Home > Blogs > VMware Operations Transformation Services

Cloud Business Strategy

Part Two of the Cloud Business Management Series

Cloud Business Strategy

By Khalid Hakim, Charlie McVeigh and Reg Lo

At VMware we have the good fortune of working with many different customers on driving and implementing a Cloud Business Strategy.  As we have discussed in some of our prior Cloud Business Management blogs, there is a full spectrum of issues to be considered when considering Cloud Business Management.  This spectrum of issues include:

  • Cloud Strategy
  • Cloud Costing
  • Cloud Marketing
  • Service Level Management & Contracts Management
  • Budgeting & Forecasting
  • Services Definition
  • Cloud Pricing
  • Consumption & Charge-back
  • Cost Optimization

Today we are going to look specifically at the role of Cloud Business Strategy and our time tested workshop approach that we use with our customers to derive a road map to success.

CBM_workshop

Our Cloud Business Management (CBM) Workshops always start by asking our customers what their definition of “success” is when looking forward 18-24 months into the future.  While every customer is unique, the common success criteria that we hear from our customers include the following items:

  • Full transparency for IT consumers as to what they consume and what are the costs for what they are consuming, i.e. who consumes what and at what cost
  • Reclamation and recovery of unused or underutilized infrastructure.
  • Establishment of services definitions for “patterns” (repeatable services in the service catalog) and “snowflakes”  (services that are unique and require engineering to stand the service up.)
  • Reduced time of deployment of services especially “patterns”
  • Understanding from an economic and technical perspective of where is the best place to run cloud workloads. Is it private cloud, public cloud or a hybrid cloud environment? Maybe it is more cost efficient to run temporary workloads in the public cloud than the private one.
  • Incentivizing users to “do the right thing” due to understanding of economics and transparency of costs.
  • Incentivizing users to “do the right thing” due to vastly improved day 0, day 1 and day 2 operations automation.

Once we have an understanding of what “success” will look like in the future, we then drive into a deeper discussion of the following items:

  1. We start by asking for current pain points across the CBM spectrum listed after the first paragraph above. For example: Do you have service definitions? Do you know your costs for services?  Do you engage in pricing strategies?  Are you marketing cloud services to incent user behavior?  Do your users know what they are consuming?  What are you doing for cost optimization?, etc.
  2. We then engage our customers in a discussion of what they would like to see in the future across the CBM spectrum and what tangible improvements that they can anticipate as they mature across each of these disciplines.
  3. Discussions then dive into the current level of maturity across the CBM Spectrum. The key here being that more mature organizations provides higher levels of value to the IT organization and the business consumers of IT resources.
  4. Lastly, a deep dive into data sources that can be used for setting up automated cost modeling are investigated. We are looking to understand what are some of the foundational data sources for Cloud Management (such as vRA, vROPs), Foundation sources for costs (G/L, A/P, Organization, Budgets), Operational Data (Labor rates, Headcount, Compute capacity and metering, Storage capacity and metering, Network capacity and metering, Reporting requirements, Financial practices, etc.)

The workshop and the discussions that occur require a significant discovery effort and detailed listening to our customers.   From this effort we are able to derive a detailed deliverable that results in a tangible Cloud Business Strategy deliverable.   The strategy includes a road map with definitive success points at 6 months, 12 months and 18 – 24 months.

Cloud Business StrategyEmbedded within the Cloud Business Strategy document, is an illustration of what will happen to the organizations maturity across the CBM spectrum if the road map is followed.  Maturity gains will be followed and realized by direct and quantifiable improvements in value provided by the Cloud management team to the business that they are supporting.

For more information and to schedule a Cloud Business Management Workshop for your organization, please contact your local VMware representative.

=======

Khalid Hakim is an operations architect with the VMware Operations Transformation global practice. You can follow him on Twitter @KhalidHakim47.

Charlie McVeigh is an IT business management strategic advisor for VMware. You can follow him on Twitter @cbmcveigh.

Reg Lo is the Director of VMware Accelerate Advisory Services and is based in San Diego, CA.  You can connect with him on LinkedIn.

3 Capabilities Needed for DevOps that You Should Already Have in Your Cloud Organization

Pierre Moncassin-cropBy Pierre Moncassin

A number of enterprise customers have established dedicated organizations to leverage VMware’s cloud technology. As these organizations reach increasing levels of cloud maturity, we are more and more often asked by our customers: “how is our organization going to be impacted by DevOps?“

Whilst there are many facets – and interpretations – to DevOps, I will highlight in this blog that many of the skills needed for DevOps are already inherent to a fully- functioning cloud organization. Broadly speaking, my view is that we are looking at evolution, not revolution.

First, let’s outline briefly what we understand by DevOps from a people/process/technology point of view:

  • DevOps EvolutionPeople: DevOps originated as an approach, even a philosophy that aims to break down organization silos, specifically the traditional gap between application developers and operations teams. This is why it is often said that DevOps is first of all, about people and culture. Application Developers are sometimes depicted as “agents of change” whilst the Operations team are seen as “guardians of stability” – teams with opposite objectives that can lead to well-documented inefficiencies.
  • Process: From a methodology point of view, DevOps integrates principles such as “agile development”. Agile this provides the methodological underpinning for Continuous Delivery, an approach that relies on the frequent release of production-ready code. Whilst Agile development was originally about applications, DevOps extends the principle to infrastructure (leading to the idea of “agile infrastructure”).
  • Technology: DevOps processes necessarily incorporate the use of development and automation technologies such as: source code control and management (e.g, Git); code review systems (e.g., Gerrit); configuration management (e.g., Puppet, Chef, Ansible, SaltStack); task execution and management (e.g., Jenkins); artifact and application release tooling (e.g., VMware vRealize Codestream); and others. In order to manage those tools as well as applications generated by them, DevOps also incorporates operations tooling such as provisioning and monitoring of the underlying infrastructure (e.g., vRealize Automation and vRealize Operations).

Features of a cloud organization adapted for VMware’s cloud technology, are described in detail in the white paper “Organizing for the Cloud” (link below):

https://www.vmware.com/files/pdf/services/VMware-Organizing-for-the-Cloud-Whitepaper.pdf

DevOps Organizational Model

Here are, in my view, some key capabilities in the cloud organization as recommended by VMware:

1) The rise of developers’ reach.

