Earlier this week I was fortunate enough to speak on a panel at AIM Infotec on the topic of IT transformation. My role on the panel was to comment on the security implications of the cloud. It takes some serious effort (if not charisma) to get people engaged at talks like these. But these days when you start talking more directly about cloud and how larger organizations can best embrace it, you’ll notice people perking up since these issues are finally top-of-mind for most businesses. It’s very clear to me that in the enterprise, the desire for a real transformation is there; they just need the right strategy. The panel discussion confirmed this and, from my perspective, the line of questioning from the audience was a perfect representation of where IT leaders’ heads are at.
So what are the C-Suite and IT leaders thinking right now? Well, one thing is clear: they want to get out of the hardware business. There are many implications to an organization moving away from owning infrastructure. Decision makers are seeing that the value to the business lies in speed-to-market, customer experience, and business agility. All of these things can be achieved without owning any infrastructure and, in fact, owning infrastructure hinders your ability to achieve those goals effectively. The questions we fielded from the audience were informed and relevant, signalling that these are hot issues at their companies.
I thought I’d jot down a few of the really good questions we received from audience members and address each one. What struck me about the questions was how many times I’ve heard these same things asked by customers and prospects just recently. These sorts of topics are top-of-mind in the industry and how they’re addressed in board rooms is going to determine whether those companies can really transform how they use and deliver IT.
Is a DevOps strategy a prerequisite for IT transformation?
DevOps is a loaded term – not unlike ‘cloud’ – which has come to mean so many things that it no longer means anything specifically. In reality, DevOps is a methodology that brings together the ideas of agile software and agile operations to optimize the software development lifecycle. If organizations want to truly move faster and be more competitive, that often means deploying new code faster and more frequently. To make this happen, operations (which includes systems, security, networking, DBA, etc.) and application development need to work together seamlessly as part of a software development pipeline. When these two formerly disparate entities – operations and development – are brought together, the delivery of technology becomes more streamlined, enabling organizations to be more competitive and react faster to business change. That is the essence of IT transformation.
If our corporate data footprint includes data that falls under HIPAA, can we even look at public cloud?
The myth that the cloud is not secure or can’t be used to store compliance-regulated data is strange because it couldn’t be further from the truth. Go take a look at Azure or AWS’s compliance certifications for their facilities and platform and find me the corporate or MSP data centers that are better. I’m sure there are some but not many. For example, GE Healthcare moved all of their core customer solutions (HIPAA compliant) to Azure.
Compliant workloads can absolutely go to the cloud, but like anything else, you need to plan by identifying the sensitive data and making sure you understand how it will be accessed and how it will flow through the architecture. The most important thing is to understand how the shared responsibility model impacts your data. Make sure you’re capturing the right logs since the cloud environment is likely different than your on-premise environment. Also, leverage vendor tools to help secure those workloads and make your life easier.
How does security and management change, if at all, in a cloud environment?
The cloud is a paradigm shift. Where infrastructure used to be permanent with capacity meant to last years, the cloud is ephemeral with servers and resources going up and down while you only pay for what you use. The flexibility and variability of the cloud, combined with the tools and interfaces those platforms expose, present some challenges surrounding security and management that are unique to the cloud model. One thing companies need to do is to not try and lift and shift every process into the cloud but to look at the intent of each process and determine the best way to accomplish it in the cloud. Many times the management process or security procedure will translate to the cloud just fine; in other scenarios you may have to adjust and use a new tool or tweak the process. Yes, management and security practices will likely change in the cloud but you ultimately gain more capability and thus more control as a result.
When looking at cloud providers, how should we approach portability and avoid provider lock-in?
The good news is that virtualization is mature and fairly standardized with most workloads being capable of moving into and out of a provider with relative ease. Both Azure and AWS have VMware connectors and most MSPs are using VMware or Hyper-V, which have supported migration paths between the platforms. By and large, provider lock-in is not much of an issue for IaaS. The place to be careful is PaaS, including access management.
As soon as your application relies on platform APIs for authentication or unique attributes of a database-as-a-service backend, you cannot just move your application without extra work to remove the dependency on those platform-specific components. If you’re going to leverage PaaS, make sure your team clearly understands the application’s dependencies and that you have a known path off of that platform if the situation arises. The key here is to know what you’re getting into and plan for it.