TRANSCRIPT
Ian Barraclough, Sr. Director Architecture & Engineering, IHS Markit
LDT3208BU
#VMworld #LDT3208BU
Determining IT’s Value Proposition in a Cloud-Based Age: Introducing the Minimal Viable Operating Model (MVOM)
VMworld 2017 Content: Not for publication or distribution
Confidential. © 2017 IHS MarkitTM. All Rights Reserved.
#LDT3208BU CONFIDENTIAL
Copyright notice and disclaimer
2
© 2017 IHS Markit. All rights reserved. For IHS Markit clients’ use only.
These webinar slides are subject to IHS Markit copyright and are being provided to IHS Markit clients only. You are free to redistribute the
slides internally within your organization in the form as made available by IHS Markit provided that all IHS Markit legal notices and markings
are displayed. You are not permitted to reproduce, reuse, or otherwise redistribute the slides or any portion of this presentation to anyone
outside of your organization without prior written consent of IHS Markit.
This presentation is not to be construed as legal or financial advice, use of or reliance on any content is entirely at your own risk, and to the
extent permitted by law, IHS Markit shall not be liable for any errors or omissions or any loss, damage, or expense incurred by you or your
organization.
IT Value Proposition in a Cloud-Based Age
3
• This presentation may be of interest to you if
> You have a non-IT-driven flight to the public cloud
> You are struggling to have a seat at the migration table
> Your organization is stuck in the BAU hamster wheel and cannot effectively address the broader public cloud operational requirements
• This presentation will provide you with
> A broad overview of the current state and how we got here
> A methodology that you can put into action
> Several examples of how to apply the methodology to highlight technology, process and prioritization challenges
> A template to enable engineers
• This is not
> Earth shattering – it’s all motherhood and apple pie
> Prescriptive & mileage will vary based upon your organization
Ian Barraclough – Sr. Director Architecture & Engineering
4
• Based in Denver, CO
• @IHS Markit for 3 years most recently running architecture, engineering and anything in the DC
• In IT since 1987
• Various industries; Insurance, Education, Media, Financial, Software, Information & Analytics
• Fingers on most IT function keyboards
• Led varied IT functions
• Focused on Architecture last 10+ years
• Personal tidbit – you know you live in a small town when your local Sheriff is also the barber on Sundays
Serving 50,000+ customers in 140+ countries including… (slide figure)
• Largest global asset managers (50/50)
• Largest global custodians (10/10)
• G20 governments (20/20)
• Global investment banks (14/14)
• Largest hedge funds (50/50)
• Largest automobile companies in the world (10/10)
• Largest US corporates, largest US banks, largest global oil companies (figures as drawn: 49/50, 94/100, 49/50)
• Of the Fortune Global 500 and of the Fortune US 1000 (figures as drawn: >85%, >75%)
(The slide marks the fully covered groups as "ALL".)
IHS Markit business areas (slide figure): Resources; Financial Markets; Consolidated Markets & Solutions; Transportation
Areas of expertise shown: Operational Risk & Regulatory Compliance; Digital & Web Solutions; Maritime & Trade; Aerospace, Defense & Security; Automotive; Engineering & Product Design; Economics & Country Risk; Energy; Chemical; Financial Markets Data & Services; Technology, Media & Telecom
Addressing strategic challenges with interconnected areas of expertise
Let's Cut to the Chase
IT is Doomed !!!
7
In Actuality There is Nothing to See Here
8
9
Definitely Nothing New - Rise and Fall of Empires – Carroll Quigley's Cycle – Ages & Stages
(Cycle diagram; stages in the order drawn)
• Stage of Gestation (Invasions & mixtures)
• Age of Expansion (4 core processes)
• Age of Conflict and Crises (widening & deepening contradictions at orbital levels)
• Age of Universal Empire (expanded reproduction of shares of global markets, influence, power, resources)
• Stage of Decline
• Stage of Invasions
Rise & Falls of Note – Early Networks & SaaS
• Think back to the early networking days of DARPA & ARPANet
> Distributed engineering solutions for specific use cases
> Not efficient to run decentralized
• More recently, in the early-to-mid 2000s
> SaaS market exploded
> Think Salesforce – gained market share on the premise of no IT required
> 4-5 years later IT was invited into the room as things needed to integrate and be secure
> Most shops now have operational involvement from IT
10
Today’s Rise & Fall - The Rise of I/PaaS & Fall of IT?
• No IT required ….. again
11
• DevOps
• CI/CD
• Agile
• ITIL
• Service Mgmt
12
We are in the "Age of Conflict and Crisis"
(Quigley cycle diagram repeated: Stage of Gestation (Invasions & mixtures); Age of Expansion (4 core processes); Age of Conflict and Crises (widening & deepening contradictions at orbital levels); Age of Universal Empire (expanded reproduction of shares of global markets, influence, power, resources); Stage of Decline; Stage of Invasions)
Product Lines Full Steam Ahead
13
Product teams are getting there fast, providing value and subsequently questioning IT's value
IT’s Infinite Wisdom - We do it to ourselves
14
Bring On The Dirty Work
15
Have to Understand Why
Public Cloud Business Drivers
16
Drivers (slide figure): Time to Value; Agility; Scalability; Reliability
What we get if we take existing practices into public cloud…: Wild West; Stuck in Process; Waste; Complexity
Have to Understand What? Operating Models
• We will have more than one operating model, but likely less than a handful
> DevOps
> Colo
> "White Glove"
• Each operating model will be clearly based upon a RACI
• Each operating model may have slightly different policies
• Project will define the minimum baseline components of the operating model – non-negotiable governance (MVOM)
17
(Side labels on the slide, as drawn: Consistent/Required; Consistent/Required; Consistent/Required; Could Vary)
Sample RACI For Defining the Operating Model
18
(Columns are the six parties on the slide; rows without letters were left unassigned on the slide. The asterisk on R* is as drawn and not explained.)

Activity                                   | Cloud Enablement | CPDS | Product | DevOps | InfoSec | IOC
Identity and Access Management
  AWS Account Management                   |                  |      |         |        |         |
Networks and Firewalls
  Cloud Network Connectivity               | A                | R    | I       | C      | C       | I
  Enterprise DNS Management                | C                | A, R | I       | C      | C       | I
  AWS VPC Management (incl. subnets)       | A, R             | C    | I       | C      | C       | I
  AWS ELB and WAF Management               | C                | C    | I       | A, R   | C       | I
  SSL Certificate Management               |                  |      |         |        |         |
Cloud Infrastructure
  AWS Virtual Infrastructure (EC2) Management | C             | C    | I       | A, R   | C       | I
  AWS Database Administration              | C                | R*   | I       | A, R   | C       | I
  AWS Application Management               | C                | C    | I       | A, R   | C       | I
Cloud Security
  Cloud Application Security Compliance    | C                | C    | I       | R      | A       | I
  Cloud Infrastructure Security Compliance |                  |      |         |        |         |
  Application Vulnerability Scanning       | C                | C    | I       | A, R   | C       | I
  System Auditing                          | I                | C    | I       | A, R   | C       | I
  Business Auditing                        | I                | I    | A       | R      | C       | I
Service Management
  AWS Application/Infrastructure Monitoring | C               | C    | I       | A, R   | C       | C
  System Availability                      | C                | C    | C       | A, R   | I       | I
  Synthetic Transaction Monitoring         | I                | C    | I       | C      | I       | A, R
  Incident Management & Resolution         | I                | R    | C       | R      | R       | A
  Discovery and Asset Management           | C                | A, R | I       | C      | I       | I
  Cloud Governance                         | A, R             | C    | C       | C      | C       | I
  Cost Management                          |                  |      |         |        |         |
  Vendor Management                        |                  |      |         |        |         |
  RI Management                            |                  |      |         |        |         |
Cloud Applications
  Cloud Capacity Planning                  | C                | C    | C       | A, R   | C       | I
  Application Lifecycle Management         | I                | I    | C       | A, R   | I       | I
Service Assurance
  System Disaster Recovery                 | I                | C    | C       | A, R   | I       | I
  Data Protection                          |                  |      |         |        |         |
Enter MVOM
Guiding Principles
19
• Transparency - We provide visibility into the what, why, and when and operate in a way that it is
easy for others to see how actions are performed. We look to provide services in a way that
teams don’t even know they are there. They just happen and they work.
• Predictability – We strive for repeatable processes, outcomes and performance
• Customer driven – We focus on finding out what customers need and helping them to get it. At
the same time we work passionately to earn and keep customer trust
• Innovate and Simplify – We expect and require innovation but find ways to simplify. Challenge
the status quo.
• Speed matters – When appropriate, we focus on iterative delivery. Many decisions and actions
are reversible and do not need extensive study.
• Automate everything
• Policy-based management, enforcement & visibility. If we can't define a "standard" in words that we can automate, it's not a policy
• We are a COTS organization and an out-of-the-box team; we are not a custom development team
How? - Guard Rails
20
Policy-based consistent governance - Look to create consistency where applicable, and to advance current cloud implementations where we can
AWS Accounts
• Root Account Management
• Audit Trail configuration
• Access to AWS APIs
• Access to AWS console
• Account strategy
Identity & Access
• Active Directory Integration
• Policy model
• Audit trail
Cost Management
• Detailed showback
• Budgets and tracking
• Reserved instances
Networks and Firewalls
• Lockdown of AWS VPCs
• IP Space management
• DNS and server naming
• Firewall configuration
• Application isolation
Operating System
• SSH User & Group Management
• Server Access
• Security Hardening
• Images
AWS Service Policies
• Monitoring integration
• Data protection
• Encryption policies
• Patching policies
Service Management
• Incident
• Problem
• Change
• Config
• Asset
Data Protection (DB, S3, etc.)
• Access Management
• Encryption
• SSL
Security and Audit
• Firewalls and threat Protection
• Logging as a service
• Vulnerability Scanning Lifecycle as a Service
Application Management
• Database Support
• Application Support
• Application Standards
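The deck's own test for a guard rail is whether it can be automated: a standard that cannot be checked by code is not a policy. As an added example (not code from the presentation or from IHS Markit), the Python below turns a handful of the guard rails listed above (audit trail, root account management, tagging for showback, encryption policy, firewall configuration) into checks run over a constructed account inventory. The inventory layout, the account id and the resource ids are assumptions made for the example; a real implementation would fill the same structure from the cloud provider's APIs and run it on a schedule so that drift shows up as findings rather than as an audit surprise.

```python
from typing import Callable, Dict, List

# Constructed snapshot of one account, shaped for this example only
# (not an AWS API response). Ids are placeholders.
SAMPLE_ACCOUNT = {
    "account_id": "111111111111",
    "cloudtrail": {"enabled": True, "multi_region": False, "log_validation": True},
    "root": {"mfa_enabled": True, "access_keys": 1},
    "required_tags": ["Owner", "CostCenter", "Environment"],
    "resources": [
        {"id": "i-0example1", "type": "ec2",
         "tags": {"Owner": "team-a", "CostCenter": "42", "Environment": "prod"}},
        {"id": "vol-0example1", "type": "ebs", "encrypted": True,
         "tags": {"Owner": "team-a", "CostCenter": "42", "Environment": "prod"}},
        {"id": "bucket-example", "type": "s3", "encrypted": False,
         "tags": {"Owner": "team-b"}},
    ],
    "security_groups": [
        {"id": "sg-0example1", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-0example2", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
}

Check = Callable[[dict], List[str]]

def check_audit_trail(acct: dict) -> List[str]:
    """Guard rail 'Audit Trail configuration': trail on, in every region, with log file validation."""
    ct = acct["cloudtrail"]
    out = []
    if not ct.get("enabled"):
        out.append("cloudtrail disabled")
    if not ct.get("multi_region"):
        out.append("cloudtrail not multi-region")
    if not ct.get("log_validation"):
        out.append("cloudtrail log file validation off")
    return out

def check_root_account(acct: dict) -> List[str]:
    """Guard rail 'Root Account Management': MFA on, no programmatic keys on root."""
    root = acct["root"]
    out = []
    if not root.get("mfa_enabled"):
        out.append("root MFA disabled")
    if root.get("access_keys", 0) > 0:
        out.append(f"root has {root['access_keys']} access key(s)")
    return out

def check_tags(acct: dict) -> List[str]:
    """Tagging strategy / detailed showback: every resource carries the required tags."""
    required = set(acct["required_tags"])
    out = []
    for res in acct["resources"]:
        missing = sorted(required - set(res.get("tags", {})))
        if missing:
            out.append(f"{res['id']} missing tags {missing}")
    return out

def check_encryption(acct: dict) -> List[str]:
    """Encryption policy: data stores (EBS, S3) encrypted at rest."""
    return [f"{res['id']} not encrypted" for res in acct["resources"]
            if res["type"] in ("ebs", "s3") and not res.get("encrypted")]

def check_admin_ports(acct: dict) -> List[str]:
    """Firewall configuration: no administrative ports reachable from the whole internet."""
    admin_ports = {22, 3389}
    return [f"{sg['id']} exposes port {rule['port']} to {rule['cidr']}"
            for sg in acct["security_groups"] for rule in sg["ingress"]
            if rule["port"] in admin_ports and rule["cidr"] == "0.0.0.0/0"]

POLICIES: Dict[str, Check] = {
    "audit_trail": check_audit_trail,
    "root_account": check_root_account,
    "tagging": check_tags,
    "encryption": check_encryption,
    "admin_ports": check_admin_ports,
}

def evaluate(acct: dict, policies: Dict[str, Check] = POLICIES) -> Dict[str, List[str]]:
    """Run every policy; return only the policies with findings (empty dict means compliant)."""
    results = {name: fn(acct) for name, fn in policies.items()}
    return {name: findings for name, findings in results.items() if findings}

if __name__ == "__main__":
    for name, findings in evaluate(SAMPLE_ACCOUNT).items():
        for finding in findings:
            print(f"[{name}] {finding}")
```

Each policy is a plain function returning a list of findings, so adding a guard rail means adding one function and one dictionary entry, and the same evaluator can be pointed at every account under the operating model.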
MVOM Conceptual Diagram
21
(Diagram residue. Regions drawn: Public Cloud; IHSM Locations; Security Services; Customer Access; Colleague Access; External Data Feeds; Data Distribution; Authentication and Authorization; Service Management; "Data Center" Services; Remote Access. The numbered capability boxes are listed below with the slide's own numbering, including its duplicate numbers and open questions.)
1. Cloud Portal (SSO)
2. Cloud Resource Authentication
3. Data Center Connectivity
4. Public Cloud Governance/Policy (aka Standards)
5. Event Mgmt
6. Incident Mgmt
7. Cost Mgmt
8. Change Mgmt
9. Asset Mgmt
11. SIEM
12. Edge Security (WAF/IDS/IPS?)
13. End Point Security
14. Vulnerability Scanning
14. Public Feeds
15. External Name Resolution
15. Private Feeds
16. Certificates
17. Domain/Name Registration
18. External Monitoring
19. Internal DNS
20. Time Resolution (NTP)
21. IP Addressing
22. Email
23. FTP
24. Data Protection (Backups/Legal Holds)
25. Patching
26. OS Hardening
27. Business Service Management
28. Firewalls?
28. Account/Strategy Management
29. Firewall Governance included in 4?
30. Penetration Testing
31. IS Risk
32. Privileged Identity Mgmt
33. Identity Mgmt Automation
34. DDoS Mitigation
35. SIEM Logging as a Service
Legend: * Have Offering – may need to be improved/enhanced, complete high-level technical response, assign to roadmapping; * High Priority; * Medium Priority
22
Capabilities and Prioritization
(Slide figure: capability boxes arranged under category headings and color-coded High / Medium / Low priority; the color coding is not recoverable from the text.)
Categories: Account Management; Identity and Access; Cost Management; Networks and Firewalls; Security and Audit; Service Management; Infrastructure; Applications
Capabilities: Account Strategy; Tagging Strategy; Shared Services Account; Base Account Setup; Root Account Mgmt; IT Default Access; Server Access; IAM Policies; Audit Portal Access; Business Line Reporting; RI Purchasing; Cost Governance; Security Services Account; IP CIDR Management; Subnet Strategy; Data Center Connectivity; External DNS Management; Internal DNS Management; App Isolation Policies; Guest Security Services; SIEM Logging as a Service; Edge Security Services; Vulnerability Scanning as a Service; Infrastructure Monitoring Integration; Change Management as a Service; Business Service Monitoring; Incident/Problem Management; Operations Engagement Model; Data Protection; Monitoring; Security Patching; Policy Management; Audit; SSL; Executive Reporting; Operating System Hardening; Internal Email Services; FTP Services; Customer Email Services; Remote Access; Federated Server Access (Customer)
Capabilities, Technology & Process
(Slide figure: the capability boxes coded by how each is delivered. Legend as drawn: People; Technology-Enabled; Process; P+P+T; Primary Component; Policy Enforcement; Agent Enforcement; Config Mgmt DB; PIM; Ext. The coding itself is not recoverable from the text.)
Categories: Account Management; Identity and Access; Cost Management; Networks and Firewalls; Security and Audit; Service Management; Infrastructure; Applications
Capabilities: Account Strategy; Tagging Strategy; Shared Services Account; Base Account Setup; Root Account Mgmt; IT Default Access; Server Access; IAM Policies; Audit Console Access; Business Line Reporting; RI Purchasing; Cost Governance; Security Services Account; IP CIDR Management; Subnet Strategy; Data Center Connectivity; External DNS Management; Internal DNS Management; App Isolation Policies; Guest Security Services; SIEM Logging as a Svc; Edge Security Services; Vulnerability Scans as a Svc; Event Integration; Change Management as a Service; Business Service Monitoring; Incident/Problem Management; Operations Engagement Model; Data Protection; Monitoring; Security Patching; Policy Management; Audit; SSL; Executive Reporting; OS Hardening; Internal Email Services; FTP Services; Customer Email Services; Remote Access; Federated Server Access
Develop Customer Driven ‘Services’ via Tech Responses
24
Technical Response ID 18 – Business Service Monitoring
Description
This service provides web site monitoring for our business services to help ensure availability and consistent performance. The goal of this service should be to provide monitoring for all external-facing applications. There should be a specific set of alerts and metrics that are consistently applied for all applications or application tiers.
Business Requirements
• The solution monitors page load speed from multiple browsers
• The solution tracks web page performance from areas around the globe and provides analytics to help determine the causes of performance degradation.
• External monitoring supports multi-step transactions.
• The solution provides a mechanism to easily create scripts. The creation can be automated, if needed, based on the development team release cycles, in order to ensure that tests are in sync with the code at all times.
• The solution supports rich internet applications (including Flex, HTML5, Ruby, Java and .Net). It also supports monitoring API-enabled applications (REST, SOAP, etc.)
• The solution tracks and allows for reporting of application uptime from various points around the world.
• External monitoring must integrate with the IT Event Management system.
• The solution provides self-service integration with third-party DevOps tools, like DataDog, Slack, New Relic, Splunk. We must consider carefully how an integration with DevOps tools impacts the possibility of alerts being generated from multiple places.
• The solution must provide API access to performance data and uptime metrics for integration into tools like ServiceNow.
• The process for external monitoring must enable self-service where development teams need the ability to frequently make changes, but it must also enable standard business service monitoring.
• The process should also ensure that developers can have flexibility on alerts and alert levels that are generated within a specific set of guidelines.
Inventory of Dependencies/Impacts
Provide a list of all dependencies or areas that may be impacted within this solution and external to this solution.
Dependency       | Explanation                                                                                                              | Delivery Owner
Event Management | The solution must be able to send alerts to the event management system for action and triage                           |
SLA Reporting    | The solution must be able to provide application-level up/down reporting if required for SLA reporting tools like ServiceNow |
Options Currently Used/Considered
1. DotCom-Monitor
Reason for final solution selection
System (Non-Functional) Requirement Considerations
Provide an overview of the engineering response to how the System Requirements section in the Conceptual Design Document (Level 0) will be achieved.
— Availability Service Level Requirement – This solution must be 100 percent reliable since it monitors our customer-facing products. The integration with the event management system must be carefully considered to help ensure that this is highly available, or multiple methods of escalating alerts must be factored into the design.
— Security – Ideally this solution will support a variety of authentication mechanisms, so that sign-in to a product can be executed as needed.
— Maintainability – This solution must be simple to maintain and must be able to be maintained by multiple people within the organization.
— Manageability – This solution must require a low level of management and easily support a global deployment.
— Scalability – This solution must support global deployments, consider applications which are deployed over multiple geographic regions and must support 100's of products.
— Interoperability – This solution must be able to integrate with a wide variety of DevOps products. The alerts must be able to provide metadata about the application so that downstream systems can use metadata for event routing.
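The requirements above say what the monitoring service must do but not what a synthetic check looks like once it is built. The Python below is an added example, not part of the technical response or of any product it names: it runs a multi-step transaction with stubbed steps (constructed results, no network calls), applies per-step latency thresholds that a product team may loosen only up to an assumed guard-rail ceiling, emits alerts carrying application metadata for downstream event routing, and computes uptime over a window of runs for SLA reporting. The transaction, app id, team and region values are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Assumed guard rail for the example: teams tune their own step thresholds,
# but never above this ceiling, and every alert goes to event management.
MAX_LATENCY_CEILING_MS = 5000.0

@dataclass
class Step:
    name: str
    run: Callable[[], Tuple[int, float]]   # returns (http_status, latency_ms)
    latency_threshold_ms: float = 2000.0   # team-tunable, capped by the ceiling

@dataclass
class Transaction:
    name: str
    app_id: str        # metadata carried on every alert so event management can route it
    owner_team: str
    region: str
    steps: List[Step]

@dataclass
class Alert:
    severity: str      # "critical" = availability, "warning" = performance
    summary: str
    metadata: dict

def effective_threshold(step: Step) -> float:
    """Developer flexibility within guidelines: the team's threshold, capped by the ceiling."""
    return min(step.latency_threshold_ms, MAX_LATENCY_CEILING_MS)

def run_transaction(txn: Transaction) -> Tuple[bool, List[Alert]]:
    """Execute the steps in order (a multi-step transaction). A failed step is an
    availability incident and stops the run; a slow step is a performance warning
    and the run continues to the next step."""
    alerts: List[Alert] = []
    for step in txn.steps:
        status, latency = step.run()
        meta = {"app_id": txn.app_id, "team": txn.owner_team, "region": txn.region,
                "step": step.name, "latency_ms": latency}
        if status >= 400:
            alerts.append(Alert("critical", f"{txn.name}: step '{step.name}' returned HTTP {status}", meta))
            return False, alerts
        limit = effective_threshold(step)
        if latency > limit:
            alerts.append(Alert("warning", f"{txn.name}: step '{step.name}' took {latency:.0f} ms (limit {limit:.0f} ms)", meta))
    return True, alerts

def uptime_percent(outcomes: List[bool]) -> float:
    """Availability over a window of transaction runs, for SLA reporting (e.g. into ServiceNow)."""
    return 100.0 * sum(outcomes) / len(outcomes) if outcomes else 0.0

# Constructed transaction with stubbed steps: two healthy steps, one slow step,
# one failing step, and one step that is never reached.
def _stub(status: int, latency_ms: float) -> Callable[[], Tuple[int, float]]:
    return lambda: (status, latency_ms)

SAMPLE_TXN = Transaction(
    name="portal-login-and-search",
    app_id="APP-0001", owner_team="product-x", region="us-east-1",   # placeholder metadata
    steps=[
        Step("load_login_page", _stub(200, 350.0)),
        Step("submit_login", _stub(200, 5600.0), latency_threshold_ms=9000.0),  # team asked for 9 s; ceiling applies
        Step("run_search", _stub(503, 120.0)),
        Step("open_result", _stub(200, 200.0)),
    ],
)

if __name__ == "__main__":
    ok, alerts = run_transaction(SAMPLE_TXN)
    print("transaction ok:", ok)
    for alert in alerts:
        print(alert.severity, alert.summary, alert.metadata)
```

On the constructed transaction the run produces one performance warning (the login step exceeds the ceiling even though the team set a looser threshold) followed by one critical alert for the failed search step, after which the remaining step is not attempted; both alerts carry the app id, team and region that the interoperability requirement asks for.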
Develop Customer Driven ‘Services’ via Tech Responses
25
Logical Solution Architecture
Diagram of solution to be used.
Integration Points
Provide all information for the table below. The table should have an inventory of all planned integrations.
Columns (template, no rows filled in on the slide): Data Object | Integration ID | Originating System | Target System | Integration Methodology | Rationale
Provide a supplemental integration diagram on the inventory above if you feel it
necessary.
Technical Decomposition
This section is used to define the initial conceptual strategy and overview of
implementation. It is the basis for all downstream discussions regarding implementation complexity.
1. Implementation Strategy
Provide a summary of the planned implementation strategy in this section. The goal of this section is to articulate a general engineering approach for the implementation of the solution. It is not designed to provide detailed implementation direction as much as it is used to provide the answer to 'Why are we implementing this in the following technical manner?' It is the first place to provide the clarification as to whether the solution is intended as a custom build, package solution or software as a service.
2. Component Solution Diagram
Provide a diagram or hyperlink to a diagram that can represent a full technical inventory of all components that make up a solution. It should show high level
technical interactions, but most importantly it is simply a visual representation of the Technical Architecture Inventory (see below).