Category: Cloud Governance

Overrunning your monthly cloud budget is probably the most obvious indicator that you need more governance. However, less obvious signs could be hiding behind your cloud management policies and procedures. We highlight 10 of these signs and how a cloud governance solution helps with each one in this infographic.

(Download Full Infographic)

---

Marianna leads marketing at cloudtamer.io

I’ve previously written about the key pillars of governance@scale that we built cloudtamer.io to address: account management and budget enforcement. Here are the important requirements for the last pillar: compliance automation.

Policies should be set consistently

For compliance to be effective, it’s critical to have a consistent set of policies that govern usage. We often see our customers do a great job of this on paper but it’s another story when it comes to actually enforcing these policies in a way that prevents users from performing an action that would jeopardize the organization’s compliance posture.

One of the major advantages of the cloud is that every action a user performs is executed through an API call, and leading cloud service providers like Amazon Web Services and Microsoft Azure have very robust security controls built in to help define permissions to allow or deny these user actions.  But as an organization’s cloud use grows, applying policies one at a time across all the cloud accounts and subscriptions is probably the most time-consuming activity we see customers perform. And when a cloud service provider releases a new service or has an existing service accredited to satisfy a compliance regulation, the process of updating these policies becomes a laborious task that is seemingly never ending.

We believe that setting up and updating policies must be automated through a cloud governance solution to ensure consistency.

Policies should be combinatory and inheritable

In the same way I recommended that you set a budget and have funds cascade down through your organization to accounts, your cloud governance solution should allow you to set policies once and have those policies be inheritable by accounts within the hierarchy.

A lot of policies are dependent on one another, and it’s equally important to allow these different policies to be combined based on where an account or subscription exists within the organizational hierarchy. For example, a lot of our federal customers need to maintain compliance with FedRAMP. Within AWS, this requires many different policies including:

• • One or more policies to restrict use of deploying workloads to regions outside of the US
  • One or more policies to restrict the services available to only ones approved by the Joint Accreditation Board (JAB)
  • One or more policies that enable and configure specific cloud services like CloudWatch and CloudTrail within the account to audit activity

Beyond official compliance regulations like FedRAMP, an organization may want to set its own policies to govern its cloud use or may not have a need for all accounts and subscriptions to maintain the same level of compliance (for example, FedRAMP Moderate vs. FedRAMP High). Based on where the account lives within the hierarchy, the right set of policies should be applied automatically to save time and reduce the risk of non-compliance.

Policy exemptions should be easy

There are instances where exemptions to a policy restriction are needed – and should be granted. Whether it be to just try a newly released cloud service or to design a new system using a managed cloud service that will be approved for use within the organization before the system is scheduled to go live, a flexible process to review and approve or deny these exemptions is important. In much the same way your governance solution should make it easy to request a new project or project access, developers or managers should be able to request an exemption to permit use of a service. This process shouldn’t involve out-of-band emails or tickets that are routed to a single operations support desk but, instead, empower individuals within specific roles within various parts of the organization’s hierarchy to make these exemption decisions and then rely on automation to apply the changes.

Fear of violating a policy or security control is the second biggest fear  – behind cost overruns – that we encounter as we engage with customers. Attempting to get your arms around compliance and security through spreadsheets and manual labor isn’t the best approach.

If you’d like to see how cloudtamer.io can help you prevent policy or security violations in the cloud, reach out to our team.

 

---

Brian is the senior vice president of product delivery at cloudtamer.io.

We built cloudtamer.io around three key pillars of governance@scale: account management, budget enforcement, and compliance automation. In a previous post, I talked about the requirements of a robust account management solution.

In this post, I’ll share some thoughts on what makes for good budget enforcement in the cloud and the benefits you should see as a result.

Budgets should cascade from the top

Budgeting works the same way in just about every business on earth. There’s a big pot of money entrusted to the senior leaders within the organization and that money gets transferred down throughout the organization in a hierarchical fashion. It makes sense to set your cloud budget in the same way.

Money has different flavors

For most organizations, not all money is treated the same way. In the government, there is the concept of different funding sources or ‘colors’ of money. In commercial organizations, budget sources differ between externally funded contractual engagements and internal or overhead activities. To further complicate things, each of these different sources of funding typically have different periods of time when they can be spent. Governance requires that the correct projects be funded by the correct sources to ensure proper accounting. At scale, this process must be automated so that people in the accounting or finance department don’t have to spend a week every month reconciling cloud service provider bills.

Budget alerts are only part of the solution

Being notified when cloud spending is approaching a threshold has its uses: it allows for a quick pulse check and evaluation of the current spend plan. However, there are many instances when an alert is simply not enough. What happens when the person receiving the alert is out of the office and cannot act?

When a spend limit is imminent, you need the ability to limit or pause spending without any additional intervention. In certain cases, like sandbox or ‘play’ environments, you may want to terminate spend to prevent further accrual. Budget enforcement actions go a step further than alert functionality.

