GRC Implementation Success, Part 6: Cloud Matters (but not all Clouds are Created Equal)

DoubleCheck Software presents GRC Implementation Success, a guest blog series by Blue Hill Research Principal Analyst David Houlihan. This series draws on five years of Blue Hill studies in GRC in order to highlight key lessons for purchasing and implementing GRC software.

Part 6 of this series examines the role of hosted and cloud delivery models in the deployment cycle.

Today’s post continues the examination of application characteristics that contribute to deployment time that began in Part 5. In that post, we considered how application configurability speeds deployment time and embeds flexibility in the application in ways that are not available through traditional, hard-coded customization approaches.

The other major application component that Blue Hill’s research has consistently connected to faster technical deployment is the use of cloud services. Most readers at this point are likely familiar with some arguments for or against cloud delivery models. Rather than reiterate them, we will focus on how cloud models impact the deployment process and deployment time.

The Role of Cloud in Technical Deployment

In Part 5, we observed that configurability is one of two application factors that contributed to KBR, Inc.’s ability to achieve a technical deployment cycle of 3.5 months. (Compare this to the Worst-Case range we benchmarked as 11 to 16 months.) The other factor, unsurprisingly at this point, is a vendor-hosted, cloud delivery model. Blue Hill’s Contributors to GRC Implementation Success: Avoiding the Worst-Case Scenario benchmark study found a similar connection between cloud delivery models and Best-Case technical deployment times (3 to 4 months).

Table: Factors Contributing to the Success of the KBR Implementation

How does a cloud model influence the deployment cycle? In these models, the vendor takes responsibility for providing the underlying infrastructure and management of the application. This helps minimize internal deployment requirements, such as hardware purchasing, installation, or integration within the existing solution ecosystem. These benefits can also minimize ongoing operational burdens related to maintenance, utility consumption, or solution backup.

Cloud deployment also has an impact on implementation cost by eliminating the need for infrastructure investment by the buyer. Since cloud delivery is typically associated with subscription billing models, it also tends to eliminate the immediate perpetual license purchase associated with on-premises enterprise applications.

By removing the need for both upfront equipment and software purchase, cloud delivery minimizes the capital investments required.

However, be aware that total lifetime costs associated with the application may be roughly similar. Blue Hill’s GRC Vendor Implementation Success Strategies discusses both the time and cost dynamics in more detail.

Different Cloud Models Affect Implementation Differently

The cases analyzed by Blue Hill show that the cloud, as a general proposition, has a positive impact on GRC implementation time. However, nuances between different cloud models impact deployment time to varying degrees. To illustrate, we can consider three common patterns in cloud application delivery:

  • Cloud Hosting – a vendor hosts an application with an on-premises architecture, using either dedicated infrastructure components or infrastructure as a service (IaaS) and platform as a service (PaaS) capabilities. In this model, the vendor manages and maintains the underlying infrastructure, but the customer retains responsibility for application management.
  • Single Tenant Software as a Service (SaaS) – a vendor hosts an application architected for cloud deployment in a model where each customer receives a dedicated application instance. In addition to managing the underlying platform, the vendor takes on application management responsibility as well. The customer’s only interaction with the environment occurs through the application interface.
  • Multi-tenant Software as a Service (SaaS) – is similar to single tenant SaaS, with the exception that a single application instance supports multiple customers through dedicated tenancies and partitioned access.

Each of these models creates a different set of dynamics in the technical deployment process. In cloud hosting models (and often in single tenant SaaS models), the buyer no longer has responsibility for provisioning and managing the underlying environment. Nevertheless, the vendor still needs to provision new instances of the required infrastructure and middleware components to support the application. This relieves the buyer of making the investments and conducting much of the work, but it does not necessarily take any more or less time to do so. Often, the vendor possesses standing resources and programmatic processes that will accelerate the process. In single tenant SaaS models, additional time compression is often available through the vendor’s ability to share infrastructure resources at scale and incorporate standardization, automation, and other SaaS characteristics that can accelerate environment provisioning and setup.

Multi-tenant SaaS environments see the shortest possible technical deployment cycles, as the infrastructure environment is essentially pre-provisioned and the application is pre-installed. The vendor must only provision and configure the new tenant, cutting several cycles from the individual customer deployment process. However, the shared environment required by multi-tenant SaaS can raise other concerns unrelated to provisioning. Particularly in the context of GRC, which often deals with sensitive processes and information, organizations can be understandably reluctant to place that data in a shared environment.

Table: Relative Technical Deployment Impact by Cloud Model

Evaluating Cloud Options

It should go without saying that organizations have more factors to consider than provisioning time when assessing cloud options. For example, cloud hosting often presents opportunities to maintain application control and customization that are not possible under the standardization and environment encapsulation required in SaaS models. Similarly, while multi-tenant SaaS models offer the most efficient deployment cycle, other characteristics of the environment may prevent it from being a good fit for GRC.

Organizations will need to evaluate numerous factors when considering a cloud option, but the impact on deployment time certainly should be one of them.

How to weigh that impact will depend on where the organization’s priorities fall and its objectives for the investment.

Next, we look at: deployment project management and the role of the vendor relationship.

Before, we discussed:

  • Why implementation success is investment success
  • GRC’s role and value contributions to the business
  • How robust business requirements must drive technical requirements
  • The “Show Me” approach to vendor assessment
  • Application tailoring without extended deployment

