Episode 35
Securely Migrating to the Cloud -- Insights from the American Cancer Society Experience
As more organizations embrace cloud-based services, securely migrating to the cloud is becoming an important capability. Keith Weller, former Vice President, Enterprise Technology Services, American Cancer Society (ACS), spearheaded a highly successful migration initiative where they transitioned a 5000-square-foot donation processing on-premise data center to the cloud. Keith and his team completed the implementation on time (in eight weeks), under budget, and helped the organization realize savings of $18 million in real estate and $2 million in technology costs (projected over three years). In this podcast, Keith shares some highlights of this cloud migration best practice.
Time Stamps
00:49 -- Keith, share some highlights of your professional journey.
03:27 -- Provide the listeners with a context for what led the American Cancer Society to consider moving to the cloud.
07:56 -- Based on a discussion that we were having to plan this podcast, you mentioned that you will have to get it done in about three months. Is that correct?
11:03 -- Is there anything else that you would like to share, by way of highlights, when you all were planning the migration and then implementing it?
15:52 -- Talking about the security aspect of the migration, you mentioned following the NIST cybersecurity framework, and complying with the PCI DSS requirements. During our planning meeting, you shared some of the accomplishments under the categories of identify, protect, detect, respond, and recover. Would you like to provide listeners with certain specifics, like what they should be mindful of when they have to undertake such an initiative?
18:04 -- You mentioned the migration vendor. I'm sure listeners might be curious to know how to identify such a vendor. And what factors go into the selection process? And how valuable did you find their service?
20:59 -- For this particular migration initiative, you all decided to go with Microsoft Azure. I assume that is because American Cancer Society was heavily invested in the Microsoft platform, and it made logical sense to stay with the same ecosystem to reduce application dependency-related challenges. Is that what your advice will be for organizations looking to identify a suitable cloud service provider? How should they go about the cloud vendor selection process?
23:15 -- Keith, what is your thought on the challenges that I gleaned from the State of the Cloud report? Do you agree with them?
28:25 -- I think that maybe the SLAs should be written up in a manner and a fashion whereby there should be more joint responsibility and joint accountability. The service provider and client should work as a team to ensure the data is safe, and secure, and there's a constant review to ensure the security level and posture are being maintained. What are your thoughts?
31:57 -- Anything in particular that you want to touch upon in the context of the phased migration effort?
37:47 -- So Keith, I'd like to give you the opportunity to say a few final words before we close our discussion for today.
Memorable Keith Weller Quotes/Statements
"Being in the cloud actually makes it a lot easier to govern your security, have better visibility of your assets, and make quicker security improvements."
"If you're trying to do very challenging, time-constrained work, having everyone engaged and bought into the process is very important. And having a clear vision and goals is also important."
"It would be nice if the three big cloud providers were more engaged as a team, securing data and helping make sure that they partner with their customers to ensure that's done right."
"And it's not just infrastructure people, it's not just security people, but it's also important for Development and QA to understand those core principles of security."
"Every dollar that's spent on operational costs is a dollar taken away from cancer research or services."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Introducer:the book Cybersecurity Readiness: A Holistic and
Introducer:High-Performance Approach, a SAGE publication. He has been
Introducer:studying cybersecurity for over a decade, authored and edited
Introducer:scholarly papers, delivered talks, conducted webinars and
Introducer:workshops, consulted with companies and served on a
Introducer:cybersecurity SWAT team with Chief Information Security
Introducer:officers. Dr. Chatterjee is Associate Professor of
Introducer:Management Information Systems at the Terry College of
Introducer:Business, The University of Georgia. As a Duke University
Introducer:Visiting Scholar Dr. Chatterjee has taught in the Master of
Introducer:Engineering in Cybersecurity program at the Pratt School of
Introducer:Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Our discussion today will revolve around
Dr. Dave Chatterjee:securely migrating to the cloud. Our guest speaker Keith Weller
Dr. Dave Chatterjee:is the Chief Information Security Officer at
Dr. Dave Chatterjee:International Market Centers. He has had some great experience
Dr. Dave Chatterjee:leading American Cancer Society's (his previous
Dr. Dave Chatterjee:employer), cloud migration initiatives. I've had the
Dr. Dave Chatterjee:pleasure of knowing Keith for a while, he's been a guest speaker
Dr. Dave Chatterjee:in my professional MBA class, he talked about this cloud
Dr. Dave Chatterjee:migration initiative in my class, and I felt that this was
Dr. Dave Chatterjee:a best practice that could benefit the wider professional
Dr. Dave Chatterjee:community. So I'm delighted that Keith is going to be spending
Dr. Dave Chatterjee:some time on the show today, talking about this initiative.
Dr. Dave Chatterjee:Keith, welcome! Before we get into the details, please share
Dr. Dave Chatterjee:some highlights of your professional journey.
