Cloud Adoption: 4 things to consider – 4 major things to look after before adopting cloud

Attributed to Aditya Anand, VP – Senior practice lead (Cloud Engineering), Infogain  

As organizations move to the cloud as the new norm, there are a few considerations they need to make before embarking on this journey. Cloud adoption is a strategic move by any organization to reduce costs, mitigate risk and achieve scalability, resiliency, and global footprint of their IT Infrastructure & Enterprise Applications. 

Organizations adopting cloud-based technologies must identify potential security risks, mitigating controls, and data recovery options that are required to keep the data and applications in the cloud secure. Hence, the first and foremost step in the process of cloud adoption is compliance assessment.

Compliance Assessment

The following measures are taken for compliance assessment to ensure the security and accountability of data and applications in the cloud services:

  1. Mapping the requirements of the organization with the security capabilities of the cloud service provider
  2. Analysing the security policies of the cloud service provider along with the history of transparency and security-related practices
  3. Proper understanding of the technical aspects of data and traffic flow
  4. Proper understanding and documentation of the roles and responsibilities of the cloud service provider
  5. Understanding of the certifications and compliances that can be leveraged from the cloud service provider

Security

Before moving a workload to the cloud, an organization must ensure it is migrated, deployed, and operated in a secure manner. Security in the cloud is very different from security on-premises. There is a shared responsibility model between the cloud provider and the customer. Depending on the cloud architecture and the services being consumed, the responsibility for securing those elements will differ between the two parties. There are multiple native cloud services that enable organizations to implement a layered security model, from the external/public perimeter all the way to their backend environments, covering data at rest, federated access controls, data leakage, configuration drift, etc.

Customers must ensure that their existing IT teams are prepared to embrace the change in the way the cloud is operated. This will require them to upskill/re-skill to understand cloud services and concepts like IaC (Infrastructure as Code), DevOps, or CI/CD pipelines to manage environments, and to use these principles to ensure the environments are operating securely in the cloud.

In addition, safeguarding sensitive data becomes even more critical when moving to the cloud. One has to establish new policies to allow safe sharing of data internally, externally, and through third-party app integrations, while simultaneously protecting that data. It takes a lot of effort and time to remediate a data breach. It is not just a financial burden but also a reputation risk with future business impact.

Architecting workload in the cloud

The third very important decision is architecting workload in the cloud (Applications, Data/Analytics, IoT, Mobile Apps etc) to ensure the design principles are aligned with the well-architected framework, which has 6 pillars:

  - Performance Excellence
  - Operational Excellence
  - Security
  - Cost Optimization
  - Reliability
  - Resilience/Sustainability

It is very important to pick the right partner on this journey, as there will be a lot of pitfalls a customer might not be aware of or might not consider in this phase. In the industry, many organizations share such experiences from across customers.

During this phase, another decision customers must make consciously is the choice of a cloud provider, weighed from multiple perspectives such as global footprint, services available, and cost to operate, and aligned with their business strategy (expansion, growth, acquisitions etc.). Some customers might decide to go all in on one direction, while some might go with a hybrid approach. Neither one is right or wrong; however, there is extra overhead in managing hybrid (multi-cloud) environments due to the skills required to set up and manage them, the operational structure etc. There is a paradigm shift from how traditional IT operates to a Cloud Operating Model with implementation of a CCoE (Cloud Centre of Excellence).

Thorough due diligence by the legal team

The fourth point is thorough due diligence by the legal team to ensure the organization is meeting all compliance requirements (regulatory/statutory). There might be data privacy, mining, residency, and sovereignty requirements to comply with. The legal team can ensure there are clauses to protect the organization's interest and/or indemnify it for data breaches due to third-party data sharing and/or lack of implementation of security controls in their systems. This also covers signing a BAA (Business Associate Agreement, under HIPAA). They can help with some pricing discussions if there are any volume discounts or partner funding program benefits you can leverage when working with an implementation partner.

In a nutshell, taking an organization to the cloud is not just an IT effort. Infrastructure, Applications, Legal, and Executive sponsorship are all required for anyone to be successful on this journey.

There are other things an organization should also consider while migrating workloads to the cloud; however, we have discussed the top 4 vital factors above.
