There are three critical steps to securing a successful cloud deployment.
Peter Williams, Chief Technology Officer, CJC
Solutions that are suitable in all scenarios are rare in technology - and life for that matter. Panaceas are elusive, but the allure of a one-size-fits-all solution is strong. This is, I feel, the key mistake many firms are making when they attempt to ‘move to the cloud’. That statement is in fact part of the problem because, if done correctly, you never actually ‘move’ to the cloud. The term ‘move’ is suggestive of picking up what you have and simply relocating. My fear is that this is exactly how many have approached the cloud. This is why we are now seeing the inevitable stories about companies ‘moving’ away from the cloud after disastrous results, or unexpected outcomes.
Successful cloud deployments are almost always the result of careful planning and good communication between core business and technology. They also require a broad understanding of the systems which are to be moved and the cloud technology landscape as a whole. But deployment is in reality only the beginning. Once in the cloud, the ways in which systems are supported and managed, throughout their life cycle, must also change.
In my opinion, there are three critical steps to getting the most out of cloud and ensuring a greater degree of success. Each step is equally important and builds on the last.
These are my ABCs of cloud:
‘A’ is for Analyse
Understand your workloads. I can’t stress this enough; take some time to fully review and analyse the systems you plan to deploy into the cloud.
Get answers to:
What does it do?
How does it do it?
What does it need to do what it does?
What do the users need from it?
It sounds blindingly obvious but quite often the assumption is that cloud adoption is simply deploying a VM, installing your application in exactly the same way you always did and then expecting it to run better and cheaper. Doing the same thing and expecting different results is not only madness, in this instance it's a recipe for failure.
Do you have a capacity tool? If so, great, use it. If not, get one! Profile your systems to get a baseline of resource consumption. Is your CPU utilisation consistent or does it burst? How much disk space is required? What are your backup requirements? What kind of network traffic does it generate/consume? Answers to these questions and others like them will give you a clear picture of what you need the cloud to deliver, and once you know that, you can analyse the options you have in terms of cloud technology.
Too often I see firms declare they are going with a particular cloud supplier instead of leveraging all the available options. While they offer broadly similar services, each cloud vendor, both public and private, has its own spin on the technology. So if you understand your workload and the cloud landscape, you can make decisions to place your workloads into the right clouds (or leave them on prem in some cases). With the analysis complete you can move confidently to ‘B’.
‘B’ is for Build
Think creation not relocation. This is where the hard work which you and your teams carried out in the analysis phase starts to pay off. You understand your workload, you know the best technology for that workload, be it cloud (public/private/multi) or hybrid so now you get to bring those two things together.
You can now make some decisions about how you deploy your workload. Did your analysis suggest that your workload would be suitable to re-code and deploy as microservices, or serverless? Could you leverage autoscaling, or on-demand?
This is where you get the opportunity to “do cloud right” and where you can revolutionize your delivery, performance, scaling and crucially, cost.
It’s not just your systems that can change and benefit from cloud; your processes and workflows can too. Can you use this as an opportunity to move to a DevOps model? Can you add greater automation and intelligence into how you operate?
With change comes risk so your testing must be thorough and robust to ensure optimum results.
‘C’ is for Control
Let’s assume you have a completely understood, re-architected, fully tested cloud deployment ready for release. In fact, even if your analysis suggests that re-architecture is unsuitable and you are in fact running your old code on a VM, because for whatever reason it’s the best option, this step is still important. While most of these requirements are not new, in legacy platforms they have been applied in various ways and with varying degrees of success. With a well architected cloud deployment it is possible to make them a fundamental part of the system from day 1. This is an area where good tooling can simplify and enhance the whole experience and is where we’re focusing our attention at CJC.
Control is critical and you need to consider it in many areas:
Access and Security
In a heavily regulated industry like financial services, a failure to add sufficient control in this area could have disastrous consequences to operations, system integrity, compliance and governance as well as reputation. Some things you must consider:
Who should have the rights to add, change, remove or simply access your workload?
How do you manage these permissions?
How hardened is your deployment? (If you did “A” and “B” correctly this will have been taken care of.)
Not only must you control the “who”, you must also control the “how”.
Is it an image that gets manually “spun up”, is it container-based with images stored on GitHub, or is it another method?
How do you control versioning?
How do you control testing and release?
What triggers and manages these deployments?
Monitoring and Support
Day to day operation of your workloads should go hand in hand with ongoing support, monitoring and management. Much of this can be solved by automation but for complex systems there is still a requirement for skilled human engineers. How do your workloads report their health and performance? What conditions trigger your automated actions and how are they exposed?
Remember you will no longer be operating in the world of physical servers; instead you’ll be in the realm of VMs, containers, pods and other exotic terms. You need to be able to monitor and control things that do not exist until you need them and then disappear when you don’t. They could also potentially run across multiple clouds and even move between them on the fly.
Audit and Reporting
With all of these controls in place a detailed audit trail is required. For all of your various controls the ability to capture and evidence activity, change, access and consumption is essential.
According to David Mitchell Smith, Vice President and Gartner Fellow, "cloud computing is increasingly becoming a vehicle for next generation digital business, as well as for agile, scalable and elastic solutions. CIOs and other IT leaders need to constantly adapt their strategies to leverage cloud capabilities."
At CJC, we believe that successful cloud deployments are almost always the result of careful planning and good communication between core business and technology, backed up by a broad understanding of the systems involved and the cloud technology landscape as a whole. This is where our expertise and product innovation are focused.