There are no pre-built plans. Architects and designers are the ones tasked with developing the plans. Buildings cannot be built without a set of plans. The perimeter boundaries are surveyed. The site plan is created. The dimensions of the building are laid out. All of this is establishing scope and size for the architect or designer, who must stay within those confines. Anything outside of those boundaries will be unacceptable and labeled as poor design.

Cloud architecture and design operate in much the same way. We must establish a set of boundaries to work within. We must identify what is acceptable and what is not. All of our questionings must lead us toward a clear understanding of what leads to success and what leads to failure. It is just like building a house; if I put in a five-car garage, but I don't have room for a kitchen, that would be a poor design. I did not account for all requirements and, most likely, missed one that was non-negotiable. The same is true for cloud computing. If I'm not considering the correct requirements, my design will fail. So, the question becomes: How do I identify the right requirements?

We must discover the correct requirements through progressive questioning. We must start with questions that help us identify wants and needs. We must identify what is non-negotiable. What is the foundation? What is the base? What are the things that, no matter what changes, those answers are always the same? They will not change based on better pricing or something else suddenly becoming more interesting because of the latest magazine article. The base foundation elements are truly non-negotiable. They are based on what you know at this time and on the current data you have. They outline what needs to happen as a result of your design creating our base layer and non-negotiable foundation. We have now drawn the boundaries of our property before we start laying out the building. We know where our limits are.

Non-negotiable must always include a combination of economic, strategic, and technical elements. All successful designs must have these elements. Therefore, they must also be included in the design foundation. For the foundation to be correct, these non-negotiables must harmonize. A balance must be met within these limits and boundaries for the design to proceed.

Many factors need to be considered when navigating towards a successful design. Successful design requires boundaries. It requires an understanding of where the no lines are. By trying to find where unacceptable meets acceptable, we are then able to focus on what does work rather than chasing something that was never going to work from the start. It is a bit like some are essential and non-negotiable. These things are set, they cannot be changed. For example, geography. Geography is typically non-negotiable. Services get deployed where they are needed. If services are needed in California, they are not likely to be moved to Singapore because the price is a bit more favorable. Non-negotiable can change with every solution and every design scenario. The point is to uncover what is the foundation for the design. Find the things that absolutely cannot change and go from there. The following are some of the more common non-negotiable attributes within design:

• Enterprise size: While the size of an enterprise can positively influence certain factors of design, the enterprise size itself does not dictate design. For example, there is no minimum company size required to utilize the cloud. Enterprise size may affect design factors, such as scale, economics, risk, distribution, service mix, and so on. Each of these factors must be looked at from a strategic, economic, and technical point of view to make. A Microsoft study showed that the vast majority of organizations of all sizes use both Software-as-a-Service (SaaS) and hosted infrastructure services. Both SaaS and hosted infrastructure services are used most by organizations with less than 100 employees. Smaller companies are also more likely to use Platform-as-a-Service (PaaS).

• Relevant industry sectors: Different industries have different requirements, different levels of compliance, and different appetites for risk. Government and education industries lead in the use of SaaS with a Microsoft study showing more than 60% of organizations reporting active use. While information technology is the ubiquitous horizontal layer underlying all industry sector verticals, security requirements strongly influence implementation specifics. This was highlighted by a cloud computing adoption study that documented the difference between regulated and unregulated industries.

Among regulated industries, insurance companies prefer private clouds because they are considered more secure than public clouds. Even though many studies have shown this to be a false assessment, this misconception is shared across many industry sectors. Even so, industry association community clouds have increased in popularity. While the banking industry is also concerned about security, the industry's forced transition from OS/2 to Windows 7 in 2014 drove a rapid adoption of newer and more sophisticated technology. Additional upheavals caused by subsequent transitions to Windows 10 have made cloud computing an attractive option for administrative and back-office processes like email, file sharing, and sharing of notes. While opportunities to use cloud computing in a variety of ways do exist across the government sector, most users misunderstand them. Today's largest opportunity is in using the public cloud, but many in government also fear security problems. Government-wide efforts such as the Federal Risk Authorization and Management Program (FedRAMP), however, have gone a long way toward educating this sector.

