Creating and implementing a cloud hosting strategy
This guidance outlines how to create and implement a cloud strategy, and when to consider a single, hybrid or multi-cloud solution.
Whether you’re creating your first cloud strategy or making a change to your current one, you’ll need to base it on the needs of your users. This will help you to find and manage the right cloud solution for your organisation. You should aim to keep your cloud strategy as simple as possible while still meeting the needs of external and internal users.
Why taking a strategic approach to cloud matters
Some organisations may have ended up with their current hosting arrangements because of a series of uncoordinated decisions. A lack of intentional planning can result in complex and expensive technology estates.
For example, an organisation that starts to move to the cloud, but later realises that some legacy applications will have to remain on-premise for a period of time, may say they have a hybrid cloud strategy. This is not the case if the cloud and on-premise parts of the organisation are largely uncoordinated and separate. Retrospectively adding the hybrid cloud label as a strategy only describes the current state of the organisation. The label would likely not meet future user or business needs or ambitions.
Going through a process to deliberately and consciously create a hosting strategy based on the needs of your users, will:
- improve your ability to meet current and future organisational requirements
- help you identify the skills and capabilities you will need to carry out the strategy across the organisation
- enable you to store your data in the most appropriate way
- enable discussions with business stakeholders
Write the cloud strategy you need
Your organisation’s cloud strategy will be unique to your organisation.
Whatever its format, you need to make your strategy easy to find and actionable. A cloud strategy is not a decision on whether to use multi-cloud or a single provider. You should consider your organisation’s needs and attempt to solve the organisation’s current issues while allowing for future development.
As well as user research, consult the experts within your organisation to create your strategy. For example, internal governance bodies like technical design authorities.
Start with problems and end with a strategy
It’s important that you assess your current estate and your future requirements and then choose a strategy.
Do not decide on a single, hybrid or multi-cloud solution and then design your strategy to fit. Instead, start with your needs, problems and desired outcomes and make a decision based on those.
You should make sure you have a good understanding of your entire technology infrastructure before creating a new cloud strategy. This should be as detailed as possible, considering the options for each application or service and area of functionality.
Every organisation has different requirements and your strategy should consider:
- the current estate
- organisational and business goals
- security requirements and risk appetite
- current and future location of data
- organisational culture and the skills you will need or already have
- your budget
- your commercial approach
- mandated regulatory requirements
When you’re doing this you will need input from many functions within your organisation, including commercial, technology, security and human resources. Each of these functions will provide a different perspective on how a strategy will affect your organisation.
As time goes on, you’ll need to continually measure the progress of your strategy. You’ll also need to do user research to make sure it’s still meeting your user needs and the needs of the organisation.
Pick the simplest options you can
Once you have a list of your problems, needs, desired outcomes, capabilities and requirements, you should identify a provider or providers that meet your needs, using your organisation’s regular commercial process.
You’ll need to balance getting as many of your requirements as possible against cost and complexity. Sometimes you’ll need to compromise on your requirements if the cost and complexity of getting all of them outweighs their benefits.
For example, you’ll need to analyse whether your organisation will benefit from a single or multiple provider, and what business processes you need to put in place to manage them.
It’s important to follow commercial procurement rules when deciding on your suppliers. The procurement rules include a requirement to work fairly and openly and to provide good value for money for the taxpayer.
When the simplest solution is not enough
Often a single provider strategy may be good enough to meet your most important needs, but there might be occasions where you need more capabilities than a single provider can offer. This might be because you have unusual requirements. Typical unusual requirements can include, but are not limited to:
- cloud concentration risk
- high risk data or complex security requirements
- legacy or unsupported technology
- specific feature requirements
- legislative requirements
Cloud concentration risk
The public cloud market is consolidating and there are now only a handful of “hyperscale” providers. This means it’s likely your services will become “concentrated” with a handful of providers, or even just one. There are generally 2 different types of issues such concentration could bring.
