31 Aug Busting the smoke and mirrors myth: building trust and value in the cloud
Co-authored with Neil Griffiths, Modern Workplace and Security Practice Lead at Eighty20 Solutions
To become a business and workplace that competes in a radically changed world, cloud adoption is a must. Yet there are significant trust and strategy challenges facing Australian organisations as they pivot towards the new working models and cultural mindset shifts cloud technology makes possible.
If cloud migration was off the table for IT teams in the last decade, it’s safe to say it has rocketed up the priorities list since March 2020. Even without COVID-19 forcing the hand of leaders reluctant to get behind distributed teams and faster, more efficient product/service delivery models, the cloud conversation would have been triggered by other inputs driving success. From talent shortages and customer experience to innovation, cloud technology is undoubtedly an X-factor in delivering solutions to support these competitive advantages, as well as the scalability companies need to seize opportunities for growth.
Migration of core systems and data is the foundation of a successful cloud journey — but it’s just table stakes. From there, organizations must ask themselves how they can use the cloud to position themselves for sustained growth in the next three to five years.
Accenture, The Cloud Continuum report, 2021
Solving the trust conundrum
According to Deloitte’s ‘cloud forecast’ from their Technology, Media and Telecommunications Predictions 2021 (Australian edition) 46% of organisations now have a ‘cloudfirst’ policy when it comes to technology investments, with an expected increase to 75% in the next five years. However, projections for a widespread pivot to ‘cloudfirst’ investments conceals a reluctance to do away with traditional IT infrastructure altogether. While there is considerable interest in the potential cost competitiveness and capabilities the cloud can offer, concerns about security persist. In their 2021 State of Cloud Strategy Survey, HashiCorp found 47% of IT professionals surveyed still see security as a top cloud inhibitor. Perhaps this is one of the reasons why McKinsey’s survey on cloud adoption report that large companies host 10 to 15% of their applications in the cloud but continue to host the core of their technology environment in traditional data centres.
In our experience at Eighty20, many organisations are still convinced their on-premises infrastructure is more secure than the cloud. This trust in something we can touch and control is natural, but fails to acknowledge the reality that the cloud might inherently be more secure. Companies that run the “cloud”, such as Microsoft and Amazon Web Services have channelled infinitely more investment and intellectual property into their security than any individual company could possibly manage. This belief that my lock can be trusted more than yours simply because I installed it definitely deserves a closer look.
Cloud Service Providers (CSPs) are doing their part by delivering the documentation and making available dynamic security and compliance information needed to convince senior executives and board members of the inherent security of cloud adoption as well as its business benefits. For example, Microsoft offers extended contract terms for financial services customers, enabling them to ensure the service meets regulatory requirements. Financial services customers opting to join the Financial Services Compliance Program – and their internal and external auditors – can conduct audits on Microsoft business premises, examine the control framework of the service, review its risk management framework, hold one-to-one discussions with Microsoft’s independent auditors and obtain in-depth views directly from Microsoft subject matter experts.
Cloud clearly disrupts existing security practices and architectures but also provides a rare opportunity to eliminate vast operational overhead to those that can design their platforms to consume cloud securely. Taking advantage of the multi-billion dollar investments CSPs have made in security operations requires a cyber-first design that automatically embeds robust standardized authentication, hardened infrastructure, and a resilient interconnected data-center availability zone.
McKinsey Digital, How CIOs and CTOs can accelerate digital transformations through cloud platforms, September 2020
Building at speed for security and value
Having said that, it’s not a case of just dumping data and apps in the cloud and celebrating the cost savings, which would be an elusive goal with a hasty lift and shift approach. Moving to the cloud introduces a shared responsibility model with some definite grey areas as to who owns which parts – which is where most cloud breaches occur. There is also the allure of speed the cloud offers for the quick win of launching a new app or service at scale. However, this can introduce both security and cost control issues that turn early forays into a disaster for future consolidation of all business functions in the cloud.
