks & Feeny, 2006; Willcocks et al., 2006). Willcocks and Feeny (2006, [p. 49]) define a capability as ‘a distinctive set of human resource–based skills, orientations, attitudes, motivations, and behaviors that have the potential, in suitable contexts, to contribute to achieving specific activities and influencing business performance’. Following Willcocks and Feeny (2006) we define a cloud governance capability as a capability to effectively manage and govern the sourcing of cloud services, measurable in terms of IT activities supported, and resulting business performance.

Feeny and Willcocks (1998) view IT capabilities as core to the business's future capacity to exploit IT successfully. Four main areas are defined that a company must successfully address over time: (1) the IT governance area, (2) the technical area, (3) the business area and (4) the supply area. In the governance area, the role of IT within the business is defined, combined with the responsibilities of the IT department, the business departments and the IT service providers in achieving that role, while the technical area is concerned with ensuring that the business has access to the technical capability it needs in order to translate the business requests and requirements into IT specifications (Feeny & Willcocks, 1998). The business area is about demand management and involves defining the business requirements in order to address the need for alignment between business and technology. The supply area, finally, is about managing and monitoring the supplier in order to assure they deliver the required quality of the IT services.

Feeny and Willcocks (1998) initially found nine capabilities that enable a business to consistently address the described four areas in order to exploit IT successfully, now and in the future. In a later article to validate the model, Willcocks et al. (2006) also found a tenth capability, IT project management, though no explicit definition similar to the other capabilities was provided. These ten capabilities and their definitions are depicted in Table 1.

Table 1. Governance Framework of IT Core Capabilities (Feeny & Willcocks, 1998; Willcocks et al., 2006)

IT core capabilities | Definitions (Feeny and Willcocks, 1998)
1) Leadership | Integrating IS/IT effort with business purpose and activity
2) Business systems thinking | Envisioning the business process that technology makes possible
3) Relationship building | Getting the business constructively engaged in IS/IT issues
4) Architecture planning | Creating the coherent blueprint for a technical platform that responds to current and future business needs
5) Making technology work | Rapidly achieving technical progress, by one means or another.
6) Informed buying | Managing the IS/IT sourcing strategy that meets the interests of the business
7) Contract facilitation | Ensuring the success of existing contracts for IS/IT services
8) Contract monitoring | Protecting the business's contractual position, current and future
9) Vendor development | Identifying the potential added value of IS/IT service suppliers
10) IT Project management | This capability was included in a later paper (Willcocks et al., 2006).

These ten capabilities are viewed from the perspective of the end-user organization and not from the supplier perspective. In other research (Feeny et al., 2005; Lacity et al., 2006a; Lacity et al., 2006b) similar kinds of frameworks have been defined with the capabilities relevant to outsourcing service providers.

3. Research Methodology

The research conducted in this paper has an explorative-descriptive nature. Our goal is to develop an understanding of the IT governance capabilities required for public sector organizations that want to successfully implement and manage cloud services. This research takes the governance framework of IT core capabilities by Feeny and Willcocks (1998) as a starting point, extending and refining it for cloud computing. This model is useful as it finds its roots in outsourcing relationships and cloud computing can be viewed as a type of sourcing arrangement, in which the cloud providers can be viewed as a specific type of outsourcing provider. Exploratory research was chosen due to the need to investigate and explore the IT governance capabilities required by public sector organizations for cloud computing arrangements. Interviews were conducted within the Dutch government and these were complemented by studying international case study reports and documents. Interviews allowed us to explore and in-depth discuss the concept of cloud computing, in this way creating a better understanding of the possible challenges and the required capabilities when adopting and managing cloud services in the public sector. Thirteen interviews were conducted using open-ended questions, informed in many ways by our understanding of cloud services and outsourcing as presented in the background of this paper. The interviews lasted between one and two and a half hours and the interviewees included Dutch IT-managers, outsourcing specialists, outsourcing and cloud decision-makers and IT-experts from a variety of public organizations, including the tax authority, social security agency, Ministry of the Interior and Kingdom Relations, municipality association and two municipalities. In this way, a broad range of organizations and views were covered. Interviewees covered persons in organizations that were already using cloud services as well as those who are considering the use of cloud computing or did not decide to use it.

