When O’Reilly Media surveyed companies about their cloud usage in the first quarter of 2020, 88% of survey respondents said that their organizations were using cloud in some form, and most used a combination of cloud and on-premises options. At least 49% of organizations continued to host some of their applications on premises, and of the various cloud options available, public cloud services were the most popular choice.
During the COVID-19 pandemic, use of cloud services has surged. Organizations have scrambled to keep their operations moving. They’ve done this by moving to work-from-home employees who communicate with each other and with customers through internet and cloud services.
Surging cloud adoption is delivering mixed results for many companies. On the positive side, clouds are easy to sign up for, so many organizations just start using them. On the negative side, many companies still lack a hybrid IT architecture plan.
Here is an example:
A financial services company I work with had approximately half of its applications running in an in-house data center. As new IT services and software became available in its market, both IT and end users in the company began signing up for these cloud services. Most of the services they subscribed to offered sign-in portals to their clouds, so little thought was given to integrating these new cloud apps with the company's existing systems for purposes of data exchange or security and governance. In some cases, the same information was being reported to different segments of company users by different systems. This created an organizational nightmare, because users of different systems were now getting different results for the same thing. This made it difficult for the different disciplines in the company to arrive at a consensus on a critical business decision.
IT recognized that it had to work on a “unification strategy” that ensured not only that everyone was working with a single source of data truth, but also that the company was getting all of the actionable insights and value from its data that it could, with appropriate security and governance, and with an overall IT architecture that documented every single IT resource, whether cloud-based or in-house.
The big question was: where to start in the quest to achieve these goals?
Step One: Defining an overall hybrid architecture
A company hybrid IT architecture includes those in-house applications and data your company already runs, but also the additional cloud-based data and applications you choose to deploy on the cloud. It’s insufficient to develop a schematic of your in-house IT without broadening this schematic to also include outside cloud resources.
IT management should also understand the ramifications of using different types of cloud-based IT.
Cloud offerings are divided into three fundamental categories: SaaS (software as a service), IaaS (infrastructure as a service) and PaaS (platform as a service). Knowing when to choose SaaS versus IaaS or PaaS is vitally important.
The advantage of SaaS is you get a vendor with specific business expertise in running the data and the applications you’re signing up for. An example is Salesforce, which excels in sales support software.
The disadvantage to SaaS is that you might experience vendor lock-in. What if you decide to use another system? What if you have a need to move data from the vendor’s system to your own? Are you able to easily get all of your data from your existing SaaS vendor if you choose to migrate to another system altogether?
A second option is IaaS, which gives you on-demand access to more compute, storage and network resources as you need them -- and also the ability to decommission these resources when you no longer need them.
The advantage is you don't need to permanently invest in on-premises IT resources when you might only need them for a short period of time. For instance, if you’re a retailer and the holiday season is your peak order time, you might want to increase order processing compute resources. At the end of the holiday season, as sales decrease, you might want to get rid of this temporary extra compute. IaaS, where you pay for only what you use, gives you this flexibility.
The disadvantage is that your IT team is not in direct control of the add-on IT resources. Managing to your own internal security and governance standards could prove to be problematic. Clearly, there is some additional risk to manage -- but the flexibility of scaling your compute up (and down) might justify that risk.
A third option is PaaS, which provides an entire hardware and system software “virtual environment” that enables your software developers to write and test applications before they go into production.
The advantages to PaaS are financial and operational.
It can take many hours from your most highly compensated staff to configure, populate and install a full test database for software developers. This is further complicated by the fact that many developers are working on different applications and different databases, so the internal setup must be done again and again.
By moving to PaaS, the PaaS vendor provides these services and resources to you. This saves time and money. It also helps to eliminate the frustration your developers feel when they find themselves waiting for tech support to install the resources that they need for doing their work.
The disadvantages to PaaS are similar to what they are for IaaS. There are security and governance hurdles you may need to overcome. An additional risk with PaaS is that you are developing new applications for your company that may contain valuable intellectual property (IP). When you engage with a PaaS vendor, it’s important to include provisions for safeguarding your IP in the contract.
Step Two: Managing an overall hybrid IT architecture
As soon as your organization begins to adopt cloud solutions, the scope of your IT reaches beyond the walls of the company's data center and into a myriad of vendor-controlled solutions for hosting and processing your data. In some cases, very small companies might opt to have the cloud vendors manage their data and apps, as well as the security. For mid- and large-scale companies, a laissez-faire approach to cloud vendors is not acceptable. These companies have the IT staff and expertise on board, so the task of that staff becomes managing not only the day-to-day health of in-house hosted data and applications, but also that of the apps and data hosted by outside cloud vendors. The latter is accomplished by meeting with cloud vendors before you sign up with them, explaining to them what your data maintenance, security and governance requirements are, and then putting together a collaborative team of vendor and in-house IT staff to run and oversee the apps and data you choose to deploy on the vendor’s cloud.
Step Three: Applying a uniform set of policies
Inside your data center, there are security and governance policies in place that staff adhere to and that auditors periodically review.
It’s up to IT to extend these governance and security policies to the cloud.
Several of the inherent security and governance risks in cloud models were discussed above. And while there is no shortage of cloud vendor security and governance horror stories, organizations have the ability to limit their risk if they take advantage of the security and governance tools that many cloud providers make available.
AWS, Microsoft Azure and others give their customers the ability to configure security and governance. The problem thus far has been that companies deploy their apps and data on the cloud -- but they fail to finish the job by also using cloud tools to configure for security and governance. This leaves them at the mercy of whatever security and governance controls the vendor uses by default.
Failing to configure for security on the cloud should not be an option. If corporate IT does not have cloud security configuration as part of its cloud deployment process, IT procedures should be rewritten to include it. This unifies hybrid IT architecture because all systems, data and other IT resources are operating under the same policies -- a central tenet of any hybrid IT architecture.