The journey of a thousand miles begins with one step. – Lao Tzu
Knowing where to start is often the hardest part of any journey. Fear, uncertainty, and doubt (FUD) plague even the most seasoned leaders. Transitioning your organization from on-premises IT to the cloud is no different. Breaches blare across the headlines as a constant reminder of what a misstep can bring.
Let’s be clear: The leading cloud services providers, such as Microsoft, Google and Amazon Web Services, have done a fantastic job of securing their underlying infrastructures. But, as AWS has clearly stated from the beginning, cloud security is a shared responsibility.
In the end, you are responsible for your data and applications and, if you suffer from a crippling breach, it does you no good to point fingers at the cloud suppliers and shout: “It’s their fault.” It’s your brand, your customers, your revenue and your goodwill that is at stake.
So, how do you reap the benefits of the secure, underlying infrastructure offered by the leading public cloud providers? Here are four critical steps organizations should take to be successful (along with a few quotes to offer inspiration).
Step One: Start with Strategy
People are working harder than ever, but because they lack clarity and vision, they aren’t getting very far. They, in essence, are pushing a rope with all of their might. – Dr. Stephen R. Covey
The best-run organizations are always clearly communicating the vision of their desired direction and destination. Making a secure transition to the cloud is no different. If your organization has not taken the time to discuss, debate, agree and concisely document your cloud strategy, do not expect success.
I have spoken with many executives who have a cloud-first strategy, but their planning doesn’t go any deeper than that. Developing a cloud strategy doesn’t have to be a multi-week event. It must, however, involve close collaboration between IT and security teams. The end result of this collaboration should be a clearly articulated one-page document that defines what success looks like. This document then becomes the organizational North Star. Taking the time upfront to get extremely clear on vision and strategy makes for easier decisions down the road.
Step Two: Create a Cloud Business Office
Don’t try to boil the ocean. – Mark Twain, Will Rodgers or Lewis Carroll
When moving to the cloud becomes “just another project,” it will often lead organizations to not appropriately allocate resources. Forming a Cloud Business Office (CBO) will typically address this as it acts as a forcing function. Resources assigned to the CBO should be dedicated and any legacy operational responsibilities removed or greatly scaled back.
There is absolutely a hard cost for organizations taking the CBO approach, but when resourced effectively and guided by a crisply written strategy, it greatly enhances your chance for cloud success. CBOs typically have full-time representation from IT, security and development, with an embedded project manager(s). Part-time representation from other teams typically includes legal, risk, privacy and procurement.
Step Three: Start Small, Ramp Quickly
The bane of many ambitious projects is having an absurdly large scope. Don’t let this happen to your cloud transformation initiative. One of the key outputs from the CBO should be a prioritized list of projects. Prioritization should be based on a combination of risk, complexity, timelines and organizational maturity.
For example, rearchitecting a business-critical application that has protected health information (PHI) should not be one of your first few projects. Typical first-time projects include moving on-premise email to SaaS platforms such as Office 365 and G Suite. Bottom line: While goals within the CBO should be ambitious, those that have the highest risk, complexity and timelines should come at later stages. This will allow IT, security and development teams time to mature processes, skills and tools.
Step Four: Adopt Cloud-Native Security Platforms
All Tier-One cloud service providers offer platform-specific tools to enable your business to rapidly adopt their platform. This is, after all, how they differentiate. The challenge becomes one of “stickiness.” The more closely your organization adopts any one platform, the harder it is over time to avoid vendor lock-in. In the world of SaaS, this is difficult to avoid. However, with IaaS and PaaS there are several options.
The most effective starts with designing applications to be loosely coupled from the platform. This approach should be called out in your cloud strategy. Security teams should also take a similar approach. While each of the Tier-One cloud providers offers a patchwork of slowly maturing native security controls, adopting them is a sure way to guarantee lock-in. True long-term success in the cloud requires loose coupling across all areas, not just applications. Leaders should look to engage with cloud native security platforms whose best financial interests are not with a single cloud but rather in the most diverse set of providers.
Picture the Future
True cloud transformation requires strong leadership and a clearly articulated strategy. Taking the time upfront to paint a vivid picture of your organization’s future makes many decisions down the road straightforward. When IT, security and development teams have questions or the inevitable squabble, the arbiter becomes the strategy. When teams need to know what’s important, how to prioritize or where to invest, reference the cloud strategy.
What many leaders fail to recognize about cloud transformation is that it’s far more than just technology. This is the opportunity to reinvent your business. Don’t miss it and make sure all angles of your approach are as loosely coupled as possible from the underlying platform.