If you are like most executives, buying technology can be exciting, hopeful, uncertain, frustrating and everything in between. You
must identify requirements, weigh competing needs, evaluate capabilities, assess ROI and consider a host of other factors – all of which can be overwhelming, especially when they involve migrating your computing infrastructure to the cloud.
The CompTIA Buying Guide for IT Security is designed to provide you with a starting point.
Cloud computing is one of the most disruptive solutions on the market. It has not only impacted the technology deployed
by IT departments, but how business is done. It’s changed the way organizations innovate and compete, adding ever-greater
productivity, speed and agility.
IaaS, one of three classes of cloud computing along with software-as-a-service (SaaS) and platform-as-a-service (PaaS),
promises your organization access to computing resources – servers, storage and networking – on-demand in the same way as
other utilities like power and water. As advertised, IaaS is game changing. But is it right for you?
The Computing Technology Industry Association (CompTIA) designed this guide to assist you in navigating the decision-making
process for an IaaS engagement. This guide is not intended to be a Consumer Reports-style product review, but rather a
framework for “asking the right questions” to ensure that you are making an informed decision.
What you will find in the CompTIA Buying Guide for Infrastructure-as-a-Service (IaaS):
- What is IaaS?
- What isn’t IaaS?
- What are the options for deploying IaaS?
- How are organizations migrating to cloud?
- What challenges do organizations find when migrating to cloud?
- What deployments are most suitable for IaaS?
- What are the potential benefits of IaaS to your organization?
- What are the potential challenges of IaaS to your organization?
- Which IaaS deployment model is right for your organization?
- How does IaaS align with your organization’s capabilities and priorities?
- What are the capabilities and performance of the IaaS deployment?
- How is your data stored and protected as part of the IaaS deployment?
- What level of support is provided for your organization’s IaaS deployment?
- What expertise does the IaaS provider have?
- What are the cost and contract terms for the IaaS deployment?
- What IT security processes should your organization develop?
- How should your organization enact IT security policies?
IaaS, as defined by the National Institute of Standards and Technology (NIST), is the
capability provided to the consumer to provision processing, storage, networks, and
other fundamental computing resources where the consumer can deploy and run
arbitrary software, which can include operating systems and applications. The consumer
does not manage or control the underlying cloud infrastructure, but has control over
operating systems, storage and deployed applications; and possibly limited control of
select networking components (e.g., host firewalls).
The NIST definition – albeit accurate – is a clunky description for what is an elegantly simple way of accessing computing resources on demand.
What isn't IaaS?
Of course, it’s important to understand what IaaS is, but it’s also helpful to understand what it isn’t. That’s because
many service providers have engaged in “cloud washing” – attaching the word “cloud” to solutions that aren’t technically
cloud-based – to market their services and capitalize on the growing demand for cloud solutions.
That doesn’t mean these are not good solutions – or even the right solutions – for your organization; it just means they
are not IaaS. Indeed, there is a difference between solutions built for cloud (i.e., cloud native) and those that are simply
hosted in the cloud. True IaaS solutions have certain attributes defined by NIST as follows:
What are the Options for Deploying IaaS?
You can deploy IaaS in one of four different deployment models defined by NIST as follows:
- PRIVATE CLOUD – cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple
consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some
combination of them, and it may exist on or off premises.
- PUBLIC CLOUD – cloud infrastructure is provisioned for open use by the public. It may be owned, managed, and
operated by a business, academic, or government organization, or some combination of them. It exists on the premises
of the cloud provider.
- COMMUNITY CLOUD – cloud infrastructure is provisioned for exclusive use by a specific community of consumers
from organizations that have shared concerns (e.g., mission, security requirements, policy and compliance considerations).
It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or
some combination of them, and it may exist on or off premises.
