2021 Cloud Technology Management Insight Report


November 25, 2020



Businesses know cloud-native technologies can make them more nimble and reactive to market changes, and even improve their time-to-market. Cloud migration—and optimized cloud environment management—is another fundamental building block of legacy modernization and all its competitive potential. Unfortunately, complete and successful migration is still rare, as many technology teams encounter challenges with complexity and scale once underway. The resulting stalled or shortened projects can cost organizations heavily in lost investment, operational overspend, and future opportunity.

Levvel’s research analysts talked to hundreds of technology leaders to better understand the challenges of moving technology workloads to the cloud. We found that many companies struggle to overcome issues like security concerns, training and development costs, and implementation complexities. A lot of these roadblocks arise because of an incomplete understanding of and approach to cloud technology. In many cases, cloud service providers and cloud-based solutions solve many of the challenges organizations face, and at a much lower cost. Delaying or minimizing cloud migration is counterproductive to organizations’ business objectives.

This report provides the action plan needed to take full advantage of cloud technology. It covers the benefits of modern, optimized cloud and how cloud solutions can help a business achieve its goals. It highlights the main issues organizations face when deploying cloud environments and offers solutions to overcome these challenges. It also serves to help decision-makers fully understand the “why” and “how” of cloud migration before embarking on expensive/complicated initiatives, and it provides a guide to building a migration and cloud management plan.

Executive Summary

Research conducted in the creation of this report revealed that the majority of North American organizations are still migrating their systems to the cloud, but some face challenges in completing migration or properly optimizing their cloud presence. The main factors that impede an organization’s ability to migrate fully or effectively to the cloud are migration process, cloud management, and security. According to our data, businesses that are migrating to the cloud, on average, experience greater efficiency across technology operations when their workloads are hosted in the cloud.

The Insights

Primary data insights include:

  • 70% of organizations are currently migrating to the cloud (indicating those that have embraced or are in the process of migration), and 12% are fully cloud native
  • Most organizations have migrated at least 50% of their platforms to the cloud, but many are struggling to continue migration
  • 43% of organizations are operating in a hybrid cloud model, while 34% have adopted private cloud
  • 38% of organizations report that they have chosen their current cloud environment because it is the best solution for their needs, but data indicates that many respondents’ current environments are exacerbating their difficulties in technology management
  • Security concerns prevail in a variety of technology and cloud-related areas and have a large influence on organizations’ decisions on if and how they migrate
    • The majority of respondents (54%) named security as their main driver to conduct a cloud migration initiative, while 60% named it as the greatest barrier to migrating workloads
    • Increased security was among the most reported benefits of cloud migration (53%)
  • Organizations’ top reported benefits from migration match their top drivers to migrate—specifically, improvement in deployment times, security, data insight, and collaboration—reflecting that they achieve their business goals after migrating
  • Challenges in product development decrease with cloud adoption, as organizations are less likely to rank specific issues as “very challenging” as they migrate workloads
  • Organizations with optimized cloud—specifically those in a public cloud environment, using a single cloud provider, and with a high migration rate—report considerably lower IT spend on average than those with non-optimal cloud
  • Figure 1 shows there is a positive correlation between cloud migration and operational efficiency (1) — organizations with higher cloud migration rates also have higher overall efficiency in their technology processes
  • As some outliers in Figure 1 indicate, high migration does not always result in high operational efficiency. Rather, it is dependent on organizations using optimized migration strategies, environments, and management

Figure 1: Operational efficiency

(1) To illustrate the positive effect of cloud migration, Levvel used factor analysis to analyze five efficiency indicators and construct an operational efficiency metric. The alpha score is 0.78, indicating the internal consistency of the measure is high. The five items are the following:

  • Software delivery times
  • Frequency of software release schedules
  • Software development vendor costs
  • Time to integrate with 3rd party systems
  • Time to provision new infrastructure

The Takeaways

Levvel’s research concludes that organizations with an optimized cloud presence can release products more quickly and possess overall greater market resilience. Levvel has identified the following components of optimized cloud; organizations with several of these items tend to gain the aforementioned benefits.

  • Public Cloud Environment— While hybrid and private clouds are the most commonly chosen hosting environments today, they bring much less value to the organization than public cloud environments. With the right migration plan and expertise, public cloud hosting is more cost efficient, effective, and secure than other hosting models, and the services that cloud providers offer are far beyond what can be used with hybrid or private cloud.
  • Single Cloud Provider— When organizations are using more than one cloud service provider, they experience higher overhead, disorganized infrastructure, and redundancy across systems. Consolidating platforms with one cloud provider streamlines management of processes and teams and leads to lower IT costs.
  • Cloud Security Services— Today’s public cloud service providers offer cybersecurity capabilities far beyond those possible with on-premise systems, and taking advantage of these services is crucial for sustainable security management, lower spend, and lower risk. Organizations that have migrated to the cloud report improved security as their top benefit.
  • Optimized Workload Architecture— Sustainable cloud migration and management requires a holistic and intentional approach to moving workloads to the cloud, rather than a simple “lift and shift” approach. This entails architecting, designing, and enabling workloads and systems to operate successfully in the cloud as they are moved, as well as conducting regular workload assessments.
  • Automated Infrastructure Management— An optimized cloud presence brings agility in how it enables an organization to swiftly and safely evolve their technology environment and products with market needs. The combination of cloud technology and infrastructure management processes, like Infrastructure as Code (IaC), allows teams to make changes to their products without putting systems or security at risk.
  • FinOps Approach— Cloud financial management, or FinOps, refers to frameworks that bring together technology, business, and finance professionals to increase the business value of cloud. The results of adopting FinOps are improved synchronicity and transparency across technology management and business goals; it can improve efficiency around product development and delivery because it aligns those that fund, design, and create the products. Adopting this strategy is another way organizations can transform and transfer during cloud migration, which is a component of optimized cloud.

Data Summary

For this report, approximately 500 professionals involved in or with knowledge of technology management departments and processes—including team members, management, and executive roles—were surveyed. These respondents represented organizations from various industries and segments, with annual revenues of at least $100 million. Sample sizes vary across data charts and visualizations, as logic dictated the questions that respondents received according to their familiarity and previous responses.

The remainder of this report offers detail and data to support the above insights and takeaways, as well as strategies for embracing cloud best practices.

The Enterprise Value of Cloud Migration

Achieving Business Objectives with Cloud

Not all organizations recognize the true value of cloud adoption. In fact, assessing cloud migration impact is often either very straightforward, such as simply counting the number of systems that have been migrated, or very complicated, such as trying to create the perfect combination of provider, certifications, and infrastructure in a cloud environment to emulate best practices. While the elements in both assessments are important and fundamental for cloud migration and management, to be laser-focused on KPIs is missing the point. The true impact of optimized cloud is in how it enables the organization to achieve its business objectives.

When survey respondents in management, leadership, and executive roles were asked about their drivers to migrate to the cloud (Figure 2), results showed their top goals are those that help build more resilient, risk-averse companies and lead to faster time to market—both outcomes embraced by competitive organizations that understand the connections between technology and enterprise value.

Figure 2: Drivers to migrate

Fortunately, the top reported benefits of cloud migration almost exactly match the top reported drivers (Figure 3), pointing to the substantial ROI of cloud migration. By strengthening and modernizing core applications—and enabling them to run securely and efficiently with less oversight and cost—organizations are also empowering their development teams to create and release products faster. By removing technical debt and improving collaboration, organizations are enabling their IT and finance teams to refocus their talent to more strategic initiatives. When organizations adopt cloud computing, they ultimately adopt revenue growth, better operating margins, and improved working capital.

Figure 3: Benefits from migration

Some organizations don’t see the full picture. When asked about their cloud environment, many respondents in leadership positions believe they are doing fine. These companies are missing the connection between modern technology strategy—like cloud adoption—and business success.

What are the reasons for the disconnect? Many times, it can be a result of siloed internal teams, such as between product and IT, and different perspectives on cloud management strategy. It can be an antiquated outlook from executives on digital strategy in general, or one that is shaped by a stronger effort to save costs rather than drive revenue. Sometimes, in preparing to migrate to the cloud, reshaping culture must be done before refactoring code.

There are a few powerful data points that change drivers can use in their organization to build a better understanding of the value of migration, including around spend and product development. For example, research finds that the more migrated a company is, the better its operational efficiency. Such companies spend less in almost every area across technology management. Figure 4 shows that overall IT spend decreases with migration. The line in the figure increases briefly during migration, reflecting the costs of migration initiatives, as well as operating hybrid cloud environments, but assumes a downward trajectory as migration is executed further.

Figure 4: Costs by migration

Table 1 further details the change in IT spend. The most expensive technology management is with hybrid cloud, which often requires a costly mix of systems, labor, and vendors to maintain both environments. After moving from hybrid to high migration, spending is much lower (in most categories) as compared to low migration. In some areas, like talent, spending increases between low and high migration, but the value of the overall spend changes when considering other factors. Specifically, increases in labor go toward talent that can contribute to more strategic initiatives and maintaining cloud technology, while overhead costs of assets and capital greatly decrease with migration.

Table 1

| Spend Category | High Migration | Hybrid | Low Migration |
|---|---|---|---|
| Labor (2) | $2,479,580 | $4,029,958 | $1,274,331 |
| Assets/capital costs (systems/hardware) | $988,397 | $6,132,484 | $1,706,581 |
| New product development | $378,600 | $2,651,143 | $1,249,871 |
| Vendor costs | $702,297 | $770,253 | $2,449,952 |
| Column n | 72 | 31 | 16 |

(2) Employees dedicated to managing cloud tech or on premise systems

Migrating is not just about savings—by migrating to the cloud, organizations are often able to redirect resources to areas that drive revenue, like product development. Many organizations measure their agility by their time to market, seeing a direct correlation between their ability to make and release competitive products with their enterprise value. Research indicates that cloud migration has a direct impact on many areas of operational efficiency related to the software development lifecycle, including making and delivering changes and in scheduling releases (Figure 5).

Figure 5: Operations speed

Although these data points are valuable, they alone are not enough to enable an optimized cloud presence. Many organizations face migration challenges or uncertainty on how to improve cloud security, environment, and management. Other organizations are almost fully migrated but would like to confirm that their cloud strategy aligns with best practices and enables enterprise value. Education (as provided in the rest of this report) and iterative evaluation are key for those at the start, middle, and final stretch of their cloud optimization journey.

Challenges and Solutions To Successful Cloud

The main reasons that cloud technology adoption does not succeed are related to the migration process, cloud management, and security factors. This section outlines how organizations approach these three areas today and offers best practices and strategies for optimizing each.

The Migration Process

The success of migrating to the cloud depends on the decisions and actions taken during this process. Unfortunately, resource constraints, including in budget, talent, and knowledge, cause many companies to make less than optimal choices on cloud environment, providers, and workload migration methods. These choices either result in inefficient outcomes or cause the projects to stall, downgrade, or fail.

For example, many companies use the wrong methods to deploy and manage cloud environments. Some migrate their key workloads to the cloud using antiquated methods that do not support modern cloud-native practices and patterns and do not solve old problems. Others are not properly equipped internally to manage or maintain the cloud environment they’ve set up. Some companies limit their migration roadmap to only a few workloads to avoid complexities because they don’t have the expertise or resources to overcome these challenges. Others haven’t yet recognized the business value of further migration.

Most respondent organizations are currently migrating to the cloud, but few have fully migrated (Figure 6). In fact, almost one-third of respondents report they have “embraced” a hybrid cloud model, meaning they may not intend to become fully cloud native.

Figure 6: Cloud migration status

On average, respondent organizations have migrated at least half of their platforms to the cloud (Figure 7), but reported challenges and hesitance—and the large group of hybrid users—indicate that market ubiquity for full migration is still far off.

Figure 7: Cloud migration rate

Cloud Environments

The hosting environment a company selects has a great impact on the success—and price—of migration. Figure 8 shows that the hybrid cloud is the most popular approach among respondent organizations, followed by private cloud (34%) and public cloud (23%).

Figure 8: Hosting

Organizations choose their cloud environment depending on a few factors, including their current state parameters, their perception of each cloud model, and the talent they have on hand to manage the environment. Survey results show that overall, organizations typically choose an environment because they believe it is the best solution for their workloads and because of security drivers (Figure 9).

Figure 9: Environment selection

When it comes to hybrid models, organizations are much more likely to be guided by time constraints than those that choose other environments. For some companies, hybrid models are a “band-aid” method, allowing them to get by until they can more fully migrate their workloads, but, for others, it is intentional. Among those who have selected hybrid, 48% reported embracing the hybrid cloud model versus 52% who report they are still migrating and might be heading toward a fully public or fully private approach.

Private cloud is most often selected for security reasons, particularly for organizations in more regulated industries, such as insurance and banking. Industry requirements drive organizations to delegate security and infrastructure management to a third party with compliance and security expertise. For this reason, private cloud solutions like Rackspace, which manages workloads for users, remain popular among many companies.

Choosing hybrid cloud environments is typically driven by hesitancy to relinquish control over processes and data, or by constrained resources that make smaller migration projects, or those with seemingly less risk, more palatable to the business. For example, a hybrid model is an appealing solution for businesses that want to keep certain business-critical workloads on-premise while migrating smaller, decoupled, or new workloads in the cloud. This approach is also appealing for older companies in more established industries, such as transportation, or those with more pressing concerns over data security, such as in financial services or healthcare. Although private and hybrid approaches are appropriate in rare circumstances, they are usually the least efficient and most costly in the long run.

Only 23% of respondents are migrating to the public cloud, but this is likely due to the newness of cloud technology compared to the legacy systems and other workloads large corporations tend to possess. In general, hesitancy to adopt public cloud comes from incomplete knowledge of the offerings and value the platforms provide. For example, while security concerns are a major reason for selecting a cloud model, those that chose private or hybrid are likely unaware of the security controls public cloud affords. With the proper expertise, public cloud has much stronger security provisions than other hosting environments.

That being said, without that expertise and with limited resources in other areas, many organizations do not feel that a public cloud solution is feasible. Organizations may also lack the resources to properly transform other aspects of legacy dependence or to manage the public cloud environments long term. The key to overcoming this barrier is to understand the true costs associated with a non-public cloud presence and to assess the effect that delaying migration has on a company’s tech debt.

Strategies and Considerations

Demonstrate the True Costs

There is a significant difference in organizational spend between hybrid, private, and public cloud platforms. Table 2 shows that in all categories, public cloud is the cheapest option, including labor, assets, new product development, vendor costs, and licensing and support.

Table 2

| Spend Category | Public Cloud | Private Cloud | Hybrid Cloud |
|---|---|---|---|
| Labor (3) | $1,751,259 | $2,463,076 | $4,034,290 |
| Assets/capital costs (systems/hardware) | $1,084,077 | $4,362,541 | $2,187,396 |
| New product development | $718,986 | $1,417,987 | $2,296,634 |
| Vendor costs | $417,053 | $1,980,609 | $1,304,323 |
| Column n | 27 | 33 | 49 |

(3) Employees dedicated to managing cloud tech or on premise systems

Another indication of the value of public cloud is organizations’ reported savings. Those with public clouds are more likely to report they saw a reduction in overhead expenses than those using private or hybrid models (Figure 10).

Figure 10: Savings by environment

Organizations also have slightly fewer unplanned outages in the public cloud than with other environments (Figure 11). Frequent outages not only hurt security control, they can also damage customers’ satisfaction and potential market standing.

Figure 11: Outages by environment

Finally, it is important to illustrate that stalled or disrupted migration projects are another drain on resources, and that data indicates that hybrid cloud hosting can create more issues in migration than other environments. Organizations using hybrid cloud are most likely to report that they aren’t migrating certain workloads because of blockers found during the migration process itself (Figure 12). While hybrid approaches may seem cost conscious at the outset, they can potentially cost a company much more in the long run.

Figure 12: Migration barriers

Understanding the Exceptions

Figure 11 shows that security concerns are once again a crucial factor with workload migration. This comes back again to a lack of resources: even if a company is aware of the benefits of public cloud for strengthening security, it cannot always afford talent able to manage that environment. Using that example, there are cases when hybrid and private cloud environments are, in fact, a better solution than public cloud, even if temporarily.

Should an organization lack expertise in public cloud management, a privately managed cloud such as Rackspace may be the more appropriate solution. Similarly, organizations that have legacy systems in place but do not have the resources required to migrate these to the cloud may benefit most from a hybrid cloud solution. That said, this solution is generally only considered to be best practice in circumstances where time and budget constraints are of utmost importance, or where the solution requires edge computing or is contingent on the Internet of Things (IoT). Organizations should consider a long-term strategy for future cloud optimization that includes working with a public cloud provider.

Evaluating and Selecting A Cloud Environment

Some organizations hesitate to migrate workloads for fear of the impact it will have on other systems or lines of business, especially if the organizations have many business-critical workloads running on legacy systems. They may fear that the learning curve for their in-house personnel is too high, and a large-scale migration would be risky.

One solution that allows an organization to thoroughly evaluate its workloads and expertise before selecting a cloud platform solution is to build out an environment replica (Blue/Green testing) for testing before migrating. Only after testing succeeds should traffic be slowly routed to the newer environment. Duplicate environments, however, are very expensive and time consuming to architect and host, and for this reason, rehosting and replatforming can be used instead of re-architecting.

When selecting an appropriate cloud environment, it is important to, at minimum, consider the following:

  • What requirements does this application need to run? (e.g., dependencies including other coupled services, minimum CPU, network configurations)
  • What are the Recovery Point Objective (i.e., how much data can be lost before impacting business operations) and Recovery Time Objective (i.e., how long it should take to restore an application after an outage) of the application(s)?
  • Who will own the infrastructure components of the application?
  • What are the cost and time requirements?

In analyzing these points, the service offerings and cost of public, private, and hybrid cloud solutions can be much better compared. For example, if the Recovery Time Objective (RTO) is a focal point for a business, a managed cloud (private or public) may be a better solution, as cloud platform providers, like Amazon or Rackspace, are more able to guarantee service uptime than with hybrid cloud. However, if the infrastructure owner is someone internal with little experience in public cloud, perhaps a hybrid solution is most appropriate in the near-term.

Cloud Providers

One of the most common and identifiable signs of a disjointed migration—and another cause for stalled projects—is when organizations take a multi-cloud approach to migration, managing more than one environment with different cloud platforms. Multi-cloud scenarios typically arise when organizations move workloads to the cloud over different periods of time, in different areas of the business, or without formal migration plans or guidelines. Regardless of reason, using multi-cloud in this way is inefficient and expensive, as it results in a disjointed architecture and unnecessary overhead.

Cloud offerings can take many forms and are categorized as either Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Table 3 reflects the popularity of different cloud technology providers among respondent organizations. In the IaaS realm, respondents indicated that they overwhelmingly preferred AWS Cloud Suite and Microsoft Azure to competitors like Google Cloud. That said, many organizations appear to be utilizing more than one IaaS solution; for example, 37% of respondents using AWS also reported using Azure.

Table 3

| Rank | IaaS | PaaS | SaaS |
|---|---|---|---|
| 1st | AWS Cloud Suite | AWS Lambda | Microsoft 365 |
| 2nd | Microsoft Azure | AWS Elastic Beanstalk | Salesforce |
| 3rd | Google Cloud Platform | SAP Cloud Platform | Webex |
| 4th | IBM Cloud Suite | Salesforce Lightning Platform | Google G Suite |
| 5th | Oracle Cloud Platform | Google App Engine | Slack |

Data shows that 44% of companies are using more than one provider overall. Many organizations choose to occupy multiple clouds in order to avoid vendor lock-in; in practice, lock-in is unavoidable (particularly when using databases) and required to fully benefit from a cloud platform’s unique service offerings. When an organization avoids making a commitment to one provider, it can result in a significant time investment and an ever-increasing amount of engineering just to keep the environment functional.

This time and effort detracts from time that could be spent innovating as a business or taking advantage of individual provider service offerings that could streamline efficiency and even reduce costs. In addition, multi-cloud results in redundancy of functionalities, as many of the leading cloud providers offer a very similar breadth of services; it also requires more oversight and knowledge and perpetuates silos across technology teams.

Running a multi-cloud solution can become disorganized should vendors follow different protocols, as each cloud has its own portals, APIs, and processes. The more cloud-specific adaptation that is needed, the more complex managing multi-cloud becomes. Aside from complexity, multi-cloud solutions have a larger attack surface and can potentially open a company up to new cybersecurity threats and vulnerabilities.

C-suite officials are often unaware of the detrimental effects that a disjointed multi-cloud environment can have on the organization at large, particularly with budgets. In fact, multi-cloud organizations spend more on IT management costs than those with a single provider (Table 4). The differences in capital costs are especially stark.

Table 4

| Spend Category | 1 Provider | 2 Providers | 3 or 4 Providers |
|---|---|---|---|
| Labor (4) | $2,967,524 | $1,698,544 | $5,376,318 |
| Assets/capital costs (systems/hardware) | $731,406 | $2,023,568 | $7,660,405 |
| New product development | $569,235 | $2,900,261 | $2,084,601 |
| Vendor costs | $699,276 | $1,382,250 | $2,640,887 |
| Column n | 50 | 34 | 22 |

(4) Employees dedicated to managing cloud tech or on-premise systems

Strategies and Considerations

How To Assess a Cloud Provider

To properly assess which cloud provider is the best choice for an organization, it is imperative to first determine target attributes and services. Cloud provider attributes include features like a flexible pricing model and portability, while services are specific technical offerings like serverless computing and containerization.

Figure 13 shows that security and reliability are the most important attributes to the majority of respondents. Affordability, portability, and interoperability are also very important to many organizations.

Figure 13: Provider attributes

With respect to services, those noted as most valuable fall overwhelmingly in the security/compliance sphere (Figure 14). Fortunately, there are premium security offerings that can be enabled in the public cloud to protect data and maintain compliance standards if configured correctly.

Figure 14: Provider services

As noted earlier, the leading public cloud providers have many of the same features and services, but there is still enough difference in business model and customer engagement methodology that each is worth carefully evaluating. An organization should identify its target attributes and services according to its current state parameters, but it shouldn’t overlook the ultimate goal of finding a provider that enables their clients to be more nimble. Security is very important, but so is a platform that enables software teams to deploy products to market quickly or that offers advanced data analytics so businesses can make more informed and innovative decisions.

Moving From Multi-Cloud Environments

With time and the right strategies in place, consolidating cloud operations to one provider is doable and valuable. To consolidate a cloud presence, organizations can use industry-standard strategies for evaluating migrated workloads. Below is a summarized example of AWS’s “6 R’s,” (5) a set of popular evaluation considerations used by organizations that are optimizing their cloud presence. According to the guidelines, organizations should consider:

  • Rehost: Also known as “lift and shift,” this is used when fast migration and scale are required to meet a business case, such as a data center lease termination. This is typically done with a third party cloud migration tool.
  • Replatform: This entails making only a few changes to the cloud in order to see results, without changing the core architecture of the application. AWS gives one example of this: using a database migration service to transition data into a cloud provider.
  • Repurchase: This is a decision to move to an entirely new solution. Services like AWS or Azure Marketplace curate a digital catalog where you can buy, deploy, and manage third-party software natively in the cloud.
  • Refactor: This process entails altering the way an application is architected and developed. It is typically done using cloud-native features.
  • Retain: This decision essentially entails “doing nothing, for now.” Sometimes workloads are not ready to be migrated; that said, as more workloads are migrated to the cloud, this decision may need to be revisited.
  • Retire: This involves decommissioning unneeded portions of the IT portfolio; identifying assets that are no longer useful and can be turned off or replaced with a cloud native service saves money and directs attention toward maintaining the resources more widely used.

(5) “Migrating to AWS”, Amazon Web Services, awsstatic.com

Workload Migration

Oftentimes, organizations migrate workloads through a phased approach; workloads to be migrated are selected using criteria such as cost, criticality, required downtime, or other parameters. Selecting the appropriate workload is often a careful balance between risk, cost, and urgency. Some organizations have a formal process for selection, but many do not and are subject to selecting workloads based on the prioritization, funding, and circumstances of their business at a given time.

According to respondents, cost and low security requirements are the top decision-making criteria when determining which workloads to move (Figure 15). With low security regulations being a top migration characteristic, this indicates that organizations will avoid workloads that require extensive security requirements to operate in the cloud, as this effectively lowers perceived risk of migration. While it is true that highly secure environments are more complex to migrate, when they are properly re-architected, the risk can be mitigated.

[Figure 15: decision criteria]

Beyond selecting the right workloads to move and when, it is even more important to properly optimize workloads for their new environment; otherwise, most of the value of cloud migration is lost. A disjointed, incomplete, and non-optimized migration process is costly and detrimental to fully benefiting from cloud service offerings. One large cause of ineffective migrations is a failure to re-architect workloads.

Instead, many organizations attempt to move directly from on-premise to the cloud without architecting the solution or retroactively piecing together services that are hosted on different platforms. This approach is detrimental to an efficient and technically sound deployment. It also results in an unnecessary cost hemorrhage and often hurts the security and sustainability of running workloads in the cloud.

According to survey data (Figure 16), most respondent organizations first opt to re-architect their solutions for security and event management and storage. The security adoption is particularly important to note, as SIEM is a large piece of compliance, and the perception that a company will not be able to perform this function in the cloud often prevents organizations from fully adopting public cloud-native technologies.

[Figure 16: cloud workloads]

Strategies and Considerations

Workload Transformation

To re-architect workloads, one of the first steps is to identify business criticality and value and to prioritize what is most important to the business. Then, organizations should map out workload dependencies, such as among databases, third-party services, and other in-house applications, and, if possible, decouple any of these to allow for easier and more modularized migration. Another step is to identify the technical debt of current workloads so as to gauge the impact of the current state and enable a plan for addressing it.

After these determinations, organizations should create an organized schema for transformation, including all target destination services in the cloud. The schema should include things like key management, parquet format/files, storage, and network configurations. For example, if currently using an on-premise storage solution, the goal could be to transfer this to S3. If using a local database, options on how to migrate this to Amazon’s Relational Database Service (RDS) should be explored.

Finally, to minimize risk while migrating the workload, a best practice is to architect the new environment while maintaining the old one. Then slowly route traffic to the new environment once it has been verified and hardened.
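The dependency-mapping and prioritization steps above can be sketched in code. The following is an added example, not part of the original report: the workload names, criticality scores, and the `plan_waves` helper are all hypothetical. It groups workloads into migration waves that respect dependencies, orders each wave by business criticality, and reports circular dependencies as the places where decoupling is needed before migration can proceed.

```python
"""Plan migration waves from a workload dependency map (added illustration)."""

# Constructed inventory, not data from the report:
# name -> (business criticality 1-5, list of dependencies)
WORKLOADS = {
    "customer-db":  (5, []),
    "auth-service": (5, ["customer-db"]),
    "billing-api":  (4, ["customer-db", "auth-service", "payment-gateway"]),
    "reporting":    (2, ["billing-api"]),
    "static-site":  (1, []),
    "inventory":    (3, ["pricing"]),
    "pricing":      (3, ["inventory"]),
    "storefront":   (4, ["pricing", "auth-service"]),
}


def _in_cycle(start, graph):
    """True if `start` can reach itself by following dependency edges."""
    stack, seen = list(graph[start]), set()
    while stack:
        node = stack.pop()
        if node == start:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, ()))
    return False


def plan_waves(workloads):
    """Layer workloads so each one migrates after everything it depends on."""
    pending, external = {}, {}
    for name, (_, deps) in workloads.items():
        # Dependencies inside the inventory constrain ordering.
        pending[name] = {d for d in deps if d in workloads}
        # Dependencies outside it (e.g. third-party services) are only reported.
        outside = sorted(d for d in deps if d not in workloads)
        if outside:
            external[name] = outside

    waves = []
    while pending:
        ready = [n for n, deps in pending.items() if not deps]
        if not ready:
            break  # everything left is in, or waiting on, a dependency cycle
        # Most business-critical first; name breaks ties deterministically.
        ready.sort(key=lambda n: (-workloads[n][0], n))
        waves.append(ready)
        for name in ready:
            del pending[name]
        for deps in pending.values():
            deps.difference_update(ready)

    # Cycle members must be decoupled; the rest are merely stuck behind them.
    decouple = sorted(n for n in pending if _in_cycle(n, pending))
    blocked = sorted(n for n in pending if n not in decouple)
    return {
        "waves": waves,
        "decouple": decouple,
        "blocked_behind_cycle": blocked,
        "external": external,
    }


if __name__ == "__main__":
    plan = plan_waves(WORKLOADS)
    for number, wave in enumerate(plan["waves"], start=1):
        print(f"wave {number}: {', '.join(wave)}")
    print("decouple first:", plan["decouple"])
    print("blocked until then:", plan["blocked_behind_cycle"])
    print("external dependencies:", plan["external"])
```
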

Assessing Workloads

To sustainably manage workloads and ensure that operations are modern and nimble, it is important to create a formal process around assessing workloads. Figure 17 shows that one fifth of respondent organizations currently do not have processes in place to assess which workloads should be migrated; this creates a large barrier to cloud adoption, as the beginning steps are unclear. Without the process of assessing workloads, cloud migration becomes an afterthought, which can, many times, result in a disjointed and inefficient architecture.

It is worth noting that mostly and fully migrated organizations tend to have scheduled assessments or subscribe to a service that recommends changes. Non-migrated companies are statistically more likely to not have any processes in place at all. This goes to show the criticality of establishing regular workload assessments; more modern companies are able to keep up-to-date with cutting edge technology as a direct result of these scheduled assessments.

[Figure 17: workload assessments]

Cloud Management

When organizations do not adopt cloud management best practices, they do not reap the benefits of cloud environments. This includes how organizations choose to manage their teams, environments, and workloads in a cloud environment.

Environment Management

A few key aspects of cloud environment management are whether they are managed in-house, if cloud teams are centralized, and how often the architecture is evaluated. As depicted in Figure 18, respondents tend to manage their cloud environments either in-house or a mix of in-house and outsourced (i.e., a shared responsibility model).

[Figure 18: cloud management]

The majority of respondents with in-house cloud teams (68%) reported having centralized cloud management. As seen in Figure 19, centralized organizations also tend to review their cloud architecture more often, which likely results in more efficiency among these companies as opposed to those that do not review their architecture as often.

[Figure 19: management structure by architecture review]

Strategies and Considerations

Best in Class Management

The way organizations structure and manage their cloud environment can have an impact on the degree of control and transparency they have. More diverse management structures (i.e., decentralized management) can increase cloud attack surface, as well as points of failure, which subsequently increases the chance of making mistakes that hurt security or efficiency. Cloud-native companies with in-house teams and a centralized structure tend to achieve more control over processes, although a clear governance approach can reduce issues that may arise from more widespread processes.

There are a few best practices organizations can follow to improve environment management. For example, best-in-class management includes automated infrastructure, as well as CI/CD. It also entails optimizing asset management by tracking assets, both physical and virtual, at all times to avoid unnecessary expenses. In addition, regular architecture reviews should be conducted to prioritize modernization efforts and ensure the current application architecture is indeed the most efficient and intuitive solution. At the end of the day, the “best-in-class” cloud presence largely depends on the organization’s unique business parameters and technology management current state, and the organization should consult with industry expertise to identify its own optimized conditions.

Infrastructure Management

Once infrastructure is deployed, it will need to continually be adjusted in an efficient, fast, and cost-effective manner to meet changing business needs. Many organizations do not account for these constantly evolving requirements, and, thus, changing infrastructure can involve significant downtime and possibly even outages. Poor infrastructure management can affect a company’s competitive standing, while optimized and automated infrastructure management allows an organization to continually respond to changing market needs and requirements in the cloud.

Optimized cloud does have an effect on software development life cycle challenges, which are an aspect of infrastructure management. Figure 20 shows common challenges organizations face when developing software. Organizations that are less migrated and reliant on more antiquated systems find several issues around making changes to software very challenging, including making changes to software quickly, gaining approvals to those changes, and manually copying code for deployment. Data indicates migration has a direct impact on the degree of challenges; on average, the higher the migration, the less challenging teams find these issues. Ultimately, the more migrated a company is, the easier they can make changes to products and the faster their potential time-to-market.

[Figure 20: software development challenges]

Strategies and Considerations

To optimize infrastructure management, an organization should consider implementing the following best practices:

  • Continuous Integration/Continuous Deployment: The goal of CI/CD is to establish a consistent and automated way to build, package, test, and deploy applications (6); CI/CD promotes better collaboration and software quality.
  • Infrastructure as Code (IaC): IaC is the management of infrastructure (including networks, virtual machines, load balancers, etc.) through code.
  • Scalability: Scalability refers to the ability to increase or decrease IT resources as needed to meet changing demand. All applications and databases should be scalable in order to respond to demand on the fly and cut costs at the same time.
  • Disaster Recovery: Disaster recovery in cloud computing entails storing critical data and applications somewhere in storage or in a pilot light environment, so this environment can be used as failover in case of disaster (7).
  • Security Information & Event Management (SIEM): SIEM solutions allow businesses to stay alert to potential attacks by collecting, storing, and analyzing security information.

(6) “How Infrastructure as Code (IaC) manages complex infrastructures”, Ian Buchanan, www.atlassian.com

(7) “AWS Disaster Recovery”, AWS, www.ecloudgate.com

Financial Management

Cloud cost management entails both migratory and operational costs, and there are challenges and best practices for managing both. Many respondents reported experiencing unexpected costs during their migration projects. These costs were due to things like server provisioning, extensive projects, and even loss of productivity because of delays. One of the most common issues is around talent management—many respondents reported needing unexpected training or additional hires to succeed in the migration. In all, the possibility of unforeseen migration costs can create resistance to migration initiatives, particularly from finance leadership.

Ongoing operational costs are affected by how a company manages its cloud infrastructure, and whether it has set up teams, processes, and systems according to best practices. They also depend on how budgets are managed and whether there is synchronization between finance and IT. Many organizations report integrated budget management (Figure 21), but some are still conducting segregated budgeting. Even with integrated cost management, it is still important that finance leadership understand the ways in which cloud operations affect the bottom line—this, in turn, affects the success of business decisions in relation to how technology is procured and leveraged.

[Figure 21: cost management]

Strategies and Considerations

Assessing Costs of Migration

In order to better predict the cost of migrating, organizations should consider the variables that increase the chances of delays and lengthened projects. For example, this report has shown that implementing hybrid models is more likely to cause mid-project complexities than implementing private or public models. In addition, factors like overstretched teams, compressed timelines, and lack of expertise are known to increase the chances of disruption down the line. Organizations should ensure that their migration plans have been properly mapped and they have chosen the best possible strategies their constraints allow.

Another important factor is to consider the in-house personnel and expertise that is truly needed to pull a successful migration off, as well as sustain the efficiency that the migration affords. Organizations should hire quality talent proactively rather than reactively. They should also consider outside services to streamline the migration if applicable, noting that the upfront cost of 3rd-party assistance will often reduce greater costs down the road.

Adopt a FinOps Approach

In order to successfully integrate financial operations with cloud management, organizations should adopt an approach called FinOps. Shorthand for cloud financial management, FinOps is a set of processes for managing operational spend in the cloud. Finops.org defines it as “the practice of bringing financial accountability to the variable spend model of cloud, enabling distributed teams to make business trade-offs between speed, cost, and quality.” Research shows that many organizations have adopted or are adopting FinOps (Figure 22).

[Figure 22: FinOps adoption]

While FinOps is described as a cultural movement, from a tactical standpoint, it involves aligning communication between teams that are traditionally siloed. This is so that decisions around cloud provisioning are considered and approved by all—and all parties benefit from the results. This could take the shape of setting alerts when spending in cloud management is too high or implementing centralized logging. One value of FinOps is that it encourages groups to think about their technology management in terms of business outcomes and how it drives revenue.

Security & The Cloud

Security is a top concern for many organizations. It often drives organizations’ hesitations to migrate to the cloud and similarly dictates which workloads are migrated. However, security’s impact on migration is often based on the misconception that the public cloud is not secure. Oftentimes, managing security and compliance in the public cloud is much simpler than doing so in-house. Public cloud providers have made substantial progress in expanding their government, healthcare, and privacy compliance features in the last few years. For example, platforms like AWS and Azure have security information and event management service offerings that streamline auditing and hardening processes. This misconception about public cloud causes organizations to miss out on the true value of adopting cloud technologies.

Security is an issue for organizations beyond cloud migration. In Figure 23, it can be seen that security is overwhelmingly the top IT challenge experienced by respondents, affecting close to 50% of respondents. Behind security follows “maintaining legacy systems;” then “cloud management,” “data management,” and “infrastructure management.” These all have their own unique security challenges as well and are tightly connected with each other.

[Figure 23: IT challenges]

Improving security can seem daunting to many companies, and the risk of doing it incorrectly can paralyze some teams from continuing migration or migrating certain workloads. But there are many tools, frameworks, and methodologies that make improving security doable and sustainable, many of which are offered with or strengthened by public cloud platforms. Many survey respondents are already using several security best practice methods even though they have not fully migrated, indicating that they may not know the full capabilities available with cloud solutions. A lack of knowledge shouldn’t hold companies back, for, with the right tools and the proper expertise, the migration process is streamlined and low risk.

Strategies and Considerations

Approaching Security in the Cloud

Although it is challenging to harden a cloud presence, when the infrastructure is implemented properly, the resulting security is very difficult to penetrate. When approaching the topic of security in the cloud, the following facets should be considered:

  • Identity & Access Management: This tool enables organizations to securely manage identities, resources, and permissions at scale so that unnecessary access, which could compromise data security, is not granted.
  • Logically isolated networks: Network segmentation provides improved security, better access control, and improved performance.
  • Data protection: Data protection services like encryption (both at rest and in transit), as well as key management, are crucial to managing workloads in the cloud.
  • Web application firewalls: These provide protection from third-party software bugs and can defend against application attacks.
  • Threat intelligence/continuous monitoring: Many platforms offer threat detection by continuously monitoring the network activity and account behavior within the cloud environment. Logging access to services and infrastructure changes should also be part of threat intelligence.

Each cloud platform has its own services that provide the above hardening measures. Learning best practices for each of these services is imperative to implementing these measures properly.

Security Management Methods & Controls

Most organizations report a security team, network restrictions, and regular audits as their primary methods for managing security (Figure 24). While network restrictions and regular audits are certainly part of maintaining best practices for security management, a security team, when separate from other IT teams, can actually be counterproductive to hardening processes. When a security team is relied upon for all hardening measures, this leaves room for other IT individuals without security expertise to make changes; this could result in exposing new vulnerabilities for the company. Security should be an integral part of each team rather than an afterthought or a dedicated domain for one team.

[Figure 24: security management]

When focusing on security controls, the following facets should be considered:

  • Network restrictions: Ensure proper firewall lockdowns are in place and that only devices that should be allowed to connect to your network are able to do so. Keep firmware updates current.
  • Security assessments: Perform regular security assessments to detect vulnerabilities and ensure compliance status.
  • Logging/alerts: Make sure there is a running log of all access and changes made to infrastructure. When appropriate, alerts should be configured to notify the organization of real-time vulnerabilities.
  • Encryption: Encryption at rest and in transit are both equally important to protect data stored in the cloud.
  • SIEM: Security information and event management offers the tools to collect, store, and analyze security information from across an organization. SIEM can be managed with cloud providers like AWS, third-party solutions such as Splunk, or a combination of the two.
  • Secrets Management: Organizations can use several different methods and tools in this process, all helping to manage digital authentication credentials (e.g., passwords, keys, APIs, and tokens) for use in sensitive parts of the IT ecosystem (8).
  • IAM: It is crucial to use the principle of least privilege to manage identity and access in order to ensure data integrity is not compromised by improper policy management.
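The least-privilege point in the IAM item can be checked mechanically. The following is an added example, not part of the original report: a small reviewer for AWS-style IAM policy documents that flags the statement shapes most likely to grant more than intended. The sample policy, the finding codes, and the `lint_policy` helper are constructed for illustration.

```python
"""Flag over-broad Allow statements in an AWS-style IAM policy (added illustration)."""
import json

# Constructed sample policy; the bucket name and Sids are made up.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminEverything", "Effect": "Allow",
     "Action": "*", "Resource": "*"},
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports",
                  "arn:aws:s3:::example-reports/*"]},
    {"Sid": "AllS3", "Effect": "Allow",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "AllButIam", "Effect": "Allow",
     "NotAction": "iam:*", "Resource": "*"},
    {"Sid": "DenyDelete", "Effect": "Deny",
     "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """Policy JSON allows a single value or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, code, detail) findings for Allow statements only."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{index}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        # Allow + NotAction/NotResource grants everything outside the list,
        # including actions and resources created in the future.
        if "NotAction" in stmt:
            findings.append((sid, "NOT_ACTION",
                             "allows every action except those listed"))
        if "NotResource" in stmt:
            findings.append((sid, "NOT_RESOURCE",
                             "applies to every resource except those listed"))
        for action in _as_list(stmt.get("Action")):
            lowered = action.lower()  # action names are case-insensitive
            if lowered == "*":
                findings.append((sid, "ACTION_ALL", "allows every action"))
            elif lowered.endswith(":*"):
                findings.append((sid, "ACTION_SERVICE_WILDCARD",
                                 f"allows every action in {action[:-2]}"))
            # Narrower patterns such as "s3:Get*" are left to human review.
        if "*" in _as_list(stmt.get("Resource")):
            # A review prompt, not always an error: some actions do not
            # support resource-level scoping and need Resource "*".
            findings.append((sid, "RESOURCE_ALL", "applies to every resource"))
    return findings


if __name__ == "__main__":
    for sid, code, detail in lint_policy(SAMPLE_POLICY):
        print(f"{sid}: {code} ({detail})")
```
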

(8) “Secrets Management”, BeyondTrust, www.beyondtrust.com

Security Policies

Security standards and frameworks for cloud are very complex and can be overwhelming to many organizations. The risk of managing them incorrectly can contribute to security-based concerns about migrating. However, this complexity can be handled with the right conversations and expertise.

First, it is important for an organization to identify the standards and frameworks that are most relevant to their company and sector. The most commonly adopted standards among respondents are HIPAA and ISO 22301. According to our research, companies tend to require a combination of two security standards and can be grouped into two types. A first set of companies tends to require HIPAA as their main security standard in combination with either FISMA, DFAR, or ISO/IEC 270XX. A second set of companies relies entirely on ISO 22301 in combination with ISO/IEC 270XX, FISMA, DFAR, or HIPAA.

Although popular, in many cases, HIPAA is not required outside of healthcare or healthcare-adjacent industries, while ISO 22301 is suitable for organizations in most industries. The table below offers a high-level overview of standards and frameworks and the industries they most often apply to, as well as some that are important to consider in every sector.

| Compliance | Respondent Adoption | Applicable Industry |
|---|---|---|
| ISO 22301 | 32% | Industry Agnostic |
| Privacy Shield | 24% | Industry Agnostic |
| ISO/IEC 270XX Series | 21% | Industry Agnostic |
| NIST | 21% | Industry Agnostic |
| SOX | 18% | Financial Services |
| COBIT | 18% | Industry Agnostic |
| GDPR | 17% | Industry Agnostic |
| Ten Steps of Cyber Security | 12% | Industry Agnostic |
| PCI DSS | 8% | Financial Services |
| None of these chosen | 8% | N/A |

Secondly, sometimes the confusion around security policy and compliance comes from a reluctance to have these conversations at all. However, delaying cloud migration for fear of security risk is somewhat like letting tech debt rise, in that it increases the security risks. As time goes on, requirements get more complicated, and cybersecurity crime becomes more sophisticated. Open and intentional discussions help to clear the vagueness around cloud security and open the door for proactive planning. External engagement is also important, as there are many cloud providers that offer pre-certified services, specifically for different industry and regulatory needs. Overall, organizations should take advantage of the specialized and effective security offerings of cloud technology to alleviate concerns and enable innovation.

The Migration Journey

Optimized cloud migration and management depends on sustainable change strategies and a modern approach to workload transformation. To get there, organizations must identify where they are and where they want to be. Sometimes, they are held back by a roadblock that can be overcome with the right resources. Other times, it requires a fundamental shift in perspective and culture around cloud transformation and ongoing management. In some cases, an organization has a sound migration strategy in place but may be interested in learning more ways to optimize and improve the value outcomes and operational efficiency.

This section includes a migration maturity assessment tool that provides a few next steps for companies.

Archetype 1: Just Starting Out

For organizations that have only migrated a few workloads, these challenges may sound familiar: “We don’t know the providers,” “We are concerned about security,” or “We don’t know which initiatives to begin with.”


  • Educating: The key areas to focus on when educating stakeholders are those topics that have a major impact on operational efficiency: environment, platforms, management, etc. However, while this report outlined the best practice approaches in each of these areas, a large part of educating is learning how these approaches fit in each individual organization. At a high level, pulling levers like implementing public cloud will improve operational efficiencies in IT, but there is no one-size-fits-all way to go about optimizing a cloud presence. Education entails learning the environment of the internal teams, culture, and processes before and in conjunction with introducing external strategies and tools.
  • Creating a Migration Plan: Even with the education and resources, many organizations don’t know where to start. The best first step is to build a migration plan, which should include the initiatives listed in Figure 25. These initiatives can be executed internally with the proper in-house expertise or with the help of a third-party service that can provide tested frameworks and support.

[Figure 25: migration plan initiatives]

Archetype 2: We Got Stuck

Organizations can get stuck for a variety of reasons. Some companies find that migration was more complex than they thought, or they run out of resources before they are through. Many times, this requires a step back before moving forward; organizations should pause and reevaluate their migration plans.


  • Re-assess the remaining workloads: As seen earlier in this report, sometimes organizations select workloads based on the least amount of time required to migrate or the workload with the lowest cost. However, if organizations postpone core, foundational workloads, they are only creating future issues for other, “easy” projects. Organizations can take stock of and assess remaining workloads with new criteria, paying attention to which workloads are essential for the long-term cloud technology strategy and architecture plan rather than for the short term.
  • Adjust the migration strategy/plan: As the data has shown, migrating to intentional hybrid cloud environments tends to result in more mid-migration complexities than other hosting environments. This is the time to consider situations like these and determine which issues in the migration strategy may not be optimal. With new information and lessons learned, organizations can rethink their migration strategies for different outcomes. In-process change is just an aspect of an iterative approach to technology management, and willingness to adjust course—rather than soldiering on with an ineffective plan—is a sign of a nimble organization.
  • Consider security: Sometimes, organizations halt migration plans because of unforeseen security issues. These generally occur when companies have not properly planned for security during the migration process but viewed it as something to adjust after workloads are in the cloud. When companies don’t prioritize security in choosing a provider and mapping out a migration plan, they are more likely to face problems and increase risk in security management down the line. Organizations should consider and optimize security as they go rather than simply moving processes and determining the implication later.
  • Implement and Automate: Some next best tactical steps are to execute on other key initiatives in a technology transformation process in order to optimize workloads as they are migrated and achieve the full value of a cloud presence. These are things like automating infrastructure (e.g., implementing, logging), implementing security and compliance standards (e.g., pre-audit), and automating software development pipelines.

Archetype 3: We Can’t Get Buy In

Internal resistance and low prioritization are issues for many organizations; Figure 26 shows that 47% of respondents report that migration is a low to mid priority. Fortunately, data also shows that priority increases the more migrated a company is. This indicates that, as they move workloads, the resulting benefits start to appear and help to ensure enthusiasm for continuing migration. But, for those in the messy middle, when implementation costs are high and the value isn’t obvious yet, they will still need to prove their case in order to get stalled or delayed initiatives going again.


  • Show ROI: One method for overcoming resistance to migration is building a business case showing the enterprise value. The information in the previous section is powerful evidence of the cost and efficiency impact that migration can have. Showing ROI is not only done with metrics on cost savings but also education and illumination—leadership must become familiar with the competitive advantage and the market agility that digital strategy brings.
  • Build Internal Support With a POC: Those who are driving a migration initiative should identify and join forces with champions that will fight for their cause. Change drivers can create a Proof of Concept (POC) to showcase to different individuals, working their way up to executive management. The POC can address a problem that the organization is experiencing, such as high cloud spend, no SDLC methodology, or a key process bottleneck point, and demonstrate how a migrated and optimized technology environment will alleviate the issues.

[Figure 26: migration priority]

Archetype 4: We’re doing Ok!

Finally, for those organizations just a few projects away from a cloud-native environment, the work is making sure the cloud migration, management, and process line up with true optimized cloud. This entails confirming that workloads have been re-architected and enabled for the cloud; that cloud software providers are being leveraged to their full potential; that infrastructure management is fully automated so as to enable an extremely efficient and competitive software development lifecycle; and that security is managed in accordance with the best provisions cloud can offer. It is also important to identify and track KPIs so as to catch any areas for improvement in the future and to implement consistent policy for reviewing architecture, reassessing workloads, and exploring other innovative technology tools and strategies.


Among the many steps and initiatives involved in digital transformation, cloud migration is perhaps the most widely discussed and embraced, as well as deceivingly straightforward. In reality, without a modern strategy and an optimized environment, organizations miss out on so many of the benefits of cloud and often increase their current issues and costs around technology management. This hit-and-miss contributes greatly to internal resistance to cloud migration and keeps companies in a stagnant state of transformation for years.

While many companies view the cloud as a stepping stone to modernization, optimized cloud migration and management depend on an intentional and nuanced approach, sustainable change strategies, and acknowledgement of the holistic value that a cloud presence brings. It is not a stepping stone but an entirely new path, and, with the right tools, methodologies, and mindset, it is a journey that innovative and competitive organizations should eagerly embrace.

About the Authors

Samantha Rafalowski | Cloud Consultant

Samantha is an AWS-certified cloud architect at Levvel, where she has worked with application development, cloud enablement, and architecture assessment efforts for a variety of clients. She has over five years of experience in technical strategy and delivery for clients ranging from startup to Fortune 500 companies. Samantha specializes in serverless machine intelligence and virtualized resources, and enjoys writing (technical and otherwise) in her free time. She has a B.S. in Computer Science and a B.A. in Spanish from the University of Virginia.

Chris Madison | Cloud Capability Lead

Chris Madison has over 20 years of experience in the design and development of software solutions. As an early adopter of Cloud technologies, Chris has unique insight into constructing elastic solutions across a variety of cloud computing platforms, including Amazon Web Services, Azure, and IBM Cloud. His prior experience as an application and integration architect with IBM Software Group and Watson organizations has developed a customer-centric, disciplined approach to developing strategic plans and application architectures. When not keeping abreast of the break neck changes in the cloud industry, Chris trains to run 50Ks.

CJ Coimbatore | CloudOps Capability Lead

Srinivas “CJ” Coimbatore has over two decades of experience in diverse disciplines such as sales, marketing, software development, architecture and delivery, and has worked with teams in all of the major geographies. He is an effective change agent and is very interested in collaborating with teams that are involved in transforming their process through DevOps. In his spare time, he follows Formula 1 racing teams, rides his motorcycle, and—along with his friends—helps raise money for children with health challenges and for the Pediatric Brain Tumor Foundation, Make-a-Wish Foundation, and Angels Among Us. He hopes to eventually spend more time teaching math and science to children.

Anna Barnett | Research Senior Manager

Anna Barnett is a Research Senior Manager for Levvel Research. She manages Levvel’s team of analysts and all research content delivery, and helps lead research development strategy for the firm’s many technology focus areas. Anna has extensive experience conducting and writing market research on a variety of business and technology areas.

Other Contributors

  • Darren Lasley
  • Benjamin Hunter
  • Belal Bayaa
  • Harinarayan Jayaraman
  • Daniel Ramirez

Meet our Experts

Anna Barnett, Research Senior Manager


Anna Barnett is a Research Senior Manager for Levvel Research. She manages Levvel's team of analysts and all research content delivery, and helps lead research development strategy for the firm's many technology focus areas. Anna joined Levvel through the acquisition of PayStream Advisors, and for the past several years has served as an expert in several facets of business process automation software. She also covers digital transformation trends and technology, including around DevOps strategy, design systems, application development, and cloud migration. Anna has extensive experience in research-based analytical writing and editing, as well as sales and marketing content creation.

