
Tag Archives: IT strategy

3 Analogies for Cloud/DevOps Transformation That Can Turn Your Resisters into Champions


By Pierre Moncassin and Peter Stokolosa 

Resistance to change can sideline any project. Customers who embark on the transformation journey towards VMware’s cloud platforms, increasingly often as a stepping stone towards DevOps, inevitably must confront the challenge of resistance to change, which manifests itself in many forms and behaviors.

Fostering a change in mindset towards transformation projects is key to a cloud/DevOps project's success. No matter how much technical expertise the stakeholders bring to the project, success remains elusive until they can be persuaded to adopt not only new tools but also new ways of working, thinking and participating in the advancement of the project.

We have found that introducing meaningful analogies to explain the character and necessity of change can help unlock motivational and behavioral changes in project teams.

Resistance to change usually boils down to two main factors:

  • fear of loss, because change involves departing from a known environment (often perceived as a comfort zone);
  • inability to form a clear vision of the future state and of the steps needed to arrive there, which engenders passive resistance and lack of motivation.

Well-crafted analogies can help tackle both factors. Analogies are grounded in known, familiar environments. They are reassuring because they build a cognitive bridge that starts from the known state while offering a path to the future.

Next, let us share three frequently used analogies that have proven to resonate well with our audiences when discussing cloud transformation.

Introducing a commercial electric power grid to replace local power generation (as an analogy for switching from physical IT to cloud).

The utility metaphor has been popular since the early days of the cloud. It was actually used well before the cloud era, first put forward by John McCarthy in 1961.

Early in the 20th century, the common approach to generating electricity was to own a private generator. Switching to the public utility model meant giving up ownership and control of that generator. It implied trusting a third party to provide electricity consistently and reliably, at a reasonable cost.

The shift meant a radical change of focus from production to consumption. Consumed resources became commoditized, pervasive and always available.

It is worth noting that electricity consumption is also associated with simple metering: the ability to monitor consumption, and therefore cost, in real time. This is a useful introduction to cloud costing models.

A retail shop versus a factory (as an analogy for the two teams in a cloud organization: one customer facing and one, infrastructure focused).

One of the tenets of the cloud organization, as recommended by VMware best practices, is to define two teams with complementary objectives.

The first team drives communication and the relationship with the business; we call this the Cloud Service Team. They work closely with business stakeholders and meet customer requirements with innovative solutions. They can be equated to the "retail shop" of the cloud organization: their main task is to provide compelling services (products) that are constantly adapted to customer demand.

The second team manages the overall infrastructure; we call this the Cloud Service Infrastructure Team. They can be equated to the "factory" of the cloud organization. Their objectives include standardization, efficiency and economies of scale, in order to deliver cloud services with the best quality/cost ratio.

As with every analogy, this one has its limitations. It understates the agility of the cloud infrastructure services. As this team progresses towards ever-higher levels of automation, its day-to-day activities come to resemble an engineering room (focused on design activities) more than a traditional production chain (repetitive tasks are automated away).

(Figure: Cloud Org Model)

From Farm to Fork. The modernization journey of agriculture (as an analogy for the evolution of IT roles from managing physical IT to operating a cloud).

(Note – this analogy will resonate best in countries with a strong rural tradition – think of France for example!).

Before the 1930s, the farm ecosystem was largely run by local family businesses, with small units and limited mechanization. Farm professions were based close to the place of production: farmer, miller, carter (and many others). The path from farm to consumers (farm to fork) was relatively short and traceable: consumers could generally assume that their food was produced locally. Because production per farm was limited, more families needed to farm for a livelihood.

Within a generation, farming methods changed as mechanization brought significant increases in productivity, and change to the métier of farming became inevitable. To respond to increasing customer demand, farmers standardized and consolidated to produce greater quantities while implementing increased control and norms (quality).

Increases in both automation and market demand led to sweeping changes in the farming "workplace". Many traditional jobs and activities became less relevant or obsolete (e.g. laborers with horses and carts). New, specialized jobs developed or became significantly more visible: traders, operations managers (for processing factories). In general, there was a shift from labor-intensive production to sales, marketing, distribution, quality control and standardized, automated production.

It is worth noting that the path from production to consumers became considerably longer. Consumers have very little awareness of where their food is grown (unless specific labeling shows this sourcing information). Although the system required to deliver the product became more complex, consuming the product became simpler.

Compare this to 'traditional' ways of running IT in technical silos. IT tends to be operated by silos of local expertise with numerous labor-intensive tasks. As a consequence of silos (fragmentation of work), there is little standardization, and the path from production to consumers tends to be short. IT tends to be "sourced locally," so consumers may be familiar with the hardware and cabling as well as with the administrators who operate the platform. We have all heard stories of business users walking over to the IT administrators to resolve their problems (rather than raising a ticket with a remote service desk!).

As cloud automation is introduced, these tasks and roles will evolve along similar trends:

  • Standardization of processes and architectures
  • Automation leveraged throughout
  • Increased consumer expectations (measurable, formalized service levels, control over costs, agility)
  • The path from production to consumers is significantly extended. In most instances cloud consumers are not aware of the location of their physical IT. There is a separation of accountabilities so that business lines do not usually communicate with systems operators – they would liaise via the service desk (for routine operations) and via the Cloud Service team (for more complex requests).

The technical transformation leads to new or transformed IT roles:

  • Focus shifts from production (hardware, infrastructure) to consumption (cloud services). The new cloud organization requires increased effort on “marketing” of cloud services and “distribution” (teams focus on finding ways of making the services consumable e.g. publishing them on self-service catalog portal).
  • There is growing demand for automation specialists who can translate the technical knowledge into workflows and scripts.
  • New roles emerge: such as Service Blueprint Manager, a specialist with skills to leverage automation in tools such as VMware’s vRealize Automation.
  • Traditional Computer Operations roles evolve, requiring more coding skills.
  • The mission of IT teams changes from “maintenance” to value creation.
  • Consumption is facilitated and simplified.

All in all, analogies are a powerful tool to help overcome resistance to change. One caveat though: do not over-use them, as they risk becoming oversimplified, losing their pertinence and distracting from the main issue of how an organization must adapt to address inevitable change.


  • Start from the point of view that resistance to change is predictably human and normal. It is part of the change process cycle and it is not a problem. It can turn into one, however, if it is not dealt with correctly.
  • Leverage analogies in order to bring a concrete dimension to abstract concepts such as cloud services; they can help to advance projects, but adapt your references with sensitivity to the audience's culture, maturity and environment.
  • Set a clear remit for using your analogies. Keep in mind that all analogies have intrinsic limitations. Although they are useful tools to walk across the cognitive bridge, they have a limited shelf-life when it comes to getting a given message across to a new audience, so their use should be focused.


Pierre Moncassin is an operations architect with the VMware Operations Transformation global practice and is based in Taiwan.

Peter Stokolosa is an operations architect with the VMware Operations Transformation Services and is based in France.

3 Steps to Create an Automation Roadmap

By Ahmed Al-Buheissi

Automation is at the heart of any cloud implementation. It provides fast provisioning, resource monitoring and self-healing, capacity adjustment, and automated billing. Automation also ensures consistency, prevents errors and frees up valuable staff time to work on more innovative projects.

But in order to embrace automation, the organization needs a roadmap. This roadmap needs to be based on an understanding of the current state of the organization in terms of technology, people and process. You must also examine where the organization wants to be in terms of automation and define the "to be" state. The roadmap creation process then determines what tools, skills and services are required to achieve the automation target, and schedules these improvements.

With a comprehensive roadmap, the organization can be well prepared for the journey in terms of time, budget and resources.

Three Steps to Create an Automation Roadmap

There are three recommended steps to take in order to create the Automation Roadmap:

  1. Assess Your Current State: Using industry best-practices, you need to start off by assessing the organization’s current state in terms of:
    1. Technology
      What technology is available and fully adopted, in areas such as virtualization, self-service, automation and orchestration? Even DevOps-related tools should be assessed.
    2. Process
      Are related process and policies documented and implemented? For example, Service Definition, Request Fulfilment and Release Management.
    3. People
      Specific skills and roles are necessary for running an automation-oriented infrastructure. Some of these roles include Service Architect and Infrastructure Developer, which need to be documented, formalized and assigned.
    4. Interactions
      Ensure that proper interaction procedures are in place, such as interactions between groups, to the business, and to service providers.
  2. Get Your Priorities Right: You need to identify potential processes for automation, in areas such as IaaS, PaaS, Proactive Operations and Capacity Monitoring. Once these opportunities are identified, they need to be evaluated and prioritized in terms of process, impact and readiness.
  3. Put it all on the Map: Now that we know where we are and what we need, we can put it all on a timeline chart. When creating the roadmap, some consideration needs to be given to the length of time the roadmap covers, as well as the time and order required for implementing tools and processes.

If you want to learn more about establishing your Automation Roadmap, please join my Quick Talk at VMworld in Las Vegas:

August 28th 2016 – 1pm
“Service Automation Roadmap: Approach and Samples”
Add session SDDC7876 via the VMworld Schedule Builder

Download a full agenda of VMworld breakout sessions that will help IT leaders build a strategy for the digital era.


Ahmed Al-Buheissi is a Senior Solutions Architect with the VMware Operations Transformation global practice and is based in Melbourne, Australia.

It’s All in the Context: Practical Advice for Using IT Benchmarking

By Ton van Tubergen

In my role as an Operations Transformation Architect, I have been involved in many large and small IT transformations, addressing people, process, technology, governance and organizational aspects and their dependencies.

For a responsible IT leader, managing uncertainty and risk is an important part of steering the organization through a transformation. So, IT leaders are often asked:

  1. How are we doing compared to others? (Slow/fast)
  2. Are we doing the right things? (Did we bet on the right horse?)
  3. Which step first? (We know we have a lot to do, but where do we start?)
  4. What are lessons learnt from others? (Give us best practices so we do not make the same mistakes.)

One source of answers and confidence is benchmark reports, which allow you to do a quick comparison with your own organisation. Reading benchmark reports is not always an easy job, and is often disappointing.

Getting the most out of benchmarking

There are many advantages to benchmarking:

  1. It can trigger and energize the improvement (transformation) of the organization and its services
  2. It provides new insights
  3. It provides early warnings about where an organisation is performing and where it is lagging behind
  4. It can motivate all stakeholders before and after a transformation (when good new scores are available)

But before you start reading benchmark reports, ask yourself the following questions:

  1. What does our organisation want to achieve? Do we have the same (business) objectives and priorities as our peers in the benchmark?  Do we want to be the same as our peers/competitors?
  2. Are we level hunting (chasing a score), or are we focusing on our own business success?
  3. Are the measurements comparable and are the scores relevant for what we want to achieve? What is the quality of the data?
  4. Is there an explanation for different scores?
  5. Are best practices described in such a way that we can re-use them?

The State of IT Transformation Report

With this framework in mind, let us now look at "The State of IT Transformation", a benchmark and analysis recently published by VMware and EMC, and talk about how your organization can effectively use this data to further its own goals.

Sample 1: Cloud Infrastructure – Hybrid Cloud Architecture

The report states that "most companies are not where they want to be in having a well-engineered hybrid cloud architecture," and the infographic shows us two groups: Overall (N=660, so pretty relevant for you!) and Top 20% performers.

So, you are probably not alone, but how can you accelerate, and, relatedly, what slowed you down? There could be a variety of answers (lack of capacity, expertise, sponsorship or acceptance; complexity too high), but even more interesting: what re-usable accelerators did the top performers use?

Sample 2 – Virtualization (%)

This infographic shows the level of virtualization in different categories. Progress is compared to two years ago (see the infographic in the full report).

What you can learn here is that many peers follow a shared pattern: first compute (most virtualized), then storage and application, network and desktop (less virtualized). That is interesting information, but to identify whether it applies to you, ask yourself:

  • What is our business-case for virtualization?
  • Based on that business-case, is it wise to virtualize everything (including legacy) to 100%?

Sample 3 – Operating Model

Here we find big gaps between what peers want and what they currently have.

In our experience, many organizations are struggling with this.  It can sometimes be difficult to answer the questions, “What should my end-state look like and how do I get there?”

What is important to remember is that you should not think about transformation as going from one static state to another, but develop your organization in an agile, never-ending change, responding to changes in business needs and technology opportunities during the journey.

Practical advice for leveraging benchmarks

The first step is to trace and understand the best practices in the benchmark, and why they worked well in these organizations. But that does not mean that all best practices are transportable. That’s like a heart-surgeon saying, “Every excellent beating heart can be transplanted to any patient”.

Even if best practices are available and credible (not a coincidence), they still need expert judgment to decide what to re-use and how to re-use it effectively.

What's in it for you? A lot, keeping in mind the advantages I discussed before, but you need to invest in understanding the background of the research and how it could apply to you. It can be extremely valuable to talk to those who participated, or to the experts, in a similar workshop.

It’s important to get outside help with this process.  Someone impartial with expertise in this area can advise you on what is working, what could be done better, what is coming up next and how they’ve seen other organisations overcome similar challenges to yours.  To leverage our experience, contact your local VMware representative to engage with VMware Advisory and Operations Transformation services (OTS).


Ton van Tubergen is a VMware Operations Transformation Architect and is based in the Netherlands. 

Surviving Change: 12 Organisation Transformation Principles to Help You Cope

By Craig Savage

In my role as an Operations Transformation Architect, I get the privilege of working with many different organisations in many different markets and geographies, and as our team is closely knit, we share a lot of knowledge and experience amongst ourselves and globally after each engagement we undertake. What follows are some of the key principles that we believe can and should be applied across all the large IT organisation transformation projects we see.

  1. Understand that transformation is EXPENSIVE – in terms of time, money and emotional energy.
    1. Time – any cultural change will take time, traditions need to be re-made, new balance created (many times) and new roles will take time to settle.
    2. Money – your people will need to gain new skills and competencies; you will also need to reflect on your compensation model.
    3. Emotional energy – some people thrive on change, others find it very hard work, so being aware of how the process is affecting your people and making sure everyone stays engaged is crucial.
  2. Realize that every transformation journey is different – there is no "one size fits all", as every company has a different culture and a different diversity in its people, as well as a uniquely evolved process framework to take into account. That said, there are a lot of common elements that, if treated like architectural building blocks, can be re-used.
  3. Culture change must be a primary priority and must be led top down. Realistically assess your current culture before beginning – decide what to keep, what needs to be transformed and what will have to be scrapped. Get outside help!
  4. There is a great deal of value in structuring the programme effectively – it really needs to be about constant, small and iterative changes that drive towards a larger goal. One huge project with fixed milestones generally runs into issues, whereas a programme with a clearly defined end state, with multiple smaller, short projects or a more Agile-esque sprint structure, will deliver earlier realised outcomes at lower cost.
  5. You will need to change the way you recognise and reward your people – people management and the skills of acquiring and retaining the right people will become increasingly valuable. Keep the management structure focused on performance, development and reward management; managers should be mentors and coaches. Doing this allows people to hold different roles in different teams without the artificial tribal boundaries that tend to arise in the older models.
  6. Be transparent about the changes taking place – people will be uncertain anyway, and we have seen countless times how destructive rumours can be, whereas every time we have seen openness and clear communication we have seen a far easier transformation journey. Be mindful that local laws, unions, etc. can often inhibit this, so sometimes you will need to be creative in order to keep your people informed and engaged without exposing your company to additional risk.
  7. You will likely need to increase headcount while you transform, unless your current team is grossly under-utilised or your current process model is very inefficient. Get help understanding when and how to flex your teams.
  8. Encourage innovation, value it highly and find ways to make it valuable to yourself and your teams. Encourage people to hold multiple roles, increasing the skills and capability diversity and capacity across your team.
  9. Identify and work with your resistance fighters – they may have a valid concern and they definitely have passion, find a way to make them part of the change.
  10. This may sound terribly obvious – keep your current environment running! Alienating your business by delivering bad (or worse) service now will not help.
  11. Understand that you are no longer the sole provider of IT for your organisation; no matter how much it may seem to be true, your business will already be taking some IT services from other providers. Work towards becoming the broker of these services and being your organisation's preferred IT provider.
  12. Technology can only effectively transform an operation when the people that operate it and the processes that they carry out are able to take full advantage of that technology. In our experience, implementing technology and expecting the people and process change to take place organically fails almost every time.

With your people heading in the direction of the new and clearly defined way of working, and your processes being re-written and optimised to deliver on that new vision, your organisation will have started off well.

It’s important to get outside help with this process.  This major change requires someone impartial with the skills and experience to advise you on what is working, what could be done better, what is coming up next and to give you ways they’ve seen other organisations overcome those new challenges.  To leverage our experience, contact your local VMware representative to engage with VMware Advisory and Operations Transformation services.


Craig Savage is a VMware Operations Transformation Architect and is based in the UK. You can follow @craig_savage on Twitter.

EMC, VMware Release ‘State of IT Transformation’ Report

The ‘State of IT Transformation’ report takes a look at more than 660 EMC and VMware enterprise customers across 18 industries, and identifies gaps, progress and goals in their current IT Transformation initiatives.

By focusing on data provided by CIOs and their direct reports who participated in a transformation workshop led by EMC or VMware, this analysis provides deep insight into the biggest goals and challenges for organizations who are actually in the midst of an IT transformation.

The full State of IT Transformation Report (PDF) can be downloaded here.

Where do Organizations Want to Improve Most in 2016?

Cloud Infrastructure

While more than 90% of organizations are only in the early stages of evaluating a well-engineered hybrid cloud architecture, and 91% of organizations have no organized, consistent means of evaluating workloads for hybrid cloud, 70% want to standardize on a hybrid cloud architecture across the organization within the next two years.

Operating Model

Running IT like a customer-focused business is a high priority for IT organizations, but 88% of companies have not begun, or are only in the preliminary stages of, developing skills in business-facing service definition, and only 24% have a well-developed service catalog in place.

Organizations recognize that collaboration is key to meeting customer expectations, with 95% of organizations stating that having no silos and working together to deliver business-focused services at the lowest cost is critical. However, less than 4% of organizations reported that they currently operate like this.

Agility is also critical to success.  For over half of the participants it currently takes between a week and a month to provision infrastructure resources.  The goal this year for 77% of participants is to be able to do this in less than a day, or dynamically when needed.


Accelerating application development is a high priority for CIOs this year. 68% of the organizations surveyed take 6-12 months to complete a new development cycle. This is likely due to the fact that 82% of the companies currently don't have a scalable, infrastructure-independent application delivery framework on which to rapidly and consistently build mobile-friendly, cloud-native apps.

How does your organization stack up?

Are you curious about how the results changed by industry, or by geography?  Read the full State of IT Transformation Report to see how your organization compares to your peers.

If you need assistance identifying the gaps in your own organization, and developing a comprehensive strategy and roadmap for moving forward, contact your VMware Advisory Services strategist or your local VMware representative today.

Building a Holistic IT Strategy Using a Top-Down, Bottom-Up and Middle-Out Approach

Part 2 of the “Cloud Capable – Now What?” Series

By Dion Shing

The modern business environment is fast, fluid, complex and ambiguous. Businesses in all markets are embattled and face challenges and threats both internally and externally.

In order to adapt, survive and thrive, business strategies should be fluid, adaptable and innovative. From an implementation perspective, strategy should be well communicated to all levels of the organization.

Challenges in IT Strategy Definition

For many organizations, IT strategy definition occurs infrequently and is based on protecting current position and revenue streams, without taking into account feedback from the middle and front-line tiers of the business. Furthermore, that strategy is not clearly communicated to the business, or even within the IT organization.

This broken process for strategy definition results in tactics and plans that are often watered down, inadequate and not geared towards leveraging the unique strengths of the company. For example, a company may say that its strategy is to "improve operating efficiency and provide excellent customer service." This strategy only brings its IT department up to par with everyone else; it does not provide any competitive advantage.

To find unique and creative competitive advantages, many enterprises adopt an inclusive approach to strategy and develop frameworks such as Top-Down, Bottom-Up and Middle-Out. This approach recognizes that IT is not only a support function that underpins business processes, but a source of competitive advantage that can provide innovative services that will help drive the strategy and success of the company as a whole.

Top-Down, Bottom-Up and Middle-Out

On their own, Top-Down, Bottom-Up and Middle-Out strategies are only partially effective. What is required for effective strategy selection and for the development of rationalized strategies is coordination between all three approaches.


Top-Down

The strategy is established by senior management and filters down the ranks. Often implementation is not well supported and results are lacking.


Bottom-Up

Strategies developed here focus on specific improvement initiatives and address specific needs; they are typically managed by a single group and manager, and are effective.

The downside is that the improvement may occur only in a single area, may not be institutionalized and can lead to complexity and inconsistency. Shadow IT and unsanctioned IT services can occur.


Middle-Out

Middle management is where the strategies that enable competitive advantages can be championed and communicated. The effective Bottom-Up strategies developed at the front line can be supported, nurtured, advocated for and developed by finding sponsors at the executive level, elevating bottom-up strategies to top-down strategies. Middle management is also effective at translating Top-Down strategies from high-level language into operational activities to be executed at the front line.

Combined, these represent a force for developing action out of strategy that ultimately drives innovation and finds the elusive competitive advantages.


Dion Shing is an Operations Architect based in Dubai.

5 Steps to Build a Security Strategy for the Digital Enterprise

From team bonding to micro-segmentation: a 5-step journey to develop a proactive security mindset in your cloud organization.

By Pierre Moncassin

Only a few years ago, security was at best an afterthought for some cloud teams. Everyone in the team thought that security was someone else's problem. For some less fortunate organizations, this mindset did not change until a major security breach occurred, with resulting financial losses and reputational damage, not to mention job cuts. By that point security did become everyone's problem, but that realization happened far too late.

To avoid this sort of scenario, let me share what I see as some key steps to develop a security mindset right at the core of your cloud organization.

First, why is security in the cloud specifically challenging?

IT security risks existed well before the cloud era. However, cloud technologies have brought a new dimension to the risk. Reasons include:

  • Due to the unprecedented ease and speed of provisioning infrastructure, a new population of business users is able to provision their own cloud infrastructure. They may not all be fully aware of the corporate IT security guidelines (or may not feel bound to follow them strictly).
  • Fast provisioning in the cloud has often led to a proliferation of "temporary" workloads, many of which are not rigorously controlled.
  • Data in the cloud can be stored anywhere. Users are usually not aware of where their data is located physically, or have no control over that location. Therefore protecting confidential data becomes an additional challenge. Some countries' legislation, for example, mandates that confidential data on their nationals must remain within designated geographies.

Step 1: Build a broad awareness and knowledge base.

All cloud team members need to understand the basics of security for their cloud platform. That includes not only the enterprise security policy, but also a broad awareness of relevant laws (e.g. data protection) and compliance requirements (e.g. PCI, Sarbanes-Oxley). It also helps to build some basic awareness of common security breaches. In order to incentivise this learning, consider including security training in personal objectives (also known as 'MBOs'); include security awareness in new-hire onboarding and individual training plans.

Step 2: Break down technical silos

As I explained in my recent blogs, technical silos arise quite naturally as specialists organize themselves along lines of expertise (networks and servers, operating systems and hardware). However, entrenched silos can easily cause gaps in security coverage, because attackers are experts at finding the fault lines between silos: the small gaps that nobody owns, from which an intrusion can be launched. They will look for the ‘weakest link’ wherever it may be found (e.g. a password that is too simple, an unpatched operating system, lax email security, a defective firewall; the list of risks is long).

Instead of relying on a silo mentality, the team needs to consider security end-to-end and assume that a breach can occur at any layer of the infrastructure. Just as cloud services need to be designed end-to-end across silos, teams need to work together to manage security risks.

Step 3: Involve the business stakeholders

Setting up a cloud organization along VMware’s model involves building close working relationships with business stakeholders. Specific roles within VMware’s cloud organization model (e.g. Service Owner, Customer Relationship Manager) exist to liaise with the business, and security is a key part of this cooperation. Some key aspects are:

  • Establish responsibilities clearly (e.g. who patches the workloads? who checks compliance?);
  • Document the responsibilities and expectations, e.g. within the service level agreements;
  • Ensure regular communication about security between business users and the cloud team (e.g. are there security-critical applications? Confidential data? What level of confidentiality?).

Step 4: Automate day-to-day security & compliance checks.

As part of operating a VMware cloud, the team will most likely be using tools such as VMware vRealize Automation and vRealize Operations Manager. These tools can be configured to support some of your security and compliance procedures, adding much-needed automation to routine, day-to-day activities that otherwise consume effort and attention. Here are some examples of steps your team can take to leverage these tools for security and compliance.

  • Ensure that provisioning blueprints are kept up to date with the latest security policy (e.g. patch levels), so that every newly provisioned workload starts out compliant.
  • Configure vRealize Operations Manager dashboards to display an aggregate view of compliance risk across your virtual infrastructure. vRealize Operations Manager can be extended with management packs and third-party integrations that broaden its analytics across a variety of sources, including VMware vCloud Air, VMware NSX, Amazon AWS and NetApp storage (for further details see: http://www.vmware.com/files/pdf/vrealize/vmware-vrealize-operations-management-packs-wp-en.pdf).
  • Leverage vRealize Operations Manager’s ability to automate and report on compliance checks (the technical capabilities are described in more detail in this VMware blog: https://blogs.vmware.com/management/2015/03/compliance-in-vrealize-operations-6.html).
  • Leverage the potential of automated integration with your support desk. Once detected, a compliance or risk issue must be acted upon; such events can automatically trigger the creation of an incident ticket. I have outlined the potential of such integrations in an earlier blog: https://blogs.vmware.com/cloudops/2015/09/cloud-itsm-integration.html
  • From an organizational point of view, the goal is to automate as much of the routine compliance checking and security monitoring as possible, so that the team can focus on the ‘big picture’ and work proactively to identify emerging security threats.
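To make the check-aggregate-ticket loop concrete, here is an added example (not code from this post, and not the vRealize Automation or vRealize Operations Manager APIs): a small Python compliance run over a constructed workload inventory. The policy baseline (minimum patch levels, required tags, maximum age of a “temporary” workload), the inventory and the ticket payload format are all assumptions made for the illustration. It shows the three pieces the steps above call for: a per-workload check against the current policy, an aggregate view suitable for a dashboard, and one ticket per non-compliant workload.

```python
"""Routine compliance checks over a workload inventory, with each failure
turned into a ticket payload.

Added illustration for this post: the inventory, the policy baseline and
the ticket format are constructed, and the functions are not the vRealize
Automation or vRealize Operations Manager APIs; they show the shape of the
check-aggregate-ticket loop the text describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed baseline standing in for "the latest security policy".
POLICY = {
    "min_patch_level": {"rhel7": "7.9", "win2016": "14393.4169"},
    "required_tags": {"owner", "data_classification"},
    "max_temporary_age_days": 14,
}


@dataclass
class Workload:
    name: str
    os: str
    patch_level: str
    tags: Dict[str, str] = field(default_factory=dict)
    temporary: bool = False
    age_days: int = 0


def _version(v: str) -> Tuple[int, ...]:
    """Compare dotted version strings numerically, not lexically ("7.10" > "7.9")."""
    return tuple(int(p) for p in v.split("."))


def check_workload(w: Workload, policy: dict = POLICY) -> List[str]:
    """Return the list of policy violations for one workload (empty = compliant)."""
    findings = []
    baseline = policy["min_patch_level"].get(w.os)
    if baseline is None:
        # An OS with no baseline is itself a finding: it is outside the supported platforms.
        findings.append(f"no patch baseline for OS {w.os!r}; unsupported platform")
    elif _version(w.patch_level) < _version(baseline):
        findings.append(f"patch level {w.patch_level} below baseline {baseline}")
    missing = sorted(policy["required_tags"] - w.tags.keys())
    if missing:
        findings.append("missing tags: " + ", ".join(missing))
    limit = policy["max_temporary_age_days"]
    if w.temporary and w.age_days > limit:
        findings.append(f"temporary workload is {w.age_days} days old (limit {limit})")
    return findings


def run_compliance(inventory: List[Workload]) -> dict:
    """Evaluate every workload and return findings plus an aggregate dashboard view."""
    findings = {w.name: check_workload(w) for w in inventory}
    non_compliant = sorted(n for n, f in findings.items() if f)
    compliant = len(inventory) - len(non_compliant)
    pct = 100.0 * compliant / len(inventory) if inventory else 100.0
    return {"findings": findings, "non_compliant": non_compliant, "compliance_pct": pct}


def ticket_for(name: str, findings: List[str]) -> dict:
    """Build the incident ticket payload for one non-compliant workload."""
    # Missing patches (or an unsupported platform) outrank tagging and housekeeping issues.
    high = any(f.startswith(("patch level", "no patch baseline")) for f in findings)
    return {
        "title": f"Compliance: {name} ({len(findings)} finding(s))",
        "severity": "high" if high else "medium",
        "configuration_item": name,
        "description": "\n".join(f"- {f}" for f in findings),
    }


def tickets(report: dict) -> List[dict]:
    """One ticket per non-compliant workload, never one per finding (avoids ticket floods)."""
    return [ticket_for(n, report["findings"][n]) for n in report["non_compliant"]]


# Constructed inventory, in the shape a parsed inventory export might take.
SAMPLE_INVENTORY = [
    Workload("web-01", "rhel7", "7.9", {"owner": "shop-team", "data_classification": "internal"}),
    Workload("db-01", "rhel7", "7.6", {"owner": "shop-team"}),
    Workload("test-tmp-07", "win2016", "14393.4169",
             {"owner": "qa", "data_classification": "test"}, temporary=True, age_days=30),
    Workload("legacy-03", "win2008", "6.1", {}),
]

if __name__ == "__main__":
    report = run_compliance(SAMPLE_INVENTORY)
    print(f"compliance: {report['compliance_pct']:.0f}% "
          f"({len(report['non_compliant'])} non-compliant)")
    for t in tickets(report):
        print(t["severity"].upper(), t["title"])
```

On the sample inventory, three of the four workloads fail: db-01 is behind on patches and untagged, test-tmp-07 has outlived the allowance for temporary workloads, and legacy-03 runs a platform with no baseline at all. Two design points carry over to the real tooling: version strings must be compared numerically (a string comparison would rank 7.10 below 7.9), and findings should be rolled up into one ticket per configuration item so that a policy change does not flood the support desk.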

Step 5: Shift paradigm on network security with micro segmentation.

While the expression “paradigm shift” has been much overused, it still fits perfectly to describe the evolution from traditional network security to micro-segmentation.

The traditional approach to securing a private cloud’s network is to set up strong security (firewalls) at the perimeter. This is the fortress model of security: highly protected boundaries (the perimeter) and a gate to control traffic at the entrance.

The downside is that all “fortresses” share a weakness by construction. To understand why, consider the typical stages of a data breach:

  • Intrusion: the attacker finds a breach in the perimeter.
  • Lateral movement: the intrusion is expanded, for example by compromising neighbouring workloads or applications.
  • Exfiltration: potentially sensitive data is copied out of the compromised systems.
  • Cleanup: the intruder attempts to remove traces of the intrusion (deleting log files, etc.).

Security Data Breach

When an intruder manages to pass through the security gate, moving from room to room within the fortress becomes relatively easy. In IT terms, once a network’s perimeter is breached and a first workload is compromised, the intruder can often move “laterally” to compromise other workloads with little or no challenge, then locate potentially sensitive data to retrieve (‘exfiltrate’). There may be other lines of defense within the fortress (the traditional network), but these tend to be static, and once one is broken the same problem of lateral mobility recurs.

Micro-segmentation allows fine-grained network security that not only helps prevent the initial intrusion but also impedes the later stages: lateral movement, exfiltration and cleanup. The reason is that each ‘room’ (workload) can be isolated from the others. Compare this model to the layout of a submarine, where each section of the ship is partitioned by watertight doors: each compartment (micro-segment) can contain an intrusion. The would-be intruder is just as challenged to move from one compartment to the next as to get past the entrance door in the first place.

However, micro-segmentation means more than fine-grained network isolation. It offers the possibility of tailoring security policies down to the workload level, which raises control over cloud security to a new level.

For example, network security rules can be associated with logical objects such as a workload. When the workload is moved from one network location to another, its security rules are maintained: they ‘follow’ the workload rather than being attached to a fixed network address.
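The two properties just described (a rule that blocks lateral movement inside the perimeter, and a rule that follows the workload when its address changes) can be shown with a toy policy evaluator. The following is an added example, not code from this post and not the NSX policy language or API. The inventory, the tags, the rule set and the address-based ACL it is compared against are all constructed for the illustration; the rule semantics (first match wins, implicit deny, an optional “same application” constraint on a shared app: tag) are assumptions chosen to mirror the compartment analogy above.

```python
"""Tag-based micro-segmentation versus address-based rules.

Added illustration for this post: a constructed inventory and a toy
policy evaluator. It is not the NSX policy language or API; it only shows
the two properties the text describes, namely that a rule bound to a
workload's tags blocks lateral movement inside the perimeter and still
applies after the workload moves to a new address.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: FrozenSet[str]          # e.g. {"web", "app:shop"}


@dataclass(frozen=True)
class Rule:
    src_tag: str                  # "any" matches everything; "external" matches unknown addresses
    dst_tag: str
    port: Optional[int]           # None = any port
    action: str                   # "allow" or "deny"
    same_app: bool = False        # also require a shared "app:" tag on both ends


# Constructed inventory: three workloads across two applications.
INVENTORY: Dict[str, Workload] = {
    "web-01": Workload("web-01", "10.0.1.5", frozenset({"web", "app:shop"})),
    "db-01":  Workload("db-01",  "10.0.2.9", frozenset({"db", "app:shop"})),
    "hr-db":  Workload("hr-db",  "10.0.3.4", frozenset({"db", "app:hr"})),
}

# Micro-segmentation policy: first match wins, implicit deny at the end.
MICROSEG_RULES = [
    Rule("external", "web", 443, "allow"),
    Rule("web", "db", 3306, "allow", same_app=True),
    Rule("any", "any", None, "deny"),
]

# The traditional equivalent: an allow list keyed to fixed addresses.
ADDRESS_ACL: Set[Tuple[str, str, int]] = {("10.0.1.5", "10.0.2.9", 3306)}


def tags_of(ip: str, inventory: Dict[str, Workload]) -> FrozenSet[str]:
    """Resolve an address to the tags of the workload that currently holds it."""
    for w in inventory.values():
        if w.ip == ip:
            return w.tags
    return frozenset({"external"})


def _app_tags(tags: FrozenSet[str]) -> Set[str]:
    return {t for t in tags if t.startswith("app:")}


def microseg_allows(src_ip: str, dst_ip: str, port: int,
                    inventory: Dict[str, Workload] = INVENTORY,
                    rules=MICROSEG_RULES) -> bool:
    """Evaluate a flow against tag-based rules; the addresses only identify workloads."""
    src_tags, dst_tags = tags_of(src_ip, inventory), tags_of(dst_ip, inventory)
    for r in rules:
        if r.src_tag != "any" and r.src_tag not in src_tags:
            continue
        if r.dst_tag != "any" and r.dst_tag not in dst_tags:
            continue
        if r.port is not None and r.port != port:
            continue
        if r.same_app and not (_app_tags(src_tags) & _app_tags(dst_tags)):
            continue
        return r.action == "allow"
    return False  # nothing matched: implicit deny


def acl_allows(src_ip: str, dst_ip: str, port: int, acl=ADDRESS_ACL) -> bool:
    """Address-based rule: the permission is bound to the IP, not to the workload."""
    return (src_ip, dst_ip, port) in acl


def move_workload(inventory: Dict[str, Workload], name: str, new_ip: str) -> Dict[str, Workload]:
    """Return a copy of the inventory with one workload re-addressed; its tags are untouched."""
    moved = dict(inventory)
    moved[name] = replace(inventory[name], ip=new_ip)
    return moved


def demo() -> Dict[str, bool]:
    moved = move_workload(INVENTORY, "web-01", "10.0.2.77")
    return {
        "web -> db mysql": microseg_allows("10.0.1.5", "10.0.2.9", 3306),
        "web -> db ssh (lateral move)": microseg_allows("10.0.1.5", "10.0.2.9", 22),
        "web -> hr-db mysql (other app)": microseg_allows("10.0.1.5", "10.0.3.4", 3306),
        "internet -> db mysql": microseg_allows("203.0.113.7", "10.0.2.9", 3306),
        "after move, tag rule still allows": microseg_allows("10.0.2.77", "10.0.2.9", 3306, moved),
        "after move, address ACL now denies": acl_allows("10.0.2.77", "10.0.2.9", 3306),
        "after move, stale ACL entry still allows old address": acl_allows("10.0.1.5", "10.0.2.9", 3306),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:55} {'ALLOW' if allowed else 'DENY'}")
```

Under the tag-based policy a compromised web-01 can still reach its own database on the one port the application needs, but not over SSH, not the HR database of another application, and the database is unreachable from outside altogether; each of these is a step of the breach sequence above being blocked inside the perimeter. After web-01 is re-addressed, the tag rule still allows the legitimate flow, whereas the address-based ACL now blocks it and, worse, keeps granting the old address, which the next workload to receive 10.0.1.5 would silently inherit.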

Security Rules

Leveraging that potential requires a new mindset: shifting from a static security model to a dynamic, fine-grained one. It also requires the cloud team to develop new skills. For example, as routine configuration work is replaced by automation, traditional network skills need to be complemented with design and programming skills.

Key takeaways:

  • Think of security as, by its very nature, teamwork. Encourage your team to coordinate security across silos: users, cloud engineers, security teams.
  • Leverage your automation tools, such as VMware vRealize Automation and vRealize Operations Manager; they will help automate some of your security and compliance procedures.
  • Transform your team’s perspective on network security by leveraging micro-segmentation, moving from the traditional ‘fortress’ security model to a dynamic, fine-grained approach.

Pierre Moncassin is an operations architect with the VMware Operations Transformation global practice and is based in the UK.