Traffic Light Protocol alike Security Reference Architecture for Azure

Introduction

The way organizations categorize and handle classified information varies significantly: some use about 6 categories, others a more “limited” set of 3 to 4, and some government organizations have even tried to reduce this further in an effort to make it more accessible.

So for today, we’ll be looking at how we can handle sensitive/classified information in Azure, and how to ensure that your Azure implementations can facilitate sensitive data.

Side Story : Security should be like a roundabout

Though I don’t remember which conference talk it was, one visual has always stuck with me when talking about security: imagine security like road infrastructure. A complex situation might be needed at times, though it increases the risk that the drivers (~users) will make mistakes.

Azure Virtual Machines – Two major cost optimizations everyone should know!

Introduction

For today I’ll show you two major cost optimizations for your Azure Virtual Machines ;

  • Reserved Instances
  • Windows Licensing

As the baseline for the cost projections, I’ll be using a commonly used “D2v3”-machine (deployed in West Europe & currency set to Euro) ;

For the Cost Optimization calculations, I’ll be using VMchooser, which returns the following results ;

So what to make of this? Let’s dive into those two topics!

FaaS & Serverless – Vendor lock-in or not? Consider the cost of the full application lifecycle

Introduction

In my current role at Microsoft, I often talk about the possibilities in regards to application modernization. A typical ask in this space is what kind of service to use as an underlying platform for their own services, which commonly results in a (brief) discussion about VMs vs Containers vs Serverless/FaaS. Today’s post is about my personal take on the matter.

Setting the scene

First let’s start with setting the scene a bit… For today I’ll try to focus on the application modernization landscape, though the same goes for the data platform stack. There you can pretty much interchange “Functions” with “Data Lake Analytics” and “Containers” with “HD Insights”. We won’t go into that detail, in order to keep the post simple. 😉

When looking at the spectrum, the first thing to acknowledge is the difference in service models. Here we mainly have two service models in play ;

Azure : IT Governance in the cloud

Introduction

During the weekend I saw the following tweet passing by …

Apparently, a hosting company (allegedly) got all their data wiped by an ex-admin. Now I can imagine people thinking that this is something that is part of the territory when it boils down to cloud. So I wanted to write a blog post on what you can do to set up a governance structure in Azure. I’m aware that the above tweet relates more to the security aspect of governance, but that is part of it nevertheless.

Governance?!?

Let’s get started on our scope… IT Governance can cover a lot of ground. In essence, the goal is to assure that the investment in IT generates business value and that the risks associated with IT projects are mitigated. CIO.com has a nice definition of it ;

Simply put, it’s putting structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT’s performance. It makes sure that all stakeholders’ interests are taken into account and that processes provide measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from the investment it’s making.

So let’s take a look at how we can put an enterprise-grade structure around the management of Azure!

TL;DR = Azure Enterprise Scaffold

For those who want to skip the post below… When talking about governance in Azure, the best place that summarizes it is the following page in our documentation ; “The Azure Enterprise Scaffold”.

DevOps : What’s the impact on my ITIL/COBIT/… based shop?

Introduction

When talking to customers about DevOps, I often get the two following questions ;

  • Does this mean I have to get rid of ; ITIL / COBIT / … ?
  • Do I have to start moving people around and creating new units?

The quick answer is ; No.

A typical parable in any project methodology is ;

How do you eat an elephant? Take snack sized bites and work your way through it.

And the same goes for DevOps!

Best practices regarding the creation of an “RFP” (aka “Request for Proposal”)

The Overall Process

  • Study ; The first step… Consider what you want to achieve and what life is currently like. This might seem like a no-brainer, though you might be surprised how few organisations actually do this.
  • RFI ; So you have a great idea? Fantastic! Now compare this with what is currently seen as industry standard and which solutions are commonly positioned by vendors. My advice here is not to differ too much from the ongoing standards, unless this is really groundbreaking or market differentiating for you. In most cases, though, you are just looking to keep your business running. In the latter case, keep as close to the standard as possible.
  • RFP/RFQ ; So we know what we want, and what is possible at this point in time in the market. Let’s select the vendors from whom we want a clear-cut proposal. We’ll go into more detail about this phase later on… So don’t worry. 🙂
  • Project ; Once the selection is done and contract negotiations are (near) closed, the project can start. This usually starts with a due diligence by the vendor to check if the assumptions / constraints are still valid.
  • Operations ; A lot of people think that operations stop during this project. The reality is far from it, and that’s actually common sense! We do projects to enhance our operational baseline, but the latter is a moving target. We cannot freeze our business for half a year! So be aware of this…