Keith Weller:Thanks, Dave. I'm really happy to be here. So
Keith Weller:yeah, over the past 20 years, I've had experience in security
Keith Weller:and infrastructure, primarily in the FinTech nonprofit, and now
Keith Weller:currently real estate retail sectors. The last three years,
Keith Weller:I've been focusing mainly on security and cloud. In previous
Keith Weller:roles I have built out offshore BPO and an internal SOC
Keith Weller:capability for FinTech, which was one of the Forbes fastest
Keith Weller:growing companies list for over five years straight. I developed
Keith Weller:infrastructure and security for a leading edge SaaS platforms
Keith Weller:for the financial and health services customers. In my
Keith Weller:American Cancer Society (ACS) role, I consolidated, cost
Keith Weller:optimized, and made highly available infrastructure for a
Keith Weller:segment at American Cancer Society, nonprofit that unified
Keith Weller:organizationally for the first time in 100 years. With that I
Keith Weller:saved over 20 million per year. And one of the big projects
Keith Weller:which we're all probably talking about was migrating 5000 square
Keith Weller:foot donation processing on-premise data center to the
Keith Weller:cloud in eight weeks. As part of that, I help them mature the
Keith Weller:speed of business capabilities and our security posture. And
Keith Weller:the past year, I've been with International Market Center,
Keith Weller:where I have greatly improved the security posture, including
Keith Weller:security oversight for launch of a global buyer seller ecommerce
Keith Weller:marketplace.
Dr. Dave Chatterjee:Fantastic. In fact, listeners might be
Dr. Dave Chatterjee:interested in hearing about some of the stats that I've gleaned
Dr. Dave Chatterjee:from the Flexera State of the Cloud report. It's the latest
Dr. Dave Chatterjee:report, the data was collected in late 2021. There were 753
Dr. Dave Chatterjee:respondents, the organizations range from ones with 100
Dr. Dave Chatterjee:employees, right up to once with 10,000 plus employees. So they
Dr. Dave Chatterjee:had a pretty broad cross section of organizations. The
Dr. Dave Chatterjee:respondents were global cloud decision makers and users. So
Dr. Dave Chatterjee:it's a very comprehensive and well done report. They publish
Dr. Dave Chatterjee:it every year, and I follow it religiously. A couple of things
Dr. Dave Chatterjee:I wanted to highlight here, just to further contextualize our
Dr. Dave Chatterjee:discussion, especially the significance of the discussion.
Dr. Dave Chatterjee:First, the fact that cloud adoption continues to become
Dr. Dave Chatterjee:more mainstream, second, heavy users, that is those who are
Dr. Dave Chatterjee:running more than 25% of the workload in the cloud, are up to
Dr. Dave Chatterjee:63%, an increase from 59% in 2021. Also, another interesting
Dr. Dave Chatterjee:finding is that more than half of the respondents are planning
Dr. Dave Chatterjee:to move at least some of their sensitive data to the cloud. And
Dr. Dave Chatterjee:when it comes to cloud challenges, security continues
Dr. Dave Chatterjee:to be the number one challenge for the last 10 years. So
Dr. Dave Chatterjee:therefore, to have somebody like Keith, talk to us about cloud
Dr. Dave Chatterjee:migration, of migrating to the cloud, and how to do it securely
Dr. Dave Chatterjee:is a terrific opportunity. So Keith, coming back to you,
Dr. Dave Chatterjee:provide the listeners with a context as to what led American
Dr. Dave Chatterjee:Cancer Society to consider moving to the cloud.
Keith Weller:Yeah. So before this major migration, we were
Keith Weller:already in Azure for about three years. But it was not a
Keith Weller:significant portion of our of our business processes, we did
Keith Weller:migrate to Office 365, for our email moving off of Lotus Notes
Keith Weller:previously, as well. But the big driver for this was, a lot of
Keith Weller:this happened during the COVID 19 pandemic, American Cancer
Keith Weller:Society is very dependent, or was at the time very dependent
Keith Weller:on in person events. And because of that, we were looking at a
Keith Weller:$200 million per year revenue shortfall. Wow. So across the
Keith Weller:organization, we had to find ways to either make up that
Keith Weller:money through additional revenue opportunities or reduce costs.
Keith Weller:And at the time, we had an on- premise data center that was in
Keith Weller:locally in our headquarters in downtown Atlanta. And it was
Keith Weller:very costs not just the data center that we had, but also the
Keith Weller:real estate that we were in was very costly. So in order to
Keith Weller:vacate that real estate, we also had to vacate the data center.
Keith Weller:By doing that, it would save us about 600,000 per month for
Keith Weller:lease costs, and a data center reduction of 162k. Additionally,
Keith Weller:we were the previous year, we did a digital transformation
Keith Weller:where we moved a lot of our CRM and ERP to SaaS based solutions.
Keith Weller:But didn't we wanted to make sure that we've kind of had that
Keith Weller:that's speed of execution that cloud provided. There are a lot
Keith Weller:of opportunities to overall increase and I feel being in the
Keith Weller:cloud actually makes it a lot easier to govern your security
Keith Weller:and have better visibility of your assets and, and make
Keith Weller:quicker security improvements. So that was another big factor
Keith Weller:of that. And it also allowed us to better enable disaster
Keith Weller:recovery, because this was a systems that we had was for
Keith Weller:primarily for donation processing. So we need a really
Keith Weller:rock solid system. So it allowed us to improve our disaster
Keith Weller:recovery and availability and things like that. So those are
Keith Weller:kind of the big drivers for that project.
Dr. Dave Chatterjee:That was quite an undertaking. And again,
Dr. Dave Chatterjee:based on our discussion that we were having to plan this
Dr. Dave Chatterjee:podcast, you mentioned that you'll have to get it done in
Dr. Dave Chatterjee:about three months. Is that correct?