4. Clouds Sourcing in the Public Sector

The Dutch cloud strategy was driven by the cloud strategies in the US. Both the Dutch and the US public sector consist of many organizations that have IT environments that can be characterized as difficult to manage, heterogeneous, with duplicative systems with low asset utilization, negatively impacting its ability to serve its citizens. There are several big public organizations having large data centers and many small organizations that find it hard to manage their IT services and resources. The US government developed a decision framework that was created to support agencies in migrating towards cloud services such as cloud-based SaaS, PaaS and IaaS. The revenue model proposed was based on the idea that users will only pay for the IT resources they consume, and would be able to increase or decrease their usage to match their requirements and potential budget constraints. Following the publication of this strategy, each agency was required to re-evaluate its technology sourcing strategy to assess the use and implementation of cloud-based technology and application solutions as part of the budget process (Kundra, 2011). In the Netherlands it was recently decided to create a public cloud infrastructure. The rationale is based on the reduction of the 61 data centres and the lowering of energy consumption which accounts for 15 million annually (Hillenaar, 2010).

5. Analysis and Discussion

5.1. Cloud Governance Capabilities

Feeny and Willcocks’ (1998) governance framework of IT core capabilities was used to identify the capabilities that are core for the implementation of a cloud computing service delivery model for the public sector. Table 2 shows each of the 10 IT core capabilities and how they relate to the 16 identified cloud governance capabilities that are required when sourcing and managing cloud services. The table also shows the typical role(s) involved in executing each cloud capability, as this was an important indicator to identify the discriminating cloud capabilities. The relationship between a role and an individual can be clarified as follows:

  • One role can be fulfilled by one or more individuals;
  • One individual can fulfill one or more roles.

