ldt3208bu determining it’s value proposition in a cloud ......sample raci for defining the...

Ian Barraclough, Sr. Director Architecture & Engineering, IHS Markit

LDT3208BU

#VMworld #LDT3208BU

Determining IT’s Value Proposition in a Cloud-Based Age: Introducing the Minimal Viable Operating Model (MVOM)

VMworld 2017 Content: Not fo

r publication or distri

bution

Confidential. © 2017 IHS MarkitTM. All Rights Reserved.

#LDT3208BU CONFIDENTIAL

Copyright notice and disclaimer

2

© 2017 IHS Markit. All rights reserved. For IHS Markit clients’ use only.

These webinar slides are subject to IHS Markit copyright and are being provided to IHS Markit clients only. You are free to redistribute the

slides internally within your organization in the form as made available by IHS Markit provided that all IHS Markit legal notices and markings

are displayed. You are not permitted to reproduce, reuse, or otherwise redistribute the slides or any portion of this presentation to anyone

outside of your organization without prior written consent of IHS Markit.

This presentation is not to be construed as legal or financial advice, use of or reliance on any content is entirely at your own risk, and to the

extent permitted by law, IHS Markit shall not be liable for any errors or omissions or any loss, damage, or expense incurred by you or your

organization.



bution



IT Value Proposition in a Cloud-Based Age

3

• This presentation may be of interest to you if

> You have non IT driven flight to the public cloud

> You are struggling to have a seat at the migration table

> Your organization is stuck in the BAU hamster wheel and cannot effectively address the broader public cloud operational requirements

• This presentation will provide you with

> A broad overview of the current state and how we got here

> A methodology that you can put into action

> Several examples of how to apply the methodology to highlight technology, process and prioritization challenges

> A template to enable engineers

• This is not

> Earth shattering – it’s all motherhood and apple pie

> Prescriptive & mileage will vary based upon your organization



bution



Ian Barraclough – Sr. Director Architecture & Engineering

4

• Based in Denver, CO

• @IHS Markit for 3 years most recently running architecture, engineering and anything in the DC

• In IT since 1987

• Various industries; Insurance, Education, Media, Financial, Software, Information & Analytics

• Fingers on most IT function keyboards

• Led varied IT functions

• Focused on Architecture last 10+ years

• Personal tidbit – you know you live in a small town when your local Sheriff is also the barber on Sundays



bution



© 2017 IHS Markit. All Rights Reserved.

Serving 50,000+ customers in 140+ countries including…

Largest

global asset

managers

(50/50)

Largest

global custodians

(10/10)

G20

governments

(20/20)

Global

investment banks

(14/14)

ALL

Largest

hedge funds

(50/50)

Largest US

corporates

Largest

US banks

Largest global oil

companies

49 /50

94 /100

49 /50

of the Fortune

Global 500

of the Fortune

US 1000

Largest automobile

companies in the world

10 /10

>85% >75%



bution



Resources

Financial Markets

Consolidated

Markets & Solutions

TransportationOPERATIONAL RISK

& REGULATORY

COMPLIANCE

DIGITAL & WEB

SOLUTIONS

MARITIME

& TRADE

AEROSPACE,

DEFENSE &

SECURITY

AUTOMOTIVEENGINEERING &

PRODUCT DESIGN

ECONOMICS &

COUNTRY RISKENERGY

CHEMICALFINANCIAL

MARKETS DATA

& SERVICES

TECHNOLOGY,

MEDIA &

TELECOM

© 2017 IHS Markit. All Rights Reserved.

Addressing strategic

challenges with

interconnected areas

of expertise



bution



Lets Cut to the Chase

IT is Doomed !!!

7



bution



In Actuality There is Nothing to See Here

8



bution



9

Stage of Gestation

(Invasions & mixtures)

Age of Expansion(4 core processes)

Age of Conflict and

Crises (widening & deepening contradictions at orbital

levels)

Age of Universal Empire(expanded

reproduction of shares of global markets, influence, power,

resources)

Stage of Decline Stage of Invasions

Definitely Nothing New - Rise and Fall of EmpiresCarroll Quigley’s Cycle – Ages & Stages



bution



Rise & Falls of Note – Early Networks & SaaS

• Think back to the early networking days of DARPA & ARPANet

> Distributed engineering solutions for specific use cases

> Not efficient to run decentralized

• More recently in the Early2mid 2k’s

> SaaS market exploded

> Think Salesforce – gained market share on the premise of no IT required

> 4-5 years later IT was invited into the room as things needed to integrate and be secure

> Most shops now have operational involvement from IT

10



bution



Today’s Rise & Fall - The Rise of I/PaaS & Fall of IT?

