A crash course in disruption
If businesses needed a reminder of how critical it is to be able to act quickly amid volatile conditions, the coronavirus pandemic has certainly provided it.
The outbreak and its subsequent economic impact have upended long-established business models, supply chains and consumption patterns virtually overnight. Some enterprises are being forced to grapple with demand spikes, others confronting a demand collapse. As more interaction and transactions are forced online, technology resources come under strain. Companies and workforces in many markets have been dealing with more network slowdowns and outages, which reached unprecedented levels as the virus surged. The need for flexible, cloud-based computing architecture, and the resilience and responsiveness it can deliver, has never been more apparent.
Global network outage events
For all the distress the coronavirus has caused, most businesses would agree on a couple of things - it’s not the last crisis they’re likely to face, and in many respects it’s exacerbated pressures that already existed, but were perhaps easier to ignore. Realistically, enterprises have to be ready for disruption as a matter of course.
Whether in technology, regulation, the competitive landscape or customer expectations, the pace of change means every business is regularly called on to manage transformation and navigate shifts to a degree that was unthinkable just a couple of decades ago. Viewed in that context, cloud doesn’t just provide the elasticity to ensure an organization can weather the pandemic and its aftereffects. It grants access to the speed, agility and collaborative capabilities that a digital business environment has demanded for years, and will demand even more in the future. These capabilities come at a cost; cloud requires significant and sustained investment, and a clearly defined strategy. But as some early adopters are demonstrating, the end result is a competitive edge.
Why cloud (sometimes) goes wrong
When cloud is done right, that is. The caveat is necessary because for all the rapid growth in cloud adoption and high-profile success stories, it has to be acknowledged that cloud investments don’t always deliver the expected benefits.
Research has shown up to a third of companies see few to no organizational improvements as a result of cloud adoption. In some cases cloud may create more problems than it solves; in one recent study, 74% of enterprises reported moving an application into the cloud then back into their own infrastructure, primarily due to concerns about security and performance.
Organizations that moved applications back from the cloud
Yet the coronavirus outbreak has also highlighted the ability of some companies - take Netflix or Zoom for example - to leverage the cloud to scale into unprecedented levels of demand, with minimal fuss and seemingly overnight.
So what separates a cloud adopter from a business that’s cloud-centric, or a solid cloud strategy from one that stumbles? According to Thoughtworks experts, it starts with a few guiding principles.
The cloud doesn’t stop at infrastructure
A lot of the struggles with cloud are based on a common misconception. Since many organizations are drawn to cloud initially by promises of limitless storage and processing power, the assumption is it’s a straightforward replacement for in-house hardware. So when the time comes for a cloud migration, “there’s a tendency to say it’s the infrastructure team’s responsibility, and to leave them to it,” says Kief Morris, Thoughtworks Cloud Practice Lead and author of the book Infrastructure as Code.
The reality is that adopting cloud architecture touches on many more layers of the organization. Unless software, networks, systems and practices are optimized for an environment where resources are more dynamic, the enterprise is likely to simply replicate old bottlenecks in the new cloud environment.
“The cloud isn’t simply a change of infrastructure from on-premise to a virtual environment you no longer have to maintain yourself,” says Scott Shaw, Director of Technology at Thoughtworks Australia. “Because everything becomes software-defined, you have to manage it as software. You still need all the knowledge about networking, security and infrastructure. But you have to manage it using software engineering, not infrastructure approaches.”
The upshot is that cloud isn’t a one-time transition, but an ongoing process. Cloud vendors may provide the backbone - but it will be down to the individual organization to ensure their systems and applications thrive in the new environment.
“Software makes assumptions about the kind of infrastructure it’s running on, and with the cloud everything is much more fluid,” Morris says. “When software is built for the cloud, it’s able to handle running on infrastructure that changes without notice. This is key to getting the advantages around scale, because if you take older software and put it on the cloud so it can scale up to five times as many servers, it won’t just magically seize the opportunity. It assumes someone will come and do the installation by hand.”
“A lot of businesses invest in their cloud environments without the engineering practices that we would normally associate with a business-critical asset,” Shaw adds. “Test-driven development, modularization, abstraction, encapsulation, version control, continuous integration - all these things can and should be applied to infrastructure automation if you want to maintain that asset in an optimal state over time.”
See cloud in terms of capabilities
The best way to conceive of cloud is beyond terabytes or units of server time, as “an overall approach to the componentization of technology capabilities that enables developers to build software faster - and that takes away a lot of the operational management burden of those capabilities,” says Ryan Murray, Thoughtworks Director of Digital Platform Strategy.
