
WHITEPAPER

Laying the
Groundwork
How to Build a Foundation in Google Cloud
Table of Contents

Executive Summary 3

Introduction 4

Where We Are Today 5

How Can I Build My Foundations in Google Cloud? 8

Incremental Approach to Platform Design 13

Cloud-Led Business Change 13

Masthead Applications 13

Path to Production 14

What’s Next 15

Conclusion 16

Laying the Groundwork | Whitepaper | 2


Executive Summary
Enterprises each face different challenges and will all have different experiences when embarking on a cloud journey. However, Sourced has identified an optimal approach to deliver sustainable and long-term success in the cloud, whatever the situation. This paper focuses on the Google Cloud Platform (GCP), which is rapidly expanding across all major regions. GCP has a distinctive value proposition, specifically in application containerisation and data solutions.

Over the last 10 years, Sourced has had the privilege of working with a broad set of enterprises during varying stages of their cloud deployments. Consolidating this experience, Sourced has refined an approach to cloud adoption that focuses on building a strong foundational capability that can centralise compliance while allowing application teams to self-service their infrastructure within appropriate guardrails.

Sourced’s recommended approach caters for both technology and organisational changes that cloud introduces into a business; this is defined as cloud-led business change. A lack of organisational alignment when implementing a fundamentally different way of consuming infrastructure regularly leads to adverse outcomes. The use of an aligned ‘Cloud Centre of Excellence’ (CCoE) rallying around a masthead application migration will help draw buy-in from all required stakeholders. The masthead will ensure that the features developed for the foundational platform are of the highest value, hence controlling scope.

Another major pillar of cloud success is the layered security approach. This involves applying governance that focuses on preventative controls during the early stages of cloud adoption, ensuring teams gain maturity within appropriate risk guidelines. The best method to achieve these control objectives is by adopting infrastructure and governance as code practices that a foundational platform can deliver. Additional types of controls can be continually layered, and a combination of methods is recommended to achieve the best outcomes. As teams develop cloud maturity, a relaxation of preventative controls and an increase in detective controls may be appropriate for certain low-risk workloads that require bespoke solutions.

The described approach allows regulated enterprises to gain delivery velocity in the cloud while bringing the wider organisation along with them. The benefits of scalability, efficiency and availability can be achieved by any organisation regardless of regulatory requirements. The common misstep of seeking rapid single-workload migrations can lead to technical debt and minimal reusability, causing a diversion from the organisation’s cloud strategy and its objectives. Long-term success for whole-of-business change requires a thoughtful and measured approach in the early stages that leads to cloud maturity and on to Cloud at Scale™.



Introduction
Google Cloud is rapidly gaining adoption within the enterprise as a result of its
significant investment in cloud infrastructure (currently 67 zones globally) and
subsequent increased maturity of the platform. As a result of this growth, Google
Cloud is gaining traction in markets across the globe while leading with its unique
and differential containerisation and data solutions.

Sourced’s consulting team has delivered Google Cloud foundations for our Tier-1 banking clients in North America and Australia. These foundations have provided a consistent landing zone for several material workloads supportive of their regulatory and compliance considerations. Through our experience in the industry, Sourced has developed a framework for regulated enterprises looking to adopt Google Cloud and leverage Google’s differential capabilities within their business. By leveraging automation, aligning tooling, and embedding a culture of managing infrastructure as code, Sourced balances the technology strategies of the enterprise. It is imperative to consider the requirements of Central IT, compliance, security, and developers, all while operating within appropriate risk boundaries.

This whitepaper presents a high-level approach to deploying a scalable Google Cloud foundation which scales to support potentially thousands of heterogeneous workloads within a large, regulated enterprise.



Where We Are Today
The largest financial services organisations in Australia are pushing heavily to integrate technology into their offerings in order to deliver improved services and experiences to their consumers. The adoption of public cloud is a significant enabler for this movement. With this push, the Australian Prudential Regulation Authority (APRA) has been firm but supportive, providing one of the most mature approaches to public cloud risk management.

See: An Analysis of the APRA Cloud Computing Services Paper Update.

The financial services industry can thereby use an APRA-aligned approach to public cloud risk management to provide a target standard when leveraging public cloud in other regulatory regions globally.

Adherence to regulatory obligations requires organisations to undertake a measured approach when consuming public cloud services. Regulated organisations are required to distil their obligations into internal policy and eventually into control objectives. The implementation and assurance of these controls, or control management, is paramount to the enterprise successfully consuming cloud.



Technology innovation is primarily driven from the areas in the business closest to the customer, owing to
a desire to compete and maintain an edge in the market. These initiatives become the catalyst for cloud
adoption and from here, the enterprise often goes one of two ways:

Workload Approach

This approach sees the business unit developing a bespoke approach with minimal involvement from the organisation’s Central IT teams. This results in a deployment and operational philosophy tailored to the workload itself. This approach can also deliver short-term velocity but presents difficulties when the next wave of workloads begin their migration journey.

The next workload will see another set of bespoke public cloud configuration, and this process repeats itself until the organisation is left with a complex footprint that introduces significant risk and operational overheads. Furthermore, visibility of controls becomes unclear, and this lack of clarity can lead to breaches and exposures.

Platform Approach

An alternative approach is when the business unit integrates tightly with the centralised IT team to form a CCoE with a mission to build core cloud capability that can be leveraged across the entire enterprise. This will involve a scalable foundation which will allow the cloud to operate as a platform, with the workload being used as a masthead to drive delivery.

This approach allows for a consistent control plane across the entire fleet of applications and helps centralise common functions such as networking, billing and security. This key element of cloud adoption is an essential part of Sourced’s Cloud at Scale™ methodology.

Figure 1. Workload or platform approach



It should be noted that the workload driven approach can act as a catalyst for change within the organisation.
A responsible approach to building a bespoke cloud capability around a single workload can be a viable
project, however care should be taken to ensure that a more strategic platform approach can be adopted as
use cases for cloud broaden over time.

Delivering a foundational platform can be a potentially difficult decision due to longer adoption times. However,
in the context of a broader enterprise cloud strategy, it is an essential ingredient for success longer term.

Foundational platforms help us achieve several key outcomes:

Operations: minimises operational irregularities and manual work through a consistent and automated approach to cloud.

Security: ensures an enterprise security posture is applied holistically across the cloud environment.

Scale: provides a method to scale cloud deployments from one team to any number of teams without a linear increase in operational cost.

Maturity: provides a secure, consistent and controlled deployment methodology allowing teams to gain significant maturity in public cloud within the enterprise’s approved guardrails.

Politics: provides consistency in outcomes through automation, hence reducing the number of unique assessments, reviews and political debate required to deliver value add.

Control Plane: measures against regulatory obligations using a single, auditable view of controls.

Achieving these outcomes builds trust, confidence and predictability for public cloud deployments. Where manual processes breed complexity, which in turn leads to a higher probability of failure, automation provides predictability and consistency, which in effect is a control. It is worth noting that the two summarised approaches are typical but not all-encompassing.

There are many ways to consume public cloud and determining what will suit your organisation best requires
discovery and analysis. This whitepaper discusses cloud foundations as the typical recommended first step,
however, Sourced will always make informed and tailored recommendations that are in the best interests of
the client’s goals.



How Can I Build My Foundations in
Google Cloud?
Each enterprise cloud platform will differ slightly based on many factors including strategic goals, geographical distribution and regulatory considerations; however, most will follow a common progression as detailed in this section. Starting from the ground up, Central IT will begin the process of architecting and designing a cloud foundation which consists of, but is not limited to, the following:

- Organization: top-level hierarchy, Organization, Policies, Billing, Logging
- Shared Networking: VPCs, NAT, DNS, Firewalls, Routes, VPN, Interconnect
- Projects and IAM: Folders, Service Projects, IAM

Sourced will always make architectural decisions based on client needs but often approaches Google
Cloud Foundations leveraging a centralised host project to manage further application or “service projects”
spanning into the host to leverage network connectivity as below:

Figure 2. Scalable host project with multiple service projects
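The host project and service project layout of Figure 2, expressed in Terraform. This is an added example written for this edit; it is not code from the whitepaper or from the Cloud Foundation Toolkit. The organisation ID, billing account, project IDs, region and subnet range are placeholders, and the folder names and the deployer service account are assumptions made for the example. The host project owns the network; each application project is attached as a service project and its pipeline identity is granted `roles/compute.networkUser` on its own subnet only, rather than on the whole host project.

```hcl
# Added example, not the whitepaper's own code. Replace every placeholder.
variable "org_id" {
  type = string # e.g. "123456789012" (placeholder)
}

variable "billing_account" {
  type = string # e.g. "ABCDEF-123456-7890AB" (placeholder)
}

# Folder layout (assumed): Central IT owns "platform"; application teams live under "applications".
resource "google_folder" "platform" {
  display_name = "platform"
  parent       = "organizations/${var.org_id}"
}

resource "google_folder" "applications" {
  display_name = "applications"
  parent       = "organizations/${var.org_id}"
}

# Host project: owns the Shared VPC, subnets, NAT, DNS and firewall rules.
resource "google_project" "host" {
  name            = "shared-network-host"
  project_id      = "shared-network-host-0001" # placeholder, must be globally unique
  folder_id       = google_folder.platform.folder_id
  billing_account = var.billing_account
}

resource "google_project_service" "host_compute" {
  project = google_project.host.project_id
  service = "compute.googleapis.com"
}

resource "google_compute_shared_vpc_host_project" "host" {
  project    = google_project.host.project_id
  depends_on = [google_project_service.host_compute]
}

# Custom-mode VPC: no auto-created subnets, so every range is deliberate.
resource "google_compute_network" "shared" {
  project                 = google_project.host.project_id
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "app_a" {
  project                  = google_project.host.project_id
  name                     = "app-a-subnet"
  region                   = "australia-southeast1" # placeholder
  network                  = google_compute_network.shared.id
  ip_cidr_range            = "10.10.0.0/24"         # placeholder
  private_ip_google_access = true                   # reach Google APIs without external IPs
}

# Service project for one application team: consumes the host's network, owns nothing network-wide.
resource "google_project" "app_a" {
  name            = "app-a"
  project_id      = "app-a-0001" # placeholder
  folder_id       = google_folder.applications.folder_id
  billing_account = var.billing_account
}

resource "google_project_service" "app_a_compute" {
  project = google_project.app_a.project_id
  service = "compute.googleapis.com"
}

resource "google_compute_shared_vpc_service_project" "app_a" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = google_project.app_a.project_id
  depends_on      = [google_project_service.app_a_compute]
}

# Identity the team's CI/CD pipeline deploys as (assumed name).
resource "google_service_account" "app_a_deployer" {
  project      = google_project.app_a.project_id
  account_id   = "app-a-deployer"
  display_name = "app-a deployment pipeline"
}

# Least privilege: networkUser on this subnet only, not on the host project,
# so the pipeline cannot place resources in another team's range.
resource "google_compute_subnetwork_iam_member" "app_a_user" {
  project    = google_project.host.project_id
  region     = google_compute_subnetwork.app_a.region
  subnetwork = google_compute_subnetwork.app_a.name
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:${google_service_account.app_a_deployer.email}"
}
```

Each additional application team repeats only the service project, subnet, deployer identity and subnet binding; the host project and VPC are created once and managed by Central IT, which is what keeps configuration management authority in the foundation rather than with each workload.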



Given the requirement for consistency in deployment and configuration across the broad set of structures and resources, automation is naturally introduced into the process. For the Central IT team to implement this automation when building, deploying, and operating these foundations, the following two options are the usual candidates:

1. A CI/CD pipeline leveraging Google’s native Deployment Manager or Config Connector to deploy infrastructure as code
2. A CI/CD pipeline leveraging third-party tooling, such as Terraform, which uses a declarative language to define infrastructure as code

The Continuous Integration Continuous Deployment (CI/CD) pipeline, synonymous with platform
automation, is the method in which Sourced links all the automation components together to achieve this
consistent outcome, whether it be leveraging Terraform, Deployment Manager or Config Connector.

“Central IT departments that fall behind in establishing cloud governance risk security breaches, denial of service (DoS) attack, loss of control and cloud resources overspending. Implementing automated governance is part of transforming Central IT’s role from fulfilling users’ requests to empowering self-service for teams that need the agility to use cloud services with native tools.”

Gartner, ‘Implementing Governance for Public Cloud IaaS’, Richard Watson, VP Analyst, Marco Meinardi, Sr Director Analyst, 25 January 2019



Given these infrastructure as code methods are common, Google has invested in a valuable initiative to provide enterprise-ready templates as open source under the Cloud Foundation Toolkit (CFT). Sourced has had the privilege of directly contributing to this initiative, which allows teams to pick up any of the 50+ templates, drop them into their Google Cloud foundation in a modular fashion and tune them as desired. The CFT helps to reduce upfront development when building your core foundations.

Regardless of the tooling of choice, the key to a core foundation is that it maintains configuration
management authority across all cloud deployments. This is paramount to providing the consistency in
applied controls, state management and immutability.

Figure 3. Opinionated pipeline concept

Moving forward, a decision must be made commensurate with the maturity of teams in public cloud
across the enterprise. In line with the measured approach to cloud adoption, Sourced recommends that for
teams taking their first step into cloud, a higher proportion of preventative controls to detective controls is
implemented. There are two main control concepts discussed here that are contextualised to public cloud
deployments:



Preventative

Definition: A preventative control is where the deployment automation will have embedded controls or opinions which will restrict an event from occurring prior to the deployment taking place.

Example: A common example is stopping Google Cloud Storage (GCS) buckets from being deployed with access from the public internet, but these controls can be as granular as restricting the use of certain node image versions when deploying in Google Kubernetes Engine (GKE). Preventative controls can also enforce operational considerations such as frequency of backups and deployment mechanisms such as blue/green or canary releases.

Applicability: This is a highly effective approach for most teams in an enterprise, providing a stringent risk-based approach to cloud consumption which assists in providing regulators such as APRA comfort in your risk management approach.

Detective and Corrective

Definition: A detective control is where the deployment automation is relaxed to allow deployments to take place without prevention. A service is then used to scan and ‘detect’ any misconfigurations in the deployment, triggering alerts and workflows. When a critical risk is identified, a corrective engine or human can then reach into the deployment after the fact and remediate the misconfiguration.

Example: In the GCS example, this would allow the deployment to occur with public internet access enabled. Additional responsibility is shifted to the application teams to manage these risks, but in the context of their application. This means a brochureware website does not have to maintain the same controls as a system-of-record transactional database. The brochureware will be allowed to maintain ‘public’ classified information in its public bucket, whereas applications with confidential data will trigger a corrective control.

Applicability: This approach is beneficial for teams with a high level of cloud maturity who understand how to identify, mitigate, and manage risk when deploying in cloud. These teams will benefit from the increased flexibility, which provides the ability to use alternative tooling preferable to their application. Vendor applications may also benefit in this consumption mode as they often are not built to support the restrictions put in place by the preventative approach.

Multi-modal

Definition: In a multi-modal approach, both of the above modes are made available to application teams. Depending on the application use case and maturity, they can choose the control option that suits them best.

Example: In large enterprises, cloud adoption occurs at different paces. Smaller teams with fewer applications and lower cloud maturity will opt for the preventative approach as it embeds most of the organisation’s ‘best practice’ into each deployment. Larger teams or those with higher cloud maturity will be able to take advantage of the detective and corrective approach, giving them additional freedoms to meet their control objectives. This, however, places a larger portion of control responsibility with the teams, requiring careful consideration.

Applicability: The multi-modal approach naturally occurs as cloud maturity increases in the organisation. There is additional engineering effort to build and maintain both consumption modes in the multi-modal approach, which is why this approach is not recommended for an organisation’s initial foray into public cloud.



Over time, we witness enterprises beginning with a preventative approach then progressively moving towards
enabling a detective and corrective approach as they gain maturity. Sourced observes that even in high
maturity organisations, there is benefit to maintaining a preventative consumption mode given it services a
larger portion of application teams as opposed to the detective and corrective consumption mode.

Figure 4. Control methods over time
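The GCS example from the control table, with both consumption modes side by side as folder-level configuration in Terraform. This is an added example written for this edit, not the whitepaper’s or the Cloud Foundation Toolkit’s code. It assumes two application folders (one per mode), an organisation ID, a project that receives the Admin Activity audit logs for the flexible folder, and a Cloud Monitoring notification channel, all supplied as placeholder variables; how those logs are centralised into that project is not shown. The audit-log filter follows the documented structure of `storage.setIamPermissions` entries, but validate it in Logs Explorer against your own log entries before relying on the alert.

```hcl
# Added example, not the whitepaper's own code. Replace every placeholder.
variable "org_id" {
  type = string # placeholder
}

variable "logging_project" {
  type = string # project that receives Admin Activity audit logs (placeholder)
}

variable "security_alert_channel" {
  type = string # "projects/<project>/notificationChannels/<id>" (placeholder)
}

# Preventative consumption mode: projects created here inherit the enforced constraints.
resource "google_folder" "guarded" {
  display_name = "apps-guarded"
  parent       = "organizations/${var.org_id}"
}

# Detective and corrective consumption mode: nothing blocked, everything watched.
resource "google_folder" "flexible" {
  display_name = "apps-flexible"
  parent       = "organizations/${var.org_id}"
}

# Preventative: enforced by the Google API itself, so the control holds no matter
# which tool a team deploys with. A bucket under this folder cannot be granted
# to allUsers or allAuthenticatedUsers; the request is rejected before it lands.
resource "google_folder_organization_policy" "guarded_no_public_buckets" {
  folder     = google_folder.guarded.name
  constraint = "constraints/storage.publicAccessPrevention"
  boolean_policy {
    enforced = true
  }
}

# A second opinion from the same family: no external IPs on VM instances.
resource "google_folder_organization_policy" "guarded_no_external_ips" {
  folder     = google_folder.guarded.name
  constraint = "constraints/compute.vmExternalIpAccess"
  list_policy {
    deny {
      all = true
    }
  }
}

# Detective: count audit entries in which a bucket's IAM policy gained a binding
# for allUsers or allAuthenticatedUsers. Under the guarded folder this never fires,
# because the API refused the change; under the flexible folder it is the signal.
resource "google_logging_metric" "public_bucket_grant" {
  project = var.logging_project
  name    = "public-bucket-grant"
  filter  = <<-EOT
    resource.type="gcs_bucket"
    protoPayload.methodName="storage.setIamPermissions"
    protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
    protoPayload.serviceData.policyDelta.bindingDeltas.member=("allUsers" OR "allAuthenticatedUsers")
  EOT
  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}

# Corrective hand-off: any non-zero count pages the security channel, where a human
# or an automated workflow decides whether the data classification permits it.
resource "google_monitoring_alert_policy" "public_bucket_grant" {
  project      = var.logging_project
  display_name = "GCS bucket opened to the internet"
  combiner     = "OR"
  conditions {
    display_name = "allUsers or allAuthenticatedUsers granted on a bucket"
    condition_threshold {
      filter          = "metric.type=\"logging.googleapis.com/user/${google_logging_metric.public_bucket_grant.name}\" AND resource.type=\"gcs_bucket\""
      comparison      = "COMPARISON_GT"
      threshold_value = 0
      duration        = "0s"
      aggregations {
        alignment_period   = "300s"
        per_series_aligner = "ALIGN_SUM"
      }
    }
  }
  notification_channels = [var.security_alert_channel]
}
```

The same audit entry that the detective path alerts on is what a corrective engine would consume to decide between “permitted, the bucket holds public-classified content” and “remove the binding”; that classification lookup is application-specific and is deliberately left out here. Moving a project from the flexible folder to the guarded folder is the practical mechanism for tightening a team back into preventative mode.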



Incremental Approach to Platform Design

Cloud-Led Business Change

Efficient technology design and delivery is only made possible if the business is structured and aligned. Sourced is not only an expert in delivering outstanding technology solutions; it also leverages ten years’ experience delivering cloud in some of the world’s largest banks and enterprises to execute a cloud-led business change.

As part of the Cloud at Scale™ framework, Sourced identifies, designs and executes organisational change elements to better support the new cloud operating model. A common outcome of this sees the introduction of a Cloud Centre of Excellence (CCoE).

The CCoE organisationally sits in the Central IT team and operates similarly to an agile product team. Creation of this team occurs before any design or build activities take place. The team ordinarily consists of a product owner, a scrum master and several cross-functional DevOps engineers. The CCoE’s responsibilities begin with designing all elements of the foundational platform, soon progressing to build activities. The team will then continue to incrementally iterate on the platform, adding further features and automating further components.

As applications on-board to the platform, the CCoE provides an operational capability to support the foundational platform and shared services that applications leverage. As the CCoE matures, additional capabilities are introduced including cloud evangelism, internal consulting and training. One of the fundamental changes that this team introduces is shifting from thinking of cloud as a project to cloud as a product. A project is a temporary and unique initiative to achieve a goal, whereas a product is a continual development journey that will iteratively release new features to its users. Cloud in an organisation must continually adapt as new requirements arise, new features become available and as security posture changes. To help control scope and ensure development aligns to business value, especially in the early stages of cloud adoption, Sourced recommends the use of a masthead application.

Masthead Applications

As a product delivery team, the CCoE will need to make several decisions about how and when to deliver what piece of functionality or feature. This prioritisation exercise can be difficult if the platform is built with no application in mind, as features will be delivered without realised value. If there are several application team feature requests being considered, there can be a conflict of priorities resulting in inefficient delivery of features. To resolve this conflict, a masthead application should be chosen which allows the CCoE to maintain laser focus on building the most useable features first.



A masthead is an application that acts as the tip of the spear in driving requirements for the foundation platform delivery, as it helps prioritise the features that are required for that application to be successful on the platform. The masthead is one of the first applications to be migrated to cloud and will help signal change in the organisation. Therefore, the application itself needs to be chosen carefully. An ideal candidate will:

- Be a known quantity in the enterprise so it can be used to evangelise the cloud and drive adoption
- Be reflective of a typical application in the enterprise to allow highest reuse of delivered features to applications within the business
- Be appropriately risk weighted, significant enough that the enterprise enforces rigour but not the most critical services such as core banking
- Have strong executive sponsorship and support willing to drive the migration forward
- Touch on many aspects of the enterprise to help disseminate a change in thinking as part of the migration
- Provide a sound business case grounded in either risk reduction, efficiency, agility, cost or a combination of the above
- Be internally facing to avoid the additional security complexities introduced by internet-facing workloads
- If an existing application, have an appropriate architecture which does not require significant uplift to operate in a dynamic and immutable cloud world

Path to Production

Once complete, the masthead application will signal the readiness and availability of cloud in the organisation. The CCoE will continually iterate on the platform seeking opportunities to enhance automation, which will allow for the team’s workload to remain somewhat static while application on-boarding increases.



What’s Next?
The possibilities when leveraging Google Cloud are vast, and Sourced has been involved in many ground-breaking initiatives for numerous global Tier-1 banks, including several industry ‘firsts’. As Financial Services organisations naturally take privacy seriously, these important material initiatives have leveraged the broad set of services in Google, including their key strengths in data services and containerisation.

Restrictions around data handling and secure data handling are often a regulatory requirement; however, these data sets present significant value for analytics purposes. Providing a method to democratise this data for analysts, whilst still meeting regulatory obligations, can be difficult, especially with large data sets. Google, however, has an effective data suite which greatly simplifies this.

As an example of Google’s capability, Sourced created a demo application for a recent Google Cloud event. This application was developed to demonstrate ways Google Cloud can assist with data handling in a regulated enterprise. With four well-defined services, the demo application can ingest raw transaction data, locate confidential or personally identifiable information, de-identify these fields and write these transactions to a new destination for analytics purposes.

Figure 5. De-identification of confidential data from transactions

This example shows how a regulated institution like a bank can take vast amounts of transaction data and de-identify any Personally Identifiable Information (PII) or confidential information. From here, this data can be shared widely in the organisation so different teams can leverage the data set to gain insights and make better business decisions.

The source code for this demo application is available here.



Conclusion
The benefits of cloud are well understood which is why you will find a published cloud
strategy in most enterprises today. However, having a defined cloud strategy does not
guarantee cloud transformation success. Cloud providers offer endless configurability
to the multitude of features and services available, which may increase complexity for
enterprises looking to adopt cloud. Without experience and guidance, organisations
may make inefficient decisions, impacting their cloud adoption targets and success.

Sourced recommends structuring a cloud program that delivers a masthead application simultaneously with a scalable foundational platform. These two decisions will help align the organisation to rally around the unified goal of cloud delivery. With a common goal and a finite scope, application and Central IT teams will work more effectively and efficiently and have aligned stakeholders, removing common points of friction. Organisationally, changing the way teams are structured and work is a must. Cloud introduces a fundamental shift in managing infrastructure, and the foundational platform team or CCoE is at the heart of this change. Allowing these teams to operate the platform as a product will help the organisation continue to build, operate, and iterate on their cloud capability.

This paper introduces a handful of key concepts Sourced recommends when consuming cloud. Each organisation is different and there are immeasurable permutations and alterations that can be made to ensure your organisation’s cloud journey is successful.



About Sourced
Sourced Group is a global cloud consultancy that helps enterprises make the most
of cloud services with a focus on security, governance and compliance. With offices
in Australia, Canada, Singapore and Malaysia, we provide professional services
for securing, migrating and managing the cloud infrastructure of large enterprise
customers in highly-regulated industries.

For more information, get in touch with us at [email protected]

Sourced Group
sourcedgroup.com
