- CAF draft

doc/source/caf/adopt/data-migration.rst

@@ -0,0 +1,38 @@
+Data Migration
+--------------
+
+With the expansion of the mobile Internet has come explosive growth in
+data. Data forms and data processing requirements have also undergone
+profound changes. In addition, application silos and data silos have
+become the biggest obstacles to enterprises' digital transformation. The
+main reasons for data silos include:
+
+-  The information channels of different departments generate different
+   data storage formats.
+-  Departments define data based on their own business. As a result,
+   there is no standardized definition of data and the same data may be
+   given different meanings.
+
+In data governance, we may face challenges such as scattered resources,
+data unavailability, and siloed applications.
+
+.. image:: ../../assets/caf/image53.png
+
+The following are the most urgent issues that enterprises need to
+address:
+
+-  Quickly integrating new and historical data to avoid information
+   silos
+-  Processing and analyzing various types of data with different value
+   densities in a cost-effective, efficient, and real-time manner to
+   meet business requirements
+-  Turning data into assets and paving the way for data-driven
+   innovation to stimulate business growth
+
+.. toctree::
+   :maxdepth: 1
+
+   data-management-and-analytics-platform.rst
+   typical-data-lake.rst
+   big-data-migration.rst
+

doc/source/caf/adopt/index.rst

@@ -0,0 +1,8 @@
+Phase 3: Adopt
+==============
+
+.. toctree::
+   :maxdepth: 1
+
+   application-migration.rst
+   data-migration.rst

doc/source/caf/adopt/rehost.rst

@@ -0,0 +1,86 @@
+Rehost
+~~~~~~
+
+Rehost, also known as **lift and shift**, is the most common way to
+migrate applications to the cloud without changing the running
+environment of applications. It is usually used for Physical to Virtual
+(P2V) and Virtual to Virtual (V2V) scenarios. It can help companies
+quickly migrate applications such as SAP, ERP, and CRM to the cloud.
+
+Open Telekom Cloud provides three rehosting solutions:
+
+Application redeployment
+************************
+
+In this solution, applications can be redeployed on ECSs or BMSs. This
+solution is ideal for stateless applications that do not involve data
+migration. The OSs of cloud servers can be changed as needed, for
+example, if an old OS is no longer supported. This solution is
+recommended when a new OS is required, but this means the applications
+will be offline for a time.
+
+Image import & export
+*********************
+
+By exporting system images of source servers and then importing those
+images to the cloud as private images, you can quickly create cloud
+servers with the same OSs and other details as your legacy servers. This
+solution is a good choice when you need to migrate on-premises servers
+that do not have too much data on them. The servers will have the same
+OSs before and after the migration, but there will be a fair bit of
+downtime.
+
+Server Migration Service (SMS)
+******************************
+
+SMS can migrate applications to the cloud and synchronize incremental
+data to minimize the downtime. However, the OS cannot be upgraded during
+the migration.
+
++--------------+---------------------+---------------------------------+
+| Object       | Migration Method    | Pros and Cons                   |
++==============+=====================+=================================+
+| Virt         | Redeployment        | -  Easy OS change               |
+| ual/physical |                     |                                 |
+| servers      |                     | -  Long downtime                |
++--------------+---------------------+---------------------------------+
+|              | Image import &      | -  OS consistency               |
+|              | export              |                                 |
+|              |                     | -  Long downtime                |
++--------------+---------------------+---------------------------------+
+|              | SMS                 | -  OS consistency               |
+|              |                     |                                 |
+|              |                     | -  Long downtime                |
++--------------+---------------------+---------------------------------+
+
+Take a typical three-layer application architecture as an example. The
+following figure shows how the architecture is different before and
+after the migration.
+
+.. image:: ../../assets/caf/image45.png
+
+Rehost has the following benefits:
+
+-  The application architecture is consistent before and after the
+   migration, so you know the original technology stack still work.
+   Rehosting ensures the migration of your applications can go smoothly.
+-  If the databases were built using Open Telekom Cloud ECS, the database
+   licenses can be reused in commercial database scenarios to save
+   money.
+-  Applications are deployed across AZs, so you can configure DC-level
+   HA.
+-  With Open Telekom Cloud ELB and Auto Scaling, services can be flexibly
+   scaled to adapt to workload changes.
+-  ELB replaces traditional offline hardware load balancing devices and
+   the network ACLs replace traditional hardware firewalls, further
+   reducing the hardware investments required.
+-  The O&M is simpler. CES provides comprehensive O&M monitoring of
+   cloud infrastructure, and LTS provides quick collection and analysis
+   of application logs.
+-  The reliability is enhanced. CBR backs up cloud servers for restore
+   or other server issues.
+-  The security is hardened. HSS protects cloud servers, WAF filters web
+   application traffic, and DBSS hardens cloud databases.
+
+.. toctree::
+   :maxdepth: 1

doc/source/caf/concluding-remarks.rst

@@ -0,0 +1,17 @@
+Concluding Remarks
+==================
+
+The CAF white paper is a cloud migration strategy based on best
+practices derived from Huawei Cloud customers' cloud migration cases and
+based on our own IT migration. It outlines four stages: migration plan,
+cloud construction, application setup, and system governance and O&M.
+CAF provides full lifecycle guidance for enterprises migrating services
+to the cloud, including service plan, preparation, architecture,
+organization, management, and O&M. It aims to help enterprises smoothly
+migrate services to the cloud and ensure that services can run
+efficiently on the cloud. In addition, the risks of migrating to and
+using the cloud are reduced, while the value is increased.
+
+If you have any comments or suggestions while reading this white paper,
+we sincerely welcome you to send them to our official website. We will
+keep working to improve.

