Searching for the one “perfect” cloud destination is like looking for a pot of gold at the end of a rainbow: you think you are heading towards it, then realise you will never get to it because it does not exist.
As a tech industry, we are guilty of latching onto the ‘cloud du jour’, suggesting a version that we think is ‘smartest’, and we love it when this translates into the latest buzz: ‘cloud-first’ or ‘cloud-only’.
But rather than looking for a cloud nirvana that might not exist, it is far more critical that organisations recognise that they and their infrastructures are unique. This is especially true when it comes to deploying the cloud; a restrictive approach to the cloud, born out of an attachment to a strategy you once decided was ‘smart’, could mean you don’t get the right solution for the organisation (and its needs). Alternatively, you might find that your deployment never gets out of the pilot stage because what was initially considered ‘smart’ is suddenly out of sync with more recent demands.
Instead, the correct approach will likely be found by building and establishing the right foundations for the cloud to ensure that you can be agile in delivering organisational benefits while meeting security and compliance needs.
The success of a new strategy is dependent on its adoption within an organisation. It does not matter how much has been invested in it; it will likely not last if it does not have a natural fit with your organisation’s culture. The same applies to cloud strategy. Selecting a cloud strategy with ‘buy-in’ from your team is essential. They need to understand why it has been chosen and how it will benefit them and their work. Once that is established, the strategy is more likely to be used and adopted. This is why hybrid cloud has resonated with so many organisations; it allows organisations to say ‘and’ rather than be restricted to ‘either/or’, and it considers their current status and the future.
Once it has the necessary buy-in, the foundations upon which the cloud strategy will sit must be agreed across the organisation. The cloud has driven technology decisions out of the IT department as a broader set of internal stakeholders see its benefit and can deliver solutions out to the IT team – from a marketing team building a new website in the cloud to the finance team moving their processes online to comply with HMRC regulations. However, this can potentially increase risk within an organisation as these non-traditional teams who can spin up and manage their own cloud may have limited experience in implementing the necessary IT security, compliance and access. This makes it even more critical for these foundations to be solid – from a security and compliance perspective – to protect the broader organisation in the long run.
As a result, whether you follow a public, private, hybrid, or multi-cloud approach, providing the broader organisation with a set of guardrails to guarantee a baseline of security and compliance is vital. That can be done by the IT department enforcing a set of rules before a cloud is launched by a team outside of their own, or by using an off-the-shelf solution that can take the sting out of the initial set-up and running. Either way, organisations must be clear on what must-haves they need to consider and create a cloud that is right for them, right now.
Should the former approach be taken, bearing in mind the limited experience that some may hold when launching a cloud to support their project, there must be clarity on the individuals who can manage and adapt their cloud and adhere to said rules. For example, it may make sense for only some of the finance team to have access rights. Clarifying access management restrictions from the outset, in turn, will enhance security within the cloud. But it is by no means the only way to protect the cloud.
Guaranteeing data security is more important than ever. Due to its elastic nature, workloads in the cloud can expand and contract regularly. As such, perimeter security is vital to protect the organisation and its workloads. There is a lot of debate about whether perimeter security is relevant to the cloud or if a zero-trust model might be more suitable. However, when considering the foundation of building a cloud that is right for an organisation, if the security procedures in place adhere to governance and compliance needs, that is enough to get you started. Anything more than that can (and in some cases should) be considered on a case-by-case basis, depending on the data sensitivity.
The final step in establishing a solid foundation for the right cloud is compliance. Like the guardrails around access management, a similar approach must be taken to guarantee that how you use the cloud sits comfortably with your organisation’s compliance procedures. This clarity will mitigate organisations’ varying levels of compliance requirements – whether you are in finance or part of the public sector network. When it comes to compliance, organisations must ensure they have the appropriate controls in place from the outset. Initially, this likely needs to sit with the IT team, who can have complete oversight of all activity taking place within the cloud. Still, depending on the disparate nature of what’s being done within the cloud, it might make sense to consider how this can be outsourced so that it doesn’t become a full-time job for your internal team.
By considering these very individual elements, organisations can create and build a cloud environment that works for them. While this does involve upfront work, this clear and considered approach will allow organisations to see the benefits in the long run, as they will have created a cloud environment that is as unique as they are rather than jumping on the hottest cloud trend when there might have been a better option for them.