Eric Ullmann, Director of Enterprise Architecture
At some point, most organizations realize that they are not in the business of IT. In order to return focus to their core business, be it airplanes or higher education or healthcare, the efficiencies and benefits of the public cloud make a ton of sense. But that doesn’t mean the C-suite always knows where to start. Here are a couple of questions to ask when moving to the cloud, or upgrading your AWS/Azure/GCP program.
Migration: How will you use the cloud?
In the cloud, everything becomes infrastructure as code. This can become challenging for organizations and requires a mindset change. Many organizations will take a lift and shift approach but this does not allow the organization to take full advantage of efficiencies that can be realized from the public cloud. In addition, security is now implied in everything we do. In order to remain secure in a cloud operating model, security teams must inject security controls into the CI/CD pipeline. Traditional approaches are no longer effective and applications need to be de-coupled to work effectively in a cloud model.
What does that mean? It means fully taking advantage of a cloud that offers elasticity and scalability for every use-case. Applications should be redesigned dynamically to be able to function differently, work differently, and react differently to everything that happens, and present it differently to the end user.
The problem with this whole scenario is that every org sees the value-add of going to a public cloud or a hybrid (which is really a mixture of your private environment and your public cloud), but often doesn’t understand the available resources, which at best limits their potential and at worst becomes a huge security liability. Every org sees the advantage of the cost savings, the faster go-to-market strategies, etc., but needs to be careful how it formulates and executes its cloud strategy. (Example: GCP’s cloud technology itself is not new; it’s everything that Google used to build Search a decade ago, but now they’ve open-sourced it and given it to the community. Taking advantage of that intel offers huge potential!)
All of these tools are available, but how do we use them? And then how does security come into play?
Fishtech’s cloud enablement services might mean strategizing a full-blown migration — moving an org’s primary data center to a cloud approach. And using an advisory approach, we ask questions like:
- How are we going to get there? We have to get an understanding of what it’s going to look like from a security perspective.
- What controls need to be put in place?
- What does the migration strategy look like from an operational standpoint? While we don’t normally have our hands on the keyboard for this, we can if necessary.
Enablement: How do we mature a cloud program?
What happens when our client is already in the cloud? If an org has its primary data center and is already using resources in AWS or Azure, then we explore readiness or enablement. We say, “Hey, let’s evaluate and figure out where you are and how you can take better advantage of security automation, infrastructure as code, and other cloud benefits. Perhaps you are already doing well in these areas, but let us show you more.” Our advisors look at the entire infrastructure in real time and figure out how it’s being used, then develop a strategy to mature it.
Strategy: What are your ultimate business objectives?
Fishtech will look at governance, not merely in the traditional sense of compliance, but rather how do we actually govern inside that environment. We want to govern that environment so we can allow automation to occur without hindering any process.
We believe a core component of DevSecOps is that security is everyone’s responsibility. That means a security engineer no longer has to have their hands on the keyboard. A developer can actually do the same thing! Because of this new governance strategy, the security team will now have the process in place to build the framework, or guardrails, to enable the environment without hindering it.
During the build process, we test at run time. The developer builds an application and it goes through a testing period where we can ask — is X (scenario or result) happening? DevSecOps takes the same approach and throws security in there. We can automate the application security program, and if it fails, we have the processes in place to shoot it back. Everything is logged, so the developer gets notified, is able to fix the problem, and it then goes out again. This process never stops; we just integrate everything into the process. This is the ultimate objective – to be able to continually iterate with security in mind every step of the way.
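As an added illustration of the guardrail-in-the-pipeline idea described above (example code, not Fishtech’s own tooling), here is a minimal infrastructure-as-code gate: it reads a constructed, simplified plan document, flags two common misconfigurations, logs each finding for the developer, and returns a pass/fail result the CI job can act on. The plan format and rule names are assumptions for this example.

```python
"""Minimal CI security gate for infrastructure-as-code (added example).
Assumes a simplified, constructed plan format: a list of resources with values."""
import json
import logging
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("iac-gate")

# Constructed sample plan (not from any real environment): one security group
# exposing SSH to the world, one public bucket, one private bucket.
SAMPLE_PLAN = json.dumps({"resources": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"acl": "public-read"}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket", "values": {"acl": "private"}},
]})

@dataclass
class Finding:
    resource: str
    rule: str
    severity: str

def check_resource(res):
    """Apply the guardrail rules to one resource and return its findings."""
    findings, v = [], res.get("values", {})
    if res["type"] == "aws_security_group":
        for rule in v.get("ingress", []):
            world = "0.0.0.0/0" in rule.get("cidr_blocks", [])
            if world and rule.get("from_port", 0) <= 22 <= rule.get("to_port", 65535):
                findings.append(Finding(res["address"], "ssh-open-to-world", "HIGH"))
    if res["type"] == "aws_s3_bucket" and v.get("acl", "private").startswith("public"):
        findings.append(Finding(res["address"], "bucket-public-acl", "HIGH"))
    return findings

def run_gate(plan_json, block_on=frozenset({"HIGH"})):
    """Return (passed, findings). Every finding is logged so the developer gets it back."""
    plan = json.loads(plan_json)
    findings = [f for r in plan["resources"] for f in check_resource(r)]
    for f in findings:
        log.warning("%s %s on %s", f.severity, f.rule, f.resource)
    passed = not any(f.severity in block_on for f in findings)
    log.info("gate %s with %d finding(s)", "PASSED" if passed else "FAILED", len(findings))
    return passed, findings

if __name__ == "__main__":
    ok, _ = run_gate(SAMPLE_PLAN)
    raise SystemExit(0 if ok else 1)  # non-zero exit is what stops the pipeline
```

In a real pipeline the plan would come from the IaC tool’s own output and the rule set would be far larger, but the shape is the same: findings are logged, the build fails, and the developer iterates.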
Next Steps: Where to Start
In summary, for organizations that want to move all their data, or just an application or service, to the cloud, understanding your business objectives will help you formulate a strategy for how you will use the cloud.
The idea of “lift and shift” is becoming less popular, where companies say, “I want to just get up there first. I might just do DR (disaster recovery) up there to learn the environment, and then I move everything over later.” Lift and shift is a common approach and a lot of companies do it. Cloud companies love it because there’s a lot of money heading their way, but in reality it’s never effective.
Why? Because orgs often fail over but do not fail back correctly, and then have to redo everything all over again.
Every organization is different, with different objectives, goals, and outcomes desired.
It’s worthwhile to consider having a trusted cloud security expert assess your current state and draw up a plan to move to the cloud or upgrade your existing infrastructure while getting rid of excess, saving money, and optimizing business objectives.