The author has created a Cloud Computing Tipping Point (C2TP) model to address a research gap in current cloud computing enterprise architecture. The authors believe this model will equip organisations with the knowledge to make future strategic investment decisions. The model evaluates financial, business and technical data to conclude whether the organisation will benefit from investing in cloud computing or from extending its investment in on-premise capability. With this toolset, the authors are actively contributing to cloud computing enterprise architecture as practised in the industry. Figure 1 illustrates the C2TP model.
Figure 1 : Cloud Computing Tipping Point Model
The author believes the C2TP model consists of the following components:
ValIT governance framework
Cobit control structures to provide operational level support
Organisation's business architecture requirements. These can be classified into business initiatives and financial initiatives.
Organisation's technical architecture requirements. The author has identified data centre variable costs, data centre fixed costs and C2TP foundation services as sub components.
ITIL Implementation guidelines.
Transition to cloud computing cannot be a decision taken in silos without clearly mapping the business requirements and the benefits the business can obtain from cloud platforms. The business architectural requirements have been divided into two sets of objectives: financial objectives and business objectives. The authors evaluated several business objectives in detail. These are:
Efficiency gains that eventually become a differentiator, giving the organisation a competitive advantage over its peers.
Improved agility that can insulate the organisation from changes in the industry.
Increased innovation within the organisation's product set.
Increased risk management.
Increased security to guard against security breaches.
Decreased complexity of the enterprise IT solutions.
Increased socialisation among employees to capture the collective intellectual property of the organisation.
The model also addresses the financial objectives. These are:
Increased Internal Rate of Return.
Increased Return on Investment.
Decreased Total Cost of Ownership.
Decrease in variable operating costs.
Decrease in fixed-cost investments (if necessary).
Better process and control structures to manage changing financial environments.
These business and financial objectives are supported by the IT needs of the organisation. These are primarily the costs of operating an ICT environment that facilitates the business outcomes. They are:
Costs associated with the creation and ongoing management of the data centre.
Costs associated with managing a healthy network architecture (e.g. LAN, WAN).
Costs associated with procuring hardware.
Costs associated with procuring software and licensing.
Costs associated with ICT staff requirements.
These cost reductions can be achieved by transitioning IT infrastructure from on-site hosting to virtualised cloud hosting, which carries smaller ongoing costs. Hence, the ROI must be worked out very clearly, since it has to be traded off against the one-time transition costs.
1.1 Detailed analysis of the C2TP model
In today's era of stringent regulations such as the Sarbanes-Oxley Act, 2002, IT Governance is no longer viewed as yet another management system of an organisation but as a regulatory compliance framework applicable to every employee and contractor of the organisation. Breaches of Confidentiality, Integrity, Availability, Compliance and Reliability of IT systems can lead to punishments such as significant fines and imprisonment if they affect the accuracy of companies' published annual statements (Hardy, 2006). As explained by Hardy (2006), IT Governance is an enterprise-wide framework and is not restricted to the technical management tasks of the IT department. The corporate strategy needs to ensure effective alignment of business and IT strategies, so that every business objective is mapped to IT objectives and IT is able to fulfil the business needs. As Solms (2005) further pointed out, compliance management and operations management should be treated as different layers of the larger IT framework, in which operations contribute to compliance, which in turn contributes to IT Governance. Voon and Salido (2009) presented three aspects of IT Governance: operational, tactical and strategic. From their perspective there are three large frameworks that map onto these aspects and hence are all required in an organisation: ITIL for the operational, COBIT for the tactical and Val IT for the strategic aspect. The relationship is presented in Figure 2 below:
Figure 2 : Three aspects of IT Governance framework (Voon and Salido, 2009)
Voon and Salido (2009) also discussed the Microsoft Operations Framework, which they consider equivalent to ITIL, but it is out of the scope of this thesis.
ITIL, the IT Infrastructure Library, is the code of best practice published by the British Office of Government Commerce. It details the operational framework of IT, including best practices, standard operating procedures and technical operating procedures. ITIL version 2.0 comprises two sections: service support and service delivery. The service support section deals with day-to-day operating processes for the regular maintenance of IT infrastructure, and service delivery deals with long-term strategic planning processes at the operating level, ensuring that the IT infrastructure keeps running with adequate service levels, capacity, availability and service continuity at low cost (ITSMF, 2007).
COBIT, Control Objectives for Information and Related Technology, developed by ISACA, is a framework for defining and measuring critical success factors, key performance indicators, key goal indicators and maturity models for five focus areas of IT Governance (ISACA, 2007):
Strategic Alignment
Value Delivery
Resource Management
Risk Management
Performance Measurement
As per COBIT recommendations, the business information delivered by IT service operations must meet seven criteria to ensure an adequate contribution to the business: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability, as described in Figure 3.
Figure 3 : Seven criteria of business information delivered by IT systems (ISACA, 2007)
Val IT, developed by the IT Governance Institute, has been designed to complement COBIT and aligns with it, providing an add-on framework to realise the best business value from IT investments. It is designed to sit at the topmost layer (the management and board layer) and to give visibility into the execution of the IT projects, processes and operations enabled by COBIT and ITIL. Val IT has three domains: Value Governance, Portfolio Management and Investment Management (Voon and Salido, 2009).
As described by Tuttle and Vandervelde (2007), an empirical examination of COBIT reveals that the thought process of auditors when conducting audits, seeking information, providing help and generating audit logs matches the information organisation, alignment and measurement presented by COBIT. Hence, a large panel of IT auditors (and even financial auditors) approve of the COBIT framework as an excellent IT governance framework supporting overall business governance. The study of the empirical audit technique developed by Comn-Wattiau and Akoka (1997) reveals the use of COBIT-like information charting and assignment of measurable indicators when conducting business viability assessments of IT systems.
Modern IT governance requires continuous auditing mechanisms in which full-time IT auditors keep a close eye on the running systems and processes by means of tools and techniques. As Flowerday and Blundell et al. (2006) pointed out, the days of discrete auditing mechanisms will soon be gone and COBIT will have a major role to play in enabling continuous auditing systems. The ITIL processes will contribute effectively to implementing such a framework. Given that ITIL v3 is the latest version, the author has included its discussion in addition to ITIL v2. The COBIT version discussed in this thesis is 4.1.
1.2 ValIT
Please fill in ValIT information - target 400 words
1.3 CoBIT
The COBIT framework comprises five domain areas that support the IT governance of an organisation: Strategic Alignment, Value Delivery, Resource Management, Risk Management and Performance Measurement. The top-level model is presented in Figure 4.
Figure 4 : Five domain areas of the COBIT framework (ISACA, 2007)
Strategic Alignment: Effective alignment of IT services with the business requirements to ensure that IT and business work collaboratively and the organisation wide IT resources can be optimally utilised by the business.
Value Delivery: Ensuring that top management focuses directly on IT expenses, so as to track the value achieved against the investments.
Resource Management: To ensure that optimal investments can be done in IT knowledge (both of permanent and contract employees), IT infrastructure components and IT applications.
Risk Management: To ensure that top management has adequate visibility into the threats and risks to IT assets and the related business impact. Further to this, top management should have knowledge of, and control over, the disaster recovery and business continuity processes of IT.
Performance Measurement: To ensure that the management is able to track implementation of their strategies and progress of projects, utilisation of IT resources, and performance of the IT processes and corresponding delivery of services. The primary deliverable of COBIT is useful information to business that satisfies the following basic principle:
COBIT delivers information to the business in accordance with seven criteria. A brief description of the criteria is presented below (ISACA, 2007; Guldentops, 2006):
Effectiveness: Relevant, correct and pertinent information that is delivered on time and is consistent and usable.
Efficiency: Information is provided in the most cost-effective, productive and economical way.
Confidentiality: Information is protected from unauthorised access and disclosure.
Integrity: Information is accurate, complete and valid as per business requirements.
Availability: Information is available whenever required, now or in the future. This criterion is also concerned with safeguarding information resources and capabilities.
Compliance: Information is compliant with applicable laws and regulations.
Reliability: Information is appropriate for operating the business entity and fulfilling the responsibilities of management towards all stakeholders.
COBIT recommends that the information criteria be defined by the business, and that IT align all its resources, processes and services to ensure that information is delivered to the business as per the criteria it demands. The following figure illustrates how IT business goals should be formed as an outcome of the information criteria, which in turn should be an outcome of business and governance requirements. Hence, within the IT organisation there should be very clear ownership at the business level of the directions established for IT, such that IT evolves the right enterprise architecture to deliver against what the business has taken ownership of.
IT is the most expensive support framework for modern businesses. As noted by Guldentops (2006), a Gartner report talks about more than 55% of capital investments going into IT enterprise architecture every year. Hence, the business needs to be very clear about what it wants from IT. The business and governance requirements should be thoroughly documented and approved, so that there is appropriate accountability for the demands that have been put on IT. IT in turn will establish its goals and scorecards so that its performance can be monitored by the business. Hence, the business should also approve and accept the IT goals and scorecards, with accountability for such approvals owned by the appropriate authorities in the business. The IT goals translate into the enterprise architecture for IT, comprising IT processes, infrastructure and people. The output of the enterprise architecture comprises applications (transactions) and information (decision support).
The end-to-end framework correlates the information delivery criteria of COBIT with the IT processes and IT resources of the organisation. This is presented in the form of the COBIT cube, as shown in Figure 5 below:
Figure 5 : The Information Delivery criteria and their relationship with IT Processes and IT Resources (ITGI, 2007)
The COBIT cube shows that the information delivery criteria of COBIT depend upon the IT processes (domains, processes and the corresponding activities) and the IT resources (applications, information processing facilities, infrastructure and people). The deliverables of the IT resources are aligned towards the IT goals, which have been formed as per business requirements and vetted by the appropriate authorities of the business. The utilisation of IT resources to deliver the IT goals is presented in Figure 6 below:
Figure 6 : Utilisation of IT resources to deliver the IT goals (ITGI, 2007)
The figure shows that the management of applications, information, infrastructure and people takes place in discrete vertical areas run by specialist leaders, whose integration is carried out through the IT processes that are aligned to deliver the approved IT goals. The strategic and operating framework of IT comprises four major process areas that are aligned with the business. These areas form the lower levels of the COBIT framework and drive the day-to-day thought leadership and operations in the organisation. Figure 7 shows these areas and their interfaces with the business:
Figure 7 : Strategic and Operating areas that form the lower levels of the COBIT framework (ITGI, 2007)
These areas are: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. They can be viewed as the low-level design of the COBIT framework. They comprise 34 processes at the ground level that integrate the four IT resources: applications, information, infrastructure and people. Please refer to Appendix A for the set of 34 processes and their details. The number of processes attached to each area is listed below:
Plan and Organise: 10 processes
Acquire and Implement: 7 processes
Deliver and Support: 13 processes
Monitor and Evaluate: 4 processes
The author has aligned these low-level processes with the strategic and operating environment of a virtualised IT environment. Based on the feedback gained from the case studies discussed earlier, the author has evaluated that the following processes play a significant role:
Acquire and Maintain Application Software
Procure IT Resources
Acquire and Maintain Technology Infrastructure.
Install and Accredit Solutions and Changes
Manage Performance and Capacity
Define and Manage Service Levels
Ensure Continuous Service
1.4 Business Architecture Requirements
The organisation's business architecture requirements can be classified into business initiatives and financial initiatives.
1.4.1 Business Initiatives
The key focus areas are:
Efficiency gains
Agility
Creativity and Innovation
Security and Risk
Simplicity
Social Impact
Regulatory compliance
Interoperability with partners
1.4.2 Financial initiatives
The key focus areas are:
Return on Investment
Internal Rate of Return
Net Present Value
The internal rate of return (IRR), also known as the dollar-weighted rate of return, is defined as the value(s) of that satisfies the following equation:
where:
NPV = net present value of the investment
Ct = cashflow at time t
When the rate of return r is smaller than the IRR rate, the investment is profitable, i.e. NPV > 0. Otherwise, the investment is not profitable.
Total lifecycle costs
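As an added worked example (not part of the thesis), the NPV and IRR decision rule above applied to a constructed cloud-transition cashflow: a one-time transition cost at t = 0 followed by yearly net savings, using the standard definition NPV = sum of C_t / (1 + r)^t. The function names, the bisection search and the sample values are assumptions made for this illustration.

```python
"""NPV / IRR for a cloud-transition cashflow profile (added example, not thesis code)."""


def npv(rate, cashflows):
    """Net present value: sum of C_t / (1 + rate)**t for t = 0..n.

    cashflows[0] is the cashflow at t = 0 (normally the negative one-time
    transition cost); later entries are the yearly net savings.
    """
    return sum(c / (1.0 + rate) ** t for t, c in enumerate(cashflows))


def irr(cashflows, low=-0.99, high=10.0, tol=1e-9, max_iter=200):
    """Internal rate of return: the rate at which NPV == 0, found by bisection.

    Assumes a conventional profile (one upfront outlay, then positive savings),
    so NPV is monotonic in the rate and exactly one root lies in (low, high).
    Raises ValueError when NPV does not change sign on the bracket, i.e. the
    IRR is undefined (or not unique) for this profile.
    """
    f_low, f_high = npv(low, cashflows), npv(high, cashflows)
    if f_low * f_high > 0:
        raise ValueError("NPV does not change sign on the bracket; IRR undefined")
    for _ in range(max_iter):
        mid = (low + high) / 2.0
        f_mid = npv(mid, cashflows)
        if abs(f_mid) < tol or (high - low) < tol:
            return mid
        if f_low * f_mid < 0:
            high, f_high = mid, f_mid
        else:
            low, f_low = mid, f_mid
    return (low + high) / 2.0


def is_profitable(rate, cashflows):
    """Decision rule from the text: profitable iff NPV(r) > 0, equivalently r < IRR."""
    return npv(rate, cashflows) > 0


def breakeven_transition_cost(rate, yearly_savings):
    """Largest one-time transition cost (at t = 0) that still keeps NPV >= 0 at `rate`,
    i.e. the present value of the savings stream starting at t = 1."""
    return sum(s / (1.0 + rate) ** t for t, s in enumerate(yearly_savings, start=1))


# Constructed sample (in thousands): transition cost 120 at t = 0, five years of savings.
TRANSITION_CASHFLOWS = [-120.0, 30.0, 35.0, 40.0, 40.0, 40.0]

if __name__ == "__main__":
    r = 0.10  # assumed required rate of return for the organisation
    print("NPV at r=%.2f: %.2f" % (r, npv(r, TRANSITION_CASHFLOWS)))
    print("IRR: %.4f" % irr(TRANSITION_CASHFLOWS))
    print("Profitable at r=%.2f: %s" % (r, is_profitable(r, TRANSITION_CASHFLOWS)))
    print("Break-even transition cost at r=%.2f: %.2f"
          % (r, breakeven_transition_cost(r, TRANSITION_CASHFLOWS[1:])))
```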
1.5 Technical Architecture Requirements
1.5.1 C2TP foundation services
Increased computation power
Increased storage
Multi tenancy
1.5.2 Data centre variable costs
Hardware platform costs
Software platform costs
Ongoing support costs
Network maintenance costs
1.5.3 Data centre fixed costs
Data Centre creation costs
Migration costs from current environments
1.6 ITIL
ITIL (versions 2 and 3) is an organised service management framework that focuses on close alignment between business and IT. The framework has industry support, given its vast installed base across the world and large commitments from vendors and consultants. A large number of tools are available to support the various ITIL processes, and hence companies across the world have adopted this framework (ITIL version 2) extensively. The framework of ITIL version 2 is presented below:
Figure 8 : Alignment of Business and Technology - The ITIL Version 2
The ITIL version 2 framework comprises two process areas: Service Support and Service Delivery. Service support covers service desk operations and five day-to-day management areas: incident, problem, change, release and configuration. Service delivery comprises five long-term strategic management areas: service level, capacity, availability, IT financials and service continuity (ITSMF, 2001).
The primary difference between COBIT and ITIL is that the process details offered by ITIL are significantly more in-depth and actionable than those of COBIT. Hence, most organisations adopt COBIT as the guiding framework and ITIL as the implementation framework. This is why vendors and consultants prefer ITIL over COBIT. However, ITIL is very detailed, with implementation-level details that do not resonate well with top management. Hence COBIT will remain closer to management, especially with the new supporting framework released by ITGI, Val IT (Voon and Salido, 2009).
The author focused on ITIL version 3 because version 2 is already on the verge of obsolescence, as announced by OGC on their website. The ITIL version 3 framework developed by ITSMF and OGC is presented in Figure 9.
Figure 9 : The ITIL version 3 framework of IT service processes (ITSMF, 2007)
ITIL version 3 has five service management areas, as against the two of ITIL version 2: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. ITIL version 3 retains all the processes under service support and service delivery, but they have been distributed among these five service management areas according to relevance. Continual service improvement is viewed as the driving force of the entire framework, as shown in Figure 10.
Figure 10 : ITIL version 3 cycle of service management and continual service improvements (ITSMF, 2007)
The business and IT agree on the service strategy, which is documented in the "Service Level Package (SLP)". This stage is similar to the definition of IT goals by business owners in COBIT. Once the SLP is finalised, the IT service owners proceed to the detailed design of the services and the corresponding solutions, which are incorporated in the "Service Design Package (SDP)". The SDP is viewed as a master guide that all service personnel need to follow throughout the rest of the lifecycle. The SDP is passed into the "Service Transition" stage for essential testing, evaluation and certification before it is put into operation in the "Service Operation" stage. All operational services must go through continual improvement that can be measured by appropriate means (ITSMF, 2007).
The frameworks of ITIL, COBIT and Val IT are very popular across the world among professional communities, given their comprehensiveness and completeness. In fact, a large number of organisations across the world have adopted these frameworks, as revealed by the case studies on the websites of OGC, ISACA and ITGI. However, the academic world has presented its own criticisms of IT governance and these frameworks. Posthumusa and Solms et al. (2005) stated that IT governance comprises policies and procedures for planning, organising, staffing, directing, co-ordinating and controlling the IT services framework in the organisation, in order to realise the business goals and comply with applicable laws and regulations. Further to this, Hardy (2006), Posthumusa and Solms et al. (2005), Solms (2005), and Simonsson and Johnson (2006) argued that insight into IT operations is an important component of IT governance, which should comprise alignment of IT with the business objectives, IT performance management, information security management, IT risk management, effective IT sourcing and utilisation, and IT value delivery. In fact, as pointed out by Guldentops (2006), the Gartner report discovered that $600 billion is wasted every year on ill-conceived IT projects. Further to this, Guldentops (2006) also noted that every year 20% of IT projects fail completely, 50% are challenged by stakeholders and end users, and 30% are successful. These reports reveal how important IT governance is for companies. The major aspect to be evaluated now is the effectiveness of COBIT, ITIL and Val IT in facing such challenges, as perceived by the academic world. Zvanut and Bajec (2010) argued that these frameworks present a vast management and operating system which may not be suitable for an organisation in its entirety.
But the frameworks do not discuss the suitability of their processes and systems to the socio-technical characteristics of organisations. Also, the co-existence of ITIL and COBIT is still not clear from an implementation and management perspective, given that both talk about similar processes in many areas while the contexts at the core of the two frameworks differ. ITIL talks about holistic IT processes, whereas COBIT talks about IT governance, which also includes the information security framework. Solms (2005) and Broderick (2006) stated that COBIT and ITIL, even jointly, do not cover information security holistically, although it is an integral part of IT governance. Hence, COBIT has to be employed along with ISO 17799 and ISO 27001, otherwise it will fail to deliver an end-to-end IT governance framework. Going back to the basic attributes of COBIT, Boritz (2005) expressed that COBIT does not incorporate all elements of information integrity, given that many factors recommended by the academic literature, such as relevance, reliability, usability, consistency, timeliness and segregation of incompatible functions, are not considered by COBIT. He expressed that ISACA should reconsider the definition of information integrity in the COBIT framework. Some scholars, such as Walker (2009) and Forte (2007), correlate the ITIL, COBIT and Val IT frameworks only with security, incident management and risk management.
In general, it appears that the academic world is yet to formalise full-fledged empirical support for these frameworks. The academic world is also not yet convinced of the totality and completeness of all these frameworks put together, given that many facets that are empirically supported in the academic literature are not yet included in them. It appears that these frameworks have not followed the empirical theories established in the academic world, and hence are treated as the instigation of new practices that are yet to be fully approved by academia. Another reason for this gap is that not much academic research has been conducted on these frameworks, which is itself a gap that needs to be filled.
Reference List (Harvard Style):
ITSMF (2007). An Introductory Overview of ITIL Version 3. pp. 12-18.
Boritz, J.E. (2005). IS practitioners' views on core concepts of information integrity. International Journal of Accounting Information Systems. Vol. 6: pp. 260- 279. Elsevier.
Broderick, J.S. (2006). ISMS, security standards and security regulations. Information Security Technical Report. Vol. 11: pp. 26-31. Elsevier.
ISACA (2007). COBIT 4.1: Executive Summary. p. 25.
IT Governance Institute (ITGI) (2007). COBIT 4.1: Framework, Control Objectives, Management Guidelines and Maturity Models. pp. 5-73.
Comn-Wattiau, I and Akoka, J. (1997). Expert Systems for Computer and Management Information Systems Auditing. Computer Audit Update: Vol. September 1999. pp. 17-28. Elsevier Science Limited.
IT Governance Institute (2000). Control Objectives. COBIT 3rd Edition. pp. 14-15.
Eloff, M.M. and Solms, S.H. (2000). Information Security Management: A Hierarchical Framework for Various Approaches. Computers & Security. Vol. 19: pp. 243-256. Elsevier.
Flowerday, S. and Blundell, A.W. et al. (2006). Continuous auditing technologies and models: A discussion. Computers and Security. Vol. 25. pp. 325-331. Elsevier.
Forte, D. (2007). Security standardization in incident management: the ITIL approach. Network Security. Vol. Jan. 2007: pp. 14-16. Elsevier.
Hardy, G. (2006). Using IT governance and COBIT to deliver value with IT and respond to legal, regulatory and compliance challenges. Information Security Technical Report. Vol. 11: pp. 55-61. Elsevier.
Hone, K. and Eloff, J.H.P. (2002). Information security policy - what do international information security standards say?. Department of Computer Science. Rand Afrikaans University. pp. 402-410. Published by Elsevier Science Limited.
ITSMF (2001). IT Service Management Version 2.1a. The IT Infrastructure Library. Office of Government Commerce UK.
Kritzinger, E. and Smith, E. (2008). Information security management: An information security retrieval and awareness model for industry. Computers & Security. Vol. 27: pp. 224-231. Elsevier.
Posthumusa, S. and Solms, R.V. (2005). IT oversight: an important function of Corporate Governance. Computer Fraud and Security. Vol. June 2005: pp. 11-17. Elsevier.
Simonsson, M. and Johnson, P. (2006). Assessment of IT Governance - A Prioritization of Cobit. KTH, Royal Institute of Technology. Sweden. pp. 1-10.
Solms, B.V and Solms, R.V. (2005). From information security to business security?. Computers & Security : Vol. 24, pp. 271-273. Elsevier.
Solms, B.V and Solms, R.V. (2004). The 10 deadly sins of information security management. Computers & Security. Vol. 23: pp. 371-376. Elsevier.
Solms, B.V. (2005). Information Security governance: COBIT or ISO 17799 or both?. Computers & Security. Vol. 24: pp. 99-104. Elsevier.
Solms, S.H. (2005). Information Security Governance - Compliance management vs operational management. Computers & Security. Vol. 24: pp. 443-447. Elsevier.
Tuttle, B. and Vandervelde, S.D. (2007). An empirical examination of COBIT as an internal control framework for information technology. International Journal of Accounting Information Systems. Vol. 8: pp. 240-263. Elsevier.
Voon, P. and Salido, J. (2009). MOF to COBIT/Val IT Comparison and Cross-Implementation Guide. Microsoft Corporation. pp. 5-51.
Walker, J. (2009). Planning for current day risk. Computer Fraud and Security. Vol. December 2009: pp. 10-13. Elsevier.
Zvanut, B. and Bajec, M. (2010). A tool for IT process construction. Information and Software Technology. Vol.52: pp. 397-410. Elsevier.