Google-Cloud-Foundations-Whitepaper-Digital-1
Laying the Groundwork
How to Build a Foundation in Google Cloud
Table of Contents
Executive Summary
Introduction
Masthead Applications
Path to Production
What’s Next
Conclusion
Executive Summary

Over the last 10 years, Sourced has had the privilege of working with a broad set of enterprises during varying stages of their cloud deployments. Consolidating this experience, Sourced has refined an approach to cloud adoption that focuses on building a strong foundational capability that can centralise compliance while allowing application teams to self-service their infrastructure within appropriate guardrails.

Sourced’s recommended approach caters for both technology and organisational changes that cloud introduces into a business; this is defined as cloud-led business change. A lack of organisational alignment when implementing a fundamentally different way of consuming infrastructure regularly leads to adverse outcomes. The use of an aligned ‘Cloud Centre of Excellence’ (CCoE) rallying around a masthead application migration will help draw buy-in from all required stakeholders. The masthead will ensure that the features developed for the foundational platform are of the highest value, hence controlling scope.

Another major pillar of cloud success is the layered security approach. This involves applying governance that focuses on preventative controls during the early stages of cloud adoption, ensuring teams gain maturity within appropriate risk guidelines. The best method to achieve these control objectives is by adopting infrastructure and governance as code practices that a foundational platform can deliver. Additional types of controls can be continually layered and a combination of methods is recommended to achieve the best outcomes. As teams develop cloud maturity, a relaxation of preventative controls and an increase in detective controls may be appropriate for certain low-risk workloads that require bespoke solutions.

The described approach allows regulated enterprises to gain delivery velocity in the cloud while bringing the wider organisation along with them. The benefits of scalability, efficiency and availability can be achieved by any organisation regardless of regulatory requirements. The common misstep of seeking rapid single-workload migrations can lead to technical debt and minimal reusability, causing a diversion from the organisation’s cloud strategy and its objectives. Long-term success for the whole of business change requires a thoughtful and measured approach in the early stages, that leads to cloud maturity and on to Cloud at Scale™.
Introduction

Sourced’s consulting team has delivered Google Cloud foundations for our Tier-1 banking clients in North America and Australia. These foundations have provided a consistent landing zone for several material workloads supportive of their regulatory and compliance considerations. Through our experience in the industry, Sourced has developed a framework for regulated enterprises looking to adopt Google Cloud and leverage Google’s differential capabilities within their business. By leveraging automation, aligning tooling, and embedding a culture of managing infrastructure as code, Sourced balances the technology strategies of the enterprise. It is imperative to consider the requirements of Central IT, compliance, security, and developers, all while operating within appropriate risk boundaries.

This whitepaper will represent a high-level approach to deploying a scalable Google Cloud foundation which scales to support potentially thousands of heterogeneous workloads within a large, regulated enterprise.
This approach sees the business unit developing a bespoke approach with minimal involvement from the organisation’s Central IT teams. This results in a deployment and operational philosophy tailored to the workload itself. This approach can also deliver short-term velocity but presents difficulties when the next wave of workloads begin their migration journey. The next workload will see another set of bespoke public cloud configuration and this process repeats itself until the organisation is left with a complex footprint that introduces significant risk and operational overheads. Furthermore, visibility of controls becomes unclear and this lack of clarity can lead to breaches and exposures.

An alternative approach is when the business unit integrates tightly with the centralised IT team to form a CCoE with a mission to build core cloud capability that can be leveraged across the entire enterprise. This will involve a scalable foundation which will allow the cloud to operate as a platform with the workload being used as a masthead to drive delivery. This approach allows for a consistent control plane across the entire fleet of applications and helps centralise common functions such as networking, billing and security. This key element of cloud adoption is an essential part of Sourced’s Cloud at Scale™ methodology.
Delivering a foundational platform can be a potentially difficult decision due to longer adoption times. However,
in the context of a broader enterprise cloud strategy, it is an essential ingredient for success longer term.
Operations: Minimises operational irregularities and manual work through a consistent and automated approach to cloud.

Security: Ensures an enterprise security posture is applied holistically across the cloud environment.

Scale: Provides a method to scale cloud deployments from one team to any number of teams without a linear increase in operational cost.

Maturity: Provides a secure, consistent and controlled deployment methodology allowing teams to gain significant maturity in public cloud within the enterprise’s approved guardrails.
Achieving these outcomes builds trust, confidence and predictability for public cloud deployments. Where manual processes breed complexity, which in turn leads to a higher probability of failure, automation provides predictability and consistency, which in effect is a control. It is worth noting that the two summarised approaches are typical but not all encompassing.
There are many ways to consume public cloud and determining what will suit your organisation best requires
discovery and analysis. This whitepaper discusses cloud foundations as the typical recommended first step,
however, Sourced will always make informed and tailored recommendations that are in the best interests of
the client’s goals.
Sourced will always make architectural decisions based on client needs but often approaches Google
Cloud Foundations leveraging a centralised host project to manage further application or “service projects”
spanning into the host to leverage network connectivity as below:
1. A CI/CD pipeline leveraging Google’s native Deployment Manager or Config Connector to deploy infrastructure as code.

2. A CI/CD pipeline leveraging third party tooling, such as Terraform, which uses a declarative language to define infrastructure as code.
The Continuous Integration Continuous Deployment (CI/CD) pipeline, synonymous with platform automation, is the method by which Sourced links all the automation components together to achieve this consistent outcome, whether it be leveraging Terraform, Deployment Manager or Config Connector. Regardless of the tooling of choice, the key to a core foundation is that it maintains configuration management authority across all cloud deployments. This is paramount to providing the consistency in applied controls, state management and immutability.
Moving forward, a decision must be made commensurate with the maturity of teams in public cloud
across the enterprise. In line with the measured approach to cloud adoption, Sourced recommends that for
teams taking their first step into cloud, a higher proportion of preventative controls to detective controls is
implemented. There are two main control concepts discussed here that are contextualised to public cloud
deployments:
Preventative

A preventive control is where the deployment automation will have embedded controls or opinions which will restrict an event from occurring prior to the deployment taking place.

A common example is stopping Google Cloud Storage (GCS) buckets from being deployed with access from the public internet, but these controls can be as granular as restricting the use of certain node image versions when deploying in Google Kubernetes Engine (GKE). Preventative controls can also enforce operational considerations such as frequency of backups and deployment mechanisms such as blue/green or canary releases.

This is a highly effective approach for most teams in an enterprise, providing a stringent risk-based approach to cloud consumption which assists in providing regulators such as APRA comfort in your risk management approach.

Detective and Corrective

A detective control is where the deployment automation is relaxed to allow deployments to take place without prevention. A service is then used to scan and ‘detect’ any misconfigurations in the deployment, triggering alerts and workflows. When a critical risk is identified, a corrective engine or human can then reach into the deployment after the fact and remediate the misconfiguration.

In the GCS example, this would allow the deployment to occur with public internet access enabled. Additional responsibility is shifted to the application teams to manage these risks, but in the context of their application. This means a brochureware website does not have to maintain the same controls as a system of record transactional database. The brochureware will be allowed to maintain ‘public’ classified information in its public bucket, whereas applications with confidential data will trigger a corrective control.

This approach is beneficial for teams with a high level of cloud maturity who understand how to identify, mitigate, and manage risk when deploying in cloud. These teams will benefit from the increased flexibility which provides the ability to use alternative tooling preferable to their application. Vendor applications may also benefit in this consumption mode as they often are not built to support the restrictions put in place by the preventative approach.

Multi-modal

In a multi-modal approach, both above modes are made available to application teams. Depending on the application use case and maturity, they can choose the control option that suits them best.

In large enterprises, cloud adoption occurs at different paces. Smaller teams with fewer applications and lower cloud maturity will opt for the preventative approach as it embeds most of the organisation’s ‘best

The multi-modal approach naturally occurs as cloud maturity increases in the organisation. There is additional engineering effort to build and maintain both consumption modes in the multi-modal approach
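As an added illustration of the GCS example used across the three modes above (example code written for this edit, not from the whitepaper or Sourced), the same public-access rule is applied in preventative mode, where the pipeline blocks the deployment before it happens, and in detective and corrective mode, where already-deployed buckets are scanned and only those whose data is not classified public are flagged for remediation. The bucket inventory, the data_classification label and the group principals are constructed sample data, not real resources.

```python
# Added example, not from the Sourced whitepaper: the GCS public-bucket rule from
# the control table, applied in both consumption modes the paper describes.
# Buckets, labels and members are constructed sample data shaped like a GCS IAM policy.
from dataclasses import dataclass

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # GCS principals meaning "the internet"

@dataclass
class Bucket:
    name: str
    labels: dict    # assumed label "data_classification" records the data class
    bindings: list  # [{"role": str, "members": [str, ...]}, ...]

def public_bindings(bucket):
    """Detect: IAM bindings that grant a role to allUsers or allAuthenticatedUsers."""
    return [b for b in bucket.bindings if PUBLIC_MEMBERS & set(b["members"])]

def preventative_gate(planned):
    """Preventative mode: refuse to deploy any bucket with public access, regardless
    of how the team classifies the data. Returns (allowed, blocked_bucket_names)."""
    blocked = [b.name for b in planned if public_bindings(b)]
    return (not blocked, blocked)

def corrective_plan(deployed):
    """Detective and corrective mode: scan deployed buckets, tolerate public access
    only where the data is classified 'public', and emit remediation for the rest."""
    actions = []
    for bucket in deployed:
        exposed = public_bindings(bucket)
        if not exposed or bucket.labels.get("data_classification") == "public":
            continue  # brochureware case: public data in a public bucket is allowed
        actions.append({
            "bucket": bucket.name,
            "roles": sorted(b["role"] for b in exposed),
            "remove_members": sorted(PUBLIC_MEMBERS),  # corrective: strip the principals
            "alert": True,                              # detective: notify the owning team
        })
    return actions

# Constructed inventory: a brochureware site, a confidential export, a private bucket.
SAMPLE = [
    Bucket("corp-brochureware-site", {"data_classification": "public"},
           [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]),
    Bucket("corp-ledger-exports", {"data_classification": "confidential"},
           [{"role": "roles/storage.objectViewer", "members": ["allAuthenticatedUsers"]},
            {"role": "roles/storage.admin", "members": ["group:ledger-admins@example.com"]}]),
    Bucket("corp-internal-reports", {"data_classification": "internal"},
           [{"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]}]),
]
```

Running `preventative_gate(SAMPLE)` blocks both public buckets, while `corrective_plan(SAMPLE)` leaves the brochureware site alone and produces a remediation action only for the confidential export.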
Masthead Applications

As an example of Google’s capability, Sourced created a demo application for a recent Google Cloud event. This application was developed to demonstrate ways Google Cloud can assist with data handling in a regulated enterprise. With four well-defined services, the demo application can ingest raw transaction data, locate confidential or personally identifiable information, de-identify these fields and write these transactions to a new destination for analytics purposes.

This example shows how a regulated institution, like a bank, can take vast amounts of transaction data and de-identify any Personally Identifiable Information (PII) or confidential information. From here, this data can be shared widely in the organisation so different teams can leverage the data set to gain insights and make better business decisions.

The source code for this demo application is available here.
Sourced recommends structuring a cloud program that delivers a masthead application simultaneously with a scalable foundational platform. These two decisions will help align the organisation to rally around the unified goal of cloud delivery. With a common goal and a finite scope, application and Central IT teams will work more effectively, efficiently and have aligned stakeholders removing common points of friction. Organisationally, changing the way teams are structured and work is a must. Cloud introduces a fundamental shift in managing infrastructure and the foundational platform team or CCoE are at the heart of this change. Allowing these teams to operate the platform as a product will help the organisation continue to build, operate, and iterate on their cloud capability.

This paper introduces a handful of key concepts Sourced recommends when consuming cloud. Each organisation is different and there are immeasurable permutations and alterations that can be made to ensure your organisation’s cloud journey is successful.
Sourced Group
sourcedgroup.com