AWS S3 Disruption Explained
AWS S3 Disruption Explained
Journey to the Cloud
A quick heads-up, I’ve tried to capture 6-8 months worth of insights and experiences into this blog post so it is a bit lengthy. Stick with me - I’ve tried to be a succinct as possible.
The concept of ‘Cloud Computing’ is now probably at least a decade old. Over that time it’s matured from ‘someone else just hosts your hardware’ to a ecosystem of platforms & tools which simply aren’t available in an ‘on premise’ model. What started out being about cost savings related to hardware, cooling & power has become about new models of service delivery that are global, always on and feature rich. If you’ve been in technology for a while you will remember the wave of Application Service Providers (ASPs); that’s still how a lot of people think about cloud - as a progression of ASPs.
The unfortunate fact is that many CIO/CTOs still see the cloud as it was half a decade ago - racks & racks of servers with some virtualisation functionality over the top. That’s why I think most have 'moving to the cloud’ on their list of priorities but the actual rate of cloud adoption - especially in government - has been so low. They simply don’t see the real value in it.
Heads up to the vendor community: you’re not pitching the value proposition of cloud right, in my humble opinion.
Cloud isn’t a progression of on-premise technologies - it may have started there but it’s evolved to being a whole new branch of technology. This new branch puts many technology leaders into an uncomfortable situation - having to say ‘I don’t know’ or falling back to old mental models & concepts which simply don’t apply in the cloud world.
It’s certainly something I had to traverse as we made our move to cloud - the things I’d learnt setting up on premise hardware and software wasn’t all that relevant in the world of software defined networking and ‘hardware as code’.
Office 365 isn’t hosted Microsoft Outlook in the cloud. It’s a richer set of productivity tools which at times (with some of the artificial intelligence components) feels like having a personal assistant for every employee in your organisation. Don’t click accept on that meeting - it’s a diary clash. Use the focus feature in your inbox - it will help you ensure you’re always dealing with the priority items first. Are you sure you want to send that email - you’re sending it outside of your immediate organisation. Why not click 'like’ instead of sending yet another reply email? All those things may seem trivial but they add value to the everyday lives of your users.
For the longest time many people have thought of mobility as being about connecting people to the experience they have in the office but from anywhere. When you migrate to cloud you realise that mobility is about work simply being ‘there’ whenever you need it, on your terms. It may seem like a subtle difference but it fundamentally changes the way you approach things.
Platform providers such as Amazon Web Services allow you re-think how you build and run digital services. Things such as serverless architecture, microservices, APIs and event driven platforms such as Lambda completely redefine how digital services are delivered. Chatbots and artificial intelligence allow you to forget about 'antiquated’ things like user interfaces and allow your users to simply speak with you application. Rod Drury demonstrated the work Xero - who are the leading edge of harnessing some new AWS technology - are doing with chatbot technology at the recent Xerocon. And all these tools are ‘evergreen’ - they change and improve on an almost weekly basis.
Over the past 6-8 months our agency has been quietly forging a path to the cloud. Everything new we’re are doing is based on a genuine 'cloud first’ principle and we have steadily implemented a number of services using public cloud technology AND the all of government assurance advice which so I hear so many people talk about being prohibitive to cloud adoption. It isn’t.
The guidance and advice - including the cloud assessment tool - are based on information security good practice. To effectively use the tools you need to see them as an enabler (just like the brakes on a car are enablers to go faster) and have a reasonably mature approach to organisational risk management. It’s essential to remember that the move to the cloud is about enabling digital business as much as it is about a change in technology - you will need the buy-in and support of your top table to make the transition and realise the benefits of cloud.
Understanding the types and classifications of the information your organisation handles is central to starting your shift to the cloud. Data security and sovereignty requirements do become more stringent the higher you go up the classification stack and there definitely isn’t a ‘one size fits all’ approach. Like anything risk related its about understanding the risk in the context of the end to end product or service. Sometimes it makes sense to accept a reasonable risk if it creates a better customer experience, at other times you run straight into a wall. Cloud is an ever changing space and embedding these risk management practices into your organisation is an essential part of making the shift.
As with all templates the focus should be about the process you go through - not on filling in the template. Robust organisational risk management will require your tier 1 & 2 leaders to sign off on the process you’ve gone through and accept any residual risks. It’s about creating risk understanding & awareness and then moving forward into accepting the risks (as an organisation) where the benefits outweigh the risks.
