《谷歌云：2024Google Cloud人工智能應用框架白皮書（英文版）（35頁）.pdf》由會員分享，可在線閱讀，更多相關《谷歌云：2024Google Cloud人工智能應用框架白皮書（英文版）（35頁）.pdf（35頁珍藏版）》請在三個皮匠報告上搜索。

1、The Google Cloud Adoption FrameworkTable of ContentsPart 1:Executive summaryA unified approach to the cloud .2Four themes,three phasesThe Cloud Maturity ScaleFine-tuning your direction with epicsThe Google Cloud Adoption FrameworkGetting started .8Part 2:Technical deep-diveIntroduction .11The cloud

2、maturity phases .11Tactical maturityStrategic maturityTransformational maturityThe cloud maturity scale .14LearnLeadScaleSecureThe epics .27Executive Summary Part 1:Google Cloud Adoption FrameworkA unified approach to the cloudMoving to the cloud offers enormous benefits for businesses.Yet there are

3、 risks as well.The challenge is multidimensional,with far-reaching implications not just for the solutions that will run in the cloud,but also for the technologies that support them,the people who need to implement them,and the processes that govern them.The rubric of people,process,and technology i

4、s a familiar one.But how do you harness it to move forward?As one of the earliest organizations to operate entirely in the cloud,Google has been spearheading projects for years that address this very issue from leadership and people management best practices like re:Work,to engineering-driven softwa

5、re operations methodolo-gies like Site Reliability Engineering,to zero-trust security models like BeyondCorp.It is from work such as this that weve developed a streamlined framework for adopting the cloud.The Google Cloud Adoption Framework builds a structure on the rubric of people,process,and tech

6、nology that you can work with,providing a solid assessment of where you are in your journey to the cloud and actionable programs that get you to where you want to be.Its informed by Googles own evolution in the cloud and many years of experience helping customers.You can use the framework yourself t

7、o make an assessment of your organizations readiness for the cloud and what youll need to do to fill in the gaps and develop new competencies.If youd like a partner on that journey,were here for you.We can help you develop a solid strategy and guide you through the process so that youre capitalizing

8、 on all that the cloud has to offer,driving the innovation you need to streamline internal operations and scale your brand.But whether or not we accompany you on the journey,our framework can help you find your way,from your first project all the way to becoming a cloud-first organization.Take it,us

9、e it,and move forward to the cloud with confidence.You can use the framework yourself to make an assessment of your organizations readiness for the cloud2Four themes,three phasesTo truly develop a cloud-first organization,there are four realms(we call them themes1)you will need to excel in whatever

10、your business objectives.These four themes define the foundation of cloud readiness:Learn:The quality and scale of the learning programs you have in place to upskill your technical teams,and your ability to augment your IT staff with experienced partners.Who is engaged?How widespread is that engagem

11、ent?How concerted is the effort?How effective are the results?Lead:The extent to which IT teams are supported by a mandate from leadership to migrate to cloud,and the degree to which the teams themselves are cross-functional,collaborative,and self-motivated.How are the teams structured?Have they got

12、 executive sponsorship?How are cloud projects budgeted,governed,assessed?Scale:The extent to which you use cloud-native services that reduce operational over-head and automate manual processes and policies.How are cloud-based services provisioned?How is capacity for workloads allocated?How are appli

13、cation updates managed?Secure:The capability to protect your services from unauthorized and inappropriate access with a multilayered,identity-centric security model.Dependent also on the advanced maturity of the other three themes.What controls are in place?What technolo-gies used?What strategies go

14、vern the whole?31 See Stories versus Themes versus Epics to learn more about agile taxonomy.Your readiness for success in the cloud is determined by your current business practices in each of these four themes.For each theme,those practices will fall into one of the following phases:Tactical:Individ

15、ual workloads are in place,but no coherent plan encompassing all of them with a strategy for building out to the future.The focus is on reducing the cost of discrete systems and on getting to the cloud with minimal disruption.The wins are quick,but there is no provision for scale.Strategic:A broader

16、 vision governs individual workloads,which are designed and devel-oped with an eye to future needs and scale.You have begun to embrace change,and the people and processes portion of the equa-tion are now involved.IT teams are both efficient and effective,increasing the value of harnessing the cloud

17、for your business operations.Transformational:With cloud operations functioning smoothly,youve turned your attention to integrating the data and insights garnered from working now in the cloud.Existing data is transparently shared.New data is collected and analyzed.The predictive and prescriptive an

18、alytics of machine learning applied.Your people and processes are being transformed,which further supports the technological changes.IT is no longer a cost center,but has become instead a partner to the business.In the tactical phase,you are reducing costs with a quick return on investment and littl

19、e disruption to your IT organization.This is a short-term goal.In the strategic phase,you increase the value delivered by your IT organization by streamlining operations to be both more efficient and more effective.This is a mid-term goal.In the transformational phase,your IT organization becomes an

20、 engine of innovation,making it a partner to the business.This is a long-term goal.4The Cloud Maturity ScaleWhen you evaluate the four themes in terms of the three phases,you get the Cloud Maturity Scale.In each of the themes,you can see what happens when you move from adopting new technologies ad h

