What is Cloud Governance?

As organisations migrate on-premises infrastructure to the cloud and switch from managing capital costs to an OPEX spend model, the realignment of how IT resources are governed is vital to the success of a cloud-first strategy. Cloud governance can be defined as company-wide protocols used to manage spend, ensure resource conformity, speed up deployment, control access, and mitigate security risks.  Best practices for cloud governance are grouped into 5 primary disciplines: Cloud Cost Management, Deployment Acceleration, Resource Consistency, Cloud Security, and Identity & Access Management (IAM).

Cloud Cost Management

Cloud Cost management, also known as cloud cost optimisation or FinOps, is a centralised approach to monitoring cloud environments to improve spend visibility, optimise performance, drive efficient resource usage, and prevent overspend. Cloud cost management is enabled through proper tagging of cloud resources to create transparency and allow chargeback to internal consumers based on actual consumption to promote accountability for decisions that impact the cloud bill.

Cloud cost management strategies can include right-sizing instances, automatic scaling, automated provisioning/deprovisioning, shutting down non-prod environments during off hours, and leveraging cloud vendor discounts for purchasing additional capacity in advance. Other strategies include creating budgets for cloud spend and implementing policies to that require approval for unbudgeted usage. The intent of cloud cost management is to continuously improve the balance between cost, quality, and speed to enhance efficiency and promote innovation.

Deployment Acceleration

Deployment acceleration involves the creation of standardised, reusable cloud assets and code to automate the deployment of new resources. Automated, self-service templates allow DevOps to rapidly deploy new cloud assets and standardise resources across the cloud infrastructure. The Cloud Governance team should partner with DevOps to develop standardised asset configurations that meet the needs of the cloud engineers responsible for resource deployment to help drive adoption.

Deployment acceleration will most likely require an iterative approach to fine tune workloads, improve automated templates, and speed up deployment. A well-defined configuration and deployment strategy along with code repositories will allow organisations to leverage their growing knowledge base to deploy infrastructure-as-code/software-as-code quickly with low risk. Cloud vendors offer cloud marketplace solutions that help organisations quickly set up new, preconfigured assets for specific use cases.

Resource Consistency

Resource consistency is the discipline of consistently configuring cloud resources to manage risks associated with deployment, discoverability, and recovery.  Resource tagging is used to allow resources to be identified by purpose, resource type, creator, owner, and other useful information. Tag enforcement policy is implemented to ensure that cloud resources are consistently tagged and are easily located and identified within the Cloud Architecture. Resource Consistency is key to eliminating shadow IT and reducing sprawl which make it difficult to monitor the cloud environment, accurately allocate costs, and control spend.

Cloud Security

Security is a major concern for companies considering cloud transformation. Organisations can eliminate risks by activating the security capabilities provided by the cloud platform to set appropriate security policies and monitor their cloud environment. In addition to the out-of-the-box functionality provided by your cloud platform, the cybersecurity team should be responsible for the governance and auditing of cloud resources. Your organisation should be able to easily identify and locate sensitive data in your cloud environment to ensure that controls are in place to protect resources from data breaches. Establishing a Security Baseline is a best practice to identify business risks, compliance needs, and additional tools required to secure cloud infrastructure.

Identity & Access Management (IAM)

Most companies have established policies and tools to manage access to sensitive data stored at physical datacentres. Your cloud vendor is primarily responsible for protecting the data in your cloud environment, but it is also essential to implement internal protocols that limit unauthorised access to cloud resources. IAM is the first line of defence against unapproved access to sensitive customer and company data.

Less complex cloud environments can be effectively managed using the account management tools provided by the cloud vendor. Linking cloud authentication to your company IAM directory (Eg. Microsoft Active Directory) will allow larger organisations to define and manage roles, authorisations, and privileges to ensure that each user only has the level of access necessary to perform their role. Establishing an Identity Baseline allows organisations to assess IAM risks and ensure that authentication/authorisation is consistent across cloud platforms.

Cloud Governance Automation Software

In addition to the cloud management tools offer by cloud vendors, there are a variety of third-party cloud governance automation solutions (CloudHealth, Flexera) that execute predefined actions based on cloud governance policy parameters and metrics. Many of these solutions work in tandem with Cloud Cost Management tools to enforce controls that help eliminate cloud overspend. Some of the automated functionality offer by these solutions include deactivating non-production instances during off hours, enforcing instance size based on environment, revoking unauthorised user access, and sending out alerts for governance policy violations. Cloud governance automation software is designed to streamline your cloud governance process and allowing your organisation operate efficiently while eliminating operational and security risks.