As development departments mature beyond  writing strictly  application code, their reach spans broader knowledge bases. This includes writing code that performs end-to-end automation of application development, deployment and management: applications and infrastructure as code. Developers utilize the same skills traditionally relied on in application teams and apply them towards  cloud services:

  • Provisioning for example with VMware vRealize Automation.
  • Automating network configuration with VMware NSX
  • Automating monitoring and performance management (VMware vRealize Operations).

This shift in reach from Ops to Dev forms the the basis of ‘infrastructure-as-code’ – a now relatively standard cornerstone of DevOps.

2) Ability to work across silos

One of the defining capabilities of a cloud team  – and a key skill required of all team members, is to be able to break the boundaries between silos:

  • Technical silos: for example the customer-facing team (Tenant Operations, also known as IT Service Center) will define end-to-end cloud services across technical silos such as compute (servers), networks and storage. Service Owners and Service Architects will define the scope and remit of such services; Service Developers will put together the workflows and scripts to allow end users to provision those services automatically.
  • Functional silos – merging “Design” and “Run”. Whilst traditional IT organizations tend to separate teams of architects/designers from operations team, the cloud development teams bring those skills together. Service Developers for example will build workflows that include not only the deployment of infrastructure, but automate its monitoring and configuration management at runtime. Service Owners are involved both in the definition of services but also act as point of contact in resolving incidents impacting those services.  DevOps takes this trend to the next level by merging the “dev” and “ops” teams.

3) Increased alignment with the business

Whilst all IT organizations aim to align with the business,  A model organization (as described in “Organizing for the Cloud”) aligns business lines with practical structures and roles.  For example this model defines dedicated roles such as:

  • Service Architects who translate business requirements into functional and technical architectures.

DevOps continues this trend towards business alignment: in a context where business is increasingly driven by revenue-generating applications, application development becomes integral to the lines of business.

DevOps Organization

In sum, a well-functioning cloud team will have established many of the positive traits needed for DevOps – a preference for rapid development over fire-fighting, for bridging silos across technologies and processes, and for close cooperation across business lines.

Going one step further DevOps pushes these traits to the extreme – preferring continually improving development and automation of application and infrastructure. For example a Devops team might leverage VMware’s Cloud Native Apps capabilities to build applications optimized to run on cloud from “day one” (for more details see https://www.vmware.com/cloudnative/technologies).

Take-away – practical ways to prepare your cloud team for DevOps;

  • Encourage job rotation of key team members across technical skills and functions.
  • Continuously expand your team’s knowledge and practice of cloud automation tools. This can include advanced training on tool such as vRealize Automation, vRealize Operations; as well as generic skills in analysis and design.
  • Ensure that key tenant operations roles (i.e. customer facing roles) are in place and give them increasing exposure to application development and business lines.
  • Develop an awareness of Agile approach for example by formal training and/or nominating ‘Champions’ in your team.
  • Build up a skill base in Continuous delivery, for example leveraging training or a pilot with vRealize Codestream.

—-
Pierre Moncassin is an operations architect with the VMware Operations Transformation global practice and is based in the UK.

How to Overcome the Resistance to Change

Gordon HodgsonBy Gordon Hodgson

As the New Year begins IT Organizations are beginning to implement their strategies for 2016 which will bring change to their operations that will have impact their staff.  Mark Fields, the CEO at Ford addresses strategy when he is quoted as saying, “You can have the best plan in the world, and if the culture is not going to let it happen, it’s going to die on the vine.”, in other words the culture of the organization needs to change as much if not more than the technology or the methodologies and this is going to be a much bigger challenge.

In 500 BC Heraclitus the Greek Philosopher said that “The Only Thing That Is Constant Is Change -” He seems to have been right and change continues at much faster pace today especially in technology.  Some people embrace change, some fear it, while others try to avoid it all together but no matter your view change is constant and it is disruptive. Change arrives at your doorstep in many ways and with it comes the opportunity to respond either in a positive or negative style and to influence those around you.

My Experience as a CIO

Change

A few years ago I had the great opportunity to lead IT at the world’s largest faith based humanitarian organization as their International CIO. This large Non-Governmental Organization (NGO) had IT staff in 102 countries mostly in the developing world. As you might imagine organizational change in this type of environment was a challenge almost on a daily basis as the majority of employees were focused on solving world hunger and oppression and not on the concerns of IT.  NGO’s by nature are non-profit and meeting the bottom line was not always top priority.

As the CIO I was charged with bringing systems into the 21st century and reducing the overall cost of IT on a global basis.  Organizational Change for IT is difficult in the western world but move that into the developing world with a 102 different cultures and the challenges multiply significantly.  In order to accomplish this initiative many things needed to happen but most of all I needed to be an influencer so that the vison of what needed to be done would resonate in this multicultural environment.  While many IT professional may not have all of the challenges of a large NGO they still face an uphill battle when attempting to implement major IT changes in their organizations.

With Innovation Comes Organizational Change

No one needs to tell IT Professionals that change is inevitable as they have experienced significant changes in this just the past few years.  The Cloud, Software as a Service (SaaS) Infrastructure as a Service (IaaS) Desktop as a Service (DaaS) and the most recent and perhaps the most challenging DevOps.  Customer who embrace cloud technology such as VMware’s to transform their IT services (whether Iaas, PaaS, DaaS or SaaS) will have managed a significant level of organization change. Those who continue this transformation journey towards DevOps will implement even further changes.  This article is not about these new technologies or methodologies it is about the change that they bring and some ideas on how to deal with that change from an organizational perspective.

Considerable materials have been written on the topic of Organizational Change Management and the methods to change corporate culture to adapt to the impact of a large project or of new methodologies.  In spite of all these materials the problem still exists and IT executives need to have a strategy to address these issues so that as they implement new tools they will be assimilated successfully into the organization.  There is no magic formula or silver bullet but by following some proven principles of Organizational Change Management there is an enhanced opportunity for success.

