The purpose of a cloud governance framework is to ensure cloud costs are aligned with the business’s objectives, innovation is encouraged, and the risk of data loss or regulatory non-compliance is mitigated. In many ways, it is similar to an on-premises governance framework - only the playing field is different.
When you operate any type of IT infrastructure, there are rules in place that cover cost, performance, and security. With an on-premises IT infrastructure, the rules are relatively simple to police. Your costs are mostly fixed, performance is subject to the capabilities of approved software, applications, and programs, and data is protected by a firewall.
In the cloud, it’s a different playing field. Due to the self-provisioning nature of cloud computing, costs can quickly spiral out of control, cloud-based apps can be downloaded without IT approval, and there’s no firewall in the cloud to protect data. You can try to apply the same rules as used in your on-premises IT infrastructure, but you’ll find they are much more difficult to police.
How does a cloud governance framework resolve these issues?
A cloud governance framework doesn’t resolve these issues per se. A cloud governance framework is a cloud-orientated set of rules that takes into account the needs of each department, creates an approval process for the acquisition of software not yet sanctioned by IT, and develops best practices for ensuring the integrity of data.
Ultimately, a cloud governance framework should align cloud costs with the business’s objectives, eliminate Line of Business IT (Shadow IT) without stifling innovation or productivity, and mitigate the risk of data loss or regulatory non-compliance by having rules in place that determine how cloud-based services should be utilized.
The rules created within a cloud governance framework need to have a little flexibility. There’s little doubt they’ll need to be amended from time to time as the business expands, as new services are introduced, and as gaps in existing rules are identified. So, there also need to be processes in place to amend rules when necessary.
Policing a cloud governance framework
If developing a cloud governance framework sounds complicated, policing it is even more difficult. Different departments may already be using multiple SaaS solutions in addition to the assets deployed in an IaaS environment by centralized IT. This means the first course of action is creating an inventory of what’s already in use.
Next, a means of monitoring cost, performance, and security needs to be implemented in order to ensure the rules of the cloud governance framework are adhered to. Without adequate policing, there’s no benefit in developing a cloud governance framework; but, with potentially thousands of services being used by different departments, manual monitoring is out of the question.
A more suitable solution is a cloud management platform such as CloudHealth that collects data from all the services being used by the business to provide total visibility of the IT infrastructure. Once the data has been aggregated, you can use policy-driven automation to police the cloud governance framework and ensure your governance rules are being adhered to.
More about policy-driven automation
Policy-driven automation can be used in many ways to police a cloud governance framework. It can alert budget owners when month-to-date costs exceed a certain threshold, it can alert system administrators when assets are under-provisioned and need upgrading to do their jobs, or it can alert security teams to suspicious activity that may indicate an infiltrator. Using the CloudHealth platform, you could create policies similar to the following:
- If projected month-to-date spend is greater than 100% of budget, send email notification to budget owner.
- If average CPU utilization is greater than 90% for more than one week, send email notification for potential upgrade.
- If a user logs into their cloud account from an unrecognized IP address, send email notification for further investigation.
CloudHealth can be configured to do more than send email notifications. While monitoring your IT infrastructure 24/7, there may be times when email notifications aren’t the appropriate course of action. For example, if multi-factor authentication is disabled on an account with access to sensitive data, it may be better to temporarily revoke user access rather than wait to find out why multi-factor authentication was disabled and then enable it again. Other automated actions can include:
- Terminating non-conforming assets, e.g. an instance with more than the allowed capacity
- Encrypting storage volumes containing unprotected data or revoking unused encryption keys
- Correcting misspelled tags to ensure they conform to the business’s tagging policy
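To make the policy-driven automation described above concrete, here is a small policy checker written as an added example; it is not CloudHealth code and does not use the CloudHealth API. Each policy is a plain function over a snapshot of inventory data (the budget figures, instances, logins, accounts, and tags are constructed values, and the thresholds, owner address, and `MAX_VCPUS` limit are assumptions), and each finding is labelled either "notify" (an email-style alert, as in the first list) or "remediate" (an automated correction, as in the second list). The tag fixer returns corrected copies rather than mutating its input, so a reviewer can compare before and after.

```python
"""Minimal policy-driven governance checker (added example, not CloudHealth code).

Each policy inspects a constructed inventory snapshot and returns findings.
A finding's action is "notify" (send to an owner) or "remediate" (an automated
correction). All data and thresholds below are hypothetical.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Finding:
    policy: str
    subject: str
    action: str  # "notify" or "remediate"
    detail: str


# --- constructed inventory snapshot (hypothetical values) ---
BUDGET = {"owner": "finance-lead@example.com", "monthly_budget": 10_000.0,
          "month_to_date_spend": 6_500.0, "day_of_month": 15, "days_in_month": 30}
INSTANCES = [
    {"id": "i-app-01", "cpu_7d": [95, 97, 92, 94, 96, 93, 91], "vcpus": 4},
    {"id": "i-db-01", "cpu_7d": [40, 42, 38, 45, 41, 39, 44], "vcpus": 16},
]
MAX_VCPUS = 8  # assumed capacity limit from the governance rules
LOGINS = [{"user": "alice", "ip": "203.0.113.10"}, {"user": "bob", "ip": "198.51.100.7"}]
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}
ACCOUNTS = [
    {"user": "alice", "mfa": True, "sensitive_access": True},
    {"user": "carol", "mfa": False, "sensitive_access": True},
]
TAG_ALIASES = {"enviroment": "environment", "cost-center": "cost_center"}
RESOURCES = [
    {"id": "vol-01", "tags": {"enviroment": "prod"}},
    {"id": "vol-02", "tags": {"environment": "dev"}},
]


def projected_spend(b):
    """Linear projection of month-to-date spend to month end."""
    return b["month_to_date_spend"] / b["day_of_month"] * b["days_in_month"]


def check_budget(b=BUDGET):
    """Projected spend above 100% of budget -> notify the budget owner."""
    proj = projected_spend(b)
    if proj > b["monthly_budget"]:
        return [Finding("budget", b["owner"], "notify",
                        f"projected {proj:.0f} exceeds budget {b['monthly_budget']:.0f}")]
    return []


def check_cpu(instances=INSTANCES, threshold=90.0):
    """Seven-day average CPU above the threshold -> notify for a potential upgrade."""
    return [Finding("cpu", i["id"], "notify", f"7-day avg {mean(i['cpu_7d']):.1f}% > {threshold}%")
            for i in instances if mean(i["cpu_7d"]) > threshold]


def check_oversized(instances=INSTANCES, max_vcpus=MAX_VCPUS):
    """Instance above the allowed capacity -> flagged for termination."""
    return [Finding("capacity", i["id"], "remediate", f"{i['vcpus']} vCPUs > allowed {max_vcpus}")
            for i in instances if i["vcpus"] > max_vcpus]


def check_logins(logins=LOGINS, known=KNOWN_IPS):
    """Login from an IP not on the known list -> notify for investigation."""
    return [Finding("login", l["user"], "notify", f"login from unrecognized IP {l['ip']}")
            for l in logins if l["ip"] not in known]


def check_mfa(accounts=ACCOUNTS):
    """MFA disabled on an account with sensitive access -> suspend the account."""
    return [Finding("mfa", a["user"], "remediate", "MFA disabled on sensitive account; suspend")
            for a in accounts if a["sensitive_access"] and not a["mfa"]]


def fix_tags(resources=RESOURCES, aliases=TAG_ALIASES):
    """Rename misspelled tag keys; returns (findings, corrected copies), inputs untouched."""
    findings, corrected = [], []
    for r in resources:
        tags = {aliases.get(k, k): v for k, v in r["tags"].items()}
        if tags != r["tags"]:
            findings.append(Finding("tags", r["id"], "remediate", f"tags corrected to {tags}"))
        corrected.append({**r, "tags": tags})
    return findings, corrected


def run_all():
    """Evaluate every policy against the snapshot and return all findings."""
    findings = check_budget() + check_cpu() + check_oversized() + check_logins() + check_mfa()
    tag_findings, _ = fix_tags()
    return findings + tag_findings


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.action:9}] {f.policy:9} {f.subject}: {f.detail}")
```

In a real deployment the snapshot would come from the cloud provider's billing, metrics, and audit-log APIs, and the "remediate" findings would be handed to an action runner with its own approval step; separating evaluation from action, as above, is what lets the same rules be run in report-only mode first before any automated correction is switched on.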