Today’s WAF Assessments: A Report from Two Field CTOs
CloudBrew Episode #13
In this episode of CloudBrew, two field CTOs take on the challenge of cloud assessments.
There’s no shortage of well-architected frameworks to assess against, but it's not humanly possible to check 350 best practice items for every workload a client is running, especially when multiple cloud platforms are involved.
Rizwan and Venkatesh, both field CTOs, talk about what they’re seeing around assessments in client environments, the super-powers that are required to leverage assessments at every stage of the sales process, and the three main benefits of an automated cloud assessment solution – namely scalability, automation, and architecture optimization.
Discover how our NextGen Cloud Governance platform brings together Cloud Assessments, FinOps, SecOps, and CloudOps solutions so you can Cloud with Confidence.
Kaylee: Hello and welcome back to another episode of CloudBrew. For first time listeners, my name is Kaylee Raduenz and I am on the Strategic Alliances Team here at CoreStack. Today's topic is going to be today's WAF assessments, a well-architected framework assessment report from two field CTOs. So we'll be really deep diving into well-architected benefits around automation. Before I get into the meat of it, I want to make sure that I give my two guests the opportunity to introduce themselves.
Kaylee: So, Rizwan do you want to go ahead and kick that off and then we can hand it off over to Venky.
Rizwan: Thanks, Kaylee. First off, I very much appreciate the opportunity to be on the show with you. You might not know it, but it's been an item on my bucket list to be on the same stage as you. And now take that off. Anyways, I'm Rizwan Patel, CTO, Chief Technology Optimist. And I think that really accurately describes my passion for unlocking business value by leveraging technology and an innovative customer obsessed think big paradigm. And I think of the role as kind of a calling cry for the slogan that I think I've heard on TV. A few, The Brave, The Chosen. And with that, I'll turn it over to Venky to introduce yourself.
Venky: Thanks Rizwan. Pleasure to be at the same stage. And Kaylee again, glad to meet you. I'm Venkatesh Perumal CTO at CoreStack, the first and most important thing as part of my role is essentially storytelling. I strongly believe in storytelling in terms of how technology provides a business value and today what we are going to discuss is more about the well-architected assessment. So I am looking forward to this conversation with Rizwan and Kaylee.
Kaylee: Awesome. Thank you guys both for your introductions. So let's get into the meat of things. So, Rizwan, I'm going to shoot at you first. So I have a layered question for you. So as an SI leader, what does Redapt value in well-architected assessments? Like how do you differentiate yourselves? What are some trends you're seeing with your customers? I know that's a loaded question, so I'll give you some time to answer that.
Rizwan: Well, that's a tough crowd out here.
Kaylee: I'm just going to hit you all first and then we can really delve into it.
Rizwan: So I think I'm sure your viewers know this, but what I want to do is kind of set the stage a bit. Yeah. So to set the context, the AWS well-architected framework specifically is a collection of design principles, concepts, best practices that help in both and both is pretty important, both in terms of building and operating secure, high performance, resilient and of course efficient infrastructure for a variety of applications. Starting with the workload building block. I think this is really important because sometimes people get tripped on what the workload is. So the beauty out here is that a workload is nothing but a collection of resources, a collection that delivers to Venky's point business value and could be as small as a report or bigger, such as a backend process or even bigger to cover an entire customer facing application. Now, as you may have guessed, I'm a big fan of the working backwards model and I include that in all my conversations, including ones that involve the well-architected framework review. So questions such as Who is really the customer? What is the customer's problem and opportunity? How do you know that the customer needs or wants what they say they need or want? And most importantly, what does the customer experience look like? And what we do is tie the information that's covered from this looking backwards with our own proprietary maturity model process, a process that incorporates four dimensions people, process, of course technology, and most importantly, business priority. And the business priority is the one that I'm pleased to see is now actually incorporated as profiles in the well-architected framework do. And maybe I'll spend a minute or two on what the profile is because like I said, I'm really, really excited about seeing that incorporated in the product. 
