Perform a risk analysis
One of the components of a Business Case Analysis is a risk analysis. Agencies have the option to remain on-premises, to leverage Azure Commercial, or to leverage U.S. Sovereign Clouds.
As part of a Business Case Analysis, the Department of Defense requires the completion of a risk assessment and analysis on the basis of cost, schedule, and performance.
Examples of risk
While migrating to the cloud or modernizing workloads carries potential risk, remaining on-premises and continuing to maintain the existing workloads that run there also carries inherent risk.
Some risk considerations include:
Risk Type | Questions | On-premises | Microsoft US Sovereign Clouds |
---|---|---|---|
Advanced Tooling | Is there additional software you must procure and become familiar with in order to run workloads in this environment? | Sometimes | No - Tooling is provided (portal, CLI, PowerShell) |
Application Suitability | Can older/legacy workloads continue to be supported? Will the workload need to be distributed? Does the workload benefit from the scalability and elasticity that the hardware provides? How will you mitigate risk of supporting the workload? | Depends. There's a large capital investment required to implement hardware that can scale when a workload requires it. There's inherent risk that the workload may never need to scale to meet this demand. | Microsoft assumes this risk by already procuring and making hardware and software available to address scale. Most workloads, including mainframes, may be successfully migrated to U.S. Sovereign Clouds. |
Cost Controls | Are there mechanisms in place to ensure costs are controlled? | Depends on the organization | Yes, Microsoft Cost Management and Billing, budgets, quotas, and Azure Advisor provide these capabilities. |
CSO Readiness | Is the Chief Security Officer prepared to oversee the security of workloads? | Depends on the organization | Microsoft provides security, compliance, identity training, and readiness for existing customers at no charge. This helps them to secure workloads running in U.S. Sovereign Clouds. Additionally, Microsoft provides Security, Compliance, and Identity Cloud Solution Architects at no charge to ensure customer workloads operate in the most secure and compliant manner possible. |
Cybersecurity | Are there different cybersecurity tools, processes, and procedures in place to ensure the overall security of the workloads deployed? | Depends on the organization. | Provided as part of the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Cyber Defense Operations Center (CDOC). Additionally, Microsoft provides Security Cloud Solution Architects at no charge to existing Microsoft customers. |
Data Access | How is data access granted or revoked? Who has access to data? | Varies | Data is secure by default. Access to data is only provided when it's granted by using either role-based access controls (RBAC) or attribute-based access control (ABAC). |
Data Governance | How is data and access to data governed? How is data discovered? How is sensitive data classified? How is data lineage tracked and maintained? | Depends on the organization | Provided by using Azure Purview to manage and govern on-premises, multicloud, and SaaS data. |
Data Ownership | Is data being inspected or monitored? Is the type of data being examined or tracked? Who may lay claim to ownership of the data? | Depends on the organization and implementation | From Azure customer data protection: "Microsoft doesn't inspect, approve, or monitor applications that customers deploy to Azure. Moreover, Microsoft doesn't know what kind of data customers choose to store in Azure. Microsoft doesn't claim data ownership over the customer information that's entered into Azure." |
Executive Awareness | How will executives or leadership be upskilled on cloud workloads and continue to be made aware? | Varies by organization | Microsoft provides Business Decision Maker and Technical Decision Maker sessions regularly at no charge for US Sovereign Cloud customers to provide awareness. |
Functional Deficiencies | What are the capabilities that are provided by different services, and where are they made available? | Depends. Organizations must document and maintain the services they provide as well as any potential deficiencies, limitations, or capacity challenges. | Microsoft Learn provides a list of the capabilities provided by each service. The service availability dashboard provides a list of services that are available by cloud environment (this is covered in greater detail in another Learning Path). |
Licensing | How are license costs discovered, negotiated, procured, maintained, and paid for? | The organization is responsible for investigating, negotiating, procuring, maintaining, and paying for licenses for all products and services used within workloads hosted on-premises. | The Microsoft Enterprise Agreement (EA) or Cloud Service Provider (CSP) license agreement provides the terms of the services that are available, and how licenses may be leveraged between environments. Additionally, there are license benefits, such as Hybrid Use Benefit (HUB) and Azure Reserved Virtual Machine Instances that can be used to help save costs. |
Modernization Costs | How will experienced subject matter experts engage to ensure best practices are leveraged for modernization of workloads? | Depends upon whether the organization has support contractors or staff on hand with this experience, and what their labor costs may be. | Microsoft provides, at no charge, resources from the Customer Success Unit to conduct an Architectural Design Session (ADS) to determine how best to modernize workloads, as well as recommend options for delivery (Microsoft Services, Microsoft Partners, etc.). |
Operational Funding | How will consumption of services be tracked, and how will funding be put into place to pay for that consumption? | Depends upon the organization. | Cloud consumers receive an invoice based upon the services they consume. For some consumption plans, a customer must be on an existing contract. |
OS Dependencies | If a workload has dependencies on the underlying operating system, how will those dependencies be addressed, mitigated, or removed? | Depends upon the organization | If a workload has dependencies on the operating system, those dependencies can be managed using a containerization technology, such as Azure Kubernetes or Azure Container Instances. |
Partnerships | Given workforce, staff, and their skills as well as any support contractors, how can partnerships be leveraged to ensure successful deployment and operational support of workloads with the appropriate skills behind them to ensure success? | Some organizations have existing support staff and support contractors, while others don't. | The Microsoft community includes Microsoft Certified Partners as well as Independent Software Vendors (ISVs) to support customers, and to make available software and services through its various marketplaces. Additionally, Microsoft has thousands of Certified Partners who are able to meet the unique needs of Government customers. |
Regulatory Compliance | Does the environment meet current and potential compliance regulations? How will risk be mitigated to continue to meet or support new regulations? Are there subject matter experts on staff to support risk mitigation and implementation? | Some organizations maintain individual or shared resources (ISOs and ISSOs) to validate and ensure compliance of services provided by Microsoft and other cloud solution providers. | Microsoft supports existing regulations and provides staff at no charge to meet new regulations. |
Support Contractor Agreements | How will risk be mitigated for support contractors in the data center or accessing the data center? | The organization is responsible for mitigating the risk. | Microsoft mitigates the risk by ensuring any support contractors it has in place meet all legal and compliance obligations. |
Training and Readiness | How will the workforce be upskilled on planning, deploying, and supporting the workload? | For on-premises workloads, many organizations will provide a training or support clause as part of a labor contract, and require specialized skills as part of that contract. | Microsoft provides over 50 programs, including the Enterprise Skills Initiative, to existing customers to ensure their adoption of cloud technologies is successful. |
Virtualization | Do the workloads you operate benefit from virtualization? Will they require rearchitecture or refactoring? Do you plan to virtualize server workloads, client workloads, or both? Which virtualization platforms will you support? | Many organizations will support a single on-premises virtualization technology for server or client workloads as adding additional virtual technologies, including hardware, software, and support, can become very costly. | Microsoft operates its U.S. Sovereign Clouds leveraging multiple virtualization technologies. |
Importance
Performing a risk analysis and assessment for different workloads is critical not only to determine whether a workload is best suited for on-premises or the cloud, but also to determine which U.S. Sovereign Cloud to use.
Be sure to leverage the resources Microsoft provides in order to best align your risk analysis with the latest information on U.S. Sovereign Clouds.