Table 2. Identified IT Governance Capabilities for Sourcing Cloud Services
  5. 5. Transformation to Cloud Services Sourcing: Required IT Governance Capabilities Redefined and Clarification of the IT governance capabilities for sourcing Typical extended IT cloud services role(s)IT core governance involved incapabilities as capabilities for executingdefined by sourcing cloud each cloudFeeny and services capabilityWillcocks (1998)1) Leadership 1) Cloud Defining the overall federal IT governance and strategy in terms Federal CIO, Leadership of the organizational structures, the processes and the staffing agency relevant to the cloud services, in order to address all the main executive activities in the business, technical and supply areas and to manage all potential (inter)dependencies between these areas.2) Business 2) Cloud Defining the decentralized business strategy and the translation Business unit systems Business of that strategy to a cloud strategy, where choices have to be CIO/manager, thinking Strategy and made about the role and the priority of cloud services within the Head of IT Policy organization, including the make or buy decision about sourcing cloud services.3) Relationship 3) Demand Defining business functionality and its dependencies, including Information building Management the translation to IT/cloud specifications, demand forecasting manager and interfacing with the end users. 4) Relationship Providing a single point of contact through which the business Relationship Management organization can ensure that problems and conflicts are manager resolved fairly and promptly, within a framework of agreements and relationships.4) Architecture 5) Architectural Creating the coherent blueprint for a technical cloud platform Infrastructure planning Design and that responds to current and future business needs and architect Standards maintaining the technical consistency and standards between cloud information systems. 6) Data Ensuring data security, privacy, compliance, portability and Data Security interoperability. 
architect, Management cloud security specialist 7) Application Responsible for software design, coding, testing and Cloud Lifecycle configuration of customized cloud business applications, but application Management also for cloud application maintenance and application developer upgrades5) Making 8) IT Network Given that the Internet and intranet are the main ways to Network technology Management access cloud application services, the IT network management specialist, work capability needs to ensure that potential network problems can infrastructure be rapidly fixed. manager6) Informed 9) IT/Cloud Tracking cloud market developments and suppliers and leading IT/cloud buying Procurement the selection process for cloud services including negotiating procurement about procurement terms and conditions with suppliers. officer 10) Risk and Monitoring and auditing potential risk/compliance issues Risk officer, Compliance involved in sourcing cloud services. auditor Management 11) Legal Providing support when entering into (new) agreements with Legal advisor Expertise cloud service providers and making changes to existing contracts, including handling all legal issues related to clouds.7) Contract 12) User Support Providing support to users by means of training and by a (self) Service desk facilitation service desk. employee8) Contract 13) Contract Ensuring contractual compliance by the cloud providers on Contract monitoring Management strategic and tactical level and managing any required contract manager modifications, taking into account all the relevant aspects including financial, legal, technical and business dimensions. 14) Service Managing the performance of the service delivery on tactical Service Management and operational level as specified in the contractual manager performance metrics, including performance management and maintenance of the cloud service catalogue. 
15) Financial Tracking, monitoring and reporting on the IT budget and Financial Control ensuring that the cloud services meet the committed and controller predefined financial goals.9) Vendor The ‘vendor development’ capability was not distinguished as a ICST Transactions on e-Business 5 July-September 2012 | Volume 12 | Issues 7-9 | e4
  6. 6. Joha et al. development specific capability or role. Creating added value happens at each level and role of the supply area and this specific capability can be incorporated within all the other capabilities. 10) IT Project 16) IT Project Managing a project or a portfolio of multiple ongoing inter- Project / Management and Portfolio dependent cloud projects that are executed internally and/or by program Management cloud providers. managerFive capabilities in Feeny and Willcocks’ framework the cloud service provider. Interviewed governmentalcould almost be individually translated to the cloud representatives mentioned that this would enabledomain, though they needed some refinement, both in governments to better keep control over their privacyterms of the terminology used for the capability as well as sensitive data, avoid potential security problems, ensurefor the definitions. In four instances, the capabilities authorization, identification and encryption, and to avoiddefined by Feeny and Willcocks (1998) have been split legislation and regulation risks by outsourcing this to ainto 2 or more different capabilities because of the special third party and nevertheless gain advantages of thisimportance of these capabilities for cloud computing and development.because of the distinct and different nature of these Agencies could bypass the federal or internal ITcapabilities in terms of roles. One capability in Feeny and department to acquire their own cloud services, whichWillcocks’ framework, vendor development, was not could create difficulties in data integration or servicedistinguished as a specific capability or role. This interoperability in the future within the public sector andcapability is meant to ensure that added value is created therefore overall policy standards and guidelines need toby IT outsourcing, but creating added value happens at be defined. 
The policy needs to be followed by agencieseach level and role of the supply area and this specific to ensure that the agencies comply to regulatory or legalcapability can therefore be incorporated within all the requirements, to enforce organization-wide consistencyother individual capabilities within the supply area. In the and to make sure that the agencies have guidelines in casepart hereafter the capabilities are discussed in more detail. they want to use cloud services. As such, the US government published a federal cloud computing strategy,Cloud Leadership providing a decision framework to support agencies inCloud leadership is about defining the overall federal migrating towards services such as cloud-based SaaS,IT/cloud governance and strategy in terms of the PaaS and IaaS (Kundra, 2011).organizational structures, the processes and the staffing, inorder to address all the main activities in the business, Demand Managementtechnical and supply areas and to manage all potential The demand management capability facilitates the(inter)dependencies between these areas. It also includes dialogue between the business and the IT departmentcreating organization-wide support and strategic regarding cloud services and is responsible for definingstakeholder management for implementing cloud services. the functional requirements with regard to the cloudInterviewees indicated that the choice for cloud solution. The defined cloud policy has to be translatedcomputing is a decision that has a long-term and strategic into cloud functionality and the underlying specificationsimpact, requiring significant organizational changes in and service levels with regard to the cloud services haveorder to adopt and manage this new service delivery to be defined. This capability also includes demandmodel. 
The US federal government created a 25-point forecast for the expected consumption and use of cloudfederal IT reform plan to address their new IT strategy, in services by the agencies, ensuring alignment withwhich cloud computing was an important element corporate IT, controlling the decentralized cloud budget(Kundra, 2010). and monitoring local cloud SLAs. Agencies could have the possibility to directly buy services from the cloudCloud Business Strategy and Policy provider by means of a service catalogue, which is aThis capability is concerned with defining, integrating and document listing the portfolio of possible cloud servicesaligning the business objectives with IT/cloud capability. that the agencies can buy from the cloud serviceThe overall business strategy from all of the decentralized provider(s) supported by the cloud outsourcing contract.governmental agencies has to be translated to a cloudstrategy, resulting in an information policy, which takes Relationship Managementinto account all the requirements and potential This capability involves managing the requirements and(im)possibilities of the cloud solution. This also includes problems within the business units with regard to thedefining the sourcing strategy in terms of the decision to cloud services. Relationship management provides aoutsource or not and all the relevant strategic choices single point of contact through which the businessrelated to this decision including which cloud deployment organization can ensure that problems and conflicts aremodels can be used. Although clouds can be outsourced resolved fairly and promptly, within a framework ofto a service provider, clouds can also be operated as agreements and relationships. It involves also handlinginternal arrangements within the government. 
In such a requests from decentralized entities for action on issuesconstruction the internal IT department will function as that range from minor questions to very significant crises, ICST Transactions on e-Business 6 July-September 2012 | Volume 12 | Issues 7-9 | e4
being the focal point of contact for business managers, facilitating people relationships and devising processes for conflict resolutions regarding the cloud delivery model.

