The University’s Carolina Next strategic plan calls for adopting a multi-cloud systems and services strategy as a way to reduce costs and increase research flexibility. Toward that initiative to transform administrative operations via a multi-cloud strategy, ITS has been pursuing multiple initiatives to cultivate the proper use of cloud computing technologies at the University.
Over the last year and a half, the ITS Infrastructure & Operations (I&O) cloud engineers have collaborated with Research Computing, the Information Security Office, Networking and other ITS engineering resources to establish secure boundaries by which the University’s research and administrative units can safely explore cloud-based technologies.
We asked John Mack, Assistant Vice Chancellor of ITS Infrastructure & Operations, to discuss his group’s efforts to advance cloud computing at UNC-Chapel Hill.
What is I&O’s cloud strategy?
We aim to provide a safe cloud computing environment with all the built-in security safeguards and to offer our partnership as a utility to help units in their cloud journey.The use of cloud computing at Carolina is not new. Most of us know that our campus Microsoft 365 applications — email and Word, for example — live in the cloud and that ITS has nearly finished moving the University to WordPress in the cloud. Roughly, where would you say we at the University are in this cloud journey?
A unit’s cloud journey is determined by its cloud strategy and its ability to execute on that strategy. There are five stages of cloud adoption (Experimentation, Foundation, Migration, Transformation and Optimization). Also, keep in mind there are 90 available products and services offered via the Google Cloud Platform, Amazon Web Services features 175 products and services, and Azure boasts a total of 600. A unit can be operating in one or more of the cloud adoption stages depending on its service delivery plans. ITS has done a lot of foundational work for information security. Our next phase is to weigh our options for production migrations.What is I&O’s role in influencing technology adoption or assisting with transformational initiatives?
Transformations can be challenging as new technologies and foreign processes may threaten established norms, create confusion, and generate resistance between support teams and end users.Also, accommodating the will of the customer with little control or oversight can create unintended security gaps. We strive to be helpful, apply expertise where needed, and we always seek a balance in our approach to keep friction to a minimum while protecting the organization from data loss and financial harm.
Information security is paramount as you advance cloud computing. How can you best support research and administrative cloud initiatives while confronting the risk associated with cloud computing?
Our key solution is to engineer a structured process and build an environment with guardrails for information security.Inherent in the foundational structure of our safe cloud computing environment is the security design. Our engineers have placed a lot of emphasis on designing for three classes of sensitive data to allow for a balance in protection and customer flexibility. One design option is for non-sensitive information, which imposes fewer controls and extends more rights to the customer. Another level of data design offers additional controls based on the individual scenario. The customer may have certain rights and privileges, but not as much as the non-sensitive designed solution. The third option is even more restrictive and is also evaluated on a case-by-case basis depending on the customer needs.
Your team’s cloud efforts have focused on the three of the most prominent cloud providers — Amazon Web Services, Azure and Google Cloud. What role do these platforms play, why are they a focus for ITS, and how is ITS using them?
The relationships with these service providers existed prior to the I&O foundational work to create a more secure cloud computing environment. Several business drivers precipitated those relationships including customer demand, availability and simplicity of services, computational and analytic capabilities, and office productivity. Also, AWS, Azure and GCP are well known as the top three cloud service providers and they are representative good options for our campus. ITS leverages Azure for Microsoft 365 and for hosting our disaster recovery data backups. We host Tableau in AWS and we host approximately 100 active research projects in GCP.How can campus benefit from I&O’s foundational work in GCP, AWS and Azure?
We have streamlined account provisioning. Today, users may now benefit from our Account Vending Machine (AVM) for AWS and Project Vending Machine (PVM) for Google or GCP projects. Work is underway to provide the same structured process for Microsoft Azure. Within the vending machine processes, we leverage infrastructure-as-code tools to provision and configure accounts and projects with cloud providers, which is initiated by a ServiceNow ticket request.How have you been able to ensure that customers don’t have to jump through a lot of hoops to get started?
We have worked with the Information Security Office to be able to set defaults that better address National Institute of Standards and Technology (NIST) standards and have centralized infrastructure and security logs to assist the Security Office and I&O teams with finding anomalies and errors in cloud environments.We know you quite respect and appreciate the work your team and ITS colleagues have accomplished to advance the University’s cloud efforts. Would you like to recognize them?
The core Cloud Engineering/Operations/Security group responsible for the foundational design and some of the recent and impactful cloud related projects are Brent Caison, John Godehn, Chuck Crews, Bruce Messick, Patrick Murphy, Wes Emerson, Ethan Kromhout, Alex Everett, Dave Eiselman and Jared Perdue. We have also benefited from ongoing collaboration and expertise from Tim McGuire, Rob Zelt, Bill Schulz, Jeff Roach, Stephen Braswell, Richard Hill and Danny Shue.