Across unregulated industries, the story differs greatly. Cloud implementations in the retail market have been mostly IaaS or PaaS solutions. Security, availability, and vendor maturity are all aspects that retailers consider when deciding which functions to deploy as a cloud service. Media companies have gone all in on utilizing cloud computing. Today, the media audience can access any content through a variety of channels. These new opportunities are why cloud service providers and application developers are exploring a cloud-based ways to enable multi-screen entertainment. Industries are using cloud integrate, automate, and enable innovations in logistics, sales support functions, HR, product development, and lifecycle management, as well as some manufacturing operations.

• Geography—Where am I? Where do I need to be? Cloud computing is composed of physical data centers with five primary considerations influencing where data centers are built:
  • Physical space required to build the data center buildings
  • Availability of high-capacity network connections
  • Inexpensive electricity
  • Applicable jurisdictional law, policies, and regulations
  • The cloud computing export markets are shown in the following figure:

The first three are governed by physical constraints based on environmental variables:

• • Physical geography
  • Weather and natural disaster risks
  • Renewable energy resource availability (such as water, geothermal, or wind) for cooling and power
  • Safety concerns fueled by crime, terrorism, and corporate espionage

After that, proximity to high-capacity internet connections is key, because a data center's value is measured by the number of users it can support. Proximity to the internet backbone, or the main trunks of the network that carry most of its traffic, is another important driver. Data centers consume huge amounts of energy to cool servers. Areas with cheap energy are highly attractive. Considerations associated with jurisdictional laws, policies, and regulations are addressed later.

While US companies lead the cloud computing marketplace globally today, that doesn't guarantee leadership in the future. Some foreign companies, such Germany's SAP or Japan's Fujitsu, have become strong global competitors, while others, like Alibaba in China, have become formidable global competitors.

Public cloud services are rapidly becoming more important strategic factors in business. Public cloud will constitute more than half of worldwide software, server, and storage spending growth, by 2018, according to IDC. An example of this is General Electric, a global company that currently has over 90% percent of its applications in a public cloud. Greater public cloud adoption has also spurred wider SaaS usage, accounting for approximately 55% of all public cloud spending by 2018.

• Legislation and other external regulations that apply: The laws, policies, and regulations of a particular jurisdiction can have a significant impact on the cloud provider and the cloud user. The many law and policy problems that may affect its use by a company include:
  • Security with the assurance that unauthorized access to sensitive data and source code will be guaranteed by the cloud provider
  • Confidentiality and privacy of data held by the CSP with an expectation that the cloud provider, third parties, and governments will not be able to monitor their activities
  • Clear delineation of liability with regards to operational problems
  • Protect of intellectual property
  • Regulation, control, and ownership of data that is created or modified using cloud-based services
  • Fungibility and portability which is described as the ability to easily move or transfer data and resources from one cloud service to another
  • Ability to audit users to verify compliance with regulatory requirements
  • A clear understanding of legal jurisdiction

The manner in which an organization will approach cloud computing policy vary and will be driven by organizational priorities. One of the largest challenges will be associated with user security and privacy. Since many data centers are located in the United States, some of these concerns will be caused by the USA PATRIOT Act, the Homeland Security Act, and other intelligence-gathering instruments employed by the federal government to for release of information. One of the most disturbing aspects of these policies is the restrictions placed on a CSP that prevent notification to a user if the government issues a subpoena for a user's information. Other policy issues that can impact cloud use include Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, Stored Communications Act, federal disclosure laws, federal rules of civil procedures, and e-discovery.

Adopted by the European Commission to strengthen data protection for all European Union citizens, the General Data Protection Regulation (GDPR) was approved in April 2016. With an effective date of May 25, 2018, GDPR compliance is challenging for companies of all sizes. With cloud computing, the problem may be even worse. Studies have shown that only 1 percent of cloud providers have data practices that comply with GDPR regulations. In fact, only 1.2% of cloud providers give users encryption keys that the customer manages and just 2.9% have secure password enforcement that is robust enough to pass GDPR muster. Only 7.2% have proper SAML integration support.