Multi-cloud landing zone: Build a solid foundation for your multi-cloud estate


Rob Robinson

Head of Telstra Purple

The deployment of cloud services adds a whole new level of complexity to your IT environment. A solid foundation in the form of a secure, reliable, and high-performance landing zone design is the key to multi-cloud success; otherwise, consider a single-cloud solution.

Landing zones (LZs) are not exclusive to any cloud provider but are rather an essential concept or guidebook that provides guardrails and governance for cloud deployment. Gartner describes a secure landing zone as “a fully equipped set of hierarchical constructs, policies, network, and identity configurations where infrastructure and platform resources can land safely.”

Determining how applications and data are hosted in the cloud

An LZ governance model allows you to create preconfigured accounts, infrastructures, and domains that align with security and compliance policies, including data security, network design, and identity/access management. It allows you to repeatedly apply best practices to any workload deployed to the cloud. Account visibility also allows for cost control, utilizing enforced tagging.

Well-defined LZ standards make multi-cloud environments more secure by providing a centralized security reference point for all cloud implementations. They ensure services are correctly configured before workloads are deployed to the cloud. At the same time, LZs provide a secure framework for developers to innovate, ensuring that developments do not deviate from compliance policies.

No one wants the complexity of using different passwords for different clouds. Suppose an enterprise, for example, is using AWS Identity and Access Management (IAM). In this case, a multi-cloud LZ architecture would make this the standard IAM across clouds.

An LZ design can also help to control cloud sprawl by providing enterprises with formal processes. Not having these in place for subscription consumption can result in the uncontrolled proliferation of cloud instances. The LZ design should be intrinsic to the migration plan.

Creating a more secure cloud environment

Enterprises are the target of increasingly sophisticated cyber-attacks. Last year, data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the 17-year history of the Ponemon Institute report.

Last year, the most common initial attack vector was compromised credentials, followed by phishing and cloud misconfigurations.

An LZ reduces misconfigurations and enforces strong credentials. It is essential to understand, however, that LZ guidelines must be continually revisited and reassessed in line with the growth of the business and fluctuating markets. Changes to tooling, upgrades, and APIs, for example, may need to be made, or new business solutions added, such as a threat management solution to detect and respond to increased security incidents.

Speeding up your journey to multi-cloud

Establishing a safe and secure LZ helps realize the benefits of the cloud while steering a course around its complexities. Without it, there is a risk of extended migration schedules, increased cross-team interdependencies, and much higher operating costs.

Accurately deploying security and compliance policies across your cloud estate lets you minimise gaping holes in your security posture and cloud workloads. It also contributes to operational excellence, performance, reliability, and cost optimisation.

Gartner advises that LZ setups should include designing account structures, federation to identity directories, virtual private cloud (VPC) networking, role-based access control (RBAC) roles and rule sets, and infrastructure for monitoring, security, and configuration management. These should be considered an integral part of a migration plan.

Architectural blueprint for a landing zone

It is important to define why your LZ is being built and the business outcomes it needs to deliver. You must have the right plan in place and pull the right skills and team together to construct the LZ plan and manage it on an ongoing basis.

Remember that LZ design should be modular; the first iteration will not be the last. Design it with scalability and business growth in mind.

Creating an LZ can be a daunting task. A single LZ design may be deployed to multiple clouds, but you may not have more than one security policy, for example. It is thus wise to engage with an experienced partner who can help you create an LZ that is consistent and seamlessly integrated across your clouds and your existing environment. As the use of your cloud expands, you need to evolve and implement best practices from your cloud providers and the requirements of new applications. This maintains compatibility now and into the future.

A consultative approach

Building an LZ is complex, and many enterprises face a skills shortage and lack of best practice knowledge. It becomes an even riskier project in a multi-cloud environment, as you need to take on board the different technologies and processes.

This process should start with an audit to identify cloud environments and develop an LZ strategy that embraces best practices. A robust roadmap ensures work is prioritized and can be delivered within resource and budget constraints. An iterative approach is considered best practice. This ensures tools and automation are consistent across all clouds.

There is no one template for LZs. There are many best practices and reference designs that will accelerate the process. Every one is different and needs customising to embrace individual applications, infrastructure, and compliance requirements.

Defining and deploying an LZ for multi-cloud involves creating one LZ standard and deploying it consistently across many clouds. Enterprises that find the prospect of building a robust, agile, and secure LZ to grow with the business daunting would be well advised to bring in consultancy. This will help you create a blueprint for your LZ and ensure you are multi-cloud ready.

Consultants can help draw up an LZ strategy, pinpoint principles, and set out a roadmap for deployment, ensuring automation and tools are consistent across your cloud estate. This will help you manage your resources and users efficiently and easily across cloud environments.

A future-proof mechanism to control your multi-cloud estate

To operate a successful multi-cloud estate, you must proceed in the right direction, but it is never too late to get back on track. This means having an LZ that allows for large-scale migration in an efficient and streamlined manner.

An LZ will improve the quality and speed of service delivery while providing cost control, enhanced governance, and security. It is an essential ingredient in delivering business value.

Telstra Purple at a glance

  • A global telecommunications and technology company.
  • Access to 1,500 certified experts across cloud, security, networks, and modern workspace
  • 30 years delivering transformation in large complex mission-critical environments
  • 4D methodology that delivers major change while minimizing business impact, reducing cost, and mitigating risk.
  • Microsoft Gold Partner and CSP, Azure Expert MSP
  • AWS Advanced Consulting Partner
  • Cisco Gold Partner
  • Equinix Platinum Partner
  • Market leader in cloud connectivity. Noted as a leader in IDC’s 2021 Marketscape for Network Consulting Worldwide.