Architectural Design and Standards
Through insight into technology, cloud service providers and the requirements from agencies, the architectural design and standards capability is about the development of the vision of an appropriate technical cloud platform. Without such planning, the organization could end up with independent systems that might result in redundancy, gaps between systems or the inability to integrate cloud systems. Cloud standards need to be determined with regard to the technical platforms, e.g. networks, protocols, resilience. Questions about standardization, security of the architecture, the necessary flexibility and the integration with other components need to be addressed, but also the implications for the people using the technology. In the US federal government a lot of attention is paid to standards (NIST, 2011b) and there is a central group involved with standards management responsible for establishing a framework and roadmap to define standards facilitating interoperability, portability and security of cloud services.

Data Security Management
The data security management capability involves setting enterprise level data requirements regarding security, privacy and compliancy and enforcing policies for protecting sensitive corporate and customer data from being shared, including managing all forms of virus prevention and detection relative to public cloud services. This also comprises the development of a framework for sharing user identities and providing user access to sensitive data, including conditions under which service providers, third parties and government agencies may have access to the company’s data. The framework should include authentication, authorization and use of physical devices like digital signatures, encryption, social barriers, and monitoring by humans and automated systems. The framework should be audited and updated regularly to address changing technology and service delivery mechanisms. In the federal US government a central department was set up in order to identify, aggregate, and disseminate security, privacy and compliance issues, solutions and processes that could impact the adoption and implementation of cloud services.

Application Lifecycle Management
Application lifecycle management is responsible for design, coding, testing and configuration of customized business applications, but also for application maintenance and application upgrades. Activities include monitoring emerging cloud technologies and leading the investigation and adaptation of new cloud application technology, documenting the existing cloud application architecture portfolio, setting formal policies and processes to integrate cloud applications; defining processes and criteria for granting exceptions to the cloud applications standards and defining architecture components and interfaces based on application architectural standards with regard to cloud computing.

IT Network Management
In cloud computing, it is essential that the network capacity is meeting the required standards as the Internet and intranet are the main ways to access cloud application services. IT network management is about ensuring the quality of the network and local or remote servers. The cloud infrastructure should have the necessary capacity and processing power at all times. This network capability could be outsourced, but it was suggested by interviewees that it is important that potential network problems can be rapidly fixed and to retain parts of this capability in-house. The main risk is that increasingly less operational technology knowledge seems to be necessary in cloud arrangements, while the dependency on the service providers is increasing. The network dependency is also recognized as such by the National Institute of Standards and Technology (NIST, 2011a) recommending that the traditional IT skills required to manage devices that access the private cloud need to be retained, also for managing special hardware or system requirements and unique security needs for special projects.

IT/Cloud Procurement
IT/Cloud procurement is responsible for analyzing the cloud service providers and leading the procurement process for the selection of a cloud provider till the moment the contract has been signed. This includes managing the Request for Proposal (RFP) process, which includes the collection and verification of equipment and component requirements and SLA specifications, development of the RFP, evaluation of the responses and giving recommendations for supplier selection to the agencies.
This also includes the responsibility for assuring that the cloud procurement is completed within the predefined timeframe and meets the identified cost objectives as well as continuously analyzing the external cloud services

Risk and Compliance Management
This capability needs to ensure that potential regulatory and compliance risks are identified and also needs to continuously confirm that the assurance methods adopted by service providers are evolving to include, in addition to SAS 70, the new Service Organization Controls (SOC) reporting model and other cloud security
The cloud infrastructure should be secure and reliable. Although contractually this might be arranged, public organizations do not want to be confronted with problems. Therefore regular audits, either internally by a separate department, or externally, are necessary to determine if the cloud vendor’s infrastructure and support is compliant to the contract. These audits need to be part of risk and
compliance management. Security policies, but also backup, recovery and contingency procedures and plans should be regularly evaluated to account for potential cloud provider failure. Interviewees were suggesting that clear agreements about data ownership need to be made including what will happen in case a SaaS provider goes bankrupt, is taken over by another company, or is changing its strategic orientation and vision.
The interviewees were very reluctant to move to a cloud model on a large scale without any assurances, because of the dependency on the cloud provider, and as part of the risk process, a careful migration strategy was therefore suggested. The interviewees argued that applications and information that are of particular importance must initially be retained in-house and run on the own IT system, but can be maintained by the cloud providers. In case of dissatisfaction with what comes as part of the package with the cloud provider, those applications can immediately be taken over by the own staff. This means fewer risks, but higher retained software costs for the client than may have been initially assumed, and those costs should be understood and be part of the initial business case justifying the use of cloud services.