Understanding the state of your current environment - and the risks you already have but haven’t thought much about perhaps, like reliance on key individuals - is another integral part. Do we understand our underlying network and security infrastructure well enough to start connecting out to the cloud? Do we have the people & capabilities? In our case we recognised that whilst we understood our technology very well there were gaps (understandably) in our understanding of cloud platforms & infrastructure - so we sought out partners to help us make the move and upskill our teams.
If you feel you don’t understand your current environment well (those thousands of firewalls rules built up over years??) then my advice is to stop - do some housekeeping. A hybrid cloud approach is only as good as the infrastructure that links it together.
We found quite a few vendors were willing and ready to help - the joys of being early adopters, but that was always part of our plan. We didn’t have a significant budget to make the move to cloud so we looked at how we could use resources available from partners and vendors to help us manage our costs.
My team and I spent 3 months before we migrated or provisioned anything really developing an understanding of what cloud really meant (not just assuming it’s about ASP 3.0+) and explaining those benefits to our leadership & management. Understanding, and demonstrating, how cloud links to your organisational strategy and goals is essential at this stage.
At the same time we started on the GCIO assurance processes early - understanding the intent behind the templates and ensuring we were taking our leadership with us. We ran workshops on good risk management practices for all business application owners and integrated risk management into all of our initiatives/projects. We also instilled a clear understanding that you cannot outsource risk.
Being a reasonably risk-averse organisation we decided quite early on that we wouldn’t do ‘big bang’ migrations. For example when we moved to Office 365 we did several rounds of data synchronisation, to confirm everything worked as expected, before doing a final sync when we cut-over from the old email service. It allowed us to move millions of email & calendar items and hundreds of mailboxes with almost no user impact - there was some training required on how to use Outlook for some people not familiar with it.
Part of the change to cloud for us was around digital literacy and getting our people more comfortable with technology. The evergreen nature of cloud products gives people an opportunity to explore new features & functions and figure out what works best for them and their style of working. It builds their confidence in using technology and from what I’ve seen is actually really empowering to the average user. We also work in a sector that had long adopted cloud technologies in schools and so this was an opportunity for us to catch up.
We communicated a lot with our users - I don’t think you can over communicate when making wholesale change - and even then we still had our fair share of users who didn’t read the communications or complete the pre-migration tasks. To some extent we expected that and as a contingency had a great team of both IS people and business champions available throughout the organisation at critical points; like go-lives.
We continue to learn as we go, bringing more and more cloud services online. We are using the toolkit we’ve built along the way to make decisions as we go. Our tier 1 and 2 stakeholders are onboard with what the cloud, platform-based approach to transforming our business means for them and we are continuing to do education & awareness sessions on new concepts and services as we move forward.
The move to cloud has had implications for our IS function. We are lifting our focus from running servers & switches to managing service delivery & the customer experience. We have spent a lot of time with our teams talking about the changes cloud brings and helping them understand what its likely to mean for them. We will continue to focus on people & culture as we move forward.
Making people feel safe is at the heart of the cultural change. We are removing blame from the equation and instead focusing on making trying new things safe and learning as we go. I can’t overemphasize how critical a safe culture is to innovation and high performance. Countless studies have show it to be the major contributor to how well teams work together and get things done.
Our processes and practices are changing too. For example, treating servers as code changes the way you do testing and release management. Serverless architecture simply means you no longer care about servers & environments - they truly become cattle, not pets.
Over the past few months we have deployed a range of cloud services and tools:
- Office 365 incl. Skype for Business (and support infrastructure)
- Single-sign on and identity provider to enable the use of a range of cloud services and mobility
- Mobile device management toolset
- API Gateway and Infrastructure (including API store front) as well as a number of version 1.0 APIs
- AoG ECMS as a Service (ECMaas) on Amazon Web Services, working with the GCIO on making this a catalogue offering available to others
In the coming few months we will go live with a Digital Moderation solution based on Amazon Web Services (using some of the services we have already put in place) and our Digital Assessment solution will be cloud based to support the goal of any time, any where 21st century skills assessment.
We’ve learnt plenty along the way and will continue to learn as we go - I’m happy to talk through our experiences in more depth (coffee and whisky both accepted) and see where you can benefit from what we’ve tried & learned.
In the medium to long term I see us shifting more and more workloads into the cloud and using that change to transform the business and the enabling technology. I don’t think we will ever be in a position to have everything cloud based instead we will run some kind of hybrid model.
We are a good part through a Windows 10 roll-out which wiil bring those evergreen concepts to our desktop, laptop and tablet users and create a platform for further cloud adoption.
What cloud allows us to do is to re-engineer our business to focus on our customers and core, high value business functions whilst having the support functions and services delivered in a modern, dynamic and fit for purpose manner.