John Nelson, Director of IT-Infrastructure & Operations, Coherent
We began our journey to cloud-based applications and infrastructure in earnest with the renewal of our Microsoft Enterprise Agreement in June 2014. Like many organizations, we had piecemeal deployments of SaaS applications but no integrated strategy for ‘the cloud’. We identified noticeable operational opportunities due to Microsoft’s heavy focus on promoting their cloud capabilities for the Office 365 and Azure platforms. Throughout 2014, we looked at better ways to take advantage of our current investments and started to formulate strategic plan to shift workload off-premise, incorporating our strategic partners and solutions as effectively as possible. The resulting approach focused on three key characteristics comprising our overall on-premise and cloud strategy: Security, Infrastructure Ecosystem, and Opportunity for Disruption.
Security is a paramount component for every solution that we implement, so we focused on ensuring the we had a robust architecture based on identity and digital rights management. With Microsoft Active Directory Federation Services (ADFS), Azure Active Directory, Azure Multi-Factor Authentication (MFA), and Microsoft Intune, we developed a cohesive identity platform for Microsoft Cloud services that essentially extended our internal identity management capabilities while shrinking operational complexity, lowering costs and reducing the number of solution providers. Initially, ADFS and Azure AD provided full integration with our Microsoft Azure and Office 365 cloud tenants just like they were simply extensions of our data centers, but with some better tools for visibility into authentication and authorization activities. Over time, we plan to extend the Azure AD platform to be the portal for many if not all SaaS apps that support the SAML 2.0 standard. Azure MFA provides a flexible solution integrated directly with ADFS that allows us to ensure the identity of anyone accessing corporate resources. Intune provides us the capability to ensure the devices that access corporate date are trusted and that the data can be removed if any device becomes compromised or untrusted in any fashion.
Another component for security is the Azure RMS digital rights management platform to extend RMS externally. With this, we can apply policy to any document and ensure that data is only accessed by authorized individuals and that the authorization can be removed at any time. Currently, this is limited to a subset of Microsoft data types and PDF files but there are partners we are looking into that extend this feature set to other document types as well as build a natural workflow to ‘guide’ business users to applying appropriate policies as needed.
Developing a comprehensive plan with just one provider or solution is ineffective, so our focus has been on identifying best-of-breed products that have the potential to naturally integrate with existing solutions. For enterprise services, we have a mixed approach now with a set of core on-premise infrastructure to support business critical applications across two key data centers for redundancy in addition to cloud offerings. Decisions on workload placements are based upon detailed analysis regarding security (physical, logical, identity management, data privacy), solution effectiveness (service levels, performance, capacity, fit for business needs and , usability), operational support requirements, and cost. Like many companies, ‘natural fit’ items such as talent and performance management, CRM, and ITSM platforms were early quick wins for cloud migration. We also found that some newer capabilities, such as our custom-developed Manufacturing Execution System (MES), were simpler to build on Azure Cloud services to support a global capability. Our approach for all services now comes down to the following criteria:
• Software as a Service (SaaS) – What can SaaS application give us that we cannot build and maintain effectively ourselves (cost vs. capability)?
What risks exist with our data being managed by a third party? What types of controls do the providers have to protect our corporate information and employee privacy? How is the data being accessed and processed and by whom? Is the audience geographically dispersed? Office 365 fit all the criteria for moving core productivity applications to the cloud and is expected to significantly reduce infrastructure capital and support costs over time.
• Platform as a Service (PaaS) – What building blocks can we use to accelerate development? How does the PaaS solution reduce operational overhead? What cost, performance and/or data privacy/ management issues exist? Azure App and Database services pro¬vided us a perfect platform for developing our MES systems and will be our platform for our web presence as well.
• Infrastructure as a Service (IaaS) – Do we need new rapid development environments that the cloud can provide? How effectively and quickly can we provision a DevOps environment for existing business applications? Are costs higher or lower using IaaS? Testing out new functionality and capability on Azure VM’s has been key for us in accelerating our ability to deliver faster. In addition, StorSimple devices have reduced our backup and recovery costs and provided greater flexibility in capacity management.
• On-Premise Infrastructure and Application Services – What is the business criticality of the system? What operational and cost efficiencies are gained with an on- premise solution? Are performance and availability characteristics easier to achieve with an on-premise solution? Our Oracle environment is primarily on-premise. We have the ability to rapidly provision new development environments across both UNIX and Windows as well as provide better overall performance today.
Opportunity for Disruption
The concept of cloud services has been around for more than 20 years, arguably longer if you consider that fact that outsource providers have essentially been providing some of those services since the inception of the IBM mainframe in 1952 and EDS selling time-sharing on them starting in 1962. Companies like Salesforce, Google, and Amazon popularized the concept or purchasing time for an application or compute capability in a simple utility-like manner that earlier providers were never able to effectively achieve.
"Our focus has been on identifying best-of-breed products that have the potential to naturally integrate with existing solutions".
The number of cloud services providers continues to grow, putting pressure on the providers to innovate as well as drive prices down for services that can be commoditized (such as virtual machines and storage). Many of these new capabilities provide IT with new solutions that are completely different than existing methods force organizations to look at different ways to more effectively solve business challenges and lower operational costs. This pattern of innovation is driving commoditization of infrastructure through development of Platforms and turnkey integrated SaaS applications. Microsoft, in particular, continues to invest and innovate incloud services – both within the Office 365 and Azure spaces. Key areas we are watching are PowerBI and Cortana Analytics.
Our Cloud/On Premise hybrid strategy focuses on taking advantage of key capital investments internally as well as optimizing operational expenses for cloud services based on the value both IT and the company can realize. Identifying and monitoring new potentially disruptive solutions for business challenges helps us drive innovation. Each solution is balanced against the ability to manage cost, complexity, performance, reliability, availability and business impact. Every solution – whether on-premise, in the cloud, or a hybrid– is firmly grounded in security, ensuring systems are protected from attack, data is protected effectively, and appropriate identity management controls are in place.