doc/source/caf/govern-and-manage/cloud-based-om.rst

@@ -0,0 +1,25 @@
+Cloud-based O&M
+---------------
+
+As services migrate to the cloud, traditional O&M also shifts to the
+cloud. Cloud platforms provide abundant products, massive resources,
+elastic scaling, E2E security, open APIs, and diversified billing. These
+accelerate service development and reduce costs. How does cloud-based
+O&M work, and how can enterprises select and maintain the right
+resources?
+
+Cloud-based O&M does not mean simply transferring IDC capabilities to
+the cloud. Industry surveys show that fewer than 20% of enterprises
+fully utilize their cloud service capabilities. In addition to
+maximizing their resources, they must maintain their cloud services,
+make their data more secure, and quickly respond to changes and faults
+to stay competitive in the digital landscape.
+
+.. toctree::
+   :maxdepth: 1
+
+   trends-and-challenges.rst
+   multi-dimensional-om.rst
+   backup-and-restoration.rst
+   change-management.rst
+   emergency-handling.rst

doc/source/caf/govern-and-manage/index.rst

@@ -0,0 +1,29 @@
+Phase 4: Govern & Manage
+==========================
+
+This section is formulated based on Huawei Cloud's industry experience
+and practices to enhance the availability of enterprises' services on
+cloud, reduce costs, and ensure the safety and reliability of services,
+aiming to provide following benefits for enterprises:
+
+-  Professional capability construction: Provides guidance for
+   enterprises to deeply understand the cost management, security
+   compliance, and O&M governance of cloud services, and helps them
+   build professional management organizations and capabilities.
+-  Cost optimization: Optimizes the costs on the cloud through
+   reasonable resource selection and visualized cost management.
+-  Security compliance: Standardizes the security governance system by
+   referring to related security compliance and governance methodologies
+   to ensure secure running of services.
+-  Stability improvement: Identifies the potential risks, bottlenecks,
+   and availability problems for services based on the analysis and
+   governance methods for cloud O&M to continuously improve the
+   stability of the system.
+
+.. toctree::
+   :maxdepth: 1
+
+   cost-management.rst
+   cost-center.rst
+   security-compliance-and-governance.rst
+   cloud-based-om.rst

doc/source/caf/govern-and-manage/personnel-security-management.rst

@@ -0,0 +1,99 @@
+Personnel Security Management
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This section describes how to enhance security through personnel
+management.
+
+Recruitment
+***********
+
+-  Recruited personnel need a basic understanding about the technologies
+   involved and of security management. Arrange a test on this knowledge
+   before formal appointment.
+-  Check the identities, backgrounds, and qualifications of recruited
+   personnel. Archive related materials.
+-  Test recruited personnel's technical skills.
+-  Introduce the roles and responsibilities to recruited personnel and
+   arrange job training.
+-  Sign a confidentiality agreement with recruited personnel to forbid
+   information leakage.
+
+Staff position change or resignation
+************************************
+
+-  When an employee leaves their position, revoke their system
+   permissions.
+-  When an employee resigns, they need to submit any passwords they have
+   been using for company devices. After their resignation, the
+   administrator shall change the passwords as soon as possible.
+-  Resigning employees shall go follow a strict resignation procedure in
+   the HR department and sign a non-disclosure agreement.
+
+Staff appraisal
+***************
+
+-  Regularly conduct training focused on improving security skills and
+   awareness. Managers, regular employees, and third-party managers and
+   users all participate if necessary. Ensure they can identify
+   information security threats and risks, and can comply with security
+   policies.
+-  Conduct strict, comprehensive security audits for personnel in key
+   positions. For system administrators, review their identities and how
+   they are fulfilling job responsibilities. Review their system
+   permissions and job responsibilities, and their compliance with
+   non-disclosure regulations. For other key personnel, check their
+   identities and evaluate their fulfillment of job responsibilities.
+-  Punish those who violate the security policies or regulations. For
+   minor violations, a warning and a requirement to write a formal
+   apology are appropriate. For major violations, relevant departments
+   need to investigate the person's legal responsibilities. If the
+   person responsible for a minor violation comes from a third party,
+   ask them to correct their mistakes and inform their company.
+
+Security awareness training
+***************************
+
+-  Regularly conduct security training. Ask employees to learn about
+   network security and ensure they understand relevant policies and
+   regulations. Ensure employees understand that they will be held
+   responsible even if they meant no harm and even if they violated
+   security regulations unintentionally.
+-  Accurately define the security responsibilities of every position and
+   the punishments for different violations. Arrange meetings to explain
+   important or complex regulations if necessary.
+-  Arrange publicity activities to help employees learn about network
+   security community operations and common violations, for example, by
+   making short videos.
+-  Develop security training plans. Conduct training on basic
+   information security knowledge and job procedures.
+-  Record security training in detail and archive the records.
+-  Ask employees to sign the Information Security Commitment Letter and
+   promise to abide by the company's network security policies and
+   regulations.
+
+Security capability training
+****************************
+
+-  Establish a network security training system based on the industry
+   best practices. Arrange security capability training during different
+   stages, for example, during new employee orientation, during their
+   regular work week, or before promotions. Ensure employees are capable
+   of delivering secure products, solutions and services.
+-  Basic network security training: Develop training plans for different
+   roles and positions. For example, new employees must pass on-the-job
+   training and exams on network security and privacy protection before
+   they become regular employees. On-the-job employees need to take
+   courses as required by their positions. Managers must participate in
+   network security training and seminars.
+-  Precise training: Identify typical security problems in the product
+   development process and those responsible for the problems. Recommend
+   security training programs (including cases, training courses,
+   exercises, etc.) to them.
+-  Drills: Adopt industry best practices, develop a platform for network
+   security drills, and arrange confrontational role playing exercises.
+   Improve employees' security capabilities through practices.
+-  Incorporate network security requirements in the acceptable criteria
+   for jobs and promotion.
+
+.. toctree::
+   :maxdepth: 1