So currently the well-architected framework contains 60 all again, to be more precise, 56 questions and around 351 odd questions if you include the sub questions, choices. And it spans six pillars – cost optimization, operational excellence, performance efficiency, security, reliability and the latest added pillar sustainability and deciding which questions or pillars to focus on when conducting a well-architected framework review. And I'll refer to that as WAFR, since it's easier to pronounce. That is pretty challenging. And this is where the profile concepts like Venky said, the business priority really comes in. They allow us to tailor for a customer specific well-architected reviews based on their business goals. How cool is that? This feature in effect, creates a flywheel in effect, a mechanism for continuous improvement by encouraging customers to review their workloads with certain goals in mind first, and then complete the remaining well-architected review questions. And this notion of continuous improvement, again, pretty important here is in-built into the WAFR to the milestone paradigm and I think is what makes it so well. Removing the notion of a blame game, removing the notion that this is an audit, removing the notion that this is a formal review meeting and gradually to something that you can see is tangible and you can improve upon. And now Venky, I'll turn it over to you to get your insights and perspectives, and then I'll continue again with how WAFR specifically plays an important and effective role in all phases of our customer interaction.
Venky: Absolutely Rizwan, thanks. Thanks for that insight. I think that brings me to the point where why did even the WAFR come into the picture, number one right? And the question goes back to every one of the business who has been continuously asking is, am I getting from the cloud what I was promised? And every time the answer is no, because when they started migrating or moving workloads or creating workloads in the cloud, they were given the promise of cost optimization, security and so on and so forth. But what they really missed out is a guidance, a best practices long overdue from Hyperscalers. And this really started looking into this and which is really, really good, right? And then we know that these best practices by the numbers are huge and AWS has about 350 odd best practice. Similarly with Azure and GCP, they have their own frameworks from a best practices perspective, we need to look at more holistically in terms of each business requires what amount of best practices because not everything is applicable for a set of workload. And we as we know today, the way it is being done is holistically, let me look at your entire footprint of cloud provide you recommendation and you go ahead and fix it. But that's not what is really going to take you to the next phase of your cloud adoption. What is going to really take you to the next phase is looking more into an individual workload, right? Basically, or a group of workload which provides one business value. So if we talk about banking and financial sector, it could be reconciliation as an application or trading as an application. In terms of travel, it could be reservation as an application, right? Or reporting as an application, look at each application workload and see if they are well architected across these five six pillars now, which is operational excellence and reliability, so and so forth.
Once you start looking at each and every workload in these six dimensions, that's when you are going to maximize it. And that's where your outcome of what you really need from a well-architected assessment, really makes sense. And Rizwan, you are spot on it is not a huge task, it's not an audit, it's not a formal thing, but it is kind of the nature of how we want to morph ourselves to embed this process on a day to day basis is what is required. It should not be one done and I'm done. No, because things change. It needs to be done on a continuous basis.
Rizwan: And if I may Kaylee you to tap into, you know what Venky saying also, especially as we talk about how we apply it in a commercial engagement model. And so we do that, you know, across the entire customer lifecycle from sales to customer success. And in fact, like Venky mentioned, to help them increase their cloud adoption. And so the way we do it in pre-sales here is basically as a way to earn trust with the customer, you know, to conduct a WAFR. And you can conduct it not just for workloads that are on a particular cloud, they can also conduct it for workloads that exist on premise as a way to help in the migration efforts. And then also once we've done that, once you establish trust and we actually have an engagement with the customer, we then apply the WAFR for a customer on an existing workload, for an existing initiative that you're working with the customer on.
And to do that, you basically run the well-architected framework review. But more importantly, like Venky mentioned build a cadence to run the review at a regular intervals, be it a monthly, quarterly, weekly, so on and so forth, depending on the workload. And this kind of, you know, running, it continuously demonstrates the value and adds in the build trust paradigm that I referred to in the presales process. And then because we've now established trust, you've shown the value of the well-architected sample review, we can now move into the next piece, i.e. increase the cloud adoption. What I mean by that is kind of applying it on workloads that we don't exist, that we don't manage currently for the customer. And so things down there could be, you know, where we apply cross-selling, upselling opportunities across workloads that may span different domains, different technologies. So for example, devsecops, as a combination of DevOps and SecOps, AI/ML and even industry vertical through custom lenses, and I'll touch upon this later in my discussion and so kind of to summarize that, yeah, the well-architected review can and does have the potential to propel growth from converting prospects to customers to believers and of course eventually to promoters and champions within the organization, helping embody and reinforce principles like trust and customer obsession to the process of helping customers build and deploy faster and importantly, mitigate and reduce risks, which I think is an amazing benefit of the well-architected framework review that sometimes doesn't really get the justice that it deserves, and then to make informed decisions and learn from and implement AWS battle tested best practices, not just once, but as I referenced earlier, continuously within the existing and future environments. 
And Venky I'll turn it over to you now to get any other insights and perspectives and then continue later on with some of the ways that we differentiate offering from other partners.