Optimally deployed and managed, cloud doesn’t just boost computing power - it redraws the frontiers of what the enterprise can do. “The main benefit of being on the cloud is the new operating models it can give you,” says Ranbir Chawla, Principal Consultant at Thoughtworks.
Virtualization is a good example. At its most basic, cloud can virtualize a mainframe to reduce the need for maintenance or physical space - but why not take it one step further and virtualize the same mainframe many times over, so the old limitations on the number of applications the enterprise can build and manage at once are blown out of the water?
Traditional vs. Virtual Architecture
“The advantage of that is that you can start thinking about innovative release and software development cycles that couldn’t exist when your infrastructure was physical,” Chawla says. “Yet companies don’t take advantage of that virtuality, or ability to experiment.”
Cloud also opens “great opportunities for companies to unlock future businesses by understanding their data,” Chawla adds. More cloud providers are developing platforms that give companies on-demand access to artificial intelligence and machine learning solutions, enabling a ‘plug and play’ approach with components that they might struggle to develop in-house. “It’s hard to do machine learning and AI on premise - it takes knowledge, it takes hardware and it’s a different skill-set. But on the cloud, it’s literally at your fingertips.”
That access paves the way for more data-driven approaches to development where customer feedback is seamlessly collected, analyzed, and directly translated into product enhancements or even new products; and that makes it feasible to spot customer or market trends while they’re still taking shape. In volatile times, anticipatory intelligence of this kind can rapidly become a business’s biggest asset.
Drive organizational change to produce under pressure
Yet these advantages will remain out of reach if teams and workflows aren’t realigned around the cloud environment, to ensure they can tap its speed and agility when it counts. Becoming cloud-native entails organizational as well as technological change.
Take technology governance. Left to manage cloud alone, some infrastructure teams may fall back on the practices that controlled access to on-premise data centers, immediately slamming the brakes on any potential gains.
“We’ve had clients spend millions on a major cloud investment or buy API-driven, cloud native software, and then put a whole team and tickets in front of access to those systems,” says Chawla. “All of a sudden all those benefits of innovation, of immediate accessibility, of experimentation are gone.”
This can be prevented by setting up a governance ‘triangle’ that also involves the security and engineering teams, creating a mix of opposing interests that ensures the approach to cloud strikes the right balance of managing risk and enabling innovation. “Infrastructure is interested in stability, the security group is interested in protecting assets, while the engineering group is trying to go fast and stands to reap significant benefits in terms of speed, agility and capability from cloud,” notes Murray.
Needless to say, any attempt to rope together these - at times competing - actors requires strong support from senior management. “There’s no way you can actually make those three organizations come together and function effectively if you don’t have a C-level mandate that drives the incentives down, as well as the message that the goal of the organization is to ship software as fast as possible within risk, reliability and security constraints,” says Murray. “You also need to change the operating model to allow this decisioning to happen in day to day work.”
In essence management has to ensure that transparency and collaboration are not just the new watchwords for governance, but permeate the development process.
“In the past, once an application was delivered it was handed over to an operations group which would have ways of escalating incidents, and it wasn’t until the very end that the team responsible for maintaining that application might get involved,” says Shaw. “They’re going to need to get involved much more quickly. Development teams will have to change, to add operations into their skillset, to understand how to build software so they can find out what’s going on with it in production and fix problems.”
Business leaders should also be aware of the changes cloud can bring to operating cost models. The assumption is often that cloud will generate savings by reducing the expenses associated with maintaining (and constantly expanding) on-premise infrastructure, but the reality is more complex. What’s more, excessive focus on costs may blind companies to cloud’s more compelling opportunities.
Chawla notes that cloud tends to absorb parts of the budget that companies don’t anticipate, such as software licenses. It also doesn’t necessarily adhere to old annual budgeting cycles. Costs may not be fully visible until projects are up and running, and can (and should) be optimized on a rolling basis.
“There’s much more of a learning curve for finance,” he says. “They can’t just show up once a year. They should be part of the feedback loop, part of your cloud center for excellence, immediately.”
“Cloud delivers primary value as an accelerator, not as a cost savings engine,” says Murray. “Many enterprises will see rising costs unless it’s carefully managed - some due to lack of oversight and some due to seizing delivery acceleration opportunities that use more resources than would have been available on-premise. But given cloud provides such a wide range of utility services, talking about ROI on a cloud investment is a bit like trying to calculate ROI on your electricity investment.”
Ultimately in the cloud journey, as in product development, questions about where or how much to invest, and which projects to prioritize, have to be examined in terms of value to the customer or end-user.