doc/source/caf/govern-and-manage/security-compliance-and-governance.rst

@@ -0,0 +1,55 @@
+Security Compliance and Governance
+----------------------------------
+
+An increasing number of security and compliance laws and regulations are
+being enacted all over the world. Companies that fail to meet these
+regulatory requirements may face various penalties and suffer
+significant losses.
+
+In accordance with the Cloud Service Cybersecurity & Compliance Standard
+(3CS) of Huawei Cloud, the following measures shall be taken:
+
+-  **Develop governance strategies,** including your organization's
+   security governance goals, roles and responsibilities, executives'
+   commitment, security governance priorities, and core KPIs. Ensure the
+   governance system can be efficiently effectively implemented and
+   continuously improved.
+
+-  **Incorporate** **security control measures into management
+   processes**, so that business departments can better understand and
+   implement these measures in their routine work.
+
+-  **Use tools to facilitate security and compliance governance,**
+   because some measures involve massive workloads. For example, if the
+   responsibilities of a job are changed, all the related account
+   permissions must be modified within 24 hours. To defend against
+   threats in a timely manner, an organization must develop advanced
+   tools, or use the security products or solutions of cloud service
+   providers. Huawei Cloud provides 20+ proprietary security services
+   and 200+ partner security services for you to choose from.
+
+-  **Set up a governance organization** and assign a director to
+   implement governance strategies for network security and privacy
+   protection.
+
+-  **Enhance data security.** Focus on eliminating security risks
+   throughout the data lifecycle. Avoid just emphasizing data security
+   everywhere with no clear focus.
+
+-  **Use metrics to evaluate information security.** Determine the
+   dimensions of your security evaluation, collect the required
+   information, and develop metrics based on the records and statistics
+   generated for the security management activities in your
+   organization. The metrics need to be calculable and reflect the key
+   points in your organizational security governance.
+
+The following sections describe security compliance and governance in
+more detail:
+
+.. toctree::
+   :maxdepth: 1
+
+   security-management-organization.rst
+   personnel-security-management.rst
+   security-pmi.rst
+   account-security-management.rst

doc/source/caf/govern-and-manage/trends-and-challenges.rst

@@ -0,0 +1,84 @@
+Trends and Challenges
+~~~~~~~~~~~~~~~~~~~~~
+
+O&M Trends
+^^^^^^^^^^
+
+As cloud computing and AI become more popular, cloud-based O&M evolves
+with them. Key trends include:
+
+1. Artificial Intelligence for IT Operations (AIOps). As data volume and
+   environment complexity grow rapidly, O&M is increasingly powered by
+   AI and big data.
+2. Cloud-native, microservice, containerization, and distributed
+   technologies mean that labor-intensive O&M no longer meets enterprise
+   needs. O&M systems must be automated to better track and locate
+   faults.
+3. Private cloud, public cloud, and multi-cloud are inevitable choices
+   for many enterprises, so they need a cross-cloud O&M assurance
+   system.
+4. The scope of O&M increases in addition to maintaining systems.
+   Enterprises also need overall planning, HA capability, security
+   system construction, and R&D and product enablement.
+
+Challenges of Cloud-based O&M
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Cloud-based O&M differs greatly from traditional O&M.
+
+Model
+*****
+
+-  Traditional O&M: Enterprises need to build most capabilities on their
+   own. They directly manage computing, network, and storage, and other
+   resources. They take all the responsibility and full control of their
+   resources. However, capability construction is slow and difficult.
+-  Cloud-based O&M: Cloud services provide standard basic capabilities.
+   Based on these services, enterprises build required architectures and
+   O&M capabilities. They use software interfaces or open APIs to manage
+   abstract resources. Enterprises share responsibility with cloud
+   vendors and do not need full awareness of underlying resources.
+   However, capability construction is fast and flexible.
+
+Scope
+*****
+
+-  Traditional O&M focuses on maintaining IDC equipment rooms. O&M
+   environments are rarely changed and therefore familiar to
+   enterprises.
+-  Cloud-based O&M varies by IT development and industry requirement.
+   Environments include offline IDC, private cloud, public cloud, or
+   even multi-cloud. Increasingly complex O&M environments require
+   higher O&M control and skills.
+
+Overall capability
+******************
+
+-  The cloud provides many more products and functions than traditional
+   IDCs. Although O&M personnel are not tasked with underlying
+   maintenance, they need to be familiar with the various cloud products
+   for better selection and usage.
+
+Security risks
+**************
+
+-  Cloud resources are mostly logically isolated, which is riskier than
+   physical isolation. Therefore, proper security planning is crucial.
+   For example, cloud storage must be encrypted to protect data.
+-  The cloud architecture solution is flexible. Most management is based
+   on open APIs, and resource access is by running single commands.
+   Therefore, security needs to be controlled during external access
+   design. In addition, strict audit is recommended for risky commands.
+
+Troubleshooting
+***************
+
+-  Cloud service faults are more difficult to locate. Once microservices
+   are deployed, the relationship between services becomes more complex.
+   Therefore, cloud-based O&M is key to locating faults.
+-  Some faults need to be located with the cloud service support team.
+   Therefore, in-depth communication with the cloud service support team
+   is needed.
+
+.. toctree::
+   :maxdepth: 1