Study
The first step before any project should be a “study”. Do a requirements analysis, update your views on the operational baseline and define the target of what you want to reach. Now you can do a fit-gap analysis and see what needs to be done. If the entire matter is way too big… Slice it into smaller / manageable chunks. In the past, we often saw “big bang”-projects, which have since shifted towards “Roadmaps”. In a Roadmap, the road towards the end goal is mapped via smaller / more realistic paths (projects). Together, these projects ensure that you reach your goal. Though it might be possible to put all these projects into one RFP, in most cases it is more interesting to spread them out, as your operational baseline is (with due reason!) a moving target.

RFI
Your job is mostly focused on serving your internal business processes. It is not wrong to say that you are not an expert in the sector you want to purchase from. This is not something to be ashamed of! Be aware, though, that your vendor IS an expert in the matter. During the “RFI” (“Request for Information”) you are going to study the relevant sector from which you are looking to acquire services/products. Research the products and do not be shy to invite vendors over to discuss them. Get to know their (dis)advantages and how they can serve your business. In the end… always translate certain “features” / “technologies” into basic requirements. For instance ; IT Storage projects revolve around “capacity”, “performance”, “availability” & “integration”. Thin provisioning, snapshotting, deduplication, … all revolve around “capacity”. So do not be fooled by the nice “bling bling” that vendors portray, and search for the essence of what you want to achieve. During this round, you will also define your list of requirements and selection criteria! So be sure to look for the elements that should compose these requirements/criteria.

RFP/RFQ

Phases

  • Start-up ; Invite the vendors to take part and ask them to confirm. After receiving confirmations, send the RFP to all vendors at the same time.
  • Round One ; During the first round, you will allow the vendors some time (typically one to two weeks) to process the RFP. At the end of that period, they will need to have sent all their answers to you. You will process these and provide all vendors with a list of all questions & answers. After which, you will allow them again a given period to adjust their proposal to fit these answers. After the deadline, you will do a “downselect” of the vendors to reach the number of vendors you want in round two.
  • Round Two ; When going through the answers of round one, you will notice that there are fundamental differences between vendors. Now you will adjust your requirements to align all the vendors towards one target. In addition, you will invite the vendors to explain their proposals in more detail. This will give you a more profound insight into the reality of things. At the end of this round, you will once again do a downselect to reach the last contestants (typically two or three).
  • Last Round ; At the beginning of the last round, be sure to provide the remaining vendors with a clear-cut baseline that everyone should meet. You do not want any structural differences between the parties anymore; the main focus will be on meeting the target and pricing. Clearly indicate that this should be their “Best And Final Offer” (“BAFO”), which will be presented at CxO level. At the end, choose the party which ranks the highest in relation to your selection criteria.
  • Contract negotiations ; After the selection, contract negotiations will start. In some cases, an “LOI” (“Letter of Intent”) will be signed to create a non-linear relation between the contract negotiations and the project start.
  • Project Start ; The project will start with a due diligence; Here an investigation will be done by the vendor to check if all the assumptions made (and agreed upon) are valid. After which the project will kick-off!

Be aware that these kinds of processes can take up to half a year! So be sure to initiate them with ample time left before your deadline. Also be aware that these things will have delays, and in most cases they are caused by yourself! You still have your regular job to do… and you will get questions that you did not consider and need time to analyze.

RFP/RFQ Document Contents
So how should a typical RFP/RFQ document look?