Legal Expertise
Legal expertise provides support when entering into (new) agreements with cloud service providers and making changes to existing contracts. Out of the interviews, it became clear that the location of storage is an issue, as Dutch governments often require that data will be stored within the Netherlands to ensure that the Dutch law will be in effect to the SaaS providers. It is likely that new agencies or authorities are required to verify and control that data does not cross national boundaries and that licenses are legal. In general the contract needs to take into account issues regarding data protection and regulatory compliance, intellectual property concerns and contingency in the event of business discontinuity caused by the service provider. Also the risks of non-performance and potential exit scenarios need to be contractually defined.

User Support
Interviewees indicated that as cloud services are based on a hosted delivery model, users may find they do not have access to the same level of service and support they would get from their internal IT group or would get in an outsourcing arrangement. As such a (self) service desk needs to be in place for any user support. Supporting and training users on new functionality delivered via the more frequent upgrades enabled by the cloud model requires skilled resources, but not all cloud providers will offer the level of support required to meet end-user needs, especially during initial implementation efforts. As a result, public sector organizations must account, plan and budget for all required support requirements.

Contract Management
Contract management is about ensuring contractual compliance by the cloud provider(s) on strategic and tactical level and managing any required contract modifications, taking into account all the relevant aspects including financial, legal, technical and business dimensions. This includes contract administration, monitoring compliance with terms and conditions, review and revision of contract changes, supplier negotiation and contract interpretation for dispute resolution. Long term sustainability is a key issue, as the bankruptcy or other problems of the cloud vendor could jeopardize certain business operations. Data might simply not be available anymore in specific circumstances.
The interviewees considered good contracts to be essential, as this is an important instrument to avoid the risks and accomplish the benefits of cloud computing. Contracts are more complicated as they should be flexible and demand instant scaling up based on pay per use on the one hand, whereas on the other hand long-term sustainability, software access and information storage requirements need to be met. These short term and long term interests might be conflicting, as the cloud provider might require some kind of payment if longer term commitments are part of the contract. Effective contract monitoring means holding suppliers to account on both existing service contracts and the developing performance standards of the services market. This includes developing service level measures and service level reports, specifying escalation procedures and cash penalties for non-performance (Kern and Willcocks, 2001).

Service Management
The service management capability involves managing the performance of the service delivery on a tactical and operational level as specified in the contractual performance metrics, including performance management and maintenance of the service catalogue, to ensure that performance targets continue to be met, users remain satisfied, the expected service levels continue to be achieved and the services continue to be performed and delivered in the expected manner. This includes monitoring, reviewing, managing, changing and reporting on all cloud service levels. The cloud provider is normally able to retrieve information regarding SLA compliance, usage levels, account activity, etc. Further activities include, but are not limited to, ensuring that the cloud performance review system and the SLA metrics are maintained to be relevant to the outsourcing contract, applying service level penalties if the cloud supplier performs below the service credit threshold and approving change requirements.

Financial Control
Financial control is about tracking, monitoring and reporting on the IT/cloud budget and ensuring that the outsourced services meet the committed and predefined financial goals. Relevant activities include directing and coordinating the organization’s financial IT planning and IT/cloud budget management functions, recommending
benchmarks for measuring the financial and operating performance of the cloud supplier, monitoring the overall cost of the cloud contract, preparing financial analysis for contract negotiations with the cloud supplier, and coordinating with the contract administration for payment procedures and budget procedures related to the delivered cloud services.

IT Project and Portfolio Management
IT project management is the application of knowledge, skills, tools, and techniques to plan and execute IT project activities that meet the predefined objectives in terms of planning, cost and quality (Project Management Institute, 2000). Especially for cloud computing services, the transition and migration strategy and activities have been recognized as very important by the interviewees. This capability includes identifying and planning project activities, minimizing risk and managing the project, the resources and team members. When implementing cloud services also the (inter)dependencies with other IT/cloud projects need to be taken into account, managing multiple projects as a portfolio. This capability was initially not included in Feeny and Willcocks’ IT capability framework as they considered project management not as a specific IT core capability but as an organizational one. When verifying their model however, they also found this capability to be distinctive to the IT function (Willcocks et al., 2006).
Based on the analysis in the former section, Feeny and Willcocks’ capability model could be refined and extended for cloud computing. In Figure 1, the sixteen distinguished cloud governance capabilities have been plotted within the governance, business, technical and supply area.