doc/source/caf/index.rst

@@ -0,0 +1,70 @@
+Cloud Adoption Framework
+========================
+
+Digital technologies, the digital economy, and new forms of digital competition are key initiatives for governments and enterprises across the globe to improve their digital services and cloud adoption.
+Before migrating workloads to the cloud, governments and enterprises need to identify and prioritize the workloads.
+They also need to know the value being brought by the cloud and ensure organizational capabilities.
+
+Open Telekom Cloud Adoption Framework (OTCAF) aims to:
+
+* Help organizations that need to go to the cloud clearly define the plan, strategies, methods, and best practices for cloud adoption so that they can systematically prepare for cloud adoption, and govern and manage services on the cloud.
+* Help IT, finance, and security teams determine cloud adoption methods and governance to establish required capabilities.
+* Help various roles achieve business objectives, and support organizations in building digital competitiveness for business success.
+
+The OTCAF is based on references of our experts, partners and customers collected during
+their own digital transformation journey, combined with our industry best practices.
+It is divided into *four* phases as follows:
+
+.. image:: ../assets/caf/image4_1.png
+
+|
+
+Phase 1: Plan
++++++++++++++++
+
+Clarify the motivation for cloud adoption at the management level. It aims to define a cloud adoption blueprint, implementation and plan, and organization assurances. The scope is to address the cloud adoption strategy and convert the goals into action plans.
+
+Phase 2: Ready
+++++++++++++++
+
+Build a Landing Zone and design the cloud architecture in preparation for the cloud adoption.
+Landing Zone is used for unified management and governance of people, finances, resources, permission, and security compliance of multiple business units.
+The cloud architecture may include IaaS, PaaS and SaaS capabilities, cloud management,
+and O&M capabilities, providing features such as high availability, robust scalability, security compliance,
+and cost-effectiveness.
+
+Phase 3: Adopt
+++++++++++++++
+
+Migrate applications and data to the cloud in a proper order, and innovate services on the cloud.
+
+Phase 4: Govern & Manage
+++++++++++++++++++++++++++
+
+Perform cost management, security compliance and governance, and cloud operation and maintenance (O&M) to ensure cost-effective, efficient, secure, and stable services running on the cloud.
+
+Let's see these phases one by one:
+
+.. toctree::
+   :maxdepth: 1
+
+   plan/index.rst
+   ready/index.rst
+   adopt/index.rst
+   govern-and-manage/index.rst
+
+Intended Audiences
+++++++++++++++++++
+
+Migrating workloads to the cloud is for any organisation large or small, public or private a very big
+endeavor that requires the support and collaboration of various departments, people and skills. The
+Open Telekom Cloud Adoption Framework is here to guide those heterogeneous stakeholders in every step
+of the road. The audience that could be benefited from using OTCAF are mainly, but not limited to,
+the following:
+
+-  Cloud architects
+-  Business and technology decisions makers
+-  Product owners
+-  Legal and finance
+-  Information technology specialists on various fields (e.g administration, networking, security, governance)
+

doc/source/caf/plan/cloud-adoption-blueprint.rst

@@ -0,0 +1,74 @@
+Cloud Adoption Blueprint
+==========================
+
+The adoption blueprint specifies the Cloud migration strategy, scope,
+and objectives of key capability development:
+
+Cloud migration strategy
+************************
+
+-  Determine the cloud deployment model: **public cloud** or **hybrid
+   cloud**. Public cloud is more suitable for agile services and optimized
+   costs. Hybrid cloud is a good choice for ensuring low service latency
+   and enhanced security.
+
+-  Define a **single-cloud** or **multi-cloud** strategy. A single-cloud
+   strategy helps build leading capabilities while a multi-cloud
+   strategy allows you to leverage the best capabilities of different
+   cloud providers.
+
+High level of collaboration
+***************************
+
+-  Vertical collaboration between central and local governments (states
+   or provinces), as well as between enterprise headquarters and
+   branches, including business, data, resource, and cloud-edge
+   collaboration.
+
+-  Horizontal collaboration includes hybrid cloud collaboration and DR
+   across regions.
+
+Cloud migration architecture and key capabilities
+*************************************************
+
+Complete the blueprint for cloud migration by layer and module in terms
+of IaaS, PaaS, application enablement, application or SaaS, cloud
+reliability, cloud security, cloud O&M, and cloud operations, including:
+
+-  **Cloud infrastructure:** public cloud and hybrid cloud, multi-cloud
+   management, multi-architecture computing, big data storage and
+   computing, high-performance computing.
+
+-  **Data lake:** data lake house, flexible import to the lake, data
+   governance, data security, real-time self-service analysis, and
+   intelligent data application.
+
+-  **Enabling platforms:** AI, video, communications, IoT, blockchain, and
+   related technologies
+
+-  **Application migration to the cloud:** cloud migration scope and
+   capability objectives
+
+-  **Application innovation (optional):** cloud-native applications,
+   DevCloud, and industry cloud
+
+-  **Cloud reliability:** DR, HA, and related capabilities
+
+-  **Cloud security:** security system for network, host, application and
+   data, operations security, ecosystem security, and industry security
+   certification
+
+-  **Cloud O&M:** resource management, cloud monitoring
+
+-  **Cloud operations:** operations platform, organization, and processes
+
+A detailed cloud adoption blueprint is designed and planned based on the
+current situation of every organisation. The blueprint should be focused on cloud applications,
+cloud infrastructure, application enablement or AI enablement or data
+enablement platform capabilities. In addition, collaboration with
+device-side or edge-side intelligent awareness interaction and
+cloud-network synergy must be considered to ensure comprehensive access
+to data and applications.
+
+.. toctree::
+   :maxdepth: 1

