SECURE CLOUD TRANSFORMATION
THE CIO'S JOURNEY
By Richard Stiennon
Chapter 5
Successfully Deploying Office 365
“Office 365 gives us more features, lower cost, and more capability like OneDrive and Teams.”
Alex Philips, Chief Information Officer, National Oilwell Varco
Email is still the killer application of the digital age. Companies like Hotmail, Yahoo!, and Google rode the crest of the email wave for consumers while Lotus and Microsoft battled for dominance in the enterprise. Microsoft won the enterprise battle, hands down, with Outlook penetrating most organizations as the standard email client and Microsoft Exchange Server the primary email server.
Microsoft also dominates in the world of client software for office productivity with the Microsoft Office Suite including Word, Excel, and PowerPoint. The other tech giants, Apple and Google in particular, have their eye on Microsoft’s markets and Google challenged Microsoft directly when, in 2006, it introduced G Suite, a collection of tools that were completely cloud based and paid for by subscription. G Suite had all the advantages of SaaS: always updated, always backed up, and easy to collaborate within the platform, but it lacked many of the advanced features required by power users.
Being the incumbent in practically every business and government agency in the world, Microsoft had time to transition to the cloud, but they needed to move quickly and it wasn’t going to be easy. New leaders are born when mega-shifts take place and few companies have been able to successfully pivot. Microsoft is one of those few companies and Office 365 is a result of its cloud journey.
Microsoft’s response to G Suite is Office 365, introduced June 28, 2011, and it is changing the landscape of information technology in the enterprise. Over 70% of the Fortune 500 have already transitioned to Office 365. By the fourth quarter of 2017, revenue from Office 365 surpassed that of the traditional Microsoft Office products. Revenue from Office 365 is growing at 40% a year while the number of seats is growing at 28%. The number of monthly active users for Office 365 is 135 million commercial users and 30.6 million consumers (Q3, FY2018).
As enterprises make the transition to Office 365, they are faced with challenges, both from a networking perspective and a security stance.
Why are enterprises adopting Office 365?
Like other SaaS applications, Office 365 has a compelling business case. It includes the combined functionality of email, file sharing, video and voice conferencing, and storage, all with no servers, hardware, networking, or layered-in security products in a data center.
- Lower total cost of ownership (TCO). Factor in all the costs associated with maintaining applications, updating them whenever there are new patches available, writing the complicated firewall policies so they work across the corporate network, providing disaster recovery, and scaling the server hardware to accommodate growth.
- Familiar User Experience. Office 365 provides a familiar user interface to a generation of office workers who have used Outlook. Very little training is required to make the transition. The other features such as Yammer, SharePoint, Calendar, and Skype for Business are easy to find and use.
- Integrated functionality. As a SaaS offering, it is easy for Microsoft to integrate functions in Office 365. The APIs, data structures, and backend processing needed to do this are transparent to your IT staff. It is not their responsibility.
- Frequent enhancements. Microsoft can acquire new companies, such as Yammer, and quickly add its functionality to the Office 365 platform.
- Future-proof. The pace of new feature additions gives a customer confidence that future capabilities will be introduced in a timely manner.
- Elastic. The underlying architecture is maintained by Microsoft, so growth in email volume, or an increasing number of Skype users, should not impact performance.
The fast adoption rates of Office 365 are the best indicator that Microsoft is doing something right. But what are some of the issues with transitioning to Office 365?
Challenges Office 365 creates for the enterprise
Office 365 is one of the primary applications driving network transformation. It has unique challenges that must be addressed with special routing, security, and bandwidth optimization.
The number one challenge of migrating to Office 365 is providing a seamless user experience. How users access Office 365 will define their experience. If you have a traditional hub-and-spoke network architecture, you are probably backhauling all your Office 365 traffic from remote branches or users, either over MPLS or a VPN. Then that traffic is routed out from your data center to Microsoft Azure. This architecture lends itself to delivering a less than optimal experience and is the driving factor for Microsoft’s recommendation of a direct-to-cloud connection.
When Kelly Services transitioned to Office 365, it sent Office 365 traffic from each branch directly over the internet. Kelly Services soon found that it needed to maintain over 700 rules in each of its branch and data center firewalls to ensure Skype for Business worked. If Microsoft adds or updates IP addresses as it expands its cloud infrastructure, all of those rules in all of those branch firewalls in every location will have to be updated quickly, or the service will be impacted.
Office 365 can be used to replace many desktop applications such as Outlook and the Microsoft Office suite. These productivity applications are different from a typical SaaS product. They need an open state with persistent connections, but typical web proxies, load balancers, and firewalls between the user and Microsoft Azure are traditionally set to time-out inactive TCP/IP sessions, often in less than two minutes. This can lead to productivity problems such as hung sessions, which should be addressed by setting longer session times for Office 365 traffic. That means that as many as 12 to 20 sessions are open in the firewalls for each user, which can quickly add up and potentially surpass the firewall’s ability to maintain state.
Because of these issues, Microsoft has provided its guidance to improve user experience with Office 365, published in its Office 365 Enterprise documentation.10
1. Differentiate traffic meant for Office 365 by destination IP address and route it from the user’s location. In other words, do not backhaul Office 365 traffic to a hub over MPLS.
2. Provide local DNS (Domain Name System) because the corporate DNS may be in a different geographic region and force the user to connect to a distant Office 365 node. Or, the user connects to a local node but the user's traffic first flows to the corporate servers.
3. Avoid network hairpinning and optimize direct connectivity. The goal is to get to Microsoft’s Office 365 infrastructure as directly as possible with the fewest number of hops.
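The first recommendation (route by destination prefix) and the Kelly Services rule-maintenance problem are two sides of the same task: keeping a branch's breakout routes and firewall rules in step with Microsoft's published endpoint list. The script below is an added example, not code from the book, from Microsoft, or from any vendor it names. It assumes the record layout of the JSON returned by Microsoft's Office 365 endpoint web service (`category`, `required`, `ips`, `tcpPorts`, `udpPorts`), but the records themselves are constructed samples built on documentation address ranges, and the route/rule output format is my own choice.

```python
"""Turn Office 365 endpoint records into local-breakout routing and firewall
rules, and diff two feed versions so prefix churn is caught before users notice.

Field names (id, serviceArea, category, required, ips, urls, tcpPorts, udpPorts)
follow the JSON served by Microsoft's Office 365 endpoint web service (an
assumption about that schema). The records below are CONSTRUCTED samples that
use documentation address ranges, not real Microsoft prefixes.
"""
import copy
import ipaddress

# Microsoft's "Optimize" and "Allow" categories are the ones to send straight
# out the local breakout; "Default" traffic can follow the ordinary path.
BREAKOUT_CATEGORIES = ("Optimize", "Allow")

SAMPLE_V1 = [  # constructed sample feed
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.example-o365.test"],
     "ips": ["198.51.100.0/24", "2001:db8:1::/48"], "tcpPorts": "80,443", "udpPorts": "443"},
    {"id": 2, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "urls": [], "ips": ["203.0.113.0/25"], "tcpPorts": "443", "udpPorts": "3478,3479,3480,3481"},
    {"id": 3, "serviceArea": "Common", "category": "Allow", "required": True,
     "urls": ["login.example-o365.test"], "ips": ["192.0.2.0/26"], "tcpPorts": "443"},
    {"id": 4, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["cdn.example-o365.test"], "ips": [], "tcpPorts": "80,443"},
]

# A later version of the same feed: one IPv6 prefix withdrawn, one IPv4 prefix added.
SAMPLE_V2 = copy.deepcopy(SAMPLE_V1)
SAMPLE_V2[0]["ips"] = ["198.51.100.0/24"]
SAMPLE_V2[1]["ips"].append("203.0.113.128/25")


def parse_ports(spec):
    """'80,443' -> [80, 443]; a missing or empty spec -> []."""
    if not spec:
        return []
    ports = sorted({int(p) for p in spec.split(",") if p.strip()})
    bad = [p for p in ports if not 0 < p < 65536]
    if bad:
        raise ValueError(f"port out of range: {bad}")
    return ports


def _selected(records, categories):
    """Yield only the required records in the categories broken out locally."""
    for rec in records:
        if rec.get("category") in categories and rec.get("required", False):
            yield rec


def breakout_prefixes(records, categories=BREAKOUT_CATEGORIES):
    """Set of IP networks the branch router should send out the local breakout.
    strict=True rejects a prefix with host bits set, which would hide a typo in the feed."""
    prefixes = set()
    for rec in _selected(records, categories):
        for cidr in rec.get("ips", []):
            prefixes.add(ipaddress.ip_network(cidr, strict=True))
    return prefixes


def firewall_rules(records, categories=BREAKOUT_CATEGORIES):
    """Expand records into one (proto, prefix, port) allow rule per combination,
    the same expansion a per-branch firewall has to carry."""
    rules = []
    for rec in _selected(records, categories):
        nets = [str(ipaddress.ip_network(c, strict=True)) for c in rec.get("ips", [])]
        for proto in ("tcp", "udp"):
            for port in parse_ports(rec.get(f"{proto}Ports")):
                rules.extend((proto, net, port) for net in nets)
    return rules


def diff_prefixes(old_records, new_records, categories=BREAKOUT_CATEGORIES):
    """(added, removed) breakout prefixes between two feed versions, as strings."""
    old = {str(n) for n in breakout_prefixes(old_records, categories)}
    new = {str(n) for n in breakout_prefixes(new_records, categories)}
    return new - old, old - new


if __name__ == "__main__":
    print(f"{len(breakout_prefixes(SAMPLE_V1))} prefixes, {len(firewall_rules(SAMPLE_V1))} firewall rules")
    added, removed = diff_prefixes(SAMPLE_V1, SAMPLE_V2)
    print("added:", sorted(added), "removed:", sorted(removed))
```

Even this four-record sample expands to a dozen firewall rules; a real feed with hundreds of prefixes and port ranges is how a branch ends up with 700 rules. Running `diff_prefixes` against each new feed version, and treating a non-empty result as a change ticket, is the check that keeps those rules from silently going stale.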
How to deploy Office 365 successfully?
There are three steps required to successfully transition to Office 365. They are the basis of cloud transformation.
Step 1. Secure local internet breakouts
The first step for most organizations is to fix the network. This means a consistent way of getting from a user’s device to Office 365. The most efficient way is to go direct-to-cloud. This is initially accomplished with local internet breakouts for Office 365 and other SaaS applications and internet destinations.
Local internet breakouts come with a security burden. To address those issues, connecting through a secure cloud service is required. That connection not only saves you from deploying security appliance hardware or spinning up VMs at every site, it also solves the problem of the hundreds of ports and policies required for Office 365 to work. The secure cloud service maintains those rules for all of its customers and updates them in real time. From the branch office or data center, you just need a simple set of rules that directs Office 365 (and internet) traffic to the nearest node of the secure cloud service.
Step 2. Local DNS for Office 365
Often overlooked when deploying local internet breakouts is DNS. You may have issues if you maintain DNS back in the data center. Even though users are going directly to the internet, they have to wait while their DNS requests make that hairpin detour. A DNS server located in another region may not provide the optimal IP address and people in a remote region may find they are accessing Office 365 in a Microsoft data center that is far removed from them. While traditional security appliances were never designed to resolve DNS, it’s imperative that the cloud security service offer DNS resolution or can override DNS to provide a local connection.
Step 3. Bandwidth allocation and prioritization for Office 365
When Kelly Services, a large workforce augmentation company, re-architected its network to accommodate local internet breakouts for 870 locations, the company determined that it should have a minimum 256 Kbps upload speed per user in each office. This would ensure that the Office 365 collaboration features would work smoothly. A simple metric can help you size the broadband connectivity you will need. An office of thousands of people may need multiple broadband connections.
The significant cost savings which result from reducing the number of MPLS circuits can fund the acquisition of higher broadband speeds. On top of that, replacing security devices at remote offices will reduce how much you pay a managed security service provider or your internal costs for managing those devices.
With direct-to-cloud connections over broadband to a security service you can now deliver a consistent user experience regardless of where the user is connected—at the branch office, headquarters, or even a coffee shop.
While local breakouts help enhance the user experience, you may find that when users are watching YouTube videos or sports events online, Office 365 performance may suffer. There are two reasons for this: a) streaming applications such as YouTube tend to consume all the available bandwidth; b) the last mile tends to be the bandwidth bottleneck. To mitigate this, cloud security services that sit before the last mile can be leveraged for bandwidth shaping by application class, and to allocate higher bandwidth to mission-critical business applications over the internet. A typical bandwidth policy is to set the Office 365 traffic at 40% of the available bandwidth for a given location. More importantly, Office 365 should be throttled at an upper bound, say 50%, to prevent a OneDrive sync from bringing down the network.
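The sizing rule from Step 3 (256 Kbps upload per user, possibly several circuits per site) and the shaping policy (40% guaranteed for Office 365, capped at 50%) are easy to express as a small planning script. The example below is added here and is not code from the book or from any vendor it mentions; the site list is constructed, the interface name and the Office 365 prefix list are placeholders, and the Linux `tc` HTB commands it produces are returned as strings for review rather than executed, so it can also stand in for the shaping rules a cloud security service would apply ahead of the last mile.

```python
"""Size a site's local breakout and express the Office 365 share as a tc/HTB policy.

The 256 kbps-per-user upload figure and the 40% guarantee / 50% ceiling are the
chapter's numbers; the site list is CONSTRUCTED, the interface name and the
Office 365 prefix list are placeholders, and the tc commands are returned as
strings for review rather than executed.
"""
import math

UPLOAD_KBPS_PER_USER = 256
O365_GUARANTEE = 0.40   # Office 365 can always get this share of the link...
O365_CEILING = 0.50     # ...but never more than this, so a OneDrive sync cannot swamp it

SITES = [  # constructed: (site name, users, upload kbps of one broadband circuit)
    ("branch-a", 12, 5_000),
    ("branch-b", 45, 5_000),
    ("plant-c", 400, 20_000),
]


def required_upload_kbps(users):
    """Minimum upload capacity for a site, per the chapter's per-user target."""
    return users * UPLOAD_KBPS_PER_USER


def links_needed(users, circuit_upload_kbps):
    """Number of identical broadband circuits a site needs to meet that target."""
    return max(1, math.ceil(required_upload_kbps(users) / circuit_upload_kbps))


def o365_shares(link_kbps):
    """Guaranteed and maximum Office 365 bandwidth for a link of the given size."""
    return {"guarantee_kbps": round(link_kbps * O365_GUARANTEE),
            "ceiling_kbps": round(link_kbps * O365_CEILING)}


def htb_commands(iface, link_kbps, o365_prefixes=()):
    """Linux tc commands: class 1:10 carries Office 365 with rate=guarantee and
    ceil=cap; class 1:20 (the default) carries everything else and may borrow up
    to the full link. One u32 filter per Office 365 destination prefix (IPv4 only,
    since u32 'match ip dst' matches IPv4 headers)."""
    shares = o365_shares(link_kbps)
    other_kbps = link_kbps - shares["guarantee_kbps"]
    cmds = [
        f"tc qdisc add dev {iface} root handle 1: htb default 20",
        f"tc class add dev {iface} parent 1: classid 1:1 htb rate {link_kbps}kbit ceil {link_kbps}kbit",
        f"tc class add dev {iface} parent 1:1 classid 1:10 htb "
        f"rate {shares['guarantee_kbps']}kbit ceil {shares['ceiling_kbps']}kbit",
        f"tc class add dev {iface} parent 1:1 classid 1:20 htb rate {other_kbps}kbit ceil {link_kbps}kbit",
    ]
    for prefix in o365_prefixes:  # placeholder prefixes; real ones come from Microsoft's feed
        cmds.append(f"tc filter add dev {iface} parent 1: protocol ip prio 1 u32 "
                    f"match ip dst {prefix} flowid 1:10")
    return cmds


def site_plan(sites):
    """Per-site sizing: circuits needed and Office 365 shares of the combined uplink."""
    plan = {}
    for name, users, circuit in sites:
        n = links_needed(users, circuit)
        uplink = n * circuit
        plan[name] = {"circuits": n, "uplink_kbps": uplink, **o365_shares(uplink)}
    return plan


if __name__ == "__main__":
    for name, row in site_plan(SITES).items():
        print(name, row)
    print("\n".join(htb_commands("eth0", 20_000, ["198.51.100.0/24"])))
```

The HTB `rate` on class 1:10 is the 40% guarantee and its `ceil` is the 50% cap; the default class keeps the remaining 60% guaranteed and can borrow up to the full link when Office 365 is idle. The same two numbers map directly onto the per-application bandwidth classes of a cloud security service, which is where the chapter recommends applying them.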
CIO Journey
National Oilwell Varco
Office 365 Migration at Scale
| Field | Value |
| --- | --- |
| Company | National Oilwell Varco |
| Sector | Oil and Gas Manufacturing |
| Driver | Alex Philips |
| Role | CIO |
| Revenue | $7.3 billion |
| Employees | 25,000 computer users |
| Countries | 65 |
| Locations | over 600 |
Company IT Footprint: National Oilwell Varco is a globally distributed company with plants or operations in over 600 locations. Of its large computing workforce of 25,000 employees, 70% are mobile with laptops.
“Forced by necessity, we had to figure out how to embark on our own journey to modernize and adopt new technology to our business.”
Alex Philips, Chief Information Officer, National Oilwell Varco
National Oilwell Varco (NOV) is a manufacturer of oil well equipment, such as drill heads. This is a story of how NOV took a pragmatic approach to the cloud when it needed to get rid of legacy technical debt. NOV's goals: more capabilities and lower costs. Cloud transformation helped NOV power quantum changes in its IT infrastructure, even during challenging economic times while still delivering. Alex Philips is the Chief Information Officer at NOV. In this next journey, he shares how his team found a way for its globally distributed organization to be secure while upgrading the tools and processes it used in the cloud.
In the words of Alex Philips:
I was CISO of National Oilwell Varco (NOV) when the bottom dropped out of the oil and gas market. Spot prices for crude plummeted below $30 per barrel. I had a long career at NOV, working my way up from system administrator. Over that time I had established trust with the executive leadership and my teams. I had 20 people in my security team with plans and budgets to grow that to 40. Shortly after the crisis hit, our CIO departed and I stepped into the dual role of CIO and CISO. My primary task? Cut costs. Do more with less.
The downturn impacted the entire oil and gas exploration industry, including our customers. Once profitable at $70 per barrel, everyone needed to cut costs to face a new reality. Part of the response was the digitization of oil and gas exploration. The mantra was “more data.” We began to instrument our products. We could save on wear and tear and replacement costs for our customers. Of course, they were making decisions—using data—that allowed them to make better choices about where and when to drill. Over time, the industry has achieved profitability at $40 per barrel.
NOV Footprint
As a company, we had beefed up our IT security in the 2010 to 2014 timeframe. It was time to think about a refresh cycle, but many of our larger locations were upgrading from 1-gigabit to 10-gigabit networks. There is a huge cost difference in security appliances to make that transition and to handle 10 gigabits of traffic. We were looking at a $2 million investment just to maintain the same capability. And what about the OPEX to maintain all that gear? How could we reduce that?
It started with Office 365
I remember everyone was talking about the cloud. Microsoft was pushing really hard on Office 365. We had almost a hundred Microsoft Exchange servers globally to maintain that contained over a petabyte of email storage. It was going to cost $12 million to continue down that path of managing our own email, and it was only growing larger. I remember deciding, “Let’s just give our email to Microsoft to manage.”
So we began that journey, a change to the way we did business in IT. Before the downturn, we had purchased all of our own servers and did everything in-house. The downturn got us thinking and led to a strategic pivot towards the cloud.
I remember thinking, “All these security appliances, this is ridiculous.” All of those mobile employees did not work behind those security appliances. They were going directly to the internet. With the Zscaler cloud service, we could protect them no matter where they were.
We did not have a sanctioned cloud storage solution at that time. However, the move to Office 365 gave every user a terabyte of storage on Microsoft OneDrive. Now, each user can share data and folders with third parties and be more effective.
An interesting fallout from this transformation to the cloud is that we actually expanded our technology footprint. Ironically, shifting to Microsoft cloud services with secure access from anywhere meant we could also support iPads, Macs, and even iOS phones.
The reaction from our employees was amusing. Here we were slashing tens of millions of dollars from our budget, while at the same time enabling modern tools. Our users were thinking IT was spending so much on all this new stuff, when in reality we were spending dramatically less and delivering more.
Embracing SaaS applications
It’s funny how cloud adoption happens. Often it is organic. Users use new technology before IT gets dragged in. Smartsheet for project tracking and collaboration is an example. Users had flocked to Smartsheet, and the IT group got pulled in to manage identities and access. We have adopted it as a sanctioned application.
We transitioned our limited unsanctioned Dropbox users to OneDrive. We have also seen a massive uptick in Slack usage for collaboration. IT has not embraced it, but thanks to our cloud security service, we are comfortable with people using it even though it is not yet officially sanctioned. We definitely see the shift to cloud applications. We have even begun the journey of moving HR and corporate finance to the cloud.
Shifting our HR and corporate finance to the cloud is a major leap for us. These applications are publicly available over the internet instead of in our data centers. I don’t have direct access to the underlying database, and I don’t need to maintain it. Everything is done through APIs, and I don’t even have to schedule outages and deployments for upgrades.
A multi-cloud strategy
We are taking a pragmatic approach to the cloud. We don’t have a cloud-first strategy; we have a “cloud when it makes sense” strategy. We need to get rid of legacy technical debt. It needs to be cheaper, and it needs to give us more capability.
And then there are our internal applications. We count over 2,000 official internal applications, and I am sure there are more we don’t know about. We have rarely forced people to quit using an application. At one point we had 70 different ERP systems. It costs millions to change ERPs and is very disruptive. We have learned to live this way and perform lots of consolidation of financials to do the mapping of general ledgers and reporting. We also have a data warehouse that allows everyone to use their existing ERP, while we can see the whole picture.
For public cloud we have adopted a multi-cloud strategy. We do have IaaS on Amazon and Azure and are actively looking at adding Google and Oracle. We are only moving workloads to the cloud where it makes sense. We have started a project to do a full analysis to figure out what it truly costs to host a server in our data centers.
Given that, we are not looking at re-doing most of our applications. When the next cycle of higher oil prices comes, the questions will be, “How do we refactor the business? How do we look at machine learning? How do we look at containerization?” We are at that beginning phase where we are deciding to not make a monolithic big app but rather 20 to 30 microservices that can be tied together, something that is cloud ready.
The cloud delivers more functionality and at a lower cost
Take Zscaler as an example of “just software.” We were able to get rid of our expensive and hard-to-maintain security appliances, while taking advantage of the scale and redundancy of Zscaler. We now point our traffic to two different Zscaler data centers. I did not have the money to do this in the old appliance world as it would have cost twice as much. We get more features, cheaper, along with more capability.
Office 365 is the same way. More features, lower cost, more capability like OneDrive and Teams. We are confident that moving HR and corporate finance to the cloud will have the same advantages.
Leveling the playing field with cloud
IT has always been a competitive advantage. It drives the dual objectives of serving more customers and reducing costs.
But now the cloud is leveling the playing field. I worry about how cloud transformation is going to change the competitive landscape in our industry. In the old days, if you were a small “mom and pop,” you did not have data analytics, massive data warehouses, or a digitally collaborative platform. That was reserved for large organizations such as ours with over 20 years of investments in systems, processes, and people. All of a sudden, the small shops can get better IT in the cloud. They don’t have to hire IT people, buy and deploy servers, or build data centers. They can essentially leapfrog us without making a huge investment. To their customers, they have better technology than the large players.
Network transformation with SD-WAN and cloud security
We had eleven internet egress points around the world optimally arranged in the traditional MPLS hub-and-spoke architecture.
Currently, we are on a journey to more of a mesh with SD-WAN. Our network team is excited by the promise of SD-WAN: use software to control the network and deploy low-cost boxes across the network. This gives us internet circuits that are ten times faster than traditional MPLS dedicated circuits, without any impact on quality. With the SD-WAN approach, the data in transit is always encrypted, addressing potential issues we may encounter in many of the countries where we operate.
“Our mantra: You should be able to access your data anytime from anywhere on any device (within reason).”
Our MPLS mandate was that the network had to be reliable, always up. We think with SD-WAN we can failover to cellular or our employees can head to a Starbucks to get access. Considering the fact that our MPLS budget has exceeded $400K per month just to service the 100 United States facilities, there are a lot of financial benefits to be clawed back by moving to SD-WAN, where we point all internet traffic to Zscaler’s cloud security platform. We are also excited about the cost saving potential of applying this to our other 500 global facilities. Of our internet traffic, 20% is Office 365. Another big chunk is YouTube, which we used to block but now allow because users were watching so many work-related instructional videos.
Local internet connections through an aggregator
We had hoped that we could find ISPs for each location, even assumed that a facility manager—who already was responsible for power, water, light, heating, and physical security—would be able to find good internet providers. This was a bit too optimistic and not moving as fast as we hoped, so we found a broker to manage all those connections. It cost a little more, but our management requirements are much lower.
Enhanced security
On the endpoint, we transitioned to whitelisting several years ago. We tried multiple traditional antivirus companies, but they just couldn’t keep up with the threats. We used to have 100 machines a month that had to be quarantined and re-imaged. Now with cloud security and whitelisting, it is one a month. We don’t have a malware or ransomware problem at all.
The number one attack vector is email, so we invested in advanced sandbox solutions for attachments and URL rewrites for links.
Getting executive buy-in for transformation takes work
On the matter of getting buy-in, I am a little bit spoiled. I have been with the company for twenty years, from executive support for PCs to servers, ERP, networks, and architecture. At some point along the way, I led our teams that designed or built most of our infrastructure. As we acquired hundreds of companies, I led the teams to integrate them into our collective whole. I have gained a lot of trust as a problem solver. This is why after we experienced a security incident, they turned to me to build a security team. When it came time to replace the CIO, they turned to me again. You have to establish that level of trust. Deliver on what you say you are going to do and the executive team will trust your direction.
The biggest challenge for me has not been executive buy-in, but it’s getting buy-in from my IT staff. When I put these big audacious goals out there, when I said get rid of appliances and move to Zscaler, I got push back. We had a 90-day deployment proposal from Zscaler. I told my staff they had 60 days and they got it done.
Advice to CxOs—What to do
You have to have pervasive visibility. If you don’t, there is no way to know what is going on your endpoints. Most endpoints are not in your walled garden anymore. Can you even tell if you have a problem?
You need to look at this as a win-win situation. I think we will all end up with a hybrid strategy. Use cloud where it makes sense. That will be different for every company. I can’t see a reason to be locked into any single cloud provider of IaaS.
IT leaders need to understand that the days of simply having IT as a competitive advantage are over. IT is just turning into a cost to do business. Even the guy that digs a ditch has a website and email. You have to figure out how to tie everything together to create greater insights on your business to get back the competitive advantage.
Advice to CxOs—What not to do
I would avoid sticking to the same vendors that you have always used, as their main goal is to preserve or grow revenue, not save you money. Look at all the upstarts. A smaller company can offer amazing technology and support and is not stuck in the old mindset.
Avoid complacency. If something is not working, you have to change. If you committed to something and realize it was a mistake, suck it up and move on. It feels like we had our heads in the sand during the boom times. The oil crash forced us to look at everything and transform how we do business. We experienced a forced wake-up call and we recognize that we still have a long journey ahead of us.
Chapter 5 Takeaways
Office 365 is driving the transition to the cloud for many organizations. While cost reductions and productivity gains may be the result, the business must be cloud-ready before embarking on an Office 365 migration project. Be aware that demand for network bandwidth will skyrocket when you move to Office 365. Ensure that your users can get to Office 365 as directly as possible from each location. This invariably means that local internet breakouts will be needed.
- Pay for local internet breakout with savings from reduced MPLS circuits.
- Look for ways to reduce the number of hops between a user and Microsoft’s data centers.
- Additionally, mobile users will need to get access from wherever they are.
- Use bandwidth throttling to balance Office 365 bandwidth consumption against other critical apps.
- Don’t make the mistake of hosting DNS in the data center.