Adapted from P. Atkinson, How to Implement Change Effectively, (2014). P.34

Adapted from P. Atkinson, How to Implement Change Effectively, (2014). P.34

Taking look at some of the organizational change management challenges that are required, for example when making the move to a Dev/Ops or a Bi-modal approach to application development, which is a Gartner defined concept of optimizing both the traditional SDLC method of development with the concept of agile application development,.  In the chart below is the estimated adoption of a major change by the typical organization.  As you can see by these estimated numbers and Organizational Change requires some heavy lifting to gain acceptance across the enterprise.

To be effective with major changes such as DevOps the IT Organization needs to lead the change not just manage it. Since over 74% of the impacted staff are estimated to be either resistors or fence sitters certain steps need to be taken to influence these stakeholders to see the value of the proposed change.

Overcoming Cynicism around Change

As stated earlier, change is the one constant in almost every environment and this can cause many to become cynics to the next new corporate plan to implement a change.  From the chart presented earlier there are resistors and fence sitters and many of them could possibly be considered cynics. So to move a change forward there is a need to change the cynic’s mind about the change that is being implemented. 

It has been suggested by several studies, (Stanley, Meyer & Topolnytsky) that employee cynicism can be manifested in resistance to change at the organizational level.  Due to this finding it is important for management to take this into consideration when attempting to implement changes such as Dev/Ops. Cynicism is not always easy to overcome it can be addressed by improved communications, adding a trusted advisor within the company to the project team, someone that others look up to and respect.  Management should be a transparent about the change as possible to be continue to show the value to the overall organization of this change.

Becoming a Champion for Change

Cynicism is not the only roadblock to organizational change that management needs to consider and to deal with to be successful.  The overall organizational culture is a very powerful element that can thwart the efforts of a major organizational change such as DevOps.  To help overcome cynicism and other challenges to organizational change to the ability to become an influencer can be a great asset to your success.

Too many times management issues a mandate to implement new systems or methodologies and sends the email down the chain expecting results and success. Gartner states in a 2014 survey that only 37% of IT projects are considered successful.  If that statistic is true, and there is no reason to believe that it is not, those of us in IT need to review our approach to organizational changes that are created by IT projects and develop the ability to lead and not just manage. “We call this ability to create changes in human behavior influence and the people who do in influencers. At the end of the day, what qualifies people to be called leaders is there capacity to influence others to change” (Grenny, Patterson, Maxfield, McMillian & Switzer, p.6 2013).

As the International CIO of a large NGO I had complete responsibility for all of the IT functions outside the US but did not have the authority to mandate change, I would need to move strategy forward with influence and relationship building.  This approach is more difficult and can take a longer time to reach the goal however it is attainable and you can be successful even without a mandate.  (Grenny et al., 2013) stated that there are six major sources of influence and each one has a specific focus area and expected outcome.  By focusing on these six major sources of influence one has an increased chance to implement major IT initiatives and create organizational change.

Adapted from (Grenny et al, (2013). Influencer. p. 70). McGraw Hill Education, New York

Adapted from (Grenny et al, (2013). Influencer. p. 70). McGraw Hill Education, New York

Transparency and Communication

By following some of these suggestions and being as transparent about the changes that need to be made will contribute to your success.  Communicate as much as possible and be involved with changes as much as possible, be the change champion and allow people to see that IT leadership is behind the change with more than lip service but with support and resources to make the change happen.  Consider these points for communication (P. Moncassin, 2013) for any major organizational change as they will help to remove barriers to change and get buy in from the resistors and fence sitters.

  • Enlist visible leaders to paint the vision and be responsible or be the conduit for regular communication.
  • Communicate often and in small chunks.  Plan to communicate over an extended period of time throughout the transformation and beyond.
  • Include enough detail to make the communication personal and practical whenever possible.
  • Vary the communication approaches. Some people prefer visual communications. But others respond better to verbal communication.
  • Avoid too specialized vocabulary (a.k.a. “jargon”) or too technical content, especially at the early stages when concepts are being introduced.
  • Explain the continuity, or at least relationship with “traditional” approaches, concepts and practices that individual are familiar with.
  • Welcome resistance to change (to a point).

It is my experience there is no magic bullet that will make everyone accept the changes that need to be made and not everyone will see your vision for the future.  According to Gartner statistics only 37% of IT projects are successful and that it is estimated that 74% of employees are either resistors or fence sitters with regard to organizational changes.  IT Leadership and especially the CIO need to fully appreciate that no matter how important or necessary a change such as Dev/Ops might be there will resistance. It is futile to not recognize resistance will be present with any major change. Failure to include a plan to mitigate this resistance could negativity impact your initiatives and cause the project to fail or not be as effective as possible.

References

  • Atkinson, P. (2014) How to Implement Change Effectively. Management Services Autumn Edition. Ps. 33-38
  • Gartner. Run IT Like a Business and What does it Mean and How do you do it. Published by VMware 2014.
  • Grenny, J., Patterson, K., Maxfield, D., McMillan, R. & Switzler, A. (2013). Influencer. McGraw-Hill Publishers, New York.
  • Moncassin, P., (2013). 7 Communication Tips to Facilitate Culture Change When Adopting a Cloud Model.  VMWare Blogs
  • Stanley, D., Meyer, J. & Topolnytsky, L. (2005).  Employee Cynicism and Resistance to Organizational Change. Journal of Business and Psychology, Vol. 19, No. 4, summer 2005. Ps.429-459

=======

Gordon Hodgson is a Transformation Senior Consultant with VMware Operations Transformation Services and is based in the Portland, OR metro area.

The Cloud Business Manager Role

Part One of the Cloud Business Management Series

Khalid HakimCharlie McVeighBy Khalid Hakim and Charlie McVeigh

Business leaders look at the cloud model and see new ways to accelerate innovation, create competitive advantage, and drive new business models. IT executives look at private, public and hybrid cloud models and see a host of new possibilities for positive IT outcomes, including among others:

  • Optimizing CapEx
  • Lowering OpEx
  • Shifting focus to optimize the “run IT” budget thus freeing funding for the “grow IT” budget
  • Improved service delivery times through app and infrastructure delivery automation
  • Improved asset utilization by understanding consumption and usage patterns in the cloud

Never forget your history lessons.   Have you ever participated in a successful transformation project that didn’t factor in People, Process and Technology? We still find that all too often, a critical aspect of harnessing the cloud is overlooked: the organizational impact of moving to the cloud model. The fact is, the transition to the cloud model requires an evolution in roles, skills, processes, and organizational structure.

