In January, I posted an article called “Greenfield Opportunity”, which outlined my current career focus as Chief Technology Officer (CTO) at Elanco Animal Health.

Following a successful IPO, Elanco IT is in a unique position to “reboot the enterprise from scratch”. As a technologist, this is a once-in-a-lifetime opportunity, where the weight of legacy architecture and technical debt is lifted, presenting a clean start from which to build a modern IT ecosystem.

In this article, I will provide insight into our future-state IT architecture. As our story evolves, I am committed to sharing additional details regarding our architecture and technology decisions.

Background

Elanco was founded in 1954, delivering comprehensive products and knowledge services to improve animal health and food-animal production. The vision is simple:

“Food and companionship enriching life. Our vision advances the well-being of animals, people, and our planet.”

The numbers below provide an insight into the scale and complexity of the Elanco business.

  • Serving Customers in 90+ Countries
  • 5800+ Total Employees
  • 150+ IT Employees
  • 60+ Physical Sites Globally
  • 10+ R&D and Manufacturing Sites

With a rich history in veterinary pharmaceuticals, all R&D and Manufacturing sites must be operational 24x7 and adhere to strict compliance and regulatory standards.

IT Principles

With an incredible number of IT decisions ahead, it was important first to establish some basic principles. As a result, we created a set of IT Principles, which aim to drive better strategic decision making by proactively triggering the right architecture conversations.

There are four principles assigned to each domain, covering Business Process, Information, Application, and Technology.

[Figure: IT Principles]

The rationale behind having only four principles per domain is to ensure that they can be easily consumed and remembered. Historically, we have had hundreds of principles which, although perfectly valid, resulted in limited adoption.

IT Declarations

Alongside the IT Principles, we have also created the following IT Declarations. These build on the IT Principles, providing a greater level of detail.

  • Hybrid-Cloud: By default, Public Cloud must be prioritised over Colocation Data Centres and Local Compute.

  • Open Source: By default, new applications must prioritise open-source technologies, with proprietary technologies reserved for where they maximise our strategic investments.

  • Custom Developed: By default, new custom-developed applications must embrace a Cloud Native architecture (Twelve-Factor App and FAIR), prioritising FaaS and PaaS.

  • Commercial off-the-Shelf (CotS): By default, new Commercial off-the-Shelf (CotS) applications must embrace a Cloud Native architecture, prioritising SaaS.

  • Server Deployment: By default, new IaaS server deployments must be ephemeral (short-lived) and stateless (do not persist a session).

  • IT Automation: By default, new application deployments must be automated, leveraging build tools and/or IT Automation.

  • Datastores: By default, new managed datastores must prioritise open-source technologies, avoiding proprietary/licensed technologies.

  • Integrations: By default, new system-to-system integrations must leverage the Enterprise Integration Fabric.

  • API-First: By default, new applications must leverage open and documented web service-based APIs and/or Webhooks.

  • Client Plugins: By default, new client-side applications must be browser-based, avoiding the use of proprietary plugins (e.g. .Net Framework, Java, Flash, etc.).

  • Internet Accessible: By default, new applications must be accessible via the Internet, secured at source and in transit, removing the need for a VPN.

We do not anticipate 100% adherence to the IT Principles and IT Declarations. For example, within R&D, we have unique software that supports laboratory instruments, which requires low-latency connectivity and must be “air-gapped” for security and resilience.

Modern IT Ecosystem

The high-level diagram below helps to describe our future-state IT architecture. It is purposely “marchitecture” (a combination of marketing and architecture), used to articulate our end-state to a non-technical audience.

[Figure: IT Ecosystem]

The bullets below provide context to the diagram, describing our philosophy and key decisions for each area.

  • SaaS: Recognising the limited competitive advantage, all highly-industrialised/commodity capabilities will be positioned for SaaS. Examples would include Productivity, Collaboration, Service Management, Customer Relationship Management (CRM), Human Resource Planning (HRP), etc.

  • Public Cloud: Public Cloud will be prioritised for all application/data hosting, emphasising “up the stack” services. For example, FaaS and PaaS will be prioritised over IaaS. A preferred Public Cloud provider will be selected; however, the underlying architecture will support multi-cloud.

