A Practitioner’s Guide – Hybrid/Multi-Cloud Adoption for the Intelligence Community
From IC Insider HashiCorp
By Jarrod Gazarek and Tim Olson
Now is the time for hybrid/multi-cloud (referred to below simply as the cloud) to work. To thrive in an era of cloud environments (C2E), organizations are evolving from ITIL-based, operator-driven workflows to dynamic, agile, hybrid/multi-platform adoption, enabling automation, integrated workflows, and shared self-service processes for DevOps. These new dynamic, multi-platform workflows are being adopted to accelerate mission readiness and increase mission effectiveness and excellence. This article focuses on essential practical approaches to effective cloud adoption, addressing some of the challenges discussed in A Leadership Guide – Multi-Cloud Success for the Intelligence Community.
Effective digital transformation practices mean adopting industrialized workflows (proven, established, systematic processes that produce consistent, repeatable, predictable, reliable, desired outcomes at scale) that can deliver new business and mission objectives and value more quickly, on demand, and at a very large scale. An increasingly popular approach to effective IT operations for cloud environments, such as C2E, is the Cloud Operating Model, which helps organizations build foundational technology today that will enable them to industrialize the application delivery process and thrive in an era of cloud computing.
While most enterprises began with one cloud provider, hybrid/multi-cloud architectures offering a wide range of services and resources are being rapidly adopted as the preferred approach to meet varying and increasing mission demands. The cloud presents an opportunity for speed and scale optimization for new “systems of engagement”—the applications built to engage mission users. For most enterprises these systems of engagement must connect to existing “systems of record” — the core business databases and internal applications, which often continue to reside on infrastructure in existing data centers. As a result, enterprises end up with a hybrid — a mix of multiple public and private cloud environments.
The challenge for most enterprises then is how to deliver these applications rapidly, securely, and with consistency while also ensuring the least possible friction across the various IT stakeholders and development teams. Compounding this challenge, the underlying primitives (traditional, established IT data center practices) have expanded and changed, encompassing disparate, complex, and competing operational models (see figure below). These complex primitives are embedded in each layer of the application delivery environment across the various static and dynamic systems.
For cloud computing to work, there needs to be consistent (often referred to as “golden”) workflows that can be reused, repeatedly and reliably, at scale across multiple environments and cloud providers. This requires:
- Consistent workflows (instruction sets) for provisioning
- Identity-based security for zero trust frameworks and secure service networking
- Privileges and rights defined so that workloads can be deployed and run in a compliant, secured manner
The essential challenge of Digital Transformation (the hybrid/multi-cloud transition) is the shift from “static” to “dynamic” infrastructures. The implication of this shift is that resources and operations are extended into the dynamic environment and then run on demand using a new set of IT primitives and control points.
Static infrastructure was designed for relatively infrequent updates to production and constant user traffic. In contrast, dynamic infrastructure — built atop APIs with cheap utility pricing — enables rapid horizontal scale and greater resiliency. Cloud-native applications take advantage of these characteristics with different architecture patterns. Each layer of the stack features a different architectural control point:
- Applications – Containers / Continuous Delivery
- Networking – Service Registry
- Security – Identity
- Infrastructure – Infrastructure as Code
Unsurprisingly, each cloud service provider offers proprietary services for these control points.
Decomposing this challenge, various changes of approach are implied:
- Provision. The infrastructure layer transitions from running dedicated servers at limited scale to a dynamic environment where organizations can easily adjust to increased demand by spinning up thousands of servers and scaling them down when not in use.
- Secure. The security layer transitions from a fundamentally “high-trust” world enforced by a strong perimeter and firewall to a “low-trust” or “zero-trust” environment with no clear or static perimeter. As a result, the foundational assumption for security shifts from being network-centric to using identity-based access to resources. This shift is highly disruptive to traditional security models.
- Connect. The networking layer transitions from being heavily dependent on the physical location and IP address of services and applications to using a dynamic registry of services for discovery, segmentation, and composition. An enterprise IT team does not have the same control over the network, or the physical locations of compute resources, and must think about service-based connectivity.
- Run. The runtime layer shifts from deploying artifacts to a static application server to deploying applications with a scheduler atop a pool of infrastructure which is provisioned on-demand.
To practically address these challenges, organizations and IT teams often ask the following questions:
- People. How can we enable a team for a cloud reality, where skills can be applied consistently regardless of target environment (addressing the skills gap)?
- Process. How do we position central IT services as a self-service enabler of speed, versus a ticket-based gatekeeper of control, while retaining compliance and governance (adopt platform centric, shared services model)?
- Tools. How do we best unlock the value of the available capabilities of the cloud providers in pursuit of better customer and business value?
Moving from the initial tactical adoption of a single cloud platform to the adoption of a fully realized industrial hybrid/multi-cloud and multi-platform environment is essential to maximize mission effectiveness and reap the benefits and value of adopting the Cloud Operating Model.
Achieving Hybrid/Multi-Cloud Success: Practical Considerations
Given the challenges of hybrid/multi-cloud, organizations are focusing on four key practices to re-position themselves for rapid and effective cloud success:
- Platform Agnostic. Move the architectural control points up and out of any one cloud service provider (CSP) and adopt an agnostic platform approach leveraging unified interfaces. Each layer of the stack (infrastructure, security, networking, and applications) is built around a new pattern (or service) establishing standardized control points for all platforms. Focus on workflows that elevate these control points outside of a specific CSP service.
- Shift to platform teams and a multi-platform mindset. Empower platform teams with the right tools to set up and enable the organization for cloud success using the multi-platform agnostic approach resulting in increased agility, flexibility, consistency and effectiveness.
- Equip enterprise teams with best-in-class cloud tools. Adopting and deploying best-in-class vendor tooling with self-managed and appropriate cloud offerings are key to achieving better outcomes across multiple clouds and assist in addressing the skills gaps across IT teams.
- Be pragmatic about vendor lock-in. Ensure the business case for portability is appropriate and understand the costs and mission impact of moving a workload from one CSP to another.
Unlocking the Cloud Operating Model: Practical Approach
As the implications of the cloud operating model impact teams across infrastructure, security, networking, and applications, there is a repeating pattern amongst enterprises of establishing central shared services — centers of excellence — to deliver the dynamic infrastructure necessary at each layer for successful application delivery. As teams deliver on each shared service, IT velocity increases.
The typical journey for unlocking the cloud operating model involves three major milestones:
- Establish cloud essentials – The first requirement for effective cloud adoption is provisioning cloud infrastructure. This is accomplished by adopting infrastructure as code (IaC) and securing it with a platform agnostic secrets management solution. These are the bare necessities for building a scalable, platform agnostic, and truly dynamic cloud architecture that is future-proof.
- Standardize on a set of shared services – As cloud consumption increases, the need to establish, implement and standardize on a set of shared services is necessary to take full advantage of what the cloud has to offer to maximize value, effectiveness, and efficiency. This also introduces challenges around governance and compliance.
- Innovate using a common logical architecture – Effective adoption of the cloud depends on the use of differing and applicable services and resources across multiple platforms and applications making the need to create a common, platform agnostic, logical architecture critical to success. This requires a control plane that connects with the extended ecosystem of cloud solutions and inherently provides advanced security and orchestration across services and multiple clouds.
These shared service layers across hybrid/multi-cloud establish and present an industrialized process for application delivery, all while taking advantage of the dynamic nature of each layer of the cloud. An industrialized approach for application/mission delivery is key to successful cloud adoption that builds on the initial tactical cloud adoption (usually use of a single cloud platform).
HashiCorp enterprise solutions enable the rapid, secure, effective, adoption of the hybrid/multi-cloud delivering increased velocity, security, consistency, and effectiveness while reducing risk, costs, vulnerabilities, and dependencies for maximum mission success.
HashiCorp Enterprise Solutions enables mission outcomes to be delivered with:
- Platform Standardization
- Automated application and infrastructure deployment (IaC)
- Self Service, No Vendor Lock-In (Platform Agnostic)
- Standardized Workflows (IaC Based)
- Efficient, repeatable, predictable, standardized deployments
- Increased accuracy with pre-approved infrastructure
- Reduced time to deployment
- Increased developer velocity and app enhancement
- Automated and Consistent Policy Enforcement
- Ensures and Enforces Compliant Deployments (lower risk)
- Minimal remediation required, rapid compliant deployments
- Greatly reduced risk; audit logging of deployments
- Automated Integration between Pipeline Components
- Rapid increase in Mission Application Capabilities
- Adoption of DevSecOps and CI/CD methodologies
Practical Adoption of Platform Agnostic Environments and Workflows
The foundation for adopting the cloud is infrastructure provisioning. HashiCorp Terraform Enterprise (Terraform) is the world’s most widely used multi-platform provisioning solution. It is used to provision infrastructure for any application using an array of providers for any target platform. Terraform is designed to integrate with many vendors, services, and tools to provide maximum flexibility and capability that enables a multi-platform provisioning solution.
Terraform is platform agnostic and enables practitioners to adopt essential infrastructure as code (IaC) capabilities across any environment, extending their skills and helping to close the ever-increasing skills gap. By adopting a standardized, platform agnostic approach, teams can build automated workflows that scale with the organization, support a wide range of mission demands, and designate the right control points to manage security, compliance, and spend. What started as infrastructure provisioning for a single cloud is now viewed as the modern approach to all multi-platform infrastructure automation. This drives increased agility and innovation by delivering mission value back to the organization.
Platform Agnostic, Hybrid/Multi-Cloud Tooling: Key Terraform Enterprise Value
Practical adoption of a platform centric approach enables support of multiple automated workflows providing organizations, mission owners, and teams/users increased flexibility of deployment options and multi-vendor integrations to meet varying mission needs. Key flexible workflows include:
- Reproducible Infrastructure as Code (IaC)
- Codification allows infrastructure provisioning to be automated, while keeping the definition human-readable and auditable.
- Accelerated innovation / time-to-mission via increased provisioning velocity
- Reduced effort for regulatory compliance around provisioning
- Reduced costs via reduction of provisioning time, and consolidation of provisioning tools
- Reduces cloud spend and consumption costs through efficient provisioning methods: rapid provisioning/deprovisioning of resources, immutable infrastructure methodologies, and policy-based cost controls
- Multi-Platform support and automated workflows reduces vendor dependencies/lock-in
- Enables CI/CD automated builds and VCS integration
- Enables flexible self-service IT
- Supports large multi-platform deployments and provides platform agnostic workflows and organizational scale allowing for greater speed and flexibility
- Compliance and Management enabling rapid, secure, mission deployment
- Integrates with multiple tools and vendors enabling flexible deployments
Platform Agnostic Security
Practical implementation of platform agnostic cloud security is a significant challenge. Dynamic cloud infrastructure means a shift from host-based identity to application-based identity, with low- or zero-trust networks across multiple environments (platforms) and no clear network perimeter. Traditionally, mission teams could rely on high-trust internal networks, which resulted in a hard shell and soft interior. With the “zero trust” approach, everything is hardened (trust nothing). This requires that applications, users, and machines/devices be explicitly authenticated and authorized to access sensitive information/data (secrets) and be tightly audited.
HashiCorp Vault Enterprise (Vault) is purposefully designed and built to solve this challenge. Vault enables mission teams to securely store and tightly control access to secrets (tokens, passwords, certificates, encryption keys, etc.) for protecting users, machines/devices and applications. This provides a comprehensive, platform agnostic, secrets management solution, from the Enterprise to the Edge.
Increasing multi-platform security, compliance, and provisioning velocity with Policy as Code (PaC)
There are thousands of policies that must be adhered to when deploying in a cloud environment, and any misconfiguration can expose a risk or vulnerability. To enable secure deployments, all of HashiCorp’s Enterprise solutions support HashiCorp Sentinel (Policy as Code, or PaC) and provide organizations with secure workflows across the cloud. Policy enforcement is built into the automated workflow and ensures that repeatable, consistent, and compliant infrastructure is deployed across a multi-platform environment. Operations teams can maintain compliant provisioning velocity while reducing the code review burden on security teams and supporting DevSecOps workflows.
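To make the policy-enforcement step concrete, here is an added example of a Sentinel policy that checks a Terraform plan before it is applied. It is written for this article and is not HashiCorp’s own code; it assumes the tfplan/v2 import that Terraform Enterprise exposes to policy checks, the AWS provider resource types aws_instance and aws_ebs_volume, and a constructed list of approved instance sizes. The two checks are the kind of misconfiguration the paragraph above refers to: an unapproved instance size (a cost/compliance control) and an unencrypted volume (a data-protection control).

```sentinel
# Added example, not from the article or HashiCorp: a Sentinel policy that
# evaluates a Terraform plan in a Terraform Enterprise policy check.
# Assumes the tfplan/v2 import and the AWS provider's aws_instance and
# aws_ebs_volume resource types.
import "tfplan/v2" as tfplan

# Constructed organizational baseline: instance sizes approved for this workspace.
allowed_instance_types = ["t3.micro", "t3.small", "t3.medium"]

# Select managed resources of one type that the plan will create or update.
# Destroys and data sources carry no meaningful "after" state to check.
planned = func(rtype) {
    return filter tfplan.resource_changes as _, rc {
        rc.type is rtype and
        rc.mode is "managed" and
        (rc.change.actions contains "create" or rc.change.actions contains "update")
    }
}

instances = planned("aws_instance")
volumes = planned("aws_ebs_volume")

# Rule 1: every planned instance uses an approved size.
# `all` over an empty collection is true, so a plan with no instances passes.
instance_types_allowed = rule {
    all instances as address, rc {
        rc.change.after.instance_type in allowed_instance_types
    }
}

# Rule 2: every planned EBS volume is encrypted at rest. An attribute that is
# still unknown at plan time is null here, and `null is true` is false, so an
# undetermined value fails the check rather than slipping through (fail closed).
volumes_encrypted = rule {
    all volumes as address, rc {
        rc.change.after.encrypted is true
    }
}

# Terraform Enterprise evaluates `main`; a false result stops the run or raises
# a warning, depending on the enforcement level set on the policy set.
main = rule {
    instance_types_allowed and
    volumes_encrypted
}
```

The policy is attached to workspaces through a policy set, and the enforcement level (advisory, soft-mandatory, or hard-mandatory) decides whether a violation only warns, blocks unless overridden, or blocks unconditionally. Keeping each control as its own named rule makes the policy check output show which control failed, which is what lets operations teams fix a plan without a security team review of every change.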
Platform Agnostic Teams, Tools, and Approaches: Integration is Key
For successful, practical, robust adoption of platform centric approaches, organizations, teams, and users need to leverage appropriate best in class tools and capabilities from multiple vendors.
All HashiCorp solutions are purposefully designed to integrate with multiple vendors’ tools and solutions to provide flexible, consistent, secure mission deployment solutions. These integrations span Terraform Enterprise providers (as listed in the Terraform Registry and shown above), CSPs, container platforms (such as Red Hat OpenShift, Rancher, and Kubernetes), version control systems (such as GitLab and GitHub), monitoring and scanning (such as Snyk and Bridgecrew via Terraform Run Tasks), data aggregation tools (such as Datadog), management and workflow tools (Splunk, ServiceNow, etc.), and many support environments. HashiCorp Vault Enterprise integrates with many vendors and well-established IT services (such as authentication solutions like LDAP, Active Directory, AWS, Azure, Oracle, and GCP) to provide a robust, flexible, secure multi-platform secrets management solution. HashiCorp has an extensive partner program and network whose primary goal is to ensure our customers can leverage the tools and technology required to meet and exceed mission needs. Some common tools and vendors include (but are not limited to):
To practically adopt a multi-platform approach that successfully leverages hybrid/multi-cloud, a common cloud operating model is an inevitable shift for enterprises aiming to maximize their digital transformation and mission delivery efforts. The HashiCorp suite of tools seeks to provide solutions for each layer of the cloud to enable enterprises to successfully make this shift and solve complex infrastructure challenges to meet mission needs. Adopting a modern enterprise cloud environment through the common cloud operating model means shifting characteristics of Enterprise IT:
- People: Shifting to cloud skills (addressing the skills gap)
- Reuse and enhance skills from internal data center management and single cloud vendors and apply them consistently in any environment.
- Process: Shifting to self-service IT
- Platform: Position Central IT as an enabling, multi-platform shared service focused on application delivery velocity
- Tools: Shifting to dynamic environments
- Use tools that support multi-platform infrastructure and support critical workflows rather than being tied to specific technologies.
- Provide policy and governance tooling to match the speed of delivery with compliance to manage risk.
The IC has an opportunity to establish effective and impactful use of hybrid/multi-cloud environments. HashiCorp and our cloud infrastructure automation tooling are purposefully built to help complex organizations successfully deliver mission outcomes at scale across any platform. Ultimately, these standardized shared services across the hybrid/multi-cloud enable an industrialized process for rapid, secure, mission application delivery.
Whitepaper: Unlocking the Cloud Operating Model
Articles by HashiCorp:
- The Multi-Cloud Era is Here
- Getting Started with Zero Trust Security
- Enabling Zero Trust at the Application Layer
- Enabling Zero Trust at the Device/Machine and Human/User Layers
- A Leadership Guide – Multi-Cloud Success for the Intelligence Community
HashiCorp is the leader in multi-cloud infrastructure automation software. The HashiCorp software suite enables organizations to adopt consistent workflows to provision, secure, connect, and run any infrastructure for any application. HashiCorp open source tools Vagrant, Packer, Terraform, Vault, Consul, and Nomad are downloaded tens of millions of times each year and are broadly adopted by the Global 2000. Enterprise versions of these products enhance the open source tools with features that promote collaboration, operations, governance, and multi-data center functionality. The company is headquartered in San Francisco and backed by Mayfield, GGV Capital, Redpoint Ventures, True Ventures, IVP, and Bessemer Venture Partners. For more information, visit www.hashicorp.com or follow HashiCorp on Twitter @HashiCorp.
About IC Insiders
IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.