As enterprises embark on their cloud journey, it is critical to look at important elements of a public cloud adoption journey.
A key part of any strategy is deciding what not to do. The first question that enterprises need to answer is whether a wholesale migration to a public cloud environment is part of their cloud strategy. If the answer is no, by definition, their strategy is going to involve hybrid cloud (i.e. splitting workloads across on-premise and public cloud environments). If enterprises are also planning to leverage multiple cloud provider environments (i.e. AWS, GCP, Azure) for running different workloads that benefit from the unique capabilities of the major cloud providers, their strategy now includes multi-cloud. A key thing to note is that hybrid cloud is a necessity while multi-cloud is a choice. Their strategy also needs to account for how they are going to govern their cloud adoption of the infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) service models of cloud.
Cloud requires a change in mindset, toolset and skillset. As a result, any cloud-based transformation needs to include a role-centric (for example application developer, data scientist/data engineer, infrastructure engineer, security engineer, architect) training/upskilling & continuous learning program.
In IaaS/PaaS, public cloud operates with the shared responsibility model. In this model, the cloud providers are responsible for the security of the cloud while customers are responsible for security in the cloud. To address security in the cloud, enterprises need to build preventive, detective and corrective controls to mitigate confidentiality, integrity and availability risks. Cloud security needs to address the identity & access management, application, infrastructure, data security, detective controls and security incident response functional areas.
As enterprises embark on modernization journeys, cloud gives them a pathway towards modernization: it enables the build-out of new cloud-native applications, such as function-as-a-service/serverless applications, as well as the modernization of legacy applications by leveraging innovative and fully managed cloud platform capabilities.
Certain applications (i.e. bursty, cyclic and part-time) benefit from the elasticity of a cloud environment. A key part of the cloud application strategy involves doing an application portfolio rationalization: deciding which existing applications are a good fit for replacement through a SaaS purchase, which custom monolithic applications should be refactored into capability-oriented micro-services/APIs, which applications need to be retired, and which applications should not be considered for a move into a public cloud environment. In addition, in order to innovate, enterprises need to be able to do many experiments and fail fast. Public cloud as an experimentation platform reduces the cost of each experiment.
Systems of insight (i.e. data warehouse, business intelligence reporting, ad hoc analysis and reporting, predictive analytics using machine learning and enterprise data lakes) are good fit-for-purpose cloud workloads. A key part of any enterprise cloud data strategy should also account for data management (hybrid cloud data movement, cataloging/metadata management, retention, governance and sensitive data management) and data protection controls (identity & access management, backup, encryption, tokenization and data loss prevention). On the operational data store side, different data integration/migration patterns as well as eventually consistent application patterns (when applicable) will need to be devised to address data gravity challenges.
One of the major benefits of public cloud is the ability to provision infrastructure programmatically, which reduces the time to value and increases the speed & agility of any enterprise IT organization. In addition to provisioning cloud infrastructure programmatically through infrastructure as code tools like Terraform and CloudFormation, it is also imperative to automate security (for example IAM role provisioning, firewall rule creation/updates, cloud account creation, encryption key generation, security code scanning) and application delivery pipelines. The automation of infrastructure, security and application delivery through DevSecOps tools, practices and operating models should be treated as a key enabler & accelerator of the enterprise cloud adoption journey.
Public cloud enables enterprises to have a cost-effective and better high availability & disaster recovery posture. As part of the cloud adoption journey, enterprises need to incorporate proper change & release management, incident response, high availability and disaster recovery designs at the infrastructure, data and application levels based on the service level objective (SLO) requirements of a given workload.
Governance, Risk and Compliance
Public cloud brings agility, speed, cost and elasticity benefits for the right set of workloads. However, enterprises (especially the ones that operate in a regulated industry) need to account for compliance risks as well as handle different aspects of cloud governance (including third party management, data, security, privacy, availability/business continuity and architecture). To be compliant, regulated enterprises need to do a control objective mapping exercise against different standard frameworks like COBIT, NIST, PCI and CCM as well as regulations like HIPAA, FFIEC, GLBA, CCPA and GDPR that are applicable to their industry, and implement the appropriate controls to mitigate operational and compliance risks.
The pay-by-the-drink model, or continuous consumption-based billing, of public cloud brings new risks. FinOps is a new approach to cloud cost management that combines technical capability with changes to the financial management culture & operating model. A cloud cost management strategy needs to include tagging of all resources, identification of untagged resources, detailed cost visibility, forecasting, budgeting, tracking, allocation, reporting & anomaly detection as well as right sizing & optimization.