doc/source/caf/plan/cloud-adoption-dimensions.rst

@@ -0,0 +1,99 @@
+Cloud Adoption Dimensions
+==========================
+
+As governments and enterprises have different strategic priorities and
+development phases, the core motivations for them to go to the cloud may
+differ. These core motivations should be determined based on actual
+conditions. It is a good practice to focus on the following three
+dimensions:
+
+IT transformation
+*****************
+
+Currently, IT systems are facing the following challenges:
+
+-  Low IT resource utilization, high costs, and complex maintenance and
+   lifecycle management. Service units and departments use different
+   data centers deployed with various types of servers and storage
+   devices, and applications are bound to servers.
+
+-  Insufficient capabilities of disaster recovery, security,
+   scalability, and maintainability affect service stability and
+   ability to expand on demand.
+
+-  They are too slow to introduce new technologies, such as containers,
+   cloud-native, and blockchain. Current IT systems are limited by
+   insufficient capabilities and by their organization members' lack
+   of experience. They urgently require new capabilities based on
+   mature products and extensive experience on the cloud, so they can
+   modernize and upgrade their IT systems, reduce costs and enhance
+   efficiency, and build IT support capabilities for future industry
+   competition.
+
+-  IT organization transformation.
+   Currently, IT departments are often positioned in support positions,
+   passively supporting business development. However, as the digital
+   transformation of the governments and enterprises deepens, IT and
+   digital capabilities have become parts of planning, R&D, production,
+   sales, service and operation, directly affecting business results and
+   competitiveness. IT departments urgently need to change their roles.
+   They need to be integrated into the production chain. IT departments and
+   awareness, a culture, focused on a service-oriented cloud platform and
+   on transforming their digital capabilities.
+
+Data intelligence and data security
+**********************************
+
+Data has become a new production factor together with traditional
+factors such as land, labor, capital, and technology.
+
+-  In the government sector, data-driven government services and
+   government governance collaboration across departments help with
+   government administration, policy formulation, and decision-making.
+   Data intelligence provides insights and responds quickly to social
+   and economic trends, enhancing public satisfaction and government
+   efficiency.
+
+-  In the financial sector, data intelligence assists in customer
+   marketing, risk control, and product design. It supports the
+   expansion of key services such as supply chain finance and digital
+   currency.
+
+-  In the enterprise domain, data intelligence enables design and
+   testing simulation, intelligent raw materials allocation, intelligent
+   production scheduling, supply chain risk management, and operational
+   visibility. It fully enhances efficiency and reduces risk.
+
+Over time, data platforms have had to provide increasingly more robust
+capabilities. The huge volumes of diverse types of data, the levels of
+access concurrency, the constantly evolving data technologies and new
+application scenarios demand high performance, efficiency, and
+reliability. They demand platforms that can flexibly expand and rapidly
+evolve. The requirements make a cloud service model the obvious choice.
+Cloud service providers provide platforms with these technical
+capabilities. The industry has become focused on scenario-specific
+capabilities related to its own data.
+
+Data security is increasingly related to security of both enterprises
+and governments. Cloud service models facilitate of advanced security
+technologies to centrally manage data security and provide maximum
+security assurance.
+
+Service and business innovations
+********************************
+
+Digitalization drives service innovation. It has been driving advances
+in smart production, services, and operations, as well as innovations
+like the sharing economy and industry chain collaboration, and there is
+capability spillover. Technologies are needed for innovations:
+
+-  New technological capabilities such as AI, IoT and blockchain.
+
+-  Rapid rollout and iteration are required for first-mover
+   opportunities. Cloud service models provide IaaS, PaaS, and SaaS
+   capabilities that are always industry leading, lowering barriers to
+   entry for service innovation, reducing costs, and accelerating
+   innovation.
+
+.. toctree::
+   :maxdepth: 1

doc/source/caf/plan/cloud-adoption-motivations.rst

@@ -0,0 +1,12 @@
+Cloud Adoption Motivations
+==========================
+
+.. todo:
+
+   fill in an overview
+
+.. toctree::
+   :maxdepth: 1
+
+   cloud-adoption-reasons.rst
+   cloud-adoption-dimensions.rst