- HYBRID CLOUD – cloud infrastructure is a composition of two or more distinct cloud infrastructures (i.e., private,
community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that
enables data and application portability (e.g., cloud bursting for load balancing between clouds). Editor’s Note: “Hybrid
cloud” is not the same as “hybrid IT,” which describes using on-premises and cloud-based solutions in tandem.
How are Organizations Migrating to Cloud?
Unless your company is a startup needing to deploy a greenfield computing environment, you are unlikely to go
100 percent cloud from day one. Indeed, CompTIA analysts have identified four stages of IaaS adoption (see graphic:
How Organizations Adopt Cloud Solutions).
- EXPERIMENTATION STAGE – Companies typically begin testing IaaS by building virtual instances, typically on
public cloud systems, as proofs of concept.
- NON-CRITICAL USE STAGE – Next, they will migrate some computing functions to the cloud, but not their most
- PRODUCTION STAGE – Once comfortable with IaaS and assured of its security and reliability, companies will
add mission-critical systems.
- TRANSFORMATION STAGE – Companies are not simply moving their systems into the cloud; they are changing
the way they work to reap the full benefit.
What Deployments are Most Suitable for IaaS?
IaaS makes sense in many circumstances that are closely tied to the general benefits that cloud computing offers
(as discussed in greater detail in Section 3). The 2014 book, “Essentials of Cloud Computing,” shares some examples,
which are updated here. These include situations wherein an organization:
- experiences unpredictable peaks and valleys in demand for computing resources
- lacks capital to invest in hardware as is often the case with startups but also with companies that have competing
demands on their budgets
- is under pressure to limit capital expenditures and/or move to operating expenditures
- is growing rapidly and, therefore, unable to scale computing resources to keep pace
- has computing infrastructure needs that are temporary, such as testing and development
- needs to access computing infrastructure quickly and cannot wait to purchase and turn up new servers
While IaaS is advantageous in scenarios where scalability and quick provisioning are key, it may be ill-advised in situations
wherein an organization:
- must comply with regulations that prohibit outsourcing data storage and/or processing
- has minimal usage requirements that are easily met by available on-premises infrastructure
- requires a high level of performance that may be hampered by Internet access, although direct connections to
cloud infrastructure providers can mitigate this concern
- needs control of the underlying physical infrastructure (as opposed to virtual machines)
Any business investment decision requires that you weigh a range of factors: the needs of
your company’s stakeholders, alignment with your corporate objectives, functional requirements,
and the pros/cons and total cost of ownership (TCO) for each individual solution.
As a foundation for evaluating your potential investment in IaaS, this buying guide reviews some of the considerations
that should be factors in your decision. These include reasons to consider investing in IaaS as well as likely challenges. It
also covers the degree to which moving to IaaS aligns with your company’s current environment and capabilities as well
as your future preferences and expectations.
What are the Potential Benefits of IaaS to Your Organization?
Ultimately, what will drive your move to cloud infrastructure will be the benefits your organization perceives pre-deployment
and realizes post-deployment. CompTIA’s most recent research finds cost-cutting to be a top benefit of cloud
solutions in general (see chart, “Benefits of Cloud”). Savings are not guaranteed but possible with IaaS, particularly
when you consider its usage-based pricing model. That said, some of the other perks such as speeding time to market,
improving uptime and enabling innovation may offer more lasting value to your organization.
What Are the Potential Challenges of IaaS to Your Organization?
Clearly there are many benefits to using IaaS in your organization. But there are also challenges, which range from
technical to market-based. Some are overcome with advanced preparation, but others are persistent risks that your
organization must weigh in your decision.
Which IaaS Deployment Model Is Right for Your Organization?