21、oc,to working with them more and more strategically across the organization which naturally means deeper,more comprehensive,and more consistent training for your people,which in turn means streamlined and updated processes,which in its turn drives innovation.The whole organization gradually transfor

22、ms.When you are fully invested in the cloud,fully harnessing its capabilities,you are then a cloud-first organization.5LearnSecureFear of publicinternet,but trust inprivate networkCentral identity,hybrid networkTrust only the rightpeople,devices,and servicesScaleChange is slow andrisky,ops heavyTemp

23、lates ensuregood governancewithout manualreviewLeadTeams by function,heroic projectmanagerNewcross-functionalcloud teamCross-functionalfeature teams,greater autonomyTacticalStrategicTransformationalFine-tuning your direction with epicsOnce youve determined where you are in your cloud maturity journe

24、y,its time to move forward.To scope and structure your program of cloud adoption,you will implement a number of workstreams(which we call epics2).The epics are defined so that they do not overlap,they are aligned to manageable groups of stakeholders,and they can be further broken down into individua

25、l user stories,making your program planning easier.Heres a look at those epics within the familiar rubric of people,technology,and process.If you can do only a subset of the epics,focus on the ones in the colored segments.Those are the epics that align with Learn,Lead,Scale,and Secure;and so those a

26、re the epics that will define your journey to successful cloud adoption.62 See Stories versus Themes versus Epics to learn more about agile taxonomy.NetworkingBehaviorsCommunicationPeople OperationsIdentity&AccessSponsorshipUpskillingExternalExperienceArchitectureInfra as CodeCI/CDTeam-workData Mgmt

27、.Resource Mgmt.InstrumentationIncident Mgmt.Cost ControlPeopleProcessTechnologyThe Google Cloud Adoption FrameworkAnd those are the three components of the framework Google Cloud uses to guide customers seam-lessly to the cloud:the three maturity phases applied to the four cloud adoption themes,and

28、the epics.With the Cloud Maturity Scale,you determine where you are in your journey to the cloud.With the epics,you devise a way to get to where youd like to be.You can use the maturity scale and the epics with any cloud provider,of course:the framework is technology agnostic.But if youd like to ens

29、ure success,you might consider engaging Google Cloud to be your guide.Working with a Technical Account Manager(TAM),you can perform a high-level assessment of your organizations cloud maturity,which will tell you how to prioritize your training and change management programs,your partner relationshi

30、ps,your cloud operating model,and your secure account configuration.The Adoption Framework streamlines your journey to successfully adopting the cloud.Working within the framework,a TAM can guide you along that journey,from your first cloud project to becoming a fully cloud-first organization.7Learn

31、SecureScaleLeadTacticalStrategicTransformationalGetting startedThe details in the technical deep-dive spell out the foundation for moving forward,but at a high level,the process looks like this.Assess your current cloud maturityIntroduce your stakeholders to the four cloud adoption themes,that is,to

32、 your teams ability to continuously learn,effectively lead,effi-ciently scale,and comprehensively secure in the cloud.Use the summary tables provided for each theme in the technical deep-dive as a reference for discussion.Consider assessing all attributes in the form of a survey for stakeholders to

33、fill out.Ask yourself how far you want to goDiscuss within your team which stage of cloud maturity your business should aim for.Chances are that,to begin with,stakeholders across different levels of your IT organization will not be aligned and that theyll point out that the incentives vs.risks dont

34、yet match their aspirations.Consider focusing on tactical objectives in the near term to serve as a stepping stone for later strategic or long-term transfor-mational objectives.Plan your cloud adoption programTake action on any cloud adoption epic for which youve identified a gap and pay particular

35、attention to the epics that live inside the cloud adoption themes.Keep in mind that your actions are a means to one of four ends:developing a training program,devising your change management program,designing your cloud operating model,or securely setting up your Google Cloud Platform(GCP)account.8T

36、rainingProgramProcessCloudOperating ModelChange ManagementProgramPeopleSecureAccount SetupTechnologyFind the right workloadsEven the greatest degree of cloud maturity is inconsequential without critical workloads in production in the cloud.Start with simple,non-business-critical applications to deve

37、lop the muscles and confidence in your cloud competencies.As you develop your organizations abilities to learn,to lead,to scale,and to secure,you should also be ready to tackle more complex and critical applications in lockstep.Should you begin with workloads?Or with a cloud operating model?A startu

38、p company may have a bias toward action,putting workloads into production quickly and assuming greater operational risk in return.An enterprise with a top-down cloud adoption approach may prefer to first invest in a cloud operating model and playbooks before any workloads are deployed in the cloud.W

39、hich workloads and when are up to you.As you develop your organizations abilities to learn,to lead,to scale,and to secure,you should also be ready to tackle more complex and critical applica-tions in lockstep 9Technical deep-diveGoogle Cloud Adoption FrameworkPart 2:IntroductionThe move to the cloud

40、 can be arduous unless you plan well from the beginning.The Adoption Framework helps you with that planning.The framework comprises the Cloud Maturity Scale,which enables you to analyze where you are now in your journey to the cloud,and the epics,which help you organize how you will get to where you

41、d like to be.The Cloud Maturity Scale measures your organizations readiness for the cloud by considering your current business practices(which it classifies into one of three phases)across four themes.The epics chunk the actions you will need to take into discrete,and discretely measurable,workloads

