CIOs today are operating in a complex technology and political climate as they architect their IT infrastructures for a hybrid cloud environment of on-premises, private cloud and public cloud computing services used by both IT and end users.

This complexity is reflected in a February, 2017 of more than 1,000 IT executives and practitioners by SaaS cloud services provider Rightscale. Among the survey findings:

• 85 percent of enterprises had a multicloud strategy;
• Cloud users were running applications in an average of 1.8 public clouds and 2.3 private clouds;
• Enterprises were running 32 percent of workloads in public cloud and 43 percent of workloads in private cloud.

The Rightscale survey also revealed that central IT selected public clouds 65 percent of the time, and it advised and decided on private clouds and also on which applications to move to the cloud 63 percent of the time. Despite this, survey results also indicated that business unit leaders were less likely to give authority to IT for selecting public clouds (41%), deciding/advising on which applications to move to cloud (45%), and selecting private clouds (38%).

What these survey findings illustrate is the push-pull between IT assuming a greater role in cloud selection at the same time that end users want more autonomy.

“In today’s scenario where IT is at the core of business innovation, I hear organizations struggling with potentially opposing priorities,” wrote Marco Meinardi, a research director at Gartner in a . “On one side, business users and developers want more agility and autonomy. On the other side, central IT must continue to achieve governance to minimize risks and improve efficiency at scale.”

Defining a multicloud architecture

The task for CIOs, then, is to define an all-inclusive hybrid IT architecture for on-premises and private/public cloud computing for IT and end users. Minimally, this will require expansion in both breadth (going beyond the footprint of an internal data center, and also including private and public clouds) and depth (applications, systems, networks, data and security have to work across multiple cloud and on-premises infrastructures in order to integrate and exchange information with each other, and new tools and connecting fabric are needed to do that).

Getting all of your IT assets to work together seamlessly and reliably for IT and end users, no matter where the assets are, is no small order. This is why: Every cloud an enterprise uses contains a vertical stack of service offerings.

The foundational layer is infrastructure as a service (IaaS), which consists of hardware and operating systems. On top of this foundation is platform as a service (PaaS), which is a middleware of subsystems, such as web application servers or code libraries that developers use for application development. The top layer is either application as a service (AaaS), which allows developers to write applications on the cloud, or software as a service (SaaS), which is cloud-based applications offered by third-party providers.

When a “citizen developer” in an end user department develops an application on his own, he can sign onto a cloud service and develop and deploy the app for use.  This might work well for his department, but if the app later requires integration with other systems and applications in the enterprise, as most apps do, IT will be called upon when that happens.

If the new app only requires integration with on-premises systems, IT can easily effect the integration and data exchange.  However, if data exchange and integration is needed between two different cloud providers, those clouds must be federated.

Nailing the key issues

CIOs and IT infrastructure architects can stay ahead of the game as they evolve their IT architecture by following these five steps:

1. Discover and track all IT assets

At a time when Gartner estimates Shadow IT to be in large enterprises, CIOs and infrastructure architects must meet the challenges of tracking down all of these stealth IT assets. They must do this to complete the end-to-end IT architecture and full asset portfolio, and also to secure IT assets so unauthorized individuals and entities can’t access them.

There are products in the commercial marketplace that automatically as they enter your networks. And there are IT asset management systems that throughout their life cycles. Either choice, or a combination of both, can assist IT in getting a handle on all of the technology assets that are in the company, whether these assets were installed by IT or end users. In today’s environment, CIOs and IT architects should be actively using these asset tracking and monitoring systems.

2. Define architectural integration paths

In a hybrid IT architecture that is on-premises and in the cloud and used by both IT and end users, the paths of systems, applications and data between these designations must be continuously charted and updated. Every time a new application is brought on board, a standard vetting process should assess what the application needs to connect to. Concurrently, IT architecture should be updated to reflect the integration points.

The most common type of integration is one that shuttles data between cloud-based and on-premises systems.

An example is a manufacturing company that uses IoT to track its shop floor servers, industrial robots and mobile IT appliances that are located in remote plants far from headquarters.

Servers and storage placed in the factories temporarily serve as data stores. However, if the company wants to keep its data under strict governance standards, and to integrate and aggregate all data at some point into a single data repository in the corporate data center, or in multiple data stores that are cloud-based and can readily federate and exchange information with each other, IT has to architect for that.

A common IT architecture for IoT scenarios like this is to document local data stores on in-plant networks and servers that temporarily store data; the uploading of this data to a geographically proximate cloud for temporary storage; and ultimately, the shipment of this data into a central data center where it can be aggregated with other data in a single data repository that is used for analytics. The transport middleware that is used to clean, prepare and move data between these various points should be documented in the IT data architecture.

3. Weave in security and governance

One of the risks of shadow IT, and also of IT that occurs at the edges of enterprises, is that it can be exposed to greater security risks than IT that is centrally managed. Gartner predicts that will come through Shadow IT.

One approach to the problem is a zero trust network that automatically requires end users to abide by corporate security rules for accessing and using data by not allowing them to sign on until their identity has been confirmed. If IT uses networks to discover all assets, and then enacts zero trust network security for end users, security exposure can be reduced throughout all IT architecture.

4. Include cloud federation in your IT architecture

Your IT architecture should cover instances of clouds exchanging data between themselves. You are in control of these data transfers if you are using your own private clouds, but you must also architect for data exchanges with public and private clouds of different providers. Industry work is ongoing between these different providers to effect , but they are far from complete. Your IT architecture must account for that—most likely by including cloud-agnostic middleware that is capable of pulling and pushing data between different types of clouds, and between clouds and your on-premises systems. There is that does this, and these connecting middleware tools should be documented in your IT architecture.

5. Create application development sandboxes for end users

Shadow IT doesn’t have to be the enemy. One cooperative strategy for end users and IT is to create application development sandboxesthat end user developers can use to create applications and test them out. Once an application is tested in the sandbox, it can be moved to more formal testing and production environments. If end users have pre-defined sandboxes where they can develop and experiment with apps, they will be far less likely to contact an outside cloud provider for a place to build and try their apps. These sandbox resources should also be documented in IT architectures.

Final remarks

More than ever, IT architecture must be fluid and changeable, especially with end user computing becoming more of a factor in companies.

The good news is that there are tools that assist organizations in discovering and administering all of their data assets. There are also mechanisms that can automate security protocols and move data between clouds and on-premises systems.

In this environment, the goals for CIOs and IT infrastructure architects are to create pliable architectural designs that can easily accommodate evolving needs of both IT and  end users, while also ensuring the seamless security and governance that organizations expect as part of their risk management.