System Design for the Next Decade
The last few years have seen a huge increase in marketing, publicity and social media postings about ‘next generation’ IT technologies, buzzwords you ‘need to know’, industry trends and how a cloud-first strategy must form part of your roadmap or business strategy. So, why the hype, why now, and what has changed?
Five years ago (or so), the adoption of any form of cloud was a leap of faith. Businesses retained hardware within their premises and made sure they had the traditional (and most basic) attributes of a secure design: a firewall to protect the business from external threats, and antivirus and e-mail scanning to prevent distributed malicious code from wreaking havoc within the network. This also led to knowledge being retained by a few individuals who may have provided some documentation, but most likely ring-fenced key information that enhanced their internal value.
IT Managers wanted to see their hardware, see their network and control their firewalls themselves. The skills required by their staff to implement and support this technology were either based on the install and setup guide or obtained through training courses, and were only ever developed or exercised in house. With the growing popularity of cloud services or Software as a Service (SaaS), some non-essential services could be trialed outside of the business perimeter, but this was normally a bolt-on component that we could set and forget.
This simplistic view of IT within the business was supported by the fact that IT is just an efficiency enabler to most businesses and the Internet a knowledge repository, and that our name or brand, within the context of global presence, meant we didn’t need to think about IT, architecture or security like other businesses, as “we can’t possibly be of interest to the cyber crime community”.
With this legacy approach to design in mind, most small to medium sized businesses were having to compromise design integrity to meet a budget, which is typically based on a cyclical hardware refresh budget that is marginally adjusted to accommodate inflation. So when the focus is to do more with less and upgrade or replace what we already have with a new version of the same design, the idiom ‘buy cheap, buy twice’ applies. For many years this cycle was always determined by performance: ‘my old system is too slow, but this new system will be really fast’.
The initial engagement with public cloud ‘design’ normally involves customers taking the principles they know from above, looking to recreate them from available server templates, and obtaining a base price. Professional services are then challenged to quote competitively against this artificial budgetary base price in an ever-growing commoditised industry.
This most likely sounds or feels familiar and that (in part) is where the problem originates.
Traditional design thinking, and phrases like ‘we have always built it that way’ or ‘we have never had a problem before’, are the reasons why external support services are essential. There is no single right answer, no ‘one size fits all’, and no silver bullet or single brand loyalty that will provide the performance benefits we always strive for and everything needed to safeguard businesses anymore. Requirements like performance or resilience are well known and understood, but most of the time statements related to security, integrity, accessibility, future proofing and compliance (with regulatory and legislative bodies) are throwaway and almost anecdotal: small features or benefits that just happen to have been included.
Today, when faced with a legacy environment that sounds like this, the most desirable approach is to start again (if possible). First and foremost, put the information you hold and the data you control (or process) at the forefront of the design process. Ask questions like:
- What is the value of the data or information we hold?
- What legal or regulatory compliance applies to our holding or processing?
- How do we ensure confidentiality, integrity and availability of the information and systems we are custodians of or that we rely on?
- Do we have the required skills to design the solution in house?
- Have we the industry knowledge of what technologies may be needed?
- Is this solution secure?
- Does this solve all of our problems tomorrow?
- How do we quantify the above?
- What are our deliverable success criteria?
Whilst the solution design and architectural considerations of a scalable infrastructure typically incorporate the same underlying principles that any correctly constructed architecture (on-premise, private, public or hybrid cloud) includes, the development of a secure, cloud and SaaS integrated solution now needs a much broader range of knowledge, skills and experience to design properly. We should also never underestimate the importance of security within this process.
Where a fresh start just isn’t practical, a good service provider will be able to make appropriate recommendations for improvement. Be careful, though, with the word ‘commodity’ within the IT industry, as this has become synonymous with cheap, fast, off-the-shelf products that we can consume. This seldom guarantees quality, confidentiality, integrity or availability. In fact, it almost explicitly excludes these to enable a lower cost of entry. Remember that when you build from commoditised components you are accountable for your own design – you can’t transfer elements of your risk because you wanted the cheapest price.
So where are we going wrong?
This is relatively easy to identify:
- We base our requirements on what we think we know without challenging why they are requirements
- Everything must be cheap; however, don’t you get what you pay for?
- Whenever we want something, we always want it now – this time pressure forces fast paced decision making which oftentimes leads to mistakes or misinterpretations
- Most fundamentally, sometimes people just don’t know what they don’t know
- What this means is, people make mistakes, technologies allow for misconfiguration and most businesses don’t have the knowledge of how to validate success against a multitude of other criteria
So what can we do about it?
Top five things:
- Take the time to fully understand your requirements and define measurable outcomes
- Start with security guidance and advice
- Partner with a trusted service provider and lean on their experience (you may be doing this for the first time, they’ll be doing this for the thousandth)
- Be realistic about the success criteria and always be mindful of:
- Identify overall success based on the achievement of your previously determined measurable outcomes
How do you know who to partner with?
- Check their pedigree: how much industry knowledge do they have and how long have they been in this technology space?
- Speak with their thought leaders
- Look for industry recognised accreditations
- Speak with their Data Centre, Infrastructure and Security teams
- Ask to see technologies ‘they’ rely on
IT used to be easy, partly because of simpler requirements, fewer choices or less knowledge, but in today’s world IT is complex, intertwined and constantly evolving. Cloud options of all varieties exist: SaaS, PaaS, in fact “everything as a service”. However, real value isn’t just in affordability, ease of use and set and forget; it is in service management, integrated and continuous security, compliance and calibrated evolution. You need a partner who tracks and monitors the technology and threat landscapes and helps move you and your technology along too.
Contact Frontline Consultancy today if you’re about to start a redesign process. We’ll be able to help…