For a growing number of enterprises, a migration to the cloud is not a simple matter of deploying an application or two onto Amazon Web Services, Microsoft Azure, or some other hosted service. It’s a multi-cloud strategy that’s a key part of a digital transformation initiative aimed at modernizing business processes.
Deploying a multi-cloud strategy can lead to substantial benefits.
Using multiple cloud computing services such as infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) in a single heterogeneous architecture offers the ability to reduce dependence on any single vendor, says Brian Reynolds, principal with audit and advisory firm Grant Thornton.
It can also improve disaster recovery and data-loss resilience, make it easier to exploit pricing programs and consumption/loyalty promotions, help companies comply with data sovereignty and geopolitical barriers, and enable organizations to deliver the best available infrastructure, platform, and software services, Reynolds says.
“Cost optimization is a huge benefit,” says Glenn Pinnel, CIO at paint producer Benjamin Moore & Co., which moved to a cloud-first strategy several years ago and has never looked back. “It’s not so much that you are spending less by going multi-cloud, but rather you are managing risk far better.”
Having multiple clouds “makes you more flexible and agile, allows for the adoption of best-of-breed technologies, and provides far better disaster recovery,” Pinnel says. “By not being ‘locked in’ to one vendor, we have the flexibility to run certain applications in a private environment, and others in a public environment, while keeping everything connected. Our cloud service providers have the right skill sets to make this all happen so that we don’t have to maintain this expertise in house.”
Like any other major IT initiative, ensuring an effective multi-cloud strategy involves having the right people and tools in place, and taking the necessary steps to keep the effort aligned with business goals. Here are some best practices around this rising trend, according to IT executives and industry experts.
Perform due diligence
A multi-cloud deployment adds complexities that require organizations to develop a deep understanding of the services they’re buying and to perform due diligence before plunging ahead, says Donald Faatz, security solutions engineer in the CERT Division of the Software Engineering Institute at Carnegie Mellon University.
Due diligence includes planning. “Use a cloud adoption framework to provide a governing process for identifying applications, selecting cloud providers, and managing the ongoing operational tasks associated with public cloud services,” Faatz says. “Educate all staff on the cloud adoption framework and the details of using selected CSPs’ [cloud service providers] architecture, services, and tools available to assist in the deployment.”
Moving to a multi-cloud environment might present risks that were not present in current applications and systems, Faatz says. “Check for new risks and identify any new security controls needed to mitigate these risks,” he says. “Use CSP-provided tools to check for proper and secure usage of services.”
A company’s infrastructure should be treated as source code, Faatz says, and change control procedures should be enforced. Procedures will need to address differences in CSPs’ implementations.
Decommissioning of services is also part of due diligence. “The most important part of any application or system to the organization is the data stored and processed within,” Faatz says. “Therefore, it is critical to understand how the data can be extracted from one CSP and moved to another.”
Rethink your IT organization
Enterprises need to separate cloud engineering into its own organization so that it can be fully focused on its mission of expanding and securing workloads in the cloud, says Grant Bourzikas, CISO and vice president of Labs Operations at security company McAfee.
“Growth in public cloud [use] requires new skill sets that may not exist in traditional IT departments, roles like cloud architects, automation engineers and product managers,” Bourzikas says. Companies will need to hire, train, or certify people with these skill sets, and think about how their cloud organization aligns with the business. “For example, do you create a bi-modal structure to separate the cloud organization from traditional, core IT services?” he says.
Like many medium-to-large companies today, McAfee has a hybrid cloud environment, including two public clouds and its own private cloud. It uses the public cloud for both external customer-facing and internal needs, Bourzikas says, and leverages IaaS and PaaS services from its cloud providers. The private cloud is also used for internal and external customer-facing applications.
“We’ve classified our portfolio of applications into disposition categories as part of a global data center consolidation strategy,” Bourzikas says. “Determining which applications will be moved to the public cloud — IaaS, PaaS, SaaS — and which will be moved to our private cloud [is] based on variables like transformation opportunity. Can it be rearchitected to leverage microservices in the public cloud? Is it a pure lift and shift?” Costs and application characteristics are other factors, he says.
Take a full inventory of enterprise applications
Before deploying a multi-cloud strategy, it might be a good idea to perform an assessment of existing applications.
“As a practice, I always recommend first taking a fresh inventory of the application portfolio, assessing the individual application technology stack, how the applications fit into the overall application ecosystem, [and] most importantly the business value these applications bring to the enterprise,” says Thomas Martin, former executive vice president of application transformation at GE, who led the company’s multi-cloud efforts, and is now a consultant.
