Several weeks ago, I got to visit a Global 50 manufacturer. This organization had a very complex supply chain and manufacturing locations and vendor relationships across the world. It needed to govern the data that flowed between suppliers, customers, and even internal organizations. And it was not appropriate for everyone to see everything.
In the middle of this conversation, the manufacturer discussed the depth of their clouds and cloud vendor relationships and the problems that multi-cloud presented to their organization. Given this, I decided it was time to dig in on multi-cloud with the #CIOChat.
How many layers of cloud do you have internally and externally?
CIOs had differing answers based upon the complexity of their organizations. Some said that they really don’t think about having a “cloud fabric.” These CIOs use a small number of cloud providers. For them, there are few internal and external providers. Given this, they don’t believe there are layers unless an organization is running hybrid (by virtue of several clouds) or there are silos of data located across the organization.
Other CIOs, however, say that they are full of complexity. A higher education CIO started this discussion by saying, “I suspect we have an official number of cloud providers, and then that number is not the number that is actually in use.” CIOs with complex cloud environments say that they like to express the problem as layers of cloud. They say that they publish services and consume services. And then our services consume services. It’s not like blankets of fluffy cloud. It’s more like branched constellations.
These CIOs openly asked how many points and services they connect to. It’s not as simple as layers. They suggest that a very large percentage of cloud traffic isn’t going through on-premises endpoints. It’s cloud to cloud. These CIOs say that they use dozens of SaaS products for which their implementations are opaque or murky. They say to add to this number Office 365, AWS, Google, Azure and more. Internally they may use VMware, but the complexity grows beyond this point.
For this reason, CIOs say they need to educate their users. There are easily “dozens” of sanctioned cloud applications in most organizations. The problem, CIOs say, is that as much as 10% of data uploads in a typical enterprise are going to unsanctioned cloud apps. CIOs believe that these workloads are likely spread across more clouds than anyone realizes. SaaS vendors should count at some level, especially when you integrate across them, and when you assess their capabilities and security. Most organizations are using multi-cloud externally. To be clear, CIOs say internal cloud use may tie in via hybrid implementations. At this point, CIOs shared that when Amazon had a major outage 1-2 years ago, it was shocking to see how many of their SaaS services were impacted. Clearly, there was no contingency plan.
The use of management fabrics
Ecosystems was seen by CIOs as the operative word. One CIO said that they use a combination of MapR’s Global Data Fabric and Pivotal Cloud Foundry (PCF) to span and simplify their data architecture across five different public cloud offerings and multiple geographic data centers. These multi-cloud data fabrics aim to ensure scalability.
CIOs say the use of management fabrics is on the rise. This is a rapidly expanding space and has a security-focused corollary, as Gartner and others have started highlighting. CIOs suggest the need for Cloud Security Posture Management (CSPM). One CIO suggested this is a notable example of how complex the conversation is surrounding cloud. One CIO admitted here that when discussing multi-cloud, they tend to think of the IaaS/PaaS providers but not SaaS providers. This is clearly a mistake because of the need for applications to connect higher level business capabilities.
CIOs believe that few companies can afford to take on the overhead of true multi-cloud strategies when it comes to duplicative capability for single application availability. Instead, what is needed are big bets being placed on a central cloud service provider and an ecosystem of secondary providers around that. One CIO described the difficulty as providers rely on providers who rely on providers. One CIO said, in exasperation, “we thought maintaining our CMDBs was hard for our datacenters to map inter-reliance issues”.
CIOs suggest that the sprawl looks more like branches. So, if the trunk (e.g. Amazon) is impacted, what does that mean for service delivery? And what should our business continuity response be after understanding that impact? With the right fabric, CIOs say, multi-cloud becomes a revenue-generating component that is integrated with your environment. This allows customers to choose the cloud that offers the right service levels at the right price for the right customer use case.
CIOs suggest that the emergence of internal and external ecosystems is what is driving folks to adopt multi-cloud strategies. Gone are the days of a one-stop shop. Many CIOs are becoming more and more averse to vendor lock-in. Fabrics help drive innovation while ensuring flexibility. And now cloud instances and containers come with real time, constant costs.
