Cloud is a double-edged sword for organizations in regulated industries. If it’s not handled carefully, it can introduce security and governance risks, especially during large-scale adoption.
On the other hand, it offers immense benefits in the form of agility, cost effectiveness and quicker time to market. Taking too long to fully embrace cloud has its own consequences, such as allowing rivals who get there first to gain competitive advantage.
Here, we look at how and why risks occur during large-scale cloud adoption, then consider practical ways to avoid them.
This post draws on insights from our whitepaper Building the core foundations for cloud at scale, which is free to download and well worth a read if you’re developing or fine-tuning a cloud adoption strategy.
Understanding the risks of cloud
Cloud adoption is not just about introducing new technology. It also requires new ways of thinking and working which employees may be unfamiliar with. Not all organizations understand or make allowances for this. Yet it’s this transformative aspect of cloud that brings the greatest benefits and – potentially – the greatest risks.
When workloads are based in the cloud, all the resources needed to develop, test and launch new applications become readily available. This is a great enabler of innovation. But it is also a major risk factor for highly regulated industries such as financial services and healthcare. Different parts of the organization can spin up new environments quickly and independently. Unless this is managed centrally, they may inadvertently bypass important operational controls and processes that underpin security and compliance.
An ad hoc approach to early cloud adoption can also lead to problems later. It often results in technology islands which lack consistency and interoperability. During large-scale adoption, applications previously perceived as trailblazers can quickly become a hindrance. If they’re not aligned with strategic goals, they may need to be redesigned to adhere to wider standards. At best, they become complex pockets of technical debt which must be resolved before wider adoption of cloud can begin in earnest. At worst, they become a serious security liability.
One of the most significant potential issues when cloud adoption isn’t properly governed relates to unsecured data. Take containers, a key cloud-based technology which allows new instances to be spawned at speed. If they are not managed in line with a centralized security protocol, sensitive company or customer data may become vulnerable. This puts the organization at risk of non-compliance and severe reputational damage if data is leaked or exploited.
Establishing a best practice framework
To avoid or rectify the above issues, we advocate a phased cloud adoption, especially when migrating existing applications or workloads. You don’t have to plan the finer details upfront. However, the journey does need to be managed strategically and prudently from the outset. This is particularly true in regulated industries.
Taking a holistic view and building solid foundations for large-scale cloud adoption helps avoid costly mistakes and ensures benefits are realized sooner. Core capabilities need to be implemented with security, governance and compliance in mind.
It’s about putting the fundamentals in place as early as possible, so the environment has the elasticity to scale out and the flexible capacity to scale up in line with needs. Guardrails have an important role to play here. They provide assurance and ensure consistency across critical areas while allowing teams freedom and autonomy to innovate in the cloud.
Introducing Amdocs practices is another important factor. A cloud-native, everything-as-code approach eliminates human error and enables new infrastructures to be deployed securely as well as quickly. Every application is built on the same reusable foundation with robust security baked in. When all aspects of the cloud are deployed using automated, pre-defined templates, many of the above-mentioned risks are eradicated. Taking the opportunity to modernize workloads during or immediately after migration also ensures benefits like agility and cost-efficiency are leveraged.
Decide where to start and how to continue
Building secure foundations is all well and good, but how do you decide what to migrate to the cloud first? The answer depends on various factors and won’t be the same for every organization. Care must be taken to ensure initial migrations can be executed seamlessly and deliver positive outcomes quickly. The first steps set the tone for cloud adoption at scale; successful outcomes aid buy-in, igniting the change journey.
The ideal candidates for early migration will have relatively low technical complexity, but still generate learnings surrounding security, compliance and technology. For instance, a workload may be experiencing issues surrounding scale, cost or agility that are easily rectified with cloud-native technologies. The workload should also have a direct impact on customer experience, so the business value of migrating is clearly exemplified.
As the journey proceeds, establishing a Cloud Center of Excellence (CCoE) can be hugely beneficial. The individuals making up this function will vary between organizations, but they should share a hunger for high performance and be committed to cloud best practice. Together, they steer the cloud adoption strategy, ensuring it progresses smoothly and securely. They don’t all have to be cloud technology experts. A major role of the CCoE is facilitating communication so any cultural or process issues are identified and rectified at the earliest opportunity.
Laying strong foundations to get cloud right first time
According to the Gartner report Innovation Insight for Cloud Security Posture Management: "it is becoming increasingly complex and time-consuming to answer the seemingly straightforward question 'Are we using these services securely?' and 'Does the configuration of my cloud services represent excessive risk?'"
This may ring true for some organizations that host a significant portion of their estate in the cloud. But it doesn’t have to be this way. A pragmatic, strategic approach which embraces cloud-native principles ensures transparency and simplicity across vast cloud environments. It enables better measurement and management of security risk, as well as satisfying compliance and governance objectives.
For organizations working with sensitive data and heightened regulatory requirements, a ‘right first time’ approach is essential. With no margin for error, cloud adoption must be prudent and strategic. Modernizing workloads during the journey is an important part of this. It mitigates the risks of large-scale cloud adoption, while taking baseline security standards to a higher level. So, teams can innovate freely and enjoy the benefits of cloud, safe in the knowledge that security is sorted.