That is the approximate number of cloud services that Ken Hankoff, Manager of Cisco IT Risk Management’s Cloud and Application Service Provider Remediation (CASPR) Program believes Cisco’s 70,000 employees use. For the last 14 years, this program has assessed and remediated risks associated with using a cloud-hosted service.
An assessment process for new cloud services is a vital step toward reducing the risk of using externally hosted services. Many customers I speak with struggle to rapidly assess cloud services and integrate them into their IT organization. As part of my blog series on governing cloud service adoption, I asked Ken to share some of his ‘lessons learned’ in assessing the risks of cloud services and bringing them into Cisco IT’s fold.
How do you ensure that teams wanting to use new cloud services work with your team?
Our team is not in the business of sourcing cloud vendors. That responsibility lies with the individual business units and their architecture teams who are seeking to use the service, often in partnership with IT. Once a vendor is selected, there are two primary ways in which my team gets engaged. First, through the Global Contracts team as they have made Cloud Service Provider assessment a part of the contracting process, and second when a new service is being integrated within IT.
How do you evaluate whether a new cloud service is risky to the business?
We look at seven risk factors to create a formula for risk—business criticality, financial viability, security, resiliency, architectural alignment, regulatory compliance, and assessment status.
We establish the business criticality of the service to determine how Cisco would be impacted or disrupted in the event the capability provided by the vendor would go away, and whether we could react or compensate.
We then look at the financial viability of the vendor to give us comfort that they will remain in business. To evaluate vendors we leverage Dunn & Bradstreet’s Predictive Scores & Ratings. We rely heavily on Cisco’s Information Security (InfoSec) organization to provide us with a Security Composite Risk score. Depending on the parameters of the cloud provider engagement, InfoSec will look at the vendor’s application development process, infrastructure, data handling security, system-to-system interoperability, and other areas. For resiliency we focus on how they meet our standards around business continuity and disaster recovery to ensure that our business data will be there when needed, regardless of what happens.
We also need to ensure that we stay compliant with regulations. A vendor that has to comply with HIPAA, SOX, or other regulatory/privacy requirements poses a higher risk than one that doesn’t. For this reason, we look into whether regulatory compliance is a factor, and if so, that it is addressed appropriately.
Finally, we also assess if the vendor aligns to the broader architecture that Cisco IT is investing in to support the business. Vendors are deemed higher investment risk if they do not align to the business and operational roadmap that Cisco is pursuing.
We re-asses vendors on a periodic basis according to their overall risk score. If a service is overdue for a reassessment, that in itself increases the risk of doing business with the provider, so we factor it in.
In your opinion, what are the three most important things to manage the business risks of cloud services?
First, I would suggest establishing ownership and governance of cloud services via a centralized PMO at enterprise level, not just within IT. This ownership needs to go beyond just assessing vendors for security risk, and focus on establishing company-wide policies for overseeing cloud services at the enterprise level.
Second, provide visibility into existing services and how they are being used. This helps enable a catalog of assessed and approved vendors for people to access. If you can have fewer vendors being used, you can reduce your risk.
Third, continually monitor services across the board to know what risks we might be facing, and ensure that the service providers are meeting their SLAs. Additionally, this helps to ensure that investments aren’t being wasted. There is a natural CSP application lifecycle – selection, implementation, adoption, and eventually that service usage might decline and you may end up supporting something that has very few users if you don’t have a lifecycle approach to phasing out services.
What is your biggest lesson learned in assessing new cloud services?
I wish the program had collected more metrics earlier. What we are finding is that there are a significant number of services being contracted all over the company. By collecting really good metrics we might have been more effective in showing executives what services are being used, who is using them, and how. We are making good progress on this now, but I wish we started earlier.
How are you monitoring cloud services and gathering this intelligence?
Our professional service team has helped us a great deal. With the Cisco Cloud Consumption Services, we have begun to capture an enterprise view of what cloud services are being used, by whom and have a great dashboard of metrics we can now use to inform Cisco executives. I never imagined before we were using the software that we had nearly 2,000 cloud services in use, but with Cisco Cloud Consumption we now know and can monitor activity.
In our previous big data blogs, a number of my Cisco associates have talked about the right infrastructure, the right sizing, the right integrated infrastructure management and the right provisioning and orchestration for your clusters. But, to gain the benefits of pervasive use of big data, you’ll need to accelerate your big data deployments and make a seamless pivot of your “back of the data center” science experiment into the standard data center operational processes to speed delivery of the value of these new analytics workloads.
If you are using a “free” (hint: nothing’s free), or open source workload scheduler, or even a solution that can manage day-to-day batch jobs, you may run into problems right off the bat. Limitations may come in the form of dependency management, calendaring, error recovery, role-based access control and SLA management.