• No IT required ….. again

11



bution



• DevOps

• CI/CD

• Agile

• ITIL

• Service Mgmt

12

Stage of Gestation

(Invasions & mixtures)

Age of Expansion

(4 core processes)

Age of Conflict

and Crises (widening & deepening contradictions at orbital levels)

Age of Universal Empire

(expanded reproduction of shares of global markets, influence, power, resources)

Stage of Decline Stage of Invasions

We are in the “Age of Conflict and Crisis”



bution



Product Lines Full Steam Ahead

13

Product teams are getting there

fast, providing value and

subsequently questioning IT’s

value



bution



IT’s Infinite Wisdom - We do it to ourselves

14



bution



Bring On The Dirty Work

15



bution



Have to Understand Why

Public Cloud Business Drivers

16

Time to Value Agility

Scalability Reliability

What we get if we take

existing practices into

public cloud….

Wild West Stuck in Process

Waste Complexity



bution



Have to Understand What? Operating Models

• We will have more than one operating model, but

likely less than a hand full

> DevOps

> Colo

> “White Glove”

• Each operating model will be clearly based upon

a RACI

• Each operating model may have slightly different

policies

• Project will define the minimum baseline

components of the operating model –non-

negotiable governance (MVOM)

17

Consistent/

Required

Consistent/

Required

Consistent/

Required

Could Vary



bution



Sample RACI For Defining the Operating Model

18

Cloud Enablement CPDS Product DevOps InfoSec IOC

Identity and Access Management

AWS Account Management

Networks and Firewalls

Cloud Network Connectivity A R I C C I

Enterprise DNS Management C A, R I C C I

AWS VPC Mangement (incl. subnets) A, R C I C C I

AWS ELB and WAF Management C C I A, R C I

SSL Certificate Management

Cloud Infrastructure

AWS Virtual Infrastructure (EC2) Management C C I A, R C I

AWS Database Administration C R* I A, R C I

AWS Application Management C C I A, R C I

Cloud Security

Cloud Application Security Compliance C C I R A I

Cloud Infrastructure Security Compliance

Application Vulnerability Scanning C C I A, R C I

System Auditing I C I A, R C I

Business Auditing I I A R C I

Service Management

AWS Application/Infrastructure Monitoring C C I A, R C C

System Availability C C C A, R I I

Synthetic Transaction Monitoring I C I C I A, R

Incident Management & Resolution I R C R R A

Discovery and Asset Management C A, R I C I I

Cloud Governance A, R C C C C I

Cost Management

Vendor Management

RI Management

Cloud Applications

Cloud Capacity Planning C C C A, R C I

Application Lifecycle Management I I C A, R I I

Service Assurance

System Disaster Recovery I C C A, R I I

Data Protection



bution



Enter MVOM

Guiding Principles

19

• Transparency - We provide visibility into the what, why, and when and operate in a way that it is

easy for others to see how actions are performed. We look to provide services in a way that

teams don’t even know they are there. They just happen and they work.

• Predictability – We strive for repeatable processes, outcomes and performance

• Customer driven – We focus on finding out what customers need and helping them to get it. At

the same time we work passionately to earn and keep customer trust

• Innovate and Simplify – We expect and require innovation but find ways to simplify. Challenge

the status quo.

• Speed matters – When appropriate, we focus on iterative delivery. Many decisions and actions

are reversible and do not need extensive study.

• Automate everything

• Policy based management, enforcement & visibility. If we can’t define a “standard” in word we

can automate, its not a policy

• We are a COTs organization and out of the box team, we are not a custom development team



bution



How? - Guard Rails

20

•Root Account Management

•Audit Trail configuration

•Access to AWS APIs

•Access to AWS console

•Account strategy

AWS Accounts

•Active Directory Integration

•Policy model

•Audit trail

Identify & Access

•Detailed showback

•Budgets and tracking

•Reserved instances

Cost Management

•Lockdown of AWS VPCs

•IP Space management

•DNS and server naming

•Firewall configuration

•Application isolation

Networks and Firewalls

•SSH User & Group Management

•Server Access

•Security Hardening

•Images

Operating System

•Monitoring integration

•Data protection

•Encryption policies

•Patching policies

AWS Service Policies

Policy-based consistent governance - Look to create consistency where applicable, and to

advance current cloud implementations where we can

•Incident

•Probem

•Change

•Config

•Asset

Service Management

•Access Management

•Encryption

•SSL

Data Protection (DB, S3, etc.)

