INSIGHT

SIAM and the art of multi-sourcing

Ten years ago, IT organizations debated whether to outsource and what to outsource. Today, this question makes no sense. In the era of cloud computing, all IT organizations do multi-sourcing in one way or the other. And this has a profound effect on how you manage your IT service delivery. Service Integration and Management (SIAM) offers a relevant new governance model.

Best practices and process description frameworks, such as ITIL (Information Technology Infrastructure Library), matured over many years. However, this was at a time when organizations had one or a few major outsourcing partners. Today, organizations employ new multi-provider sourcing models, while changes in IT consumer behavior have changed considerably.

ITIL strategic partners

Diagram 1 illustrates the ITIL section Supplier Categorization And Contracts Database (part of ITIL Service Design). Strategic suppliers involve “…senior managers and the sharing of confidential information for long-term plans…”. In the past, these were typically outsourcing partners with whom the customer built long-term relationships. In the age of cloud computing, changes are taking place, especially with regard to the strategic partner relations.

From processes to automation

Today, organizations are shifting base services from former strategic partners to new IaaS or SaaS providers. The explicit goal is to gain the benefits of a competitive market. It allows a more frequent re-negotiation of contract conditions and, if needed, a transition to providers that better meet the organization’s changing requirements.

Rather than cultivating the relation with one or a small number of strategic partners, organizations can shop services from whatever provider offers the best deal at any point in time.

And indeed, from an ITIL perspective, the shift to cloud services has a much broader impact. In many respects, ITIL helps establish governance in manual processes. By comparison, cloud-based business models strive to replace these manual processes with automation. And while new automated processes also require governance, the approach is different.

The chaining of SLAs is complicated as is in ITIL terms, as the second diagram illustrates. Third-parties and subcontractors are involved on many levels. Replicated across many service providers, the SLA chaining model becomes overwhelming. A new model for multi-sourcing management – or rather a complementary layer building on an existing model - is required. The good news is that such models are emerging.

Service Integration and Management (SIAM)

Service Integration and Management (SIAM) is a governance layer based on ITIL. It explicitly addresses the challenge of multi-sourcing management. Diagram three provides an overview*:

* The image is based on an illustration in the White Paper “An introduction to Service Integration and Management and ITIL®” by Kevin Holland, available at the web site of Axelos, the organization behind ITIL.

Between internal service consumers and related service providers, a centralized and separate management layer is introduced: the Service Integration and Management (SIAM) function. Thus, the organization’s service consumers don’t have to interact with multiple service providers for their service requests, support issues, incident or problem management procedures, etc. Instead, the SIAM function takes on the responsibility of orchestrating the services for the organization.

Innovation leadership becomes an important side-effect. To improve and innovate a service combining multiple service providers, you need to have a holistic perspective. From the perspective of the individual supplier, you simply do not have sufficient overview to understand how the organization’s future needs will evolve. The SIAM function, however, has this perspective and a self-interest to ensure innovation helps simplify service consumption while adding business value.

For more details read the Haninge Municipality case study.

Cloud operations introduce new risks

Beyond SIAM and ITIL, IT governance frameworks also have gaps when it comes to cloud services. The use of cloud providers means a greater dependency on third parties which, for instance, means:

Issues in a cloud provider’s external interfaces may propagate to an incident in your organization
An attack on other tenancies in the provider’s data centers may impact your organization
Organizational or technical failures in the provider’s (possibly immature) operations become your problem
Auditing and assurance require the assistance of an independent assurance process

The dynamic nature of cloud services also means that you can expect:

The location of data processing facilities change dynamically due to autoscaling or load balancing
As a result, data processing may take place across national boundaries
The legal framework becomes difficult to understand since multiple jurisdictions may apply

Regulatory compliance can also become an issue if:

Privacy sensitive information crosses country borders
Your organization’s contractual obligations to third parties conflict with the provider’s business model

Finally, the dependence on the internet means business critical services are exposed to vulnerabilities in a public infrastructure outside your control.

Weak standards and best practice frameworks for cloud service governance

All of these risks are difficult to capture in SLAs. The ISO/IEC standards 17788, 17789 and 19086:1-4 help define the terminology and frame of reference. But they do not yet provide a relevant assurance framework. For instance, you cannot demand that your cloud provider becomes certified against these standards and then rest assured that everything is under control.

The trend towards hybrid cloud computing models requires a considerable amount of professional common sense. Data Ductus prides itself with the ability to offer a good portion of it. If we can be of any help, do not hesitate to let us know.

Get in touch

Cookie	Description
_GRECAPTCHA	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.
cookielawinfo-checkbox-analytics	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-analytics	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-functional	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-necessary	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-others	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
cookielawinfo-checkbox-performance	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp-wpml_current_language	Used by WPML language plugin. Stores the current language.

Cookie	Description
_ga	Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
_gat_gtag_UA_#	Used by Google Analytics to throttle request rate
_gid	Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
_hjSessionUser_#	Collects statistics on the visitor's visits to the website, such as the number of visits, average time spent on the website and what pages have been read.

Cookie	Description
_fbp	Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers.
bcookie	Browser Identifier cookie to uniquely identify devices accessing LinkedIn to detect abuse on the platform
lang	Used to remember a user's language setting to ensure LinkedIn.com displays in the language selected by the user in their settings.
li_gc	LinkedIn, Used to store consent of guests regarding the use of cookies for non-essential purposes
lidc	LinkedIn, To facilitate data center selection
muc_ads	Advertising cookie from Twitter
personalization_id	Used by Twitter if you are logged in to Twitter to associate your device with your Twitter account. Twitter may also use this cookie for personalization across devices whether or not you are logged in to Twitter.