  • Management Summary ; Create a one-pager for executives from the vendors to read through.
  • Context ; Why do you launch this RFP/RFQ? Provide an insight into your way of working/environment. How does this project interact with it?
  • Timing ; Set up a clear timing table. Each phase should have a clear deadline… An RFP/RFQ is a project, so be sure to manage it like a project. This is also important for the vendors to allocate resources towards the process of answering the proposal. It is in your best interest to ensure that they can prepare themselves properly.
  • Selection Criteria ; Always use (and communicate!) selection criteria. You, and the vendors, should know how you will score their proposals and make the final selection. Be aware that these will become the core driver for the proposals! If you hand out more than 50% on price, then you will get skimmed-down offers.
  • Requirements & Product/Service/Project Definition ; Apart from the selection criteria, also be aware that the vendor will provide you the most slim answer to meet your requirements. So if you didn’t define it, you will not receive it! Do not assume anything… This might again look like a no-brainer, though… 😦
  • Constraints ; Actually, these can also be considered requirements… Yet be sure to state that a vendor should take certain constraints into account. Do you require a certain transition / honeymoon period? Do their employees need to have NATO-clearance, …
  • Pricing Table ; You do not want all vendors to provide their own pricing table… You will not be able to compare apples with oranges. So provide your own pricing table and adjust it according to the feedback from each round. In fact, your RFI phase should have already provided you with ample information to create a pretty stable pricing sheet.

IT Budget : Run, Grow & Transform

One method of coping with your IT budget is by working with the “Run, Grow & Transform – Your business”-model. In essence it has you categorize your budget into three areas.


Run covers the general day to day expenses of keeping the IT infrastructure running. Actually, this is your “SIB” (“Stay In Business”). Think in terms of lifecycle management and the human resource costs to maintain your environment.

Grow covers the expenses for expansion of services or growth of the company. Things like extending your virtualization or storage farm probably fall under this category. This budget aims to help the organization introduce new capabilities or improve existing ones.

And Transform covers the costs made to change the nature of your business. Here you should think of things like implementing a shopfloor system when coming from a paper workflow within an industry. These initiatives might seek to identify, for example, the right technologies for new organizational capabilities; fundamental changes to business processes; or a new product or service offering.


When managing a budget in this manner, you should be able to secure your full “Run” budget and a part of the “Grow” budget. If you fail to do so, then you have lost the confidence of your board. This part of the budget is in reality the minimal level you need to stay on par. A lower level will force you to start phasing out services from your service catalog!

Organizations that have to trim IT budgets should avoid cutting Run initiatives. Such cuts would introduce operational risk. If an organization already is going through a tough stretch, the last thing it needs is a server, application or network failure. This really is your “Stay in Business” IT budget.

Grow budget items should tie directly to the organization’s strategic initiatives. These initiatives usually are not as mission critical as Run initiatives and often have some time flexibility, which means that they are good candidates for starting early when additional cash is available, or for deferral if cash is tight.

When finances are tight, transform initiatives often are the first to be cut or deferred—unless they are associated with key strategic initiatives that the organization views as essential to its continued operation. Even if the organization doesn’t deem certain Transform initiatives immediately essential, care should be taken when considering cutting or deferring them. That’s because Transform initiatives often are key to the organization’s long-term health. Failure to provide adequate resources to Transform initiatives can stunt an organization’s future success.

Why do we need “IT”?

In today’s world we cannot imagine our day to day lives without technology. This reaches from our personal to our professional experience. At a given point, I posed myself the question ;

“What business benefit does IT bring to the table?”

We have sales that makes sure prospects become customers and makes sure that they stay with us. Production creates the product, supply chain optimizes the processes between vendors, … and so on.


After pondering about it, I came to the conclusion that there are two benefits ;

Acceleration
Some call it “Time to market”, others say “Speed of execution”, … But feel free to name it any way you want. In essence, the ability to change quickly is where IT needs to prevail. If IT becomes a bottleneck for the organization, then it has lost its main function. And here we see one of the basic reasons why some IT departments are losing the fight for budget. If you are a bottleneck for the company, why should it invest in “you”?

Scalability
IT prevails in automation, and automation wins when an economy of scale is at hand. When a company is expanding its operations, IT will be there to make sure that the costs do not grow exponentially. That is why IT is more native to enterprises and still a bit awkward to small business owners.

Insight on “Gartner 2013 : Top 10 Strategic Technology Trends”

Source : Gartner Identifies the Top 10 Strategic Technology Trends for 2013

Gartner released their Top 10 Strategic Technology Trends of 2013. Here’s my insight on the relation / impact towards the Benelux market.

