The Cloud is having an unmistakable and disruptive impact on companies and the way they do business. Company chiefs are confronted with a complex, challenging journey - while in most cases, the train to the cloud has already left the station. Companies that decided to hop on board based on the promise of the cloud are now faced with difficult and sometimes hard-to-implement ‘cloudy’ strategies. A secure and well thought through path to transformation is required when moving to the cloud. In this blog I’d like to highlight the key areas and how they change throughout the journey.
Introduction: The added value of the application and data layers
In the early days large enterprises with well organised IT assets and workflows had an enormous business advantage. Their substantial revenue streams allowed them to invest in complex and highly automated IT environments. Their infrastructure gave them a competitive advantage because it created a strong foundation on which to foster operational excellence.
In a way, you can compare an optimally automated IT infrastructure with a high functioning transport system. A country with a scalable and adaptable infrastructure will by nature allow transport and goods to flow faster and facilitate higher volumes than a country with a poor, ‘laggy’ and cumbersome road infrastructure. To grow, new business facilities need to be built and connections need to be made to get to the desired infrastructure state. It is detrimental to the business if infrastructure adapts too slowly to growing needs, or when wholesale changes are required to the existing infrastructure before a new one can be built. The same goes for IT infrastructures. Businesses that adapt quickly and react swiftly to new business opportunities have a significant advantage over the competition, because services (and products) are delivered more quickly and securely. But getting to such a polished and agile environment is not easy.
IT infrastructures consist of multiple layers, most of which serve as enablers to support other relevant layers. A traditional IT infrastructure consists of networking (routing, switching, firewalls, load balancers), storage (disk, databases), and compute (x86 servers). On top of that we run our workloads, which consist of applications that handle requests, execute tasks, use data and present results. The most important consideration here is the end result - or what is actually presented to the user. Whether the underlying infrastructure is big, small or gigantic is inconsequential to the value it brings, as is the question of whether your infrastructure uses vendor A or B. The key differentiator is the added value of the application and data layers. All lower layers are essentially an overhead. That’s why they should be as agile as possible. And businesses striving for this next step in IT agility are rapidly paving the way to the public cloud.
The advantage of cloud networking is that it brings fewer ‘overhead’ layers and gets the most out of the layers that truly matter. But to benefit from its full potential, applications themselves need to become cloud native. Fully cloud native applications are SaaS (software as a service) applications, consumed via the internet; Gmail, Salesforce, ServiceNow and Office365 are examples.
Cloud native progression has an impact on security too. While SaaS solutions are managed externally and in-house applications are managed internally, the modern agile way of working touches both internal and external cloud endpoints. The safety of this application landscape can only be guaranteed by embedding security natively in the application.
Public cloud enforces the need for a secure transformation. For this, companies need to solve challenges in three key areas:
- Application transformation
- Network transformation
- Security transformation
Applications will transform gradually to cloud native architectures. These will be a mixture of internally and externally managed applications, and their consumers need to be able to use and access them from anywhere, at any time and from any device.
Identity and access management (IAM) will therefore become more important than ever as we evolve towards a mixed application landscape and adopt a shared responsibility model that applies to all cloud solutions.
Consumer capabilities within the application will also be determined by the enforcement of a dynamic business policy: one constructed from key factors such as identity, location (internal/external), device and other key metrics, all of which are managed centrally.
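To make the idea of a centrally managed, dynamic policy concrete, here is an added example (not code from the original post): a small policy decision point that derives a consumer's capabilities in an application from ordered rules over identity, location and device posture. The attribute names (`groups`, `location`, `device_managed`, `mfa`), the rule names and the sample requests are all constructed for this illustration; a real deployment would source them from the identity provider and device management system.

```python
"""Added example, not part of the original post: a tiny policy decision point
that turns identity, location and device posture into application capabilities.
All attribute names, rule names and sample requests are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: FrozenSet[str]   # group claims from the identity provider (assumed attribute)
    location: str            # "internal" or "external" (assumed attribute)
    device_managed: bool     # device enrolled in corporate device management
    mfa: bool                # a second factor was presented for this session
    app: str                 # application being accessed


@dataclass
class Rule:
    name: str
    conditions: Dict[str, object]   # attribute -> required value; "groups" means "must contain all"
    capabilities: FrozenSet[str]    # empty set means deny

    def matches(self, req: AccessRequest) -> bool:
        """Every condition must hold for the rule to apply."""
        for attr, wanted in self.conditions.items():
            actual = getattr(req, attr)
            if attr == "groups":
                if not frozenset(wanted) <= actual:
                    return False
            elif actual != wanted:
                return False
        return True


DENY: FrozenSet[str] = frozenset()

# Rules are evaluated top to bottom and the first match wins, so the explicit
# deny for unmanaged devices sits above every allow rule for the same app.
# Location then decides how much a matching finance user may do.
POLICY: List[Rule] = [
    Rule("deny-finance-unmanaged",
         {"app": "finance", "device_managed": False}, DENY),
    Rule("finance-full-onsite",
         {"app": "finance", "groups": {"finance"}, "location": "internal", "mfa": True},
         frozenset({"read", "write", "approve"})),
    Rule("finance-readonly-remote",
         {"app": "finance", "groups": {"finance"}, "mfa": True},
         frozenset({"read"})),
    Rule("deny-external-without-mfa",
         {"location": "external", "mfa": False}, DENY),
    Rule("intranet-staff",
         {"app": "intranet", "groups": {"staff"}}, frozenset({"read"})),
]


def decide(req: AccessRequest, policy: List[Rule] = POLICY) -> Tuple[FrozenSet[str], str]:
    """Return (capabilities, name of the deciding rule); no match is a default deny."""
    for rule in policy:
        if rule.matches(req):
            return rule.capabilities, rule.name
    return DENY, "default-deny"


if __name__ == "__main__":
    alice = AccessRequest("alice", frozenset({"staff", "finance"}), "external", True, True, "finance")
    caps, rule = decide(alice)
    print(f"{alice.user} on {alice.app}: {sorted(caps) or 'DENIED'} (rule {rule})")
```

The two design points worth copying are the default deny at the end of `decide` and the ordering of the list: because evaluation stops at the first match, explicit deny rules for risky posture (an unmanaged device, an external session without MFA) must precede the allow rules they are meant to override, and the policy as a whole stays in one central list rather than being scattered through the application.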
With the majority of corporate applications moving to the public cloud, the pressure on internet traffic increases. The internet has essentially become the new corporate network. The traditional hub-spoke topology of headquarters, data centre and branch office no longer represents this new cloud application landscape. User experience is boosted when corporate internet applications like Salesforce, Office365 and custom-made applications that run in a public cloud are deployed with the shortest path between the consumer and the application front end.
This is why enterprises will need to apply local internet breakout. If you utilise multiple internet connections, your transport (so to speak) is cheap and offers high availability. By utilising software-defined WAN (SD-WAN), you are in turn able to decouple the WAN underlay from the overlay, and you gain freedom of choice in selecting your service providers.
By centrally managing application and traffic policies, you are in control of which applications need to be routed via specific paths.
In traditional topologies, security is pegged to the network. In a direct-to-cloud model, companies do not control the internet network, so direct network security becomes impossible. To protect application consumers and intercept malicious traffic we need network security as a service (NSaaS), delivered from the cloud. This will manifest itself in different solutions such as proxy profiles, DNS security, traffic tunnels and cloud firewalling. What they all share is the on-demand nature and agility of deployment.
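The three preceding paragraphs (local breakout over several internet links, centrally managed application and traffic policies, and steering the rest into a cloud security service) can be shown together as one branch-side path-selection routine. This is an added example and not code from the original post or from any SD-WAN product: the application list, the internal domain `corp.example`, the link names and the health thresholds are all constructed.

```python
"""Added example, not part of the original post: application-aware path
selection for a branch with two internet links and an SD-WAN overlay.
Known SaaS domains break out locally, internal apps ride the overlay to the
data centre, and unknown destinations are steered into the cloud security
service. Domain lists, link names and health states are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Centrally managed application policy (constructed): domain suffix -> path class.
APP_POLICY: Dict[str, str] = {
    "office365.com": "local-breakout",
    "salesforce.com": "local-breakout",
    "corp.example": "dc-overlay",        # constructed internal domain
}
DEFAULT_PATH = "cloud-security"          # anything unclassified goes via the NSaaS proxy/firewall

# How each path class leaves the branch (constructed names).
NEXT_HOP: Dict[str, str] = {
    "local-breakout": "direct",          # straight out of the chosen internet link
    "dc-overlay": "tunnel-dc",           # overlay tunnel to the data centre
    "cloud-security": "tunnel-nsaas",    # tunnel to the cloud security service
}


@dataclass
class Link:
    name: str
    up: bool
    latency_ms: float
    loss_pct: float


def classify(host: str, policy: Dict[str, str] = APP_POLICY) -> str:
    """Map a destination host name to a path class using exact or dotted-suffix match.

    The "." prefix matters: "notoffice365.com" must not inherit the
    office365.com breakout rule, so plain endswith() is not enough."""
    host = host.lower().rstrip(".")
    for suffix, path in policy.items():
        if host == suffix or host.endswith("." + suffix):
            return path
    return DEFAULT_PATH


def healthy(link: Link, max_latency_ms: float = 150.0, max_loss_pct: float = 2.0) -> bool:
    """A link is usable only if it is up and within the SLA thresholds (constructed values)."""
    return link.up and link.latency_ms <= max_latency_ms and link.loss_pct <= max_loss_pct


def pick_link(links: List[Link]) -> Optional[Link]:
    """Choose the best healthy underlay link: lowest loss first, then lowest latency."""
    candidates = [l for l in links if healthy(l)]
    if not candidates:
        return None
    return min(candidates, key=lambda l: (l.loss_pct, l.latency_ms))


def route(host: str, links: List[Link]) -> Dict[str, Optional[str]]:
    """Combine the application policy with link health into a forwarding decision.

    With no healthy link the decision fails closed ("drop") rather than
    falling back to an unmonitored path."""
    path = classify(host)
    link = pick_link(links)
    return {
        "destination": host,
        "path": path,
        "next_hop": NEXT_HOP[path],
        "link": link.name if link else None,
        "action": "forward" if link else "drop",
    }


if __name__ == "__main__":
    branch_links = [Link("isp-a", True, 20.0, 0.1), Link("isp-b", True, 35.0, 0.0)]
    for dest in ("outlook.office365.com", "intranet.corp.example", "example.org"):
        print(route(dest, branch_links))
```

The classifier is the part most often got wrong in practice: matching on a bare string suffix lets an attacker-registered look-alike domain inherit the trusted breakout path, which is why `classify` requires either an exact match or a dotted suffix. Everything not explicitly trusted lands on the cloud security path by default, and the absence of any healthy link drops traffic instead of silently bypassing inspection.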
Second, security needs to be built around the customer data. Once data moves to the cloud, security needs native integration with the application. Security becomes network agnostic and is built and expanded around the data itself; endpoint sensors that monitor leakage of sensitive data are one example. The cloud access security broker (CASB) becomes the security gateway between customer cloud environments and the entire internet.
The journey to the cloud starts by creating a cloud strategy which should, at the very least, cover the three key areas described in this blog. Of course, it encompasses other areas as well such as workflow and process changes, culture change, and application migration selections - such as repurchase, rehost, refactor, rearchitect, retire and retain.
What is crucially important is to address all three of the areas above within your strategy. This will minimise the risk of nasty surprises along the way and accelerate time to deployment. Considering that the journey to the cloud typically takes two years or more, anything that reduces time to value is a worthy endeavour!