42、 that map to the same four themes.The Adoption Framework is derived from Googles experience of helping hundreds of customers make their way to the cloud.By working within the framework,you can ensure that you are making the right choices,both now for current workloads and with an eye to the future,s

43、o that the investments you make today continue to serve you well as you move more and more operations to the cloud.By working within the framework,in other words,you make the most of your resources from that first workload on.The cloud maturity phasesThe Cloud Maturity Scale is based upon the three

44、phases of cloud maturity,as they apply to the cloud adoption capabilities(that is,the themes)you will need to master.These three phases apply to any businesss journey to the cloud,and they are defined by the business practices current at the time:11TacticalStrategicTransformationalBusinesses that ma

45、ke the most of the cloud businesses that use the cloud to drive innovation are businesses that work towards the transformational phase,which is a long-term goal.But you will achieve short-term successes at the tactical and mid-term successes at the strategic phases as well,and in fact each of those

46、two phases is necessary and useful.Looking more closely at those phases makes clearer the benefits of each,and the way that one phase prepares the way for the next.Tactical maturityTactical cloud adoption can achieve the short-term business objective of optimizing cost within your existing IT soluti

47、ons,for example,by optimizing heavily underutilized compute and storage resources or by removing the operational overhead and delay of manually procuring and provisioning resources.As an organization with tactical cloud objectives,you look to execute projects with minimal change to your IT teams(peo

48、ple),your applica-tions and software tools(technology),and your operating model(process).This is an important phase in the journey to making the most of the cloud,and it should not be undervalued.The benefits of a tactical degree of cloud maturity are contingent on the outcome of your total cost of

49、ownership(TCO)analysis3.Should you anticipate only marginal cost benefits from this approach,you may regard your cloud adoption merely as a lateral move and be tempted to aim straight for the strategic phase.Be cautious of making this leap if your business does not already have firsthand experience

50、running production use cases in the cloud today.Just as there is a cost to moving to cloud,there is also great value in the lessons learned through experimentation.The tactical phase lays the foundation for the work you will do in the strategic phase.As an organization with tactical cloud objectives

51、,you look to execute projects with minimal change123 As discussed in McKinsey:Cloud adoption to accelerate IT modernization and True Cloud Justification:Moving Beyond TCO Savings.Strategic maturityA strategic degree of cloud maturity is sufficient to achieve the mid-term business objective of increa

52、sing value delivered by your IT organization.This level is achieved by noticeably improving the effi-cacy and efficiency with which IT teams develop and operate software solutions,as well as by modernizing the architectures of those solutions to take advantage of cloud-native services and platforms.

53、As an organization with strategic cloud objectives,you will likely implement some degree of change to your IT teams(people),your applications and software tools(technology),and your operating model(process).This change can be limited to an isolated part of your IT organization and still be effective

54、,providing a blueprint and early success stories that can be expanded when the IT organization is ready for comprehensive,transformational change.Transformational maturityA transformational degree of cloud maturity is necessary to achieve the long-term business objective of reforming your IT into a

55、sustain-able engine of innovation that powers your business transformation.Rather than a cost center,IT is now a partner to the business.An innovation centers key contribution to the business is the data and insights derived from the transparent and thoughtful sharing of existing data,the collection

56、 and analysis of new data(for example,sentiment,image,voice),and the application of predictive and pre-scriptive analytics(machine learning).You should also apply this data-driven approach to your IT organization itself,iterating on new features in a truly agile fashion,accelerating the speed at whi

57、ch you can deliver innovation.As an organization with transformational cloud objectives,you face the prospect of comprehensively reorganizing your IT organization.Concretely,this means facilitating greater lateral awareness and knowledge exchange and empowering individual contributors or project tea

58、ms to make more decisions13A strategic degree of cloud maturity achieves the mid-term business objective of increasing value delivered by your IT organizationAs an organization with transformational cloud objectives,you face the prospect of comprehensively reorganizing your ITautonomously,measured a

59、gainst agreed-upon service-level objec-tives(SLOs).You take a cloud-first position,in which cloud-based services and best practices are the new norm.To support that,you reward experimentation and individual initiative,even in the event of failure,and understand how to reasonably price the value of w

60、hat is being learned against the cost incurred by your cloud hosting bill.The Cloud Maturity ScaleBringing the three phases of cloud maturity to bear on the four themes of cloud adoption results in the Cloud Maturity Scale,a pow-erful tool for assessing where you are in your journey to the cloud.It

61、does this by measuring your current practices against the known foundations for success.If you make the investment into these foun-dations from the start,you will be supporting your organizations ability to support increasingly ambitious business objectives,complex software solutions,and cloud-nativ

62、e architectures.In other words,you will be supporting your organizations journey to transformational cloud maturity.At this phase,your organization will have mastered the ability to continuously learn,to effectively lead,to efficiently scale,and to comprehensively secure.Getting to that point involv

63、es planning and successes at the two phases preceding.To ensure youre focusing your efforts on the most impactful areas,youll want to understand the four themes in depth,with attributes illustrating how each evolves over time across the tactical,strategic,and transformational phases.If you make the