•Firewalls and threat Protection

•Logging as a service

•Vulnerabilty Scanning Lifecycle as a Service

Security and Audit

•Database SupportApplication Support

•Application Standards

Application Management



bution



MVOM Conceptual Diagram

21

Public Cloud

IHSM Locations

SecurityServices

Customer Access

15.External Name Resolution16.Certificates

17. Domain/Name Registration18. External Monitoring

Colleague Access

External Data Feeds

Data Distribution

Authentication and

Authorization

11.SIEM12.Edge Security (WAF/IDS/

IPS?)13.End Point Security

14.Vulnerability Scanning28. Firewalls?

29. Firewall Governance included in 4?

30. Penetration Testing31. IS Risk

32. Privileged Identity Mgmt33. Identity Mgmt Automation

34. DDoS Mitigation35. SIEM Logging as a Service

Service Management

5. Event Mgmt6. Incident Mgmt

7. Cost Mgmt8. Change Mgmt9. Asset Mgmt

27. Business Service Management

1.Cloud Portal (SSO)2.Cloud Resource Authentication

22. Email 23.FTP

14. Public Feeds15.Private Feeds

“Data Center” Services

19. Internal DNS 20. Time Resolution(NTP)

21. IP Addressing24. Data Protection (Backups/Legal Holds)

25. Patching26. OS Hardening

3. Data Center Connectivity

Remote Access

4. Public Cloud Governance/Policy

(aka Standards)28. Account/Strategy

Management

*Have Offering-May need to be improved/enhanced, complete high level technical

response, assign to roadmapping*High Priority

*Medium Priority



bution



22

Account

Strategy

Tagging

StrategyShared Services

Account

Base Account

Setup

Root Account

Mgmt

IT Default

Access

Server AccessIAM

PoliciesAudit Portal Access

Business Line

ReportingRI Purchasing

Cost

Governance

Security

Services

AccountAccount

Management

Identity and

Access

Cost

Management

IP CIDR

ManagementSubnet Strategy

Data Center

Connectivity

External DNS

Management

Networks and

FirewallsInternal DNS

Management

App Isolation

Policies

Guest Security

Services

SIEM Logging as

a Service

Edge Security

Services

Vulnerability

Scanning as a

Service

Security and

Audit

Infrastructure

Monitoring

Integration

Change

Management as

a Service

Business

Service

Monitoring

Incident/Problem

Management

Service

Management

Operations

Engagement

Model

Data Protection MonitoringSecurity PatchingPolicy

Management Audit

SSL

Capabilities and Prioritization

Executive

Reporting

Operating

System

Hardening

Internal Email

ServicesFTP Services

Customer Email

ServicesRemote Access

Infrastructure

Applications

High

Medium

Low

Federated

Server Access

(Customer)



bution



Account Strategy Tagging StrategyShared Services

Account Base Account Setup

Root Account

MgmtIT Default Access

Server AccessIAM

PoliciesAudit Console Access

Business Line

ReportingRI Purchasing

Cost

Governance

Security Services

AccountAccount

Management

Identity and

Access

Cost

Management

IP CIDR

ManagementSubnet Strategy

Data Center

Connectivity

External DNS

Management

Networks and

FirewallsInternal DNS

Management

App Isolation

Policies

Guest Security

Services SIEM Logging as a Svc

Edge Security

Services

Vulnerability Scans as

a Svc

Security and

Audit

Event IntegrationChange Management

as a Service

Business Service

Monitoring

Incident/Problem

Management

Service

ManagementOperations

Engagement Model

Data Protection MonitoringSecurity PatchingPolicy

ManagementAudit

SSL

Executive Reporting

OS Hardening

Internal Email

ServicesFTP Services

Customer Email

Services

Infrastructure

Applications

PeopleTechnology-

Enabled

Ext.Federated Server

Access

Process P+P+T

PIM

Primary Component

Policy EnforcementAgent EnforcementConfig Mgmt

DB

Capabilities, Technology & Process

Remote Access



bution



Develop Customer Driven ‘Services’ via Tech Responses

24

Technical Response ID 18 – Business Service Monitoring

Description

This service provide web site monitoring for our business services to help ensure availability and consistent performance. The goal of this service should be to provide monitoring for all external facing applications. There should be a specific set of alerts and metrics that are

consistently applied for all applications or application tiers.