Alert fatigue is a real phenomenon, and it can be tempting to begin to ignore or defer actions on alerts. In cases where automatic intervention is needed, enforcement actions are the answer.

Budget transparency helps create responsible use

The cloud has flipped the traditional IT spending processes on its head. Long gone are the days when the senior managers within an organization make the decisions on how money should be spent. In the cloud, every engineer makes decisions which cause the organization to accrue costs.

Cost visibility is the bare minimum needed to ensure your entire organization has adequate insight for budgeting, forecasting, cost control, and reporting. Cloud governance solutions should deliver near real-time visibility into service-level and resource-level charges and a view of planned vs spent. But robust governance solutions go a step further to make budget information visible to all cloud users and encourage responsible use. Budget transparency takes the guesswork and mystery out of operating in the cloud, making it more likely that users will approach spend in an informed manner.

During cloudtamer.io demos, the number one concern and the topic that draws most interest is budget. Fear of cost overruns keeps organizations from fully committing to the cloud in many cases. Alerting alone won’t allay this fear; you must have the ability to automatically intervene to be able to sleep at night.

If you’d like to see how cloudtamer.io can help you enforce budgets in the cloud, reach out to our team.

 

---

Brian is the VP of Products at Stratus Solutions, the developer of cloudtamer.io.

I previously wrote about why governance in the cloud must be approached differently than traditional IT governance and why governance matters so much today as organizations move more workloads to the cloud.

We think automation is central to cloud governance, which is why we created cloudtamer.io to take the heavy lifting out of governing your cloud. cloudtamer.io incorporates what we believe are the three key pillars of governance@scale: account management, budget enforcement, and compliance automation.

Here’s a deeper dive into the key requirements of these pillars, starting with account management – the foundation of robust governance in the cloud.

Accounts should align with your organization’s hierarchy

The best practice today is to use multiple accounts and subscriptions to manage distinct cloud workloads. This approach delivers precise access control and cost management, and limits the security and financial blast radius in the event of an issue. When it comes to ‘corralling’ and managing these multiple cloud accounts, it typically makes the most sense to mirror your organization’s hierarchy. Putting cloud projects (i.e., a collection of accounts or subscriptions) within the organization where they are worked and managed facilitates access, budget, and compliance efforts. Organizational placement corresponds to where the cloud users reside and how dollars and policies are cascaded down. By doing this, it becomes very easy to answer questions like “Which department has the most/least cloud accounts and active users?” to help determine future training and onboarding investments to accelerate adoption.

Account creation and use should be streamlined

Most organizations’ traditional IT governance model includes several steps – and many hours – between request and access. Robust cloud governance requires speedier provisioning to take advantage of cloud benefits and reduce the risk of shadow IT. Ideally, you want your business or program owners to have the ability to provision an account, provided they have available funding.  Automation should then take over to ensure consistent setup and enforce use of compliant cloud services and resources (more on this in the next section).

Your cloud users should be able to easily request a project be created or receive access to a project. Managers should be able to review the proposed budget and purpose and decide promptly. This makes the process fast and easy – and more secure – than the alternative: going directly to AWS or Azure and signing up for an account to expense back to the organization later.

Account access should be smart and secure

Based on where your cloud project resides in the organization, no extra steps should be needed to ‘bake in’ the proper security and policy constraints. By setting up projects according to your organizational hierarchy, you can cascade down budget and compliance rules that are automatically inherited by the project. These rules control what the user can access within the cloud and how much they can consume. There’s no need to pull out a spreadsheet to track who has access to which resources or to determine how to setup a user’s permissions.

Your cloud governance solution should expedite access to resources with single sign-on (SSO) and provide options for enhanced security via multi-factor authentication (MFA). We’ve worked with several organizations that were managing separate AWS IAM users (with separate usernames and passwords) and, in some cases, separate MFA tokens per accounts. This approach slowed access and frustrated the technical users who needed to access these accounts multiple times per day. We’ve found that allowing authentication to cloud accounts and resources through existing SSO solutions like Active Directory or SAML makes access truly smart and secure and leads to a frustration-free experience.

Account access should deliver native CSP capabilities

If your cloud governance solutions require that you access the cloud through a broker or another intermediary solution, you end up forcing your users to learn additional interfaces and languages. Most importantly, you limit access to those cloud services that have been made available via a broker. In their earlier days, one of our customers opted to use a cloud broker to “simplify” access to AWS. Over time, this broker could only support basic services like S3 and EC2. As the organization matured its cloud experience, an increasing number of end users asked to use managed services like Sagemaker and Polly, which weren’t available. As a  result, developers and engineers spent time re-inventing the wheel, which ultimately slowed innovation.

Cloud service providers (CSPs) are releasing functionality at a very fast pace; the only way to keep up is to implement automated, transparent governance and get out of the way. It’s  important for cloud users to get native access to the CSP console, CLI, and API and establish the necessary safeguards to ensure controlled access to services.

The decisions you make around account management will obviously have a dramatic impact on cloud adoption success within your organization. When we help customers with initial cloudtamer.io setup, discovery and workshopping around account management is our first priority.

