Free: The Cloud Optimization Playbook

THE CLOUD OPTIMIZATION PLAYBOOK

HOW IT LEADERS CAN OVERCOME THE COST, EFFICIENCY, AND SECURITY BARRIERS TO OPTIMAL CLOUD PERFORMANCE

INTRODUCTION

Have we reached peak cloud? New figures would suggest we’re close.

The 2019 RightScale State of the Cloud survey [1], featuring 786 IT leaders from around the world, found that public and private cloud adoption stood at 91% and 72% respectively. And 84% of respondents reported having a multi-cloud strategy. Similarly, IDG reported [2] recently that “nine out of 10 companies will have some part of their applications or infrastructure in the cloud by 2019, and the rest expect to follow by 2021.” With these figures climbing fast, it’s safe to say that every IT leader will be involved with the cloud one way or another. Which leads us to the question: How can we optimize cloud usage?

The answer lies in a closer look at cost, efficiency, and security.

[1] “State of the Cloud 2019”. RightScale. https://www.rightscale.com/lp/state-of-the-cloud
[2] “2018 Cloud Computing Survey”. IDG. https://www.idg.com/tools-for-markeers/2018-cloud-computing-survey/

Three big cloud challenges

As our reliance on the cloud grows, we’re starting to see new challenges beyond implementation and integration.

First, cloud costs are escalating and wasted spend is common. In the rush to shift workloads to the cloud, many organizations have not optimized costs and operations, such as automating the shutdown of unused workloads or moving workloads to lower-cost cloud providers or regions. Victory is often declared at migration. This lack of foresight and governance is now backfiring, and it’s estimated that as much as 35% of all cloud spending could be wasted.

Second, organizations are struggling with efficiency, productivity, and speed-to-market. While early wins brought on by the move to cloud were encouraging, many IT organizations remain unchanged operationally. And changing the mindset and culture has proven to be an uphill battle. For example, DevOps adoption is rising but the number of companies that have fully embraced it remains in the minority. Fewer still have seen significant benefits.

Third, security continues to be an issue. Although most cloud providers now offer a host of built-in security services, people remain the weakest link in most organizations. Symantec recently reported [3] that in 2018 more than 70 million records were stolen or leaked solely from AWS S3 buckets that were poorly configured. Indeed, misconfiguration tops the list of biggest security threats in public clouds, followed by unauthorized access, insecure APIs, and account hijacking [4].

It’s also worth re-examining the suitability of your workloads in the cloud. Are all your workloads there because it is more advantageous? Or was it because the product happened to be a cloud service? Understanding why and how the business uses an application is crucial in optimizing the cloud.

In the following sections, we’ll address the root causes behind each of these areas and share our approach in optimizing each of them.

[3] “2019 Internet Security Threat Report”. Symantec. https://www.symantec.com/security-center/threat-report
[4] “2018 Cloud Security Report.” Cybersecurity Insiders. https://www.cybersecurity-insiders.com/portfolio/2018-cloud-security-report-download/

2020 © WAVESTONE I THE CLOUD OPTIMIZATION PLAYBOOK

ARE YOU LEVERAGING THE FIVE ESSENTIAL CHARACTERISTICS OF CLOUD COMPUTING?

Teams that adopt essential cloud characteristics are 23 times more likely to perform at elite levels than those who do not. [6]

The five essential characteristics of cloud computing, according to the National Institute of Standards and Technology (NIST):

On-demand self-service

Users can provision computing capabilities as needed without requiring human interaction.

[5] “The NIST Definition of Cloud Computing”. National Institute of Standards and Technology. https://csrc.nist.gov/publications/detail/sp/800-145/final
[6] “Accelerate: State of DevOps 2018”. DevOps Research & Assessment. https://devops-research.com/2018/08/announcing-accelerate-state-of-devops-2018/

Broad network access

Capabilities are widely available and can be accessed through various clients such as mobile phones, tablets, and laptops.

Resource pooling

Computing resources are pooled to serve multiple users through a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. The user has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.

Rapid elasticity

Capabilities can be elastically provisioned and released, in some cases automatically, to scale with demand. To the user, the capabilities available appear to be unlimited and can be appropriated in any quantity at any time.

Measured service

Cloud systems automatically control and optimize resource use through a metering capability at a level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the user.

OPTIMIZATION 1: ELIMINATING HIGH COSTS AND WASTE

In our experience, optimizing cloud costs simply boils down to two things: ensuring optimal application placement and implementing control measures through governance.

Optimal application placement mostly comes down to understanding the total cost of ownership (TCO). TCO is not a revolutionary thing, but getting it right can be tricky, especially when there are many hidden factors. The key here is to take a holistic approach to costs that balances value and risk. For example, in comparing the cost of an on-premise solution with a cloud-based one, many organizations overemphasize the cost of hardware and software, while overlooking intangibles, such as labor, quality of service, performance, and flexibility. In fact, labor often makes up the bulk of the cost, and taking it into account drastically changes the equation.

In general, we recommend prioritizing software-as-a-service (SaaS) as much as possible, followed by platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS). PaaS is probably the desired state for most applications as it eliminates the burden of maintaining OSes and other infrastructure. And while many applications will only run on IaaS, which is fine in the short term, organizations should have a plan to shift soon.

With waste, the underlying cause is often poor IT-business alignment. In many companies, business units are initiating cloud projects without IT oversight, which translates to suboptimal contracts, instances, and spending. This is why we’re not advocating a cloud cost management solution as the primary step. Governance simply has to come first.

The cloud governance function should consist of leaders from IT, business, finance, and procurement, each with clear roles and responsibilities in relation to cloud. IT should act as a guide and broker, establishing best practices, tools, and processes to help the business optimize costs while maximizing performance. Business units should be held accountable for their team’s spending and take proactive steps to leverage IT’s guidelines and best practices. And finance and procurement should lead the way in negotiations, budgeting, and vendor management. Chargebacks and showbacks should be instituted to relieve some of the cost pressures on IT.

Ultimately, IT must shed its reputation as a cost center and embrace its new role as a value driver. That means less time keeping the lights on, and more time innovating and driving business results.

THE CLOUD COST OPTIMIZATION CHECKLIST

Does your organization have a cloud cost issue? Answer yes or no to the following statements to find out:

The benefits and purpose of moving to the cloud are clear across the organization

The organization does not have a shadow IT problem

Important decisions in IT are made with data analytics

All stakeholders are identified and have a seat at the table

IT’s financial responsibility is clearly defined and does not overlap with the business

The business complies with IT’s guidelines about spending

There are clearly defined KPIs for projects

Process maturity is a key part of IT operations

If you answered no to any of the questions above, it’s likely that your cloud spend is suboptimal.

OPTIMIZATION 2: BOOSTING EFFICIENCY, PRODUCTIVITY, AND SPEED TO MARKET

The benefits of cloud are generally well understood: greater flexibility, agility, scalability, and, if managed properly, significantly lower costs. But in practice, many organizations have not seen much improvement beyond having an easier way to manage resources.

The reality is that running an application in the cloud is different than running an application on premise. You need new skills, new processes, and a very different approach to work. Simply lifting and shifting an application will not take you very far. Your organizational culture and operation model will have to change.

To optimize efficiency, productivity, and speed in the cloud is to adopt DevOps.

If we look at the core principles of DevOps, it’s obvious why it is the ideal model for the cloud. DevOps emphasizes collaboration, continuous improvement, accountability, transparency, and automation, all of which are enabled by the cloud. The two are synergistic. More importantly, it’s a practice that’s gaining momentum, with a growing community of practitioners and companies offering tools and expertise. In fact, every cloud service provider has a suite of services to enable best practices, such as continuous delivery, microservices, and infrastructure as code.

We recommend starting small. Form a cloud services organization that will lead DevOps adoption as well as any cloud-related initiatives. This group’s responsibilities should include the following:

/ Managing relationships with the business and other organizations
/ Developing, releasing, and operating services
/ Managing virtual environments
/ Overseeing cloud infrastructure, which includes infrastructure architecture, engineering, and deployment; operations management; and integration and automation management

So, what is the best way forward?

The cloud services organization should have dedicated resources, with the option to draw from the existing IT infrastructure services team.

OPTIMIZATION 3: STRENGTHENING SECURITY

If there is one rule to cloud security, it is this: never trust anyone to run security for you.

You may not have direct control of your data, but that does not relieve you of your responsibility and accountability when it comes to its security. This is especially true with SaaS vendors where the perception is that little can be done to improve security. Your challenge, then, is to ensure the right security controls are in place. We recommend the following six steps to start. It is by no means an exhaustive list, but it does cover some of the most common and preventable mistakes that are often overlooked:

1. Evaluate security control requirements

Determine what security controls your IaaS/PaaS program needs and what controls are available to you. What does access look like? Who has permission to access from an admin role perspective? Know where your data is and where it moves.

2. Understand security roles and responsibilities

It is imperative for your organization to understand the security posture that is provided by the cloud vendor “out of the box.” Unless you negotiate for additional control coverage, any gap will need to be covered by your security team. This needs to be performed prior to the commitment of any data to the cloud instance.

3. Check your firewall settings for every instance

Ensure you have the right types of firewall in place and that their settings are right. What ports do you have open or closed? Who has access to change the firewall settings? Make sure you start from zero trust and open up only what is needed for the work to get done.

4. Eliminate insecure or misconfigured APIs

Application programming interfaces (APIs) provide us with quality integration points into our cloud environments. First and foremost, if the API is not needed, disable it. Further, work with your cloud provider to understand what APIs are available for your environment and how they are configured. Ask your cloud provider for a review of the set of APIs that are included with your cloud deployment, including the latest security and vulnerability testing that has been performed on each.

5. Bolster cloud identity and access management (IDAM)

Single factor authentication is too low of a barrier for threat actors. It is time to move to two-factor authentication (2FA) for all your cloud identity and access. At a minimum, your administrative personnel with elevated access to your cloud environment should always employ 2FA. Extend this to your user base, dependent on the workloads and sensitivity of the data in your cloud environment.

6. Monitor data movement East and West, as well as North and South

It is common for data movement monitoring to take place on ingress and egress of an environment (North and South). Key to a cloud environment, due to its inherent shared hardware and software profile, is monitoring data movement across the environment. This has added importance to the tenet of understanding critical data flows, allowing for identifying anomalous behavior.

Approaching providers with an auditor’s mindset is the first step to better cloud security. Know everything about your data: what it is, where it sits, how it moves. Get access to all relevant logs and reports for every application. Take the lead on security by demanding contractual and configuration requirements at the negotiation stage with vendors.

It is your responsibility to verify, audit, and maintain control of a cloud instance at all times.
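Step 3's advice to start from zero trust and open only what is needed can be checked mechanically by comparing every ingress rule with the ports and sources each instance is documented to need. The Python below is an added example, not part of the original playbook; the instance names, the rule fields and the REQUIRED allowlist are constructed assumptions, not any cloud provider's API.

```python
import ipaddress

# Constructed sample data: instance names, rule fields and the allowlist
# format are assumptions for illustration, not any cloud provider's API.
REQUIRED = {  # per instance: (port, widest source CIDR the work needs)
    "web-1": {(443, "0.0.0.0/0")},
    "db-1": {(5432, "10.0.1.0/24")},
}
RULES = [
    {"instance": "web-1", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"instance": "web-1", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"instance": "db-1", "from_port": 5432, "to_port": 5432, "cidr": "10.0.0.0/16"},
    {"instance": "db-1", "from_port": 0, "to_port": 65535, "cidr": "10.0.1.0/24"},
    {"instance": "batch-1", "from_port": 8080, "to_port": 8080, "cidr": "10.0.2.0/24"},
]


def audit(rules, required):
    """Return one finding per ingress rule that opens more than is needed."""
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r["cidr"])
        # Instances with no allowlist entry are treated as default deny.
        allowed = [(p, ipaddress.ip_network(c))
                   for p, c in required.get(r["instance"], ())]
        # A port is justified only if it is on the allowlist AND the rule's
        # source range sits inside the source range documented for it.
        excess = [p for p in range(r["from_port"], r["to_port"] + 1)
                  if not any(p == ap and src.subnet_of(ac) for ap, ac in allowed)]
        if excess:
            findings.append({
                "instance": r["instance"],
                "source": r["cidr"],
                "ports": f'{r["from_port"]}-{r["to_port"]}',
                "excess_ports": len(excess),
                "world_open": src.prefixlen == 0,
            })
    # World-open findings first, then the widest exposure.
    return sorted(findings, key=lambda f: (not f["world_open"], -f["excess_ports"]))


if __name__ == "__main__":
    for f in audit(RULES, REQUIRED):
        tag = "WORLD-OPEN" if f["world_open"] else "over-broad"
        print(f'{tag:10} {f["instance"]:8} ports {f["ports"]:9} '
              f'from {f["source"]:12} ({f["excess_ports"]} unneeded)')
```

The same comparison also answers the step's second question, who changed the settings, if it is run on a schedule and the findings are diffed against the previous run.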

CLOUD MATURITY: WHERE DOES YOUR ORGANIZATION STAND?

Where does your organization stand today in regard to its cloud capabilities and where is it headed? The Open Data Center Alliance’s (ODCA) Cloud Maturity Model 3.0 is a good starting point. We like CMM 3.0 because it’s centered around business objectives and outcomes, not technical capabilities or technologies. Used correctly, it is a comprehensive tool for identifying gaps in your organization and for building a roadmap to an optimized environment.

CMM 0 Legacy
/ Legacy applications on dedicated infrastructure
/ No cloud approach. No cloud elements implemented

CMM 1 Initial, ad hoc
Analysis
/ Analysis of current environment’s cloud readiness
/ Mapping and analysis of cloud potential for existing systems and services
/ There is some awareness of cloud computing, and some groups are beginning to implement cloud computing elements

CMM 2 Repeatable, opportunistic
Capability gains
/ Processes for cloud adoption defined
/ An approach has been decided upon and is applied opportunistically
/ The approach is not widely accepted
/ Redundant or overlapping approaches exist
/ Informally defined or exists as “shelfware”
/ Initial benefits realized from leveraged infrastructure

CMM 3 Defined, systematic
Efficiency gains
/ Tooling and integration for automated cloud usage
/ Affected parties have reviewed and accepted the approach
/ The documented approach is always or nearly always followed

CMM 4 Measured, measurable
Increases in velocity and quality
/ Manual federation
/ Cloud-aware applications are deployed according to business requirements on public, private, and hybrid platforms
/ Governance infrastructure is in place that measures and quantitatively manages cloud capability

CMM 5 Optimized
Proactive
/ Federated, interoperable, and open cloud
/ Capability incrementally improves based on consistently gathered metrics
/ Assets are proactively maintained to ensure relevance and correctness
/ The organization has established the potential to use market mechanisms to leverage inter-cloud operations

Source: Open Data Center Alliance Usage Model—Cloud Maturity Model Rev. 3.0

CONCLUSION

As we’ve seen in this strategy brief, the biggest challenges in optimizing the cloud today are anything but technical. They’re perennial problems in IT such as governance, communication, collaboration, and accountability. It’s worth remembering, then, that the cloud is only a tool, and a means to an end. Not an end in itself. To succeed is to have a clear objective, and a thorough understanding of all the tools and capabilities at your disposal to meet that objective.

MAXIMIZE THE VALUE OF CLOUD

Visit us at wavestone.us or give us a call at (610) 854-2700 to see what we can do for you.

About Wavestone US

Wavestone US provides a peer-to-peer approach to IT optimization and transformation. As the North American arm of Paris-based global management and IT consulting firm Wavestone, it has supported the transformations of more than 200 Fortune 1000 companies across a wide range of industries. Wavestone US is unique in that it offers a practitioner’s perspective on IT strategy, cost optimization, operational improvements, cybersecurity, and business consulting. It is the company’s mission to help clients successfully deliver their most critical transformations and achieve positive outcomes. Driving businesses forward through digital transformation is what we call “The Positive Way”.

www.wavestone.com

In a world where knowing how to drive transformation is the key to success, Wavestone’s mission is to guide large companies and organizations in their most critical transformation projects, with the ambition of a positive outcome for all stakeholders. That’s what we call “The Positive Way”.

Wavestone brings together 3000 employees across 8 countries. It is a leading independent player in the European consulting market. Wavestone is listed on Euronext Paris, and recognized as a Great Place To Work®.
