Nico Brandt, Azure Customer Succes Lead Finance & Government Industry

18-5-2020

Cloud Adoption Framework for Azure | Overview

Agenda

● Why is cloud adoption important?

● Overview: Microsoft Cloud Adoption Framework for Azure

● Real life experience at TataSteel

● How Capgemini can help

Why is cloud adoption important?

91%

Digital transformation

1Research Report, ISACA, Information Systems Audit and Control Association, 2018

68%

85% 64%

Overview:Microsoft Cloud Adoption Frameworkfor Azure

Achieve balance. Deliver modernization.

Deli

Control &

StabilitySpeed &

Results

ReadyPlan AdoptDefine Strategy

ManageGovern

Migrate

Innovate

Thank You

Together we make the difference

The TATA Steel Europe state-of-the-art Cloud Competence CenterMay 2020

Evert de Vos Chief Enterprise Architect

Introduction

14

Evert de Vos

Chief Enterprise Architect TSE

▪ Application and Infra landscape

▪ Digital Strategy

▪ 37 years with Tata Steel Europe and

predecessors

TSE cloud first strategy has 3 broad themes

15

Redirect all new

infrastructure

investments to

Cloud

All new data &

analytics use cases

on Azure,

All new applications

on SaaS, or built

natively on Cloud

PaaS

Design for Cloud by

default (automated,

API-connected,

fault-tolerant,

secure)

Ring-fence the

existing DC, and

migrate

Freeze on any on

premise

infrastructure

investments

Migrate existing

workloads in

phases, with a

preference for Cloud

PaaS

Build Cloud

expertise (Center of

Excellence)

Buy, borrow, or build

Cloud expertise to

sustainably operate

on Cloud

Re-define the

service & incident

mgmt. model to

cover both on

premise and Cloud

workloads

Ringfence the datacentre and migrate

▪ Develop a Business case

▪ Develop and test a transformation strategy

▪ If the datacentre is outsourced align with the managing partner

• Discuss and agree “What is in it for them”

• Deal with Pushback

▪ Because of a different set-up of the outsourcing model there was no business case for datacentre migration

16

▪ Start with a CCC as a disruptive Team

– Embeding a CCC in a classic IT

organization does not work

▪ Everything is faster

▪ Everything is different

▪ Much more is feasible

– Standard classic IT procedures and way

of working will be an obstacle

– Pushback of the existing IT organization

▪ Make sure there is high level management

support

Build Cloud Expertise

17

▪ A use case that has the potential to deliver

significant value

▪ A use case that needs new technology and

speed

– Develop a roadmap and setup Agile

Devops teams

– Be prepared for failures, not

everything will work right the first

time

▪ Populate the teams with people that are

eager to learn

18

Start with a lighthouse use case

Create the most Digital & Analytics enabled steelplant

19

▪ MVP’s, sprints, find out what works and

what not

▪ Don’t be afraid to fail. You can quickly

repair and adopt ( Infra as a code)

– So much technology, many ways to

build a solution

– Step by step

▪ Step away from “Application development

and transfer to maintenance”

▪ Setup DevOps teams who are responsible

for development and Operations. “Infra as

code” makes that feasible

20

Doing and Learning

▪ Platform, Features, Customer, Security

teams

– Make sure that your people are

skilled in IT to the widest possible

extent

– Above all, make sure they are eager

to learn

– Seduces them by pointing out all the

new techniques the can play with

21

People

▪ Do not build a Datacenter in the cloud

▪ Make sure there is a maximum amount

of self service available for all the team

that work in the cloud eco system

▪ Build standard products (Features) that

are available for all teams

▪ Features need to be fully configured and

need to have simple deployment scripts

22

Automate

▪ Building VM’s , Databases etc, is IAAS,

in the end you build a Datacenter

▪ The best is SAAS, but with a CCC focus

on PAAS

▪ In all cases build scripts that allow

reproducible activation of standard

components

▪ Do not accept development teams on the

Azure Portal (reserved for CCC)

▪ To keep control give Every development

team their own software development

pipeline (Azure Devops)

23

SAAS, PAAS avoid IAAS

▪ Develop a training

▪ How is the cloud configured

▪ What are the Features

▪ How does the automation work

▪ Application processes, self-service

(integration with Service Now)

▪ Software deployment

▪ The Security framework !