64、investment into these foundations from the start,you will be supporting your organizations ability to support increasingly ambitious business objectives1415LearnCloud Adoption Epics:Upskilling,External ExperienceYour organizations ability to continuously learn is determined by your efforts to upskil

65、l your IT staff while also taking advantage of the experiences shared by third-party contractors and partners.This two-pronged approach ensures that you apply cloud computing best practices idiomatically to Google Cloud Platform(or any other public cloud provider),tailored to your business needs and

66、 without having to climb the steep learning curve of doing things for the first time.Your staff will be more familiar with your organizations unique idiosyncrasies and understand its technical and cultural nuances,while supporting third parties will have the experience of having completed multiple p

67、rior cloud migrations across a broad spectrum of customer solutions.TRANSFORMATIONALSTRATEGICTACTICALSupporting third parties will have the experience of having completed multiple prior cloud migrations across a broad spectrum of customer solutions16Tactical maturityUpskilling is on a best-effort ba

68、sis,reliant on individual self-motivation and free educational resources like online documentation and YouTube.Third-party contractors and partners are relied upon to deliver essen-tial work required to achieve the objectives set out by the business.They typically enjoy wide-ranging and ongoing priv

69、ileged access to your organizations cloud estate and serve as a first point of escala-tion in the event of a technical question or an operational incident.You expect to be able to achieve tactical objectives with the IT staff you have and are not taking action to hire new staff with prior cloud expe

70、rience.Strategic maturityUpskilling is program managed and offered to any IT role who is directly or indirectly responsible for contributing to a successful cloud adoption.A learning plan has been published,training classes(online or offline)are offered on a regular basis,and achieving formal certif

71、i-cation is encouraged and budgeted for.Third-party contractors and partners provide subject matter expertise to fill the IT staffs remaining knowledge gaps or where the topic is so narrow and deep that it would be unreasonable to expect your IT staff to upskill to that level.These external parties

72、serve as a second-tier point of escalation in the event of a technical question or operational incident that cannot be answered or resolved internally within your IT staff.As such,they will typically have moderated access to the organi-zations cloud estate and be authorized(and audited)to escalate t

73、heir privileges in break-glass scenarios that require quick and determined intervention.You are actively opening new roles and are hiring for people with prior cloud experience to complement the IT staff as it upskills itself on cloud computing best practices.17Each IT staff member is given a GCP sa

74、ndbox project and a limited budget for them to experiment with and test new ideas.Transformational maturityUpskilling is continuous and collaborative.In addition to a regular formal training program,IT teams and individual contributors host regular hackathons and tech talks to maximize knowledge sha

75、ring.Going one step further,IT staff are encouraged to demonstrate thought leadership to the industry through public blog articles and public speaking.This outreach serves a double function of challenging staff to stretch themselves and also to attract new talent to be hired.You have reviewed and,wh

76、ere needed,redefined all roles and responsibilities to reflect the new require-ments of a cloud-first IT organization.Third-party contractors and partners serve primarily as staff augmentation with no privileged access and very few areas of exclusive knowledge.Most technical questions can be answere

77、d internally,and all incident response playbooks can be executed entirely in-house.18LeadCloud Adoption Epics:Sponsorship,TeamworkThe effectiveness of your organizations cloud adoption is determined by the visibility and value of the mandate issued top-down from your sponsors(which include C-level e

78、xecutives as well as middle management and team leaders)and the motivational momentum generated bottom-up from your teams cross-functional collaboration.These two counterparts together are responsible for clearly articulating objectives,making informed decisions,and executing them in concert with mu

79、ltiple functions.Sponsors control which resources are allocated to your organizations cloud adoption efforts and bring stakeholders from different business functions and reporting lines together.However,they must ultimately rely on an agile and cross-functional group of cloud early adopters to pract

80、ically implement their strategy.TRANSFORMATIONALSTRATEGICTACTICALSponsors must ultimately rely on an agile and cross-functional group of cloud early adopters to practically implement their strategy19Tactical maturitySponsorship is limited to senior management from or for one line of business.Their p

81、rimary contribution is delivering the mandate(“sign-ing off”)and passing it down their reporting line to be executed upon.Sponsors only get actively involved as a final point of escalation when progress is otherwise hampered.Cloud adoption progress is driven by individual contributors with a persona

82、l interest in cloud computing for their solution(s).The ability for early adopters to collaborate with other IT roles is subject to the friction of the incumbent org structure and reporting lines.Because the scope is limited to the project or line of business that this team of early adopters is alig

83、ned with and must operate within that budget their output will not be embedded with central IT.Depending on the perspective,the outcome is either a“minimum viable cloud”or“cloud shadow IT.”Strategic maturitySponsorship extends up to the C-level.Each manager in the reporting line has clearly defined

84、objectives and KPIs that support the organiza-tions cloud adoption.Sponsors key contributions include actively reaching out horizontally to other IT or business functions to clear the critical path of roadblocks and visibly and continuously championing the journey.Performance indicators prioritize t

85、raditional IT service-level objectives over the speed of experimentation,innovation,and recovery from failure.Cloud adoption progress is driven by a dedicated cross-functional team(Center of Excellence)of advocates,working across project boundaries.All critical IT roles inside this COE are filled,fo