Organizing for the cloud cannot be an afterthought in the formulation of an effective IT transformation strategy. When IT is in transition, roles and responsibilities are more important than ever. The right people, with the right skills, have to be in the right places and serve the right roles.

Chief among these critical organizational shifts is establishing a Cloud Business Management discipline. This blog is the first in a four part series recommending specific Cloud Business Management roles and processes to consider.

Cloud Business Manager Role:  Run Cloud Like a Business

The Cloud Business Manager role  drives a new business management discipline within IT to lead a comprehensive cloud business management practice, leveraging investments in vRealize Business. The Cloud Business Manager supports Cloud Infrastructure and Tenant Operations to help the business better manage:

  • Cloud spend
  • Rate cards
  • Showback and chargeback
  • Reporting of consumption and wastage
  • Service tier options
  • Fair recovery of IT costs
  • Incentives driving the right economic usage patterns by cloud consumers.

Cloud Business Management

Responsibilities of the Cloud Business Manager are in the following 4 categories:

  • Financial
    • The focus here is primarily to develop the cloud service-based cost model along with a repeatable service costing process for Cloud consumption. Among other responsibilities, this includes service-based cost allocation and classification strategy, tracking and management of cloud costs, cloud services rates settings, and defining consumption and showback/chargeback reports from both the provider and consumer perspective.
  • Business
    • Included here are responsibilities for developing a cloud strategy roadmap, a cloud services marketing program, and liaison work among IT, Corporate Marketing, and Business Unit consumers of the cloud.
  • IT/Cloud
    • Here the responsibilities include defining SLA’s, ensuring delivery, and making cloud workload placement decisions based on the right economic factors to avoid shadow-IT situations.
  •  Value
    • Responsibilities here include defining value metrics, continuous improvement reporting, and regular business performance reporting for key stakeholders. This enables the business consumers of the cloud to make the right economic decisions about where and how to run their workloads.
  • Corporate/IT Marketing
    • Develop a Cloud Services marketing strategy; offers and promotions to ensures cloud services consumption and value. Once you understand the economics of cloud workload placement, cloud marketing will drive users to that desired behavior.

What does the Cloud Business Manager contribute to the business?

The Cloud Business Manager helps IT deliver on cloud promises for the desired quality at the right cost, by ensuring tighter alignment and accountability between IT, Business and Finance.  This roles makes a significant contribution in the workload placement decision-making process, as well as hybrid cloud, cost takeout, application rationalization and bill-of-cloud.

Let us know if we can help you further define this role in your company.  And keep a look out for Part Two in this Cloud Business Management Series next month, where I cover the Cloud Business Strategy topic.

=======

Khalid Hakim is an operations architect with the VMware Operations Transformation global practice. You can follow him on Twitter @KhalidHakim47.

Charlie McVeigh is an IT business management strategic advisor for VMware. You can follow him on Twitter @cbmcveigh

Why and How to Overcome the CAPEX to OPEX Barrier

Benoit-cropBy Richard Benoit

Anyone who has ever struggled with the “moving from CAPEX to OPEX” question knows that it is one of the most difficult barriers to overcome within IT.  Although it is a challenge, it can be achieved if you can answer the following 3 questions:

  • What is the barrier?
  • Why do we want to overcome the barrier?
  • How do we overcome the barrier?

In the rest of this post we will try to answer each one of these quandaries.

What is the barrier?

Resistance to moving away from CAPEX essentially falls into 2 categories: Business Resistance and Finance Rules.

Business resistance to loss of control

As we’ve seen with the move to virtualization, one of the biggest obstacles to adoption is resistance from the business because of their sense that they are losing control.  In the days of old, the business was used to having a ring-fenced domain where its developers, production support, and users had complete control over its every detail.  IT was there to just make sure that the network and server were up and running.  The idea of sharing was a completely foreign concept.  They had a CAPEX budget and they wanted complete control over how it was used.  Going to a completely shared environment is just one of the last steps of a process that started many years ago, but is still no less difficult.

Business resistance to show back or charge back

Invariably when we discuss OPEX, the topic of show back and charge back come up.  In an effort to use resources more efficiently, many organizations attempt to instrument first show back (or shame back as its known in some circles) and then charge back.  Like above, the business is not used to having to justify the use of resources it paid for and is, not surprisingly, resistant to the idea of starting.

Finance Rules

Although various elements of the business will resist going to an OPEX model, the biggest challenge to moving to an OPEX model is an organizations finance rules.  Given that this level of effort is not trivial and will certainly involve C-Level people and probably the board, it’s no wonder that organizations are hesitant to address this conundrum.

Why do we want to overcome the barrier?

Change behavior

CAPEX to OPEXProbably one of the biggest reasons to adopt an OPEX model is to change how the Business consumes IT.  In an environment without chargeback or an OPEX model, the business is used to “squatting” on as many resources as possible due to the fact that getting new ones often has to wait until the next fiscal year. Under the traditional way of delivering IT, the business wants as much as they can get all of the time.

An example of this was at a large East Coast bank where before any form of OPEX or chargeback, every business unit had every environment backed up every night.  This included even test and development systems.  Trying to get business units to consume less backup resources was largely unsuccessful.  However, once an OPEX chargeback cost was introduced, this behavior changed almost over night.  Very quickly when business units saw how much it cost them for just backups, they slashed their use of backups to mostly just production databases.  All other things such as development and production environments were expected to be backed up through other means by the developers and production support teams.

Traditionally, IT has tried to restrain the use of resources of the business units, which has been largely unsuccessful.  By charging businesses for what they use, the business now controls its own usage to maximize their OPEX value.

Granularity and choice

As part of changing behavior, giving the business the ability to choose what they consume with their OPEX payments, allows them to save money on things they really don’t need.  It also allows IT to offer multiple types and levels of service depending on what the business needs.  Common examples of this are the silver, gold and platinum levels of service for virtualized workloads, but can also include things such as backups and storage tiers.