doc/source/caf/plan/cloud-adoption-reasons.rst

@@ -0,0 +1,92 @@
+Cloud Adoption Reasons
+==========================
+
+The main reasons for cloud adoption are as follows:
+
+Addressing problems related to software and hardware lifecycles
+***************************************************************
+
+When data centers and servers reach the end of their lifecycles, or when
+multiple data centers are integrated, instead of using traditional data
+centers, this can be a good time to start using advanced cloud service
+models. A cloud service model can also help governments and enterprises
+eliminate the complex lifecycle management involved with the physical IT
+hardware, middleware, and technology platforms used in a traditional
+model.
+
+Enhancing service agility
+*************************
+
+Cloud services enhance service agility in the following ways:
+
+-  Infrastructure resources are obtained as required for timely launch
+   of new services. With physical hardware, you may have to wait weeks
+   or even months for new equipment to arrive.
+
+-  Applications and resources can be added on demand to rapidly scale
+   services up or out as needed.
+
+-  Technical platform services such as middleware, cloud-native, and
+   DevOps can be obtained on demand to accelerate service rollout and
+   help customers gain first-mover advantages.
+
+Reducing IT costs
+*****************
+
+A cloud service model can adjust the amount of resources deployed based
+on service requirements. This flexibility eliminates unnecessary
+expenditures. It also lowers the capability requirements for O&M
+personnel for the infrastructure and related technical platforms, which
+reduces the cost of O&M. In a public cloud model, local data centers do
+not need to be managed or maintained, and cloud resources and cloud
+service capabilities can be obtained as required, greatly reducing IT
+costs. In addition, the trial-and-error costs of trying out a new
+service can be significantly reduced.
+
+Enhancing O&M efficiency
+***********************
+
+Experienced O&M teams with hundreds or thousands of people from cloud
+service vendors provide professional services, significantly enhancing
+O&M quality and efficiency.
+
+Improving reliability and security compliance
+*********************************************
+
+Cloud service models provide highly reliable, secure technical
+capabilities fully compliant with industry regulations, based on a
+robust library of best practices. It also provides assistance with
+policy formulation, organization process development, and standard
+certification.
+
+Supporting global deployment
+****************************
+
+The global resources, networks, and platforms deployed on the cloud help
+enterprises quickly launch new multinational services and collaborate
+with headquarters in terms of services, data, and management.
+
+Building data foundation and data assets
+****************************************
+
+The cloud service model helps organisations build data
+foundations and data assets by using:
+
+-  Advanced technologies such as big data, AI, data governance, and data
+   security.
+
+-  Numerous industry best practices, including data platforms,
+   performance optimization, data governance, organization process for
+   data operation, and data intelligence application.
+
+-  Continuously introducing new technologies to accelerate innovations.
+
+Cloud service models ensure the industry-leading technologies and best
+practices are always available to accelerate service and business
+innovation. For example, cloud-native enables more agile services. AI
+enables more intelligent decision-making and unmanned or less-manned
+production. IoT provides connectivity of everything and intelligent
+sensing, and blockchain enables trusted smart contracts.
+
+.. toctree::
+   :maxdepth: 1

doc/source/caf/plan/gap-analysis.rst

@@ -0,0 +1,65 @@
+Gap Analysis
+============
+
+Before formulating your Cloud migration strategy:
+
+-  **Review** the current accounts, special requirements, key issues and challenges of the current IT systems.
+-  **Identify** new possible requirements for future service evolution.
+-  **Define** the key cloud adoption objectives as required.
+
+To get a complete analysis, refer to the following **Cloud Maturity Assessment Model**:
+
+.. image:: ../../assets/caf/image6_1.png
+
+Key gap analysis tasks include:
+
+Infrastructure analysis
+***********************
+
+-  Infrastructure resources and configurations, including servers,
+   storage types, basic configurations, resource quantities and usages,
+   lifecycle configurations, virtualization technologies,
+   containerization, and application distribution.
+
+-  Special requirements for performance, security, or operating system
+   or hardware dependencies.
+
+-  Key challenges, such as low availability and complicated maintenance.
+
+Technical platform analysis
+***************************
+
+-  Basic platform details, such as the amount, scale, and usage of
+   middleware, database, data warehouse, big data, and development and
+   test platforms.
+
+-  Special requirements and key challenges. For example, middleware and
+   big data are developed based on open source software, which often has
+   weak performance, poor stability, or no DR capabilities for critical
+   services.
+
+Major application analysis
+**************************
+
+Key applications need to be identified and analyzed to classify key
+requirements for the implementation. This includes systems such as
+channel systems, service systems, mission-critical systems, and data
+related systems. Channel systems require flexible performance scaling
+and fast iteration. Service systems need to be reliable and can expand
+on demand. Mission-critical and data related systems require high
+reliability, stability, and concurrency.
+
+Design for X (DFX) capability analysis
+**************************************
+
+Review the challenges related to DR, security, performance, and O&M.
+
+Evolution of innovation
+***********************
+
+New technologies such as AI, blockchain, and fast iteration based on
+containers, microservices, and cloud-native can leverage the public
+cloud for rapid reconstruction.
+
+.. toctree::
+   :maxdepth: 1

doc/source/caf/plan/index.rst

@@ -0,0 +1,28 @@
+Phase 1: Plan
+=============
+
+The purpose of the **Plan** stage is to determine the cloud adoption
+motivations, IT status quo, gap analysis, and high-level design planning.
+It includes cloud adoption strategy, cloud adoption blueprint, and cloud
+migration roadmap.
+
+The cloud plan primarily supports grant budget, organizational
+optimization, and talent training. It provides an assurance that the
+people, finances, resources, permission, and security compliance needed
+for cloud adoption are all in place. In addition, the baseline should be
+released to relevant organizations after being approved by the
+management to ensure the right strategy is selected for subsequent cloud
+adoption. *The plan is usually focused on less business
+critical applications with high value as pilot projects*.
+Quick wins help build organizational capabilities and reduce risks.
+
+The plan needs to include the following *five* key tasks:
+
+.. toctree::
+   :maxdepth: 1
+
+   cloud-adoption-motivations.rst
+   gap-analysis.rst
+   cloud-adoption-blueprint.rst
+   cloud-migration-plan-and-implementation.rst
+   organization-and-capability-assurance.rst