86、r example,application architect,software or data engineer,networking engineer,and identity/directory admin,across operations,information security,and finance.Team members are committed full-time or part-time,and their job title and their personal performance indicators are updated to reflect their n

87、ew responsibilities.20Cloud adoption may also be complemented by a dedicated technical project manager who is familiar with the IT organization,the stakeholders,and the technology landscape.Transformational maturitySponsorship is comprehensive across the entire C-level to include marketing,finance,o

88、perations,HR,and more,and extends down to all levels of management.They comprehensively and consistently set the tone for a culture of experimentation and innovation within teams.Error budgets for software ser-vices are accepted and understood at the highest level(CEO),and a culture of blameless pos

89、tmortems is fostered throughout the IT organization.Project teams operate in an environment of transparency and open information sharing and enjoy enough decision-making autonomy to be able to experiment ad hoc without having to ask for permission or having to wait for resources to be provisioned.(D

90、ata governance and cost control are now a function of automation,not manual managerial process.)Failures are celebrated for the valuable lessons that the team has learned and will be shared with the wider business for posterity.An individuals mistake is interpreted as a collective or systematic fail

91、ure that must be addressed as a whole,not by reprimanding the individual.21ScaleCloud Adoption Epics:Architecture,Continuous Integration and Delivery (CI/CD),Infrastructure as CodeYour organizations ability to scale in the cloud is determined by the extent to which you abstract away your infrastruct

92、ure with managed and serverless cloud services,as well as the quality of your CI/CD process chain and the programmable infrastructure code that runs through it.Because everything is managed via an API,automation can pay greater dividends in the cloud than in any other environment.Not only does it re

93、duce human toil and serve as automatic documentation,it is also instrumental in making change low risk and frequent-the key ingredient for innovation.TRANSFORMATIONALAll cloud resources areprovisioned manually.Solutions run in long-livedVMs,and OS must bemaintained.Changes are reviewedmanually,are h

94、igh risk,and are deployed infrequentlyand manually.Project foundations are provisioned from templates.Solutions run in immutable VMs or containers,andaccess is locked down.Changes are testedautomatically,are medium risk,and are deployed manually .STRATEGICTACTICALBecause everything is managed via an

95、 API,automation can pay greater dividends in the cloud22Tactical maturityUse of managed or serverless cloud services is limited.Instead,a continued reliance on self-managed,long-lived virtual machines(VMs)provides a familiar computing platform at the risk of entropy(“config drift”),making consistent

96、 and secure operations increasingly hard over time.Because there is more to be managed,there is also more to be measured,increasing the burden of collecting quality,high-frequency events and metrics.Changes to application code and environment configuration are reviewed and controlled manually,for ex

97、ample,by a change advisory board.They are often considered high risk and deployed infrequently,measured in weeks or even months.The provisioning of cloud resources is performed manually via the GCP Web Console or command-line interface(CLI).Infrastructure automation tools like Deployment Manager or

98、Hashicorps Terraform 4 are not leveraged.While the use of the GCP Web Console or CLI is already a great improvement over the manual process of racking and stacking servers,it only marks the beginning of the clouds potential for automation.Strategic maturityVMs are designed to be immutable,thereby gr

99、eatly reducing the scope for change to a system.Environment configuration is baked into ver-sioned VM images,and stateful and stateless workloads are cleanly separated to allow for elastic horizontal scaling.Inside the VM,config-uration values and keys are stored only in-memory,and outside the VM on

100、ly in discrete services like the GCP metadata service,Cloud Key Management Service,or Hashicorp Vault.The risk of change is considered to be mostly moderate.Deployments to production environments are executed programmatically,but trig-gered manually,and can be easily rolled back if necessary.4 https

101、:/www.terraform.io23Application teams go beyond basic monitoring and logging,making use of application performance monitoring(APM),either through Stackdriver or through a third-party solution to deliver near real-time insights into service health under real production loads,24/7.The provisioning of

102、GCP projects includes all associated configurations(like VPC networking,billing account,and Cloud Identity and Access Management policies)and is performed programmatically via Deployment Manager or Hashicorp Terraform,based on a limited set of inputs like cost center,data sensitivity,team ownership,

103、and dependency with services hosted in other GCP projects.Transformational maturityProduction VMs allow shell access in break-glass scenarios for debugging purposes only.Self-managed services are replaced with managed equivalents(for example,Cloud SQL,Cloud Memorystore)or server-less/SaaS alternativ

104、es,where feasible,to minimize the operations overhead of IaaS-based services.The risk of change is considered to be low.Deployments to production environments are executed programmatically and automatically,using phased strategies(canary,blue/green,and so on).Logging and monitoring are comprehensive

105、 and cover every service-level indicator that underpins each service-level objective.All cloud resources are provisioned programmatically via Deployment Manager,Hashicorp Terraform,or directly via GCPs RESTful APIs.Entire production environments can be(re)created within minutes in another zone or re

106、gion.24SecureCloud Adoption Epics:Access Management,Data Management,Identity ManagementIn the narrow sense,the security of your cloud estate is determined by your ability to guarantee who may perform which action on which resource(identity and access management)and your understanding of the data tha