Figure 1. Cloud Governance Capability Model (based on Feeny & Willcocks, 1998; Willcocks et al., 2006)

Several interviewees mentioned that uncoordinated adoption and not having the appropriate capabilities in place could undercut the financial benefits of cloud computing, and severely increase the risks. They indicated the need to first find out which capabilities are required and ensuring that investments can be made and organizational structures and routines are in place before the cloud model can be used on a large scale. By developing and implementing the required capabilities first and experiment on a small scale, the intricacies and expertise needed could be

5.2. Relevance of the Cloud Capabilities

Determining the relevance of the different capabilities is important in order to determine which and how many individuals can fulfill the role involved in executing the
respective capability. When the relevance of a certain capability increases, it implies that either a higher quality of the individual fulfilling that capability is required, or that more individuals are necessary to fulfill that specific capability. When the relevance of a capability decreases, it implies that this capability might be integrated with other related capabilities so that one individual can fulfill a role that covers multiple capabilities. There are different factors identified that influence the relevance of the capabilities in some way or another and these will be discussed in the following paragraphs.

Cloud Service and Deployment Model
The capabilities in the governance area were found to be relevant for all cloud service models. Leadership is required for all cloud implementations, and so is the IT project and portfolio management capability to successfully implement the cloud solution taking into account all the (inter)dependencies. Legal expertise and risk and compliance management need to be in place in order to ensure that as many legal and compliancy risks are mitigated and minimized. The capabilities within the technical domain are more important in IaaS and PaaS arrangements than in SaaS arrangements, as the cloud provider will be having more technical responsibilities in SaaS arrangements. The importance of the capabilities within the supply area will therefore however increase in SaaS arrangements because of the increased dependency on the service provider. Also the capabilities within the area are more important in SaaS arrangements given the critical business nature of the applications. There are also differences between the control and capabilities required for private and public clouds, as in the latter case there will be an increased emphasis on the capabilities within the supply area given the decreased control over a public cloud.

Strategic Intent Underlying Cloud Sourcing
The strategic intent underlying cloud sourcing refers to the benefits that are sought to be achieved by introducing and implementing cloud services. In the US federal government all participating agencies can prioritize one or more different strategic intents and according to their individual requirements, an appropriate cloud solution can be provided. In case the main focus is on cost reductions and/or cost savings, the importance of the supply management capabilities such as financial control and contract management will increase to ensure that costs will be properly managed and the expected cost savings and reductions will be achieved.
In case the main focus is to improve the services to the business by delivering more precisely on changing business requirements, the importance of the capabilities within the business area will increase, as the functional requirements from a business perspective will have to be defined and translated to an appropriate cloud solution.

Degree and Complexity of Cloud Sourcing
The need to manage an outsourcing arrangement increases proportionally with the degree of outsourcing in terms of the size of the outsourcing deal(s) (Barthélemy, 2001; Kern & Willcocks, 2001). The more clouds have been outsourced to multiple vendors and the higher the contract value, the higher the costs will be to transition the cloud activities to a new supplier or to insource the activities again. This implies that more control is needed, not only from contract management, service management and financial control, but also from the capabilities in the governance area to mitigate the risks as much as possible. When the variety and number of cloud projects increase, so will the complexity of the relationship with the cloud vendor(s). An increase of complexity might well result in an increase of the number of hierarchical levels and requires further standardization of procedures (Kern & Willcocks, 2001). The governance capabilities become more important, because the organizational structures, processes and procedures need to become formalized and standardized as much as possible to improve the coordination. The technical area will also rise in relevance as the responsibility to provide the expertise for the technical standardization and integration of the different cloud activities is within this area. It was suggested that also in case of only in-house clouds, all 16 capabilities are required, as public organizations will increasingly have to develop and professionalize their own internal organization in such a way as if they would interact with the external

IT Governance Structure
An important organizational factor is whether the IT governance structure is centralized, decentralized or federated, which was also found by Earl et al. (1996) and Sambamurthy and Zmud (1999). In case of a centralized IT governance structure, the capabilities in the technical and supply area become more important as there will typically be a focus on increasing standardization and efficiency. In case there is a decentralized IT governance structure, the capabilities in the business area will become more important, as the IT function will be mainly controlled by the decentralized business entities which are responsible for defining the cloud strategy and their specific cloud requirements. In a federated IT governance structure the control over the IT function is divided between central and decentral units, increasing the need for strong leadership and coordination (Hodgkinson, 1996). As such, the capabilities in the governance area will increase in importance.