Another example of this was at the same large East Coast bank where before choice was in place, performance of production VMs had to be guaranteed at all times no matter what.  This led to IT providing their platinum service that had no over commitment and was as a result fairly expensive.   However, IT also offered a gold service that had some degree of performance guarantee, but was much cheaper.  As a result, over time many business units elected to go with the gold level of service by improving the resiliency of their applications and planning for scale out when needed.  This saved them quite a bit of money that then they could use on other projects.

Enable innovation

If you combine the granularity and choice available with an OPEX model with automated provisioning, the business can innovate like they haven’t been able to in the past.  Between technical restrictions that require new resources to be manually provisioned over the course of several weeks and financial rules that don’t allow much flexibility to change allocations quickly, many projects don’t take flight because they take too long and are too much trouble.

However, when a project can be launched in a matter of hours because automation allows a new environment to be spun up quickly and the OPEX model allows discretion on how funds are applied, many new opportunities are open to the business that weren’t worth it in the past.

Be more efficient

Traditional IT is essentially a form of rationing in how resources are allocated.  Users are encouraged to hold on to resources they don’t need because they know they may not be able to get them when they need them.  This of course assumes that they can give them back, which in many CAPEX models, they can’t.

By going to a shared resource OPEX model, business units can consume what they need and give back what they don’t.

Avoid shadow IT

One of the biggest drivers for IT moving to an OPEX model with the above advantages is that, like it or not, IT is competing with the open market.  Many Business units today are just pulling out a credit card and buying resources directly from hosting and cloud providers because IT isn’t responsive or competitive.  As offerings on the Internet continue to improve, shadow IT is likely to increase as a result.

How do we overcome the barrier?

IT as a Business

To be relevant, IT needs to start operating as a business.  Traditionally IT has provided resources to business units by essentially “throwing it over the wall”.  Unless it breaks there is very little effort spent of the resources.  Successful IT departments now define services that they offer to their customers with defined service definitions that describe not only the technology provide, but any SLAs provided along with other non-function requirements that have been included.  As part of that, IT can highlight the value added that they provide above what hosting or cloud providers offer.  IT has to also start doing customer relationship management to make sure that the right services are being offered, at the right time, and at the right price.

CAPEX and OPEX can co-exist

Many finance departments resist going to an OPEX model because it is presented as either CAPEX or OPEX.  In reality this doesn’t have to be.  In order for IT to realize the benefits outlined in this article, OPEX only has to exist in the relationship between IT and the business.  CAPEX can still exist in the bowels of IT somewhere; it would just need to be converted to OPEX according to rules set up by finance.

A good example of this is how some private clouds operate today.  They assume the CAPEX budget of the business unit in return for OPEX credits that the business can use over a predetermined time period.

Conclusion

By answering the questions above regarding moving to an OPEX model, IT departments can become enablers to the business instead of a hindrance.

=======

Richard Benoit is an Operations Architect with the Operations Transformation Services practice and is based in Michigan.

Organization Transformation for Network Function Virtualization Infrastructure-as-a-Service

Enrico MontarioloBy Enrico Montariolo

Network Function VirtualizationThe evolution of technology can have significant influence on the future success, or failure, of companies that operate within an industry. Traditional communications service providers face this challenge today. The technologies driving this transformation are Cloud, Network Function Virtualization (NFV) and Software Defined Networking (SDN). Communications service providers (CSPs) look at the NFV model and see new ways to accelerate innovation, create competitive advantages, reduce cost and drive new business models.

Successful transformation requires that CSPs also evolve their operating model: evolving related roles, organizational structure, skill sets, processes and culture to reflect the reorientation of the company. We strongly believe that the “As-a-Service” cloud-based operating model is the right operating model to achieve the full benefits of agility, operational efficiency, faster time-to-market and cost reduction, as successfully demonstrated by early adopters like Google, Facebook and Amazon. These early movers are at a tremendous advantage. CSPs may be at risk if they don’t aggressively embrace As-a-Service capabilities.

Read this white paper for a thorough examination of the impact Network Function Virtualization will have on organizational structure and guidance on operating model transformation to NFV Infrastructure as-a-Service.

========

Enrico Montariolo is an Operations Architect with the VMware Global Professional Services and is based in Milan, Italy.

IT Transformation and Organizational Process Maturity

John WorthingtonBy John Worthington

Regardless of what process framework you use, and especially if you’ve done some ‘adaptation’ of processes, building process capability over the long haul goes hand-in-hand with building the organization’s process maturity.

Having thought about my comment, ‘so go ahead, adopt and adapt’, in one of my previous posts I thought further discussion might be in order.

Measuring Organizational Process Maturity

Based on the ISO standard[i], an organization’s process maturity is measured by establishing base and extended process sets at each stage of maturity. These base and extended process sets are tailored based on the domain and scope of the assessment and/or client-specific requirements.

For example, if a company decided that process A, B and C are critical to achieving organizational objectives they may determine that these represent the base process set. They could not achieve a process maturity of Level 1 (Basic) unless process A, B and C all met a Level 1 process maturity.

At Level 2, the organization may determine that there are additional processes that must be established. These would represent the ‘extended process set’ at a Level 2. To reach an organizational maturity of Level 2 (Managed), both the base and extended process sets would need to achieve Level 2 process maturity. Additional extended process sets might be added at higher levels of maturity as shown in the figure below.

Process Maturity

Process Capability versus Maturity

Capability

Process capability is focused on the ability of the process to achieve its desired outcomes based on business objectives. The process ‘base’ practices are directly related to the process objectives; which means the base practice attributes of a process are different for each process. So rating the degree to which each process expected outcome is met (or not) is a quick way to provide insight to its capability, which may (or may not) be adequate for a given organization’s business objectives. An example for Incident Management is given below. (Note: A formal process assessment will also review the process inputs/outputs, supporting people/technology and other evidence

Process Maturity

Process Capability Attribute  – Incident Management
(i.e., objectives/process desired outcomes)
Rating
An incident and service request management strategy is defined and implemented
Incidents are reported, prioritized, analyzed for business impact, classified, resolved and closed
Customers are kept informed of the status and progress of their incidents or service requests
Management of potential service level breaches are communicated to and agreed with the customer
Incidents which are not progressed according to agreed service levels are escalated by customers

If all the objectives of the process are either Largely or Fully achieved, the process will meet Level 1 (performed) requirements.

