Russinovich goes on: “You can take advantage of storage connectivity. Why do I want to buy a new SAN to store data that I'm just backing up? Toss that up in the cloud. And while I'm figuring out how to best secure that data, I can have that data encrypted as it moves to the cloud. So there's low risk; even if I did screw up and that data leaks, it's not putting the business as risk.”
As you work through connecting those lower-risk systems to the cloud, you learn hybrid cloud strategies, Russinovich points out. “New projects that are low risk, like customer-facing sites and marketing campaign things, why put that on premise? For new projects like that, you can move to the cloud. But all that requires understanding hybrid.”
You also need to understand how to enforce security and compliance in a world where you don’t have group policy, and where application developers rather than network architects are managing access controls.
Then you can work your way up to more complex hybrid models where you build the front-end of an application in the cloud but keep the data on premise. “Often, the more sensitive data is the most complicated to move, because so much of my internal company ecosystem is built up around that data being in a certain place and accessed a certain way, and it’s going to cost a lot of money to move everything,” Russinovich points out. “It doesn’t make sense go after the hardest things first; start at the fringe and work your way in.”
To make this prioritization work you need to do data classification, and look at the complexity of your applications and the sensitivity of the data they handle, categorizing which of your applications deal with confidential and proprietary information.
That’s easier than it used to be, points out VCE’s Moulton, because regulatory frameworks like HIPPA, Sox and Basel 3 haven’t just made enterprises take security seriously. “They’ve also established frameworks under which data becomes classified. There’s the recognition that I've got a data set that is valuable, the IT group have given me a framework and some classification tools – and here's a regulator that will regularly audit me to see I'm in compliance.”
Changes in enterprise governance models make hybrid cloud easier, he suggests. “They’ve changed sufficiently that security is no longer an afterthought. It's something they build into their risk models and their risk assessment in a way that takes account of what the security implications are, and how you deal with them.”
Use that when choosing where data and applications will live. “You have to do a risk assessment on whether that place is something you want to wholly own or whether it is somewhere you build a service level agreement with an organization that is massively penalized if that risk assessment proves to expose the company to risk.”
Sign up for CIO Asia eNewsletters.