This report offers the findings from research and investigation into Microsoft’s Azure Cloud Platform, identifying the benefits of relocating elements of physical IT structure and student services from four college campuses to a central, virtualised setting in the cloud with the purpose of supporting college and student needs longer term, encompassing an aim to achieve access to learning resources from any location or device.
The investigations carried out will provide the information for products and services available in Azure, the advantages garnered, and the potential risks that require careful consideration prior to migration.
Recommendations of the services to be transitioned to Azure will be based on the examination of case studies from organisations who have already made the switch and their rate of success, and the requirements set forth by management.
The points noted below will be factored into any recommendations:
- Specifications established by the college IT department,
- Laws governing data, storage, geographical location,
- Current and future license requirements
- Service Level Agreements (SLA).
The conclusion put forth will be based on the research conducted throughout the report and observations that were formed to give an informed overall opinion of the product and services on offer with Azure.
The Board of Directors were contacted by a representative from Microsoft about the potential benefits of Azure services, and the technology enhancement cloud facilities could introduce to the college.
The Board have requested that research is compiled, and a recommendation articulated, to ensure an informed decision is made at board level whether cloud services are a viable option.
The services which should be migrated to Azure’s Cloud Platform and those which must stay in-house will be recommended. The strategy must incorporate supporting education for the following 10 years.
Potential problems of security were a determining influence in deciding to retain and administer core services in-house.
The overall aim is to achieve a level of autonomy and provide a reliable and robust learning environment capable of scaling, but ultimately reduce the costs of vital services.
The subsequent sections of the report will determine;
- What is Azure?
- The associated benefits and risks of hosting services in the cloud.
- Licensing, and the products and services available in Azure,
- Connecting internal infrastructure to the Azure framework.
- An evaluation of previous case studies will be used to make informed recommendations
This information will be of paramount importance in the decision-making process.
Conventionally servers, databases and storage facilities were housed within an organisation, however, a variety of developments in technology have made it possible to consider facilitating in-house resources differently and hosting services in a virtual world called the Cloud.
(S, TechRepublic 2018) explain how in 2010 Microsoft launched its proprietary cloud computing service named Azure. Institutions now had the ability to utilise virtual machines, storage, networking, Active Directory, and SQL Server technologies, with no internal data centre. Azure is a solution capable of handling fluctuating workloads using VMware and Hyper-V technology, across multiple platforms, including Android and iOS mobile.
Now the basic concepts of what Azure is are known, it raises the questions, “how can migrating services to Azure be of benefit to the college? and what are the potential risks involved?” The following section will attempt to answer this conundrum.
Before embarking on a decision to take a project forward, management should be aware that there are benefits and risks involved, and these must be thoroughly explored.
A table has been constructed below to give a brief overview of the potential benefits of migrating to cloud services according to (Marketing 2017), and possible risks associated with this action as described in (Ackermann 2013) and (Association of Colleges 2014).
| Benefits of Migration | Risks of Migration |
|---|---|
| Flexibility – services can be swiftly scaled, reducing response times. | Confidentiality breaches – sensitive data viewed by the provider. |
| Branches in different locations can merge resources, e.g. Microsoft 365. | If the internet connection is lost, students and staff would be unable to access the services they need. |
| Services are accessed easily and can increase productivity. | Data can be manipulated by e.g. man-in-the-middle attacks if data is not encrypted to a satisfactory standard. |
| Collaboration is improved between branches, students and staff. | Performance can be an issue if there is a rapid increase in the overall usage. |
| Staff and students would be able to access college facilities remotely from home. | Accountability issues created by identity theft. |
| Reduces hardware requirements, thus diminishes operational and running costs. | A multi-tenancy cloud is often more circumscribed regarding the use of customised applications. |
| Supports legacy devices: because the link is to the cloud, the internal set-up is rarely accessed. | Creates costs on a monthly or yearly basis; it works on usage costs rather than total ownership costs. |
| There is no need for update servers; software updates are automated by Azure. | Third-party services may be needed and will incur additional costs. |
| Providers use the best technology available, therefore so does the client. | It may be necessary to run internal and cloud services simultaneously until fully functioning. |
| If a failure occurs in a datacentre the workloads are relocated, and the service continues. | The network or internet bandwidth may need to be upgraded to sustain the services being deployed. |
| The reduction in IT staff hours required to perform repetitive tasks enables IT teams to focus on higher priority tasks. | In multi-tenancy clouds with inadequate separation techniques, snooping could take place. |
[illus.1] Created using Word 2016
This list is by no means exhaustive but does provide an informed case ‘for’ and ‘against’ undertaking a transition to the cloud, and the justifiable apprehensions surrounding the technology.
Forearmed with the material of the potential benefits and risks cloud technologies could present to the college structure, the next section aims to identify the types of cloud platforms and services that could be combined with pre-existing network and the licensing necessities of doing so.
(Marshall 2015) ascertained that instead of a fixed, pre-paid cost, Azure enables a client to pay on a subscription basis, only paying for the total users and services being employed. This seems the apt opportunity to introduce and review the mandatory licensing necessities for users and equipment.
An Academic License Agreement, covering operating systems under a Campus License with Microsoft, is already in place; this enables the use of the same identifications to create an Azure account.
License reviews are necessary to ensure full coverage is obtained throughout the project, however, any in-house licenses already owned can be transferred to the new subscription. (Marshall 2015)
As set out by (Microsoft 2018c), an Academic Volume License with a subscription agreement enables the college to remain completely licensed, even if student numbers increase.
The Enrolment for Education Solutions (EES) license in conjunction with The Campus and School Agreement can fulfil the criteria of 4000 users spread over 4 campuses and offers the subsequent benefits according to (Microsoft Open License 2018);
- Software Assurance.
- Price levels are calculated by staff/student numbers.
- Price protection is included on all products and services.
- 1-3-year purchase term, which covers the entire organisation, academic agreements do not expire until enrolment is terminated.
(Microsoft 2018c), states that the student option can be incorporated to this plan to cover access from student-owned devices from home, with online access to Office 365 A1, included at no extra charge when college-wide licenses are obtained for educational platform goods, e.g. purchasing Windows 10 Education E3 or E5 for staff, will provide students with a free license for Windows 10 Education E3 by ordering no-cost licenses.
The Enrolment Agreement also entitles the entire organisation to utilise a free online subscription to Microsoft Imagine, enhancing facilities of the college by offering online access to the latest tools for learning, available in free and premium editions. (Microsoft 2018c)
Licensing can be difficult to keep track of, but with this agreement that is simplified because it is based on a per-user subscription, which is updated annually to Microsoft on a 3-year subscription. After this period another enrolment form needs completion and prices are reassessed. (Microsoft 2018c)
The licensing agreement set out above will help to alleviate a potentially problematic area, affording the team a timely progression to identify cloud deployment types and services that will be procured and are capable of interoperability with existing infrastructure.
Types of Cloud Deployment
It should be noted that Microsoft Azure is not the only cloud service provider available, Amazon Web Services (AWS) or Google Cloud are feasible alternatives, however, the focus will primarily be on Azure Services for report purposes.
Determining the types of cloud platforms that could be suitable for incorporation with the college structure is a practical place to begin.
According to (Microsoft 2018e) three types of cloud deployments are available;
- Public Cloud Services
  - Owned by a variety of providers in control of the management and continued maintenance of infrastructure.
  - Services are accessed using a browser like Microsoft Edge.
  - Azure is one example of a public cloud.
- Private Cloud Services
  - Provides dedicated resources to one organisation over a trusted network connection.
  - Access to services is strictly controlled, with only authorised users gaining admittance.
  - The Regional Broadband Consortium is one example of a private cloud.
- Hybrid Cloud Services
  - The consolidation of public and private cloud environments; data can travel back and forth between the cloud and the organisation.
  - Enables faculties to maintain more critical services on-site, whilst permitting the migration of other services to a cloud provider.
At a glance, a Hybrid model would be suitable for the institution’s requirements, sustaining the core services in-house, while allowing the migration of non-vital services to the cloud.
Now the services that can be delivered by the cloud deployments listed above can be investigated.
(Microsoft 2018e) segments services into three distinct groups;
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
The image below gives a description of each environment.
[illus.2] SaaS, PaaS and IaaS service breakdown (Marketing 2018)
Furthermore, each of these components can be further divided into individual services, tailored to meet college specifications.
For report purposes, only Azure services compatible with the college requirements are included, however, a full-service listing is available at https://azure.microsoft.com/en-us/services/.
Potential Services to Procure
Below, a visual representation of the current college infrastructure has been fashioned, showing a breakdown of internal equipment and the services they provide, consequently, it provides a visual aid useful for determining which services to administer in the cloud.
Moreover, clarification of the services already provided by the college to staff and students will enable a more in-depth look at the specific services the college would look to procure in the event of migration.
Utilising a JANET Network Connection
[illus.3] created using Smart Art in Microsoft Word 2016
To comply with the specifications set by college managers, the services that will be retained in-house are;
- Active Directory (can be kept in-house and integrated with Azure)
- Domain Controllers
By keeping the above services on-premises, even if the Azure service should experience downtime, there is still functionality and communication between institutions utilising the on-site infrastructure.
This leaves the options to consider expanding the in-house AD to incorporate Azure AD, virtual machines to access Windows 10 Education, Microsoft 365, and applications specific to learning (using Blackboard or Moodle) essentially migrating the virtual learning facilities.
Networking as a service in Azure is also something to consider. Updates, backup and data recovery in the cloud require further investigation.
By combining elements of in-house infrastructure with Software-as-a-service and Infrastructure-as-a-service platforms, a hybrid cloud could be developed to administer the following services.
Virtual Networking Services
Available as an Infrastructure-as-a-Service, Azure VNET capabilities would greatly reduce the need for Cisco switches, routers and the cost to maintain them within the campuses.
This service allows a connection to each college branch through a Virtual Private Network (Multi-site VPN) using TCP/IP protocols. The virtualised environment is enabled and controlled through the Azure portal or PowerShell, running on a hardware hypervisor known as Hyper-V. (Marshall 2015)
This permits the creation of a virtual server environment including virtual network interface cards, switches and gateways obtaining public or private IPv4/IPv6 addresses as they would from a physical network, ensuring VNET to VNET communication. DNS in this instance can be stand-alone and utilised by the virtual machines, or DNS Zone Replication to the internal network is the alternative option. (Marshall 2015)
A consideration to note here is that Azure VNETs sit at layer 3 of the OSI Model as opposed to layer 2 in old-style Virtual Local Area Networks (VLANs), therefore they are unlikely to be able to leave the internal network. (Marshall 2015)
(Microsoft Azure, SLA 2017) states 99.95% uptime in their SLA. The illustration below shows the prices for the different virtual private networks available.
[illus.4] VPN Gateway Prices (Microsoft Azure, VPN Pricing 2018)
Azure provides an IT Department with the ability to create, deploy and maintain virtual machines (VM) from Geo-redundant datacentres; this enables resources to be scaled swiftly due to the extra capacity each datacentre contains.
Azure is tasked with maintaining the hardware within the datacentres, including providing redundancy and disaster recovery. The college would be responsible for the management of the operating systems, which can be Microsoft or Linux, and any necessary updating/patching of the software installed. This approach uses high-level hardware without the need to manage or house the servers, thus reducing operational and running costs considerably. (Marshall 2015)
Virtualisation can extend the lifetime of a computer system because the client hardware is not utilised; it is the cloud framework that is responsible for carrying out resource-intensive work, and therefore it will be a long time before the system becomes out-dated. (Ivanov 2013)
(Microsoft Azure 2018), provides a valuable guide on monthly costs, the first illustration below shows the price of virtual machines (VM) per month, with the second illustration showing the price for storage disks, this must be factored into cost considerations as it is charged separately to the virtual machines. However, these costs are likely to reduce under the academic volume license, to which a discount is applied for larger acquisitions.
[illus.5] Virtual machine pricing (Microsoft Azure 2018)
[illus.6] SSD storage drives for virtual machines (Microsoft Azure 2018)
As the images show, a virtual machine with 16GB of memory and 32GB of temporary storage will cost £25.39 per month. If sustaining a hybrid environment for a fixed term of 3 years, this could offer a saving of up to 67%. The solid-state drives to permanently store the user data will cost £62.97 per month for 1TB of storage.
The Service Level Agreement from Microsoft regarding VMs and uptime connectivity is 99.5%.
Azure Active Directory (AAD)
This service enables the internal authentication carried out by Active Directory to be extended, effectively becoming a Directory-as-a-Service with up-to-date capabilities, offering multi-factor authentication methods and Rights Management Services. This service is already integrated with Office 365 for SharePoint and e-mail. One point to note here is that any accounts locked within the internal Active Directory will not be synchronised with Azure Active Directory. (Marshall 2015)
(Microsoft, A. D. 2018) claims that Azure Active Directory provides in-depth security, with identity management capable of facilitating access anywhere, anytime, on any device. It enables an organisation to work together with partner institutions and their users whilst keeping confidential or sensitive data separate. It allows IT staff to automate workflows such as a user password reset, creating a level of efficiency.
From 1st September 2018 Azure’s multifactor authentication service will not be available as a standalone product, however, it will still be integrated to AAD. (Microsoft, A. D. 2018)
Service Level Agreements guarantee the availability of this service at 99.9%. The illustration shows the price per month per user for Azure Active Directory.
[illus.7] Azure Active Directory Pricing. (Microsoft, A. D. 2018)
Office 365 for Education
Office 365 is a subscription-based application stored in the cloud and accessed via an internet connection. It is stored completely off-campus and managed by Microsoft.
(Siobhan Climer, Mind 2018) explains that there are benefits for educational institutions;
- Application data in use is also stored on the cloud, therefore decreasing the need for physical equipment, and reducing operational costs.
- Resources can be accessed from any device, in any location, creating mobility and 24/7 access.
- Reduces the workload on IT departments.
An attractive feature of Office 365 for Education is that it is free to academic institution staff and students. The subscription is active for each user, only whilst they work or study within the colleges. When integrated with a hybrid environment it can enable single sign-on for users. (Siobhan Climer, Mind 2018)
However, (Response IT Services 2018) reports that on 1st October 2018, Office 365 for Education was renamed to the A1 Plan. It will remain free but there are now new alternatives in the form of paid packages named Microsoft 365 A3 and A5.
In the A5 version of Microsoft 365, Windows 10 Education A3 complete with Windows Defender Advanced Threat Protection is included (server and client CALs are also included in the new package).
By enlisting this service, the potential to deploy the learning environment to the cloud will result in reduced need for servers running the virtual learning environment, it can all be accessed from a central location, anytime, anywhere. Beneficially, updates are automatic (unless it is decided to delay deployment of a specific update, only possible with the paid plans). (Siobhan Climer, Mind 2018)
Backup and Recovery Service
Servers, virtual machines and databases are crucial to the effective functioning of the colleges. If a disaster should occur, it is imperative that data is backed up and readily accessible for recovery of lost data. This can be retained internally but backed up to the cloud through a secure encrypted connection.
Azure backup requires storage, of which there are several types;
- Blob Storage
- File Storage
- SQL and non-SQL Databases
- Hybrid Storage (StorSimple).
Hybrid storage is of key interest for report purposes and focus will be given to this area.
(Microsoft Azure, StorSimple 2018) claims that hybrid storage can reduce costs by up to 60%. Network Attached Storage (NAS) is provided to remote institutions as and when needed. This method of storage provides the ability to keep all data locally, which will scale as required. Snapshots are taken at intervals and kept within a data centre, often hundreds of miles away from the college location, but data protection is provided.
Most backups were conventionally archived on a tape rotation system; with Azure, software policies can provide data instantaneously should disaster recovery be necessary. (Microsoft Azure, StorSimple 2018)
The images below provide a visual aid to show how StorSimple works and the price of the subscription.
[illus.8] How StorSimple works (Microsoft Azure, StorSimple 2018)
[illus.9] StorSimple pricing guide (Microsoft Azure, StorSimple 2018)
Now that possible services that could be migrated to the cloud have been identified, the next question is: how does the college connect to the Azure framework to access and manage the services?
The following section will investigate the methods available to provide college access to Azure services.
There are currently four options the college can utilise to connect to the Azure network; (Microsoft Azure 2016) provides a breakdown of all four methods.
Public Network connection
An internet connection is required to access Microsoft 365 and manage virtual appliances such as databases and virtual machines (there are no supplementary bandwidth charges usually associated with utilising the public cloud). If there is adequate IPv4/IPv6 address allocation and port provisioning, there is no need to adapt the existing internal network. However, data is not encrypted and could be open to interception and alteration from man-in-the-middle attacks.
[illus.10] A Public Connection (Microsoft Azure 2016)
Point to Point Connection
The college may choose to access certain services in a slightly more secure manner. (Microsoft Azure 2016) offers a PPP connection which uses a Secure Socket Tunnelling Protocol (SSTP); this is essentially a secure tunnel which traverses the internet to access Azure cloud services through a virtual private network gateway (subscription is required).
Like in the public cloud connection, no alteration of the internal network is necessary if there are adequate IPv4/IPv6 address allocation and port provisions. Data is encrypted in the VPN using IPSec, but akin to the public cloud it is still at risk of interception by a third-party. This type of connection is used to interconnect Virtual Networks and Azure services.
[illus.11] A Point to Point Connection (Microsoft Azure 2016)
Site to Site Connection
This type of connection utilises IPSec and Internet Key Exchange tunnelling protocols to encrypt data. The difference between point to point and site to site VPNs lies in the fact that a VPN gateway is required internally.
This type of connection allows internal devices to communicate with Azure services using the internet connection and offers throughput of up to 200 Mb/s for each gateway. One distinguishing feature is the ability to demand that virtual machine traffic passes through the internal network for examination (using Border Gateway Protocol, BGP). However, any service not able to connect to a virtual network cannot connect to Azure services. Data is open to interception from a third-party in this method also.
[illus.12] A Site to Site Connection (Microsoft Azure 2016)
Private Connection (Dedicated)
A dedicated connection is set up between the internal infrastructure and Microsoft datacentres. In this way it can ensure that no data is passed over the internet but through Microsoft’s ExpressRoute, which extends the existing internal network to the cloud through a secure private channel, capable of providing bandwidth of up to 10 Gb/s per ExpressRoute, with throughput of up to 2 Gb/s per gateway. Almost all services can be accessed directly using network address translation (NAT).
Data in this type of connection does not have to be encrypted; however, the college would have the option to do so. It is recommended here that a firewall is placed between the internal network and the Azure network, ensuring connections made between the networks are limited to only authorised traffic.
[illus.13] A Private Connection. (Microsoft Azure 2016)
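The firewall recommendation above can be checked before any rule set is deployed. The following is an added example, not part of the original report: it models a priority-ordered, first-match rule list with a default deny (the evaluation order Azure network security groups use), audits a loose rule set against a tightened one, and evaluates sample flows. The campus supernet, Azure subnet, admin subnet and rule names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: four campus /16s summarised as one /14, one Azure subnet.
CAMPUS = "10.8.0.0/14"
AZURE_SUBNET = "172.16.1.0/24"
IT_ADMIN = "10.8.5.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # CIDR, or "*" for any
    dest: str       # CIDR, or "*" for any
    port: str       # single port, "lo-hi" range, or "*"
    protocol: str   # "tcp", "udp" or "*"
    allow: bool


def _net_match(pattern, addr):
    return pattern == "*" or ip_address(addr) in ip_network(pattern)


def _port_match(pattern, port):
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src, dst, port, protocol):
    """Return (allowed, rule_name): first match by priority wins, else deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_net_match(rule.source, src) and _net_match(rule.dest, dst)
                and _port_match(rule.port, port)
                and rule.protocol in ("*", protocol)):
            return rule.allow, rule.name
    return False, "default-deny"


def audit(rules, trusted_sources):
    """Flag allow rules that admit more than the authorised campus ranges."""
    trusted = [ip_network(n) for n in trusted_sources]
    findings, seen = [], set()
    for rule in rules:
        if rule.priority in seen:
            findings.append(f"{rule.name}: duplicate priority {rule.priority}")
        seen.add(rule.priority)
        if not rule.allow:
            continue
        if rule.source == "*":
            findings.append(f"{rule.name}: allows any source")
        elif not any(ip_network(rule.source).subnet_of(t) for t in trusted):
            findings.append(f"{rule.name}: source {rule.source} is outside the campus ranges")
        if rule.port == "*":
            findings.append(f"{rule.name}: allows every port")
    return findings


# Loose rule set: reachable from anywhere, and every port open to the campuses.
WEAK_RULES = [
    Rule("allow-https", 100, "*", AZURE_SUBNET, "443", "tcp", True),
    Rule("allow-admin", 110, CAMPUS, AZURE_SUBNET, "*", "*", True),
]

# Tightened rule set: only named services from named ranges, explicit final deny.
HARDENED_RULES = [
    Rule("allow-vle-https", 100, CAMPUS, AZURE_SUBNET, "443", "tcp", True),
    Rule("allow-admin-rdp", 110, IT_ADMIN, AZURE_SUBNET, "3389", "tcp", True),
    Rule("deny-all", 4096, "*", "*", "*", "*", False),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "findings:", audit(rules, [CAMPUS]))
    # Constructed flows: a student PC, an IT admin workstation, an outside host.
    for flow in (("10.9.3.7", "172.16.1.10", 443, "tcp"),
                 ("10.9.3.7", "172.16.1.10", 3389, "tcp"),
                 ("10.8.5.20", "172.16.1.10", 3389, "tcp"),
                 ("203.0.113.9", "172.16.1.10", 443, "tcp")):
        print(flow, "->", evaluate(HARDENED_RULES, *flow))
```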
How can Microsoft achieve all this?
(Microsoft 2018a) has more than 140 data centres in the Americas, Europe, Asia, Middle East and Africa. It is estimated Microsoft has more than 30,000 miles of dark fibre (a combination of switches, cables and repeaters which are unallocated) creating inter-regional links between datacentres.
A pioneering solution to decrease the load on the trans-Atlantic cabling running from England to New York was instigated by Microsoft, Facebook and Telxius. They went on to form the Marea Cable, a fibre cable capable of providing 160 Tbps. (Beers 2017)
Microsoft’s success seems to stem from innovation and it is embarking on a number of projects to strive for advancement. Currently, tape drives are stored in racks within the datacentres, each rack containing 72 tape drives, with 16 redundant and used for growth.
Moreover, Microsoft has put considerable capital into research;
- Project Pelican is underway to provide a massive storage facility utilising 1,100 Hard Disk Drives per rack.
- Project Silica, which can store up to 50 TB of data on a 1-inch piece of glass (Microsoft have just perfected this!)
- Project Palix investigating the possibility of storing data in DNA, which has the potential to outlast tape backups by 2000 years, estimations state one rack could hold as much as 1 zettabyte of data. (Beers 2017)
It is not hard to see why Azure Cloud Technology has advanced so quickly, and Microsoft has become a market leader of the industry. The investment and continual drive to improve services and security combined with the speed new technology is being delivered, could be indicators of the direction organisations will take in the future.
The next section will investigate institutions that have already made the switch to host services in the cloud. Previous case studies will observe the success or failure of each, highlighting any challenges, solutions and lessons that can be taken forth into the future migration projects under consideration.
A study conducted by the (Association of Colleges 2013) provided the details of several college projects that have taken place, in which the virtual learning environments were migrated to the cloud. Portsmouth College was selected, due to the similitude of size and multi-site requirements.
The objective of this project was to enable six, 6th Form Colleges to develop and access Moodle from within a private cloud. It was necessary due to staff shortage levels and a lack of teaching resources available for A Level Physics.
A private cloud was obtained with colleges working in tandem to achieve improvements. During the creation of multi-user systems, a security issue was raised; uploaded material could be accidentally deleted. This meant configurations had to be re-assessed, with each institution receiving full read and write access to their own data, but read-only access to those of the other institutions.
Some staff had noted that there was less access to the VLE systems, security issues were also highlighted in the initial collaboration stage between colleges. However, the implementation was smooth, already experiencing a reduction in the time needed to maintain the cloud VLE environment. (Association of Colleges 2013)
Staff experienced less control of the virtual learning environments after migration to the cloud, and a recurring theme focused on the issue of security regarding collaboration tools and stored data. Whilst these are important, the study was conducted in 2013 and unfortunately, the future outcome of the system was not updated.
However, cloud technologies have been heavily invested in by Microsoft (over $1 billion annually) and the technology has advanced a great deal over the last five years, particularly in the areas of compliance and security. Built-in as standard in Azure are;
- The separation of networks,
- Prevention of unauthorised access and DDoS attacks.
- A microcontroller called Cerberus (a chip that prohibits unlawful access or malevolent updates), which checks the pre-boot, boot-time and run-time firmware and its integrity. (Avi Ben-Menahem, Microsoft Azure 2018)
Many new features have also been added since this study and the list of resources that can now be added to the virtual learning environment is extensive. Microsoft Store for Education offers a variety of applications (most of which are free) that can be incorporated to enhance learning and productivity. (Microsoft 2018d)
In 2014, the CIO for the Department for Education prepared to move organisational services to the cloud. Their current system whilst functioning was utilising older technology and did not permit mobile access, but by migrating to the cloud, it was believed restructuring could take place simultaneously with a relocation of premises. (Cliff 2017)
On June 5, 2018 (Microsoft 2018b), released a publication regarding the uptake of Azure and Surface device services by The Department for Education in the UK, an organisation consisting of 1000-9999 employees, tasked with enabling every student fair access to education and training.
Due to changing location, and the current data centre soon to be renewed, it presented an ideal time for the transition to take place. Major influencing factors for the CIO were that it offered flexibility and swift recovery of data in a disaster. It also had the additional benefit of never having to replace internal infrastructure. However, they wanted to retain in-house services, expected to be completed in an 18-month timeframe. (Cliff 2017)
New premises were obtained, but the lack of IT skills meant that they had to outsource and enlist the help of Microsoft. The internal team and Microsoft worked closely together to ensure specifications were correct. Because a large proportion of the workforce was mobile, Windows 10 virtual machines were decided against; instead six thousand encrypted Surface devices were purchased. (Microsoft 2018b)
DfE took a cloud-based approach. It was a risk, but they claim to be seeing the benefits of the system already. Teamwork has been greatly enhanced with the tools available, e.g. OneDrive or Word.
Staff have reported a change to the way things are done for the better: mobility achieved utilising a Blackberry Enterprise Server connected to Microsoft Exchange, Windows 10 and Office 365 enabled increased workflows and production, with the service becoming portable and flexible. (Microsoft 2018b) and (Cliff 2017).
The Department for Education was in the unique position of relocating premises at the same time as their datacentre was due to be renewed. This presented opportunities which otherwise may not have been possible. Early acceptance and realisation that they did not have the necessary skills to complete the migration in 18 months seem to have been a factor in their success, driving them to enlist the services of Microsoft to counteract any problems they could perceive. As a result, the project, albeit mammoth in capacity, was completed successfully and added real diversity to the way the organisation could work and collaborate.