It’s rare to find a definitive guide to cloud governance best practices. This is because different organizations have different objectives at different stages of their cloud journeys. Due to the rapidly evolving landscape of the cloud, what could be a best practice today may be unthinkable tomorrow.
If you search for information about cloud governance best practices, you’re likely to come across a handful of articles discussing tagging policies and cost management - and not much else. The reason for this is that cloud governance - the rules under which your organization operates in the cloud - is fluid; and whereas tagging and cost management should be implemented at every stage of a cloud journey, virtually every other rule is subject to change.
If you’re familiar with on-premises IT governance, the fluidity of governance in the cloud may come as a shock to you. On-premises, the infrastructure is virtually static, there’s often a long approval process for software acquisitions, and data is protected behind a firewall. In the cloud, there’s “click-and-launch” provisioning, line-of-business “Shadow IT”, and a much greater exposure to security threats. Plus, due to the rapidly evolving landscape of the cloud, everything happens much faster.
Cloud Governance Frameworks
Cloud governance best practices usually change as organizations move from planning and evaluation, to proof of concept and migration, to cost control and asset optimization, to cloud maturity. It seems somewhat ironic that the best place to implement cloud governance best practices is at the start of a cloud journey; yet most organizations tend to think about cloud governance only once they start encountering issues with cost control or approach cloud maturity.
Nonetheless, the frameworks on which organizations build their cloud governance structures are mostly the same. They start by aligning cloud operations with the organization’s business strategy - usually through a “cloud center of excellence” which consists of personnel from procurement, finance, business operations, IT, security, etc., so every department of the organization is represented. Then, there’s a process of defining the rules under which the organization will operate in the cloud.
Developing Cloud Governance Best Practices
Once the rules are defined, best practices for governing the organization’s operations in the cloud can be developed. Most businesses’ cloud governance best practices consist of identifying rules for which preventative controls can be implemented and then putting the preventative controls in place - for example, enabling multi-factor authentication of user accounts to prevent unauthorized access in the event of login credentials being stolen or exposed.
To enforce rules for which there are no suitable preventative controls, a system of continuous monitoring and auditing needs to be implemented. Along with this system, there need to be processes in place for checking compliance with the rules, and remediation workflows if the rules are not followed - or if a situation arises for which no rules have been defined. It all sounds very complicated; but in reality there is an easy solution - policy-driven automation from CloudHealth.
Policy-Driven Automation from CloudHealth
A lot of organizations already use automation in their cloud operations; but typically for deploying assets in the cloud rather than governing their operations. CloudHealth’s automation capabilities make it possible for organizations to apply “policies” to their cloud operations to act as preventative controls, or to act as a solution for monitoring and auditing activities in the cloud. In the latter case, if a policy violation is identified, CloudHealth can be configured to take a variety of actions. Here are some examples:
- If one of your governance rules is that Personally Identifiable Information (PII) should always be encrypted, you can apply a policy for CloudHealth to encrypt storage volumes tagged PII.
- If another governance rule is that instances should only be launched in U.S. regions, you can configure CloudHealth to terminate any instance launched outside the U.S.
- If you want to prevent users from accessing cloud accounts from outside the organization, you can apply a policy that blocks logins from outside a specified IP range.
- With regard to monitoring and auditing, you can set up notifications for when cloud spend increases suddenly or is projected to exceed a monthly budget.
- You can also set up notifications for when instances are over-provisioned, when data can be moved to lower-tier storage, or when committed use discounts are under-utilized.
Policies can be added, revised, or removed with the click of a mouse on CloudHealth’s user-friendly console, plus they can be applied by individual user, department, or organization-wide. Furthermore, CloudHealth can be used not only to enforce cloud governance best practices, but on-premises best practices as well. If you have issues analyzing data from disparate sources, speak with our team of cloud experts about getting total visibility of your entire IT infrastructure.