Organizations typically conduct a lot of research on cloud providers and enabling technologies before making the decision to embark on their first cloud project. However, sometimes this extensive research and vendor selection effort gets confused with the actual project planning required for success of that initial cloud project.
After the decision is made to move forward with a cloud initiative, sometimes the urge to get our “stuff” on the cloud quickly is hard to resist. There hasn’t been a time in recent memory with more opportunity for IT, but with great opportunity comes great risk! We’ve all heard the saying that goes something like “automate a bad process and make bad stuff happen more quickly”. Cloud brings a myriad of options for improving how your enterprise utilizes IT and executes its business objectives, but implementing it without sufficient upfront planning can bring serious risk and bring it very quickly.
Some of the biggest gaps I see in cloud project planning occur in the areas of Security, Policy and Governance. These are important considerations everyone should include in the review and planning portion of any project, before moving applications and workloads onto a cloud.
First let me say that I’m not an expert in security, policy or governance. If I have to be classified as an expert, it’s on the ownership and management characteristics of IT infrastructure. So, I’m not going to give you a detailed technical strategy for implementing your security or policy framework. Rather I’m going to focus on the planning and “ownership” point of view, both of which encompass having a clear set of goals and objectives for its implementation, management, and lifecycle.
Security: Planning here should include a well understood set of security requirements and usage characteristics for the project:
Who uses it?
Where and how will data be stored, shared, backed up, etc.?
Who will be supporting it?
What are the individual roles required?
Will it be a private cloud, hybrid cloud, or public cloud?
What are the characteristics of the network?
What experience does your internal network team have with cloud or highly virtualized environments? What are the current skill gaps & where can you get help?
What tools do you already have? Have you compared them against newer products/services on the market that are focused on security in a cloud?
Do your tools allow for automated policy enforcement on new instances?
What type of reporting and auditing will you have?
What about identity management? Is it integrated with your cloud management platform?
What are the partner requirements? Do you have the right partners, with appropriate experience? Should you audit current and proposed service providers? Have you evaluated team skills to identify gaps and training opportunities?
Where and how has security been factored into your business continuity planning? Security, like an earthquake or a hardware failure, can be a threat to your availability. As such, your security strategy should match enterprise objectives for availability.
Governance and Policy: This includes governing how an instance is created, why it’s created, by whom, and under what restrictions it operates.
Governance and approval workflows should be well understood.
Document and enforce regulations/restrictions regarding data availability, storage location, and performance.
Establish a governance lifecycle that includes the creation and enforcement of policies for cloud workloads as they are planned, built, shared, and deployed.
Where will your instances reside, and under what context or situations will they be put there or moved?
What are the performance criteria to determine the right placement of workloads?
Define role-based access to assets and environments.
Ensure that automated approaches to scale, distribution and shutdown encompass enterprise policy controls.
What are the guidelines for allowing scale? How is scale approved?
How are Business Critical priorities mapped against threshold limitations?
Change management strategy.
Roles and ownership
Who’s responsible for the delivery of cloud services?
Who’s responsible for the cloud environment?
Are all the roles well defined?
Many times, the most valuable time spent on a project is the time spent during planning. Moving to cloud is no different. Make your move in a well-planned and controlled fashion so you can more rapidly benefit from new services, while not putting your team or the enterprise at risk.