Inside the hybrid cloud, Part 4: Implementation considerations

Learn what it takes to actually implement, govern, and protect a hybrid cloud. This series has discussed the advantages of the hybrid cloud, Every Component as a Service (XaaS), ubiquitous delivery, and Intelligent Workload Management (IWM), which provides the capabilities required to make it all work effectively and securely. This article is the final in the hybrid cloud series.


Grace Walker, IT Consultant, Walker Automated Services

Grace Walker, a partner in Walker Automated Services in Chicago, Illinois, is an IT consultant with a diverse background and broad experience. She has worked in IT as a manager, administrator, programmer, instructor, business analyst, technical analyst, systems analyst, and web developer in various environments, including telecommunications, education, financial services, and software.

31 May 2012


The implementation of a hybrid cloud can be fraught with risks that can undermine the true value of your investment and perhaps place an enterprise in an even more precarious position. As with any implementation, getting your hybrid cloud up and running requires the careful consideration of several important factors to ensure appropriate functionality, security, and reliability. For a hybrid cloud to work effectively, the silos that have been erected must be torn down to provide a common approach to both business service management (BSM) and IT service management (ITSM). It requires the intelligent construction of governance policies to regulate the system and its performance while maintaining strict compliance.

IT has to become a true business partner by implementing IT as a Service (ITaaS). This implementation requires that IT processes be designed to:

  • Embrace the mindset of a service provider
  • Develop an agile and responsive approach to business needs
  • Act as the gateway to the cloud, which eliminates the circumstances leading to the development of Software as a Service silos and cloud islands
  • Assume the role of security and compliance partner, constantly appraising and scrutinizing services both internally and for third-party suppliers
  • Remove the silos by extending BSM and ITSM policies into the cloud
  • Recognize and appreciate the economic drivers that are critical to the financial health of the enterprise

Ultimately, IT must become a value creator for the enterprise, preventing the chaos that could evolve if the migration to the cloud were not well coordinated, regulated, and managed. At the same time, IT must provide space for the increase in business value based on innovation and optimization. Adeptly walking this tightrope will lead to great value for the enterprise.

Key phases in hybrid cloud implementation

Understanding and planning for any potential problems are critical for a successful deployment of your hybrid cloud solution. To avoid the perils, IT and the business stakeholders must work closely to state business objectives clearly, define project scope precisely, and outline migration guidelines explicitly. To perform these tasks, the implementation team must consider many aspects of the migration carefully and ensure that all stakeholders are informed and in agreement.

Before you begin, be sure to:

  • Describe the business needs that the solution serves
  • Document the underlying drivers that are the impetus for migrating into the cloud (new functionality or applications, moving existing solutions)
  • Understand the true nature of the solution (will it work in isolation or with other systems)
  • Determine the number and nature of the users who will use the new solution and their potential support and training needs
  • Establish the real cost of the solution, encompassing the complete life cycle, not just the implementation
  • Calculate the effect on day-to-day cash flow based on the new pay-per-use model

The implementation process should be organized into planning, execution, monitoring, and assessment phases. During the planning phase, you should establish the key business drivers, delineate the business objectives, and outline the project plan. A team of IT and business stakeholders should be established to oversee the process. In the execution phase, the plan must be implemented based on the guidelines established during the planning phase, with a wary eye to preventing scope creep. Once established, the system must be constantly monitored and assessed to ensure proper performance and return on investment (ROI).


Hybrid cloud governance must address policies related to availability, security, and compliance while keeping in strict harmony with the general IT goals and the overall strategic objectives of the enterprise. Governance is a policy-making process designed to assess risk as well as opportunities in a constantly changing and evolving environment. These policies must focus on the delivery and location of cloud services and data as well as track and enforce policies at run time.

The governance policies must include both design-time and run-time governance. Design-time governance focuses on the development phase, concentrating mainly on internal concerns. Run-time governance focuses on policies that regulate access, security, and the performance of services consumed both internally and externally. The policies must be designed to address:

  • Role-based access. Establishing control over who has access to the system and what they can do, including who can deploy and manage cloud assets
  • Metrics for monitoring. Assessing application performance and other business-critical key performance indicators
  • Service level agreements (SLAs). Establishing levels for both the application and the underlying infrastructure
  • Quality of service. Providing the benchmarks for service delivery

To manage a hybrid cloud, you must implement a comprehensive framework composed of various tools and the processes that govern their use. In the final analysis, the achievement of optimal value and utility hinges on the effectiveness of the specific enterprise governance structures deployed. This is the key to realizing the desired returns from IT and associated human resources investments.


One huge governance issue is disintermediation—the bypassing of IT. The cloud makes it extremely easy for impatient and poorly informed IT or business unit personnel to bypass IT altogether and create solutions on their own. Pressured by deadlines and with credit card in hand, someone reaches out to Amazon for compute capability, quickly completes a project, and all seems well. Or a business unit needs software that is currently unavailable in house, and the people in that unit are facing a drop-dead date—no excuses accepted, no extensions possible. They quickly reach out to the cloud, use the software, complete the project, and deliver. Again, all seems well. However, they have left a trail in the cloud that is outside their organizational governance and security. This is dangerous and can ultimately be crippling. In addition, disintermediation reinforces silos and leads to cloud island development. In the end, this approach leads to governance and compliance chaos, opening the door to potential data loss as well as malicious intrusions.

The solution to disintermediation is not only well-developed policy but also effective communication. To eradicate disintermediation, IT must provide a catalog or portfolio of approved cloud service providers that have been vetted and therefore can be safely accessed by users. The entire organization must be aware of and adhere to the governance policies and at all times accept the gateway responsibilities of IT. Remember, ITaaS is designed to partner and facilitate.

Change management

Change management is another issue. How do you handle change management in the cloud? Behind your firewall, you control the deployment of application upgrades according to a timetable and schedule that is understood by and agreeable to the overall organization. Before deployment, you test to ensure that the upgrade or change will not affect the operation of the enterprise.

When implementing a hybrid cloud, you must address versioning at all levels, securing system viability through SLAs as well as internal processes, infrastructure, and policy. It is important to make this part of the SLA. There must be rules regulating these changes that you and the service provider agree to before changes are implemented. These rules must include the use of multiple versions as well, to ensure the viability of legacy applications.

Data management

The data that travels into the cloud must be encrypted. Encryption prevents service provider staff as well as rogue servers from gaining access to your data. It also renders unreadable any remnants of data on discarded storage devices.
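As an added example (not from the article), this is what "encrypt before it travels into the cloud" looks like in practice: AES-256-GCM with a key that never leaves the enterprise, so provider staff, a rogue server, or a discarded disk holding only the stored blob gets nothing without it. The function names (NewKey, Seal, Open) and the blob layout are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// newGCM builds AES-256-GCM from a key that stays on premises; the cloud
// provider only ever stores what Seal returns, never the key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey generates a 256-bit key. Destroying it ("crypto-shredding") is what
// makes provider copies and remnants on discarded disks permanently unreadable.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Seal returns nonce || ciphertext || tag (layout assumed here). label (e.g. the
// object name) is authenticated, not encrypted, so a blob cannot be re-filed.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal; it fails for a wrong key, a tampered blob or a label mismatch.
func Open(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], label)
}
```

The provider stores and replicates only the output of Seal; key custody, rotation and destruction remain enterprise responsibilities under the governance policies above.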

Network connectivity

A hybrid cloud combines service and deployment models. When the cloud is private, both the enterprise and the provider are encompassed by the same network boundary. When the cloud is public, the enterprise and provider reside in different networks. In the hybrid cloud, the enterprise network may need to extend into the provider and the provider into the enterprise. The bottom line is that both the enterprise and the service provider must expose some of their network to the other. To meet the new challenges of the hybrid cloud, network architecture must become more flexible, network services need to decouple from location, and automated provisioning needs to be facilitated through the abstraction of resources.


The connectivity capabilities of the hybrid cloud are central to the adoption and enduring usage of cloud services, and bandwidth is a critical delivery factor. Bandwidth policy is critical, because an important aspect of the value of data is the timeliness of its delivery.

The hybrid cloud requires a bandwidth-aware system. Bandwidth must be based on the anticipated amount of data, which can be difficult to calculate and costly when overestimated. Scalable bandwidth provides the solution while offering a more efficient use of network resources. Scalable bandwidth responds quickly to changes in demand without sacrificing security or architectural flexibility.


Latency is also a connectivity issue. When users, applications, and data are distributed across the globe, the reliability and performance of your applications can be affected. When it comes to performance, milliseconds between the cloud and the end user can be costly to your business. End users expect results quickly, and when they don't get them, they click away.

Both the cloud infrastructure and the network must be considered when evaluating performance. They both play an important role, and the success of your cloud deployment will depend on both when it comes to end user acceptance. Because the laws of physics can't be overcome and latency is a function of distance as well as hops across routers, it is important that you test for latency issues early in your cloud evaluation process. Selecting the appropriate location for your cloud infrastructure is the first step. Concentrate on shortening the distance between the cloud and your end users. Doing so lowers latency and also increases the performance of your applications. When it comes to the hybrid cloud and latency, the mantra must be location, location, location.


The firewall must also be considered. The ideal approach is a cloud-based web application firewall (WAF). Cloud-based firewalls are platform agnostic and do not require hardware or software changes to accommodate expansion. Because a cloud-based WAF is centrally managed, threat detection is shared among all the tenants of a service, resulting in improved detection rates as well as fewer false positives. The service grows and expands with your needs and provides an elastic and scalable solution. When mobile devices and telecommuting are thrown into the mix—not to mention the addition of bring-your-own-device delivery—it is easy to see that the increased burden on firewall management can be exponential.

Access control

Comprehensive identity and access management (IAM) is a vital criterion for success in the hybrid cloud. In addition to the role IAM plays in securing your data, it is a key to meeting the rigors of compliance. Compliance requires not only that you show who has been granted access and the security surrounding the role, but also that you track user actions after access has been granted.

Security information and event management (SIEM) technologies can be used to improve IAM user and role management. SIEM permits more extensive exception monitoring and audit capabilities than IAM alone as well as a consistent interface for your logs and reports.

This approach also provides advantages when organizational or economic structural change is required. Today, changes in the economy and business models are frequently at the speed of thought. An identity-driven cloud provides higher visibility into business processes, allowing you to gather real-time, event-driven information, which facilitates rapid change in direction while providing a clear view of the separation of duties.


Implementing a hybrid cloud means your enterprise may be in a multitenancy environment. Multitenancy is the sharing of resources such as compute, storage, and networking among multiple tenants. In this situation, an enterprise must ensure the security of its information and the keys to system access. To guarantee that security is managed properly in a multitenancy environment, you must investigate how the service provider enforces the separation between tenants. For example, in multitenancy, no tenant can be allowed to access or even know of the existence of resources assigned to other tenants. You must know how security is implemented and validate that the implementation method is effective.

The security put in place in a multitenancy environment must be role based. There must be a secure management capability that allocates resources without revealing any of the resources' content to the service provider's administrator. The administrator must be able to set up, deploy, and allocate additional resources, but he or she cannot be allowed to perform functions inside a single tenant's environment.

The enterprise administrator must also be role based. He or she must be able to distribute the management and access roles for the enterprise.
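The SIEM-style exception monitoring described above (tracking what users do after access is granted) and the tenant separation just described can be checked with the same policy logic. The following is an added example, not the article's or any provider's code: a constructed IAM directory, a constructed access log, and an audit that flags role violations, cross-tenant access, and a provider administrator touching tenant content. All names, roles and log lines are constructed for illustration.

```go
package main

import "strings"

// Constructed IAM directory and policy; tenant "provider" marks provider admins.
var (
	tenantOf  = map[string]string{"alice": "acme", "bob": "acme", "carol": "globex", "padmin": "provider"}
	roleOf    = map[string]string{"alice": "developer", "bob": "cloud-admin", "carol": "developer", "padmin": "provider-admin"}
	needsRole = map[string]string{"read": "developer", "deploy": "cloud-admin", "allocate": "provider-admin"}
	ownerOf   = map[string]string{"vm-17": "acme", "db-3": "acme", "vm-42": "globex"}
)

// Constructed access-log lines: "timestamp user action resource".
var sampleLog = []string{
	"2012-05-31T10:00:01Z alice read vm-17",
	"2012-05-31T10:00:02Z carol read vm-17",
	"2012-05-31T10:00:03Z padmin read db-3",
	"2012-05-31T10:00:04Z padmin allocate vm-42",
}

// Check returns "" for a permitted event, else the reason the SIEM should alert.
func Check(user, action, resource string) string {
	tenant, known := tenantOf[user]
	if !known {
		return "unknown principal"
	}
	// The provider's admin may allocate capacity but never touch tenant content.
	if tenant == "provider" && action != "allocate" {
		return "provider admin touching tenant content"
	}
	if role, ok := needsRole[action]; !ok || roleOf[user] != role {
		return "role does not permit action"
	}
	// Unknown resources fail here too: nothing proves they belong to the tenant.
	if tenant != "provider" && ownerOf[resource] != tenant {
		return "resource not owned by user's tenant"
	}
	return ""
}

// Audit returns one line per logged event that violates the policy.
func Audit(lines []string) []string {
	var out []string
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) != 4 {
			out = append(out, l+": malformed event")
			continue
		}
		if why := Check(f[1], f[2], f[3]); why != "" {
			out = append(out, strings.Join(f, " ")+": "+why)
		}
	}
	return out
}
```

Run over sampleLog, Audit flags carol's read of an acme resource and padmin's read of db-3 while letting alice's read and padmin's allocation pass; malformed lines are reported rather than silently dropped, since a gap in the audit trail is itself a compliance finding.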

VPN tunnel

To secure your data in the hybrid cloud, use a virtual private network (VPN) tunnel between the private and public cloud services. A VPN tunnel facilitates secure connections and the use of a single name and password to access an array of cloud assets. VPN communication uses generally available assets such as the Internet as the means of moving the hybrid cloud's data. The tunnel is encrypted, relying on the dual-key (public-key) cryptography used by the Secure Sockets Layer (SSL) protocol.

Keep in mind that the access controls you put in place are not just relevant to your users. Your cloud vendor also has access to your servers, so you must ensure that it is following the access policies you have put in place.


The hybrid cloud is the most cost-effective and efficient means for an enterprise to create rapid responses to the fast-paced changes in today's marketplace. It provides an ROI that cannot be achieved using on-premises solutions alone. This paradigm involves new risks that can be mitigated with appropriate governance and oversight. This article concludes this series on the hybrid cloud. Thank you for taking the time to read along.


