Date: 2022-10-02

For companies just starting their cloud journeys, it is no cakewalk. There are many questions to address: how to build a business case, which portions to cloudify, how much to keep on-premise, how to train your teams, and ultimately, how to prepare for that final migration.

Lisa Chan, Head of Software Engineering & DevOps at PETRONAS Digital, in an insightful conversation with us, spills the beans on all these big questions. Lisa leads Group Digital’s engineering transformation initiatives. Her unit handles Agile, DevOps and cloud adoption in a one-leg-kick-all fashion.

She also oversees a portfolio of in-house custom built applications covering disciplines such as health, safety, asset management & integrity, plant data historians and visualisation tools, and various productivity tools for use in the office as well as the plant.

Read on to learn more about how PETRONAS Digital is forging ahead with cloud adoption, along with Lisa’s hands-on tips for tech leaders managing cloud deployment.

What have been some of the dominant trends when it comes to cloud adoption by businesses in Malaysia?

I think enterprise migration is a big trend. Once upon a time, every company in Malaysia that was large enough to have one was very proud of their data centres. But with the hyperscalers coming in, the business case is very clear that over time, it makes no financial sense to continue to have a brick & mortar business like this. Companies are shedding expensive private data centers.

Plus, for most companies, having your own data centers is not scalable. For PETRONAS as well, we have an increasingly internationalised workforce. Now up to 20% of our workforce is non-Malaysian, all over the globe. Hence the data centres now make even less sense as you need to make services available to people all across the globe. So the costs, the internationalisation, and the kind of innovation the cloud provides became tipping factors.

Lots of emerging tech, like AI/ML for example, is something you don’t build anymore from scratch but is readily available with leading cloud providers.

Even the observability tooling, insights and FinOps features are built in natively to help companies manage all their workloads in the cloud. These are just some of the key drivers behind massive cloud adoption in Malaysia.

Another factor is the use of the cloud as a competitive advantage (e.g. building a digital business), as opposed to just hosting services. A lot of businesses have started a digital part of their business – which was exacerbated by the pandemic. For instance, traditional banks have launched so many applications for consumer banking. This year, our central bank even approved five digital bank licenses – intensifying the competition in the banking sector.

Strategically, PETRONAS has a goal to be net zero carbon by 2050. And one of the milestones in this direction is that by 2030, at least 30% of our revenues have to come from non-traditional sources. One of the non-traditional sources is digital business and we are now looking to commercialise some of our proprietary products for other companies, where the service might be relevant. This is also driving a lot of cloud adoption for us.

I think these trends have increased the willingness of hyperscalers to open up new regional data centers in Malaysia.

Separately, cloud adoption is also driving up the demand for software engineers/cloud skills/cybersecurity, even in companies that are not selling technology as their primary product.

In your view, what are the key focus areas to keep in mind while choosing cloud computing technology for your organisation? How to decide which aspects of the business to cloudify?



I think for most, business determines the priority based on value potential. And the same is true for PETRONAS. But while the business determines the priority (release dates, investment, which features), Group Digital determines the cloud services needed to build it.

Because we have a hybrid cloud model, we still retain about 10% of our workloads on premise. So the decision is fairly straightforward for us as the default is to go to cloud.

We are a cloud-first organisation. What remains on premise as an exception – say if we have people located in very hard to reach areas with poor internet connection; in that case, we still deploy servers to some of our offshore platforms so that we can run applications that are critical for their work.

Another factor to keep in mind is buy vs. build. One should choose SaaS over custom build wherever possible and commercially reasonable. We also try to stick to low-code development for workflow oriented apps.

Lastly when it comes to legacy vs. emerging technology, most emerging technology will be born in the cloud. We do our best to modernise/refactor active legacy apps as much as possible.

Could you give us an overview of the challenges posed by cybersecurity risks to cloud computing, in Malaysia?