Keith Weller:Yeah, that's correct. We were trying to make
Keith Weller:quick decisions and find quick ways to reduce costs. Basically,
Keith Weller:I got a call one day from our head of real estate wasn't
Keith Weller:really super knowledgeable with technology and basically asked,
Keith Weller:How can you get out of the datacenter by the end of the
Keith Weller:month? And I said, Well, that's definitely challenging. I did
Keith Weller:take some videos and pictures just to maybe give a conceptual
Keith Weller:idea of what was in there, because it was 5000 square foot
Keith Weller:data centers, there was a significant amount of work to
Keith Weller:vacate that. But so we did have a aggressive timeline. At first,
Keith Weller:I thought, hey, this is a good challenge. I think we can do
Keith Weller:this. I think this could help the organization if we can do it
Keith Weller:quickly. So I said, let me get back to you. And let's see what
Keith Weller:we can do. The other part of that was that this was a
Keith Weller:business critical system that was responsible for our donation
Keith Weller:processing at a time where our revenue was down. So we cannot
Keith Weller:afford any other kind of hiccups in our downtime. It was a PCI
Keith Weller:DSS regulated environment. So there was a lot of security
Keith Weller:links to that where we had to make sure where we were going
Keith Weller:was set up very well from a security perspective and had
Keith Weller:good security foundations. We actually before that, we didn't
Keith Weller:have really good data and application inventory. So we had
Keith Weller:to work on kind of rationalizing that environment. As you as if
Keith Weller:you just move throw everything in the cloud, it can get quite
Keith Weller:expensive. So the more we could kind of reduce that footprint,
Keith Weller:the better. So we needed to make sure we were very clear on how
Keith Weller:our data and our applications work. So, when we moved up
Keith Weller:there, things would continue to flow. And the, just getting out
Keith Weller:of that on-premise data center was probably the most complex
Keith Weller:effort IT related effort ever undertaken. And it was the most
Keith Weller:difficult part of actually exiting that that real estate.
Keith Weller:So it was it was a big challenge. But I met with the
Keith Weller:team. And I said, and I came up with three months. And I said,
Keith Weller:why can't we do three months. And we basically talked through
Keith Weller:all the blockers, and the options, and we determined that
Keith Weller:if we did an all-hands-on-deck, we could accomplish that. It was
Keith Weller:a challenge for everyone, but we we knew it was important. And we
Keith Weller:basically stack ranked our options. And we tried to
Keith Weller:quantify with the best approach. So that actually helped us think
Keith Weller:through all the challenges and potential timelines. And we
Keith Weller:actually ended up accomplishing the mission and doing it on time
Keith Weller:and under budget.
Dr. Dave Chatterjee:Incredible. As you share this experience, it
Dr. Dave Chatterjee:brings back memories of a few other very successful technology
Dr. Dave Chatterjee:driven business transformations, which were done on time and
Dr. Dave Chatterjee:under budget. One commonality across these transformation best
Dr. Dave Chatterjee:practices is that they were all motivated by a critical business
Dr. Dave Chatterjee:need. In this particular case, as you mentioned, Keith, loss of
Dr. Dave Chatterjee:revenue was the primary driver. And that got everybody involved
Dr. Dave Chatterjee:and engaged. So there was an organization wide buy in. Also,
Dr. Dave Chatterjee:when you say that it was an all hands on deck kind of an
Dr. Dave Chatterjee:operation. And I'm thinking about some of the details that
Dr. Dave Chatterjee:you shared with me earlier. It's very encouraging, that the team
Dr. Dave Chatterjee:comprised off not only the technology people, but also the
Dr. Dave Chatterjee:business people. So there was cross functional involvement,
Dr. Dave Chatterjee:which is exactly how any kind of technology driven change must be
Dr. Dave Chatterjee:managed. And so this is so good to hear. Thanks for sharing. Is
Dr. Dave Chatterjee:there anything else that you would like to share, by way of
Dr. Dave Chatterjee:highlights when you all were planning the migration and then
Dr. Dave Chatterjee:implementing it?
Keith Weller:Yeah. So I would definitely agree, agree that
Keith Weller:buy-in is is key, if you're trying to do very challenging,
Keith Weller:time constrained work, having everyone engaged and bought in
Keith Weller:to the process. And having a clear vision and the goals
Keith Weller:across the whole team is really important. So for sure, when
Keith Weller:when we did this project, everyone was bought in, I was
Keith Weller:the project sponsor, as well as the tech lead. So I was
Keith Weller:responsible for bringing together all these cross
Keith Weller:functional teams and included all of my all key members of IT
Keith Weller:included security, quality assurance, the supply chain,
Keith Weller:legal, then we had people from the business that had to do the
Keith Weller:testing, we had to coordinate with them, we had to make sure
Keith Weller:certain things were done during certain accounting periods of
Keith Weller:the month, so that things wouldn't be affected. So that
Keith Weller:was really important. Additionally, we engaged with a
Keith Weller:migration vendor, because it was obviously a pretty big task, we
Keith Weller:didn't want to kind of learn along the way in eight weeks, it
Keith Weller:wouldn't work. So we engaged with them. And as a kind of a
Keith Weller:combined partner with ACS, we had a combined team. And we just
Keith Weller:had to keep focused, not get distracted. And so we were using
Keith Weller:Microsoft Azure for about three years. A lot of people were
Keith Weller:familiar with it. But there were also new people in IT that were
Keith Weller:kind of learning and we didn't want them to be kind of like
Keith Weller:asking a bunch of questions that weren't, like aligned with kind
Keith Weller:of the mission, right? We wanted to just keep focused, not get
Keith Weller:distracted. And a lot of times, there's decisions that come
Keith Weller:along the way and you want to try and make those decisions
Keith Weller:quick. So it doesn't sort of slow down the process. And we
Keith Weller:try to go with as much as best practice and if there was some
Keith Weller:discrepancy of using best practices, like why shouldn't we
Keith Weller:use it, so it kept us a little focused, better focus that way.