If you’d like to see how cloudtamer.io can give you a solid foundation for account management in the cloud, reach out to our team.

 

---

Brian is the VP of Products at Stratus Solutions, the developer of cloudtamer.io.

AWS just released a new white paper with recommendations to help organizations achieve governance as their cloud use scales. If you’re encountering issues as you scale – or want to plan now for anticipated growth –  AWS Governance at Scale provides a detailed look at:

• • The management, financial, and compliance challenges encountered as cloud adoption grows
  • Traditional approaches organizations often take to govern cloud workloads – and their limitations
  • AWS’ approach to achieving governance at scale, derived from best practices and from customers who have successfully operated at scale
  • Decision factors to help you determine if you need a governance solution and whether you should build or buy
  • A capability checklist to use as you assess governance solutions

If you’re curious about cloudtamer.io and how the solution scores on the AWS capability checklist, contact us for a demo and discussion.

---

Marianna is the cloudtamer.io Product Marketing Manager.

Whether you’re dipping your toes into the cloud, or you’re fully immersed, chances are you’ve heard the term ‘cloud governance’. What do we mean when we talk about governance in the cloud and why does it matter?

Cloud governance is the development and implementation of controls to manage access, budget, and compliance across your workloads in the cloud. At first glance, this definition may sound a lot like the definition of IT governance, just ‘in the cloud’. In fact, it’s tempting – especially in an organization’s early days of cloud adoption – to attempt to apply traditional IT governance methods to the cloud. But traditional IT governance, which goes like this:

User request→Manager approval→IT review→IT approval→Provisioning

is pretty much antithetical to the decentralized, rapidly growing nature of the cloud, where what you want to get to is this:

User requests cloud account or service→Validation against policies and budget→Access

Without rethinking your governance process, it is impossible to achieve the agility, speed, and cost savings benefits truly possible in the cloud. We fundamentally believe automation is key to re-inventing this process in the cloud. The result is streamlined access for users and rules that will take care of establishing, verifying, and enforcing budget and policy compliance.

Here are four reasons why cloud governance is so critical today:

Governance makes it easier to manage cloud resources

Leading cloud service providers like AWS are now advising customers to move multiple-tenant workloads residing in a single cloud account or subscription into their own distinct account. Using multiple accounts to manage distinct cloud workloads is considered a best practice today to deliver precise access control and cost management, and limit the security and financial blast radius in the event of an issue. An effective governance strategy can help organize the volume of accounts most organizations need and provide visibility around key cloud activities and trends.

Governance helps curb shadow IT

When you don’t know what systems are in use – or where corporate data resides – your risk and spend increase. Employees turn to shadow IT when they are stalled or stymied in getting access to resources to do their job. Cloud governance helps put in place the required framework to easily request and access cloud resources, giving team members access to the breadth of allowed cloud resources within compliance and budget constraints. You reduce employee frustration and the likelihood of a staff member using their personal cloud accounts out of convenience. And, in the process, you raise leadership confidence in the move to the cloud.

Governance reduces risk

Whether it’s exposed data, non-compliance with policies or regulations, or cost overruns, there are risks when operating in the cloud. A cloud governance solution can help ensure S3 buckets have proper controls to keep them private, your resource use is compliant with regulations such as HIPAA and FedRAMP, and spend is enforced so limits are not exceeded.

Governance reduces labor

Instead of having your team use spreadsheets and similar manual processes to track accounts, cost, and compliance, you can set guardrails at the appropriate point in your organizational hierarchy and have these guardrails control access, budget, and policy for the specified projects. In addition, complete governance solutions provide enforcement actions as well, allowing you to do away with necessary follow-up actions after you receive an alert. Preventing budget overruns and non-compliant activities saves time and effort. The result of labor savings is more time to focus on value-add, mission-delivering activities.

So, we’ve defined cloud governance, and we know why it matters. Now, how do you get to cloud governance? Based on our consulting experience with customers, we identified three key pillars of governance@scale: account management, budget enforcement, and compliance automation. We built cloudtamer.io around these three pillars. In future blog posts, we’ll take a detailed look at these pillars and the role they play in cloud governance.

---

Brian is the VP of Products at Stratus Solutions, the developer of cloudtamer.io.

I had the opportunity to participate in a recent episode of Government Matters that was sponsored by Amazon Web Services (AWS). The broad theme of the episode was security in the cloud, and my portion of the discussion focused on how cloud governance helps to ensure cloud security.

Some of the topics I covered:

• • How federal agencies can govern their presence in the cloud at scale
  • Opportunities for agencies to tailor their cloud infrastructure to meet growing missions
  • The importance of compliance regimes, like FedRAMP, to the cloud security discussion

The episode is a great introduction to the problem cloudtamer.io was built to solve: how to govern cloud access and the use of cloud resources as organizations move more workloads to the cloud.

GovLoop has a nice summary of the discussion and a link to the episode replay.

---

Dede is the CEO of Stratus Solutions, the developer of cloudtamer.io.