Recently, we upgraded our cloud environment. This raises the question, “What is wrong with the environment after an upgrade?” As tools improve, we get new warnings, messages, and analytics. This often leads to a decision to ensure that after the upgrade, all monitoring, alerts, and other diagnostics show green across the board. Is this required, desirable, and even warranted? Wouldn’t it make sense to understand a change between releases first, before blanket acceptance?
This is the dilemma facing many admins, CIOs, CTOs, and others in similar positions of authority. Should we always be green across the board, or blindly follow the tools’ advice? Blindly following that advice isn’t always a good thing to do. It can actually break things. What is needed is more information about why things are no longer green after the update. What changed? What’s the cause of the issue? We need knowledge, not glowing green lights.
This is even more true when cloud services get updated, and suddenly your logging, analysis, performance management, and other tools show previously unknown issues and problems. If these are new and no changes have been made, are they related to the recent cloud upgrade? Did something change underneath your application that caused these issues?
One should always question any such changes, understand their impact, and if impact is discovered, modify accordingly. This is especially important with security issues. If a security monitor changes state, then either the cloud provider improved something and the change is for the better, or the cloud provider may have made a change for the worse per your organization’s policy. The “why?” of such changes needs to be fully understood, and updates must be rolled out as soon as possible to fix the problem. Or perhaps it is an issue that is mitigated elsewhere, and documentation is all that is needed.
Either way, the decision to make any change requires knowledge, possibly more knowledge than your cloud provider is willing to provide you. In the latter case, you’ll need to understand your application, alternative security measures, and overall impact.
This is where the drive to get to green has issues. Hybrid cloud, ITOA, and ITaaS platforms are becoming ever more complex. As shadow IT comes into the fold of IT, hybrid clouds get more diverse and more involved. They require more knowledge—and not just knowledge, but understanding across disciplines such as IT operations, development, security, compliance, and yes, even legal.
Cross-Functional Team
The solution is very simple: there needs to be a cross-functional team that manages all cloud relationships, both internal and external. This team would manage the cloud, IT operations, logging, analysis, contracts, and the like. This isn’t a team that says “no,” but rather one that responds “yes.” It is forward thinking and looks out for the organization. The team should have access to people to provide the knowledge to understand the impact of any cloud change.
It sounds like I am proposing a gatekeeper to the cloud, but I am not. I am proposing a team that responds to cloud changes after they happen, ensuring that compliance, security, monitoring, and logging get the proper response. It is a team that does not insist that all tools show green, but understands why some tools don’t. It can answer or document the reasons why something may or may not be green and what mitigates any issues. This team also opens up the cases that will, when resolved, bring everything back to green once more.
In complex environments, this is not an easy answer. For example, perhaps you have a data loss prevention (DLP) tool that shows data has been transferred to a third party. At the same time, the performance management tool has shown a change in the performance of a critical application. Would an IT operations person know if they were related when the DLP tool is managed by the security team? Would the security team know if the third party was allowed to receive that data, or would that just be a legal issue? Case in point: they could be related. It is perfectly legal for this to happen and not worth more than documentation, coupled with a change to the DLP tool to not report on such transfers for the duration of the contract.
Closing Thoughts
IT can no longer be an island in the world of the hybrid cloud. The complexities are great, but the knowledge is usually not 100%, and the understanding could be far below par. To combat this, we may need not better tools, but rather new ways of managing our environments, responding to issues, and the like. While new tools will help, they will help more if we know what they’re trying to fix. If we do not know, we cannot tell. Trial and error only goes so far.
Where are you with respect to managing the hybrid cloud?