Business Requirements

• The solution monitors page load speed from multiple browsers

• The solution tracks web page performance from areas around the globe and provides

analytics to help determine the causes of performance degradation.

• External monitoring supports multi-step transactions.

• The solution provides a mechanism to easily create scripts. The creation can be automated, if needed based on the development team release cycles, in order to ensure that test are in sync with the code at all times.

• The solution supports rich internet applications including (Flex, HTML5, Ruby, Java and

.Net). It also supports monitoring API-enabled applications (Rest, Soap, etc)

• The solution tracks and allows for reporting of application uptime from various points around the world.

• External monitoring must integrate with the IT Event Management system.

• The solution provide self-service integration with third party devops tools, lik e DataDog, Slack, New Relic, Splunk. We must consider carefully how an integration with a devops tools impacts the possibility of alerts being generated from multiple

places.

• The solution must provide API access to performance data and uptime metrics for integration into tools like ServiceNow.

• The process for external monitoring must enable self-service where development teams need the ability to frequently make changes, but it must also enable standard business service monitoring.

• The process should also ensure that developers can have flexibility on alerts and alert levels that are generated within a specific set of guidelines.

Inventory of Dependencies/Impacts

Provide a list of all dependencies or area that may be impacted within this solution and external to this solution

Dependency Explanation Delivery Owner

Event Management The solution must be able to send alerts to the event management system for action and triage

SLA Reporting The solution must be able to provide application level up/down reporting if required for SLA reporting tools like ServiceNow

Options Currently Used/Considered

1. DotCom-Monitor

Reason for final solution selection

System (Non-Functional) Requirement Considerations

Provide an overview of the engineering response to how the System Requirements section in the Conceptual Design Document (Level 0) will be achieved.

— AvailabilityServiceLevelRequirement–Thissolutionsmustbe100%percent

reliablesinceitmonitorsourcustomer-facingproducts.Theintegrationwiththeeventmanagementsystemmustbecarefullyconsideredtohelpensurethatthisishighlyavailable.Ormultiplemethodsofescalatingalertsmustbefactoredintothedesign.

— Security–Ideallythissolutionwillsupportavarietyforauthenticationmechanisms,sothatsign-intoaproductcanbeexecutedasneeded.

— Maintainability–Thissolutionmustbesimpletomaintainandmustbeabletobe

maintainedbymultiplepeoplewithintheorganization.— Manageability–Thissolutionmustrequirealowlevelofmanagementandeasily

supportaglobaldeployment.— Scalability–Thissolutionmustglobaldeployments,considerapplicationswhichare

deployedovermultiplegeographicregionsandmustsupport100’sofproducts.

— Interoperability–Thissolutionmustbeabletointegratewithawidevarietyofdevopsproducts.Thealertsmustbeabletoprovidemetadataabouttheapplicationsothatdownstreamsystemscanusemetadataforeventrouting.



bution



Develop Customer Driven ‘Services’ via Tech Responses

25

Logical Solution Architecture

Diagram of solution to be used.

Integration Points

Provide all information for the table below. The table should have an inventory of all planned integrations.

Data Object Integration ID

Originating System

Target System

Integration Methodology

Rationale

Provide a supplemental integration diagram on the inventory above if you feel it

necessary.

Technical Decomposition

This section is used to define the initial conceptual strategy and overview of

implementation. It is the basis for all downstream discussions regarding implementation complexity.

1. Implementation Strategy

Provide a summary of the planned implementation strategy in this section. The goal of this section is to articulate a general engineering approach for the implementation of the solution. It is not designed to provide detailed

implementation direction as much as it used to provide the answer to ‘Why are we implementing this in the following technical manner?’ It is the first place to provide the clarification as to whether the solution is intended as a custom build, package solution or software as a service.

2. Component Solution Diagram

Provide a diagram or hyperlink to a diagram that can represent a full technical inventory of all components that make up a solution. It should show high level

technical interactions, but most importantly it is simply a visual representation of the Technical Architecture Inventory (see below).



bution



bution

ldt3208bu determining it’s value proposition in a cloud ......sample raci for defining the...

Documents