Adopting Multi-Cloud Services with Confidence

Kevin Hakanson
September 15, 2020

In transitioning to multi-cloud, IT organizations have the same responsibility to provide quality service and operational security yet have a much greater need to understand how to efficiently govern and manage these disparate cloud services.

In this session, we will examine some key patterns and models taken from a Cloud Adoption Framework through a multi-cloud lens. The presentation will include a mixture of high-level guidance, examples where vocabulary and terminology differ, and opinions on when to utilize cloud-agnostic vs cloud-native technologies for strategic decisions.

Attendees will leave with a better understanding of how to implement a Cloud Adoption Framework across multiple clouds and a higher level of confidence in their multi-cloud adoption plans.

Transcript

  1. Adopting Multi-Cloud Services with Confidence

    The Complete Cloud Summit 2020, September 15, 2020
    Kevin Hakanson, Director of Customer Success & Principal Cloud Solutions Architect
    https://www.linkedin.com/in/kevinhakanson/
  2. Poll: Multi-Cloud

    What is your opinion on multi-cloud?
    1. Multi-Cloud is a good strategic idea
    2. Multi-Cloud is a good tactical idea
    3. Multi-Cloud is a bad idea
    4. I don’t have an opinion on Multi-Cloud
  3. Bad Idea?

    Excerpts from Multi-Cloud is the Worst Practice by @QuinnyPig
    • … the idea of building workloads that can seamlessly run across any cloud provider or your own data centers with equal ease.
    • Load balancers work differently on every cloud platform, so being multi-cloud means you’re running your own with nginx or HAproxy.
    • Companies don’t want to hire generalists who are broad across multiple providers; they bias for specialists who are good on one particular platform.
    • In practice, every “we’re multi-cloud” story I’ve ever seen in the wild means “we’re over 80% on our primary provider, then have a smattering of workloads on others.”
    Source: https://www.lastweekinaws.com/blog/multi-cloud-is-the-worst-practice/
  4. Fact of Doing Business?

    • From Multicloud Scenarios in Azure Documentation
      • Multicloud adoption should be contained to where it is required based on technical needs or specific business requirements. As multicloud adoption grows, so does complexity and security risks.
    • Possible Scenarios
      • Mergers and Acquisitions
      • Targeted Workloads
      • Technology Expertise
      • Cloud Migrations (from on-premises or another provider)
      • …
    Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/guides/complex/multicloud-improvement
  5. Definitions (for this presentation)

    Cloud-Native
    • building applications and using services specific to a cloud platform
    Cloud-Agnostic (or Cloud-Neutral)
    • building applications which can be moved between cloud platforms
    • using services independent of a cloud platform
  6. Building Applications – Infrastructure as Code

    Source Code Repositories
    • Cloud-Native: AWS CodeCommit, Azure DevOps Repos, Google Cloud Source Repositories
    • Cloud-Agnostic: GitHub, GitLab, Bitbucket
    CI/CD Pipelines
    • Cloud-Native: AWS CodePipeline, Azure DevOps Pipelines, Google Cloud Build
    • Cloud-Agnostic: Jenkins, GitHub Actions, CircleCI
    IaC Templates
    • Cloud-Native: AWS CloudFormation, Azure Resource Manager (ARM) Templates, Google Cloud Deployment Manager
    • Cloud-Agnostic: Terraform, Pulumi, serverless framework
  7. Poll: Cloud Adoption

    Who is leading your cloud adoption strategy?
    1. IT is leading our cloud adoption strategy
    2. Business is leading our cloud adoption strategy
    3. IT and Business are co-leading our cloud adoption strategy
    4. We are still determining our cloud adoption strategy
  8. Cloud Adoption Framework

    Provides guidance, tools, and best practices that help organizations align their business and technical strategies in order to accelerate a successful cloud adoption.
  9. AWS Cloud Adoption Framework

    • Organizes guidance into six areas of focus called perspectives
    • Each perspective is made up of capabilities describing “what” a stakeholder owns or manages
    • Each capability provides guidance related to skills and processes
    • Assists in developing action plans and creating work streams
    Source: https://aws.amazon.com/professional-services/CAF/
  10. Google Cloud Architecture Framework

    • Builds a structure on the rubric of People, Process, and Technology
    • Evaluates four themes during the three phases of cloud maturity
      • Tactical
      • Strategic
      • Transformational
    Source: https://cloud.google.com/adoption-framework/
  11. Microsoft Cloud Adoption Framework for Azure

    • Provides best practices, documentation, and tools needed to successfully achieve short-term and long-term objectives.
    • Align strategies for business, culture, and technical change to achieve their desired business outcomes.
    • Full lifecycle framework, supporting customers throughout each phase of adoption by providing methodologies.
    Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/overview
  12. Thoughts

    • Each Framework has a different approach and adds value to the ongoing conversation about multi-cloud adoption
    • A common understanding that alignment between Business and IT is needed for a successful cloud adoption outcome
    • People, and their ability to grow technology skills and change behaviors and processes, are likely your limiting factor
    • Reminder that Security plays a central and ongoing role during cloud adoption, and is compounded by a multi-cloud strategy
  13. Poll: Cloud Center of Excellence (CCoE)

    What have been your experiences with a Cloud Center of Excellence (CCoE)?
    1. I have a positive opinion and experiences with a CCoE
    2. I have mixed opinions and experiences with a CCoE
    3. I have a negative opinion and experiences with a CCoE
    4. I don’t have any substantial experiences with a CCoE
  14. Required Cloud Adoption Functions

    • Cloud strategy: Align technical change to business needs
    • Cloud adoption: Deliver technical solutions
    • Cloud governance: Manage risk
    • Central IT team: Support from existing IT staff
    • Cloud operations: Support and operate adopted solutions
    • Cloud Center of Excellence: Improve quality, speed, and resiliency of adoption
    • Cloud platform: Operate and mature the platform
    • Cloud automation: Accelerate adoption and innovation
    • Cloud security: Manage information security risk
    Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/
  15. Organizational Structure Maturation Stages

    • Accountable for technical solutions, business alignment, project management, and operations for solutions that are adopted
    • Accountable for platform maturity, platform operations, governance, and automation
    Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/organization-structures
  16. Central IT

    Risky Phase of Organizational Maturity
    • Subject matter experts in operations, administration, automation, and security
    • Opportunity to grow and adapt OR Threat to existing model?
    • Force alignment with on-premises approaches?
    Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/organization-structures
  17. Cloud Center of Excellence (CCoE)

    Modern cloud-first operating model
    • Focus on self-service and democratization with centralized governance, security, platform, and automation
    • Mutual agreement to modernize IT processes will be required from business and IT leadership
    • Unlikely to occur organically and often requires executive support
    Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/organization-structures
  18. Poll: Responsibility for Cloud Security

    Who has the most responsibility for cloud security?
    1. The Cloud Provider is the most responsible
    2. The Cloud Customer CCoE is the most responsible
    3. Each Cloud Customer “workload” team is the most responsible
    4. Everyone is equally responsible
  20. A landing zone is a well-architected, multi-account AWS environment that's based on security and compliance best practices. AWS Control Tower automates the setup of a new landing zone using best-practices blueprints for identity, federated access, and account structure.

    Source: https://aws.amazon.com/controltower/features/#Landing_Zone

    Azure landing zones are the output of a multi-subscription Azure environment that accounts for scale, security, governance, networking, and identity. Azure landing zones enable application migrations and greenfield development at an enterprise scale in Azure.

    Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/
    Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/refactor

    • Cloud Provider: Responsibility for Security “of” the Cloud
    • Customer: Responsibility for Security “in” the Cloud
    • Platform: Responsibility for Security “of” the Landing Zone
    • Workload: Responsibility for Security “in” the Landing Zone
  21. Multiple Layers of Governance

    • Corporate IT (Platform): Standards and policies that apply to all cloud workloads including the management hierarchy of cloud accounts across cloud providers.
    • Regional or Business Unit IT: Can apply an additional layer of governance with additive policies and standards.
    • Cloud Adoption Teams (Workloads): Detailed decisions and implementation about applications or workloads within the context of governance requirements.
    Source: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/guides/complex/multiple-layers-of-governance
  22. AWS / GCP / Azure

    • AWS: Organization (Root) > Organization Unit (OU) > Account > Resource
    • GCP: Organization > Folder > Project > Resource
    • Azure: AD Tenant (Root) > Management Group > Subscription > Resource Group > Resource
  23. Thoughts

    Conway’s Law: “Any organization that designs a system (defined broadly) will produce a design whose structure is a copy of the organization's communication structure.” — Melvin E. Conway
    • Your Organization Unit / Folder / Management Group hierarchy doesn’t need to mirror your current organizational structure.
    • What problems does a future re-org or M&A leave you with?
    • Consider a structure organized by workload
  24. Resource Consistency - Tags

    • A tag is a label consisting of a user-defined key and value attached to resources as metadata
    • Tags help you organize your resources and can enable cost allocation, automation, and access control
    • Tags can be IT aligned
      • Workload, application, function, or environment
    • Tags can be Business aligned
      • Accounting, business ownership, or business criticality
  25. Resource Tagging Limits

    • Name: AWS Tag; Azure Tag; GCP Label
    • Per Resource Limit: AWS 50; Azure 50; GCP 64
    • Key Length: AWS 128; Azure 512; GCP 63
    • Case Sensitive Key: AWS yes; Azure no for operations; GCP yes
    • Reserved Key Prefixes: AWS aws:; Azure microsoft, azure, windows
    • Key Restrictions (can vary by service)
      • AWS valid characters: letter, numbers, space, and _ . : / = + - @
      • Azure invalid characters: < > % & \ ? /
      • GCP valid characters: lowercase, numeric, underscore, hyphens; must start with a lowercase letter
    • Value Length: AWS 256; Azure 256; GCP 63
  26. Thoughts

    • Define an organizational tagging standard early
    • Use lower-kebab-case for tag keys
    • Define a prefix strategy for standard (platform) tags vs. project (workload) tags
      • Allows teams to combine organization and project standards without conflicts
    • Use both reactive and proactive approaches for governing tags
      • Leverage cloud-native tooling
    • Understand that cloud providers are not internally consistent
      • Some services still lack tags, don’t support tag-on-create, or have other limitations
  27. Well-Architected Framework

    • AWS (https://aws.amazon.com/architecture/well-architected/): Operational Excellence; Security; Reliability; Performance Efficiency; Cost Optimization
    • Microsoft Azure (https://docs.microsoft.com/en-us/azure/architecture/framework/): Operational Excellence; Security; Reliability; Performance Efficiency; Cost Optimization
    • Google Cloud (https://cloud.google.com/architecture/framework): Operational excellence; Security, privacy and compliance; Reliability; Performance and cost optimization
    Note: AWS added Operational Excellence in Nov 2017, and in May 2020 both Microsoft Azure and Google Cloud updated their architecture frameworks to use similar naming.
  28. Security Pillar

    “The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.”
    • 6 Design Principles
    Source: https://d1.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf

    “Security is one of the most important aspects of any architecture. It provides confidentiality, integrity, and availability assurances against deliberate attacks and abuse of your valuable data and systems.”
    • 14 Design Principles
    Source: https://docs.microsoft.com/en-us/azure/architecture/framework/security/overview

    “This section of the architecture framework discusses how to plan your security controls, approach privacy, and how to work with Google Cloud compliance levels.”
    • 4 Strategies + 7 Best Practices
    Source: https://cloud.google.com/architecture/framework/security-privacy-compliance
  29. Databases

    Categories: Cloud-Native (PaaS), Cloud-native (PaaS), Cloud-Agnostic (protocol), Cloud-Agnostic (IaaS)
    • Amazon DynamoDB, GCP Firestore
    • Amazon RDS for PostgreSQL, Amazon Aurora for PostgreSQL, Azure Database for PostgreSQL, GCP Cloud SQL for PostgreSQL, PostgreSQL
    • Amazon ElastiCache for Redis, Azure Cache for Redis, GCP Memorystore for Redis, Redis Enterprise Cloud, Redis
    • Amazon DocumentDB (with MongoDB compatibility), Azure Cosmos DB’s API for MongoDB, MongoDB Atlas, MongoDB
    • Amazon Keyspaces (for Apache Cassandra), Azure Cosmos DB Cassandra API, Apache Cassandra
    • Amazon Neptune, Azure Cosmos DB Gremlin API, Apache TinkerPop Gremlin
  30. “Load Balancer”

    Cloud Provider, Service Name: OSI Layer; Location
    • AWS Classic Load Balancer: Layer 4 and Layer 7; Regional
    • AWS Application Load Balancer: Layer 7; Regional
    • AWS Network Load Balancer: Layer 4; Regional
    • AWS CloudFront: Layer 7; Global
    • Azure Load Balancer: Layer 4; Regional
    • Azure Application Gateway: Layer 7; Regional
    • Azure Front Door: Layer 7; Global
    • GCP Cloud Load Balancing: Layer 4 and Layer 7; Regional*
    • GCP Cloud CDN: Layer 7; Global
    Thought: Proper Names and URLs are your friend when discussing technology options.
  31. Poll: Most Useful

    What cloud model/framework have you found most useful?
    1. Cloud Adoption Framework
    2. Shared Responsibility Model
    3. Well-Architected Framework
  32. Cloud Adoption ++

    Diagram labels: Business Platform Strategy Plan / Lead Ready Govern Workload Migrate / Innovate Well-Architected Security Shared Responsibility Manage / Operate Learn IT
  33. Closing Thoughts

    • People and skills are your limiting factor, and you need to focus on workloads and business outcomes
    • A CCoE needs to have multi-cloud visibility into the security and governance across all your workloads and their dependencies whether IaaS, PaaS, or SaaS
    • Find an independent, trusted partner (specialty consultant or software vendor) who focuses all their time thinking about multi-cloud
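
The tagging limits on slide 25 and the tagging standard on slide 26 can be enforced with a proactive check before resources are created. The following is an added example, not part of the original deck: the function names and sample tags are made up for illustration, tags are assumed to arrive as a plain dictionary, and reading AWS "letter" as ASCII-only is a simplification.

```python
import re

# Limits as listed on the "Resource Tagging Limits" slide (can vary by service).
LIMITS = {  # provider: (tags per resource, key length, value length)
    "aws": (50, 128, 256), "azure": (50, 512, 256), "gcp": (64, 63, 63)}
RESERVED = {"aws": ("aws:",), "azure": ("microsoft", "azure", "windows"), "gcp": ()}
KEY_OK = {
    # ASCII letters only is a simplification made by this example.
    "aws": re.compile(r"[A-Za-z0-9 _.:/=+\-@]+"),
    "azure": re.compile(r"[^<>%&\\?/]+"),      # anything but the invalid set
    "gcp": re.compile(r"[a-z][a-z0-9_-]*"),    # must start with a lowercase letter
}
KEBAB = re.compile(r"[a-z][a-z0-9]*(-[a-z0-9]+)*")  # lower-kebab-case


def violations(tags, provider):
    """Return the problems a dict of tags would hit on one provider."""
    max_tags, key_len, value_len = LIMITS[provider]
    out, seen = [], set()
    if len(tags) > max_tags:
        out.append(f"{provider}: {len(tags)} tags exceeds limit of {max_tags}")
    for key, value in tags.items():
        if len(key) > key_len:
            out.append(f"{provider}: key {key!r} longer than {key_len}")
        if len(value) > value_len:
            out.append(f"{provider}: value of {key!r} longer than {value_len}")
        if not KEY_OK[provider].fullmatch(key):
            out.append(f"{provider}: key {key!r} has disallowed characters")
        if key.lower().startswith(RESERVED[provider]):
            out.append(f"{provider}: key {key!r} uses a reserved prefix")
        if provider == "azure":  # keys are not case sensitive for operations
            if key.lower() in seen:
                out.append(f"azure: key {key!r} differs from another only by case")
            seen.add(key.lower())
    return out


def portable_violations(tags):
    """Check one tag set against the key standard and all three providers."""
    out = [f"standard: key {k!r} is not lower-kebab-case"
           for k in tags if not KEBAB.fullmatch(k)]
    for provider in LIMITS:
        out += violations(tags, provider)
    return out


# Constructed sample input, not taken from the deck.
SAMPLE = {"cost-center": "cc-1234", "Environment": "prod",
          "aws:owner": "team-a", "app/name": "billing"}

if __name__ == "__main__":
    print("\n".join(portable_violations(SAMPLE)))
```

A key that is valid on one provider can fail on another, which is why the check reports per provider instead of stopping at the first failure.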