Imagine being a thousand feet in the air on the side of a cliff with no gear or ropes to protect you from falling. Crazy, huh? Well, there is a guy named Alex Honnold who does this on a regular basis. You may have seen him on 60 Minutes or an AMEX commercial on TV. He is a professional rock climber and is known for soloing (climbing without ropes) up huge rock faces.
Regardless of how you feel about soloing (e.g., the guy is crazy, he has a death wish, he is AWESOME, etc.), the one interesting part of soloing is the speed he can maintain while climbing. Without having to worry about ropes, placing protection, etc., he is able to complete climbs in hours that would take most competent climbers a day or more. However, with this speed comes a large amount of risk: one rock hold breaking or one slip of a foot can lead to a fall.
The reality is that most of us “common folk” are not ready or willing to take on this amount of risk. So instead, we are willing to sacrifice speed to ensure that we have less of a chance of falling to our deaths. In rock climbing, this means climbing with a partner, being tied into a rope, and ensuring that we are properly protected from big falls. Climbing with proper protection actually turns out to be a pretty safe activity, but on big walls it means taking days to get to the top, sleeping on the side of the cliff, and having to pack more food, water, and supplies.
At this point you are probably asking yourself, “what does this have to do with managing a cloud environment?” Well, with cloud we are also constantly balancing speed and risk. What are we willing to trade in order to deliver applications, infrastructure, or services faster? What level of risk is acceptable? And more importantly, can we deliver on speed without having to increase risk?
In my time working on cloud automation solutions, I have found that most discussions initially focus on speed. It takes too long to deliver application infrastructure to the teams building applications, which reduces business agility. Basically, they want things faster. And everyone tends to assume that this shouldn’t be that hard. I can provision a new VM within minutes and spin up a new AMI in seconds, so why does it take our IT department days or longer to deliver?
One reason is that IT departments tend to be risk averse and, as a result, have set up controls to try to minimize risk. Going around the processes to increase speed can have some adverse effects, including exposure to security threats, unprotected or lost data and intellectual property, unreliable applications, and more.
To address the fundamental problem, which is “How do I get resources faster?”, it is important to break down what is required to truly deliver an “enterprise-ready” piece of infrastructure. I break it down into these four buckets:
1. Provisioning: Time it takes to stand up compute, network, storage, software
2. Orchestration: Time it takes to stitch together the infrastructure elements
3. Process integration: Time it takes to ensure proper approval, change management, and configuration management controls
4. Management readiness: Time it takes to configure monitoring agents, run compliance scans, and harden the OS based on defined security standards
The issue I tend to see is that everyone focuses on #1, the time it takes to provision. However, from an IT standpoint, all four of these are required to “officially” roll out new application infrastructure. By breaking down the time spent in each of these four buckets, you will likely find that less than 25% (often, less than 10%) of the overall time spent is on #1, provisioning. That means that over 75% of the time it takes to deliver services is based on #2-4: your ability to automate how infrastructure is stitched together, how it integrates with your existing processes, and how you can ensure it is management ready. If you can figure out how to automate these three buckets in addition to the core provisioning, you can see substantial improvements in your ability to deliver “enterprise-ready” services at the speed the business expects.
The added benefit of focusing on all four buckets as part of your cloud delivery strategy is that speed does not come at the expense of increased risk. In fact, automating orchestration, process integration, and management readiness ensures that you have the proper governance and controls in place to reduce risk. Every request for infrastructure is properly tracked and set up in your IT organization structure to be properly managed from day one.
Only a select few are able to solo without feeling the impact of risk. Instead of trying to be the one in a million (maybe billion) that can get away with it, focus on how you can reduce risk without sacrificing speed. For more information on using this approach as part of your cloud management strategy, have a look at www.bmc.com/cloud.
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.