Lisa Chan, Head of Software Engineering & DevOps at PETRONAS Digital, discusses how the company is advancing the usage of the cloud and offers practical advice for tech executives managing cloud deployment.
It is not a stroll in the park for businesses that are just beginning their cloud adventures. There are several issues to be resolved, including how to create a business case, decide which parts to cloudify and which to stay on-premise, train your personnel, and eventually be ready for the big migration.
In an interesting chat with us, Lisa Chan, Head of Software Engineering & DevOps at PETRONAS Digital, spills the beans on all these important concerns. Lisa oversees the engineering transformation projects at Group Digital. Her team takes a one-leg-kick-all approach to managing Agile, DevOps, and cloud adoption.
She is also in charge of a variety of productivity tools for use both in the office and in the plant, as well as a portfolio of in-house, custom-built apps for areas like health, safety, asset management, and integrity.
Continue reading to learn more about PETRONAS Digital’s progress with cloud adoption and practical advice from Lisa for tech executives managing cloud implementation.
What have been some of the key trends in Malaysian companies’ usage of the cloud?
I believe that business migration is a popular trend. Every Malaysian corporation that was large enough to have one once took great pride in their data centres. However, with the entry of the hyperscalers, it is abundantly evident from the business case that it will eventually be unprofitable to maintain a brick and mortar operation of this kind. Costly private data centres are being eliminated by businesses.
Additionally, establishing your own data centres is not scalable for most businesses. We also have a workforce that is becoming more globally diversified for PETRONAS. Currently, up to 20% of our personnel worldwide is not Malaysian. Because of the necessity to make services available to people worldwide, data centres are even less necessary nowadays. Costs, globalisation, and the type of innovation offered by the cloud thus become decisive factors.
Many cutting-edge technologies, including AI/ML, are now widely available from top cloud providers rather than being created from scratch.
Even the observability tooling, analytics, and FinOps technologies are fully integrated to support businesses in managing all of their cloud workloads. These are only a few of the main forces behind Malaysia’s widespread cloud usage.
The use of the cloud for competitive advantage, as opposed to just providing hosting services, is another consideration. Many companies have begun a digital component of their operations, which was made worse by the epidemic. For instance, traditional banks have introduced numerous consumer banking applications. The competitiveness in the banking industry has increased as a result of our central bank this year even approving five licences for digital banks.
Strategically, PETRONAS wants to be carbon neutral by 2050. A significant step in this approach is the requirement that by 2030, non-traditional sources of income must account for at least 30% of our total revenues. Digital business is one of the non-traditional sources, and we are currently looking to commercialise some of our exclusive goods for other businesses where the service may be pertinent. This is also helping us adopt the cloud much more.
I believe that these trends have enhanced hyperscalers’ desire to establish new regional data centres in Malaysia.
Separately, even in businesses that don’t sell technology as their main product, cloud adoption is increasing the demand for software engineers, cloud expertise, and cybersecurity.
What are the main considerations, in your opinion, while selecting cloud computing technology for your business? How do I choose which business operations to cloudify?
I believe that in the majority of cases, company prioritises according to value potential. The same holds true for PETRONAS as well. However, Group Digital chooses the cloud services required to construct it while the business decides the priority (release dates, investment, and specific features).
We still keep roughly 10% of our workloads on-premises because of our hybrid cloud approach. As the default is to use the cloud, the choice is therefore quite simple for us.
We operate as a cloud-first company. As an exception, we continue to deploy servers on some of our offshore platforms so that we can run apps that are essential for their work, such as when we have people in remote locations with bad internet connections.
The decision to buy vs build should also be considered. SaaS should be chosen over custom builds wherever practical and financially feasible. For workflow-oriented apps, we also make an effort to stick with low-code development.
Finally, the majority of emerging technology will be created in the cloud when comparing it to legacy technology. We make every effort to modernise and rework live old apps as much as we can.
Could you give us a general summary of the difficulties Malaysia has with cybersecurity dangers to cloud computing?
