Change controls are key to enterprise cloud successby John Grange
The conventional wisdom about enterprise cloud adoption has always been that big companies are too big and too security conscious (paranoid?) to use the public cloud. No matter the cheap scale or business agility it provides, their concerns about data privacy, governance, and control will always keep them from making the public cloud leap. Well, today we know that this isn’t exactly the case anymore. Azure, AWS, and now Google have touted growing enterprise adoption of their respective cloud platforms. But the majority of enterprise cloud migrations are still in front of us and the long tail opportunity is enormous. This begs the question: what is the key to enterprises finally gaining a level of comfort with the public cloud and how can they ensure success?
Very simply, the fear of not being able to control change is what initially kept enterprises away from the public cloud in the first place. So it should come as no surprise that the companies that are seeing the greatest success in the public cloud today have evolved their legacy change controls to be relevant in an automated cloud environment. Change control is paramount in the cloud because when provisioning is automated, data and computing are distributed, and their is little friction to activating resources at scale, there exists a tendency for environments to become disordered. We like to call this data center entropy, and to be fair, it exists in on-premises data centers as well, it’s just magnified by the very nature of the public cloud.
It’s much more challenging to prevent a public cloud environment from becoming disorganized and unmanageable as opposed to traditional infrastructure. Simple things like naming conventions, that provide great utility in tracking and auditing, are very difficult to maintain when cloud services can be provisioned with ease by anyone and with default values (that may or may not violate your internal policies). It’s also important to recognize that the automation and speed that the cloud provides are the source of it’s real advantage, so you want to be able to track changes while allowing your organization to fully leverage powerful capabilities. The bottom line is that you can’t look at change control through the same lens as before.
To be successful you’ll want to incrementally look at each part of your infrastructure operation (network, storage, keys, VM images, VM provisioning, OS configuration) and determine the best way to track and alert to change based on factors like frequency of change, risk, and regulatory requirements. All changes should be tracked, to be sure, but you’ll want to be judicious about alerts to cut down on noise. For example you should track VM creation/de-allocation, however, in a cloud environment VMs are going up and down frequently so maybe you don’t want to be alerted to every single operation. But a change to, say, port rules on a subnet? That change carries serious risk potential for your network and the overall security of the environment so you’ll want to track it and know about it right away. Looking at the environment holistically and identifying how you interact with each component and service helps you determine the appropriate way to address change within the context of a fast moving, always changing cloud platform.
By tailoring change controls to the specific components you begin to have meaningful visibility into your public cloud data center. Because your public cloud data center is completely programmable and extensible, you gain the ability to have much more control over your environment than you ever did on-premises. There is great power in having such nuanced visibility and control over your environment and that translates into enhanced security, better uptime, and improved efficiency.
Change control is at the heart of making a public cloud environment production ready. Being production ready, to me, is tantamount to being successful because if you’re only putting non-essential workloads into your public cloud environment your organization has probably reaped very few cloud advantages. Like everything else cloud related, good change control in the cloud involves rethinking existing processes to meet new requirements that have a different set of capabilities and constraints. Where I see companies fail is in trying to force legacy change controls (and other processes) on a cloud environment which slows things down, mitigates any benefits, and limits the ability for an enterprise to be successful in the cloud.