Back when I worked for a large bank my manager – a shrewd thinker – was asked what he would do to the IT infrastructure if he had infinite time and money. His answer was that he’d tear it all down and start again. When 9/11 destroyed many buildings in lower Manhattan, some organisations had to do just this.
It’s an interesting thought-exercise because you arrive at a different target state when you think this way, than when you start with an existing set-up and incrementally change your environment.
From what I’ve seen of cloud transformations across different organisations, I’ve found five key areas you need to consider, that are difficult, oft-neglected areas. The way you approach these five depends very much on whether you are starting from scratch or not.
I’ll deep-dive into them in future posts but for now a brief summary (with no particular priority):
Now that platforms, systems, devices etc. are outside your network, how do you identify and provisions users? How do you make sure it’s only Jim who is accessing his iPad and using an approved SaaS provider that uses data from a core internal system? How do you deprovision him and his access when he leaves one Friday to go work at a competitor? The management of identity in the new era requires new platforms and skills. When this area is ignored you start to lose control pretty quickly.
Networks used to be like medieval castles. There was a big wall with guards and a few entrances. Legacy networks were built on this paradigm. But today your device could physically be on a public network whilst logically on a companies network. You could be logically managing your network on someone else’s infrastructure (think AWS VPCs). Some applications will be hosted externally and require access to internal systems.
The medieval city has lost its walls and people are roaming freely. Your data assets need to be locked in suitable safes in different towers, with access by appointment only.
3. Service Management.
Service Management is not sexy. Remember all the guys who won awards and got ‘5’s on their balanced, normalised, bell-curve yearly performance review/scorecard? Never happened.
Problem, Incident, Change management etc., that is ITIL stuff, is still important but now the configuration items you manage could be somewhere else. There are externally hosted partners responsible for parts of your service.
You will need to agree with them how to manage and measure the service levels of their components. And they will have their own service management platform and processes (hopefully). Where are the demarcation lines and how do these service management platforms share data? When a major incident occurs how do you know that everyone has the same information and is working in a coherent fashion?
I heard this best described at a vendor demonstration. Systems of record are being separated from systems of engagement. In the past you had a monolithic system that was both a system of record and engagement.
Today, a system of engagement could be a SaaS provider or a mobile App. How do you get data from one to the other? Also externally hosted systems may need access to core company data. Previously you may have had to integrate platforms across an internal network. Now you need to integrate platforms across many providers and geographies.
5 Vendor Management
Vendor management in the old world was somewhat different to the new. The new world is fluid with expectations of quick on-boarding and off-boarding. The market is bigger with many diverse providers rather than the usual chosen few. There are considerations about data sovereignty, off-boarding etc. that you have never had to consider before. There has to be more collaboration between technology teams and procurement teams to understand how these external solutions work and protect data.
That’s my big five. I haven’t included anything about the server platform, orchestration, storage etc., because I think there’s less impact if you stuff them up. You can always adapt. If you get my five wrong, the consequences are significant. And across all of these big five you need to consider security as well.
As always, thoughts in the comments below.