doc/source/caf/ready/account-management.rst

@@ -0,0 +1,50 @@
+Financial Management
+^^^^^^^^^^^^^^^^^^^^^
+
+Open Telekom Cloud provides the accounting management solution for enterprises
+with multiple accounts to help them implement unified management for
+accounts, organizations, funds, invoices, bills, and costs.
+
+Unified Accounting Management for Multiple Accounts
+'''''''''''''''''''''''''''''''''''''''''''''''''''
+
+Accounting management allows multiple Open Telekom Cloud accounts to be
+associated with each other for accounting purposes. You can create a
+hierarchical organization and a master account, add member accounts to
+this organization and associate them with the master account, and use
+the master account to perform accounting management of associated member
+accounts.
+
+1. **Association between master and member accounts**
+
+A new Open Telekom Cloud account can be directly associated with a master
+account or an existing Open Telekom Cloud account can be invited for
+association. On Open Telekom Cloud, a master account can create organizations
+that match your organizational structure and create new accounts for or
+invite existing ones to the organizations.
+
+2. **Funds management**
+
+A master account can allocate its balance and cash coupons to its member
+accounts for resource provisioning. A member account can use its own
+balance for resource provisioning.
+
+3. **Commercial discount inheritance**
+
+After member accounts are associated with a master account, they can use
+the commercial discounts of the master account in their expenditures.
+
+4. **Expenditure query**
+
+A master account and its associated member accounts can log in to Open Telekom
+Cloud to view their expenditures. The master account can view the
+expenditure data of its member accounts after being approved.
+
+5. **Invoices**
+
+A master account and its associated member accounts can separately
+request Open Telekom Cloud to issue invoices for their expenditures. A master
+account can request invoices for member accounts.
+
+.. toctree::
+   :maxdepth: 1

doc/source/caf/ready/cloud-architecture-design.rst

@@ -0,0 +1,26 @@
+Cloud Architecture Design
+-------------------------
+
+The most important objective of architecture design is to ensure the
+continuous availability of the system along with the development of
+enterprise services. Architecture design mainly includes the design of
+the application architecture and the technical architecture. The
+application architecture design involves industry-specific features,
+technology stacks, and enterprise development phases. Designing the
+technical architecture is more general. In the following sections, we
+will describe the five aspects of architecture design that affect
+service continuity the most: high availability (HA), scalability,
+performance, security, and cost.
+
+.. image:: ../../assets/caf/image35_1.png
+
+|
+
+.. toctree::
+   :maxdepth: 1
+
+   high-availability.rst
+   scalability.rst
+   performance.rst
+   security.rst
+   cost.rst

doc/source/caf/ready/cost.rst

@@ -0,0 +1,12 @@
+Cost
+~~~~
+
+On-demand resource usage, usage-based billing, elastic scaling, and
+resource utilization determine the costs on cloud. The following figure
+shows the principles of cost optimization design. For details about the
+design content, see section "Cost Management".
+
+.. image:: ../../assets/caf/image41_1.png
+
+.. toctree::
+   :maxdepth: 1

doc/source/caf/ready/identity-and-permissions-design.rst

@@ -0,0 +1,80 @@
+Identity and Permissions Design
+-------------------------------
+
+Based on a large number of successfully delivered projects, Open Telekom Cloud
+has summarized the following user and permissions management principles:
+
+-  Establish trust between the enterprise's identity management system
+   (such as AD) and Open Telekom Cloud IAM for federated identity
+   authentication so that enterprise employees can use single sign-on
+   (SSO) for the Open Telekom Cloud console. The enterprise's identity
+   management system can better control the permissions of employees as
+   they are recruited and can revoke permissions in a timely manner for
+   employees who have transferred to different departments or have
+   resigned.
+
+-  Do not use Open Telekom Cloud IAM as the enterprise's user management
+   system. There is no need to create users or user groups on Open Telekom
+   Cloud IAM for enterprise employees who do not interact with Open Telekom
+   Cloud.
+
+-  Do not share passwords with others. Instead, create an independent
+   user and assign permissions to the user for people who needs to
+   manage or use Open Telekom Cloud resources. In this way, all operations
+   performed on Open Telekom Cloud can be tracked and audited.
+
+-  Create user groups based on IT functions and add corresponding
+   employees to user groups that match their responsibilities. For
+   example, in terms of resource O&M and management, apply unified
+   management and O&M principles to improve efficiency. Under the O&M
+   and monitoring account, create user groups based on O&M
+   responsibilities. These user groups include a computing management
+   group, storage management group, network management group, and
+   database management group.
+
+-  Follow the principle of least privilege (PoLP). Grant only the
+   minimum levels of access or permissions needed to user groups. If the
+   responsibilities of a user group change, adjust the permissions of
+   that user group in a timely manner. To simply operations, grant
+   permissions to user groups rather than individual users.
+
+-  The IAM account administrator (with the same name as the IAM user)
+   has high permissions. As such, you should not use this account to
+   access Open Telekom Cloud directly. Instead, create an IAM user and grant
+   permissions based on the PoLP principle to perform routine
+   management, protecting the security of IAM accounts.
+
+Based on these principles, user groups are planned for accounts in
+Landing Zone and corresponding cloud service access permissions are
+assigned to these user groups based on the PoLP principle on Open Telekom
+Cloud. User groups in the enterprise's identity management system are
+mapped to the user groups on Open Telekom Cloud so that they have the
+corresponding cloud service access permissions.
+
+.. image:: ../../assets/caf/image28.png
+
+|
+
+To achieve unified management and control, IT functional accounts of
+Landing Zone need to access and manage cloud resources under other
+accounts through cross-account delegation. For example, a security
+operations account is designed to centrally manage security resources
+and services (such as SA and HSS) across accounts through federated
+authentication and cross-account delegation. The security administrator
+logs in to the console of the security operations account through SSO,
+switches the role to a service account, and then accesses and manages
+security cloud services under that service account.
+
+.. image:: ../../assets/caf/image29.png
+
+|
+
+Another similar scenario is that the O&M and monitoring account can
+access resources in other accounts through federated authentication and
+cross-account delegation to monitor and manage resources across accounts
+in an enterprise.
+
+.. image:: ../../assets/caf/image30.png
+
+.. toctree::
+   :maxdepth: 1