107、t needs protecting,ensuring it is appropriately catalogued,encrypted,and guarded from exfiltration,to name just a few considerations.In the more holistic sense,your security posture relies on the advanced maturity of the other three cloud adoption themes:1)continuous learning of the latest technical

108、 vulnerabilities and security best practices,2)leading by setting measur-able security objectives and rewarding a culture of blameless postmortems,3)scaling through automation which,in turn,minimizes human error and maximizes auditability.Because security is so essential and because it cuts across a

109、ll dimensions and themes,it lives at the very center of the cloud adoption model.TRANSFORMATIONALAll service-to-servicecommunication isauthenticated and authorized.IAM policies are continuousl ymonitored and corrected.Multiple layers of network security,from internet to VPCsubnet.STRATEGICTACTICALBe

110、cause security is so essential and because it cuts across all dimensions and themes,it lives at the very center of the cloud adoption model25Tactical maturityUser identities manifest themselves as Google Cloud Identity5 accounts under an organization domain name,and all consumer accounts for Google

111、Analytics,Adwords,Play,YouTube,etc.are now under the control of the enterprise.These identities are not yet syn-chronized with the organizations central identity solution,e.g.,Microsoft Active Directory,and therefore not governed by a single source of truth.Cloud IAM policies predominantly rely on t

112、he convenience of proj-ect-level Primitive Roles(Owner,Editor,Viewer)rather than following the principle of least privilege.Default permissions allow for any user to create GCP projects and billing accounts.Cloud IAM permissions are not continuously monitored with tools like Forseti Security6,and th

113、e GCP Admin Activity and Data Access logs are not systematically audited.Service accounts can be created freely,and private keys for service accounts are not automatically rotated.An overreliance is placed on the network to establish a secure logical perimeter around all hosted data and applications

114、:firewalls are used as a critical component to restrict access based on contextual infor-mation like the IP address of the client or the port of the application.Communication between clouds and data centers is encrypted using virtual private network(VPN)tunnels by default,with little regard to the e

115、fficacy of inter-application encryption using Transport Layer Security(TLS).VPC Service Controls are enforced around fully man-aged GCP services like Cloud Storage and BigQuery as a matter of principled policy,rather than based on the sensitivity of the data.Strategic maturityUser identities are syn

116、chronized to Google Cloud Identity from a directory service like Active Directory or OpenLDAP,thereby maintaining a single source of truth and a simpler governance model.5 G Suite accounts are Cloud Identity accounts with an associated G Suite user license.6 https:/www.forsetisecurity.org26Users are

117、 authenticated either with the same synchronized password or via a third-party single sign-on(SSO)service.100%of all user accounts use two-step verification(e.g.,SMS or code generator app)to defend against phishing attacks,albeit not with a hardware security key.Cloud IAM policies reference a much m

118、ore granular set of predefined roles,rather than the coarse primi-tive roles.The Project Creator and Billing Account Creator roles have been removed from the organization level to ensure a basic degree of cloud resource governance.The network-based security perimeter(VPC)is augmented by additional s

119、ecurity layers that protect individual services,for example,via Googles global Cloud Load Balancing with TLS configured,Cloud Identity-Aware Proxy,and Cloud Armor.This,in turn,lowers the risk profile of exposing a private service to the public internet.Transformational maturityAll service-to-service

120、 communication is authenticated and authorized.Little trust is placed in the circum-stance that they might share the same virtual private cloud(VPC)and/or VPN.For that same reason,internal firewall rules dont allow for specific IP addresses or ranges but rather for specific service accounts.A compre

121、hensive understanding of the contents of all your data stores provides the threat profiles for which you can design your security and data governance models,considering scenarios of both unauthorized and inappropriate access.100%of all user accounts use a hardware security key7 as their second facto

122、r to effectively defend against phishing attacks.SMS and code generator apps are understood to be insufficiently safe.GCP Admin Activity and Data Access logs are regularly audited through Stackdriver and automatic alerts have been configured to watch for patterns that match your threat profile.Cloud

123、 IAM permissions and firewall rules are continuously monitored and corrected with tools like Forseti Security.7 https:/ epicsOnce youve assessed your cloud maturity,youre ready to translate those insights into actionable pro-grams of work.Thats where the epics come in:clearly defined,nonoverlapping

124、workstreams tied back to the four themes and aligned to your stakeholders.The epics situate the work you will be doing within the familiar rubric of people/process/technology.With the epics,you will design programs to help you solid-ify your maturity in any given phase,or take it to the next level.F

125、or a lean approach,focus on the epics inside the four cloud adoption themes.For an enterprise-grade approach,you will likely want to explore all epics together.NetworkingBehaviorsCommunicationPeople OperationsIdentity&AccessSponsorshipUpskillingExternalExperienceArchitectureInfra as CodeCI/CDTeam-wo

126、rkData Mgmt.Resource Mgmt.InstrumentationIncident Mgmt.Cost ControlPeopleProcessTechnology28Access managementObjective:ensuring that only the right people and services are authorized to perform the right actions on the right resources.Good access management applies the principle of least privilege w

127、ithout stifling those users and resources from legitimately accessing the resources they require to perform their jobs.Cloud IAM,as its called in Google Cloud Platform,relies on strong identity management on the one hand(Cloud Identity)and clean and consistent resource management on the other hand(R

