Each organization has a unique journey to the cloud based on its own starting point, its history, its culture, and its goals. This document is designed to meet you wherever you are on that journey and help you build or reinforce a solid foundation around cloud application development and operations, service management, and governance.
At Microsoft, we have been on our own journey for the past decade, and over those years we have learned important lessons by developing our own internal and customer-facing systems. At the same time, we have been fortunate to share the experiences of thousands of customers on their own journeys. This document is designed to share those experiences and distill them into proactive guidance. You do not need to follow these recommendations to the letter, but you ignore them at your peril. Our experience has shown that a careful approach to these topics will speed you along on your organization’s journey and help you avoid well-understood pitfalls.
In the early stages of cloud adoption, many IT organizations feel challenged and even threatened at the prospect of the journey ahead, but as those organizations engage, they undergo their own evolution, learning new skills, evolving their roles, and in the end becoming more agile and efficient technology providers. The result often turns what is perceived as a cost of business into a competitive advantage that makes it possible to redefine long-believed limitations. In many cases, what emerges are new business opportunities.
An important concept covered in this book is a strategy for identifying and moving specific workloads based on their actual value to the business. Some emerge in a new form infused with cloud design principles that were not available in the past. Others receive targeted improvements to extend their lifetimes. Still others move as-is, using the “lift and shift” approach that requires minimal change. Because of the unique capabilities of the Microsoft Cloud and the Microsoft Azure platform, workloads that must remain on-premises because of latency or compliance requirements can still participate fully in the journey, because an organization can run Azure services on-premises using Azure Stack.
After the cloud is envisioned as a means for the company’s further evolution, the next steps need to be prepared and implemented. A clear vision helps you keep track of your actions and prioritize them so that you achieve quick wins while keeping the focus on the digital transformation. Cloud readiness is the next phase. To be clear, cloud readiness is not limited to a traditional waterfall project with its highly structured work breakdown structure (WBS). An Agile Scrum approach can be very successful, too, provided the cloud vision and the desired outcome are well defined.
Cloud readiness framework
A readiness framework can help you to embed your cloud activities into your existing procedures, operational tasks, and responsibilities to make sure that you, as the enterprise, stay in control of your cloud journey. For some companies, creating a readiness framework is a huge task because it challenges their existing structures in very demanding ways. But that is the basic principle of the digital transformation.
Azure Active Directory is the identity repository for other Microsoft Cloud services like Microsoft Office 365 and Microsoft Dynamics 365. Many enterprises choose to synchronize all or a major part of their on-premises Active Directory with Azure Active Directory. Microsoft’s recommended technology for this is the Azure Active Directory Connector, which is free of charge. In this way, companies remain in control of their corporate identities. Combining synchronization with federation services is possible and is very often used as a means of stronger control.
Development of an operations model for cloud services
One part of the framework is an operations model that is fit for the purpose of cloud services. The crucial point for many customers is the shift away from an often years-long outsourcing model with a huge number of infrastructure components to an Agile model with a blend of infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). To be clear, a cloud provider is worlds apart from an outsourcing provider, and we have seen customers that needed to evolve to this new way of interacting and of defining responsibilities in order to operate their new cloud services successfully.
Cost and order management
To achieve a level of cost transparency and to be able to assign cost alerts and limits, the Azure monetary model must be integrated into the adopting company’s processes. We cannot fully describe the requirements here, and they can change in future versions of Azure. Sample requirements are Azure Usage and Azure Rate Cards. These are supported through the Azure Billing API, which you can use to build your own billing solution. Typical scenarios include the following:
- Azure spend during the month
- Set up alerts
- Predict bill
- Pre-consumption cost analysis
- What-if analysis
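The first three scenarios in the list above, worked through as an added example (not code from the book): pricing aggregated usage against a tiered rate card, projecting the month-end bill, and raising budget alerts. The usage and rate-card records are constructed inline and are assumed to mirror the fields the Azure Usage API (MeterId, Quantity, UsageStartTime) and Rate Card API (MeterId, IncludedQuantity, MeterRates keyed by tier start) return; the field names and threshold values are assumptions of this example.

```python
"""Month-to-date spend, bill projection and alerting from usage and rate-card
records. Added example, not the book's code; record shapes are assumed."""
from collections import defaultdict

# Constructed rate card: MeterRates maps the start of each quantity tier to a
# unit price, so VM hours above 100 cost less per unit (assumed structure).
RATE_CARD = {"Meters": [
    {"MeterId": "vm-a1", "MeterName": "A1 VM Hours", "IncludedQuantity": 0,
     "MeterRates": {"0": 0.10, "100": 0.08}},
    {"MeterId": "storage-gb", "MeterName": "Storage GB", "IncludedQuantity": 5,
     "MeterRates": {"0": 0.02}},
]}
# Constructed usage records for the first 10 days of the month.
USAGE = [
    {"MeterId": "vm-a1", "Quantity": 90, "UsageStartTime": "2024-03-01"},
    {"MeterId": "vm-a1", "Quantity": 60, "UsageStartTime": "2024-03-06"},
    {"MeterId": "storage-gb", "Quantity": 25, "UsageStartTime": "2024-03-10"},
]

def tiered_cost(meter, quantity):
    """Price a quantity across the meter's tiers after free included units."""
    billable = max(0.0, quantity - meter["IncludedQuantity"])
    tiers = sorted((float(t), rate) for t, rate in meter["MeterRates"].items())
    cost = 0.0
    for i, (start, rate) in enumerate(tiers):
        end = tiers[i + 1][0] if i + 1 < len(tiers) else float("inf")
        units = min(billable, end) - start   # negative when tier not reached
        if units > 0:
            cost += units * rate
    return round(cost, 4)

def month_to_date_spend(usage, rate_card):
    """Sum quantities per meter, then price each meter's total (spend MTD)."""
    meters = {m["MeterId"]: m for m in rate_card["Meters"]}
    totals = defaultdict(float)
    for rec in usage:
        totals[rec["MeterId"]] += rec["Quantity"]
    return {mid: tiered_cost(meters[mid], q) for mid, q in totals.items()}

def projected_bill(spend, day_of_month, days_in_month):
    """Predict the bill by linear extrapolation of spend to month end."""
    return round(sum(spend.values()) * days_in_month / day_of_month, 2)

def check_alerts(spend, budget, warn_fraction=0.8):
    """Alert when total spend crosses the warning fraction or the budget."""
    total = sum(spend.values())
    if total >= budget:
        return [f"budget exceeded: {total:.2f} >= {budget:.2f}"]
    if total >= budget * warn_fraction:
        return [f"spend at {total / budget:.0%} of budget"]
    return []
```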
Security standards and policies
When transitioning to the cloud, security plays a crucial role for all enterprises, and Microsoft is constantly working on its products to adapt to the latest developments and support customers’ security requirements where possible.
A good starting point for security and Azure is the Trust Center. Here, customers can take advantage of a collection of resources that are specific to the topic. Customers in highly regulated industries like healthcare, or government entities, need to verify that the services of Azure comply with applicable security controls.
Cloud readiness scopes
Following are typical areas of technology and knowledge:
- Identity: One of the cornerstones of the entire picture of Azure is the identity of a person. Microsoft sees the identity as the control plane of the modern world. Your existing identity structure, which might be based on an on-premises implementation of Active Directory, needs to be reviewed to determine whether it can serve the new purposes described earlier in this chapter such as rights and role models or license assignment.
Many customers use this opportunity to review their current IAM system and modernize it to prepare it for new tasks. A profound knowledge about identities, the relation to Azure Active Directory, and its security options should reside in the aforementioned competence center. Typical areas of interest are around the following use cases:
- Identity integration. What does the company already have in place to integrate identities into applications, and is it a more centralized approach or a per-application approach with a relatively independent model? For the success of the future identity model, the company must decide which way to go for its identity integration. After the decision has been made, you can build a solution based on it. Plan for iterations in the design process to find the best solution, and review it against your security requirements.
- Authentication scenarios. Will all solutions—whether on-premises or in the cloud—work with an identity that has been given to the user?
- Multiforest considerations. Does your company maintain a multiforest implementation on-premises due to historical or even regulatory reasons?
Development of methodology for cloud integration
One of the major purposes of a Cloud Competence Center in many enterprises is to define standards and develop methodologies for the adoption of Azure services. This ensures a higher level of quality, makes sure that knowledge is reused, and keeps the organization permanently aligned with the latest business and security requirements.
Development of cloud-integration blueprints: partners, suppliers, and customers
Other solutions are designed to cooperate with partners or are aimed directly at the customer. Depending on the business of your enterprise, additional blueprints might be needed to serve as a starting point for solutions that serve that purpose.
Securing the modern enterprise
Securing a modern enterprise is complex and challenging. Microsoft’s cybersecurity portfolio can help you to do the following:
- Increase visibility, control, and responsiveness to threats
- Reduce security integration and vendor management costs
Identity versus network security perimeter
It’s a universal concept: When you want to protect something, build a perimeter around it. Traditionally, in IT this perimeter is at the network level in the form of a firewall. A network perimeter has the purpose of repelling and detecting classic attacks, but it is reliably defeated by phishing and credential theft. At the same time, your data is moving out of the organization via approved or unapproved cloud services. Last but not least, employees need to stay productive wherever they are, using whatever device they carry with them, which means that your data might be accessed from unmanaged devices. Meeting these new challenges requires you to build a new kind of perimeter in addition to your existing network perimeter: an identity security perimeter.
Data is one of the most valuable assets that companies have, and it is critical that this asset is protected against unauthorized access or being held for ransom. Access is controlled by giving authenticated users the authorization to read, change, or delete data. Some data is less critical than other data; information ranges from publicly available to strictly confidential, and the level of protection should follow that classification.