Timo Ahomäki explains how to recover from the complexity paralysis.
These issues largely follow a pattern familiar from previous years. While regulatory compliance, vendor lock-in and transition project costs hinder both mature and not-so-mature organisations, there were two other perceived barriers I wish to specifically address.
Among CMI respondents, the biggest barrier to cloud adoption by non-mature organisations is complexity of integration with current IT infrastructure. While not the toughest issue for mature organisations, integration complexity is still seen by them as an intermediate barrier, on par with legal compliance, for example.
But this is completely understandable. Complex, distributed systems are complex, of course. This complexity can seem bewildering, especially when transitioning from predominantly tightly coupled, on-premises architectures. Often, in addition to lacking clean APIs, tightly coupled architectures also lack well-established Identity and Access Management (IAM) regimes that manage distributed access, relying instead on direct access within a trusted perimeter.
Too often, organisations migrate to such environments through lift-and-shift projects to avoid refactoring of the applications. This approach, however, can lead to even more headaches – as well as loss of much of the elasticity and cost benefit available through cloud delivery. Instead, biting the bullet and refactoring the legacy applications into clearly defined functionalities that are meaningful from a business perspective will allow functionalities suitable for cloud delivery to be segregated from those that are not. Even without employing cutting-edge microservices approaches, such up-front investment may lead to better management of complexity and higher ROI for both cloud and on-premises delivery.
Perhaps the most surprising discovery in the latest CMI survey was the finding that cloud-mature organisations perceive IT security as their biggest barrier to further cloud adoption. Non-mature organisations, while recognising the issue, see security as one of many problems on par with vendor lock-in or transition costs. This initially seemed like a contradiction.
Cloud maturity, as measured by CMI, does not necessarily mirror cloud usage. It is therefore possible that some mature organisations have done their homework and have indeed found insurmountable security issues. This is, however, somewhat unlikely as a general statement outside of specific regulated environments. Given that the technical security measures offered by cloud platforms match or exceed those available for most on-premises environments, we should look elsewhere for an explanation.
One possibility may well be the relative immaturity of cloud security as a practice among security professionals. Similar issues of complexity that surface in IT integration discussions may well be at play here. The rapidly evolving cloud environments – with their unfamiliar security concepts – require new thinking in setting up security controls and, frankly, in the whole concept of trust and thus security risk in a shared responsibility environment.
In this light, I again advocate for breaking problems into pieces. There is not – and honestly never has been – a one-size-fits-all set of security controls for all environments. A careful analysis of the security risks and how to mitigate them will reveal where cloud services offer new benefits and where they do not. At best, the vast availability of security tools in cloud environments enables organisations to markedly improve their security postures. However, mature organisations know when and how to utilise the cloud.
As noted in my previous blog, one key to reaping the rewards of the cloud is having a cloud strategy derived from the overall business strategy of the organisation. Understanding the drivers and inhibitors of the business will help place cloud opportunities and challenges in their proper perspective. Integration complexity and security are two examples of seemingly technical challenges that cannot be solved without a linkage to business strategy. As is always the case with managing complex systems, an elephant is best eaten in pieces.