If you are unfamiliar with running a business in the cloud, and you attempt to find a straightforward answer to the question “what is cloud governance”, you could be forgiven for getting confused. We aim to answer the question in terms most people will understand and explain why cloud governance is important.
When you run a business in the cloud, there are a few rules you have to comply with. Generally, these rules relate to personal privacy and data security, and they can vary according to the industry you operate in. Typically the rules are no different from those you have to comply with when you run a business on an on-premises IT infrastructure. It’s only the landscape that is different.
The different landscape is the reason you need to know what cloud governance is. This is because, when you run a business on an on-premises IT infrastructure, you know what your capital costs are and have a fairly good idea about your month-to-month operational costs. You also know departments will be running the software, applications, and programs that have been approved for them.
In the cloud, different departments can develop their own systems and deploy assets with the click of a mouse. You may no longer have to worry about capital costs, but your operational costs can quickly get out of hand without controls in place. Furthermore, the software, applications, and programs deployed by one department may not be able to communicate with those deployed by another department.
A lack of controls not only creates issues with costs and efficiency, but can also raise security concerns. Whereas cloud services themselves are secure, assets that are deployed with poor access controls or configuration vulnerabilities are an invitation to a hacker to infiltrate your network. Previously—with an on-premises IT infrastructure—your business network was protected from many security concerns by a firewall. There are no firewalls in the cloud. This is why you need cloud governance.
Cloud governance is basically a set of rules
To eliminate issues with costs and efficiency, you need to create a set of rules. These rules of cloud governance should consist of budgets for how much departments can spend, guidelines about what software, applications and programs departments can use, and policies for cloud security. Naturally the rules can be flexible, but there needs to be an approval process in place to prevent too much flexibility.
Compliance with the rules then needs to be monitored. This can be achieved with many different types of cloud management software. However, if you operate in a multi-cloud or hybrid cloud environment (or plan to), it is better to use a third-party cloud management solution, rather than software supplied by cloud service providers, so that you have total visibility of all your business’s cloud activity.
As you monitor compliance with the rules, you may notice areas that could be tweaked to improve cost-efficiency or performance. It may also be the case that, as you expand your cloud-based operations, you need to make changes to the rules you have created in order to accommodate new products and services, or to remain competitive within your industry. Processes need to be in place for this too.
Cloud governance is a set of rules you create, monitor, and amend as necessary in order to control costs, improve efficiency, and eliminate security risks. There may be other areas of your cloud operations that require governance, but these will become apparent when you first start pulling together the components that will eventually form your rules of governance.
Before you start creating rules of governance
Before you start creating rules of governance, you need to know what assets are already deployed in the cloud, how they work together, and what security risks exist. The best way of doing this is to use a cloud management solution that gives you total visibility over your cloud account(s) in order to compile an inventory of your assets, analyze their relationships, and identify security vulnerabilities.
You should then optimize your assets for costs and performance to get a starting point for future capacity planning and budgeting. This may involve exchanging one provider’s services for another provider’s service in order to take advantage of discounted pricing structures or more suitable services, but is something you should be able to manage easily with a suitable cloud management solution.
Once your assets are optimized, and you are armed with reports evaluating costs and performance by department, you can then collaborate with different departments in your business to create the rules of governance. As mentioned above, in addition to creating the rules, you have to have processes in place to accommodate flexibility and revisions, and policies in place to govern the security of your network.
Security policies are without doubt the most important element of cloud governance. Without effective policies in place—and effective monitoring of the policies—it is just a question of when, not if, your network will be infiltrated. Security policies not only need to be applied to assets deployed in the cloud, but also to areas such as access control, security groups, and encryption key management.
What is cloud governance automation software?
It is likely that, during your quest for a straightforward answer to the question of what cloud governance is, you have come across the term “cloud governance automation software” and wondered what it is. Cloud governance automation software is a useful element of some third-party cloud management solutions that executes predetermined actions when a governance rule is violated.
Whereas some cloud governance solutions can help you audit and optimize your assets, and monitor compliance with the governance rules you apply, cloud governance automation software can be configured to notify you of a violation, request approval for an event beyond the parameters of your governance rules, or automatically terminate an asset. Here are some examples of how it works:
- Let’s say you have allocated a monthly budget to a department. You can create a policy to notify you (and/or the budget owner) when monthly costs to date are projected to exceed the budget so the overspend can be investigated.
- Or, you have stipulated that the development team cannot launch non-production Virtual Machines with more than 4 cores without approval. As soon as an 8-core VM is launched, it is suspended until you approve the deployment.
- Or, if during the monitoring process of an AWS account, the software identifies an account with root account API access, the software can be configured to execute a Lambda function to revoke user access and notify you of the violation.
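The three rules above can be expressed as small checks run over an inventory snapshot. The following is an added example, not code from any cloud management product; the snapshot layout, field names, action names, and the linear run-rate projection are all assumptions made for illustration.

```python
import calendar
import datetime as dt
from typing import NamedTuple

class Finding(NamedTuple):
    rule: str
    target: str
    action: str  # returned for a dispatcher to carry out; nothing is executed here

def check_budget(dept, today):
    # Assumed model: linear run-rate projection of month-end spend.
    days = calendar.monthrange(today.year, today.month)[1]
    projected = dept["spend_to_date"] / today.day * days
    if projected > dept["budget"]:
        return Finding("budget", dept["name"], "notify")

def check_vm(vm, approved, max_cores=4):
    # Non-production VMs over the core limit are held until approved.
    oversized = vm["env"] != "production" and vm["cores"] > max_cores
    if oversized and vm["id"] not in approved:
        return Finding("vm_cores", vm["id"], "suspend_pending_approval")

def check_root_keys(account):
    # Any active access key on the root user counts as root API access.
    if account["root_access_keys"] > 0:
        return Finding("root_api_access", account["id"], "revoke_and_notify")

def evaluate(snapshot, today):
    results = [check_budget(d, today) for d in snapshot["departments"]]
    results += [check_vm(v, snapshot["approved_vms"]) for v in snapshot["vms"]]
    results += [check_root_keys(a) for a in snapshot["accounts"]]
    return [f for f in results if f is not None]

# Constructed sample inventory (all names and values are illustrative).
SNAPSHOT = {
    "departments": [
        {"name": "dev", "spend_to_date": 4000.0, "budget": 10000.0},
        {"name": "ops", "spend_to_date": 2000.0, "budget": 9000.0},
    ],
    "approved_vms": {"vm-4"},
    "vms": [
        {"id": "vm-1", "env": "dev", "cores": 8},
        {"id": "vm-2", "env": "dev", "cores": 4},
        {"id": "vm-3", "env": "production", "cores": 16},
        {"id": "vm-4", "env": "dev", "cores": 8},
    ],
    "accounts": [{"id": "acct-a", "root_access_keys": 1},
                 {"id": "acct-b", "root_access_keys": 0}],
}

if __name__ == "__main__":
    for finding in evaluate(SNAPSHOT, dt.date(2024, 6, 10)):
        print(finding)
```

Keeping the checks separate from the actions means the same findings can drive a notification, an approval request, or an automated remediation, depending on how strictly each rule is enforced.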
Effectively, cloud governance automation software removes much of the work involved in cloud governance, helps you create a more cost-effective and efficient environment, and alerts you to potential security issues before they develop into serious concerns. It is certainly worth investigating, regardless of the size of operation you run in the cloud, now that you know what cloud governance is.