128、esource Manager).As such,access management deals with both natural users and service accounts,the bundling of both into user groups,and the assignment of the many IAM roles that group individual permissions together.ArchitectureObjective:providing best practice recommendations and a forward-looking

129、view of the appropriate cloud compute and storage choices.Cloud architecture ensures that applications take full advantage of the cloud platform capabilities and future-proofs the investment in a cloud migration by selecting appropriate compute and storage choices.For example,to achieve elastic scal

130、ability,cloud application architecture favors stateless(micro)services that are separated from persistent storage.Cloud infrastructure architecture employs software-defined,immutable components to assure repeatability and security by eliminating manual patching and maintenance.It is an essential con

131、sideration for any business that wishes to achieve a step change in the scalability,availability,and affordability of their self-developed applications,data warehouses,and pipelines,and that seeks to increase development velocity as well.BehaviorsObjective:developing a systematic way to understand a

132、nd evolve the behaviors that teams and individuals need to demonstrate to improve willingness to work as a team,communicate with greater empathy for the audience,and retain more knowledge from upskilling programs.Over 90%of our behavior is driven by our unconscious motivations,values,beliefs,and hab

133、its.For suc-cessful cloud adoption,it is critical to address not only the visible or conscious actions and rituals,but to also focus on the change required in mind-set and values.Your ability to learn and lead is predicated on the fact that people are going to adopt/demonstrate the new behaviours:e.

134、g.,collaboration,blameless-ness,psychological safety,prototyping,data-driven decision-making.The end goal is to enable organizations to understand current and desired behaviors and to develop a change journey that allows them to navigate this shift.29Continuous integration and delivery(CI/CD)Objecti

135、ve:automating changes to the system through a CI/CD process pipeline,so that all changes can be tested,audited,and deployed with minimal interruption.In a large,distributed system,there are a lot of unknowns,dependencies,and ownerships,which create uncertainty about whether code changes will work as

136、 intended.For businesses,uncertainty leads to risk and slows down software delivery.A continuous software release process that validates every change continuous integration(CI)and continuous deployment/delivery(CD)builds confidence that any code change will work as intended.Cost controlObjective:ins

137、tilling cost consciousness and soft boundaries with the consumers of cloud resources(architects,developers)by maximizing visibility into the costs incurred in near real time.With no up-front procurement of IT resources to set a physical limit on the amount of resources that an application can consum

138、e and no capex-based,multiyear capacity planning,controlling costs begins with the individual software engineer.Physical limits of procured hardware are replaced by logical resource quotas and auto-scaling configurations.Without appropriate dashboards,alerts,and processes in place,managing the cloud

139、 expenditure for organizations with multiple projects,teams,or business units can be a cumbersome and time-consuming process.In lieu of hard physical resource limits,application owners must choose from one of three strategies and take responsibility for enforcing it:unlimited scaling(e.g.,customer-f

140、acing e-commerce),gradual service degradation(e.g.,internal data analytics),or capped spending(e.g.,developer sandbox).CommunicationObjective:understanding and managing a culture of blamelessness and open communication channels,where sharing failures openly is encouraged and mistakes are treated as

141、opportunities for improvement.In todays fast-paced and complex software delivery process,organizations need to understand that failure is inevitable and treat mistakes as opportunities for improvement.Creating a psychologically safe and blameless workplace,where taking interpersonal risks is encoura

142、ged and where the responsibility for mistakes does not fall on individuals,but instead on systems and processes,is essential.Also key to this approach is the postmortem as a tool that helps promote a culture of blamelessness,continuous learning,and system improvement.30Data managementObjective:under

143、standing and managing what data is being stored,where it originates from,how sensitive it is,and who is accessing it for the purpose of keeping data safe,discoverable,and useful.As an organization,being a good custodian of the data you hold is not just good practice.It makes good business sense as w

144、ell.Poor data management can lead to breaches or other issues that can result in reputational damage for your business or regulatory sanctions.Encryption,classification,loss preven-tion,and adhering to regulatory compliance are just a few of the many considerations that fall under the umbrella of da

145、ta management.External experienceObjective:accelerating cloud adoption by applying best practices and other organizational lessons learned from day one,through experienced subject matter experts.While knowledge can be gained through training and other means,the experience itself of building or imple

146、menting a solution provides insights and strategies to effectively overcome problems quickly,mitigate unforeseen risks,and develop best-fit solutions that address a specific business need.In the early stages of a cloud adoption journey,seeking outside help is often a good strategy,whether from a Goo

147、gle partner,Google Professional Services,our Office of the CTO,or our solution architects.Identity managementObjective:reliably authenticating users or services identity and guarding against loss of credentials and attempts at impersonation.Establishing a persons or devices identity with absolute co

148、nfidence is core to the modern security model in which no single factor is trusted-not the password,not the certificate,and most certainly not the IP address and yet,by combining many factors,can be trusted from anywhere on any network.Incident managementObjective:alerting to,triaging,and rectifying

149、 unplanned service degradations in an orderly and timely manner,both self-sufficiently and with Googles support.When operating a service,there is a strong requirement for efficient and effective delivery of support to business users and customers,and a requirement for quick restoration of service wh