Maturity

Process maturity attributes apply to all processes, and are considered ‘generic’ attributes. These ratings are usually taken across a group of processes (such as the base and extended process set). Each level of process maturity builds on the next:

  • Level 1 – Performed (Process Performance)
  • Level 2 – Managed (Process Performance Management, Work Product management)
  • Level 3 – Established (Process Definition, Process Deployment)
  • Level 4 – Predictable (Process Measurement, Process Control)
  • Level 5 – Optimizing (Process Innovation, Process Optimization)

How mature are your processes?

Download this simple exercise using the ISO standard generic process attributes. Identify what you feel would be your ‘base process set’, and if you want a ‘extended process set’ as well. Then answer these questions for each process.

Organizational Process Maturity and ITaaS Transformation

Each organization has different starting points, different goals and objectives, and different levels of capability/maturity. So while we can effectively leverage our extensive experience with ITaaS transformations, each transformation path will be unique.

As processes are adapted along an ITaaS transformation path, changes in process boundaries, roles, controls and supporting technology can dilute organizational process maturity. This is another reason why ‘slow and steady’ may win the IT transformation race; frantic attempts to speed up the hill (again and again) increase the costs associated with the transformation effort an ultimately exhaust IT staff.

So go ahead, ‘adopt and adapt’, but be careful to maintain your hard-earned gains in organizational process maturity.

[i] ISO15504 – http://www.iso.org/iso/catalogue_detail.htm?csnumber=54175

=====================

John Worthington is a VMware transformation consultant and is based in New Jersey. Follow @jMarcusWorthy and@VMwareCloudOps on Twitter.

5 Steps to Build a Security Strategy for the Digital Enterprise

From team bonding to micro-segmentation: a 5-step journey to develop a proactive security mindset in your cloud organization.

Pierre Moncassin-cropBy Pierre Moncassin

Only a few years ago security was at best an afterthought for some cloud teams., Everyone in the team thought that security was someone else’ s problem. For some less-fortunate organizations, this mindset did not change until a major security breach occurred with resulting financial losses, reputational damage not to mention job cuts. By that point security did becomes everyone’s problem – but that realization happened far too late.

To avoid this sort of less-than-optimal scenario, let me share here what I see as some key steps to develop security mindset right at the core of your cloud organization

First, why is security in the cloud specifically challenging?

IT security risks have of course existed well before the cloud era. However cloud technologies have brought along a new dimension to the risk. Reasons include:

  • Due to unprecedented ease and speed to provision infrastructure, a new population of business users have become able to provision their own cloud infrastructure. They may not all be fully aware of the corporate IT security guidelines (or may not feel bound to follow them strictly).
  • Fast provisioning in the cloud has often led to a proliferation of “temporary” workloads – many of which are not rigorously controlled.
  • Data in the cloud can be stored anywhere. Users are usually not aware of where their data is located physically, or have no control over that location. Therefore protecting confidential data becomes an additional challenge. Some country legislation, for example, mandate that confidential data from their nationals must remain within designated geographies.

Step 1: Build a broad awareness and knowledge base.

All cloud team members need to understand the basics of security for their cloud platform. That includes not only the enterprise security policy, but also a broad awareness of relevant laws (e.g. data protection) and compliance requirements (e.g. PCI, Sarbanes Oxley).  It also helps to build some basic awareness of common security breaches. In order to incentivise this learning, consider including security training in personal objectives (also known as ’MBO’); include security awareness in new hire onboarding and individual training plans.

Step 2: Break down technical silos

As I explained in on my recent blogs, technical silos occur quite naturally as specialists organize themselves along groups of expertise (networks and servers, operating systems and hardware). However entrenched silos can easily cause gaps in security coverage. This is because hackers are experts at finding fault lines between silos – those tiny gaps or fault lines from which they can launch an intrusion.  They will look for the ‘weakest link’ wherever it might be found (e.g. access password too simple, un-patched operating system patch, lax email security, defective firewall  – the list of risks is long).

Instead of relying on a silo mentality, the team needs to consider security end-to-end, and assume that breaches can occur in any layer of the infrastructure. In the same way as cloud services need to be designed end-to-end across silos, teams need to work together to manage security risks.

Step 3: Involve the business stakeholders

Part of setting up a cloud organization with VMware’s model, involves building close working relationships with business stakeholders. Specific roles within VMware’s cloud organization model will be in place to liaise with the business (eg Service Owner, Customer Relationship Manager).  And security is a key part of this cooperation. Some key aspects are:

  • Establish clearly responsibilities (e.g., who patches the workloads? who checks compliance?)
  • Document the responsibilities and expectations e.g. within the service level agreements;
  • Ensure regular communications about security between business users and cloud team (e.g. are there security-critical applications? Confidential data? What level of confidentiality?)

Step 4: Automate day-to-day security & compliance checks.

As part of operating a VMware cloud, the team will most likely be using tools such as VMware’s vRealize Automation and vRealize Operations Manager. These tools can be configured and leveraged to enhance some of your security and compliance procedures – adding much-needed automation to routine, day-to-day activities that otherwise consume effort and attention. Here are some examples of steps your teams can take to leverage these tools for security & compliance.