Based on the benefits and risks that a cloud model poses, you can plot your organization’s best IaaS deployment
options in a high-low matrix like the one below developed by Gartner. In this matrix, cloud benefits range from uncertain
to clear and the challenges range from unmanageable to manageable. According to Gartner, if your deployment
lands in the:
- Upper-right quadrant, that’s where public cloud services make most sense
- Lower left, it’s unsuitable for the cloud computing model
- Upper left, it may be a good candidate for a private cloud service approach
- Lower right, it’s worth experimenting with the cloud model
While this is an individual decision for every organization, Gartner noted in a June 2016 study that the trend is toward
more outsourcing. The research firm said that by 2020 more computing power will have been sold by IaaS and PaaS
cloud providers than sold and deployed into enterprise data centers. The IaaS market has been growing more than
40 percent in revenue per year since 2011, and it is projected to continue to grow more than 25 percent per year through
2019. By 2019, the majority of virtual machines (VMs) will be delivered by IaaS providers. With most computing power
moving to IaaS providers, Gartner recommends businesses build the capability to manage multiple cloud providers and
How Does IaaS Align with Your Organization’s Capabilities and Priorities?
Before you go car shopping, you typically spend some time beforehand evaluating your transportation needs
(e.g., number of passengers, price range, gas mileage, style, etc.). Similarly, it’s premature to begin cloud shopping
without a needs assessment. This guide includes two self-assessments:
- The first will help you prioritize the benefits you hope to achieve by using IaaS
- The second seeks to highlight your organization’s IT capabilities and preferences for an initial IaaS deployment.
Use these tools as a starting point. You are bound to encounter areas of uncertainty just as you would when considering
optional features on a new vehicle. Refinements can be made along the way as business objectives and needs are
This exercise can serve to jumpstart internal conversations with your business and technical decision-makers about
their comfort level and expectations for moving to IaaS. Once all stakeholders have weighed in, the final ranking can
be a framework for internal teams (and/or their trusted IT providers) to specify a private cloud solution or source an
The following questions may apply to a cloud infrastructure service provider, an IT solution
provider supporting your organization, or internal staff pursuing a cloud initiative.
IaaS Performance & Capabilities
- What metrics are used to assess speed,
reliability and overall performance?
- How does the SLA handle performance
- Are there “good, better, best” tiers of features
- What tradeoffs exist between capabilities and
- What is the mechanism for determining how
this cloud solution integrates with our other IT
systems, applications or processes?
- If customization is required, how is that handled?
- What are the mobile or remote capabilities of this
IaaS Data Storage & Protection
- What methods are used to protect my data?
- Are there any guarantees to protect my data
against security breaches or data leaks?
- Who can access my data? This may include
insiders, other firms, government agencies...
- How is data backup and disaster recovery
handled? What redundancy is built into
- How is support provided (phone, email, IM)?
- Is emergency support available 24/7?
- What can I expect from your customer
- How are complex questions escalated?
- Is there a user forum or other self-serve
repository of FAQs?
- What type of training is provided to ensure my
staff get the most out of this investment?
IaaS Provider Expertise
- How does your team stay current with new cloud
technology developments and trends?
- What members of your team will be working on
my project? Will this change over time?
- What relevant industry credentials or
certifications, if any, does your firm or
- What is your level of expertise with the regulatory
compliance requirements for my industry?
- If I am required to provide an audit trail to
demonstrate compliance, how will this
- Do you have any customers that are in a similar
line of business as mine?
IaaS Costs & Contracts
- What is the fee structure? Are there any extra or
- Do you offer contract flexibility, such as the
option of annual or monthly payments?
- Is there a cap on how much rates can be
- What happens if I want to terminate my
contract? How do I get my data back?
- Do you have any case studies or ROI
assessments to help me understand the cost/
benefits of this proposed solution?
- Do you have any comparisons showing the cost
of on-premises vs. cloud solutions over time?
- Will I need to purchase any additional
infrastructure, software, etc. to use this solution?
CompTIA is the voice of the world’s information technology (IT) industry. Its members are
the companies at the forefront of innovation and the professionals responsible for maximizing
the benefits organizations receive from their investments in technology. CompTIA
is dedicated to advancing industry growth through its educational programs, market
research, networking events, professional certifications, and public policy advocacy. For
more information, please visit CompTIA.org.