Enterprise Computing and the Public Cloud Dilemma

About Public Clouds

There is little doubt that Public Clouds provide increased speed, agility, scalability, and pay-as-you-go, consumption-based pricing. These are attributes that most enterprises are looking for who want to transform their business and adopt new business models with cloud speed. Most enterprises consider digital transformation as the underpinning for innovating and creating differentiated values. Enterprises also realize that modernizing IT infrastructure is a must for digital transformation, and that Public Clouds provide a great opportunity for infrastructure modernization. A large percentage of enterprises have some workload running on a Public Cloud. However, the adoption of Public Clouds for critical workloads in regulated industries such as Financial Services, Insurance, or Telecommunications has not kept pace with the growing use of Public Clouds by small and medium enterprises. There are a number of well-known start-ups that are born on the Cloud; however, there are very few enterprises that have widely adopted Public Clouds for their mission-critical workloads.

Barriers to a whole-scale adoption of enterprise computing to Public Clouds are often cited around the need for an enterprise-grade, hardened computing environment that provides continued assurance around security, privacy, compliance with regulations, resiliency, and operational readiness. Public Cloud providers have good physical security in place, with readily available evidence, comparable to customers’ own data centers. Cloud providers are quick to act to emerging security threats for the pieces of the platform for which they are responsible. However, when it comes to application environments, it is typically considered the responsibility of the customer who owns the workload to handle the assurance around security and data protection. Conformance to controls is not always that robust. The focus of cloud providers in the past has been on providing varied low-cost computing platforms with a low barrier to consumption, and not necessarily on hardening the application workload environment for individual customers. Cloud providers have recognized the need for enterprise-grade environments and begun to certify their environments for enterprise-type workloads.

Over the years, enterprises have evolved hardened operating environments in their own data centers that conform to their controls around security, regulatory compliance, performance, resiliency, disaster recovery, etc. Enterprises rightly try to look for the same type of operating environments in Public Cloud, and are often deterred by the lack of perceived transparency and control over the workloads running there. Consequently, there is reluctance in moving to Public Clouds. Various studies put the number as less than 30% of critical enterprise workloads that have migrated to the Cloud. It has taken years for enterprises to develop an environment that they can now trust and have confidence that it is a secure operating environment that is fully controlled by them. The general feeling is that this controlled environment cannot be replicated outside the walls of their own data center. This perception is changing as cloud service providers realize that there needs to be an increased focus on providing enterprise-grade operating environments for customers’ application workloads. Public Cloud providers are more and more aware that they need to provide an environment that meets enterprise computing needs and are taking steps to provide environments that are considered worthy of “regulated workloads”.

Practical Considerations

To ease and de-risk their journey to Public Clouds and to start realizing the speed to market, there are some practical considerations for enterprises:

1. Start with a cloud provider that attests to an environment for easily meeting and demonstrating the application of enterprise-level IT controls that conform to industry standards. For example, look for a cloud provider that adopts industry best practices related to Governance, Risk, and Compliance (GRC) Management, has in place a controlled framework for ensuring traceability and evidence of controls conformance, and ongoing compliance with regulations. Enterprises should look at their own controls that are in place for their own data center workloads and map them to the controls in the cloud provider’s environments to see if those controls are already in place, or how quickly the needed controls can be established with an ongoing compliance monitoring. Typically it takes months before an enterprise application can be certified to go into production. On a Public Cloud provider environment that already has a framework for establishing monitoring compliance to enterprise controls for the customer workload as well as the cloud-provided services, this time can be reduced considerably to realize the true benefits of a cloud operating environment.  
2. Enterprises should develop a comprehensive playbook for application teams for risks and controls assessment, management to determine the scope of controls, data classifications and compliance requirements around them, readiness assessment, and acceptance criteria. A playbook will help avoid each team starting from scratch. Enterprises should centralize the evaluation of controls based on workload and datastore characteristics. This should be done using the cloud provider’s assessment framework instead of having splintered groups across the risk and compliance spectrum looking at their own set of controls, often overlapping with other groups, and often in a manual fashion using disparate spreadsheets.  
3. Enterprise architects and infrastructure architects should leverage reference architectures, typically provided by leading cloud providers, to design resilient, secure environments and plan for production-level readiness right from the blueprinting phase of transformation projects. They should plan for a clear separation of management zones and workload zones so that there is a clear separation of duties built into the environment and management activities can be distinct from production activities and are easily auditable. Application teams are often confronted with this fact after the application has been built, leading to a number of cycles being spent on re-engineering for a production environment. The Cloud, because of its flexibility, makes it very easy to consume and get started with resource provisioning. However, if the environment is hardened as an after-thought, it can lead to significant delays in the application getting in front of end-users.
4. Enterprises should establish a light and agile governance framework that creates and promotes proven patterns for use of Public Cloud infrastructure and services that are hardened and vetted to be in compliance with the enterprise’s own controls. Public Clouds have a vast catalog of hundreds of services with different levels of maturity often from a variety of 3^rd party providers. Typically most enterprise workloads make use of a fraction of these services based on the stability, popularity, and skill base existing in the enterprise. Enterprises, as part of their journey to Public Cloud, should establish their own internal catalog of approved cloud services and provide guidance on their usage for internal application teams. This catalog should be an evolving catalog as additional usage patterns are identified. Enterprises should conduct their own proofs-of-concept to assess the viability of use from security, privacy, and compliance perspectives before opening them up for wide use by application teams.  Key aspects include services that make use of constructs like native encryptions with Keep Your Own Keys, transport-level encryptions, and availability in multiple cloud provider zones. These key aspects are good attributes to look for to establish hardened runtime environments.  
5. Enterprises should adopt practices for secure development and deployment using the multitude of tools readily available in Public Clouds. Clouds provide standard build and deploy pipelines with vulnerability checking and static code analysis built-in. Application teams should be guided to adopt making use of features to introduce security principles early on in the development lifecycle. Enterprises should not look to just move workloads from their existing environments and mirror the characteristics on a Public Cloud. Rather, they should re-engineer with agility, modularizing monoliths into independently scalable, observable, resilient, functionally distinct components.  Lowered cost in public clouds should not always be the determining factor. Speed and agility need to take precedence along with security, compliance, auditability at the forefront.

Conclusion

This article explored the use of a comprehensive enterprise-wide approach to risk management, compliance, security, privacy, and operational resilience.  With this approach, enterprises can not only gain confidence in Public Cloud environments for their critical workloads but also reduce the burden of IT compliance as they undertake their journey to Public Clouds.