We make reference to the Open Web Application Security Project (OWASP), e.g. insecure configurations, injection flaws, improper authentication, using components with vulnerabilities, inadequate logging & monitoring.

PETRONAS is tackling cybersecurity in a few specific ways. Because we have such a diverse range of workloads and our estate is pretty big – we have about 3,000 servers, 900 applications – we take a risk-based approach to every application.

Every application goes through a cybersecurity business impact assessment. So we evaluate things like: is the business disrupted if the service is not available? If there is a data breach, does it cost reputational and financial damage? We give a risk rating and depending on it, we can choose to put a severely rated application on disaster recovery or high availability infrastructures. We also have standards around multi-factor authentication and single sign-on. So cybersecurity has a huge impact on the way we design for the cloud.

Another way we safeguard our workloads is through our landing zones – which is both a set of policies and automations that we developed with our cybersecurity teams. So anything that is migrated through either AWS or Azure goes through our landing zone – and is compliant from day one.

How is PETRONAS Digital forging ahead with cloud adoption? What is the focus area in this direction?

You are catching us at a very good time because this is the third year – the last year of our cloud migration program. We’ve been using cloud since 2016, but in a very transactional manner with no enterprise strategy. We started our big migration program in 2019.

By the end of this year, we will be 90% in the cloud. By next year, we would have shut down our data center. For us, like for like, it will be 25% cheaper for us to operate on the cloud as compared to the scenario if we had maintained our on-premise operations.

So the subsequent years will be about things such as paying down a lot of technical debt. Because we have a lot of legacy workloads that we migrated which might not be totally fit for the cloud, we will probably sunset some of these applications; some we might rebuild or refactor and make them a bit more cloud native. The second thing we will do is to optimise our spends in the cloud – so a combination of rearchitecting or rightsizing.

We also have a lot of focus on new applications that will be coming up as well. And they will be cloud native as much as possible. Another focus we will continue is capability development for all our staff – more than 1,000 have attended some form of cloud training.

Your one piece of advice to Tech leaders to manage cloud deployment?

First is the business case – it’s a huge investment, so one of the things we decided to focus on was the value realisation. Usually, hyperscalers will do the business cases for free because they want you to move onto their platforms. And oftentimes, it will be inflated. So my advice would be to be as conservative as possible with the business case and to use real information based on actual bottom-up estimates of how much it really costs the company to operate on-premise versus the cloud. Because a lot of business cases that hyperscalers generate for you are not necessarily based on your own information but benchmarks based on similar businesses in the industry.

Another good thing we did was some early pilots. A lot of people in our organisation thought of migration as a very scary, modern and alien thing to do. But we did this program with AWS where they migrate 20 applications within a 50-day time frame. So the accelerated path gives you an opportunity to behave under pressure and also see what it is about your change management processes, your cybersecurity processes, that could potentially become blockers when you start your real migration program. So that was a very eye-opening exercise for us and it helped people to realise the things we needed to change to get prepared for the real program and helped build confidence. Hence small pilots build migration muscle and confidence before starting the real program.

Another thing is we generated a lot of excitement with the capability development programs. PETRONAS is very generous in this regard and pays for anyone who wants to get certified in cloud.

One thing that I feel we could have done differently was that when we reorganised the cloud center of excellence, we were worried that the team would lose focus on on-premise operations if they focus too much on the cloud. So the team was split between on-premise support and cloud support. In hindsight, I think we should have kept them in the same team. We would have been able to remove operational costs much faster. Hence my advice would be to keep the teams together and make the removal of operational costs (e.g. decommissioning of servers, data center shutdown) part of the migration program.

And my final tip is that hyperscalers are often quite enthusiastic when it comes to investing in your migration. So if your workloads are large enough, by all means, ask the hyperscalers to pay for the services needed to actually migrate everything to the cloud. Because you are going to pay them every year for as long as you’ve got workloads with them anyway – so why not offload that one-time migration cost to the hyperscalers as much as possible.