And really, this is just the start of your needs for full-scale, enterprise-grade workload automation for Big Data environments! As the number of your mission-critical big data workloads increases, predictable execution and performance will become essential.
Lucky for you Cisco has exactly what you need! Read More »
Today’s blog post is by a guest author, Adel du Toit, who is currently spearheading the effort by Cisco’s internal IT organization to deliver IT-as-a-Service internally, dubbed the Cisco IT “eStore.” Recently, the eStore team took home multiple awards, you can read more about that here. (If you’re not familiar with the eStore, be sure to check out my other blog posts regarding the eStore here and here.)
Over the last few months I had to take a few steps back and admire the passion and dedication of the team as our Vision is starting to become a reality. For those less familiar with the Cisco IT eStore, have a look at the latest customer case study here. You can also check out the demo video below:
In the last few months the eStore team has delivered IT services, to any device, simply, while achieving broad adoption while showcasing Cisco as the #1 IT Company thanks to Cisco Prime Service Catalog, which is the underlying foundation for our end-user storefront interface.
Delivered IT services:
We have 2 ways of delivering IT services and apps. In estore.cisco.com employees can find the IT services that one needs to order from a desktop or laptop computer. As for mobile devices, employees can go to eStore for Mobile to install the apps he or she needs to stay productive whilst on the go.
Today we have nearly 290 IT services and mobile apps that our users can choose from:
To Any Device:
It is important to embrace BYOD and at Cisco we live this every day. It was important that the store we created could be used by any device.
Below is a breakdown of the device types that have accessed both eStore over the last 6 months.
User experience is important to us and we wanted to make sure that the store provides a similar experience to what you would expect when shopping at Amazon or eBay, for example.
In both our mobile and web interface we have the ability to surface the apps and services most needed by our end users:
The Cisco IT eStore (Desktop Version)
The Cisco IT eStore (on iOS mobile)
Adding spotlight content and recommendations is important to help with findability and user experience. This was made possible by the latest release of Cisco Prime Service Catalog, which introduced a next-generation user interface and powers the storefront that the eStore is built on. Be sure to check out Phillipe’s post on the latest release here.
Achieving broad adoption…
One of the most recently added features in the internal Cisco IT eStore has been the addition of desktop software for employees to download. Going forward, we expect to see around 20k unique visitors a month ordering Desktop Software from eStore. For the first time we will have a single, unified platform for both Mac and Windows users to install their software from.
In addition, during our Global Sales Conference (GSX) in Las Vegas in late August we had the requirements to support 18,000 Sales users downloading the recommended mobile apps during the event. We had to be ready to surface the apps, but also support 18k users downloading the event app in a 15 minute period!
Lots of long hours and planning later, we made sure that all of this happened seamlessly, here are a few statistics from the event:
– 89% of the GSX attendees installed eStore for Mobile
– During the event we had 5.4k average visits a day
– 81% of the attendees installed the GSX event app from the store
– 49% of the attendees also installed other apps in addition to downloading the event app
– Very few support issues (less than 40 total!)
– Our max CPU stayed below 12%
– With an average load response time of 1.7 secs
If we take a step back and also look at our overall adoption for Q4, FY14 the numbers look very healthy. Nearly 50k requisitions in the 3 months period from May to July 2014.
…While showcasing Cisco as the #1 IT Company
The Cisco eStore team is no stranger to awards, and we continue to add our trophy cabinet with our latest award, the Gold Stevie Winner for Information Technology Team of the Year. For more information on the latest awards, be sure to check out this blog post detailing all of the awards we won this year at the International Business Awards.
Want to learn more? We have a webinar coming up on October 8th at 8 am PDT where we will discuss best practices for delivering Enterprise IT-as-a-Service, and delve deeper into the latest developments in both the Cisco IT eStore and Cisco Prime Service Catalog. You can register here.
Thanks for reading. For more info be sure to follow us on Twitter @CiscoIT to learn more about the Cisco IT eStore, and follow @CiscoUM for the latest info on Prime Service Catalog.
Cisco IT has always strived to improve the user experience. It is often overlooked in some IT organizations, but Cisco IT has service managers who are held accountable for the feedback they get for their service sectors. This focus on how we perform means we are constantly pushed to improve how users interact with the technology. Read More »
How can a global company make the most of its talent all over the world? How can teams of people collaborate productively no matter where they live and work? While email helps and phone calls help even more, video is critical.
Cisco IT supports our global teams with a successful integrated suite of video options. Cisco employees made nearly 6.5 million video calls this year. What are the most popular video solutions for calls or meetings, and how it has changed Cisco culture? Find out in my short video.