“When people ask me what infrastructure tools they should have or what cloud features they should use, the questions I have are: What you are trying to achieve, and what do you need to be delivering to users?” says Morris. “If that’s not clear, you need to stop and work out the user journeys, the offerings and the products first. Then bring it down to identifying the software you need to build to deliver on those things.”
Considering the degree of change involved in a cloud transition, particularly for large enterprises, an incremental approach where transformation is pursued in “vertical slices” can be less jarring - and reduces the chances of problems only becoming apparent when it’s too late to alter course.
“Rather than starting with a piece of infrastructure or particular application, start with a customer need, whether it’s to add a new product or feature, or improve an existing product,” Morris explains. “Pull together all the people that are needed to make that happen from across the stacks. Tackle a slice that’s small enough to start with and tractable. The important thing is to get the feedback cycles, to get something out into users’ hands so you get their input and find out whether it worked and what could be better.”
Deliver value in thin slices to support your cloud strategy
Learn to look at security differently
The cloud also necessitates new security practices - though perhaps not in the way business leaders expect. Research shows security vulnerabilities remain by far the biggest concern for companies contemplating a cloud transition, particularly when it comes to the public cloud (that is, cloud services provided by third-party vendors via the public internet). Most fears center on possible data loss and breaches of confidentiality.
The reality is the formidable resources deployed by major vendors make public cloud services far more secure than the typical enterprise systems. “There’s no one on the planet doing infrastructure security better than the major cloud providers,” says Murray. “They know more about security and threats than anyone else ever could, because they’re operating a large part of the world’s internet infrastructure and seeing the attacks first.”
Enterprises need to learn to distinguish between infrastructure security - most of which is outsourced to cloud vendors - and application security, which they must address as they build and manage software on the cloud. Historically, enterprise security teams have been more infrastructure-focused and may lack the software capabilities needed to achieve security outcomes in the cloud environment.
Security in public clouds
“If your security organization doesn’t have a development team that can go in and build and execute the guard rails, or doesn’t know how to leverage the APIs, they won’t be able to secure your cloud,” Chawla notes.
Cloud calls for a more iterative, risk-based approach where security isn’t a series of constraints introduced at the beginning or end of the process, but a shared responsibility, integrated into development through exercises like threat modeling workshops.
“Security people need to be going into development teams and working with them to understand what they see as the important threats, and providing the tools they need to respond,” says Morris. “As a developer, I shouldn’t have to wait until I’ve got a release ready to go for it to be tested to find out whether it’s secure. It’s too late by then - and it’ll be very expensive to fix.”
As with development, security in a cloud environment may require teams to be more collaborative, dynamic, and even to learn new or retool existing skills. But despite that, it shouldn’t be viewed as problematic, or a burden that’s likely to slow the company’s progress - in fact, the opposite is true.
“In the old world of hardware and large monolithic assets, it was considered more secure to throttle change with toll gates and security reviews under the assumption that your existing site was secure and any change might introduce a vulnerability,” says Shaw. “But in the cloud-native world, the faster you can move, the more secure you are. The assumption is that you’re fundamentally vulnerable all the time and an attacker may have already gained access. By continually renewing and rebuilding your hosting environments, you’re always returning to a safe state and able to quickly roll out patches when vulnerabilities are discovered.”
“Cloud (providers) are becoming much more effective at giving sensible defaults or even higher-order services that reduce some of the risk, but there are fundamentally still some spaces in which developers will have access to new tools that they don’t know how to use securely,” says Murray. “However the solution to that can’t be to not go to the cloud, because inherently the cloud can only be more secure.”
“The way to respond is organizational education, organizational structure and making sure operating models get updated for the speed of delivery and tooling cloud provides,” Murray adds. “You should never look at the cloud as a risk to security - only an opportunity.”
Base the vendor and cloud mix on business realities
The rapid growth of the cloud space means enterprises have more options then ever when it comes to cloud structures they can adopt, from private clouds delivered over dedicated networks, to hybrid models that blend private, public and on-premise infrastructure, or multi-clouds that spread resources over multiple vendors and hosting environments.
The optimal choice for any given organization, says Morris, should emerge naturally based on business requirements. “The first thing you need to do is build up the capability and competence in cloud, then start to tackle the bigger picture. It’s rarely a good idea to start at the strategic level and say you’re going to make everything run on a certain cloud, because you don’t necessarily know the best answer in advance.”
Decisions can be dictated by regulatory, business or other conditions. In some markets, only one viable cloud vendor may be available. Multi-cloud strategies can also make more sense in highly regulated industries like finance, where certain mission-critical applications or kinds of data warrant different levels of access or security controls.