Venky: Thanks Rizwan. I think we have kind of summarized this and then what we look at in more into in terms of different dimensions. So Kaylee if you have any questions based on what we have discussed so far.
Kaylee: Yeah, yeah. I think, you know, there is. We've already started to talk about some of the challenges, right. The preconceptions of well-architected the reviews per se. But then also we've kind of talked about the benefits of well-architected just as a review. So I guess this would be a question for both of you. What would you guys say the benefits of an automated cloud assessment solution like CoreStack Assessments? We've seen the challenges, we understand the benefits, but how do we really want to play this out in a real world, real world experience? And you guys can both jump in on either of those.
Venky: Absolutely. Kaylee I think let me talk more from a platform perspective because we as you know, CoreStack is more of a platform company. The way that we look at is, one, how can we make the entire assessment much more seamless? Today, we know out of all these best practices, we clearly know what is the potential where we can automate it and what are the potential where we have to literally be, you know, it has to be manual. Where it really adds value from an automated assessment perspective is an ability for our partners such as Redapt in this particular case is to have the first level of conversation with the customer right? If you are going to suck away too much of a time of the customer where you're just, you know, asking questions for hours and then out of the 4 hours of the session, I don't know whether we will lead to where we want to lead. So what is the best way that we can really provide that benefit to the customer to where they are not investing too much time, but that they are also getting the value is to have as many controls, as many checks automated so that when you go ahead and look at workload, you are the very next day or in couple of hours you are able to go ahead and present the outcome to say, hey, you know what, we have run the assessment and these are the areas where we need improvement. The moment you bring in the ability to go ahead and present the area of improvement, that's where the conversation becomes even more important. Okay, while you are able to provide me this, what happens to the other areas where we can go ahead and fix it. So that's number one. And that's where automated really, really adds value. Number two is the platform should be flexible enough to accommodate any more automation that can be built by the partners itself right? They don't have to depend completely on the platform out of the box capability.
They should be able to build their own automation as well because they are the ones who are front ending the customer. They know each and every customer how they behave, what their questions are, what their asks are, what their requirements are, and the platform should enable them to go ahead and do more that’s number two. Number three is ability, providing an ability for them to scale, right? It's not an assessment that we run on one account or one workload, but we are running it on thousands of workloads. So how can a platform really help and summarize this whole scalability in terms of I'm running it for thousand accounts, thousand subscriptions, thousand projects, and you are able to provide a consolidated result where the partner really takes that and goes ahead and have a conversation. So Riz, over to you?
Rizwan: Yeah, thanks. That's a really great segment here, because what I'm going to talk about is kind of, you know, exactly what you said is the way we differentiate our process is through some of our unique nuances that we've added to the strong foundation offered by the tool. And especially and I'll iterate through, you know, what you mentioned to the features offered by CoreStack. So I'll try to go in the same order as you mentioned, number one automation we talk about automation. The way we look at automation is automation is to discovery, to remediation, to reporting and to a continuous lifecycle. And CoreStack really helps us in terms of that, not just the discovery, the other pieces too, but definitely the discovery in terms of know automating the responses to the 350 odd questions and automating it so that like Venky mentioned, it makes the process a bit less rigid, it makes it easier for the customer because hey we've already tried to uplift and fill out the responses to some of the questions. So the automation capability of CoreStack. And the benefits out there and obvious but are listed out anyways are decreasing the discovery time, reducing cost, increasing productivity, and then making these reviews most importantly, more consistent, especially using the benefits and the features offered by CoreStack. And like Venky mentioned, yeah, we then also add on to the automation piece by automating even our own assets. For example, custom lenses. And I know I’ve mentioned custom lenses a couple of times, I promise I touch on this later, but in effect, you know, using our own assets we can then push them to, for example, to code commit as code pipeline, pick them up and to serverless, push it to a to like CoreStack that's capable of looking at this, enhancing it and then creating these, you know, reviews that specific to a customer and could be on one account or could be shared across multiple accounts. 
