How We Went Infrastructureless

“Many people ask us, how can a tech company actually survive without infrastructure in its office?”

In today’s connected world the traditional sense of a business working in an office with a myriad of unhelpful IT staff simply doesn’t cut it. Businesses need to be nimble and fast paced and simply can’t perform when their IT infrastructure doesn’t reflect the same principles.

At JUICE we realized that limiting staff on their devices led to roadblocks in performing effectively. Things like, not being able to curate updates or having to ask IT for a password reset periodically – quickly became time wasters, taking away focus and time from the staff member and IT team. This led to a need for change, not in the way processes were followed, but from the ground up, defining the infrastructure that put in place those processes. A large part of these sorts of roadblocks come from outdated technology and/or infrastructure that isn’t up to snuff at keeping pace. Having servers on-site that need to be maintained, upgraded and regularly patched, requires time, effort and potential down-time – All of which simply isn’t an option when you’re a fast paced and nimble technology company.

Here comes the cloud…

The cloud has been a scary word for many businesses and rightly so, as local infrastructure hasn’t really kept the pace that companies like Amazon and Google have been rapidly setting. A traditional IT setup for an office of a 100, would likely consist of multiple physical servers, with a virtualization layer, upon which multiple virtual servers exist. There’s likely a Directory for users and authentication, DNS and DHCP, Update servers and any other additional Application servers the business may need. Along with this is generally a cabled and wireless network with arbitrary layers of security. This all costs a lot of capital expenditure to purchase and many man hours to maintain, however with the influence of the cloud on many of these services, it’s not easy to connect everything and pin that connection to a person.

The main concern is generally security, followed by uptime and availability. These two concerns have taken quite a few years to be mastered in the big bad cloud world, which is evidently, not so bad anymore. Every cloud service we introduce into our business, has the ability to be securely connected via API to our cloud identity service. This service is hosted by two of the 3 major cloud offerings and follows strict AICPA and SOC controls to ensure auditable security.

A people approach to the problem

Considering the above, we decided to strip everything away and take a people approach to how we tackle IT and its associated infrastructure. This meant starting with the idea of people having an identity and that identity linking them to the services and applications they’d need for their role on a day to day basis. This meant looking at on-site infrastructure the same way, could it be connected to the identity service, was it still needed considering this new approach? These were all questions that we spent time answering along with considering the security impacts of each item.

We decided on a mostly Operational expenditure and a requirement that where possible daily tasks should be automated and everything should be connected. This meant migrating staff to a cloud directory, moving files to the cloud and removing the need for a traditional VPN connected to the office. Applications were also all migrated to the cloud, again following the requirement of SOC compliance from each vendor. It all starts with our HR department onboarding people within our HRIS, of which flows into the cloud directory (eliminating the potential for IT to misspell a name etc). All pertinent information about the person is passed to the directory with  the intent of curating what the staff member should have access to. This process follows strict rules and delegations based on department and job title along with some manual checks from the IT team.

Applications are now pinned to departments and job titles, and provisioned “automagically” as needed (ie, only if the user logs into it) – meaning we’re only licensing for what we’re using. As many users won’t use all of the services provisioned to them, we apply the JIT (just in time) method via SAML or OIDC and secure API.

The big bang…

Yes traditional IT folk will ask how we curate updates, or secure our company data etc – and the answer is, Microsoft and Apple do (we simply added an extra layer in the past, by approving them, often being far behind in security updates). From time to time this can bite us, with large version changes etc, but we communicate frequently with our staff and teach them the knowledge they need to understand when to update etc. As for the data, if a laptop were to walk out of a coffee shop, or be left on an airplane, it’s simply remotely locked or wiped and the second its back online, it has no access to the services where the data is held. Again we teach our staff not to store things locally and unsecured and show them the best process to follow to keep safe, rather than not educating them and trying to catch all the balls when they fall, because we have to remember we are dealing with people and reality is- balls will fall.

We’ve found this approach to work extremely well for JUICE, it fosters ownership for staff and free’s the IT team to focus on helping people and planning for the future. We’re no longer bogged down worrying about our backup schedule or whether the UPS batteries are frequently changed. #WIN

Does it work?

The answer is…. YES! We’ve successfully supported over 100 staff in multiple locations, with an FTE count of one, yes one IT staff member. It’s not without challenges though, we have a major reliance on office internet (though who doesn’t) – and should there be a significant outage with any of our cloud vendors we would be impacted. However considering 2017 compared with 2015 (cloud vs local), the amount of times our staff members were impacted went from multiple, to one. During a major AWS outage, that couldn’t be avoided (by half the world).

We rely heavily on staff taking full ownership of their devices and treating them as their own, which works really well. We’ve put the power in their hands, for updates and software installs – along with allowing them access to company applications anywhere they are. Of course all secured via our cloud offerings at a much more attainable rate than we could secure local infrastructure.

So now onto the mission of renovating our server room into a beer fridge – I mean priorities people!