The other big choice is which vendor (or mix of vendors) to engage. The dominance of a handful of massive cloud providers has fueled much agonizing over the balance of power between vendors and customers, and driven a shift to multi-cloud as more companies seek to hedge their bets.
Worldwide IaaS Public Cloud Services Market Share
Multi-cloud strategies can also benefit the business by providing access to a particular vendor’s strengths, or better pricing arrangements. At the same time, as many firms have discovered, juggling or switching between multiple vendors can significantly complicate the many challenges of cloud deployment and management.
Ideally the enterprise and its primary cloud vendor forge “a very intimate relationship,” Chawla says. “You want the vendor to understand your business, and to care. If you do it right you’re going to have a great opportunity to leverage them again to help you build what you want to build. Managing any cloud vendor, getting your systems up and running, teaching everyone a new way of working is complex. And it’s not linear when you take on the next provider. You have to learn a whole new suite of concepts and processes.”
“Strong commercial and architectural relationships with your cloud vendor can yield a lot of value,” agrees Murray. “Always engage your cloud provider as a strategy partner in your efforts. Large organizations with significant spend can be marquee customers, getting significant discounts and technical support, even driving the cloud provider’s product roadmap.”
Shaw points to business criticality as another important factor to consider. For projects with a defined start and end that aren’t likely to require ongoing maintenance - a website set up for a special event, say - companies can entrust everything to a single vendor and take advantage of all the associated productivity gains with near-complete peace of mind. Longer-running, business-critical assets may be a different story.
Biggest challenge of managing multiple cloud providers
“If you’re building a core system that you’re going to have to maintain for 20 years, you have to understand the relationship you’re entering into. Do you really want to put all your eggs in that one basket? Or put structures in place that lower the risk of having to move the asset to a different vendor some place down the road? You’re going to pay now to build in the portability necessary, or pay later to re-platform, which almost never goes well.”
The guiding principle, says Chawla, should be to pursue portability when there’s a business need - not simply for the sake of it.
“Don’t put half your e-commerce system on one platform and half on another based only on the notion that you might get mad at a cloud provider and walk away,” he says. “Engineering leaders tell us all the time they spent millions of dollars and hours to be portable and never left - and now they look back and see it as a waste. If you’re going to be multi-cloud that’s cool - but there has to be a case, and you’ve got to be able to manage the complexity.”
Brace for more change - for the better
Overall Thoughtworks experts feel companies are just beginning to grasp cloud’s full potential - and in many ways, that’s a great thing.
As cloud technologies develop, the opportunities will multiply. After the coronavirus epidemic has passed, businesses are almost certain to face further upheaval, but cloud will continue to evolve and support the gains in resilience, speed and performance that enterprises need to stay ahead.
Some of the more exciting possibilities will emerge around the expanding frontiers of data - particularly edge computing, the trend of cloud decentralizing and moving closer to data sources to enhance agility and velocity. The massive proliferation of data sources will have consequences for complexity, but will also open new paths for enterprises to build their knowledge of and connections with end-customers.
“The edges of the cloud are going to get a lot less distinct,” Shaw says. “It’s moving into our houses; it’s going to be in our pockets. We’ll see the emergence of a lot more edge devices, as the devices that generate data get more prolific and the quantities of data that we need to gather, store and understand store get bigger and bigger.”
Cloud providers are also hard at work refining higher-level services, whether cloud-based AI or containerization systems like Kubernetes that can vastly simplify the development and management of multiple applications.
“The components that developers can assemble from cloud vendors will get more and more macroscopic, and more and more powerful over time,” says Murray. “You’ll continue to see vendors start to create more verticalized solutions that solve specific business problems.”
The upshot will be massive growth in the technology resources and capabilities companies can access on an on-demand basis, without necessarily needing to know everything about the coding and architecture that underpin these services.
In other words, Morris says, the whole promise of cloud as a versatile, ubiquitous self-service platform will move a lot closer to reality. “If I can write an application, package it, get my configuration, store my data in very standard ways, then I don’t need to go and ask somebody every time I decide to make a new one,” he says. “I know exactly how to do it in a way that’s secure and works correctly.”
This means even as companies grapple with a pandemic, each step to building a cloud strategy now is an investment in future capacity to change and innovate at speed and scale - the ultimate toolkit for an environment that will likely never again be quite ‘business as usual.’ For all the challenges associated with cloud, that makes inaction an even bigger risk.
“Across major industries, everybody is scared now,” says Chawla. “If in your industry there are a lot of companies left to go on the cloud and you're the next one to do it successfully, you’re magnitudes ahead of the organizations that you left behind. It's a massive competitive advantage and it takes just that one courageous C-level executive to pull the plug out and get it done. Make it happen.”