The other thing that we do and again, just sticking to the, you know, the discovery piece and the automation is once you've discovered you of course, want to remediate and that's where, you know, a unique nuance of making sure that we apply the SMARTFIC principle. When I say SMARTFIC, making sure that, you know, for these the HRIs or the MRIs that we found out, we have a process to fix them in a way that is specific, measurable, actionable, could also be attainable, relevant, time bound. And I add FIC at the end of it being Feedback, continuous improvement, continuous learning, Integrated, and again, going back to what Venky mentioned, integrated with people, process and business priority and clear and this is basically going back to the working backwards paradigm, making sure that this is clear in terms of what the customer really wants and what the customer can get as a result of conducting this assessment in the environment. The second one that you mentioned Venky, is around and it relates to custom lenses, and this is a feature that was introduced by AWS recently and available of course through CoreStack where you can create these custom lenses with your own pillars, questions, choices, best practice and also improvement plan. And you can tailor the questions in the custom lens to be specific to a particular technology or even industry verticals like travel, tourism, healthcare, media, entertainment, etc. So you really, really need a feature available to us through CoreStack. Additionally, like the existing lenses, you can track progress over time by creating milestones. Going back to what was mentioned earlier around this being not just a one time thing, but a regular cadence occurrence at the customer site. And then using that, we can provide periodic status by generating reports again and again reinforcing the notion of continuous improvement.
Some quick metrics around this custom lenses and again, like I said, available to you to through CoreStack is that you can define up to ten pillars. So the six pillars that you have out of the box, you can even extend that to more pillars in your custom lens. You can define up to 20 questions in a pillar, in a custom lens, and you can define up to 15 choices for a question in a custom lens. So like Venky mentioned, lots of room for extensibility. And the final thing that I think Venky mentioned was around scalability, and I'll tap into how that's done. So this concept called review templates and again, an important benefit of leveraging CoreStack, like Venky mentioned, is its scalability and that we can leverage it across all customer sizes, from startups to SMEs to enterprises to greenfield and before CoreStack and specifically before AWS introduced the concept of review templates, performing these WAFRs, especially at large organizations, involved a fair amount of coordination to ensure that we had the right cross-functional participants, increasing not just the time to complete the review, but also invariably make the process less seamless and more expensive. Additionally, historically, there are hundreds of these accounts, teams ended up storing review documents in their own favorite place, which resulted in an opportunity lost around there, not being an easy way to quickly identify risks or spot common issues or trends that could influence improvements. To address this, we have the review templates feature, and what that does is it allows us to perform reviews faster and easier. Specifically, it allows workload users owners rather to automatically populate their reviews with template answers to questions in the tool. These answers serve a sort of shared responsibility contract between the application team and the centralized platform team, security team, finance teams. 
So the application teams now have fewer questions to answer and these centralized teams have fewer of these to attend. The solution also, another benefit provides centralized reporting to provide a consolidated view of the review conducted across organization, helping again to Venky’s point here to drive consistency and standardization of best practices across teams and workloads.
Kaylee: Awesome, really great insights that just it's almost like CloudBrew is not enough for both of us to really deep dive. But, you know, I think we keep it that way as we give the titbits we give the need to know. So I know we're ending our time here on CloudBrew. As I end all of my episodes, we delved into a lot of really good content.
What would you guys want our audience to take away from our discussion today doesn't necessarily have to be a CTA, but what is the need to know or what do we want them to take away from our discussion? And this could be for both of you. So Riz, you want to jump in. We can have a kind of a double edged sword here.
Rizwan: So I'll jump in since I'm the guest here. So, the way I want to summarize and leave the audience is that obviously in general and by using a product such as CoreStack is a lightweight process. And again, I wanted to reinforce that lightweight process is hours and not days conversation that encourages deep diving. To reiterate, it's a blame free approach and definitely not an audit. The purpose of reviewing this architecture is to reduce and mitigate risks, identify any critical issues that need addressing right now and all areas that could be improved and the output or the outcome of the review is a set of informed actions and priority of executing those actions to improve and elevate the maturity of the workload. In effect, it helps to educate environment for me, these best practices throughout organizations and to use that to make our customers cloud adoption, cloud extension journey so much more enjoyable.
Venky: Thanks Rizwan. I think I'll just take forward from where you stopped. Yes, it is not an audit, right? It's a best practice. It's basically a guidance given to everybody to say how well you can utilize cloud to maximize what you're really looking forward for. More importantly, it's a cultural change, bringing that cultural change where you are able to embed the well-architected assessments into your overall way of functioning in the cloud itself. With that, I will stop it because that's what will take you to the optimization that you're really looking for.
Kaylee: Perfect. Thank you both so, so much for taking some time out of your busy day. Rizwan, we are so excited that we were able to grab some time from you and to get some insights from you and the Redapt team. So as we close out today, I want to thank my speakers for today and our listeners. So if you guys want to subscribe, we are on all major streaming platforms. If you want to share with your community, please feel free. And until next time, we'll see you. Thanks.
Rizwan: Thanks again.
Venky: Bye