Keith Weller:And that really helped us we we tried to make sure that security
Keith Weller:was ingrained in every step of the process. Again, it was a PCI
Keith Weller:environment, and generally as a security professional, I want to
Keith Weller:make sure that's a foundation of anything we do. Today. We had
Keith Weller:our IT architects that were responsible for helping provide
Keith Weller:the scope of work We had a hybrid environment and making
Keith Weller:sure all the documentation was available. And just having kind
Keith Weller:of that, again, that all-hands-on-deck mentality,
Keith Weller:let's get this done, let's be focused, we had the help of the
Keith Weller:project management team to keep us laser focused as well and
Keith Weller:making sure that we're properly communicating with the business
Keith Weller:partners. Sometimes when you're doing a project this complex,
Keith Weller:you don't want to miss some communication, and people are
Keith Weller:expecting something and then some some form of the business
Keith Weller:comes, comes to a stop, especially one revenue
Keith Weller:generation is so important. So yeah, it was it was I was
Keith Weller:actually very proud of the whole experience just because we work
Keith Weller:all together as a team that just get get important things done.
Keith Weller:And it really helped from a financial standpoint.
Dr. Dave Chatterjee:Yeah, that's quite phenomenal. quite
Dr. Dave Chatterjee:phenomenal. Talking about the security aspect of the
Dr. Dave Chatterjee:migration, you mentioned following the NIST cybersecurity
Dr. Dave Chatterjee:framework, and complying with the PCI DSS requirements. During
Dr. Dave Chatterjee:our planning meeting, you shared some of the accomplishments
Dr. Dave Chatterjee:under the categories of identify, protect, detect,
Dr. Dave Chatterjee:respond, and recover. Would you like to provide listeners with
Dr. Dave Chatterjee:certain specifics, like what they should be mindful of when
Dr. Dave Chatterjee:they have to undertake such an initiative?
Keith Weller:Yeah, so I think the key thing here is making
Keith Weller:sure that your asset, your application is fully documented,
Keith Weller:your data flows are fully documented that you, you want to
Keith Weller:make sure, especially when you're moving and we did a sort
Keith Weller:of a lift and shift to the cloud, that you do not have,
Keith Weller:you're not properly securing various aspects of that data
Keith Weller:flow. So to make sure that proper foundations are in place,
Keith Weller:when we move, move those applications and data to the
Keith Weller:cloud, that's a key thing with and a lot of that is working
Keith Weller:with architecture, application architecture team, working with
Keith Weller:the security team, you know, it being a PCI DSS regulated
Keith Weller:environment, we definitely worked very closely with our
Keith Weller:migration partner, to make sure that we had the right blueprints
Keith Weller:in place and the foundations in place, there's actually PCI DSS
Keith Weller:blueprints that that we used to make sure the foundation was
Keith Weller:right. And also make sure that all of your kind of your
Keith Weller:security configurations are correct, in the firewall, and
Keith Weller:the network security groups and things like that. We did do a
Keith Weller:external pen test afterwards, just to make sure that we didn't
Keith Weller:kind of miss some key NIST security controls. Because
Keith Weller:again, it was it was very important to highly secure the
Keith Weller:environment.
Dr. Dave Chatterjee:Yep. That makes a lot of sense. In fact,
Dr. Dave Chatterjee:you mentioned about this migration vendor. I'm sure
Dr. Dave Chatterjee:listeners might be curious that how do you go about identifying
Dr. Dave Chatterjee:such a vendor? And what, what factors goes into the selection
Dr. Dave Chatterjee:process? And how valuable did you find their service?
Keith Weller:Yeah, so, it sort of starts with the actual, I
Keith Weller:guess from the start, we started with a concept, how quickly can
Keith Weller:we get out of the data center. So we did explore four different
Keith Weller:options. One was a virtual lift and shift to Azure, which was
Keith Weller:our existing cloud partner at the time. Another was we had a
Keith Weller:colocation facility in Austin, Texas, we were looking to
Keith Weller:potentially migrate there. And then we were looking at a
Keith Weller:physical and virtual lift and shift to new equipment in
Keith Weller:Atlanta. And based on all those and kind of our quantitative
Keith Weller:approach to comparing the options, we definitely decided
Keith Weller:that moving to Azure was the quickest and most likely cost
Keith Weller:conscious, the lowest risk, and a lot. And also, obviously,
Keith Weller:being in the cloud allows you to be more quick to innovation and
Keith Weller:things like that. So we started with that. And then since it was
Keith Weller:a nonprofit, we had a Microsoft partner that works with
Keith Weller:nonprofit and government and things like that. And they they
Keith Weller:actually recommended a few migration partners, and we ended
Keith Weller:up going with one that was very experienced with this and they
Keith Weller:actually have they I think they actually created the the actual
Keith Weller:migration tool that Microsoft uses for a lot of these
Keith Weller:initiatives. So they definitely seemed like the right fit for
Keith Weller:us. We were lucky, as a nonprofit, we were able to find
Keith Weller:some funding to make the cost of migration, significantly less,
Keith Weller:which obviously, that helped with the other part of the
Keith Weller:financial discussion. So, yeah, that and they they did really
Keith Weller:well, they were very methodical, you could tell that they've done
Keith Weller:this many times before. And they they, like I said, they helped
Keith Weller:keep us on track. They, they, they did these rapid pace
Keith Weller:migrations. So it helped having that experience. They were very
Keith Weller:technical, too. So there was really no period where we felt
Keith Weller:like we were kind of stuck or kind of couldn't get past a
Keith Weller:hurdle, because they've really had a lot of good answers.