Time and again we see organisations trial new applications on cloud platforms to deliver a quick solution to meet an immediate business need. Some value is realised, but not enough to support the business case to extend cloud capability across the whole technology environment. Going into this pilot phase without the right foundation, expectation, and preparation can also be a nightmare for security, communicating to executives and boards that both cost and risk are two important reasons not to place their trust the cloud.
’Lift and shift’ migrations of existing on-premise applications to cloud can actually increase cost if they are not optimized or remediated correctly. In contrast, companies that have built new systems in the cloud or remediated existing applications to leverage cloud attributes are seeing dramatic efficiency improvements. Early research indicates that developers spend measurably less time on infrastructure and production support and more on business requirements and development when companies move to public cloud.
McKinsey Digital, Cloud’s trillion-dollar prize is up for grabs, February 2021
So what’s the answer? In our experience, slowing everything down isn’t going to help. This is how most larger company cultures are comfortable operating thanks to the typical waterfall approach to IT projects – big changes done infrequently. But as Gregor Hohpe likes to say “slow chaos is not order” and only gives the illusion of greater control. Businesses can still move fast but they need to do so with the end in mind. This is where Eighty20 can help, in supporting leaders and IT managers as they explore each strategic motivation for cloud adoption and turn these drivers into a tactical plan that captures value and includes the security measures needed to protect data during and after transition.
Secure at every level
As we’ve already flagged, CSPs have invested huge resources into developing extensive measures for cloud platforms to provide a secure home for company data and adapt on the fly as businesses change how that data is used. The Microsoft cybersecurity reference architecture, for example, can provide guidance around the compliance and governance across the people, process, and technology pillars, which is reassuring for CIOs and CISOs and the boards they report to.
In spite of these highly advanced technologies and protocols, the biggest risk to data in a cloud environment is still what McKinsey calls ‘human middleware’. Creating comprehensive, fit-for-purpose data practices across the business and driving adoption and compliance by employees is a critical part of security efforts for a cloud adoption. From the systems administration side there are access controls to consider. Who gets access and on what type of device and how do they prove identity? Policy and practice for these functions needs to be simple and yet account for the changes taking place as data moves from file shares and home drives towards a single source of truth in the cloud. This is a significant change management piece that’s vital in limiting risks for a cloud deployment.
As companies try to capture cloud value, they must adopt new security architectures and processes to protect their cloud workloads. Then cloud migration can increase not only the delivery of business value but also the security of their systems and applications compared with the old on-premises world.
McKinsey Digital, Security as code: The best (and maybe only) path to securing cloud applications and systems, July 2021
Cloud is key in the talent stakes
Even in the recent past, adapting quickly to change has been a blind spot for many company and workforce cultures. But with over half the Australian population in lockdown this August, remote and hybrid work have become non-negotiable as a matter of safety. This alone is compelling employees working across all sectors and roles to embrace cloud transitions and the routines that go with them. When employees are physically separate from each other and the resources they rely on to go about their work, turning to the cloud as a means to connect seems natural and inevitable.
Continuum Competitors are using the cloud not just as a single, static destination, but as a future operating model. More than 90% of Continuum Competitors in North America use the cloud to enhance collaboration among employees and encourage ambitious projects that cut across business functions and geographies. They use the cloud to make work more interesting and data-driven by reducing rote tasks and manual maintenance work, or used cloud-based tools to make technology approachable.
Accenture, The Cloud Continuum report, 2021
In this regard, workplace disruption caused by COVID-19 has done companies a favour when it comes to getting their ‘human middleware’ engaged with cloud transformation. And with a new generation of digital natives expecting to engage more with technology as part of their employee experience, delivering on the promise of the cloud to make work less repetitive and more rewarding is now far more important as talent becomes increasingly scarce.
At Eighty20 Solutions, our goal is to deliver technology transformations in a faster, simpler, and more collaborative manner. If you’re looking at an AVD or W365 deployment and are need a partner who will get in the trenches, work shoulder-to-shoulder with your team, and stay the course, while you help your organisation to sustain long-term, strategic technology investments, embrace change, and realise benefits – instead of leaving teams grappling with shiny new technical debt – reach out to us today.