24

Onboarding the teams

▪ Using the cloud will make IT cheaper, but it

does not happen by itself

▪ Work Agile, DevOps teams

▪ Develop common standard features

▪ Only use the infra when you need it

▪ Use PAAS

▪ Monitor the costs

▪ Make the costs transparent for the users

25

Managing costs

▪ Your private cloud is as safe as you make

it, all components are available.

▪ Develop a security framework.

▪ For solutions develop a business impact

score, that will determine the security levels

▪ Make sure development teams are aware

of security and understand it

▪ Use the build in security portals of Azure to

manage security

26

Security

The CCC operating model

27

Two Platforms

28

CCC develops and support standard Cloud features for TSE(including DnA)

DnAdevelops and supports a standard central Data Lake for TSE to store and manage data

DevOps teams support faster deployment of Digital in TSE

29

▪ Standard features

▪ Cost Control

▪ Mature security framework

▪ DevOps Pipelines

▪ Self service

▪ Ability to deploy new features quickly

▪ Enabler for Value generation

Many DevOps teams make use of it

▪ Advanced Analytics for manufacturing and

supply chain

▪ EDI (using Logic Apps)

▪ E-commerce Platform

▪ Asset Health Monitoring and IOT

▪ OT specific

The TSE CCC is mature

30

The Advanced Analytics and Digital Steel plant of the future is being built across the full value chain

31

Do you have any questions?

Tata SteelGroup Information systems

www.tatasteeleurope.com

Cloud Competence CenterBest practices building a

Introduction

Eric Zuidweg

Capgemini NL - Custom software Development

Focus: Cloud Competence pre-sales & development

AS/400, Web apps, BPM, Mobile, Azure Cloud

58 yrs, IT: 30 yrs

3 grown kids, 1 grandson

Hobbies: Photography, Bass, Camper

Lock-down-hobby: Tinkering

The challenge: Approach to Cloud ManagementD

o it

Yo

urs

elf Innovative

Discovery

Start Quickly

Few standards

Low cost control

Low security control: RISK

Strong guardrails needed

Serv

ice

Ap

pro

ach Centralised provisioning

Shifting standards

More cost & security control

Support overload

Backlog & delay

Strong guardrails needed

Self

-Se

rvic

e Infra as Code, CI/CD

Standards enforced

Scalable

Predictable

Much effort into scripting

Time to innovate

Cost optimisation

A Cloud Competence Center IS a best practice

• Make company IT more flexible to Innovate faster

• Realising the benefits of the Cloud

• moving from CAPEX to OPEX

• Resources on Demand

Mission

• develop more efficiently, better quality solutions, with higher business impact while being secure and manageable

Strategy

Tactics: Area’s for Best Practices

1. Solution Design

2. IAM

3. Networking & Security

4. Development

5. Service & Cost Management

*Microsoft Cloud principles will shows as blue blocks

Practical approach

• Platform Management

• Security

• Feature Development

• Customer Team

• Solution Design for Business Use Cases

• Scrum, DevOps and SAFe way of working

How: Centralise cloud skills in

• Resource provisioning

• Share experience, standards

• Solution optimization (cost, performance, availability)

Support

1. Solution Design

• SAAS > PAAS > IAAS

• Distributed, Hybrid solutions

• Loose coupling

• Design for Failure & Self Recovery

• Big Data: Bring processing to the data

Service Oriented Architecture

• Lock down Public Services

• Rationale and cost-justification for the solution

• What measures to take when (in process, in transit, at rest)

