Over the past few years, we have assisted mining and manufacturing organisations in adopting the cloud to stay competitive by utilising the latest cloud technologies. We have observed that some organisations prefer to follow a Segregated Model, where there is a requirement to separate the Operational Technology (OT) and Information Technology (IT) environments in the cloud. This is often the case for large organisations where the operational priorities for OT (Integrity, Availability and Confidentiality) differ from IT (Confidentiality, Integrity, and Availability).
On the other hand, other organisations, typically small to medium-sized, prefer to adopt a Converged Model, which is simpler and more cost-effective and does not require separation of the OT and IT environments. These organisations prefer a tight integration between OT and IT. This blog post will discuss the pros and cons of these two approaches.
The Segregated Model
The Segregated Model is often adopted by large organisations that have already segregated their on-premises OT environment from IT and want to maintain this approach in the cloud. Extending this approach to Azure requires a dedicated Azure AD tenant for OT. This allows separate security policies to be applied and controlled, and different system life cycles and management methodologies to be maintained independently of IT. However, it results in additional operational and management overhead, as well as duplication of management workloads and licenses. In an earlier post we discussed Extending Operational Technology to Azure in alignment with the traditional Purdue model. It's worth reading that post to understand how an organisation would adopt the segregated model.
From an Azure management group perspective, the segregated model results in a fully segregated management group structure, as it utilises two separate Azure Active Directory tenants. This creates full isolation of the OT environment from an identity perspective. A common structure we have seen among organisations, based on the Microsoft Cloud Adoption Framework (CAF) reference architecture, is illustrated below.
A common network structure established while using the segregated model is illustrated below.
Pros of the Segregated Model
- No impact to OT environments from IT security vulnerabilities
- Aligns with the traditional Purdue model
- OT environment separation/de-merge is easier (modular)
Cons of the Segregated Model
- Operational and management overhead
- Duplication of management workload
- License duplication
- Duplication of identities
The Converged Model
The Converged Model involves on-boarding OT workloads into the same Azure AD tenant as IT. OT may have virtual networks separate from IT but share the same hub/gateway network. From an identity and access perspective, organisations may segregate the OT workloads into dedicated OT subscriptions. This approach is becoming increasingly popular due to the overlap between IoT and OT and the cost savings that can be achieved through shared services. However, it also comes with security risks, as OT is no longer segregated from IT. This model is often chosen by small to medium-sized organisations that are looking to simplify their environment and reduce the cost of implementation.
From an Azure management group perspective, access management segregation is maintained as illustrated below. Note that from an identity perspective, the same Azure Active Directory is used for identity and access management in this model.
From a network perspective, OT and IT share the same hybrid network connectivity. However, OT has its own dedicated virtual networks specific to OT workloads. A central IT firewall can be used to govern the traffic routed from the OT on-premises networks to the Azure OT workload network. A common network topology for the converged approach is illustrated below.
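As an added example, not taken from the original post, the following Bicep template shows the converged network topology just described: a shared hub virtual network hosting a central Azure Firewall, a dedicated OT spoke virtual network peered to the hub, and a route table that forces traffic between the OT workload subnet and the OT on-premises range through the firewall, where a network rule collection allows only a named OT protocol. The resource names, address ranges (10.0.0.0/16 hub, 10.1.0.0/16 OT spoke, 192.168.10.0/24 OT on-premises) and the allowed port (4840, OPC UA) are assumptions chosen for illustration.

```bicep
// Added example: converged-model hub/spoke with a central IT firewall governing OT traffic.
// All names and address ranges below are assumed values, not from the original post.
param location string = resourceGroup().location
param otOnPremPrefix string = '192.168.10.0/24'   // assumed OT on-premises range
param otWorkloadPrefix string = '10.1.1.0/24'      // assumed Azure OT workload subnet

// Shared hub: IT and OT both use this network for hybrid connectivity.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      { name: 'GatewaySubnet', properties: { addressPrefix: '10.0.0.0/27' } }
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.1.0/26' } }
    ]
  }
}

resource fwPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-afw-hub'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Central IT firewall: only explicitly allowed OT flows pass between on-premises OT and Azure OT.
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnet.name, 'AzureFirewallSubnet') }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
    networkRuleCollections: [
      {
        name: 'ot-onprem-to-azure-ot'
        properties: {
          priority: 100
          action: { type: 'Allow' }
          rules: [
            {
              // Allow only the OT protocol the workload needs (OPC UA on 4840 is an assumed example);
              // everything else from the OT on-premises range is dropped by the implicit deny.
              name: 'allow-opcua-from-ot-onprem'
              protocols: [ 'TCP' ]
              sourceAddresses: [ otOnPremPrefix ]
              destinationAddresses: [ otWorkloadPrefix ]
              destinationPorts: [ '4840' ]
            }
          ]
        }
      }
    ]
  }
}

// Route table on the OT spoke: traffic towards the OT on-premises range goes via the firewall,
// not directly through the hub gateway, so the central IT firewall can inspect and govern it.
resource otRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-ot-spoke'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'to-ot-onprem-via-firewall'
        properties: {
          addressPrefix: otOnPremPrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}

// Dedicated OT spoke: separate from IT spokes but sharing the hub.
resource otVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-ot-spoke'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      { name: 'snet-ot-workloads', properties: { addressPrefix: otWorkloadPrefix, routeTable: { id: otRouteTable.id } } }
    ]
  }
}

resource hubToOt 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hubVnet
  name: 'peer-hub-to-ot'
  properties: { remoteVirtualNetwork: { id: otVnet.id }, allowForwardedTraffic: true, allowGatewayTransit: true }
}

resource otToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: otVnet
  name: 'peer-ot-to-hub'
  // useRemoteGateways is set to true once the hub's VPN/ExpressRoute gateway (out of scope here) exists.
  properties: { remoteVirtualNetwork: { id: hubVnet.id }, allowForwardedTraffic: true, useRemoteGateways: false }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file converged-ot.bicep` into a resource group in the OT subscription. The design point is that the OT spoke never has a direct path to the on-premises OT range: the user-defined route sends it to the firewall's private IP, and the firewall's rule collection is the single place where the allowed OT flows are defined and logged, which is what keeps the converged model's shared hub from becoming an unmanaged bridge between IT and OT.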
Pros of the Converged Model
- Less administrative overhead to manage
- Simple architecture
- Cost savings through shared services (infrastructure and connectivity)
- Single identity and license cost savings
Cons of the Converged Model
- OT is no longer segregated from IT, which can impact security
- Deviates from the traditional Purdue model (if it is already being maintained)
Deciding on the right cloud adoption model for OT cloud enablement can be a challenging task for organisations. It requires careful consideration of the organisation's specific needs and goals. This blog post provides the pros and cons of both approaches to allow you to make an educated decision. If you are still unsure and have questions, we recommend consulting with experts to determine the best fit for your organisation.