Keith Weller:Because of that experience.
Dr. Dave Chatterjee:That's good to know. And this is very useful
Dr. Dave Chatterjee:information for folks who are planning such a migration. For
Dr. Dave Chatterjee:this particular migration initiative, you all decided to
Dr. Dave Chatterjee:go with Microsoft Azure. I assume that is because American
Dr. Dave Chatterjee:Cancer Society was heavily invested in the Microsoft
Dr. Dave Chatterjee:platform, and it made logical sense to stay with the same
Dr. Dave Chatterjee:ecosystem to reduce application dependency related challenges.
Dr. Dave Chatterjee:Is that what your advice will be for organizations looking to
Dr. Dave Chatterjee:identify a suitable cloud service provider? How should
Dr. Dave Chatterjee:they go about the cloud vendor selection process?
Keith Weller:Yeah, I think I think it depends on the
Keith Weller:organization for for us to be honest, as a nonprofit,
Keith Weller:Microsoft gave us very significant funding for this
Keith Weller:project. In my view, there is some, since we already had O 365
Keith Weller:(Office 365) as well, we were already using their identity and
Keith Weller:access management solution. So there was sort of a tie in
Keith Weller:there, it and again, since we already had that footprint, we
Keith Weller:had eight weeks, obviously, Google and Amazon have great
Keith Weller:products. But if you're trying to do this at rapid pace, it's
Keith Weller:there's a lot less barriers, if you're using an existing vendor,
Keith Weller:where you already have sort of that core foundation in place,
Keith Weller:you already have that relationship in place. But I
Keith Weller:think it's important for organizations to not be stuck on
Keith Weller:one vendor and kind of look at it on a case by case basis, what
Keith Weller:makes the most sense for them as a business. And again, you you
Keith Weller:know, we did a lot of cost analysis. And for sure, in this
Keith Weller:case, the Microsoft Azure was the was the best option. And
Keith Weller:there was a the other thing was we already had some in house
Keith Weller:experience with it. So that also kind of reduced some of the
Keith Weller:barriers. So I think it really is sort of a case by case what
Keith Weller:what fits with that specific business needs. There's a lot of
Keith Weller:great options out there. So yeah, I would always be open to
Keith Weller:looking at what fits best for you.
Dr. Dave Chatterjee:Makes sense. Makes sense. Maybe in
Dr. Dave Chatterjee:this context, I will again, share with listeners some
Dr. Dave Chatterjee:findings from the Flexera, State of the Cloud report. The top
Dr. Dave Chatterjee:four cloud migration challenges are number one, understanding
Dr. Dave Chatterjee:application dependencies, number two, assessing technological
Dr. Dave Chatterjee:feasibility, number three, assessing on-premise versus
Dr. Dave Chatterjee:cloud costs, and number four, selecting the right cloud
Dr. Dave Chatterjee:provider. And in fact, Keith kind of touched upon some of
Dr. Dave Chatterjee:these. And when he talks about going with their existing cloud
Dr. Dave Chatterjee:provider, because they've had good experiences, that hopefully
Dr. Dave Chatterjee:took away one of those challenges. Keith, what are your
Dr. Dave Chatterjee:thought of these challenges that I gleaned from the State of the
Dr. Dave Chatterjee:Cloud report? Do you agree with them?
Keith Weller:Oh, absolutely. Yeah, I mean, the application
Keith Weller:dependency is is key to having a successful understanding that
Keith Weller:application dependency is the key to having a successful
Keith Weller:migration for us. It we did. So we didn't refactor anything
Keith Weller:because of the timelines. But we did a lift and shift. So it was
Keith Weller:basically a virtual machine, a virtual machine. So that did
Keith Weller:help a bit. But there were scenarios when when we did that
Keith Weller:migration up where as much as we try to document things ahead of
Keith Weller:time, and you know how it is you can have a data center and as
Keith Weller:around for years, and then there's certain things that
Keith Weller:maybe something's not captured. And I think one as part of the
Keith Weller:testing there was there was some functionality that wasn't
Keith Weller:working. And it was just because there was some application
Keith Weller:talking to another application, and it wasn't documented. And we
Keith Weller:didn't have the right firewall rules allow that communication.
Keith Weller:So I would say, overall, it's just obviously good practice to
Keith Weller:have that document in real time and keep that for just general
Keith Weller:good practice. The other things were, you know, like I said, I
Keith Weller:already talked about the decision on the on the cloud
Keith Weller:vendor. Sorry, what were the other over two?
Dr. Dave Chatterjee:Sure, sure. The first one was understanding
Dr. Dave Chatterjee:application dependencies. The second one was assessing tech
Dr. Dave Chatterjee:feasibility. The third one was assessing on-premise versus
Dr. Dave Chatterjee:cloud costs.