“This information provides critical insights into how to proceed through the enterprise transformation effort,” Martin says. The first step should be to determine which applications can be eliminated. The next step is to determine which applications have a SaaS-based offering in the market, and to determine whether one of these offerings is a good fit.
The remaining applications become core candidates for public cloud migration, Martin says. “How these applications are migrated should be dependent upon the value that they bring to the enterprise,” he says.
Applications that have only 12 to 18 months remaining in their value lifecycle are solid candidates for re-hosting, Martin says. Those that are deemed to have a longer value lifecycle, are considered to be differentiating, or are driving disruptive market differentiation, should be refactored or re-written to take advantage of modern cloud technologies, he says.
Make integration a priority
When relying on multiple cloud services to deliver business applications to customers and internal users, having strong integration between services is vital.
“Put the right APIs [application programming interfaces] in place so that systems can work together to create a seamless user experience, with no lags or delays in service,” Pinnel says. “Many of our applications now live across various clouds, both private and public, and we’ll soon be migrating most of our IT infrastructure to the Virtustream Enterprise Cloud, which already hosts our SAP applications,” he says.
Benjamin Moore is rolling out a national account program that will allow customers to order paint in a far more efficient way. To make it all work, the company uses a cloud service for back-end processing, another for the front-end application and still other clouds that are involved in running the website and other related applications.
“All of our infrastructure and apps come together to make this B2B solution work seamlessly,” Pinnel says. “Trying to manage this on a single cloud would be much harder. By going multi-cloud, we can choose the best infrastructures for various applications, depending on where it makes the most sense.”
Manage access and protect data
Using multiple cloud services, including a mix of public and private clouds, presents a host of security challenges. A key to ensuring strong security is identifying and authenticating users.
“Use multifactor authentication across the multiple CSPs to reduce the risk of credential compromise,” Faatz says.
Organizations should also assign user access rights. That includes creating a collection of roles to fill both shared and user-specific responsibilities across the multiple clouds, Faatz says. Companies will need to investigate the differences in how role-based access control could be implemented with selected CSPs.
Another good practice is to create and enforce resource access policies. CSPs offer various types of storage services, such as virtual disks and content delivery services. Each of these might have unique access policies that must be assigned to protect the data they store, Faatz says.
Protecting data from unauthorized access is vital. This can be achieved by encrypting data at rest across all CSPs, which protects it from disclosure due to unauthorized access. Companies need to properly manage the associated encryption keys to ensure effective encryption and the ability to operate across CSPs.
It’s also important to ensure that each CSP’s data backup and recovery process meets your organization’s needs, Faatz says. Companies might need to augment CSPs’ processes with additional backup and recovery.
Data security is “a crucial element in managing a multi-cloud environment,” Pinnel says. “It is imperative that you have the right level of security in place to ensure that your data and assets are protected at all times.”
Keep an eye on costs
One of the biggest selling points of the cloud is that it can help organizations reduce costs through more efficient use of computing resources. Services are paid for on an on-demand basis, and the cost of buying and maintaining numerous servers is eliminated.
Nevertheless, in a multi-cloud environment it’s easy to lose track of costs, which can then get out of control.
“Carefully consider the cost of managing multi-cloud environments, including human capital costs associated with maintaining multi-cloud competencies and expertise, as well as costs associated with administrative control, integration, performance design, and the sometimes difficult task of isolating and mitigating issues and defects,” Reynolds says.
To reduce these costs and improve manageability, consider deploying cloud management, analytics, and DevOps tools that provide an integrated console that supports administrative control, deployment, scaling, configuration, operation, and management of resources, Reynolds says.
Leverage microservices, native services, and containers
A number of service options are available from cloud providers to help make it easier to move data and workloads to the cloud, and companies should leverage these whenever they can.
“Microservices, enabled by native services such as Lambda, make applications easier to scale, more cost effective, faster to develop, and they reduce time to market,” Bourzikas says. Using native services provided by a cloud service provider “allows for quicker innovation and scaling than is possible with on-premise deployments.”
However, leveraging service provider-specific capabilities can lead to vendor lock-in, so consider the value and commitment of these choices. “Not all applications and compute needs are created equally, and as such, it’s not possible to pick a single cloud platform or strategy that meets all your needs,” Bourzikas says.
In general, a multi-cloud strategy provides flexibility and leverage. “Having multiple [providers] enables you to not be locked into any one, gives you the benefit of innovation and price negotiation,” Bourzikas says. “To fully realize the benefits of multi-cloud, such as workload portability, you must consider your architecture. For example, deploying applications via containers allows for portability.”