5.3. Differences with regular IT Outsourcing

There are several differences between the capabilities required for regular IT outsourcing services compared to those relevant for cloud sourcing. Given the dependency on the service provider and that there are other risks involved than in normal outsourcing arrangements, risk and compliancy management and legal expertise are
important capabilities for cloud arrangements. These risks, including security and privacy risks, also need to be taken into consideration in the technical dimension with additional capabilities such as data security management and application lifecycle management. Some interviewees indicated that cloud computing is changing the nature of the organization, providing more decentralized power to the business users and therefore also making the business capabilities more important than in regular outsourcing arrangements. Because of this shift, it was also suggested that certain capabilities within the supply domain, e.g. contract and service management, though relevant, were less demanding roles than within regular outsourcing arrangements. Another important remark is that at some point the cloud market will become more mature and standardized in terms of legal contracts, security and compliance standards and that certain capabilities will become less relevant over time when industry standards and best practices become available.

6. Conclusion

A cloud governance capability can be defined as a capability to effectively manage and govern the sourcing of cloud services, measurable in terms of IT activities supported, and resulting business performance. Different core capabilities were required to manage the internal cloud computing demand management process and the external cloud service provider(s). These capabilities can be used by strategists and policy-makers to stimulate the developments of capabilities needed by organizations to manage their cloud providers.
Even though the importance of IT governance is often underlined, there is very limited research literature available regarding the required IT governance capabilities that public sector organizations need to have in place to successfully implement a cloud service delivery model. This paper fills that gap by identifying the IT governance capabilities that are required when introducing and implementing a cloud service delivery model. Using the governance framework of IT core capabilities by Feeny and Willcocks (1998), 16 core cloud capabilities are identified. These are:
1) Cloud Leadership
2) Cloud Business Strategy and Policy
3) Demand Management
4) Relationship Management
5) Architectural Design and Standards
6) Data Security Management
7) Application Lifecycle Management
8) IT Network Management
9) IT/Cloud Procurement
10) Risk and Compliance Management
11) Legal Expertise
12) User Support
13) Contract Management
14) Financial Control
15) Service Management
16) IT Project and Portfolio Management

Several interviewees indicated that uncoordinated adoption of cloud computing and not having the required capabilities in place could increase the risks and undercut the financial benefits of cloud computing. As such, governments need to adopt these capabilities when transforming their operations to cloud computing.
Feeny and Willcocks’ governance framework of IT core capabilities was found to be appropriate to customize for cloud computing. Therefore we argue that in general this framework will be useful as a starting point, but further customization and detailing might be necessary to adopt it for a specific domain.
The analyses show that there are differences between the capabilities required for cloud services compared to those required for regular IT outsourcing services relating to the fact that there are more uncertainties and risks involved in cloud computing that need to be properly mitigated. Moreover, it was found that different factors influence the importance of each of the cloud capabilities, including the cloud service and deployment model, the strategic intent underlying cloud sourcing, the degree and complexity of cloud sourcing and the IT governance structure. The importance of the capabilities can also change over time.
As the market for cloud services is still in its infancy and is expected to significantly evolve over the coming years, there are no best practices yet providing a definitive list of required governance capabilities to manage cloud arrangements and as such this model will need further verification. Further quantitative research into the factors influencing the relevance and quality of these capabilities would also be of interest, including the question if, and to what extent, the identified cloud governance capabilities are different for private sector organizations.

