The future of cloud-enabled work infrastructure is a tango of multicloud solutions, federated security, and distributed DevOps.
Cloud growth accelerated by COVID-19
COVID-19 has driven a fundamental shift in business-architecture assumptions. Overnight, many organizations have had to shift their cloud infrastructure strategies. In fact, in a Logic Monitor survey, 87% of global IT decision-makers agree the pandemic will cause organizations to accelerate their migration to the cloud, anticipating a decline in on-premises workloads by 2025.1 That accelerated adoption has started already (figure 1). Companies worldwide spent US$34.6 billion on cloud services in the second quarter, up roughly 11% from the previous quarter.2 As Satya Nadella, CEO of Microsoft, states, “We’ve seen two years’ worth of digital transformation in two months.”3
With most of the global workforce remote, major public cloud providers witnessed a huge surge in demand for their services. Such volumes stressed traditional infrastructure (e.g., virtual private networks) and forced organizations to lift and shift to the cloud quickly, leaving room for further optimization. Stay-at-home orders made it difficult, if not impossible, to access on-premise infrastructure, highlighting a key infrastructure risk.4 The vulnerability of tightly interlocked business and technology architectures to stress has become apparent.5 For these reasons, we expect to see a shift in cloud strategies toward cloud migration, security, operations, value planning, and DevSecOps (short for development, security, and operations) as well as a retraction of cloud native, container, and serverless initiatives (figure 2).
As organizations respond to COVID-19 with a renewed cloud focus, they face IT complexity, security risk, and operational efficiency challenges. While some organizations are deprioritizing or delaying nonessential cloud migration plans,6 resilient leaders and organizations have an opportunity to modernize their technology backbones with scalable cloud infrastructure.7 When designing an approach, Deloitte’s research has shown that the “magic mix” to resolving cloud complexity is having effective tools (34%), approaches (34%), and people (32%).8 For many organizations, this means reigniting cloud programs and employing new strategies across development and operations (DevOps), federated security, and multicloud solutions for heterogeneous infrastructures to optimize process, mitigate risk, and manage complexity. Organizations that move quickly have an opportunity to rethink how technology is enabling virtual work, workforce, and workplace and to use infrastructure as a competitive differentiator (figure 3).
Multicloud solutions, not strategies, to support virtual work, workforce, and workplace
Multicloud and hybrid cloud strategies are now the norm, with an industry study finding 93% of organizations using cloud infrastructure are employing a multicloud strategy, 87% of which are using a hybrid (public and private) cloud infrastructure model. As much as 85% of enterprises agree hybrid cloud is the “ideal” IT operating model, with 61% of respondents reporting the need for application mobility across clouds and cloud types as “essential.”9
As such, many organizations have moved beyond the initial challenge of selecting multiple cloud providers, determining what data to store in public or private cloud services, and managing interoperability across their multiple cloud infrastructures. The next frontier in managing cloud complexity will likely be about building on that foundation by configuring tools, software, and technology to deliver a full-stack, multicloud solution—whether that includes identity and access management, network monitoring, metadata management, or artificial intelligence for IT operations (AIOps) to manage workforce systems and platforms used to perform work.10 Multicloud solutions should consider orchestration across these tools and technologies to manage data, resources, and workflows and help ensure the most efficient flow of data across the full solution architecture including storage, databases, platforms, and even security. Only then can the multicloud infrastructure efficiently and securely support business applications to drive value on an application-by-application basis.
In a COVID-19 context, what can be especially challenging for multicloud solutions is finding a good application fit for those technologies, quickly. The temptation is often to leverage whatever platform or service is in a hype cycle. However, moving to an application that is not a good fit for any new platform is typically going to fail. Organizations should first understand the application itself, understand the connected data, and the underlying architecture, and then assess if any of these new technologies is a fit. Kubernetes, an open-source project by Google to automate container deployment, management, and scaling, is an example. Flexera’s annual cloud study shows businesses use an average of 2.2 public and 2.2 private clouds11 and 20% of organizations are using Kubernetes in production or for development and testing.12 But that doesn’t mean others should rush to use Kubernetes. Instead, companies could do well to think about what cloud management resources are needed to support the underlying business application—in this case, remote work infrastructures and collaborative working environments—and work back from there to select the right tools that bring the right services (figure 4).
A few key considerations for managing multicloud infrastructure, perhaps even more important now in a pandemic-ridden world, include building common data services, managing heterogeneous infrastructures, resolving endpoint complexity, and embracing new methodologies in IT operations (ITOps) including AIOps.
- On-premise data centers face business continuity risk: Organizations’ inability to access the workplace, including on-premise infrastructure, during the pandemic has made virtualizing the data center a hot-button issue for business continuity risk. If it is done right, there is historical evidence of long-term gains for organizations. For example, a fintech giant saved millions by moving tens of thousands of workloads into the cloud to reduce its data center footprint.13 There are two paths to building common data services: one that consolidates the data into a single physical or logical database or database systems and another that manages the data in a distributed way, leveraging virtualization to look at all the data as a single database, even though they are different distributed databases, using different database models. Whichever approach the organization chooses, the idea is to have a single path to unique customer, sales, product, and other data. This approach can allow organizations to:
  - Eliminate redundancy for increased efficiency and managed infrastructure cost
  - Understand the database in great detail, along with the metadata
  - Select the right database technology to suit their needs, understanding that generally cloud-native databases are the best choice
  - Enable the database service with API or web services access
  - Implement governance, security, and management services
Virtualized data warehousing has allowed large retailers, such as The Home Depot, to react faster to consumer needs across its supply chain. The Home Depot tracks more than 50,000 items across 2,000 locations, analyzes what items are sold when and where in real time with the internet of things (IoT), the edge and the cloud, and course corrects accordingly.14
- Heterogeneous infrastructure sees shifts in consumption and increased end-point complexity: Organizations are no longer managing systems in a single data center. They’re managing the mobile network, IoT devices, and the edge. Together they amplify data complexity (as in The Home Depot example). This trend toward a heterogeneous infrastructure already was underway, but COVID-19 has shifted consumption models across that network by changing where the workforce is and how work is happening. Those who already had cloud infrastructure benefited from being able to scale down workforce infrastructure costs for their unused infrastructure or increase resources in places where they saw more demand. After all, airlines, retailers, and insurance companies’ business models and workforce needs were all impacted differently by the pandemic and, therefore, their data and infrastructure demands to support the workforce will all be different. For example, due to remote working, cloud consumption at Audi Business Innovation GmbH, a unit of Volkswagen AG–owned carmaker Audi, jumped 12% between March and April, with employees using more of the rented, remote computing power and software tools. Given the organization was in the cloud already, it was able to adjust consumption models and platforms with an expectation to reduce spend by 30%.15 COVID-19 has changed the composition of what work organizations are sending to their off-premise data centers, how they’re accessing networks via nonstandardized channels, and what volume of on-premise IoT, mobile, edge, and cloud data needs to be managed across the network with shifting access points. All of this can increase complexity.
Chances are the company’s infrastructure already was a collection of many different platforms, some hosted on the cloud and some on premises, so to manage the shift in device consumption due to the pandemic (workers at home on laptops and mobile phones, off the corporate network), organizations need to understand the interfaces, security models, and governance models and go from there. Managing heterogeneous infrastructure often starts and ends with taking an overall system inventory and then creating a management plan to implement cloud operations (CloudOps). CloudOps, which combines network, security, performance, device management, and help desk tasks, can streamline operational process design to a physical operating model inclusive of tools and technologies. Organizations can look to manage end-point complexity by reducing the number of endpoints under management, minimizing the number of system types (processor, operating systems, databases), and using management, governance, and automation tools to manage the remaining complexity.
- Embracing new methodologies in ITOps including AIOps: Given the need to focus on CloudOps,16 one evolving area within CloudOps is AIOps. In cloud infrastructure monitoring, there has been an evolution from reactive monitoring to predictive monitoring, and now we are moving on to a new era of AIOps.17 The use of AIOps and other modern monitoring and management tools provides the mechanism to create layers of automation that are able to react to events and launch corrective processes (such as spotting packet errors coming from a single network device and temporarily routing around that device until it’s replaced). AIOps tools as well as other operations tools are able to analyze the data coming from all systems and devices to determine when something is failing—and they can do so before humans can. If configured properly, they can detect anomalous behaviors and launch corrective processes. Prior to the pandemic, several AIOps vendors were acquired by infrastructure automation organizations as part of a growing AIOps trend which we expect to continue.18
Federated security for the future of work, workforce, and workplace
While COVID-19’s impact on work, workforce, and workplace has forced IT to manage increasingly heterogeneous infrastructures with new tools and techniques, many infrastructures themselves are facing new security challenges, given that the where, what, and how of work has changed. As IT focus shifts to accommodate the new ways work is being done across altered workplace locations, the very context for security monitoring with an entirely new infrastructure composition—use of home internet, personal mobile devices, etc.—has changed. This has reinforced a need to focus on federated security strategies known for their success in managing distributed, heterogeneous infrastructure security across tiers, and driving situational awareness. Federated cloud frameworks allow organizations to deploy, integrate, and manage multiple cloud computing services.19 They can help define and implement federated security protocols across the application, network and system layers, and the cloud security center. The focus should be on proactive defense monitoring (early warning, command, and control) and managing access point attacks against malware, advanced persistent threats and network intrusions across infrastructure tiers, data storage, trusted platforms, websites, and operating systems. All this should be done to help enable dynamic threat information sharing.20 The US Department of Homeland Security, for example, created a cyber defensive and intelligence-sharing ecosystem that incorporated various defensive technologies (aspects of its moving target defense and cloud systems security) into federations of enterprises across a network of organizations to enhance security against known and novel attacks.21 As federated security has matured, organizations are increasingly focused on web services,22 security-as-a-service for a cloud federation,23 multicloud environment,24 blockchain-enabled frameworks, and network ecosystems25 (figure 5).
These trends will likely continue to develop, in addition to several new ones introduced by remote working orders, triggering new work infrastructure related to trusted network access, perimeter-based security, federated instant messaging (IM), and federated computing down to the end-point level.
- Heterogeneous security for heterogeneous IT infrastructure: As organizations look to secure a multitiered architecture encompassing the cloud, the edge, mobile, and IoT, they have to secure each architecture tier against threats specific to that tier. In fact, managing heterogeneous infrastructure requires a heterogeneous security model that is federated across the technology providers for the different tiers.26 At the end-point level, organizations should combine infrastructure monitoring and remediation with DevSecOps, coupled with AI for predictive and automated threat management, monitoring, and resolution, all at the desktop/mobile device level. In a federated security model, organizations are able to reach every infrastructure tier, device, or process and close security gaps with network segmentation. With COVID-19, the attack surface is now larger as the work infrastructure network is more dispersed or distributed, increasing the importance of proactive defense monitoring across all devices that extends beyond “threat detection” to “threat remediation.”
- Trusted access in a remote world: One industry study found that 33% of enterprise security attacks on cloud infrastructure are due to a lack of proper governance and security parameters related to role-based access control.27 Identity access is one of the top vulnerabilities—33% of respondents to a cybersecurity study reported that identity access management roles were impacted by cloud security breaches and top threats (including malware, ransomware, and cryptojacking incidents).28 Centralized security management is a timeless concept for managing security across distributed resources.29 Identity management focused on access privileges remains a cornerstone of securing the network, particularly as the new remote-working conditions have increased the remote network attack surface area. As perimeters vanish, a zero trust approach to cybersecurity can help organizations preserve the integrity and security of their data and assets outside of the perimeter across a range of devices.30 The approach shifts from network-based control to identity-based principles with access controls and identity management as a key focus. With zero trust, organizations take a “never trust and always verify” approach to improve their cyber posture across individuals and devices. The US Department of Defense, for example, has embedded zero-anonymity security features built onto its federated cloud infrastructure. This empowers administrators to monitor, track, and control all software, hardware, and user access to their respective clouds in real time.31 In response to the pandemic, the Cybersecurity and Infrastructure Security Agency announced an interim Trusted Internet Connection Policy to deal specifically with telework.32 Organizations are taking a “never trust, always verify, enforce least privilege” approach to securing privileged identities.33 Cosmo Films, a manufacturing company, has completely transformed its infrastructure from a centralized plant/office unit to a decentralization model with access layers: “We have access layers allotted based on user needs and have given availability and accessibility of our data lake and critical information to users pan-India without any geographical or time-zone challenges,” says Jagdip Kumar, the organization’s chief information officer.34
- Perimeter security of the office: COVID-19’s impact on work location (now home) has made traditional perimeter security models obsolete. The physically protected office no longer has people working inside the perimeter. So, security now needs to factor in access points for those that need remote access, where possible, and virtual alternatives—all these will likely require new security models. Organizations should replace perimeter-level security with device-level security, virtual services, virtual desktops, and remote IoT devices, and secure every component, including object repositories and web services.35
- Integrated/federated IM solutions: An emerging trend in federated security is the shift away from single-vendor IM solutions to integrated, federated IM solutions to fully leverage the cloud providers’ technology and avoid vendor lock-in. Amazon Web Services and Google Cloud Platform (GCP) can now be integrated with Microsoft Active Directory, making security management across multicloud infrastructure easier.36 Organizations, for example, can use GCP’s federated integration to integrate with a home Active Directory solution, which enables them to streamline virtualized security communications for faster threat detection and remediation. This shift in how people are collaborating across security is now being seen at a much larger scale across broader DevOps practices throughout the organization.
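The contrast drawn in the trusted-access and perimeter-security points above, as an added example that is not from the original article: a perimeter check that trusts by source network, beside a zero trust check that verifies identity, device posture, and least-privilege role permissions on every request. The office network range, role names, and request fields are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values for illustration: the office range, roles and permissions.
CORPORATE_NET = ip_network("10.0.0.0/8")

# Least privilege: each role lists only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "analyst": {("data-lake", "read")},
    "platform-admin": {("data-lake", "read"), ("data-lake", "write")},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    source_ip: str
    mfa_verified: bool      # identity proven for this session
    device_compliant: bool  # managed, patched endpoint
    resource: str
    action: str


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: trust anything that originates inside the office network."""
    return ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Default deny. Every request is verified; source network is never consulted."""
    if not req.mfa_verified:
        return False, "identity not verified"
    if not req.device_compliant:
        return False, "device posture failed"
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, "role lacks permission"
    return True, "allowed"


# Constructed sample requests.
REMOTE_ANALYST = AccessRequest("asha", "analyst", "203.0.113.7", True, True, "data-lake", "read")
OFFICE_UNMANAGED = AccessRequest("guest", "analyst", "10.1.2.3", False, False, "data-lake", "read")
ANALYST_WRITE = AccessRequest("asha", "analyst", "10.1.2.3", True, True, "data-lake", "write")
UNKNOWN_ROLE = AccessRequest("svc", "contractor", "10.1.2.3", True, True, "data-lake", "read")


def compare(requests):
    """Return (user, action, perimeter verdict, zero trust verdict, reason) per request."""
    rows = []
    for req in requests:
        allowed, reason = zero_trust_decision(req)
        rows.append((req.user, req.action, perimeter_decision(req), allowed, reason))
    return rows


if __name__ == "__main__":
    for row in compare([REMOTE_ANALYST, OFFICE_UNMANAGED, ANALYST_WRITE, UNKNOWN_ROLE]):
        print(row)
```

The perimeter model blocks the verified remote analyst and admits the unverified device on the office network; the zero trust check reverses both outcomes and also denies the analyst's write attempt.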
DevOps in a distributed world and altered ways of working
Many companies succeed with small cloud migrations, but when it comes to scaling the cloud, they stumble over organizational and process bottlenecks.37 This is where DevOps can streamline processes. DevOps encourages great communication and collaboration (in other words, teamwork) to foster better-quality software more quickly with more reliability. DevOps is a culture shift. Another study found that DevOps plus cloud is a multiplier that improves performance by as much as 81%.38 It’s no surprise then that an industry analyst firm showed double-digit DevOps tools growth in 2019, with worldwide revenue reaching US$8.5 billion.39
The easiest part of DevOps is the technology—automated scripts, continuous integration and delivery, and automated provisioning. Where organizations tend to struggle is transforming existing processes and structures to support automation and drive a culture change across a range of operations. These can be done via change management, deployment, user acceptance testing, security, compliance, and ongoing product strategy.
What’s changed with COVID-19 is that when people and teams are working remotely across nonstandardized infrastructure, processes should change. This is a unique opportunity to build greenfield processes and infrastructure given that pressing organizational needs are outweighing some of the usual barriers. In the postpandemic world, when organizations recover, decisions made now should enable companies to rationalize, standardize, and create more repeatable processes. DevOps strategies should evolve to bring in new, flexible communication and collaboration techniques that factor increasingly fragmented, remote, and heterogeneous work environments (figure 6).
We expect an increased focus on agile release cycles, virtual collaboration tools, hyperautomation, and continuous improvement across the entire product life cycle as organizations continue to shift left toward end-to-end DevOps.
- Doubling down on agile for increased responsiveness: A shift-and-adopt strategy is the standard for incremental cloud replatforming to cost-effectively enable elastic workflows that scale as needed, saving up-front cost and allowing the cloud environment to grow with need.40 As organizations accelerate their cloud programs—as is the case now—a lift-and-shift approach can work to consolidate data centers or avoid the cost of an infrastructure refresh. Cloud modernization programs can embrace DevOps to align IT development and business operations and to achieve greater delivery agility while maintaining flexibility during times of uncertainty. Continuous build and continuous deployment automation tools are the key features of DevOps currently, supported by test automation tools.41 They are the baseline organizations should consider for an agile cloud migration that delivers speed to market and flexibility during uncertain times, such as now. During such times, organizations should be able to react and respond instantaneously. With COVID-19, there is less appetite for large strategic innovation initiatives and more focus on tactical work that provides immediate value and solves today’s pain points, now.
- The rise of ChatOps: A remote working environment has fed the adoption of project team-focused, cross-departmental, and cross-organizational communication and cooperation tools. Project teams are using Slack, Microsoft Teams, and other internal communication platforms focused on team collaboration for interactive and instantaneous conversations. These support work across virtual teams, a trend accelerated by COVID-19. For example, Microsoft Teams clocked 4.1 billion meeting minutes per day in April compared to 900 million in mid-March.42 Its daily active user base more than doubled to 75 million from 32 million.43 Similarly, during the first quarter of FY20, Slack added 90,000 net new organizations, of which 12,000 were paid customers (28% increase year over year).44
Especially when working remotely, collaboration tools are of immense value at the project level because teams can communicate in real time, develop a centralized knowledge base, and create a consolidated, instant access network that’s accessible anywhere and anytime. If the full-collaboration potential can be unlocked, teams can free up meeting time and move toward more efficient collaboration methods. Project teams can set up channels to reach beyond the group to experts outside of the team to gain warm responses and crowdsource intelligence, and can push thematic updates into filtered channels and access them on demand. To enable collaboration across technology and business, social business collaboration tools45 are gaining attention as they allow for real-time engagement with business stakeholders throughout the development process. These tools are especially important as business and technology strategies shift rapidly in response to COVID-19. Last but not least, cross-organization collaboration tools can support remote data center management by connecting stakeholders across organizations for more seamless communication between IT teams and their vendors, partners, and clients.
- Hyperautomation: Automated provisioning is a key DevOps capability that delivers computing capacity on demand without manual intervention, providing the foundation for flexible infrastructure and dynamic resource allocation. This can help get rid of the “toil”46 (any work that is directly tied to running a service that is manual, repetitive, and automatable, and where there’s no enduring value), which is a major roadblock to success. IT automation is core to any DevOps strategy, given the goal is to create automated and repeatable processes. But in a post-COVID-19 world, automation will likely be more important than ever because of the need for continuous learning and improvement. COVID-19 is pushing the need to streamline processes and make them less human dependent, urging organizations to explore next-level value from cloud AI and machine learning services. Additionally, for new initiatives, think about cloud-native applications for new infrastructure, which further automates and streamlines IT and development operations with automated provisioning and zero-downtime deployment, and microservices architectures that manage risk and volatility more easily.47
- Reimagining traditional roles: Cloud has also forced many organizations to reimagine tried-and-true roles, moving away from silo-based domain teams building servers and networks as a single focus and driving toward the creation of a full-stack cloud “platform” team delivering cloud services that developers can use to deliver to their customers in a secure and compliant manner. There is a fundamental mindset shift from an IT command-and-control center model to a customer-centric IT-as-a-service model where IT is supporting a customer-centric, product-focused operating model. This marks a shift from centralized operations support to embedded operations capabilities. These capabilities shift the product team to a very different full-stack team model with shared goals and objectives around a product for greater alignment. Antony Edwards, chief operating officer, Eggplant Software, speaks to this DevOps evolution, stating, “The combination of customer-centric development, microservices, and automated DevOps pipelines pushes the role of developer further away from a coding focus and more toward product design. This evolution mirrors how CAD tools moved architecture from materials engineering to design.”48 In a Flexera study, 73% of enterprises report having a central cloud team or cloud center of excellence49 versed in cloud, microservices, and API technologies.
In addition to the creation of platform teams, the architect is being elevated within the organization to solve multidimensional business challenges given the prevalence of interconnected technologies and devices.50 With COVID-19, manufacturing/consumer packaged goods, health care, education, travel and hospitality as well as state and local governments are seeing the destruction of traditional supply chains. This can provide a unique opportunity for architects to work with the business to build new solutions that enable organizational agility for next-generation supply chains.
- End-to-end DevOps on the horizon: Organizations continue to push forward with a “shift left” DevOps strategy, shifting beyond infrastructure and successfully using DevOps to achieve consistent build and automated testing, despite different environments. Organizations that are further in their journey have embraced DevSecOps for integrated security across development operations—integrating security into the development design process. “Essentially, security becomes a design constraint. The shift-left paradigm … requires security to be built into software instead of being bolted on,” says Shannon Lietz, leader and director of DevSecOps, Intuit. “Shifting left requires everyone knows how to collaborate and understand enough of the context to ensure the safety of software,” she continues.51 Telstra, an Australian telecom company, cited a 20–30% improvement in secure coding skills among its developers.52 Alana Brown, senior director, Puppet, and the creator of the annual State of DevOps report, states, “I think there’s a big misconception that DevSecOps is just about shifting some security tests to the left. That’s not it. This is about fundamentally changing how all of these teams work together and how they collaborate … collaboration really is key, and it really does lead to better outcomes.”53
The next frontier is how to move operations, governance, and customer support to the left. Companies such as Concourse Labs, which recently received US$15 million in series A funding and offers automated cloud compliance, are emerging to address these areas. The platform uses a system of record (including enterprise policy, identity, and cloud usage histories) to generate baselines and predictions and enable automatic detection of anomalous behavior as well as test application releases with proposed remediation guidelines.54
Conclusion: The next frontier is upon us
COVID-19 has affected work, workforce, and workplace in dramatic ways and forced organizations to think about their future infrastructure needs and accelerate their movement to the cloud that can better handle constantly shifting business and workforce needs. Multicloud solutions and hybrid cloud technology strategies are the norm for those already in the cloud and will likely continue to see increased adoption as they enable business flexibility.
The next frontier of managing cloud complexity will likely be developing multicloud solutions that use the right combination of tools, software, and technology to manage cloud services and enable business applications—everything from orchestrating data from virtual data centers to implementing AIOps. These heterogeneous IT infrastructures are seeing shifts in consumption that make cloud—given its flexibility—a favorable solution. At the same time, it creates new access points and a large surface area for cyberattacks. Changes to location have made the perimeter-in-perimeter security obsolete, necessitating a shift to federated security models that can better manage security across infrastructure tiers and devices.
Finally, ways of working have been altered in profound ways, prompting organizations to double down on DevOps best practices that increase collaboration and introduce new approaches for a distributed world. Organizations can look to double down on agile development, embrace ChatOps for virtual collaboration, automate DevOps processes that continue to shift left, and step into new roles to support an IT-as-a-service operating model. This combination of multicloud solutions, federated security, and distributed DevOps can help create a future of cloud-enabled work infrastructure needed to make virtual business infrastructure work.