  • Ensure that provisioning blueprints are up-to-date with the latest security policy (e.g. patch levels).
  • Configure vRealize Operations Manager’ dashboards to display an aggregate view of compliance risk across your virtual infrastructure. For example, vRealize Operations Manager can be configured with extensions and third party integrations that allow to extend its analytical capabilities across a broad variety of sources including VMware Cloud Air, VMware NSX, Amazon AWS, NetApp Storage (for further details check out: http://www.vmware.com/files/pdf/vrealize/vmware-vrealize-operations-management-packs-wp-en.pdf).
  • Leverage vRealize Operations Manager’ ability to automate and report on compliance checks (the technical capabilities are described in more detail in this VMware blog: https://blogs.vmware.com/management/2015/03/compliance-in-vrealize-operations-6.html).
  • Leverage the potential of automated integration with your support desk. Once detected, compliance or risk issues must be acted upon. These events can be automatically associated to the creation of an incident ticket. I have outline the potential of such integrations in an earlier blog  https://blogs.vmware.com/cloudops/2015/09/cloud-itsm-integration.html
  • From an organizational point of view, what we want is to automate as far as possible the bulk of routine compliance checks and security monitoring, so that the teams can focus on the ‘big picture’ work pro-actively to identify emerging security threats

Step 5: Shift paradigm on network security with micro segmentation.

Whilst the expression “paradigm shift” has been much over-used, it still fits perfectly to describe the evolution from traditional network security to micro-segmentation.

The traditional approach to securing a private cloud’s network is to setup strong security (firewalls) at the perimeter. This is the fortress model of security – highly protected boundaries (perimeter) and a gate to control traffic at the entrance.

The downside is that all “fortresses” share a weakness by construct. To understand why, let’s consider the typical stages of a data breach:

  • Intrusion: attacker finds a breach in the perimeter
  • Lateral Movement: the intrusion is expanded for example, by compromising neighboring workloads or applications.
  • Extraction: potentially sensitive data from the compromised systems.
  • Cleanup/deletion: the intruder attempts to remove traces of the intrusion (deleting log files etc.).

Security Data BreachIn the event where an intruder manages to pass through the security gate, moving from room to room within the fortress becomes relatively easy. In IT terms, once a network’s perimeter is breached and a first workload is compromised, the intruder can often move “laterally” to compromise other workloads with little or challenge, then locate potentially sensitive data to retrieve (‘Exfiltrate’).  There may be other lines of defense within the fortress (traditional network) – but these tend to be static, and once broken the same problem of “lateral mobility” occurs again.

Micro-segmentation allows fine-grained network security that can prevent not only the initial intrusion, but challenge attempts the other stages i.e. Lateral Movement Exfiltration, Cleanup.  The reason is that each ‘room’ (or workload) can be isolated from the other. We could compare this new model to the layout of submarine where each section of the ship is partitioned by watertight doors. Each compartment  (micro-segment) can contain an intrusion. The would-be intruder is just as challenged to move from one compartment to the other, as getting past the entrance door in the first place.

However micro-segmentation means more than fine-grained network isolation. It offers the possibility to tailor security policies down to the workload level, therefore increasing to a new level the control over cloud security.

For example, network security rules can be associated to logical objects like a workload. When the workload is moved from a network location to another, the security rules are maintained – they ‘follow’ the workload rather than being attached to a fixed network address.

Security Rules

Leveraging that potential requires a new mindset – shifting from a static security model to dynamic, fine-grained security. It also requires the cloud team to develop new skills. For example to replace routine configuration skills with automation, traditional network skills need to be complemented with design and programming skills.

Key take aways:

  • Think of security as by essence, teamwork. Encourage your team to coordinate security across silos – users, cloud engineers, security teams.
  • Leverage your automation tools such as VMware vRealize Automation and vRealize Operations Manager – they will help automate some of your security and compliance procedures.
  • Transform your team’s perspective on network security by leveraging micro-segmentation, moving from the traditional ‘fortress’ security model to a dynamic, fine-grained approach.

—-
Pierre Moncassin is an operations architect with the VMware Operations Transformation global practice and is based in the UK.

Increasing the Adoption of vRealize Operations Across Your IT Organization

Alberto Martinez-cropBy Alberto Martinez

As I visit customers, I have heard similar feedback about vRealize Operations (vROPs): “It’s a great product but we are not getting the best out of it.” The unfortunate reality is that they are probably right! There is often a large gap between the wide range of possibilities and functionalities that vROPs can offer to the SDDC/Cloud environment and the real way in which it´s being consumed. This could be preventing your IT organization from getting the best from the product and impacting your investment.  For many companies that investment is not insignificant, as it includes licensing, professional and educational services, and dedicated resources to manage it.

The challenges are often related to more than just technology and require looking at the operational aspects of the solution such as your specific operating model / environment, how your IT organization is structured or what IT processes you have defined and are running.

Our proposed approach to maximize the vROps usage within your environment

A consistent methodology is crucial if you want to maximize your investments in vROPs, and this will include the identification of improvement areas (formulated into a set of actionable recommendations) and the subsequent implementation of them into your IT organization:

vRealize Operations

  1. Understand your specific environment through a set of discovery workshops with the key stakeholders focused on your IT strategy & organization, your existing roles & responsibilities and your defined processes related to performance and capacity.
  2. Produce an assessment report with the key findings & early state recommendations.
  3. Consolidate & transform the assessment report content into a comprehensive set of proposed recommendations and roadmap.
    • Present assessment findings & roadmap to the executive team as a sponsorship checkpoint. This will reinforce commitment and will identify key initiatives.
  4. Implementation of the agreed recommendations across your IT organization.
    • Measure and validate the success of the implemented recommendations focusing on the utilization of vROps and the stakeholder´s feedback!

Based on our experience delivering this methodology across many customers, we have been able to identify some key common considerations that will drive the success of this initiative:

  • Every customer environment is specific: We see different levels of maturity across processes, political issues across the teams, change readiness of the IT organization, teams in siloes with collaboration issues, etc. That´s why the initial phases of the approach are critical for the success: the better we understand you, the better we will articulate the improvement recommendations and engage with the required impacted people!
  • Sponsorship is crucial to promote the benefits and break the resistance to change across the IT organization. Motivate your IT organization using a top-down approach. Effective communication is the key to success.
  • Stakeholder identification and involvement during the early stages of the assessment is key to ensure involvement and commitment and capture their unique viewpoint. Miss a key stakeholder and you will miss a key input!
  • Leverage existing initiatives that are in place or planned to start in the organization that can have an impact on vROps (e.g. application monitoring, log management, cloud transformation). This will facilitate expanding the adoption of vROps by integrating smoothly into your ecosystem.