References

Barthélemy, Jérôme (2001). The Hidden Costs of IT Outsourcing. Sloan Management Review, 42(3), 60-69.
Bennet, K. H., Munro, M., Gold, N., Layzell, P. J., Budgen, D. & Brereton, O. P. (2001). An Architectural Model for Service-Based Software with Ultra-Rapid Evolution. Paper presented at the Proceedings of the 17th IEEE International Conference on Software Maintenance (ICSM01) Florence.
Borman, M. (2006). Applying multiple perspectives to the BPO decision: a case study of call centres in Australia. Journal of Information Technology, 21(2), 99-115.
Buyya, R., Yeo, C. S., Venugopal, S., Broberg, J. & Brandi, I. (2009). Cloud computing and emerging IT platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future Generation Computer Systems, 25(6), 599-616.
Chen, H. (2003). Digital Government: technologies and practices. Decision Support Systems, 34(3), 223-227.
Dillon, T., Wu, C. & Chang, E. (2010). Cloud computing: issues and challenges. Paper presented at the 24th IEEE International Conference on Advanced Information Networking and Applications. Retrieved from Cloud%20Computing%20Issues%20and%20Challenges.pdf
Earl, Michael J., Edwards, Brian & Feeny, David F. (1996). Configuring the IS function in Complex Organizations. In: Earl, Michael J., Information Management: the Organizational Dimension, Oxford University Press.
Feeny, D. F., Lacity, M. & Willcocks, L. P. (2005). Taking the Measure of Outsourcing Providers: Successful outsourcing of back office business functions requires knowing not only your company’s needs but also the 12 core capabilities that are key criteria for screening suppliers. Sloan Management Review, 46(3), 41-49.
Feeny, D. & Willcocks, L. P. (1998). Core IS Capabilities for Exploiting Information Technology. Sloan Management Review, 39(3), 9-21.
Gonçalves, V. & Ballon, P. (2011). Adding value to the network: Mobile operators’ experiments with Software-as-a-Service and Platform-as-a-Service models. Telematics and Informatics, 28(1), 12-21.
Gonzalez, R., Gasco, J. & Llopis, J. (2006). Information systems outsourcing: A literature analysis. Information & Management, 43, 821-834.
Hillenaar, M. (2010). Rationalisering en groen om ICT kosten te besparen. Retrieved 11 November, 2011, from
Hodgkinson, Stephen L. (1996). The Role of the Corporate IT Function in the Federal IT Organization. In: Earl, Michael J., Information Management: the Organizational Dimension, Oxford University Press.
Janssen, M. & Joha, A. (2010). Connecting cloud infrastructures with shared services. Paper presented at the Proceedings of the 11th Annual International Digital Government Research Conference on Public Administration Online: Challenges and Opportunities, Pueblo, Mexico.
Kern, T. & Willcocks L.P. (2001). The Relationship Advantage: Information Technologies, Sourcing, and Management, Oxford University Press.
Kundra, V. (2010). 25 Point Implementation Plan to Reform Federal Information Technology Management.
Kundra, V. (2011). Federal Cloud Computing Strategy.
Lacity, M., Feeny, D. & Willcocks, L. P. (2006b). The twelve supplier capabilities: part II. Arlington, MA., USA: Cutter Consortium.
Lacity, M., Willcocks, L. P. & Feeny, D. (2006a). The twelve supplier capabilities: part I. Arlington, MA., USA: Cutter Consortium.
Lee, J. N., Huynh, M. Q., Kwok, R. C. W. & Pi, S. M. (2003). IT Outsourcing Evolution. Past, Present and Future. Communications of the ACM, 46(5), 84-89.
Mayer, K. J. & Salomon, R. (2006). Capabilities, contractual hazards, and governance: Integrating resource-based and transaction cost perspectives. Academy of Management Journal, 49(5), 942-959.
NIST. (2011a). Draft Cloud Computing Synopsis and Recommendations. Retrieved 5 November, 2011, from 146/Draft-NIST-SP800-146.pdf
NIST. (2011b). NIST Cloud Computing Standards Roadmap. Retrieved 5 November, 2011, from computing/pub/CloudComputing/StandardsRoadmap/NIST_SP_500-291_Jul5A.pdf
NIST. (2011c). The NIST Definition of Cloud Computing. Retrieved 5 November, 2011, from 145/SP800-145.pdf
Olsen, E. R. (2006). Transitioning to Software as a Service: Realigning Software Engineering Practices with the New Business Model. Paper presented at the IEEE International Conference on Service Operations and Logistics, and Informatics, 2006 (SOLI 06).
Project Management Institute (2000). A Guide to the Project Management Body of Knowledge (PMBOK guide). Project Management Institute, USA.
Rosenthal, A., Mork, P., Li, M. H., Stanford, J., Koester, D. & Reynolds, P. (2010). Cloud computing: A new business paradigm for biomedical information sharing. Journal of Biomedical Informatics, 43(21), 342-353.
Sääksjärvi, M., Lassila, A. & Nordström, H. (2005). Evaluating the software as a service business model: From CPU time-sharing to online innovation sharing. Paper presented at the IADIS International Conference e-Society 2005.
Sambamurthy, V. & Zmud, R. W. (1999). Arrangements for Information Technology Governance: A Theory of Multiple Contingencies. MIS Quarterly, 23(2), 261-290.
Weill, P. & Ross, J. W. (2005). A matrixed approach to designing IT governance. MIT Sloan Management Review, 46(2), 26-34.
Willcocks, L. P. & Feeny, D. (2006). IT outsourcing and core IS capabilities: challenges and lessons at Dupont. Information Systems Management, 23 (1), 49-56.
Willcocks, L. P. Feeny, D., & Olson, N. (2006). Implementing core IS capabilities: Feeny-Willcocks IT governance and management framework revisited. European Management Journal, 24 (1), 28-37.
Willcocks, L. P. & Kern, T. (1998). IT Outsourcing as Strategic Partnering: The case of the UK Inland Revenue. European Journal of Information Systems, 7(1), 29-45.