Cloud is a double-edged sword for organisations in regulated industries. If it’s not handled carefully, it can introduce security and governance risks, especially during large-scale adoption. On the other hand, it offers immense benefits in the form of agility, cost effectiveness and quicker time to market. Taking too long to fully embrace cloud has its own consequences, such as allowing rivals who get there first to gain competitive advantage.
Here, we look at how and why risks occur during large-scale cloud adoption, then consider practical ways to avoid them.
This post draws on insights from our partner Sourced’s whitepaper ‘Building the core foundations for cloud at scale’. It also aligns with our whitepaper ‘Supercharge your cloud migration with DevOps’. Both are free to download and well worth a read if you’re developing or fine-tuning a cloud adoption strategy.
Understand the risks of cloud
Cloud adoption is not just about introducing new technology. It also requires new ways of thinking and working which employees may be unfamiliar with. Not all organisations understand or make allowances for this. Yet it’s this transformative aspect of cloud that brings the greatest benefits and – potentially – the greatest risks.
When workloads are based in the cloud, all the resources needed to develop, test and launch new applications become readily available. This is a great enabler of innovation. But it is also a major risk factor for highly regulated industries such as financial services and healthcare. Different parts of the organisation can spin up new environments quickly and independently. Unless this is managed centrally, they may inadvertently bypass important operational controls and processes that underpin security and compliance.
An ad hoc approach to early cloud adoption can also lead to problems later. It often results in technology islands which lack consistency and interoperability. During large-scale adoption, applications previously perceived as trailblazers can quickly become a hindrance. If they’re not aligned with strategic goals, they may need to be redesigned to adhere to wider standards. At best, they become complex pockets of technical debt which must be resolved before wider adoption of cloud can begin in earnest. At worst, they become a serious security liability.
One of the most significant potential issues when cloud adoption isn’t properly governed relates to unsecured data. Take containers, a key cloud-based technology which allows new instances to be spawned at speed. If they are not managed in line with a centralised security protocol, sensitive company or customer data may become vulnerable. This puts the organisation at risk of non-compliance and severe reputational damage if data is leaked or exploited.
Establish a best practice framework
To avoid or rectify the above issues, we advocate a phased cloud adoption, especially when migrating existing applications or workloads. You don’t have to plan the finer details upfront. However, the journey does need to be managed strategically and prudently from the outset. This is particularly true in regulated industries.
Taking a holistic view and building solid foundations for large-scale cloud adoption helps avoid costly mistakes and ensures benefits are realised sooner. Core capabilities need to be implemented with security, governance and compliance in mind.
It’s about putting the fundamentals in place as early as possible, so the environment has the elasticity to scale out and the flexible capacity to scale up in line with needs. Guardrails have an important role to play here. They provide assurance and ensure consistency across critical areas while allowing teams freedom and autonomy to innovate in the cloud.
Introducing DevOps practices is another important factor. A cloud-native, everything-as-code approach eliminates human error and enables new infrastructures to be deployed securely as well as quickly. Every application is built on the same reusable foundation with robust security baked in. When all aspects of the cloud are deployed using automated, pre-defined templates, many of the above-mentioned risks are eradicated. Taking the opportunity to modernise workloads during or immediately after migration also ensures benefits like agility and cost-efficiency are leveraged.
Decide where to start and how to continue
Building secure foundations is all well and good, but how do you decide what to migrate to the cloud first? The answer depends on various factors and won’t be the same for every organisation. Care must be taken to ensure initial migrations can be executed seamlessly and deliver positive outcomes quickly. The first steps set the tone for cloud adoption at scale; successful outcomes aid buy-in, igniting the change journey.
The ideal candidates for early migration will have relatively low technical complexity, but still generate learnings surrounding security, compliance and technology. For instance, a workload may be experiencing issues surrounding scale, cost or agility that are easily rectified with cloud-native technologies. The workload should also have a direct impact on customer experience, so the business value of migrating is clearly exemplified.
As the journey proceeds, establishing a Cloud Centre of Excellence (CCoE) can be hugely beneficial. The individuals making up this function will vary between organisations, but they should share a hunger for high performance and be committed to cloud best practice. Together, they steer the cloud adoption strategy, ensuring it progresses smoothly and securely. They don’t all have to be cloud technology experts. A major role of the CCoE is facilitating communication so any cultural or process issues are identified and rectified at the earliest opportunity.
Lay strong foundations to get cloud right first time
According to the Gartner report ‘Innovation Insight for Cloud Security Posture Management’:
“…it is becoming increasingly complex and time-consuming to answer the seemingly straightforward question ‘Are we using these services securely?’ and ‘Does the configuration of my cloud services represent excessive risk?’”
This may ring true for some organisations that host a significant portion of their estate in the cloud. But it doesn’t have to be this way. A pragmatic, strategic approach which embraces cloud-native principles ensures transparency and simplicity across vast cloud environments. It enables better measurement and management of security risk, as well as satisfying compliance and governance objectives.
For organisations working with sensitive data and heightened regulatory requirements, a ‘right first time’ approach is essential. With no margin for error, cloud adoption must be prudent and strategic. Modernising workloads during the journey is an important part of this. It mitigates the risks of large-scale cloud adoption, while taking baseline security standards to a higher level. So, teams can innovate freely and enjoy the benefits of cloud, safe in the knowledge that security is sorted.