How do you audit and govern cloud usage against service model and policy?
CIOs say they mainly use a fabric as the enforcement mechanism for policy. Policy goals should be about applying security and data governance. CIOs with business leaders need to set a core IT strategy and use it to drive what is done. They need to partner with procurement and other areas to provide some control, and then leverage this to control enterprise data. Many organizations, however, don’t have the ability to accurately forecast cloud demand.
Meanwhile, it is important that CISOs consider using the FAIR Institute Model for risk identification. This can provide great insights to better quantify risk, including where data is uncertain. Overall this requires regular due diligence against what was scoped and how it has changed with time. Data should be protected per cloud. Disaster recovery should also be per cloud. This increases complexity but should limit the scope of failures. Audit is clearly one of the most challenging aspects of cloud for regulated functions that have compliance requirements.
Some CIOs say audit should be done the same way you would audit and govern your private data center. If you don’t have a consistent audit service model, then it’s going to be very difficult to scale as you move to a multi-cloud model. There will always be slight adjustments, but you need consistency. For small and medium-size organizations who have gone down the cloud road, managing multi-cloud is like trying to find the ends of the yarn after kittens have gotten loose in the yarn shop.
Managing disaster recovery (DR) across the complexity of multi cloud?
CIOs stress that the cloud enables IT organizations to design for failure, but too many still treat the cloud just like their old data center. Cloud makes this easier, not harder, when cloud is implemented properly.
CIOs insist that it is a mistake to treat the cloud like physical infrastructure. An emphasis on infrastructure as code makes full backups less important. This also makes rebuilding an infrastructure a lot easier than coding it and then keeping it somewhere. CIOs say you must accept as part of the deal with each provider up front–geographic diversity, timing, tests, and retrieval. Cloud providers are working very hard to take this off the table – especially the largest cloud service provider. For this reason, CIOs suggest that AWS is investing in the GuardDuty security console. CIOs say SkyHigh and CWS can give universal visibility for audit.
One CIO said here, “Regardless of how you think of management, I’m not sure we do it.” This can be a big challenge on-premises due to the expansion of polyglot persistence, local storage vs. SAN vs. hyperconverged, etc. Cloud reminds CIOs of the early VM sprawl.
One CIO asked here about disaster recovery. They said we have no backups. It’s a mesh of pointers and metadata. Every vendor does it from poor to amazing. If you can’t do select * from table, you have to trust the vendors.
With this said, CIOs say you should test frequently to ensure you have built-in DR and business continuity (with real data). Most cloud vendors will have API integrations you can leverage for DRaaS. This will help with audits as well. If it’s not driving business revenue, then you should outsource it. If you are thinking disaster recovery in a cloud world, you are way behind and asking for a world of hurt. Today, data management is key and far more sophisticated.
Does regulation force multinational organizations into an increasingly complex multi cloud fabric?
CIOs say that most multinational organizations already have complex fabrics to manage prior to public cloud options. Cloud makes it simpler in some ways, but more complicated in other ways. Where it might force multi-cloud is where you have a sovereignty issue in a country that doesn’t have your cloud service provider of choice.
Regulation is often forcing regional complexity intra-provider. When you start doing major business in ‘red flag’ countries, a higher level of thinking needs to take place. Cloud has been the tactical response to GDPR for some organizations that couldn’t make the grade (on time) on-premises. In general, regulations are behind the technology and they don’t adequately consider what we all work with.
One thing that CIOs are abundantly clear about is AWS doesn’t know your applications. AWS doesn’t know your business. You do. But they then make it possible to spin up most major locations, and they are following new privacy laws.
Multi-cloud is only going to grow the complexity of running IT. While public cloud promises many things – better scalability, better security, and the list goes on – it does create risk for CIOs that do not know their enterprise architecture or when a vendor outage could impact customers. It seems to me, at least, that the time is now to expand upon existing notions of CMDB and Asset Management. I look forward to ITIL 4’s thinking on this matter.