By Vicky Glynn, Head of Product, Brightsolid
The idea that there is one “perfect” cloud destination is a bit like looking for a pot of gold at the end of a rainbow. You think you are heading towards it, and realise you never get to it as it does not exist.
As a tech industry we are guilty of latching onto the ‘cloud du jour’ suggesting a particular version that we think is ‘smartest’– and love it when this translates into the latest buzz ‘cloud-first’ or ‘cloud-only’.
But rather than looking for a cloud nirvana that might not exist, it is far more important that organisations recognise that they and their infrastructures are unique. This is especially true when it comes to deploying the cloud; a restrictive approach to the cloud that’s born out of an attachment to a strategy you once decided was ‘smart’ could mean that you don’t get the right solution for the organisation (and its needs). Alternatively, you might find that your deployment never gets out of the pilot stage because what was initially considered ‘smart’, is suddenly out of sync with more recent demands.
Instead, the correct approach is likely to be found by building and establishing the right foundations for the cloud to ensure that you can be agile in delivering organisational benefit while meeting security and compliance needs.
The success of a new strategy is dependent on its adoption within an organisation. It does not matter how much has been invested in it; if it does not have a natural fit with your organisation’s culture, then it will likely not last. The same applies to cloud strategy. It is important to select a cloud strategy that has ‘buy-in’ from your team. They need to understand why it has been selected and how it will benefit them and the work they do. Once that has been established, it is more likely to be used and adopted. This is why hybrid cloud has resonated with so many organisations; it allows organisation to say ‘and’ rather than be restricted to “either/or”, and takes into account their current status and the future.
Once it has the necessary buy-in, it is important the foundations upon which the cloud strategy will sit are agreed across the organisation. The cloud has driven technology decisions out of the IT department as a broader set of internal stakeholders see its benefit and can deliver solutions out with the IT team – from a marketing team building a new website in the cloud to the finance team moving their processes online to comply with HMRC regulations. However, this has the potential to increase risk within an organisation as these non-traditional teams who are afforded the ability to spin up and manage their own cloud may have limited experience in implementing the necessary IT security, compliance and access. This makes it even more important for these foundations to be solid – from both a security and compliance perspective – to protect the wider organisation in the long run.
As a result, no matter if you follow a public, private, hybrid, or multi-approach, providing the wider organisation with a set of guardrails to guarantee a baseline of security and compliance is vital. Whether that is by the IT department enforcing a set of rules before a cloud is launched by a team outside of their own, or by using an off-the-shelf solution that can take the sting out of the initial set up and running; organisations must be clear on what must-haves they need to consider and create a cloud that is right for them, right now.
Should the former approach be taken, bearing in mind the limited experience that some may hold when launching a cloud to support their project, there must be clarity on the individuals with the capability to manage and adapt their cloud who adhere to said rules – for example, it may not make sense for the entire finance team to have access rights. By clarifying access management restrictions from the outset, this in turn will enhance security within the cloud. But it is by no means the only way to protect the cloud.
Guaranteeing data security is more important than ever. Due to its elastic nature, workloads in the cloud can expand and contract on a regular basis. As such, a level of perimeter security is vital to provide protection to the organisation and its workloads. There is a lot of debate around whether perimeter security is relevant when it comes to the cloud or if a zero-trust model might be more suitable. However, when considering the foundation of building a cloud that is right for an organisation, if the security procedures in place adhere to governance and compliance needs, that is enough to get you started. Although, any more than that can (and in some cases should) be considered on a case by case basis depending on the sensitivity of data.
The final step in establishing a solid foundation for the right cloud is centred around compliance. Like the guardrails around access management, a similar approach must be taken to guaranteeing that how you use the cloud sits comfortably with your organisation’s compliance procedures. This clarity will mitigate the varying levels of compliance requirements that organisations have – whether you are in finance or part of the public sector network. When it comes to compliance, it is vital that organisations ensure they have the appropriate controls in place from the outset. Initially, it is likely that this needs to sit with the IT team who can have complete oversight of all activity taking place within the cloud, but depending on the disparate nature of what’s being done within the cloud, it might make sense to consider how this can be outsourced so that it doesn’t become a full-time job for your internal team.
By taking these very individual elements into consideration, organisations will be able to create and build a cloud environment that works for them. While this does involve upfront work, this clear and considered approach will allow organisations see the benefits in the long run as they will have created a cloud environment that is as unique as they are and doesn’t jump on the hottest cloud trend when there might have been a better option for them.