With the advent of the Coronavirus pandemic, many businesses were rushing workloads to the cloud – some for the first time. Public cloud was a lifesaver for IT teams moving quickly to support staff working from home, unprecedented demands for customer service and the imperative for expediting digital initiatives to support the business during the ‘new normal’.
According to recent ADAPT research with Australian CIOs, over 50% say they increased their cloud workloads by over 50% to enable their remote workforce and meet extra demands. The circumstances were extraordinary. IT stepped up to help manage the necessary changes but, in reality, some elements may have been sacrificed to speed – good governance chief among them.
So now you’re in, what steps should you take to reduce risk and avoid a cost blow out?
Step 1: Optimise Governance
Normal governance procedures might have been bypassed in the race to increase capacity. There is a lot of planning required before going into the cloud – whether public or private – to ensure your workloads and data are on a best-fit cloud platform. However, public cloud calls for a special mentality, as there are specific risk and compliance scenarios that need to be considered.
There are widely held perceptions that public cloud vendors take care of governance – but all they actually provide is a platform; the way it’s used and managed is entirely up to the customer. You are responsible for your own subscription topology – or the way you architect your cloud-based IT infrastructure.
Imagine you take a floor in a hotel with ten rooms: one for Finance, one for HR, one for your Retail business unit and so on. Governance calls for rules over what each department can do within each of these virtual rooms, even down to the application and project level. This is especially important for government and for industries with high M&A activity. Governments frequently merge or decouple departments, or outsource functions, while businesses sometimes want to sell off whole divisions. This will entail ‘giving up’ one or more of your rooms to another party. Designing and setting up your subscription topology with flexibility and mobility in mind will determine how easy and clean it will be to manage change later.
Another important aspect of governance is role-based access control. It is highly complex and calls for deep consideration. For example, you may need to set up a sandpit for developers to play in with, say, five toys for 10 hours a day. But you don’t want them to be able to provision additional toys or run them for more than 10 hours a day. Additional toys and time will have cost implications. More on the design of access controls later…
You must also thoughtfully consider network design in terms of performance, cost, and security. You should factor in on-premises connectivity by providing access via site-to-site VPN, ExpressRoute, Direct Connect, or SD-WAN to allow direct branch or user connection to the cloud. Network security groups and firewalls may require reconfiguration.
Capacity bursts of network traffic must be anticipated and provisioned for across relevant links, as well as the transit of data. It’s not well-known, but you can typically put as much data as you like into public cloud at no cost. You are charged, however, for pulling data out – and the costs can be both alarming and unnecessary. Architecting your network appropriately can reduce this risk.
Step 2: Minimise Cost
There can be several cost implications of not having the time or ‘headspace’ to impose governance policies over your public cloud workloads. Tagging all resources on creation enables you to conduct a granular analysis of your cloud usage and costs – then break down and report on trends by department, project, and so forth. It also enables chargeback to different areas of the business.
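The tagging discipline described above only pays off if it is enforced and then reported on. The script below is an added example, not code from the original article or its author: it runs a tag-compliance check and a per-department chargeback over a constructed inventory (the resource ids, the mandatory tag keys and the monthly costs are all invented for illustration), and shows how much spend ends up unattributable when resources were created in a hurry without tags.

```python
"""Tag-compliance and chargeback report over a constructed cloud inventory.

Added example: not code from the original article or its author. Resource
ids, tag keys and monthly costs are constructed for illustration only.
"""
from collections import defaultdict

# Tags every resource must carry at creation time (constructed policy).
MANDATORY_TAGS = ("department", "project", "owner", "environment")

# Constructed inventory, roughly what a provider's resource listing looks like
# after a hurried migration. Costs are monthly, in dollars, and invented.
INVENTORY = [
    {"id": "vm-fin-01", "type": "vm", "monthly_cost": 420.0,
     "tags": {"department": "Finance", "project": "payroll",
              "owner": "jsmith", "environment": "prod"}},
    {"id": "vm-hr-01", "type": "vm", "monthly_cost": 310.0,
     "tags": {"department": "HR", "project": "hris",
              "owner": "alee", "environment": "prod"}},
    {"id": "vm-tmp-07", "type": "vm", "monthly_cost": 980.0,
     "tags": {"owner": "contractor"}},          # missing department/project/environment
    {"id": "st-retail-data", "type": "storage", "monthly_cost": 150.0,
     "tags": {"department": "Retail", "project": "pos",
              "owner": "mwong", "environment": "prod"}},
    {"id": "st-scratch", "type": "storage", "monthly_cost": 75.0,
     "tags": {}},                               # untagged entirely
]


def missing_tags(resource):
    """Return the mandatory tag keys a resource lacks (empty values count as missing)."""
    tags = resource.get("tags", {})
    return [k for k in MANDATORY_TAGS if not tags.get(k)]


def tag_compliance(inventory):
    """Map resource id -> list of missing tags, for non-compliant resources only."""
    report = {}
    for r in inventory:
        missing = missing_tags(r)
        if missing:
            report[r["id"]] = missing
    return report


def chargeback(inventory, key="department"):
    """Sum monthly cost per tag value; spend with no tag lands in 'UNALLOCATED'."""
    totals = defaultdict(float)
    for r in inventory:
        totals[r.get("tags", {}).get(key) or "UNALLOCATED"] += r["monthly_cost"]
    return dict(totals)


def unallocated_share(inventory, key="department"):
    """Fraction of total spend that cannot be charged back to any department."""
    totals = chargeback(inventory, key)
    total = sum(totals.values())
    return totals.get("UNALLOCATED", 0.0) / total if total else 0.0


if __name__ == "__main__":
    for rid, missing in tag_compliance(INVENTORY).items():
        print(f"NON-COMPLIANT {rid}: missing {', '.join(missing)}")
    for dept, cost in sorted(chargeback(INVENTORY).items()):
        print(f"{dept:<12} ${cost:>9.2f}")
    print(f"unallocated share: {unallocated_share(INVENTORY):.0%}")
```

On the constructed inventory more than half of the monthly spend is unallocated, which is exactly the situation a deny-on-missing-tags policy at creation time is meant to prevent; the same `missing_tags` check can sit in a pipeline gate or a periodic audit rather than in an after-the-fact report.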
Careful thought also needs to be put into which workloads and which data go where. Analysis and time must be put into identifying critical applications so they can be prioritised – because not all call for the costliest compute instances.
Compute offers reserved instances and the ability to scale automatically for bursts. Virtual machines can be optimised so that they maintain high availability; if one falls over, another jumps in with limited downtime. Standard compute is less costly and fine for many applications. You still have the ability to set scale for expected bursts without provisioning (or paying for) that capacity all of the time – for example, mid-month when HR is processing payroll, and end of quarter for Finance systems.
Public cloud storage typically comes in three or more categories. The Rolls Royce of storage is high-speed, highly available and, naturally, more expensive, because it delivers the highest IOPS and offers the highest levels of redundancy. At the lower end, Corolla-grade archival storage is slower but cheaper.
So, to optimise savings from using public cloud, it is very important to rate and prioritise each application, classifying workloads and data, in order to determine the performance you actually need.
Step 3: Maximise Security
Many have the perception that public cloud providers will look after your security, but that is a myth. Certainly, their data centres are physically secured to government standards, but online access to your own systems and data is entirely your responsibility.
Data sovereignty is a critical consideration because Australian legislation requires that some or all data may only be stored onshore. Your workloads may have been provisioned in an Australian data centre at your request, but you may also need to ensure that your instance backups are not stored at the public cloud provider’s facilities in Singapore or the US – or anywhere else. (Both countries claim sovereignty over data held within their borders.)
I talked about the importance of carefully crafting role-based access under governance, and it has security implications too. You would never allow ‘everyone’s an Admin’ within your enterprise admin group in Active Directory – but it’s amazing how many do in public cloud! Managing cloud resources requires experience, so workshop beforehand and allocate access with care.
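Two of the access-control points above, the ‘everyone’s an Admin’ anti-pattern and the developer sandpit with five toys for ten hours a day (Step 1), can both be turned into checks that run against exported role assignments and resource state. The script below is an added example, not code from the original article or its author; the role names, scope paths, principals and sandbox figures are constructed to resemble a generic public cloud and are not taken from any particular provider's API.

```python
"""Least-privilege review of role assignments plus a developer-sandbox quota
check. Added example, not the article's or its author's code; role names,
scopes, principals and sandbox state are constructed for illustration.
"""

# Roles that grant full control. Holding one of these at subscription scope
# is the 'everyone's an Admin' situation the article warns about. (Constructed.)
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# The only accounts permitted to hold a privileged role at subscription scope:
# a small, monitored break-glass set. (Constructed.)
BREAK_GLASS = {"breakglass-01@example.invalid"}

# Constructed role assignments: (principal, principal_type, role, scope).
ASSIGNMENTS = [
    ("breakglass-01@example.invalid", "user",  "Owner",       "/subscriptions/sub-1"),
    ("all-staff",                     "group", "Owner",       "/subscriptions/sub-1"),  # everyone's an Admin
    ("dev-team",                      "group", "Contributor", "/subscriptions/sub-1/resourceGroups/rg-sandbox"),
    ("jsmith@example.invalid",        "user",  "Reader",      "/subscriptions/sub-1"),
    ("ci-deployer",                   "sp",    "Contributor", "/subscriptions/sub-1"),  # service principal, far too broad
]


def scope_depth(scope):
    """0 for a subscription, 1 for a resource group, 2 or more for a single resource."""
    parts = [p for p in scope.split("/") if p]
    return (len(parts) - 2) // 2


def audit_assignments(assignments):
    """Return (principal, finding) pairs for assignments that violate least privilege.

    Rule: a privileged role at subscription scope is allowed only for a
    break-glass user; groups and service principals never qualify.
    """
    findings = []
    for principal, ptype, role, scope in assignments:
        if role not in PRIVILEGED_ROLES or scope_depth(scope) != 0:
            continue  # scoped-down or read-only assignments are fine here
        if ptype == "group":
            findings.append((principal, f"group holds {role} at subscription scope"))
        elif principal not in BREAK_GLASS:
            findings.append((principal, f"{role} at subscription scope outside the break-glass set"))
    return findings


# Sandbox policy from the article's example: five 'toys' (VMs), ten hours a day.
SANDBOX_MAX_VMS = 5
SANDBOX_MAX_HOURS_PER_DAY = 10

# Constructed sandbox state: VM id -> hours it has run so far today.
SANDBOX_VMS = {
    "dev-vm-1": 4.0, "dev-vm-2": 9.5, "dev-vm-3": 11.0,
    "dev-vm-4": 2.0, "dev-vm-5": 0.5, "dev-vm-6": 1.0,
}


def sandbox_violations(vms, max_vms=SANDBOX_MAX_VMS, max_hours=SANDBOX_MAX_HOURS_PER_DAY):
    """Flag a sandbox that exceeds its VM count, and any VM that ran past its daily hours."""
    findings = []
    if len(vms) > max_vms:
        findings.append(f"{len(vms)} VMs provisioned, limit is {max_vms}")
    for vm, hours in sorted(vms.items()):
        if hours > max_hours:
            findings.append(f"{vm} ran {hours:g}h today, limit is {max_hours}h")
    return findings


if __name__ == "__main__":
    for principal, finding in audit_assignments(ASSIGNMENTS):
        print(f"RBAC: {principal}: {finding}")
    for finding in sandbox_violations(SANDBOX_VMS):
        print(f"SANDBOX: {finding}")
```

The RBAC rule deliberately treats a group or service principal holding Owner or Contributor at the subscription root as a finding regardless of who is in it, because the membership of a broad group such as ‘all-staff’ changes without any change to the role assignment itself; the sandbox check is the reporting half of the quota, with the enforcing half being a policy that denies the sixth VM and a schedule that deallocates after the tenth hour.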
Finally, there’s the matter of industry alignment. Is your organisation subject to compliance with APRA, HIPAA, ISO, ASD Essential 8, or any other security standards or regulations? Remember that public cloud data centres in Australia may well be compliant with all of the above – but securing what’s in them is entirely up to the user!
Time to take a step back?
Challenges around governance, cost and security have always existed – especially in regards to public cloud – but the pace of execution required by COVID-19 may have exacerbated them.
If yours is one of the organisations which have escalated their uptake of cloud to cope with the ‘new normal’, you might well need to review some of the decisions necessarily made in haste. However, as we continue to deal with ongoing change, will you have the time, resources, and expertise?
Having managed Australia’s largest private cloud for over a decade – and with extensive experience of public cloud environments – our multi-cloud experts are well placed to quickly help you optimise your cloud governance, spend, security and compliance.