We use the Open Web Application Security Project (OWASP) as an example, citing unsafe setups, injection problems, poor authentication, employing vulnerable components, and insufficient logging & monitoring.
PETRONAS has several distinct strategies for addressing cybersecurity. We employ a risk-based approach to each application because we have such a wide variety of work loads and our estate is so large (it has roughly 3,000 servers and 900 applications).
An evaluation of the business impact on cybersecurity is performed for each application. Therefore, we assess factors like: Will the business be affected if the service is unavailable? Does it cost money and reputational harm if there is a data breach? We assign a risk rating, and depending on it, we can decide whether to place a highly rated application on high availability or disaster recovery infrastructures. We also have standards for single sign-on and multi-factor authentication. Therefore, cybersecurity has a significant influence on how we build for the cloud.
Our landing zones, which consist of a collection of policies and automations created in collaboration with our cybersecurity experts, are another method we protect our workloads. As a result, everything that is moved over AWS or Azure passes through our landing zone and is lawful from the start.
How is PETRONAS Digital advancing the use of the cloud? What is the direction’s primary focus?
Due to the fact that this is the third and final year of our cloud migration programme, you have caught us at a highly advantageous time. Since 2016, we have been utilising the cloud, but only in a purely transactional manner and without an enterprise plan. In 2019, we launched our extensive migration programme.
We will be 90% in the cloud by the end of the year. We would have closed down our data centre by the following year. When compared to the case where we had kept running our on-premise operations, operating in the cloud will be 25% less expensive for us.
Thus, a lot of technical debt will need to be paid off in the ensuing years. We may need to rebuild or rework some of these programmes to make them slightly more cloud native because we migrated a lot of historical workloads that may not be completely suitable for the cloud. The second thing we’ll do is optimise our cloud spending, which will involve either re-architecting or right-sizing.
We also place a lot of emphasis on forthcoming new applications. Additionally, they will be as cloud native as feasible. We will also keep putting effort into improving the skills of every member of our employees; to date, more than a thousand have taken part in cloud training.
What is your best piece of advise for managing cloud rollout for tech leaders?
The business case comes first; as it involves a sizable investment, we choose to concentrate on value realisation as one of our main goals. The business cases are typically completed for free by hyperscalers because they want you to use their platforms. And it will frequently be overstated. Therefore, my recommendation would be to be as conservative as possible when developing the business case and to use data that is based on accurate bottom-up estimates of how much it actually costs the company to run on-premises versus in the cloud. Because many of the business cases that hyperscalers create for you aren’t necessary based on your own data but rather on benchmarks from other companies in the same industry.
We also made some solid decisions by hiring early pilots. Many people in our organisation viewed migration as a very unsettling, contemporary, and foreign activity. However, we completed a programme with AWS whereby 20 applications were moved over the course of 50 days. Therefore, the expedited approach gives you a chance to practise acting under pressure and to identify any aspects of your change management and cybersecurity processes that might prove to be obstacles once your actual migration programme gets underway. So, that exercise was incredibly illuminating for us. It made people realise what needed to change to prepare for the actual programme and helped individuals gain confidence. Small pilots so develop their migrating skills and confidence prior to beginning the actual programme.
The excitement we created with the capability development programmes was another thing. In this sense, PETRONAS is quite kind and will pay for anyone to obtain cloud certification.
When we reorganised the cloud centre of excellence, we were concerned that the team would lose focus on on-premise operations if they focused too much on the cloud. This is one thing that I think we should have done differently. As a result, the staff was divided into on-premises and cloud support sections. I now believe that we ought to have kept them on the same team. We could have cut operational costs far more quickly. Therefore, I would suggest keeping the teams together and incorporating the elimination of operational costs (such as server decommissioning and data centre shutdown) into the relocation programme.
The last piece of advice I have is that hyperscalers are frequently very enthusiastic about investing in your relocation. Ask the hyperscalers to pay for the services required to truly transfer everything to the cloud if your workloads are large enough. Why not offload that one-time migration expense as much as you can to the hyperscalers because you will be paying them annually for as long as you have workloads with them.