Keith Weller:Yeah, so So we, again, we already kind of had
Keith Weller:experience with Azure, we knew a lot of the capabilities that
Keith Weller:were there, we weren't necessarily taken advantage of
Keith Weller:all them. But we did, like the future capabilities that we
Keith Weller:could add. Like I said, we did do a sort of lift and shift. But
Keith Weller:the as the next phase was kind of a refactoring and simplifying
Keith Weller:and lowering the cost of our presence. One thing about the
Keith Weller:kind of comparison of costs, is, a lot of times sometimes people
Keith Weller:throw in the soft costs. And it's not a direct factor from a
Keith Weller:financial perspective. But it is important to be very clear on
Keith Weller:what your costs are. I mean, it took us about just maybe three
Keith Weller:weeks just to firm up that kind of cost comparison and making
Keith Weller:sure we itemize each one. it In our case, it was a little
Keith Weller:easier, because we knew we were just eliminating that data
Keith Weller:center, we were moving out of the facility. So we were able to
Keith Weller:like save on internet costs and various things like that. So it
Keith Weller:did make a lot easier. It can get quite expensive to be in the
Keith Weller:cloud, if you don't manage it well, right. So if you're not
Keith Weller:have good visibility on your costs, you're not using things
Keith Weller:like micro services or partial compute you over over allocate
Keith Weller:compute and things like that. It can be quite costly versus
Keith Weller:on-prem. But I think if you have good visibility into those cost
Keith Weller:factors it and in my experience, it's it's generally cheaper.
Keith Weller:From a security perspective, it's it's easier to manage and
Keith Weller:cheaper, because you kind of have a visibility of all your
Keith Weller:assets, where sometimes in the on prem world, you can kind of
Keith Weller:get the sprawl of systems. And it's just kind of hard to track
Keith Weller:it all and make sure you don't have that security technical
Keith Weller:debt. That happens a lot. So it definitely saved a lot of time
Keith Weller:from engineers support perspective, which I think over
Keith Weller:time allowed ACS to not have as much staff dedicated to the kind
Keith Weller:of caring care and feeding of systems. And it allowed them to
Keith Weller:do kind of more transformative work and help to grow the
Keith Weller:business and things like that.
Dr. Dave Chatterjee:Awesome. In fact, I wanted to re emphasize
Dr. Dave Chatterjee:what you just shared, shared, or you highlighted the importance
Dr. Dave Chatterjee:of managing the cloud. When I talk about cloud in the
Dr. Dave Chatterjee:classroom, I associate cloud as a reflection of the technology
Dr. Dave Chatterjee:outsourcing phenomenon. And when you outsource something, though,
Dr. Dave Chatterjee:cost is often the driver. But in my humble opinion, you outsource
Dr. Dave Chatterjee:something to a service provider, because they are better at it
Dr. Dave Chatterjee:than your organization is or wants to be because your
Dr. Dave Chatterjee:organization has a mission, that the reason they were formed, and
Dr. Dave Chatterjee:that's what they need to focus on. So if somebody else can
Dr. Dave Chatterjee:better manage the tech, let them do it. But having said that,
Dr. Dave Chatterjee:it's also important to recognize that you still have to provide
Dr. Dave Chatterjee:oversight. It's not like out of sight out of mind. You still
Dr. Dave Chatterjee:have to stay on top of security, top of Cloud spend. And this is
Dr. Dave Chatterjee:where Keith I wanted your thoughts. When I look at these
Dr. Dave Chatterjee:breaches happening, like the Capital One, data was breached,
Dr. Dave Chatterjee:they were residing on the Amazon web server. Obviously Capital
Dr. Dave Chatterjee:One is still responsible for their data. Amazon is providing
Dr. Dave Chatterjee:them the server providing them with the details on how to
Dr. Dave Chatterjee:secure it, but I am of the opinion that maybe the SLAs
Dr. Dave Chatterjee:should be written up in a manner and a fashion, whereby there
Dr. Dave Chatterjee:should be more joint responsibility and joint
Dr. Dave Chatterjee:accountability whereby the host, the service provider, and the
Dr. Dave Chatterjee:client work as a team to ensure the data is safe, secure, and
Dr. Dave Chatterjee:there's a constant review to make sure the security level and
Dr. Dave Chatterjee:posture is being maintained. What are your thoughts?
Keith Weller:Yeah, I mean, that would be fantastic. I mean, as
Keith Weller:it as it is, now, the core responsibility of securing your
Keith Weller:data is on the actual owner of the data. So I guess, I guess
Keith Weller:the one, so you said a good few good things. And I'll get back
Keith Weller:to the like, the one good thing is, as a business, you want to
Keith Weller:focus on your core things that you're good at. ACS, they're not
Keith Weller:a IT company, there, so spending a lot of time patching servers
Keith Weller:and, and various care and feeding of data centers was not
Keith Weller:where we wanted to be. But it would be nice if the three big
Keith Weller:cloud providers were more engaged in kind of as a team,
Keith Weller:securing data and helping make sure that they partner with
Keith Weller:their customers to make sure that's being done, right. They
Keith Weller:do provide a lot of great tools for I've been using the SIEM
Keith Weller:(Security Information and Event Management) on Microsoft Azure,
Keith Weller:it's a great tool, but of course, it's very dependent on
Keith Weller:configuring it right, and making sure you have the right logs
Keith Weller:that you're ingesting, and then you have the right rules and
Keith Weller:playbooks and things like that. So it's in there, again, that's
Keith Weller:a lot of dependency on the customer to either do that
Keith Weller:themselves or work with a partner to help with that. Say,
Keith Weller:I think that would be fantastic. If the cloud providers were a
Keith Weller:little more engaged in that, I would be totally for that.
