When you hear “Go Big on Cloud–Faster and in Complete Control”, you might think of those late-night TV infomercials that promise bigger muscles in minutes or perfectly cooked food in a non-stick pan. But it is possible for any enterprise to reach the promised land of cloud adoption quickly and in control, by following industry best practices.
This guide outlines what is required to build out your cloud program by answering the key questions you may have:
- Why are enterprises going big on cloud?
- How can I lead my team through times of change?
- How can I accelerate my cloud program?
- How can I ensure security in my cloud program?
- How can I enable continuous innovation once my team is operating in the cloud?
Why are enterprises going big on cloud?
The “why” of cloud is agility. For some, agility means survival, while for others it means greater prosperity. No one likes living in reaction mode; therefore, going big on cloud should be a mandate. It is about having the courage to chart a new course and owning your destiny.
Moving fast is now the mantra of every business unit and central IT group worldwide. Cloud native applications are enabling small, scrappy teams to compete head to head with established multi-billion dollar enterprises, which often results in the complete disruption of their well-defended markets. Without the burden of legacy people, processes and technology, the born-in-the-cloud team will do more, in less time and for significantly less money.
How can I lead my team through times of change?
When we speak of going big on cloud, we are referring to the adoption of attitudes and actions that enable a business to move faster while controlling risk. Going big is a leadership construct that requires a vision unlike any other. As a leader, you must see what is possible and lead your team to the goal.
Cloud enables much of what is possible — but there are three critical tenets to accomplishing every significant change.
- Lift Team Value: Tools, resources and training must be provided so your team can deliver on the promise of cloud. Without the tools and resources to do the job, the team’s inner emotional core does not feel supported. This is when they fracture and stop acting like a team. As a leader, your top priority is to enable your team by providing them with what they need to get the job done.
- Lead the Way to Mentors: Every team wants to succeed, but when a team is plowing new fields, the rocks in the dirt are hard to see and even harder to navigate. Working in a vacuum, teams can get derailed and make choices that put the project at risk. As a leader, bring in partners, vendors and experts who have done this before and can mentor the team, as an insurance policy against project failure.
- Make It Safe to Try: The team needs protection. Agility is about rapid failure and discovery. A team may iterate on a project 20 or 30 times in a short period before they get version 1.0 right. When using cloud platforms appropriately, the risk and cost of failure is dramatically lowered. However, your leadership mindset must change to enable a culture of trust and to encourage a fail-fast mentality. That means it must be safe to try new avenues, new technologies and new ideas. If the team does not have significant executive trust, agility and innovation will die because the team fears failure.
How can I accelerate my cloud program?
Going fast in the cloud is about teaching your teams to adopt processes and technologies that are not common in today’s enterprise IT universe. You are going from a waterfall process to one that enables iteration on infrastructure code. For many, the approaching storm of cloud computing is anything but quick and easy. The vast array of technology choices and their implications often stop decision makers in their tracks. At that point, the goal of agility is lost in the IT paralysis of “not wanting to make a bad decision.” Here are ten accelerators that cut months from your project, helping you realize value sooner.
The Ten Cloud Accelerators:
- Naming and Tagging: Naming and tagging provide an easy way to assign metadata to AWS and Azure resources. Tags are ubiquitous in the cloud ecosystem of tool vendors. Therefore, having a solid tagging structure from day one is critical. It enables the rapid inclusion of tools without having to sort out how they interact with each other.
- Tool Selection and Strategy: Teams must consider a new array of tools for building a secure and robust cloud environment that meets their needs. Without the knowledge of how these tools interact, handle scaling and autorecover from a failure, you could waste a solid year of time. Your tool strategy must be road tested and include a prescriptive list of tool providers who solve specific functions in a highly agile, highly available manner.
- Patch Management: As with on-premises systems, OS images and tool components must be updated with patches regularly. Your patch management practice should leverage an automated framework that ensures all applications and tools are running on your approved OS images. More importantly, the framework underlying the patching process should be a combination of detection and remediation, as defined by the release standards of your organization. Done right, this results in a platform that both the development and security communities can trust.
- Cloud Account Structure: The major cloud providers offer a variety of services and features that allow for flexible control of cloud computing resources and the account(s) managing those resources. These options are designed to help provide proper cost allocation, agility and security. However, our clients are sometimes unsure of how best to implement an account structure strategy — especially when working with multiple, even hundreds of, accounts.
- IAM Policies and Roles: Identity and Access Management (IAM) policies and roles provide the ability to securely control access to services and resources for users — whether they are groups of individuals, or roles required for tools to perform their jobs. Getting your users and groups sorted out can be tricky business and will block the agility play without a proper methodology for control.
- Encryption and Key Management: The major cloud providers offer a key management system (KMS) as a service, for the seamless, centralized control over keys used to encrypt data on the cloud. KMS gives options for data protection, and features for scalability and availability when implementing key management at enterprise scale.
- Backup / Snapshots Standards: Just as data is backed up in the traditional on-premises world, it has to be backed up for cloud workloads too. A backup / snapshot standard uses proven, highly scalable, highly resilient tools and processes. This avoids time-consuming, costly and risky learning exercises and the use of expensive third-party tools, so objectives are achieved faster with less expense and risk.
- Virtual Networking Best Practices: Built in code, and key to an agile framework, virtual networking is the logical isolation of resources via software-defined networks (SDNs). All three major public cloud providers offer SDNs. Developing, testing and releasing SDN code in the public cloud is often a huge mindshift for IT groups. Rarely have we engaged a team who was ready to build and manage their networking model – especially one so critical to the success of a cloud program.
- Monitoring and Logging: Monitoring and logging in the cloud offers significantly greater visibility into the operation of your environment. Monitoring takes on a whole new meaning when all infrastructure services are accessible via a common API. Monitoring goes from a reactive service to being in a proactive and preventative position.
- Continuous Governance and Continuous Cost Management: The faster you run, the better your control systems have to be. Without continuous protection of your assets against a standard governance framework, the hygiene of the platform drops and costs run out of control. The name of the game is speed of continuous control. That means you need a set of services and practices that are the culmination of industry best practices and are constantly updated, to keep your systems healthy.
How can I ensure security in my cloud program?
With a bit of understanding and planning, there is no reason your data will not be as secure in the public cloud as it is in most on-premise systems. Actually, your public cloud security can surpass your on-premise security. Considering the paranoia around cloud computing and security, most public cloud-based systems have better thought-out security mechanisms than those in traditional data centers.
Here are 5 easy steps to ensure security in your cloud program:
- Understand your true requirements: Many organizations have notions that are not based in reality about legal and compliance issues around the protection of corporate and government data. Things that need to be reviewed in detail include any laws or regulations that require compliance, and what technology is mandated. Moreover, existing internal policies around the protection of data must be identified. These should be written down and approved by leadership, so everything is clear and well understood.
- Consider identity-based security: The best approach to cloud computing security requires that we deal with all assets, including humans, servers, databases, data, processes, services, etc., as identities. These identities can then be managed for access to resources, and as resources themselves. The most successful and useful cloud security systems are able to manage fine-grained identities, to control when and how they interact.
- Create a plan: Many consider security to be one of the things that gets added in the final hours of deployment or migration. The reality is that approaching security in general – and cloud security specifically – requires a master security plan based on the requirements gathered in step one above. Keep in mind, security is systemic in cloud computing. It is a part of every step in the plan.
- Select the right security technology: Many implement security technologies without ever testing them first. POC testing is mandatory. You should go into deployment with no unanswered questions.
- Deploy, test, monitor: Deploy the security solution with the understanding that it is not a separate entity from the core system or the data, but is bound to them. Take a few weeks to try “white hat” penetration testing. This will provide insurance that the solution works, or perhaps it will point out the need for some additional configuration. Finally, understand that monitoring is required over time.
How can I enable continuous innovation once my team is operating in the cloud?
The answer is to go big on DevOps. At CTP, our definition of DevOps is a culture shift or a movement that encourages great communication and collaboration, to foster building better quality software more quickly with more reliability. DevOps is the progression of the software development lifecycle (SDLC) from Waterfall to Agile to Lean. When we perform DevOps maturity assessments with our clients, we assess their maturity across three spectra: People, Process and Technology.
DevOps and People:
Not only do people need to be trained to use the cloud provider’s services, but they also must learn new methods and approaches required to take advantage of the cloud. This includes breaking down department silos to foster greater collaboration between groups that might not have worked together in the past. In the DevOps model, there are many shared responsibilities. Everyone owns security; everyone owns quality — not just the IT people. Specifically, the product owner and the business sponsor also share ownership. When ownership is shared, everyone works toward a common goal.
DevOps and Processes:
One common mistake we see with legacy processes is a lack of analysis of those processes before proceeding with their automation. As a result, enterprises are automating wasteful steps and not realizing the agility benefits they were expecting. If enterprises only implement CI/CD without performing a value stream assessment of the complete system, they will only move bottlenecks from the build process to another part of the system, and never achieve the desired agility. Engineers must think about the system as a whole, instead of just focusing on automating one component. Unfortunately, system thinking can be a foreign topic to a silo-based organization.
Governance is another important process area. The days of holding multiple weekly review boards for architecture, security and governance must be put to bed. These processes and mindsets simply do not work in the era of continuous deployment. In this new age, you must trust in your automation and institute proactive and continuous monitoring to check for ongoing security and compliance. Manual review by humans just does not scale when multiple teams are able to perform push-button deployments.
DevOps and Technology:
Here we finally start focusing on IT automation and the famous CI/CD processes. Running systems in the cloud requires new tooling and methods. Providing visibility into system health and application state is crucial to providing high SLAs in this new world where deployments happen frequently. Much thought needs to go into building a robust security and monitoring framework that feeds into a central logging solution and can be accessed through a single pane of glass.
The build process should perform security and coding standards scans. Testing should be automated and part of the build process. The build process should produce a score for security, programming standards and quality. The build should fail if any one of those scores is not at an acceptable level. The goal of this approach is to not let issues progress downstream, because it is much more expensive and time-consuming to detect problems later in the life cycle.
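The build gate described above, sketched as an added example (not code from the guide or from any specific CI product). The thresholds, severity penalties, report layout and function names are assumptions made for illustration, and the sample reports are constructed; a missing scanner report fails the build instead of counting as a pass.

```python
import sys

# Assumed policy (not from the guide): minimum acceptable score per category.
THRESHOLDS = {"security": 90, "standards": 80, "quality": 85}
# Assumed penalty per finding, subtracted from a starting score of 100.
PENALTY = {"critical": 40, "high": 15, "medium": 5, "low": 1}

# Constructed sample scanner output, embedded so the example runs offline.
SAMPLE_REPORTS = {
    "security": [{"id": "EXAMPLE-1", "severity": "high"},
                 {"id": "EXAMPLE-2", "severity": "medium"}],
    "standards": [{"severity": "low"}, {"severity": "low"}, {"severity": "low"}],
    "quality": {"passed": 188, "total": 200},
}


def score_findings(findings):
    """Score 0-100 from scanner findings; an unknown severity counts as critical."""
    lost = sum(PENALTY.get(f.get("severity"), PENALTY["critical"]) for f in findings)
    return max(0, 100 - lost)


def score_tests(passed, total):
    """Percentage of passing tests; a run with zero tests scores 0."""
    return 0 if total == 0 else (100 * passed) // total


def evaluate(reports):
    """Return (scores, failures); a category with no report fails closed."""
    scorers = {
        "security": score_findings,
        "standards": score_findings,
        "quality": lambda r: score_tests(r["passed"], r["total"]),
    }
    scores, failures = {}, []
    for category, minimum in THRESHOLDS.items():
        report = reports.get(category)
        scores[category] = None if report is None else scorers[category](report)
        if scores[category] is None or scores[category] < minimum:
            failures.append(category)
    return scores, failures


def main(reports=SAMPLE_REPORTS):
    scores, failures = evaluate(reports)
    for category, value in scores.items():
        status = "FAIL" if category in failures else "ok"
        print(f"{category}: {value} (min {THRESHOLDS[category]}) {status}")
    return 1 if failures else 0  # a non-zero exit code fails the CI job


if __name__ == "__main__":
    sys.exit(main())
```
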
Going Big on Cloud in Your Organization
Cloud computing is providing enterprises the capabilities to greatly improve their overall agility as an organization. Embracing the cloud to take advantage of this opportunity calls for a complete transformation of an enterprise’s people, processes and technologies.
Remember to communicate the goals and objectives of the project to your team from the onset; to use proven accelerators to realize value sooner; and to promote a DevOps mindset company-wide.