What typical areas do we focus on when identifying recommendations for our customers?

After reading about the methodology and key considerations some of you might be thinking that this is nothing really new.  You may wonder what concrete examples of operational recommendations we can offer to enhance the adoption of vROps.

It is important that you first understand the methodology and how we normally get to those recommendations. It is a journey in which we discover information about our customers while at the same time educating and inspiring them to do things differently. If we present the recommendations directly missing this critical inspirational element, it is less likely that the transformation will be absorbed, and more likely that the implementation will fail.

Having reviewed the methodology and the key considerations, a high-level example of operational areas that we normally focus on may include:

  • Expanding the information in vRealize Operations across other teams in the IT organization (e.g. Level 1 Operators, Level 2 Admins, Business teams, DevOps groups).
  • Defining workflows in VMware Orchestrator that automate the execution of repetitive tasks and / or the resolution of detected events in vRealize Operations.
  • Expanding vRealize Operations across your existing monitoring architecture.
  • Standardizing the reactive capacity process to support incoming project demand requests (e.g. capacity policy, capacity & scalability plan, What-If scenarios).
  • Defining a business right sizing capability to drive the proactive capacity management including resource reclamation (undersized VMs), VM recertification (idle or powered off VMs) and hot spot identification (oversized VMs).
  • Defining a governance model to support the IT Infrastructure Capacity and foster the collaboration across systems, storage and networks teams.
  • Identifying any specific recommendations across the SDDC/Cloud environment (e.g. upgrade paths, backup & recovery strategy, training needs).
  • Identifying other future initiatives that could be critical to the success of your SDDC/Cloud strategy (e.g. cost models and IT business management strategy, disaster recovery strategies).

Sometimes it is important to step back from the day-to-day activities, analyze your current environment (including both the good practices and the areas of development), and then think about different ways to bring value to your existing solutions. And this is exactly why VMware offers our Ops Transformation Performance & Capacity Management services – to help our customers to maximize their vRealize Operations investments by driving them towards different ways of doing things…because if you do what you’ve always done, you’ll always get the same results!

—-
Alberto Martinez is an operations architect with the VMware Operations Transformation EMEA practice and is based in Spain.

Build Your Operations Transformation Agenda for VMworld Barcelona 2015

dc2105-150x150By: Andy Troup

For those of you fortunate enough to attend VMworld Barcelona from October 12 to October 15, here is the Operations Transformation breakout session agenda, to help you plan your schedule.

As a reminder, the track is focused on helping you understand how the VMware Software-Defined Data Center is redefining IT infrastructure, and how it enables IT organizations to combine technology and a new way of operating to become more service-oriented and focused on business value. This track offers unique opportunities to learn the latest best practices and key considerations from experienced VMware experts and practitioners transforming their IT infrastructures and operational processes.

In Barcelona, the Operations Transformation track is offering 3 different types of sessions. There are 7 breakout sessions and one Group Discussion session all of which last for an hour. In addition, and new for this year, there are also 2 Quick Talk sessions which last for 30 minutes and are available on Monday October 12.

Operations Transformation

VMworld 2015

VMworld 2015

The track as a whole is all about how to transform the way that you operate so that you can really start to get the benefits of your technology investment and become a service provider to your customers. There are a number of sessions that cover how transformation is achieved. This includes a session covering VMware’s own transformation and our “OneCloud” implementation. Some of VMware’s transformation specialists who have helped many customers undertake a transformation will also be providing you with details of best practices and pitfalls to watch out for. Check out the following sessions:

  • OPT4682-QT – A Roadmap for Transformation – Planning Your Future State and Ensuring Governance
  • OPT5361 – Best Practice Approaches to Transformation with the Software-Defined Data Center
  • OPT5814-QT – AGILE for Infrastructure: Utilizing Agile Methods to Drive Iterative Infrastructure Development and IT Service Delivery
  • OPT5972 – 80,000 VM’s and Growing! VMware’s Internal Cloud Journey Told by the People on the Frontline

vRealize Suite

The vRealize suite of products features in the OPT track this year, covering vRealize Automation, vRealize Buisness, vRealize Operations and vRealize CodeStream and how they have been instrumental in enabling operational transformation. How vRealize Business can be used to help you become service focused and really manage IT as a business will be covered as well as how to build effective cost models.

Other sessions will show how the implementation of vRealize Operations has enabled customers to undertake their transformation and manage the services that they are offering. How close integration between vRealize Operations and vRealize Automation has meant a clearer understanding of the service provision process and the operational benefits will be covered in another session.

Check out the following sessions:

  • OPT4680 – Advanced  Automated  Approvals Use Case—Using vRealize Operations and vRealize Automation to Seize Back the Approval Charter
  • OPT4992 – VMware vRealize Code Stream:  Is DevOps about Tools or Transformation?
  • OPT5029 – How to Use Service Definitions in VMware vRealize Business to Build Highly Effective, Service-Based Cost Models
  • OPT5075 – 6 Steps to Establish Your IT Business Management Office (ITBMO) with VMware vRealize Business

NSX

NSX is become front of mind for many people, and there is realization that this technology product is having a big impact on the way that IT groups operate. The OPT track is offering a session that will provide real world experiences of how this takes shape.

  • OPT4953 – Operationalizing VMware NSX:  Practical Strategies and Lessons from Real-World Implementations

SDDC

The impact that the implementation of the Software Defined Datacenter has on organizational structure is a common discussion point, and this year the OPT track offers a group discussion with leading organizational change specialists who have a vast amount of experience with many customers.

  • OPT4743-GD – Organizational Change Group Discussion

Use the Schedule Builder tool at vmworld.com to locate these sessions and schedule into your VMworld agenda. Hope to see you there.

 


Andy Troup is a Cloud Operations Architect with over 25 years of IT experience. He specializes in Cloud Operations and Technology Consulting Service Development. Andy is also a vCAP DCA and VCP. Andy possesses a proven background in design, deployment and management of enterprise IT projects. Previously, Andy co-delivered the world’s first and subsequent vCloud Operational Assessments (Colt Telecomm & Norwegian Government Agency) to enable the early adoption of VMware’s vCloud implementation.