Mobile Device Battles
This battle will continue! Where it used to be Apple versus Google… We now see Microsoft coming up with a competitive offering. Here my opinion is that the true battle for the Benelux enterprise market lies between Apple and Microsoft.

Mobile Applications and HTML5
When one takes a look at the “App Stores”, “App Markets”, etc… You’ll notice that most “apps” are essentially frameworks to connect to back-end web services. This way the providers can reuse a lot of their logic for different clients. So I totally follow the vision of Gartner that web interfaces with a low technology impact on the client will be the way of the future.

Personal Cloud
Not sure about this one… People are still very reluctant to bearing costs. Yet the cloud needs to get financed. So where the need is there, I don’t think the wallet will follow.

Enterprise App Stores
Before we get here… I would hope that companies get thinking about a service catalog. That way they would not blindly follow technology, and get things aligned between IT and business.

The Internet of Things
Everything connected! Every device is getting some kind of connectivity towards the network. So I totally follow this vision from Gartner.

Hybrid IT and Cloud Computing
Next year (2013) will be a very harsh year for a lot of companies within the Benelux. Many vendors are repeating (and repeating) the “Cloud”-mantra to a lot of customers/prospects. Time and time again they say that “THE cloud” will reduce the costs of the IT organization. Yet the reality is far from it! Cloud services have a lot of benefits, yet reducing costs is mostly not one of them. Adding functionality is more the thing, yet reducing costs can only be done by reducing services/functionality. In my honest opinion, the only way organizations can reduce costs is to identify (and catalog!) their services. This list can become an argumentation internally in order to justify the IT costs and a possible starting point to discuss (un)needed services.

Strategic Big Data
I think this is valid for the “Fortune 500”, yet the Benelux market is far too small for this. Some niche players may have a specific need for this (telecom, banking, … marketing agencies), yet most industry / service companies can surely do without.

Actionable Analytics
Analytics is the way to go if you want to optimize your business! Whether it’s an internal department looking to optimize its costs, or the general business looking to go “lean & mean”… How can one optimize, if one does not know how things are running? You cannot compare things without having a monitoring system.

In Memory Computing
This sounds too much like the “noSQL”-movement from last year. Whilst it sounds very nice, most Belgian companies are way too traditional for such technologies. This is mostly due to the fact that no transactional state can be guaranteed…

Integrated Ecosystems
Many companies are noticing that the cloud solutions they have engaged in are islands on their own. Identity management and federation services will move towards this need… Such systems will be able to integrate several islands into one logical system for the user. This as the 5+ passwords to remember are getting a bit too much.

Why IT shouldn’t be run as a business…

Need an out-of-the-box opinion on running IT? Check “Infoworld’s Run IT as a business — why that’s a train wreck waiting to happen”…

Intro

“If you board the wrong train, it’s no use running along the corridor in the other direction,” said famed World War II German resistance fighter Dietrich Bonhoeffer. We in IT boarded the wrong train a long time ago. It’s the “standard model” of information technology organizations — the familiar litany that says CIOs should run IT as a business [1], meeting the requirements of its internal customers. This refrain has been endorsed by our holy trinity, too: analyst firms, most consultancies, and ITIL.

Some strong quotes

  • There are no IT projects : He likens IT’s proper role to that of an engineer designing a car. “It doesn’t matter if the ‘customer’ asks for the horn on the backseat. Placing it there would meet the specs and ‘satisfy requirements.’ It would also defeat the usability of the horn, render driving the car dangerous, and could lead to a crash that ruins the whole effort.”
  • Chargebacks? No! Governance… : Chargebacks are an attempt to use market forces to regulate the supply and demand for IT services. If that’s the best a business can do, it means the business has no strategy, no plans, and no intentional way to turn ideas into action.
  • So what should we do? : Nobody in IT should ever say, “You’re my customer and my job is to make sure you’re satisfied,” or ask, “What do you want me to do?” Instead, they should say, “My job is to help you and the company succeed,” followed by “Show me how you do things now,” and “Let’s figure out a better way of getting this done.”