What is the CAF? And why is there one for Microsoft and another one for AWS? Is it the same approach to adopting the cloud? (Part I)

Oh, my goodness! What is the CAF, or Cloud Adoption Framework, and why does AWS have one CAF and Microsoft a different one, each with its own steps for the journey to the cloud? Is it exactly the same cloud adoption approach, or not?

Well, to be honest, there are two Cloud Adoption Frameworks. One is the Microsoft CAF, which provides the best methodology for migrating IT solutions and embracing the journey to the cloud for the many solutions or compute workloads already deployed on premises, or even in a private cloud. The other is the AWS CAF, which has a similar approach in terms of stakeholders but focuses more on six perspectives common to the business, while Microsoft takes into account three major factors: business strategy, technology strategy and people strategy.

Anyway, please keep in mind that AWS reached the public cloud first, so its CAF approach was based on its earlier experience, when almost no other players were in this market and cloud model. Microsoft came later with its own adoption approach, when many customers may already have become experts on these platforms; Netflix, for example, migrated to AWS in 2009, before Microsoft officially started with its Windows Azure classic portal in 2010.

So both giants have different experiences, and right now each tries to do its best to drive its customers through the digital transformation of their data centers and to improve their business outcomes in the process.

In this first post we'll scratch the surface of the CAF for AWS and Azure. Starting with AWS, let's see the pillars. There are six perspectives common to the business, as mentioned before, but AWS separates those with more impact on the technical people (Platform, Security and Operations) from those focused on HR, lawyers or finance people (Business, People and Governance).

Microsoft defines its initial scope taking three clear strategies as the first layer; if you compare them, they are somehow the same stakeholders. Let's see: Business strategy, People strategy, Technology strategy. Doesn't that sound familiar?

If you pay attention to these two approaches to bringing IT solutions to the cloud, you'll see they're pretty similar: both base their pillars on the people, those users you want to empower; the business you want to take to a new digital level, probably by opening a new channel to its market or developing a disruptive solution; and, obviously, the technology that makes all that feasible. Those apps, those web services, those IT solutions deployed with the magic of public cloud, a piece of common sense, and through governance, security, efficient operational management and the right platform, are now part of your company. Believe it or not, innovation and a global go-to-market will provide a solid foundation for your business in this crisis. We all know companies seriously affected by their very traditional IT solutions, their slow reaction to their clients and their incorrect market analysis.

CAF is the perfect ally to gain market by offering consumers and customers greater value than your competitors and providing a consolidated competitive advantage. By applying this framework you will align your CIOs, CTOs, financial managers, human resources, project managers, IT architects and IT staff to push together in the right direction with your technology front line: the digital transformation needed to put your own footprint on your evolution as a company. It's not magic; it's IT strategy and, once again, common sense.

Start the journey to the cloud with me…see you in the next post.

Sophos security sales engineer for Spain and Portugal

Alberto Ruiz Rodas



I had the pleasure of starting these interviews for our cloud community with Alberto Ruiz Rodas, a master and commander professional in security. We spoke about digital transformation in the context of Spain and Portugal, cloud providers, typical security issues, the remote desktop trend, how to adopt security for disruptive technologies on the public cloud, and the challenges with PaaS or serverless.

DIGITAL TRANSFORMATION

OK, I want to clarify: I just want to explain the current situation in Iberia, let's say, Spain and Portugal. Regarding digital transformation, companies are assuming the new scenario; they know it's convenient for their business. It took some time until many companies could understand that it is a must to protect desktops, or their access through a router to the Internet.

So the first approach was to use a VPN to connect to their companies and offices, but, for example, there are some quite simple tools on the Internet to scan for vulnerabilities; some people use them for security scanning, and we can call it “Google for Hacking” in a funny way. Well, when the lockdown started in Spain, the number of Terminal Servers and RDS hosts with port 3389 open to the world and exposed to the Internet without any kind of protection increased a lot in just a matter of days.

Really, it took many years for people to think about this problem seriously; right now a lot of companies and public institutions are concerned about security. But as you can see from this example, out there you still have to struggle with many people who go on without paying proper attention to it.

Another example: there is a company with old eighties systems for several tasks related to data transformation, which some employees are consulting using a simple “Telnet” command over the Internet. Access to those systems was forwarded through their telco router, and the customer even says “we never ever had a security issue”. Terrifying if you think that this happens, and it is worth remarking that there are between 30.000 and 40.000 RDP accesses in Spain open and ready to be attacked. There are 2 which are XP boxes. In some cases, we at Sophos are providing some patches and security tools for OT (Operational Technology) in factories. That's understandable. But if you are exposing desktops such as this one, please take care of it.

REMOTE DESKTOP & TELEWORKING COMBINED WITH THE RIGHT SECURITY

There is a trend towards providing VDI platforms to facilitate, let's say, bring your own laptop (BYOL) solutions for the private and public sectors as well. I want to believe that the security vector is intrinsic to VDI. I have some customers with VDI farms that make work easier for public servants, who can connect from their PCs at home without losing security, and others in the private sector using thin clients.

However, VDI requires protection, even if you are going to shut down and start your virtual desktops each day. If hackers can compromise a VDI platform you are at risk, as they'll have access to sensitive data, so pay attention to patching and maintain next-gen antivirus software; even if you face a zero-day vulnerability, it's important to react quickly, and next-gen protection will protect you against these new threats.

NEW PUBLIC CLOUD SECURITY CHALLENGES

Public cloud is providing new technologies and features that weren't there on the private cloud. For example, for us there are some APIs which can be very well integrated with the cloud providers. Most customers are combining cloud providers, so we bring value to all of them, for example by monitoring security very efficiently in a multicloud environment. Sophos believes in the cloud; Sophos can massively roll out Sophos XG Firewalls on Azure or AWS, and as soon as the instances start they are autoconfigured with adequate protection, for example Sophos Endpoint and Server next-gen protection, adding secure posture management tools like Sophos Cloud Optix to provide the right governance on those platforms.

Also, the container world, and Kubernetes in particular, is for us a strong goal and a new reality, so we can protect and integrate everything in this new strategy that Sophos is delivering to its customers globally.

We have a Cloud division within Sophos that can assist our company worldwide. For me, the awesome evolution of the public cloud is a challenge: it was based just on IaaS some years ago, for example, compared to nowadays with serverless, RBAC and IAM features, etc. It is a new reality for all of us to adapt to. Gartner says public cloud has come to stay.

Also, I want to point out one fact: there is a new issue, “misconfiguration”. It's quite curious, but Gartner says mostly 99% of security issues on the public cloud until 2022 come or will come from an administrator's misconfiguration of their own cloud platform, not from the cloud platform itself. Let's say I buy my VMs on the public cloud as pay-as-you-go, but 99% of security issues come from my own IT team. Our posture management tool can leverage security, monitor and provide hardening for storage exposed to the Internet or external access configured without protection by someone. For instance, a typical misconfiguration is a public bucket on S3 (a storage component in AWS) with sensitive information exposed to everyone on the Internet. It is well known that companies gathering private data from customers or people had those buckets open to the world. A very clear data leak, even more so when by default when you create a bucket on S3 there are private permissions to publish the data to the Internet. Or even if you create a MongoDB on Azure, some administrators allow some open queries to it.

HYBRID CLOUD AND THE TENDENCIES FOR THE FUTURE

The private cloud will be combined with the public cloud, but in the coming years I expect a merge between both of them. It is awesome how the public cloud is providing instances in any region, and maybe I have CPU in the USA and storage in Ireland. That brings you an exceptional data resilience that is very difficult to achieve with the private cloud.

WHAT BENEFITS SOPHOS CAN BRING IN TERMS OF SECURITY IN THE PUBLIC CLOUD

First of all, we have to be focused on governance and control in the cloud. With “Cloud Optix”, which can extract data from several APIs, we can get a very global view of network diagrams and understand in depth the traffic between the instances, or even inside those instances, and trigger alerts when some components are receiving traffic which is not allowed for them within those machines. So with ML and AI we can evaluate or somehow foresee what kind of service is running and understand weird traffic increases, to mention some actions. Another example: in DevOps platforms, and specifically with IaC (Infrastructure as Code), how can we know that those templates are solid and correct in terms of security? We have integrations with Jenkins, GitHub, Bitbucket and Terraform to verify that definitions and variables are adequate and that there is no risk for the company before they deploy such infrastructure and automate its use.

According to that, when we have governance and control over all the components in the public cloud, the best practices, for example in Azure, say: please don't expose your services to the Internet, and use firewalls. In that area we have adapted our firewalls to the cloud. If you check the marketplace you will see Sophos firewalls to buy as pay-as-you-go or even BYOL. These days we had some customers demanding to dramatically increase VPN access to their IT infrastructure remotely, and the best way to achieve it was to set up automation and massively deploy firewalls (virtual appliances).

To summarize, as a first approach we provide management and governance of the components in the cloud, as a second approach access control with VPN, and finally, as a last approach, security internally in any component the customer is configuring. We call that “Synchronized Security”; I've heard about this concept since 2015 at the international Sophos event, and today it is our true cornerstone in terms of security.

All the actors I've mentioned before (our secure posture management tool, our firewalls and the security components in each instance) can speak to each other. It makes no sense that a VM that is compromised, or at least at risk, can maintain connectivity and allow some traffic with other VMs in the same subnet or other networks. So the firewall should protect against this suspicious VM and cut all that traffic. But also, the other VMs/instances in the same network segment will be notified and won't accept traffic from the attacked instance, making a true isolation scenario until the incident is resolved…

Finally, before this interview we spoke about the productive cloud: we can provide a Sophos cloud specifically designed with our antispam, called Sophos Central Email, and antimalware or antivirus tools to protect other clouds. We can rapidly be integrated with other cloud providers' DLP solutions so we can block or encrypt data; we can prevent users from clicking malicious links, anti-phishing or CEO attacks, sandboxing, etc. But keep an eye on this, as our sandboxing is a cutting-edge technology and the most relevant player in the market according to many benchmarks and professional product analyzers. That technology can be used for free thanks to SophosLabs Intelix, an API that permits static and dynamic fine analysis.

An important fact is that we synchronize all our security components together; they work like a soccer team. For instance, if we detect a user sending spam or malicious data, our Sophos Central Email can block these mails, and Sophos Endpoint will isolate the PC's connectivity to other computers on the same network, combined with XG Firewall, which notifies the situation to the rest of the machines, other network segments or the Internet, and very quickly we can deny traffic during the incident; as a consequence we will trigger an automatic scan to verify the victim computer is clean.

SOPHOS STRATEGY – VERTICALS OR CLOUD PROVIDERS

Sophos wants to be agnostic across all the cloud providers; we want to make admins' lives easier. Regarding verticals, our solutions are open to all verticals, whether it's industry, public instances, etc. What is important for us is to be flexible and have scalability.

SHARED MODEL RESPONSIBILITY ON THE CLOUD

With “Cloud Optix” we can leverage trust in the public cloud for the customer on IaaS or PaaS. To be honest, it is not the responsibility of the customer or of the cloud provider alone, but a mix of both, and we can somehow be the glue between them.

Serverless is clearly a security challenge; Sophos can protect the containers or container orchestrators and provide log analysis for them.
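
As an added illustration of the misconfigurations and the IaC template checks discussed in the interview (this is not Sophos code and not from the interviewee), the sketch below scans a constructed CloudFormation-style template for RDP or Telnet ports open to the whole Internet and for S3 buckets made public. The choice of CloudFormation, the resource names and the `find_exposures` helper are assumptions made for the example.

```python
ADMIN_PORTS = {3389: "RDP", 23: "Telnet"}  # the two services named in the interview
ANYWHERE = {"0.0.0.0/0", "::/0"}

def sg(*rules):  # builds a constructed security group resource
    return {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": list(rules)}}

def bucket(**props):  # builds a constructed S3 bucket resource
    return {"Type": "AWS::S3::Bucket", "Properties": props}

# Constructed sample template; resource names are hypothetical.
SAMPLE_TEMPLATE = {"Resources": {
    "RdsHostSg": sg(
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}),
    "LegacySg": sg(
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25, "CidrIpv6": "::/0"},
        {"IpProtocol": "-1", "CidrIp": "10.0.0.0/8"}),
    "CustomerData": bucket(AccessControl="PublicRead"),
    "Logs": bucket(PublicAccessBlockConfiguration={"BlockPublicAcls": True, "IgnorePublicAcls": True}),
}}

def open_admin_ports(rule):
    """Admin services that this ingress rule exposes to the whole Internet."""
    if not {rule.get("CidrIp"), rule.get("CidrIpv6")} & ANYWHERE:
        return []
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto == "-1":  # "-1" means all protocols and all ports
        lo, hi = 0, 65535
    elif proto in ("tcp", "6"):
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    else:
        return []
    return [f"{svc} ({port}/tcp) open to the internet"
            for port, svc in ADMIN_PORTS.items() if lo <= port <= hi]

def find_exposures(template):
    """Return sorted (resource name, finding) pairs for the template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                findings += [(name, f) for f in open_admin_ports(rule)]
        elif res.get("Type") == "AWS::S3::Bucket":
            if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
                findings.append((name, "bucket ACL grants public access"))
            pab = props.get("PublicAccessBlockConfiguration", {})
            if any(v is False for v in pab.values()):
                findings.append((name, "public access block partly disabled"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in find_exposures(SAMPLE_TEMPLATE):
        print(f"{name}: {finding}")
```

Run in a pipeline step before deployment, a non-empty result is the signal to stop the rollout until the rule or bucket setting is corrected.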


When your instincts tell you something is wrong and it's not for you...

Someone comes up to me and asks if I would like to evaluate some IT services to be migrated to Azure or AWS, or even Google or Alibaba...

Yes, definitely, that can happen, and maybe it is terrifying. But you probably have old legacy applications with no support at all, maybe operating systems with no support at all, or even, and this is the most common driver, you are running out of disk space.

Let's say your IT provider explains how to back up or plan disaster recovery for your VMware farm and the VMs hosted on some private cloud provider, which asks you for a lot of money when you want a snapshot or more space for previous backups. Would you open your ears to them?

Let's say you know your infrastructure budget is limited and, in the last meeting you attended, your CFO wanted to know how to expand your products to other markets, and how you can reduce IT investment and increase go-to-market in other countries. Do you dare to ask about AWS or Azure?

I need to be sure, and I want a clear roadmap to the public cloud: how to determine whether some applications are suitable for the cloud, how my TCO compares with the cloud scenario, a cloud consumption forecast, and, please, security: is it really secure?

The journey to the cloud depends on a solid assessment methodology, the right tools, the right knowledge and licensing experts. Pay attention to that. As long as you have all of that, there is nothing to fear.

There are lots of simple or quite simple applications that can be migrated to the cloud while reducing their hardware profile, which in many cases is oversized. In any case, the six cloud migration strategies (the 6 Rs) should be followed by the company in charge of your cloud transition projects. On the other hand, please keep in mind: a lift-and-shift approach with no previous consultancy, not enough discovery of your data center infrastructure, and no focus on challenges and blockers is something to be worried about.

Another factor to evaluate is your coexistence model with your on-premises IT world, private cloud and other SaaS applications, which may have SSO with your company. Designing the right strategy for your hybrid cloud and embracing the best of east and west is a must in your roadmap. Don't forget that.

Finally, security. You don't need to struggle with security, as it is more a matter of adoption with the right experts, who will guide you in parallel with your workload migration. It is true that the cloud provider (AWS, Azure or whichever you choose) takes care of the cloud (they are compliant with many certifications such as FIPS, HIPAA or ISO2007), but you take care of your applications in the cloud. The providers offer a lot of cutting-edge technologies to minimize effort and reduce the complexity of your security maintenance. There is even a tremendous marketplace with all the best third-party security products aligned with them.

How complex would my journey to the cloud be? I know there are lots of new functionalities every day.

Yes, we can refactor some applications in a second phase, or we can even modify your DevOps model to be more efficient. With governance, we can reduce cost, improve availability and scalability, and standardize your deployment of new services. We can work with you on data analytics scenarios with different ETLs, or help you with IoT, PaaS and serverless solutions for new web services and so on. But that depends on you and your business needs.