- commercial risk - using a small number of suppliers might cause you a disadvantage in contract negotiations or cause “vendor lock-in” as the cost of moving is too great
- technical risk - using a single provider who could fail, temporarily or permanently, causing service disruption and the potential for loss of data
At a departmental level choosing to have diverse vendors or designing for portability or embracing vendor lock-in to benefit from greater agility and a platform’s native capabilities should be a conscious decision.
At a government level it’s important we track how much of our critical infrastructure and key services are becoming concentrated with major providers. The Cabinet Office manages this, rather than individual departments.
Organisations should consider technical concentration risk in their overall risk management plan, but for the majority of situations the benefits of using a single provider will outweigh the technical concentration risk.
If your organisation runs Critical National Infrastructure (CNI) or has unique resilience, redundancy or availability requirements you must consider if concentration poses a risk to your service.
You should alert the Cabinet Office at [email protected] if:
- you plan to move any CNI into the cloud
- you are moving from one cloud to another
- your CNI strategy changes significantly
High risk data or complex security requirements
You should always follow the NCSC cloud security guidance and make sure that you take a risk-based approach to storing data or services in the cloud.
There may be occasions when the simplest solution cannot meet all of the security requirements you have for a specific service. This can be a good reason to consider hosting that service elsewhere, for example with another cloud provider, with Crown Hosting or in an on-premise data centre.
This would mean that you are adopting a hybrid or multi-cloud approach rather than a single provider, and you would need to plan accordingly. For example, by making sure your strategy includes provision to upskill your teams to use different providers.
Legacy or unsupported technology
Following your assessment of your estate, you might realise there is legacy or out-of-support technology which you cannot migrate to the cloud.
Where possible, you should try to move away from and manage legacy technology as they can be difficult and expensive to maintain, and expose you to security risks.
If there is no option to move away from legacy applications, you will have to maintain an on-premise presence. This will mean you have to take a hybrid cloud approach.
Specific feature requirements
If you have a lot of different requirements that need multiple providers, you might have to split your estate across these providers. For example, provider-specific services such as machine learning, translation or big data. This will mean you need to take a multi-cloud approach.
Multi-cloud does not mean running all of your services identically in two or more cloud environments. Trying to run identical services across multiple environments is difficult and needs significant extra work to secure it or run it efficiently. For that reason, you should only run each service in one place.
Some organisations have a primary/secondary approach where they have most services run in the primary provider and use the secondary provider for only a few services that take advantage of the secondary provider’s capability. This allows them to use the benefits of multiple providers whilst mitigating some of the risk of having to connect multiple environments together.
Legislative requirements
If you have specific services that are restricted by legislation or regulation you might need to adjust your approach. For example, if you have data that you must keep in the UK, you need to work with your cloud provider(s) to understand how they support and maintain UK-based hosting for that specific data. This will help you determine if your supplier(s) approach will meet your needs and help you decide which data has no restrictions.
Transitioning to your cloud strategy
Once you’ve chosen a strategy, you’ll need a transitional plan. This might be because you:
- cannot move systems all at once due to availability requirements
- need to increase capability or skills within your organisation before you can fully move to the cloud
- are managing legacy applications which are not compatible with the new cloud environment
Moving from old to new is not quick and simple. A hybrid state can persist for an extended period of time. You will need to manage old and new systems side by side for a significant period of time. During the migration process, you might end up running simultaneous hybrid or multi-cloud systems. This can cause considerable pressure on your organisation. For example, you’ll need to have plans if an operations function has to work across very different and multiple environments.
Once you’ve assessed your organisation’s current situation, your transitional plan might be to:
- adopt a single provider solution on the journey to implementing a multi-cloud solution
- have a hybrid cloud strategy before transitioning from on-premise to the cloud
Your transitional strategy must contain the elements you’ll need to complete the transition to the cloud. This might mean you’ll need to accept some extra risks, costs or capability requirements during that period.
It is important your transition does not become the end strategy. You have created your cloud hosting strategy based on the organisational needs, risks, costs, and capabilities. It is important to set targets and track them. If your organisation stays in the transitional state it could result in you having to do more work to mitigate the issues which may arise by not completing your strategy.