How mature is your Cloud?
Google recently shared its cloud adoption framework.
It suggests splitting your cloud adoption into particular themes (Learn, Lead, Scale, Secure) that cover sponsorship, people, processes, learning and security areas, and it also presents a maturity model for those themes.
At a high level, those maturity phases are presented like this:
And a slightly deeper dive into the maturity of these themes:
Learn:
- Tactical: Self-motivated and isolated upskilling only, using sources like online docs and YouTube. Third parties cover for general knowledge gaps and have admin access to the GCP cloud account.
- Strategic: Training classes and certifications offered to anyone interested. Hiring started for new cloud-related roles. Third parties provide specialist knowledge and have break-glass admin access.
- Transformational: Peer-to-peer culture of continuous learning through wikis, tech talks, hackathons. Updated roles and responsibilities for entire IT staff. Third parties serve as staff augmentation only, without privileged access.
Lead:
- Tactical: Cloud adoption driven by individual contributors within one project team. Collaboration with other parts of IT is difficult. Endorsement from senior management. No extra budget.
- Strategic: Cloud adoption is driven by a small cross-functional group of advocates, working across project boundaries. Collaboration outside this group is difficult. Endorsement and extra budget by C-level.
- Transformational: Autonomous project development teams. Error budgets and blameless postmortems are recognized at the C-level. Org-wide regular progress updates.
Scale:
- Tactical: All cloud resources are provisioned manually. Solutions run in long-lived VMs, and the OS must be maintained. Changes are reviewed manually, are high risk, and are deployed infrequently and manually.
- Strategic: Project foundations are provisioned from templates. Solutions run in immutable VMs or containers, and access is locked down. Changes are tested automatically, are medium risk and are deployed manually.
- Transformational: All cloud resources can be (re)created at the push of a button, within minutes. Solutions embrace serverless cloud services. Changes are constant, are low risk, and are deployed with a programmatic strategy.
A couple of my notes here. I think migration to immutable infrastructure is a very logical step right after cloud adoption. The whole concept was described in Chad Fowler’s blog and Martin Fowler’s blog: instead of patching servers that already run your code, you provision new servers, automatically deploy the code there and kill the old ones. This requires API-based infrastructure provisioning and application deployment, eliminates the need for patching and similar ops work, and represents the next level of cloud adoption maturity.
When executed properly, it provides an additional level of confidence in the DevOps and cloud space and eliminates mundane ops activities.
Secure:
- Tactical: Staff identities are provided solely by your cloud vendor IAM. Overreliance on the primitive IAM roles (owner, editor, viewer). Strong reliance on perimeter security and implicit trust inside the private network.
- Strategic: Staff identities are synced from the corporate directory. Predefined IAM roles follow the principle of least privilege. Hybrid security model, relying both on the network and application layer.
- Transformational: All service-to-service communication is authenticated and authorized. IAM policies are continuously monitored and corrected. Multiple layers of network security, from internet to VPC subnet.
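A check for the Tactical-stage symptoms listed above (primitive roles, third parties with admin access), as an added example that is not from Google's framework or from this post: it scans an IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The sample policy, the `corp.example` domain and the extra check for public members are assumptions made for illustration.

```python
import json

# Basic ("primitive") roles named in the Secure theme.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
ADMIN_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy (not real data); corp.example is an assumed domain.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@corp.example", "user:consultant@vendor.example"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["group:analysts@corp.example", "allUsers"]}
  ]
}
""")


def member_domain(member):
    """Return the e-mail domain of a 'type:name@domain' member, else None."""
    _, _, ident = member.partition(":")
    return ident.rpartition("@")[2].lower() if "@" in ident else None


def audit_policy(policy, corp_domain):
    """Return sorted (finding, role, member) tuples for one IAM policy."""
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.add(("public-access", role, member))
                continue
            if role in PRIMITIVE_ROLES:
                findings.add(("primitive-role", role, member))
            # Humans outside the corporate directory holding owner/editor.
            human = member.startswith(("user:", "group:"))
            if role in ADMIN_ROLES and human and member_domain(member) != corp_domain:
                findings.add(("external-admin", role, member))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, "corp.example"):
        print(*finding, sep="\t")
```

Run on a schedule against each project's exported policy, an empty result is one signal that the project has moved past the Tactical stage for IAM roles.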
I like this structure because it gives an easy framework for current state assessment and defines the next levels of maturity.
Personally, I think that the Lead and Learn themes are the most critical ones for cloud adoption success and are enablers for the Scale and Secure ones.
In conclusion, here is the link to the full framework from Google.
It goes into much deeper detail than I've summarized here, is easily comprehensible and will help you define your path into the cloud.