Dr. Dave Chatterjee:Good to hear that. Good to hear that. So
Dr. Dave Chatterjee:we are kind of coming to the close of our discussion. So I
Dr. Dave Chatterjee:wanted to check off a few things. You may have mentioned
Dr. Dave Chatterjee:this Keith, but I wanted to maybe highlight it again. One of
Dr. Dave Chatterjee:the success factors of this initiative that we're talking
Dr. Dave Chatterjee:about, was also the very meticulous phased migration
Dr. Dave Chatterjee:effort. You describe the details in your slide deck, Keith. And
Dr. Dave Chatterjee:I'm going to read off some of the the phases, the first phase
Dr. Dave Chatterjee:involved Assessing Azure, the second phase was Assessment of
Dr. Dave Chatterjee:Readiness, the third phase, entailed creating a landing
Dr. Dave Chatterjee:zone, and the final phase involved the actual migration,
Dr. Dave Chatterjee:migration, plus having a good disaster recovery in place.
Dr. Dave Chatterjee:Would you like to and I know there's a lot of detail, we may
Dr. Dave Chatterjee:not have time for all the details, anything in particular
Dr. Dave Chatterjee:that you want to touch upon, in the context of the phased
Dr. Dave Chatterjee:migration effort?
Keith Weller:Yeah, I mean, for me, just generally, in
Keith Weller:technology, having the right foundations in place, sets you
Keith Weller:up for success later on. Right. So part of part of that is the
Keith Weller:actual assessment of your environment, and what the
Keith Weller:architecture will be, and making sure that you have the right
Keith Weller:standards and controls in place initially, because if you try to
Keith Weller:do that later, then it becomes a more challenging effort. What's
Keith Weller:nice about these all-hands-on-deck type efforts
Keith Weller:is you get everyone engaged upfront, to make sure that
Keith Weller:they're all aligned with that kind of foundation. And
Keith Weller:sometimes if you do that a year or two later, it's already
Keith Weller:sprawled, you already have the parts of your data that you
Keith Weller:don't have visibility into and various, you don't have certain
Keith Weller:policies applied to certain things. So again, I think, since
Keith Weller:we had experience in Azure, but we weren't like experts in it,
Keith Weller:that's why it was it was good to have that partner to help make
Keith Weller:sure that's in place. And then as part of the kind of the
Keith Weller:readiness is making sure that the team from your company is
Keith Weller:able to support it. So and it's important for them to kind of
Keith Weller:have a good understanding upfront. So as we're going
Keith Weller:through the project, it moves quick, more quickly with
Keith Weller:informed people. And then so we did have a lot of we had
Keith Weller:significant training that was done from just first with Azure
Keith Weller:101. And then Azure governance and Azure security because we
Keith Weller:wanted to make sure we put those foundations in place, but we
Keith Weller:wanted to make sure we kept with them We kept, kept governance
Keith Weller:and kept that security mindset. And the understanding that we
Keith Weller:again, we are responsible for the security of our data,
Keith Weller:Microsoft kind of like and the other cloud providers kind of
Keith Weller:like, let you go with that, it's up to you to, to manage that. So
Keith Weller:it was important for everybody in the team. And it's not just
Keith Weller:infrastructure people, it's not just security people, but it's
Keith Weller:also important for Development and QA to understand those those
Keith Weller:kind of core principles of security. So all those people
Keith Weller:were engaged, to make sure that it was it was built into sort of
Keith Weller:our DNA, I guess. And then having having a well defined
Keith Weller:landing zone was important too, because if you don't have your
Keith Weller:resources, some of its just tagging and naming and stuff
Keith Weller:like that, if you don't name those, or tag them, and you kind
Keith Weller:of just put them all over the place, it actually makes it
Keith Weller:harder to manage the costs and things because you're not really
Keith Weller:clear what, what what this resource is for. And it just
Keith Weller:makes it harder for you to manage that. And then the
Keith Weller:landing zone had kind of the kind of lockdown networking IAM
Keith Weller:(Identity and Access Management) structures and Role Based Access
Keith Weller:Controls and the Azure blueprints and things like that.
Keith Weller:A lot of people just think about the migration phase, but those
Keith Weller:those first three phases, I think, are core for long term
Keith Weller:success. And then there's the migration phase, which in our
Keith Weller:case, also included giving DR (Disaster Recovery) fully
Keith Weller:functioning DR, which becomes much easier to enable when
Keith Weller:you're in the cloud. And there's a lot of CISOs that try to do
Keith Weller:implement DR on- prem, and sometimes it just drags out, and
Keith Weller:it's just like knowing the environment and things like
Keith Weller:that, especially as part of the migration, it actually sets us
Keith Weller:up for DR. Because the migration configuration was associated to
Keith Weller:the DR failover. So it helped a lot with that. And if you're
Keith Weller:doing yourself or if you're doing it with a partner, again,
Keith Weller:it's the migration, it's very important to kind of have steps
Keith Weller:planned out, well, you're on the same page with things you're,
Keith Weller:you're engaged with the business because there will be some
Keith Weller:downtime, you're engaged with them as well to make sure that
Keith Weller:the testing is done. And in our case, we wanted to make sure we
Keith Weller:had enough testing during the migration because we were
Keith Weller:shutting down the servers at the end of it. And if we miss
Keith Weller:something, there's kind of no going back. So the testing was
Keith Weller:pretty important for us too. So yeah, I mean, it was it was a
Keith Weller:great project. And I was very happy that we were able to kind
Keith Weller:of work together and kind of use that phased approach, methodical
Keith Weller:phased approach because it allowed us to stay focused.