  • Colocation Data Centres: Multiple Colocation Data Centres will be provisioned, supporting capabilities that are not commercially or architecturally a good fit for Public Cloud. For example, specialised capabilities from R&D and Manufacturing, which require specific hardware. The Colocation Data Centres will also include access to a high-performance network backbone, providing agnostic Public Cloud connectivity.

  • SDDC: The infrastructure deployed within the Colocation Data Centres will be highly-converged, leveraging “blade-based” hardware that allows compute, storage and network to be scaled independently. All Data Centre resources and services will be software-defined, following modern Software-Defined Data Centre (SDDC) techniques.

  • ERP: Enterprise Resource Planning (ERP) will be fully managed (SaaS-like), but hosted in a Specialised Cloud that includes a fibre cross-connect into our Colocation Data Centres. The goal is to exploit the benefits of a fully managed Cloud, whilst also offering the best possible network performance (LAN-like), without creating lock-in with a specific Public Cloud provider (also known as Hyperscale Providers).

  • IAM: Identity and Access Management (IAM) will span the Public Cloud and Colocation Data Centres, providing flexibility and resilience. Modern authentication and authorisation mechanisms will be prioritised, enabling single sign-on and passwordless capabilities for end-users. Identity and Access Management will form a core part of our Information Security architecture (see Information Security).

  • IT Automation: All cloud services (SaaS, Public Cloud) and the Colocation Data Centres will be fully automated, leveraging Infrastructure-as-Code and Software-Defined techniques. As depicted by the “DevOps Cloud”, the IT Automation will be delivered via a unified suite of proactive services, covering provisioning, governance, budgeting, discovery, testing, security analysis, quality assurance, and change control.

  • WAN: The Wide Area Network (WAN) will utilise an SD-WAN architecture, which simplifies the management and operation of the WAN by decoupling the networking hardware from the control mechanism. This architecture allows commodity Internet circuits to be provisioned instead of traditional (costly) MPLS. Cellular also becomes viable, either for remote locations or as a resiliency option.

  • User Endpoints: Applications and services served from the Cloud (SaaS, Public Cloud) will be Internet-accessible via the web/API. Only specialised applications running in the Colocation Data Centre will require direct network connectivity from a local site or a client VPN. As a result, the user endpoints do not require any special software or controls, instead leveraging the native capabilities of the specific device (AV, Firewall, etc.). This approach simplifies the endpoint architecture, promoting productivity by delivering a “consumer-like” experience. It also enables the use of any device, providing greater choice to the end-user (e.g. Windows, macOS, ChromeOS, iOS, Android, etc.).

  • LAN: Wireless technologies will be prioritised at the local sites, made available via a unified SSID that will intelligently provide the appropriate level of access (see Information Security). R&D and Manufacturing will include strict segmentation policies, allowing for the sensitive workloads to run fully autonomously, without any connection to the WAN or Internet.

  • Edge Compute: In certain scenarios, local (edge) compute will be required, specifically to support latency-sensitive applications at R&D and Manufacturing sites. Where possible, these will run in hyper-converged infrastructure, leveraging software-defined techniques.

  • Information Security: A Zero Trust security model will be followed, rooted in the principle of “never trust, always verify”. To achieve this outcome, multiple technologies will be embedded as part of the wider architecture, including Layer 7 Firewalls, Network Segmentation, Agentless Network Access Control, Data Loss Prevention, Privileged Access Management and a dedicated Security Operations Centre (SOC). These technologies will be combined with a clear “least privilege access strategy” and appropriate governance, monitoring, auditing, etc.

Conclusion

Overall, I hope this article has provided some insight into our future-state IT architecture, which is intended to be a robust foundation for a modern “Digital Business”.

We have ambitious goals regarding our use of Public Cloud, an API-First approach, IT Automation, and Software-Defined techniques. However, we have also attempted to be pragmatic, ensuring that the architecture can mature with the business.

Finally, it is important to recognise that modern architecture is only one piece of the puzzle, with new processes, methodologies, and organisation design being key deliverables that allow us to unlock the total value proposition.