doc/source/caf/ready/index.rst

@@ -0,0 +1,19 @@
+Phase 2: Ready
+=============
+
+To build a highly reliable and available system on the cloud, a
+systematic top-level design framework and unified standards are
+required. Unified planning at the macro level is required to remove
+obstacles to cloud adoption. Based on the industry standards and
+practices, here in Open Telekom Cloud we have developed a landing zone system
+architecture. This architecture is intended to make it easier for
+enterprises to build reliable and systematic capabilities from the
+perspectives of the people, finances, resources, permissions, and
+security compliance. In addition, Open Telekom Cloud has developed an HA cloud
+architecture to ensure high availability of cloud services.
+
+.. toctree::
+   :maxdepth: 1
+
+   landing-zone-construction.rst
+   cloud-architecture-design.rst

doc/source/caf/ready/landing-zone-construction.rst

@@ -0,0 +1,64 @@
+Landing Zone Construction
+-------------------------
+
+The advantages of the public cloud in terms of security and stability,
+service quality, execution efficiency, and cost-effectiveness are
+becoming more widely recognized and accepted by enterprises. More and
+more enterprises are gradually migrating their application systems to
+the cloud and preferentially developing future-oriented, cloud-native
+application systems. An era of cloudification is coming. However, in
+practice, the following challenges are often encountered:
+
+1. How to isolate the security and faults of service units (such as BGs,
+   departments, and project teams) to ensure the isolation of cloud
+   resources, applications, and data between service units
+
+2. How to flexibly adjust cloud resources
+
+3. How to design a network architecture across multiple service units
+   and establish controlled network connection channels
+
+4. How to plan the production, development, and test environments
+
+5. How to share common resources among multiple service units
+
+6. How to centrally manage and control the budgets and costs of each
+   service unit and how to optimize cloud costs
+
+7. How to prevent service units from overusing cloud resources
+
+8. How to divide user groups and how to set permissions for user groups
+
+To address these challenges, Open Telekom Cloud has designed a Landing Zone
+solution to effectively manage service units, personnel, permissions,
+cloud resources, data, applications, costs, and security. A landing zone
+is the area where an aircraft, like a helicopter or an airplane, can
+land safely. Cloud vendors have borrowed this term to describe a place
+where you can smoothly migrate enterprise service systems on the public
+cloud. The Open Telekom Cloud Landing Zone solution helps enterprises build a
+secure, compliant, and scalable multi-account environment on the cloud
+where multiple accounts can share resources and there is unified
+management of the people, finances, resources, permissions, and security
+compliance.
+
+-  **People**: Unified management of service units, accounts, users, user
+   groups, and roles for multiple accounts
+
+-  **Finances**: Unified management of funds, budgets, costs, invoices, and
+   discounts for multiple accounts
+
+-  **Resources**: Unified O&M, monitoring, and management of cloud resources
+   including computing, storage, network, data, and applications for
+   multiple accounts
+
+-  **Permissions**: Unified management of permissions for cloud resources of
+   multiple accounts based on the principle of least privilege (PoLP)
+
+-  **Security compliance**: Unified management of security compliance in
+   accordance with the security compliance requirements of countries,
+   industries, and enterprises
+
+.. toctree::
+   :maxdepth: 1
+
+   landing-zone-reference-architecture.rst

doc/source/caf/ready/landing-zone-reference-architecture.rst

@@ -0,0 +1,21 @@
+Reference Architecture
+----------------------
+
+The people, finances, resources, permissions, and security compliance
+requirements are mapped to the account and organizational structures,
+financial management, network planning, identity and permissions design,
+security protection, and compliance audit.
+
+.. image:: ../../assets/caf/image14.png
+
+The following describes each module in detail.
+
+
+.. toctree::
+   :maxdepth: 1
+
+   account-and-organizational-structure.rst
+   account-management.rst
+   network-planning.rst
+   identity-and-permissions-design.rst
+   security-and-compliance.rst

doc/source/caf/ready/performance.rst

@@ -0,0 +1,44 @@
+Performance
+~~~~~~~~~~~
+
+Performance is a key metric for any software system. It is also an
+important part of cloud design. In performance design, scalability must
+be considered as it is vital to high performance. In addition, solution
+selection, performance measurement, performance monitoring, and
+performance trade-off must also be considered.
+
+Factors that affect the performance of cloud applications
+****************************************************
+
+-  **Compute latency**: the wait time between operations and a direct reflection of cloud computing performance
+-  **Network throughput**: the rate at which data is processed
+-  **Transmission throughput (bytes/second or bit/second)**: a key measure of performance
+-  **Storage input/output operations per second (IOPS)**: a measure of data transmission
+-  **Data concurrency**: the ability to run multiple programs at the same time
+
+Solution selection
+******************
+
+-  Select and combine the solutions that best suit your needs.
+-  Upgrade solution selection methods and optimize the selection of resources and configurations through data.
+
+Performance measurement
+***********************
+
+-  Configure performance measurement and monitoring metrics.
+-  Enable performance tests to be triggered automatically after the fast-running test is complete.
+-  Use data visualization to identify performance issues, hot topics, waiting states, or low utilization.
+
+Performance monitoring
+**********************
+
+-  Determine the monitoring scope, metrics, and thresholds.
+-  Create a full view from multiple dimensions.
+
+Performance tradeoffs
+*********************
+
+- Strike a balance in the architecture for better performance, for example by using compression or caching techniques.
+
+.. toctree::
+   :maxdepth: 1