The cloud transformation engine
Some 15 years into the cloud revolution, it’s clear that there’s tremendous value enabled by adopting cloud—more than $1 trillion just for Fortune 500 companies. Almost all of that value comes from business innovation and optimization rather than IT cost reduction. Rapid growth in cloud infrastructure spending (the top three cloud service providers reached $100 billion in combined revenue in 2020) still represents a small fraction of the global $2.4 trillion market for enterprise IT services. Capturing the potential value requires a cloud transformation engine that is made up of three mutually reinforcing and constantly evolving elements.
1. Strategy and management: Defines, shapes, and manages the overall cloud strategy and program. Includes the overall economics, an effective cloud-services architecture, a responsive operating model, and a pragmatic security and risk-management approach.
2. Business-domain adoption: Moves and transforms functionality and services from each business unit onto cloud platforms in a way that creates business value at acceptable risk and at a pace that meets the investment and benefit profile for the business domain.
3. Foundational capabilities: Establishes the cloud environments iteratively and enables the developer experience through operations and security automation that ensure service quality and efficiency as companies scale their cloud environments.

Strategy and plan
Define the business and IT value at stake and the related cloud economics for your organization.
Lessons & Considerations
Those who have succeeded think of cloud in terms of business transformation, not as an opportunity for next-gen hosting. They are relentless in identifying the value, assessing the drivers of that value, and prioritizing business domains (eg, finance, supply chain) that can generate significant value from cloud. Some $340 billion to $430 billion of value comes from rejuvenating IT (eg, cost optimization of application development and maintenance, improving resiliency, back-office digitization), while $360 billion to $770 billion is possible through innovation (eg, accelerating adoption of advanced technologies, accelerating product development and scaling, democratizing access to computing power).
Questions to Ask
- What types of benefits would be most compelling to business leaders?
- Which business domains would benefit the most from cloud platforms in terms of agility, innovation, scalability, and resiliency?
- What is the best way to engage the CEO and other members of the senior team on cloud opportunities and plans?
- How should you most effectively communicate a target state that will capture the organization’s imagination?
Lessons & Considerations
Cloud-cost economics are devilishly complicated, given scaling characteristics, sunk costs, balloon costs, and shared costs. Many companies see different teams come up with radically divergent perspectives on the relative cost of cloud versus on-premises hosting. And the scale of benefits can vary ten times between different business units and business domains.
Questions to Ask
- How do existing architectures (eg, phase-in investment life cycle) impact overall economics?
- How do plans about SaaS adoption and vendor road maps for packaged applications impact potential cloud plans?
- What economic factors in current plans would impact and potentially improve cloud business cases (eg, need to refresh systems or facilities, major re-architecture programs)?
- What are the most attractive business cases based on synthesized investments and benefits analysis?
- How can you align the value investment and risk?

Program management and value assurance
Drive relentless execution against common targets and sustain conviction.
Lessons & Considerations
Driving cloud value is a truly cross-functional program, requiring active change and participation from business leaders, developers, infrastructure managers, security, compliance and other enabling functions over two to three years. A traditional, waterfall-style program used for data-center migrations is not fit for purpose. Success requires breaking everything into a series of three- to four-month sprints, with initial sprints focused on minimum viable products (MVPs).
Related reading: How CIOs and CTOs can accelerate digital transformations through cloud platforms
Questions to Ask
- Who should lead the cloud program overall?
- Should there be a steering committee to oversee progress, and who should be on it?
- How should the cloud-program work be broken down into a set of MVPs and sprints that deliberately build on each other over time?
- What mechanisms should be used to develop objectives and key results and perform quarterly board reviews?
- How do you ensure regulator comfort with the cloud strategy?
- Do you use aggressive value-assurance concepts to manage the migration and new forms of management and measurement?

Business transformation
Identify and transform business processes required to capture value from cloud capabilities.
Lessons & Considerations
Just moving an application to the cloud by itself does not necessarily create value. It has to be combined with business perspectives on how to leverage agility, innovation, or scalability for competitive advantage or operational efficiency. This requires tight integration with business leadership to ensure cloud-transition efforts drive business value. The CEO and relevant business-unit heads must mandate people in their organizations to be product owners and provide them with decision-making authority. At the same time, business managers need to be trained in how to use cloud through advanced training programs (eg, “train the trainer”).
Related reading: Three actions CEOs can take to get value from cloud computing
Questions to Ask
- What should the roles of business leaders and tech managers be in driving cloud-enabled business transformation?
- What change-management mechanisms will drive behavioral changes required from business managers to exploit cloud-enabled opportunities?
Lessons & Considerations
Local critical mass matters in cloud migration—it is hard to have much success if some of the required systems and applications are on the cloud but a few are still on-premises. For this reason, it’s important to think about transitioning domains (a complete product, service, or function), not applications. Start with migrating one business domain and build a repeatable approach, with supporting skills, that can be rolled out domain by domain across the institution.
Questions to Ask
- What are the most important business opportunities in each priority domain, and how should you prioritize them?
- How should you map business opportunities to enabling systems, and what’s the best way to assess impact of remediation on the overall business case?
Lessons & Considerations
Poorly managed migrations can be 50 percent more expensive than those that are well managed. IT organizations tend to rely on outdated management programs for migrating to the cloud and often have an insufficient understanding of costs associated with consuming apps on the cloud. That becomes expensive quickly.
Questions to Ask
- Do you have a clear understanding of which apps should be migrated (in many cases, it doesn’t make sense to migrate an app)?
- Is your migration linked to your company’s strategy and target technical environment?

Technical deployment and migration
Specify and execute transition of workloads to cloud.
Lessons & Considerations
In the rush to move apps to the cloud, most companies have already started to accumulate technical debt. Many systems in the cloud are unstandardized, manually configured, hard to manage, and insecure. Any technical transition plan needs to account for this technical debt and take aggressive steps to reduce it, or risk running into the same inefficiencies that exist in systems that are on-premises.
Questions to Ask
- What is the unvarnished view of the current state—volumes in the cloud, configurations, processes, governance, and costs?
Lessons & Considerations
Companies face a choice between remediating applications then moving them or moving then remediating. Each option has its own trap. Remediating an application first could lead to it just staying on-premises. But moving it first could mean that the remediation simply never gets done. In many respects, this is a cultural decision, but for either option, a remediation plan and process needs to be in place.
In any event, companies must make security remediations before they move an application, even if they choose to optimize for speed and productivity once the application has already moved off-premises.
Questions to Ask
- Does it make more sense to move an application then optimize it in a cloud environment, or optimize then migrate it?
- What is the minimum set of security remediations required for migration?
Lessons & Considerations
Almost any new application can be run efficiently and securely off-premises if architected appropriately.
For existing applications, the level of remediation drives both investment and value. Transition costs to “lift and shift” an application, for example, may be only 10 percent of the application’s total cost of ownership (TCO), but costs may go up and agility may not improve at all. In contrast, containerizing an application as you move it to cloud may cost 20–60 percent of the original application’s TCO but can improve productivity by 20–30 percent and enable weekly releases.
Questions to Ask
- Are there edge cases for which new applications will be developed on-premises?
- How much remediation is needed for each type of application—optimized IaaS, containerization, or complete re-platforming?
- How should you manage latency for closely coupled applications that you move off-premises?
Lessons & Considerations
Transitioning to cloud is a discipline that benefits from putting in place processes and capabilities that can scale. Companies that invest in automation and repeatable transition processes, for example, can reduce one-time transition costs by 20–30 percent.
Questions to Ask
- Should you set up a migration factory or make each application team responsible for remediation and migration?
- How much of the migration can be automated, given existing application architectures, and what tools should be used?
- How long should migrated applications be run in parallel on-premises and in the cloud?

Cloud operating model
Define the high-level target operating model and what it means for your developers’ experience, skills needed, level of automation, sourcing approach, and governance.
Lessons & Considerations
You cannot succeed in the cloud with a traditional IT operating model because IT won’t be able to take advantage of the speed, scale, and flexibility cloud offers. Success requires changing both how IT works and how IT works with the business.
Related reading: Building a cloud-ready operating model for agility and resiliency
Related reading: How CIOs and CTOs can accelerate digital transformations through cloud platforms
Questions to Ask
- How much of your existing operations can support, enable and derive value from cloud?
- How much change can each part of the organization—business, development, infrastructure, security, enabling functions—sustain?
- To what extent can you put a common cloud-native operating model in place?
Lessons & Considerations
Make everything a product, with a stable product-funding model. Products provide business capabilities such as order capture or billing. Automated as-a-service platforms can provide underlying technology services such as data management or web hosting. This approach focuses teams on delivering a finished working product rather than isolated elements of a product. Funding should provide resources required to build underlying capabilities and remediate applications to run efficiently, effectively, and safely in the cloud and actively counter tech debt.
Questions to Ask
- How can you redesign your technology organization around product teams?
- How can you move from a project-based to a product-based technology funding model?
Lessons & Considerations
Be agile everywhere, with a strong focus on DevSecOps and engineering skill sets. Traditional infrastructure, networking, and security teams must adopt iterative ways of working and codification, utilizing modern development practices of continuous integration and delivery and ensuring cloud builds use a layered approach so changes can be applied granularly with limited dependency or impact on applications and workloads.
Related reading: Agile, reliable, secure, compliant IT: Fulfilling the promise of DevSecOps
Questions to Ask
- What should be the transition model to drive agile processes and practices across IT, not only development but also infrastructure and security?
- What functions will be performed internally—and where can service providers improve economics, provide incremental capabilities, or reduce risk?
- What engineering skill set needs to be augmented, and how do people value propositions and HR policies need to evolve to support this?

Cloud services and architecture
Define the standard patterns and underlying services required to host workloads efficiently and effectively.
Lessons & Considerations
There are a massive number of offerings from cloud service providers (CSPs) and configuration choices, which can overwhelm developers. To counter this issue, companies must create standardized cloud products that developers can consume in order to avoid unmanageable complexity and technical debt in the cloud.
Questions to Ask
- What architectural framework can be used to manage and communicate technology choices?
- What are the standard five to seven patterns that will support 90 percent of applications or workloads?
- Which domains in the architectural framework will be specific to a pattern and which will be common across patterns?
- How will you manage integration across multiple CSPs and SaaS providers for identity, telemetry, and other cross-cutting issues?
Lessons & Considerations
Given how critical developer acceptance and developer productivity will be to the overall business case—in many respects, they are the customers for cloud—it’s crucial to design the service model around developer experience. Focus on redesigning the technology delivery processes end to end, using cloud-native practices to create a “delightful” developer experience.
Related reading: Building a cloud-ready operating model for agility and resiliency
Questions to Ask
- What are the relevant developer segments, and what would a terrific experience look and feel like for each segment?
- What metrics will you use to measure developer experience and productivity?
- What developer journeys will be most important?

Cloud risk and security management
Design the target security and risk-management posture (eg, automation, security sophistication for developers, data, and tooling choices).
Lessons & Considerations
Compliance is even more complicated than security, given wide-ranging postures across an array of regulatory authorities—there is no schoolbook solution, but progress requires careful attention to regulatory guidance and extensive effort to educate relevant regulators.
Managing “policy as code” (or “security as code”) so you can fully implement DevSecOps is the only way to reconcile the imperatives for security and risk management and the imperative for speed in the cloud. Security as code defines cybersecurity policies and standards programmatically, so they can be referenced automatically in the configuration scripts used to provision cloud systems and so that systems running in the cloud can be compared to security policies.
Related reading: Security as code: The best (and maybe only) path to securing cloud applications and systems
Questions to Ask
- What degrees of freedom do relevant regulatory jurisdictions provide?
- What organizational structures, capabilities, and messaging will be required to ensure regulator comfort with the cloud strategy?
- What classifications or archetypes can be used to group applications according to business risk based on criticality, data sensitivity, or regulatory exposure?
- How do standards and control objectives differ based on the deployment model (eg, SaaS, serverless, containers as a service, IaaS)?
- How do existing policies, standards, and control objectives need to evolve (eg, for encryption at rest)?
- What new policies need to be created for the cloud environment (eg, for API gateways)?
- How much risk has already been created by existing cloud environments?
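An added example (not from the original article) of the security-as-code idea described above: one policy definition evaluated against a provisioning plan before deployment and against a snapshot of running systems afterwards. The resource kinds, archetype names, setting keys and sample data are all constructed for illustration and follow no particular cloud provider's schema.

```python
from collections import namedtuple

# Constructed policy: required settings per resource kind, plus extra
# requirements for higher-risk application archetypes (assumed names).
POLICY = {
    "storage_bucket": {
        "all": {"encryption_at_rest": True, "public_access": False},
        "critical": {"customer_managed_key": True},
    },
    "api_gateway": {
        "all": {"auth_required": True, "access_logging": True},
    },
}

Finding = namedtuple("Finding", "resource setting expected actual")

def evaluate(resources):
    """Compare resource configs to POLICY; shared by both checks below."""
    findings = []
    for res in resources:
        rules = POLICY.get(res["kind"])
        if rules is None:
            # Fail closed: a resource kind with no written policy is a finding.
            findings.append(Finding(res["name"], "kind", "covered by policy", res["kind"]))
            continue
        required = {**rules.get("all", {}), **rules.get(res["archetype"], {})}
        for setting, expected in required.items():
            actual = res["config"].get(setting)  # absent setting -> None -> fails
            if actual != expected:
                findings.append(Finding(res["name"], setting, expected, actual))
    return findings

def gate_provisioning(plan):
    """Pre-deploy check: the plan is approved only with zero findings."""
    findings = evaluate(plan)
    return (not findings, findings)

def detect_drift(inventory):
    """Post-deploy check: the same policy applied to what is actually running."""
    return evaluate(inventory)

# Constructed provisioning plan (what the configuration script intends to build).
PLAN = [
    {"name": "payments-data", "kind": "storage_bucket", "archetype": "critical",
     "config": {"encryption_at_rest": True, "public_access": False,
                "customer_managed_key": True}},
    {"name": "orders-api", "kind": "api_gateway", "archetype": "standard",
     "config": {"auth_required": True}},  # access_logging omitted
]

# Constructed inventory snapshot (running state after a manual change).
RUNNING = [
    {"name": "payments-data", "kind": "storage_bucket", "archetype": "critical",
     "config": {"encryption_at_rest": True, "public_access": True,
                "customer_managed_key": True}},
    {"name": "batch-queue", "kind": "message_queue", "archetype": "standard",
     "config": {}},
]

if __name__ == "__main__":
    approved, plan_findings = gate_provisioning(PLAN)
    print("plan approved:", approved)
    for finding in plan_findings + detect_drift(RUNNING):
        print(finding)
```

Because both checks call the same evaluator, a change to the policy takes effect at provisioning time and in drift detection together.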

Cost optimization
Build the capabilities to optimize service-mix and consumption models.
Lessons & Considerations
A major driver of value capture is transforming the approach to sourcing and consuming cloud. Choices about level of automation and types of cloud services to consume have large impacts on investments required and future-state run rate. Enterprises estimate that around 30 percent of their cloud spend is wasted. Furthermore, around 80 percent of enterprises consider managing cloud spend a challenge. A governing model is needed to continuously evaluate performance, forecast demand, and optimize costs through an IT governance structure that implements FinOps processes.
Related reading: Unlocking value: Four lessons in cloud sourcing and consumption
Questions to Ask
- What are the major types of applications and at what level will they consume cloud services (eg, serverless, container, virtual machine)?
- What trade-offs make sense in terms of access to capabilities from multiple cloud service providers versus increased implementation cost and complexity?
- How far can the operating model evolve toward automation and infrastructure as code?
- What is the risk tolerance in terms of security, compliance, and vendor lock-in, and how can risks be mitigated?
- What developer journeys will be most important?
Different starting points
Where a company begins its cloud transformation journey (the entry point) and the frequency of iterations along that journey will depend on the context, and the emphasis among the three “rings” of the cloud transformation engine will vary over time. For example:
- One business-services provider lacked the funding or alignment for a major strategic effort. So it initially focused on the business-domain-adoption loop, starting with putting workloads with large benefits from agility on cloud platforms and building foundational capabilities along the way.
- A large financial institution with very stringent security and resiliency expectations invested first in a set of foundational services that would serve as the basis for building critical workloads in the cloud.
- A biopharma company developed a granular, multiyear strategy first so it could negotiate a deal with a cloud service provider and a systems integrator that would fund its transition to the cloud at scale.
Since the three rings are mutually reinforcing, successful cloud transformations require companies to operate across all three rings in parallel. As business needs evolve, confidence increases, and richer external capabilities come to market, companies must continuously evolve their strategy, their adoption approach, and their foundational capabilities.
Case example
One major financial-services organization set an ambitious aspiration to transition more than 50 percent of its applications to the public cloud in five years in order to address resiliency, time to market, and productivity objectives. Realizing that not all business units have a need to move to the cloud at the same pace, it defined a set of different adoption archetypes that met the technical, risk, and operating-model needs of each business unit.
Rather than trying to satisfy all business units at the same time, the cloud foundation was built iteratively, focusing on releases of a minimum viable product (MVP) that could progressively support more and more complex cloud providers, landing zones, and app patterns. For example, the first cloud foundation was built on only one cloud provider, with one landing zone and three application patterns. Because the foundation was built in a modular way, however, the foundation could scale to support multicloud, multiregion deployments for critical applications.
Furthermore, this MVP approach enabled the organization to prioritize scarce cloud engineering talent into a centralized group that could build, from the beginning, the automated security and compliance capabilities crucial to operating in the cloud.