Dr. Dave Chatterjee:Yeah, absolutely. In fact that as
Dr. Dave Chatterjee:you're talking about testing, I'm looking at the timeline,
Dr. Dave Chatterjee:where you mentioned about doing testing, right from week two,
Dr. Dave Chatterjee:right till the very end, right, right, right till week eight. So
Dr. Dave Chatterjee:constant testing is a huge best practice, I would say. And once
Dr. Dave Chatterjee:again, we don't have enough time to go into all the security best
Dr. Dave Chatterjee:practice details, that you all were able to accomplish. But
Dr. Dave Chatterjee:basically complying with the NIST framework framework,
Dr. Dave Chatterjee:complying with the PCI DSS framework, those are all great
Dr. Dave Chatterjee:accomplishments, and at a higher level bottom line, as you said
Dr. Dave Chatterjee:earlier, you all were able to complete the implementation in
Dr. Dave Chatterjee:eight weeks on time, under budget, and help the
Dr. Dave Chatterjee:organization realize a savings of $18 million in real estate
Dr. Dave Chatterjee:and $2 million in technology costs projected over three
Dr. Dave Chatterjee:years. That's phenomenonal. Working for an organization
Dr. Dave Chatterjee:organization like American cancer society that does so much
Dr. Dave Chatterjee:good. Much needed. I think it's it's indeed a noble cause. And I
Dr. Dave Chatterjee:want to recognize you and your team for doing such great work,
Dr. Dave Chatterjee:which indirectly has helped the global population. Because you
Dr. Dave Chatterjee:want an organization like ACS American Cancer Society to
Dr. Dave Chatterjee:survive and thrive. And these initiatives are essential to
Dr. Dave Chatterjee:allow the organizational engine to be running and be running
Dr. Dave Chatterjee:efficiently and effectively for the long run. So Keith, I'd like
Dr. Dave Chatterjee:to give you the final opportunity to say a few final
Dr. Dave Chatterjee:words with before we close our discussion for today.
Keith Weller:Yeah, thank you again, for allowing me to share
Keith Weller:the journey on this podcast. Yeah, I mean, just just with the
Keith Weller:American Cancer Society, every dollar that's spent on
Keith Weller:operational costs is a dollar taken away from cancer research
Keith Weller:or services, So, whenever you can do something like this and
Keith Weller:help help the organization survive, it's rewarding and it
Keith Weller:just It just helps with the overall goal of eliminating
Keith Weller:cancer as a disease worldwide. So, yeah, I mean, I'll just, I
Keith Weller:guess close with a few things. Again, just any, any rapid pace
Keith Weller:projects, including cloud migration requires kind of that
Keith Weller:all-hands-on-deck cross functional teams working
Keith Weller:together, clearly defined roles and what's success. And when
Keith Weller:that happens, like, really hard things can get done, like things
Keith Weller:that you don't think. And just sort of reiterating, knowing
Keith Weller:your application dependencies is really important. And the data
Keith Weller:flows helps minimize downtime when you're doing this
Keith Weller:migration, and even performance issues. Another thing that I
Keith Weller:want just to close out that with this, this rapid paced
Keith Weller:migration, sometimes you don't want to over test, right? So you
Keith Weller:want to make sure you test the core functionalities and data
Keith Weller:flows first. And then if you can worry about some of the smaller
Keith Weller:or less important test cases later. That's one thing that we
Keith Weller:kind of learned in this project that we're trying to, like, be
Keith Weller:so thorough in our testing, that we start to fall behind in our
Keith Weller:schedule. So what we did was we refocused and we focused on
Keith Weller:those core tests. And then we did the other testing later once
Keith Weller:the actual workloads were uploaded. So that was probably
Keith Weller:one of the biggest takeaways that I got from that. And then
Keith Weller:lastly, just from a security perspective, if you can't really
Keith Weller:protect your, your environment, if you don't have good
Keith Weller:visibility of it. So one of the one of the big things that was
Keith Weller:helpful from a security perspective was adding a SIEM
Keith Weller:tool, I would just say, well, and one thing I learned from
Keith Weller:this is it can get very complex to set this up and make sure the
Keith Weller:use cases and the playbooks are set up. So if if you are a small
Keith Weller:security shop or a small IT shop and maybe consider utilizing a
Keith Weller:partner for that, so yeah, but hopefully, hopefully that was
Keith Weller:helpful in sharing some of my experiences. And it was it was
Keith Weller:really enjoyable to talk about it.
Dr. Dave Chatterjee:It was extremely helpful. I'm sure the
Dr. Dave Chatterjee:listeners will find great value in all your recommendations and
Dr. Dave Chatterjee:sharing your experiences with this cloud migration. Much
Dr. Dave Chatterjee:needed discussion. So thank you again, Keith, for your time, and
Dr. Dave Chatterjee:I look forward to future discussions with you. For sure.
Dr. Dave Chatterjee:Thank you, Dave. A special thanks to Keith Weller for his
Dr. Dave Chatterjee:time and insights. If you like what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also,
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.
