Our cloud implementation project teams work with clients to execute their cloud strategies and roadmaps. A key early step in the deployment process is to establish a solid foundation of cloud technologies and processes. We describe these projects as "Cloud Foundations," and include the following objectives:
Finalize naming and tagging schemes
Design and deploy hybrid cloud connectivity
Implement the identity management and permission scheme
Create deployment templates for application infrastructures
Select and deploy operations tools
Let's discuss the key tasks of each objective.
Having a well-designed framework of accounts/subscriptions and billing relationships with your cloud provider(s) meets current account and security needs while providing a flexible framework for future expansion or carve-outs. We design our clients' cloud account structures to meet organizational (business) structure and billing requirements, while taking into account desired account-level security boundaries. Security considerations include natural points of administrative isolation, separation of "blast radius" in the event of critical security events, and account-level separation of key security-related services for security/compliance team usage.
Cloud hosting environments frequently require a dramatically extended naming scheme, as virtually every deployed compute, network, storage, and XaaS resource requires a name as part of the deployment process. Additionally, resources can be tagged with key-value pairs to assist in reporting, assigning security permissions, cost management, and other administrative tasks. We use standard cloud provider naming and tagging schemes, and customize them as necessary for our clients' unique business and administrative requirements.
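A naming and tagging scheme is only useful if it is enforced, so the practical companion to the design step is a compliance check that runs over the resource inventory and reports what deviates. The following is an added example, not code from the original post or from the consulting practice it describes. The naming convention (env-app-type-nn), the required tag keys, their allowed values, and the resource inventory are all assumed for illustration; a real run would pull the inventory from the provider's API instead of the constructed list below.

```python
import re
from dataclasses import dataclass

# Hypothetical tagging scheme: each required key maps to a rule.
#   None  -> any non-empty value is accepted
#   set   -> value must be one of the listed values
#   regex -> value must match the pattern
REQUIRED_TAGS = {
    "Owner": None,
    "CostCenter": re.compile(r"^CC-\d{4}$"),
    "Environment": {"dev", "test", "prod"},
    "DataClassification": {"public", "internal", "confidential"},
}

# Hypothetical naming convention: <env>-<application>-<resource type>-<two-digit index>
ENVIRONMENTS = {"dev", "test", "prod"}
NAME_PATTERN = re.compile(r"^(dev|test|prod)-[a-z0-9]+-(vm|db|bucket|vnet)-\d{2}$")


@dataclass
class Resource:
    name: str
    tags: dict


def check_resource(res):
    """Return a list of human-readable violations for one resource (empty if compliant)."""
    problems = []
    if not NAME_PATTERN.match(res.name):
        problems.append(f"{res.name}: name does not follow the naming convention")

    for key, rule in REQUIRED_TAGS.items():
        value = res.tags.get(key)
        if not value:
            problems.append(f"{res.name}: missing required tag {key}")
            continue
        if isinstance(rule, set) and value not in rule:
            problems.append(f"{res.name}: tag {key}={value!r} not in {sorted(rule)}")
        elif hasattr(rule, "match") and not rule.match(value):
            problems.append(f"{res.name}: tag {key}={value!r} has the wrong format")

    # Cross-check: the environment encoded in the name must agree with the Environment tag,
    # otherwise tag-based permissions or cost reports will attribute the resource wrongly.
    env_from_name = res.name.split("-", 1)[0]
    env_tag = res.tags.get("Environment")
    if env_from_name in ENVIRONMENTS and env_tag and env_tag != env_from_name:
        problems.append(f"{res.name}: Environment tag {env_tag!r} contradicts name prefix {env_from_name!r}")
    return problems


def audit(resources):
    """Map each non-compliant resource name to its list of violations."""
    report = {}
    for res in resources:
        problems = check_resource(res)
        if problems:
            report[res.name] = problems
    return report


# Constructed inventory for the example; names and tag values are made up.
SAMPLE_RESOURCES = [
    Resource("prod-payroll-db-01", {"Owner": "finance-team", "CostCenter": "CC-1042",
                                    "Environment": "prod", "DataClassification": "confidential"}),
    Resource("payrolldb", {"Owner": "", "Environment": "production"}),
    Resource("dev-web-vm-03", {"Owner": "web-team", "CostCenter": "CC-12",
                               "Environment": "prod", "DataClassification": "internal"}),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_RESOURCES).items():
        for p in problems:
            print(p)
```

Running the block prints one line per violation: the legacy-named "payrolldb" fails the name check and three tag checks plus the Environment value, while "dev-web-vm-03" is flagged for a malformed CostCenter and for a tag that contradicts its name. A check like this is typically run on a schedule and wired into the provisioning pipeline so that non-compliant resources are rejected before deployment rather than discovered in a cost report.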
As discussed in our Hybrid Cloud blog series, cloud data networks can be very simple, or extremely complex. Our design process includes identification of the key communication patterns (cloud to datacenter, office to cloud, human to cloud, cloud to Internet, etc.), and determining application, security, and scalability requirements for each pattern. The technical and business requirements are factored into the recommended designs which leverage both cloud provider-native services and certain 3rd party network services/devices as appropriate.
The core constructs of identity sources, access rights, rights groups, and account policies should be established early in the cloud deployment process. Most cloud providers enable synchronization from existing directory services (Active Directory) into the provider-specific directory service. This allows reuse of existing identities for a simpler end-user experience while allowing clients to maintain full control of the identity management lifecycle. The identity management design should incorporate not only human identities and permission schemes, but also provisions for access into your accounts by other SaaS products, occasional access by both humans and services (e.g., AWS IAM Roles), and rules for account lifecycle management and access key rotation.
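The access key rotation rule mentioned above needs something that checks it. Below is an added example of such an audit, not code from the original post or from the practice it describes: it takes key metadata of the kind a provider's credential report exposes and flags active keys that exceed a maximum age or have gone unused, which are the two conditions a rotation policy normally acts on. The 90-day and 30-day thresholds, the record format, and all user names, key IDs and dates are assumed and constructed for the example; a real run would fetch the records through the provider's API.

```python
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumed policy: rotate long-lived keys after this many days
MAX_IDLE_DAYS = 30      # assumed policy: disable keys that nothing has used for this long

# Constructed records shaped loosely like an IAM credential report; IDs and dates are made up.
SAMPLE_KEYS = [
    {"user": "deploy-bot", "key_id": "AKIAEXAMPLE0001", "created": "2023-12-20",
     "last_used": "2024-04-01", "status": "Active"},
    {"user": "alice", "key_id": "AKIAEXAMPLE0002", "created": "2024-03-20",
     "last_used": "2024-04-02", "status": "Active"},
    {"user": "old-vendor", "key_id": "AKIAEXAMPLE0003", "created": "2023-06-01",
     "last_used": None, "status": "Active"},
    {"user": "bob", "key_id": "AKIAEXAMPLE0004", "created": "2023-12-01",
     "last_used": "2024-01-05", "status": "Inactive"},
]


def _parse_date(value):
    """Parse a YYYY-MM-DD string as a UTC datetime; None stays None (key never used)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS, max_idle_days=MAX_IDLE_DAYS):
    """Return (user, key_id, action, reason) tuples for every active key that violates policy."""
    findings = []
    for key in keys:
        if key["status"] != "Active":
            continue  # inactive keys cannot authenticate; deleting them is separate cleanup
        age_days = (now - _parse_date(key["created"])).days
        last_used = _parse_date(key["last_used"])
        # A key that has never been used has been idle for its whole lifetime.
        idle_days = (now - last_used).days if last_used else age_days

        if age_days > max_age_days:
            findings.append((key["user"], key["key_id"], "rotate",
                             f"key is {age_days} days old (limit {max_age_days})"))
        if idle_days > max_idle_days:
            findings.append((key["user"], key["key_id"], "disable",
                             f"unused for {idle_days} days (limit {max_idle_days})"))
    return findings


if __name__ == "__main__":
    report_time = datetime(2024, 4, 5, tzinfo=timezone.utc)  # constructed "now"
    for user, key_id, action, reason in audit_keys(SAMPLE_KEYS, report_time):
        print(f"{action:8} {user:12} {key_id}: {reason}")
```

With the constructed "now" of 2024-04-05, the deploy-bot key is old enough to rotate but still in use, the alice key is fine, the old-vendor key is both overdue for rotation and never used (so it should be disabled first), and the inactive bob key is skipped. Separating "rotate" from "disable" matters in practice: a never-used key can be disabled immediately with no impact, while rotating a key that a service still uses has to be coordinated with that service. Where the post's preference for roles over long-lived keys can be followed, findings of this kind disappear entirely because temporary credentials expire on their own.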
While not all hosted application compute, network, and storage requirements will be known during the Cloud Foundation project, the cloud services anticipated to be used should be selected and configuration templates drafted. These design templates can be used to facilitate future application "infrastructure" designs as well as allowing a quicker transition from the design phase to the deployment of the required resources.
Operating and maintaining cloud deployments frequently requires different tools than our clients' legacy hosting environments. At the highest level, we divide the tools landscape into tools used for change, monitoring, and protection. Depending on the cloud provider resources anticipated to be used, the state of existing toolsets, and the desired level of automation within the new environments, we'll conduct selections of varying levels of detail and complexity. Key initial focus areas include the method for specifying, deploying, and changing the infrastructure-as-code cloud environment, security operations, and identity management.
Additionally, we work to determine the timeline of new tool deployments, dividing the timeline into "maturity levels" designed to deliver certain functionalities at key points of the cloud journey. We take this approach to tools deployment to better allocate resources during the cloud build process, while allowing onboarding of key processes as soon as possible.
Contact us and let’s discuss your cloud challenges – and check back next Wednesday for the next post: Dealing with Cloud Lock-in.