The Inner Circle

  • 1.  Simple effective cloud adoption and strategy

    Posted Aug 21, 2021 05:18:00 PM

    Hi All,
    As line two looking at cloud risk, I want to know what strategy / architecture can be adopted for a customer (banking) who has so far adopted cloud in a fragmented manner with no centralized model (dump things here and there, open tenants here, tenants there across AWS, Azure, Google), causing a whole painful and time-consuming yet inefficient cloud / tenant reassessment for risk and security teams every time they open a tenant or introduce a cloud service, etc. The aim is to achieve simplification and consistency across cloud controls and ongoing cloud assurance and assessment. I am looking for a recommendation / strategy to rectify what is already in place and avoid ad hoc, ineffective cloud adoption as business initiatives come up: a robust model / approach to address the above-mentioned challenges. Please also share any articles / resources on this matter.
    Thank you in advance.



    ------------------------------
    Rys Mans
    Cyber Manager
    Banking
    ------------------------------


  • 2.  RE: Simple effective cloud adoption and strategy

    Posted Aug 23, 2021 08:11:00 AM
    Hello Rys,

    You have raised a very valid point. I have seen numerous organizations adopting an ad hoc approach or project-based cloud adoption strategy, which works in the short term but creates a huge management problem if it does not follow a well-planned and consistent approach. It could lead to management issues, be it related to operations, security or cost. The biggest challenge that I have seen is that, since cloud workloads are not mainly dependent on the on-premise datacenter, each project team can pick and choose a cloud to their liking.
    Organizations do understand the cost-benefit factor when it comes to comparing cloud with on-premise data centers, but at the same time, if they do want to truly benefit from it, they should induct Cloud Practice leaders or qualified cloud architects, and give them the authority and mandate to draft business-driven cloud frameworks so that each project team and stakeholder strictly follows them.
    CSA CCM is one such framework that can help, but it is more aligned to security. Others are more vendor-driven. I can surely help with giving high-level pointers based on my 6 years of Cloud Architect professional experience.

    ------------------------------
    Shaharyar Shaikh
    Principal Cloud Architect
    Oracle Corporation
    ------------------------------



  • 3.  RE: Simple effective cloud adoption and strategy

    Posted Aug 24, 2021 09:36:00 PM
    Rys,

    If your main concern is related to security, then of course CSA material is unequaled.

    If you want to read about a systematic approach to cloud business case, adoption, deployment and governance, then please look at the various guides and papers at www.omg.org/cloud (under "Published Deliverables").

    If you want guidelines that are specific to financial institutions, then:
    1. CSA has a financial services WG
    2. ANSI X9 is preparing a standard called X9.125, which will be at the intersection of security/privacy and the financial vertical. I can get you a working draft if you ask.
    4. Mick Talley from University Bank, who is part of that committee, could probably give you some direct advice (he likes to talk, so it won't be hard to get him going...): [email protected]

    Regards,
    Claude Baudoin


    ------------------------------
    Claude Baudoin
    cébé IT Knowledge Management
    Co-Chair, OMG Cloud Working Group
    https://www.omg.org/cloud
    ------------------------------



  • 4.  RE: Simple effective cloud adoption and strategy

    Posted Aug 23, 2021 08:31:00 AM
    Hello Rys,

    This is something I've also been looking into. One book by Gregor Hohpe that is on my reading list (I haven't gotten to it yet, so I can't give a complete opinion, but reviews seem good) is:
    Cloud Strategy - A Decision-based Approach to Successful Cloud Migration - The Architect Elevator

    Best wishes for your success in this endeavor.

    Robert

    ------------------------------
    Robert Pereira CCSK
    ------------------------------



  • 5.  RE: Simple effective cloud adoption and strategy

    Posted Aug 23, 2021 08:33:00 AM
    I think it is unlikely in an org which has shown a track record of decentralized decision making that you will get support for new, centralized control, unless there is some catastrophic security event, or maybe regulatory pressure. (Having been in the heavily regulated big banking world years ago it seems odd that they would allow such ad hoc adoption, perhaps this is a small bank.)

    I would, however, check for confirmation bias - why/how is it ineffective? Simple for the security team or simple/effective for users? Just because it doesn't follow whitepaper best practices, is that demonstrably bad? Is it just the security team who is inconvenienced but the business is agile and running smoothly? Are there real concrete security issues disrupting the business or just hypothetical FUD? Data for any of these concerns? Data on why something else would be better? Does the maturity level of the business match the maturity level the security team is trying to be?

    I think your concern is valid, but often the security team is disconnected from the business. Those have to be integrated for anything to be effective long term. Security should be an enabler of growth, not a constraint. If there is an unwillingness to integrate from either side, well, you have your answer. Maybe time to look for better prospects elsewhere.

    ------------------------------
    Robert Ficcaglia
    CTO
    SunStone Secure, LLC
    ------------------------------