150、en things go wrong.In the case of adopting cloud technologies,there are both skill gaps and process gaps that need to be addressed to ensure optimized solutions,continued uptime,and business value.31The benefits of creating a rigorous support model include minimizing the risk of service outages,mini

151、-mizing the impact of such outages when they do occur,and developing well-architected solutions that make the most of the tools and platforms on which they are built.Infrastructure as codeObjective:automating through code the configuration and provisioning of resources,so that human error is elimina

152、ted,time is saved,and every step is fully documented.Configuration and resource automation through code(also programmable infrastructure)enables hori-zontal and automatic scaling,locking down admin/root access to servers,provisioning developer environments within minutes,and switching over from one

153、stable production version to another without downtime.InstrumentationObjective:measuring resource health and logging events,as well as tracing,profiling,and debugging applications,so that the behaviour of a system can be examined under any circumstance and service-level objectives can be quantified.

154、Comprehensive instrumentation,while essential in any IT operating model,plays an even more important role in the cloud.It provides the metrics by which an application will determine when and how to elasti-cally scale its resources and provides crucial insights to help triage whether Googles services

155、 or your own application is the root cause for an observed poor performance or degraded service.Last but not least,and because every action in the cloud is an API call,comprehensive logging provides a gapless and immutable audit trail of who performed which action to which resource or configuration,

156、which in turn helps make your cloud operations inherently more secure.NetworkingObjective:connecting and protecting services and the flow of data between them via logical boundaries,regardless of a services identity or permissions.Networking is a critical infrastructure component for any business.Th

157、e network connects clients to servers or services,it connects a business to its customers,and it enables employees to complete their work.No business today can function without connectivity not only within the organizations boundaries,but also to customers,partners,and the wider internet.This applie

158、s to businesses of all shapes and sizes,whether infrastructure is fully on-premises,all in the cloud,or a hybrid of both.32People operationsObjective:defining the required organization structures and aligning cloud adopters to the right role,skills,and performance measures to help them fulfill their

159、 new tasks and duties.Alignment of the organizational structure,people,and performance measures ensures that teams are set up to receive the change and embrace their new duties.For example,a company could make a sub-stantial investment in migrating to the cloud,but if the IT,operations,and related b

160、usiness resources dont know how to work with one another or know what is expected of them,then chaos can develop,negatively impacting the return on investment.It is also important to ensure that cloud adopters are incented for executing their new responsibilities and behaviors(e.g.,collaboration,tra

161、nsparency,acceptance of failure,trust)through the performance management process and incentive structures.Finally,it is critical to set organizational goals that are both measurable and able to be influenced by the journey that the organization is on.Misaligned goals and initiatives will have a nega

162、tive impact on the success of cloud adoption.Resource managementObjective:organizing,naming,and setting quotas of cloud resources in order to ensure a structured,consistent,and controlled environment.The ease with which resources can be virtually created in the cloud by almost anybody also poses cha

163、l-lenges in maintaining a clear view and minimizing sprawl across the cloud account.Useful and simple naming conventions and a thoughtful folder and project hierarchy that mirrors the organizations hierar-chy help to federate governance while avoiding anarchy.SponsorshipObjective:passionately and co

164、ntinuously demonstrating executive support for the cloud adoption strategy,so that early adopters have a widely recognized mandate for change.Sponsorship refers to the active and visible support that executives and team leaders give to a cloud initiative or project within the organization.Enterprise

165、 cloud adoption is complex.Strong sponsorship is vital when organizations make the decision to go forward with organization-wide deployments of cloud platforms or applications whose intent is to add value and drive organizational collaboration and velocity.33As the most influential individuals withi

166、n an organization,executives must passionately and continuously demonstrate executive support for the cloud adoption strategy,so that early adopters have a widely recognized mandate for change.TeamworkObjective:building a team that lives and breathes behaviors and culture,which includes high collabo

167、ration and trust,so that cloud technology is utilized in the most optimal manner.Teamwork is driven by thought leadership from the bottom up,beginning with the individual contributor.This thought leadership can take many forms,such as a Center of Excellence,dedicated evangelist roles,or informal cha

168、mpions,and may involve many different avenues of knowledge sharing.Advocacy encom-passes all IT disciplines,from security to architecture,from networking to operations and database administration.What they all share is a forward-thinking and self-motivated interest in cloud adoption best practices.W

169、ithout a critical mass of advocacy,all responsibility for generating cloud adoption momentum rests with the executive sponsors(see the Sponsorship epic).Such a one-sided,top-down push is not only slow to scale but also fails to capitalize on the inherent democratization of IT resources that cloud co

170、m-puting offers.UpskillingObjective:investing in learning,so that the incumbent staff may combine their existing in-depth knowledge about the business and the current IT estate with learnings about new best practices.Cloud computing marks a paradigm shift in IT the likes of which the industry has no

171、t seen since the introduction of virtualization.These new principles and best practices can be studied in many different ways to suit your teams individual learning styles,ranging from instructor-led training courses to self-serve interactive courses and quests with and .Upskilling is about more tha

172、n just understanding the technical theory.Its about applying the learning on the job,self-sufficiently researching solutions to issues online,or reaching out to Google Support and sharing lessons learned with peers,so as to nurture a culture of continuous learning and to grow institu-tional knowledge.