Most IT leaders agree their future-state IT landscape will be a multi-cloud environment. Figuring out how to achieve that will take some time.
In this interview with Help Net Security, Melissa Sutherland, Senior Vice President at Booz Allen Hamilton, talks about multi-cloud maturity, cloud migration strategies, as well as the evolution of the cloud in the near future.
Organizations have been taking advantage of the cloud for a long time now. Have we reached multi-cloud maturity?
Most federal agencies have begun their journey to implement enterprise cloud strategies, although at varying degrees of maturity. Those at the beginning of their transformations are taking stock of their existing application portfolios, securing an initial infrastructure environment, and planning for cloud migration. Those that are further along have implemented or are leveraging enterprise-grade, secure cloud environments to host mission-critical applications and sensitive data.
Most agencies start this journey by selecting and focusing on their own data centers (private cloud) or a single Cloud Service Provider (CSP). With time, however, agencies find they have applications, services, data, and capabilities across the enterprise that are supported by multiple cloud environments.
As the Federal Government continues to emphasize cloud migration and deployment, we are seeing a notable uptick in interest among technology leaders to better understand the concept of multi-cloud and what it could mean for their agencies. Most IT leaders agree their future-state IT landscape will be a multi-cloud environment. Determining exactly what that future-state will look like, how to achieve it, and how to measure success will still take some time. We haven’t reached multi-cloud maturity quite yet.
What advice would you give to a cloud architect that needs to outline a cloud migration strategy for a government organization? What’s unique to a project like this?
One aspect that is unique to a cloud migration strategy for a government agency is the need to meet a strict set of security standards known as the Federal Risk and Authorization Management Program, or FedRAMP. The U.S. government requires all its CSPs to be FedRAMP authorized to ensure the protection of federal data.
My advice would be to focus on the fundamentals. FedRAMP authorization must come first. Beyond that, most agencies should focus on making sure a few key foundational capabilities are in place and mature to architect for multi-cloud effectively. A few examples of these foundational technologies and capabilities include container orchestration platforms (including containerized applications), enterprise DevSecOps, infrastructure as code, enterprise application programming interface gateways and solutions, and data management platforms, software-defined networks, and cyber automation. Most of these enabling capabilities fall under the principle of “everything as code.”
How can an organization make sure they’re optimizing for maximum cost savings during a cloud migration?
Years ago, emerging cloud discussions included a promise of cost savings by migrating applications to the cloud. Many leaders have since learned that moving applications to the cloud does not typically reduce an organization’s overall IT costs. However, it does provide better value for costs through flexibility, resilience, and security.
For example, the Dept. of Defense (DoD) is addressing this with its Advana data analytics platform. DoD has the largest operating budget in the world to support its sensitive and global mission, and given its operational complexity, has faced a decades-long challenge to conduct an accurate and comprehensive financial audit across thousands of accounting and business systems.
Advana integrates hundreds of business systems across the DoD including financial, medical, personnel and supply chain to drive informed decision-making across the organization through common data models, natural language discovery, and self-service analytics. This unified program helps make data more discoverable, understandable, and useful, empowering defense agencies to increase spending efficiencies, improve decision-making, and meet critical mission and business challenges across the organization.
The Air Force is also using cloud to drive efficiencies with its Platform One software development platform, which allows users to deploy a DevSecOps Software Factory and start solving software problems with a 90% solution day 1, instead of starting from scratch.
Most agencies find the most significant cost savings and the best negotiating power with major CSPs when they procure a larger portfolio of applications and services from a provider. Splitting their portfolios into smaller portions and moving applications across CSPs may reduce their advantage in the current state of cloud economics.
Another cost-related misconception is that being able to deploy applications to multiple cloud environments will allow agencies to shift workloads to the most cost-effective infrastructure. Cloud management organizations can track the everchanging cost structure and incentives of the various CSPs and take advantage of the best pricing.
Unfortunately, this approach is unlikely to provide any cost savings today at the application level because of the additional costs associated with architecting applications to be CSP agnostic and the inevitable migration costs associated with moving an application from one cloud environment to another.
As the market continues to mature and multi-cloud architectures become easier to implement, manage, and migrate over time, this could change. But for the foreseeable near future, cost savings should not be a driver for multi-cloud architectures at the application level.
What are some of the things organizations tend to overlook when it comes to application migration to the cloud?
Some organizations rush their cloud migration, only to discover their CSP does not cover all their needs. That’s why it’s crucial not to overlook the importance of making sure cloud native apps are modular and open, which allows seamless integration of new services in the future.
Organizations should also be careful to avoid overlooking the ways in which their own resources and talent support the multi-cloud journey. By embedding standard development practices and platforms, organizations can accelerate deployments, better utilize their talent, and reduce human error. Rolling out repeatable blueprints and shared services across an organization will allow it to deploy standards and infrastructure as code practices, enabling teams to focus their precious time on delivering custom applications that add value for the organization.
It is also impossible to overstate the importance of cloud security. Applications migrating to the cloud must address a gap between the security controls provided by commercial CSPs and those required by policy.
How do you expect the multi-cloud to evolve in the next five years?
We still live in a world in which most apps and workloads live in data centers. Over the next five years, the expansion of accredited cloud service providers will continue to facilitate more widespread cloud adoption.
CSPs are in a bit of an arms race to secure accreditation at the top secret level, enabling them to service the DoD and Intelligence Community. Increasing levels of cloud adoption within the Defense and Intelligence communities will be crucial to their missions in the coming years.