Risk based approach

4141

Tata Steel Security Controls Overview for Azure Cloud environments v2.0

Experience Center

Baseline Security Level Controls

F1. IAM on all accounts and resourcesF2. Logical Security Zoning – Account levelF3. Tagging of all resourcesF4. Activity and Event Logging

F5. Malware DetectionF6. Tata Steel approved services and versions

High Security Level ControlsThese controls include additional controls or add-on requirements on Baseline Security controls

Usage Terms and Conditions for Experience Center environment;No network connectivity with CIA rated

Virtual Private Networks;No outbound network connectivity with Tata Steel on-premises and with Azure Private;Auto purge (limited time period, non-persistent trial workloads only);No Production Data allowed.

Author: Tata Steel Azure CCC Security Team - Version: 2.0 - Released: 20181004

Scanning/DetectionB10. Vulnerability & Compliance Management

IAAAB9. Keys & Certificates management

Scanning/DetectionH7. Pentesting on all public endpoints

DataH4. Additional Secure Data at Rest, in transit, in processH5. Data Leakage Prevention

IAAAH6. Additional Keys management

InfrastructureH1. Additional Azure network access H2. Additional Log ManagementH3. Additional Availability Protection

InfrastructureB1. Infrastructure as codeB2. Logical Security Zoning – Network segmentationB3. Azure network access (ingress, egress)B4. Basic DDoS protection

DataB5. Encrypt Data in TransitB6. Encrypt Data at RestB7. Production Data BackupB8. Data Life Cycle Management

Foundation Security Level Controls

DTAP Environments

EC1

EC2

EC3

EC4

EC5

2. IAM, Authentication & Authorisation

Azure AD is key for SAAS/PAAS/IAAS

Hybrid Identity: Onprem AD & Cloud

synchronisation

Open Protocols

• OAuth 2.0, OpenID Connect

RBAC: Groups & Roles

3. Networking & Security

• network peering & hybrid identity

Create an Even playing field

• CI/CD to D, T, A & P

• Disaster recovery and scaling

Treat networking resources as software

• Mix of Internet, PAAS, Vnet, OnPrem Networks

• Firewalls, NSG’s

• All traffic is encrypted

• Detailed zoning via Subnets

Check connectivity in every way

Hub & Spoke Model

Azure ”Private”Subscriptions & DTAP VNets

VDCxx

Networking: Hub/Spoke Model

Management Hub

Factory1

Dev/POC

Experience Center

OnPremise

Factory2

INTERNET

Azure PublicPAAS Services

Legacy0

Legacy1

Express Route

VDC01

Experience Center

4. Feature Development

• For Self-Service

• Naming and tagging standards

• Instrumentation for Security, Logging, Backup, Monitoring, Malware

• Contributer rights only during pipeline execution

Wrappering Control plane in DevOps Extensions

• Enables DTAP, CI/CD

• Enables Recovery and Cost Reduction

Infra as code

• Avoid Bottlenecks

• Start MVP

• CCC members are coders!!

Major activity

4646

IOTDatabricks

5. Service & Cost Management

Selfservice

Modern Service Management

• Adapt ITIL for Cloud & DevOps

• Register assets to the DevOps teams

• Azure itself is the Component Database

Tagging for Cost management

• Show-back, Chargeback

Call to Action

Determine which stage you’re in

• DIY, Service or Self Service?

Learn to apply CCC principles for your Cloud Journey

Sign up for your Deep Dive Session

https://www.capgemini.com/nl-nl/evenementen/deep-dive-session-build-your-state-of-the-art-cloud-competence-center/

Discuss a CCC approach with your Capgemini sales or Microsoft PSS

Info & Links

eric.zuidweg@capgemini.com

https://www.capgemini.com/nl-nl/evenementen/deep-dive-session-build-your-state-of-the-art-cloud-competence-center/