TRANSCRIPT
Nico Brandt, Azure Customer Success Lead Finance & Government Industry
18-5-2020
Cloud Adoption Framework for Azure | Overview
Agenda
● Why is cloud adoption important?
● Overview: Microsoft Cloud Adoption Framework for Azure
● Real life experience at TataSteel
● How Capgemini can help
Why is cloud adoption important?
[Slide figures: four percentages on digital transformation (91%, 68%, 85%, 64%); the labels saying what each figure measures did not survive extraction. Source: Research Report, ISACA, Information Systems Audit and Control Association, 2018]
Overview: Microsoft Cloud Adoption Framework for Azure
Achieve balance. Deliver modernization.
Control & Stability versus Speed & Results
Lifecycle: Define Strategy, Plan, Ready, Adopt (Migrate, Innovate), Govern, Manage
Thank You
Together we make the difference
The TATA Steel Europe state-of-the-art Cloud Competence Center, May 2020
Evert de Vos Chief Enterprise Architect
Introduction
Evert de Vos
Chief Enterprise Architect TSE
▪ Application and Infra landscape
▪ Digital Strategy
▪ 37 years with Tata Steel Europe and predecessors
TSE cloud first strategy has 3 broad themes
1. Redirect all new infrastructure investments to Cloud
▪ All new data & analytics use cases on Azure
▪ All new applications on SaaS, or built natively on Cloud PaaS
▪ Design for Cloud by default (automated, API-connected, fault-tolerant, secure)
2. Ring-fence the existing DC, and migrate
▪ Freeze on any on premise infrastructure investments
▪ Migrate existing workloads in phases, with a preference for Cloud PaaS
3. Build Cloud expertise (Center of Excellence)
▪ Buy, borrow, or build Cloud expertise to sustainably operate on Cloud
▪ Re-define the service & incident mgmt. model to cover both on premise and Cloud workloads
Ringfence the datacentre and migrate
▪ Develop a Business case
▪ Develop and test a transformation strategy
▪ If the datacentre is outsourced align with the managing partner
• Discuss and agree “What is in it for them”
• Deal with Pushback
▪ Because of a different set-up of the outsourcing model there was no business case for datacentre migration
Build Cloud Expertise
▪ Start with a CCC as a disruptive Team
– Embedding a CCC in a classic IT organization does not work
▪ Everything is faster
▪ Everything is different
▪ Much more is feasible
– Standard classic IT procedures and way of working will be an obstacle
– Pushback of the existing IT organization
▪ Make sure there is high level management support
Start with a lighthouse use case
▪ A use case that has the potential to deliver significant value
▪ A use case that needs new technology and speed
– Develop a roadmap and setup Agile DevOps teams
– Be prepared for failures, not everything will work right the first time
▪ Populate the teams with people that are eager to learn
Create the most Digital & Analytics enabled steel plant
Doing and Learning
▪ MVPs, sprints, find out what works and what not
▪ Don’t be afraid to fail. You can quickly repair and adopt (Infra as code)
– So much technology, many ways to build a solution
– Step by step
▪ Step away from “Application development and transfer to maintenance”
▪ Setup DevOps teams who are responsible for development and Operations. “Infra as code” makes that feasible
People
▪ Platform, Features, Customer, Security teams
– Make sure that your people are skilled in IT to the widest possible extent
– Above all, make sure they are eager to learn
– Seduce them by pointing out all the new techniques they can play with
Automate
▪ Do not build a Datacenter in the cloud
▪ Make sure there is a maximum amount of self service available for all the teams that work in the cloud eco system
▪ Build standard products (Features) that are available for all teams
▪ Features need to be fully configured and need to have simple deployment scripts
SAAS, PAAS avoid IAAS
▪ Building VMs, Databases etc. is IAAS, in the end you build a Datacenter
▪ The best is SAAS, but with a CCC focus on PAAS
▪ In all cases build scripts that allow reproducible activation of standard components
▪ Do not accept development teams on the Azure Portal (reserved for CCC)
▪ To keep control give every development team their own software development pipeline (Azure DevOps)
Onboarding the teams
▪ Develop a training
▪ How is the cloud configured
▪ What are the Features
▪ How does the automation work
▪ Application processes, self-service (integration with Service Now)
▪ Software deployment
▪ The Security framework!
Managing costs
▪ Using the cloud will make IT cheaper, but it does not happen by itself
▪ Work Agile, DevOps teams
▪ Develop common standard features
▪ Only use the infra when you need it
▪ Use PAAS
▪ Monitor the costs
▪ Make the costs transparent for the users
Security
▪ Your private cloud is as safe as you make it, all components are available.
▪ Develop a security framework.
▪ For solutions develop a business impact score, that will determine the security levels
▪ Make sure development teams are aware of security and understand it
▪ Use the built-in security portals of Azure to manage security
The CCC operating model
Two Platforms
CCC develops and supports standard Cloud features for TSE (including DnA)
DnA develops and supports a standard central Data Lake for TSE to store and manage data
DevOps teams support faster deployment of Digital in TSE
The TSE CCC is mature
▪ Standard features
▪ Cost Control
▪ Mature security framework
▪ DevOps Pipelines
▪ Self service
▪ Ability to deploy new features quickly
▪ Enabler for Value generation
Many DevOps teams make use of it
▪ Advanced Analytics for manufacturing and supply chain
▪ EDI (using Logic Apps)
▪ E-commerce Platform
▪ Asset Health Monitoring and IoT
▪ OT specific
The Advanced Analytics and Digital Steel plant of the future is being built across the full value chain
Do you have any questions?
Tata Steel Group Information Systems
www.tatasteeleurope.com
Best practices building a Cloud Competence Center
Introduction
Eric Zuidweg
Capgemini NL - Custom software Development
Focus: Cloud Competence pre-sales & development
AS/400, Web apps, BPM, Mobile, Azure Cloud
58 yrs, IT: 30 yrs
3 grown kids, 1 grandson
Hobbies: Photography, Bass, Camper
Lock-down-hobby: Tinkering
The challenge: Approach to Cloud Management
Do it Yourself
• Innovative
• Discovery
• Start Quickly
• Few standards
• Low cost control
• Low security control: RISK
• Strong guardrails needed
Service Approach
• Centralised provisioning
• Shifting standards
• More cost & security control
• Support overload
• Backlog & delay
• Strong guardrails needed
Self-Service
• Infra as Code, CI/CD
• Standards enforced
• Scalable
• Predictable
• Much effort into scripting
• Time to innovate
• Cost optimisation
A Cloud Competence Center IS a best practice
Mission
• Make company IT more flexible to Innovate faster
• Realising the benefits of the Cloud
• Moving from CAPEX to OPEX
• Resources on Demand
Strategy
• Develop more efficiently, better quality solutions, with higher business impact while being secure and manageable
Tactics: Areas for Best Practices
1. Solution Design
2. IAM
3. Networking & Security
4. Development
5. Service & Cost Management
*Microsoft Cloud principles will show as blue blocks
Practical approach
How: Centralise cloud skills in
• Platform Management
• Security
• Feature Development
• Customer Team
• Solution Design for Business Use Cases
• Scrum, DevOps and SAFe way of working
Support
• Resource provisioning
• Share experience, standards
• Solution optimization (cost, performance, availability)
1. Solution Design
Service Oriented Architecture
• SAAS > PAAS > IAAS
• Distributed, Hybrid solutions
• Loose coupling
• Design for Failure & Self Recovery
• Big Data: Bring processing to the data
Risk based approach
• Lock down Public Services
• Rationale and cost-justification for the solution
• What measures to take when (in process, in transit, at rest)
Tata Steel Security Controls Overview for Azure Cloud environments v2.0
Author: Tata Steel Azure CCC Security Team - Version: 2.0 - Released: 20181004
Environments: DTAP Environments; Experience Center (EC1, EC2, EC3, EC4, EC5)
Foundation Security Level Controls
• F1. IAM on all accounts and resources
• F2. Logical Security Zoning – Account level
• F3. Tagging of all resources
• F4. Activity and Event Logging
• F5. Malware Detection
• F6. Tata Steel approved services and versions
Baseline Security Level Controls
• Infrastructure: B1. Infrastructure as code; B2. Logical Security Zoning – Network segmentation; B3. Azure network access (ingress, egress); B4. Basic DDoS protection
• Data: B5. Encrypt Data in Transit; B6. Encrypt Data at Rest; B7. Production Data Backup; B8. Data Life Cycle Management
• IAAA: B9. Keys & Certificates management
• Scanning/Detection: B10. Vulnerability & Compliance Management
High Security Level Controls (these controls include additional controls or add-on requirements on Baseline Security controls)
• Infrastructure: H1. Additional Azure network access; H2. Additional Log Management; H3. Additional Availability Protection
• Data: H4. Additional Secure Data at Rest, in transit, in process; H5. Data Leakage Prevention
• IAAA: H6. Additional Keys management
• Scanning/Detection: H7. Pentesting on all public endpoints
Usage Terms and Conditions for Experience Center environment: No network connectivity with CIA rated Virtual Private Networks; No outbound network connectivity with Tata Steel on-premises and with Azure Private; Auto purge (limited time period, non-persistent trial workloads only); No Production Data allowed.
2. IAM, Authentication & Authorisation
Azure AD is key for SAAS/PAAS/IAAS
Hybrid Identity: Onprem AD & Cloud
synchronisation
Open Protocols
• OAuth 2.0, OpenID Connect
RBAC: Groups & Roles
3. Networking & Security
Create an even playing field
• Network peering & hybrid identity
Treat networking resources as software
• CI/CD to D, T, A & P
• Disaster recovery and scaling
Check connectivity in every way
• Mix of Internet, PAAS, VNet, OnPrem Networks
• Firewalls, NSGs
• All traffic is encrypted
• Detailed zoning via Subnets
Hub & Spoke Model
• Azure ”Private” Subscriptions & DTAP VNets (VDCxx)
[Diagram: Hub/Spoke model. Nodes shown: Management Hub, Express Route, OnPremise, Factory1, Factory2, Dev/POC, Experience Center, Legacy0, Legacy1, VDC01, Azure Public PAAS Services, INTERNET]
4. Feature Development
Wrapping the Control plane in DevOps Extensions
• For Self-Service
• Naming and tagging standards
• Instrumentation for Security, Logging, Backup, Monitoring, Malware
• Contributor rights only during pipeline execution
Infra as code
• Enables DTAP, CI/CD
• Enables Recovery and Cost Reduction
Major activity
• Avoid Bottlenecks
• Start MVP
• CCC members are coders!!
Feature examples: IoT, Databricks
5. Service & Cost Management
Self-service
Modern Service Management
• Adapt ITIL for Cloud & DevOps
• Register assets to the DevOps teams
• Azure itself is the Component Database
Tagging for Cost management
• Show-back, Chargeback
Call to Action
Determine which stage you’re in
• DIY, Service or Self Service?
Learn to apply CCC principles for your Cloud Journey
Sign up for your Deep Dive Session
https://www.capgemini.com/nl-nl/evenementen/deep-dive-session-build-your-state-of-the-art-cloud-competence-center/
Discuss a CCC approach with your Capgemini sales or Microsoft PSS
Info & Links
https://www.capgemini.com/nl-nl/evenementen/deep-dive-session-build-your-state-of-the-art-cloud-competence-center/
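The controls in the Tata Steel Security Controls Overview (F3 tagging of all resources, B3 Azure network access, B5 encrypt data in transit) and the "Standards enforced" point of the Self-Service column are the kind of guardrails that get implemented as Azure Policy. The following Python is an added example and not Tata Steel or Capgemini code: three policy rules written in Azure Policy syntax using real Microsoft.Storage aliases, plus a small re-implementation of the field/allOf/anyOf/not condition grammar so the rules can be tested offline against a constructed resource inventory. The resource document shape (type, tags, properties) and the assumption that an alias maps straight onto the properties bag are simplifications made here; in Azure the policy engine resolves aliases itself.

```python
"""Azure Policy-style guardrails evaluated offline (added example, not TSE code)."""

# Policy rules in Azure Policy syntax (the 'policyRule' body of a definition).
# Control IDs refer to the Security Controls Overview on this page.
POLICIES = {
    # F3. Tagging of all resources: deny anything without a costcenter tag.
    "F3-require-costcenter-tag": {
        "if": {"field": "tags['costcenter']", "exists": "false"},
        "then": {"effect": "deny"}},
    # B5. Encrypt data in transit: storage accounts must require HTTPS.
    "B5-storage-https-only": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true"}]},
        "then": {"effect": "deny"}},
    # B3. Azure network access (ingress): storage must not be open to all networks.
    "B3-storage-no-public-network": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny"},
                {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "equals": "true"}]}]},
        "then": {"effect": "deny"}},
}


def _lookup(resource, field):
    """Resolve a policy 'field' against a flattened resource document.

    Assumption of this example: an alias '<type>/<path>' maps onto
    resource['properties'][<path>]. Azure resolves aliases server-side.
    """
    if field == "type":
        return resource.get("type")
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2])
    rtype = resource.get("type", "")
    if rtype and field.lower().startswith(rtype.lower() + "/"):
        node = resource.get("properties", {})
        for part in field[len(rtype) + 1:].split("."):
            if not isinstance(node, dict) or part not in node:
                return None
            node = node[part]
        return node
    return None


def _norm(value):
    """Azure Policy compares strings case-insensitively; booleans read as 'true'/'false'."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return value.lower() if isinstance(value, str) else value


def _matches(resource, cond):
    """Evaluate one condition node (allOf / anyOf / not / field operators)."""
    if "allOf" in cond:
        return all(_matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not _matches(resource, cond["not"])
    value = _lookup(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in {_norm(v) for v in cond["in"]}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resources, policies=POLICIES):
    """Map each non-compliant resource name to the deny policies that fired."""
    findings = {}
    for res in resources:
        denied = [pid for pid, pol in policies.items()
                  if pol["then"]["effect"] == "deny" and _matches(res, pol["if"])]
        if denied:
            findings[res["name"]] = denied
    return findings


# Constructed inventory, not a real tenant: one compliant production account,
# one Dev/POC account that breaks all three controls, one VM for contrast.
SAMPLE_INVENTORY = [
    {"name": "stfactory1prod", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"costcenter": "F1-4711", "env": "P"},
     "properties": {"supportsHttpsTrafficOnly": True, "allowBlobPublicAccess": False,
                    "networkAcls": {"defaultAction": "Deny"}}},
    {"name": "stdevpoc", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"env": "D"},
     "properties": {"supportsHttpsTrafficOnly": False,
                    "networkAcls": {"defaultAction": "Allow"}}},
    {"name": "vm-legacy0", "type": "Microsoft.Compute/virtualMachines",
     "tags": {"costcenter": "L0-0001"}, "properties": {}},
]

if __name__ == "__main__":
    for name, ids in evaluate(SAMPLE_INVENTORY).items():
        print(name, "DENIED by", ", ".join(ids))
```

The same policyRule bodies can be handed to `az policy definition create --rules` and assigned at the Baseline subscription scope; the offline evaluator is for testing a policy set in the CCC pipeline before it is assigned, and for showing a DevOps team exactly which control rejected their deployment.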
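"Check connectivity in every way" under Networking & Security, together with zoning via subnets and NSGs in the hub-and-spoke model, is something a CCC can verify mechanically rather than by inspection. The Python below is an added example and not the presenter's code: it models NSG rule evaluation (lowest priority number first, first match wins, Azure's default inbound rules after the custom ones) and runs a constructed spoke-subnet NSG against a flow matrix, so the spoke accepts HTTPS from the hub only and nothing from other spokes or the Internet. The address plan, the rule set, and the treatment of the VirtualNetwork and Internet service tags (VirtualNetwork taken as the whole peered address plan, Internet as everything outside it) are assumptions of this example; real effective-rule evaluation also combines the subnet NSG with the NIC NSG, which is not modelled here.

```python
"""NSG reachability check for a hub-and-spoke spoke subnet (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, service tag or "*"
    destination: str   # CIDR, service tag or "*"
    dest_port: str     # "443", "1000-2000" or "*"


# Constructed address plan (assumption): hub plus two factory spokes peered via the hub.
VNET_SPACES = {"hub": "10.0.0.0/16", "factory1": "10.1.0.0/16", "factory2": "10.2.0.0/16"}
AZURE_LB = ipaddress.ip_address("168.63.129.16")   # address behind the AzureLoadBalancer tag


def _in_vnet(ip):
    return any(ip in ipaddress.ip_network(p) for p in VNET_SPACES.values())


def _address_matches(spec, ip_str):
    """Match a rule's source/destination spec against one address."""
    ip = ipaddress.ip_address(ip_str)
    tag = spec.lower()
    if spec == "*":
        return True
    if tag == "virtualnetwork":        # assumption: the whole peered address plan
        return _in_vnet(ip)
    if tag == "internet":              # assumption: anything outside the plan
        return not _in_vnet(ip)
    if tag == "azureloadbalancer":
        return ip == AZURE_LB
    return ip in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


# Azure's default inbound rules (priorities 65000-65500), evaluated after custom rules.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]

# Constructed NSG for the factory1 application subnet: HTTPS from the hub only, and an
# explicit deny for every other VNet source so the default AllowVnetInBound never applies.
FACTORY1_APP_NSG = [
    Rule("AllowHubHttpsInbound", 100, "Inbound", "Allow", "Tcp", VNET_SPACES["hub"], "*", "443"),
    Rule("DenyOtherVnetInbound", 200, "Inbound", "Deny", "*", "VirtualNetwork", "*", "*"),
] + DEFAULT_INBOUND


def decide(rules, direction, protocol, src_ip, dst_ip, dst_port) -> Tuple[str, str]:
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (_address_matches(r.source, src_ip) and _address_matches(r.destination, dst_ip)
                and _port_matches(r.dest_port, dst_port)):
            return r.access, r.name
    return "Deny", "implicit"   # not reached while the Azure default rules are present


Flow = Tuple[str, str, str, str, int]   # direction, protocol, src, dst, dst_port

# Constructed flow matrix: every path into the spoke the CCC wants checked.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "hub->factory1 tcp/443":      ("Inbound", "Tcp", "10.0.1.4", "10.1.1.4", 443),
    "hub->factory1 tcp/22":       ("Inbound", "Tcp", "10.0.1.4", "10.1.1.4", 22),
    "factory2->factory1 tcp/443": ("Inbound", "Tcp", "10.2.1.4", "10.1.1.4", 443),
    "internet->factory1 tcp/443": ("Inbound", "Tcp", "93.184.216.34", "10.1.1.4", 443),
    "azure-lb->factory1 tcp/443": ("Inbound", "Tcp", "168.63.129.16", "10.1.1.4", 443),
}


def connectivity_matrix(rules, flows) -> Dict[str, str]:
    """Verdict per named flow, the table a CCC keeps next to its NSG definitions."""
    return {name: decide(rules, *flow)[0] for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in connectivity_matrix(FACTORY1_APP_NSG, SAMPLE_FLOWS).items():
        print(f"{name:28} {verdict}")
```

Keeping the flow matrix in the same repository as the infrastructure-as-code that deploys the NSG turns "check connectivity in every way" into a pipeline step: a rule change that opens spoke-to-spoke or Internet ingress fails the matrix before it reaches the DTAP environments. The explicit DenyOtherVnetInbound rule is the important detail; without it the default AllowVnetInBound lets any peered spoke in.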