SIAM and the art of multi-sourcing
Ten years ago, IT organizations debated whether to outsource and what to outsource. Today, this question makes no sense. In the era of cloud computing, all IT organizations do multi-sourcing in one way or the other. And this has a profound effect on how you manage your IT service delivery. Service Integration and Management (SIAM) offers a relevant new governance model.
Best practices and process description frameworks, such as ITIL (Information Technology Infrastructure Library), matured over many years. However, this was at a time when organizations had one or a few major outsourcing partners. Today, organizations employ new multi-provider sourcing models, while changes in IT consumer behavior have changed considerably.
ITIL strategic partners
Diagram 1 illustrates the ITIL section Supplier Categorization And Contracts Database (part of ITIL Service Design). Strategic suppliers involve “…senior managers and the sharing of confidential information for long-term plans…”. In the past, these were typically outsourcing partners with whom the customer built long-term relationships. In the age of cloud computing, changes are taking place, especially with regard to the strategic partner relations.
From processes to automation
Today, organizations are shifting base services from former strategic partners to new IaaS or SaaS providers. The explicit goal is to gain the benefits of a competitive market. It allows a more frequent re-negotiation of contract conditions and, if needed, a transition to providers that better meet the organization’s changing requirements.
Rather than cultivating the relation with one or a small number of strategic partners, organizations can shop services from whatever provider offers the best deal at any point in time.
And indeed, from an ITIL perspective, the shift to cloud services has a much broader impact. In many respects, ITIL helps establish governance in manual processes. By comparison, cloud-based business models strive to replace these manual processes with automation. And while new automated processes also require governance, the approach is different.
The chaining of SLAs is complicated as is in ITIL terms, as the second diagram illustrates. Third-parties and subcontractors are involved on many levels. Replicated across many service providers, the SLA chaining model becomes overwhelming. A new model for multi-sourcing management – or rather a complementary layer building on an existing model - is required. The good news is that such models are emerging.
Service Integration and Management (SIAM)
Service Integration and Management (SIAM) is a governance layer based on ITIL. It explicitly addresses the challenge of multi-sourcing management. Diagram three provides an overview*:
* The image is based on an illustration in the White Paper “An introduction to Service Integration and Management and ITIL®” by Kevin Holland, available at the web site of Axelos, the organization behind ITIL.
Between internal service consumers and related service providers, a centralized and separate management layer is introduced: the Service Integration and Management (SIAM) function. Thus, the organization’s service consumers don’t have to interact with multiple service providers for their service requests, support issues, incident or problem management procedures, etc. Instead, the SIAM function takes on the responsibility of orchestrating the services for the organization.
Innovation leadership becomes an important side-effect. To improve and innovate a service combining multiple service providers, you need to have a holistic perspective. From the perspective of the individual supplier, you simply do not have sufficient overview to understand how the organization’s future needs will evolve. The SIAM function, however, has this perspective and a self-interest to ensure innovation helps simplify service consumption while adding business value.
For more details read the Haninge Municipality case study.
Cloud operations introduce new risks
Beyond SIAM and ITIL, IT governance frameworks also have gaps when it comes to cloud services. The use of cloud providers means a greater dependency on third parties which, for instance, means:
- Issues in a cloud provider’s external interfaces may propagate to an incident in your organization
- An attack on other tenancies in the provider’s data centers may impact your organization
- Organizational or technical failures in the provider’s (possibly immature) operations become your problem
- Auditing and assurance require the assistance of an independent assurance process
The dynamic nature of cloud services also means that you can expect:
- The location of data processing facilities change dynamically due to autoscaling or load balancing
- As a result, data processing may take place across national boundaries
- The legal framework becomes difficult to understand since multiple jurisdictions may apply
Regulatory compliance can also become an issue if:
- Privacy sensitive information crosses country borders
- Your organization’s contractual obligations to third parties conflict with the provider’s business model
Finally, the dependence on the internet means business critical services are exposed to vulnerabilities in a public infrastructure outside your control.
Weak standards and best practice frameworks for cloud service governance
All of these risks are difficult to capture in SLAs. The ISO/IEC standards 17788, 17789 and 19086:1-4 help define the terminology and frame of reference. But they do not yet provide a relevant assurance framework. For instance, you cannot demand that your cloud provider becomes certified against these standards and then rest assured that everything is under control.
The trend towards hybrid cloud computing models requires a considerable amount of professional common sense. Data Ductus prides itself with the ability to offer a good portion of it. If we can be of any help, do not hesitate to let us know.