Cloud Governance Choices: Build, Broker, or Enable?

As organizations move more to the cloud and look to automate and reduce risk as they scale, many are weighing their cloud governance choices. First, you need to decide whether to build your own or procure a solution. If you're procuring, you have two different types of cloud governance solutions; I think of these as cloud brokers vs cloud enablers. In this post, I'll provide a '100-level' look at your options.

Home-built vs. tools-based

A home-built solution is typically championed by engineers after they take a glance through services such as AWS Organizations, AWS Control Tower, and open source tools and believe they've solved the problem.

Home-built solutions to governance are the epitome of what AWS CTO Werner Vogels calls "undifferentiated heavy lifting": the time and effort an organization spends on initiatives that don't differentiate it from its competitors in its industry. You're doing undifferentiated heavy lifting when you:

  • Focus on integrating disparate tools into a comprehensive governance solution
  • Guess at an ever-evolving threat landscape
  • Write bespoke policy to adhere to industry-standard compliance programs

A better use of time for most organizations is devoting efforts to building a better widget.

The alternative to a home-built solution is to go with a tools-based approach to governance. Tools-based approaches allow you to partner with an organization whose sole focus is governance. A good vendor in the space will provide a rich feature set across the multiple dimensions of cloud governance – identity and access management, financial visibility and budgetary enforcement, and security and compliance. They have staff on hand who are experts in their discipline and stay on top of emerging standards and changes to existing compliance programs.

Cloud brokers vs cloud enablers

Within the overall tools-based approach to cloud governance, there are two types of solutions. The first category of tools is cloud brokers. Brokers act as a buffer between end users and cloud providers. The broker approach allows you to exert the maximum amount of control over your public cloud footprint.

There are two big downsides to using a cloud broker:

  • Staff don't get native cloud experiences; instead, they have to learn the broker. Abstracting the underlying cloud services is not a good thing. With a workforce that likes using the command line interfaces and has experience in cloud-native consoles, going with a brokered approach forces your team to learn an additional tool. Injecting an additional provider between you and your cloud often results in an inefficient, frustrating user experience.
  • No vendor will move as fast as the cloud service providers. After 40 new services are announced at the next AWS re:Invent conference, it can be months before your broker provides support for them.

Opposite of brokers are what I like to call cloud-enabler solutions. This class of tool takes an alternate approach. Instead of abstracting native concepts, these solutions help you leverage the cloud through its native constructs while lessening the managerial burden of running a cloud at scale. Cloud enablers should use the native cloud provider services. As an example, instead of abstracting AWS IAM and policies, these tools embrace them and facilitate their usage in a safe way.

Cloud-enabler solutions put an easy button on the undifferentiated heavy lifting of managing a comprehensive governance program while providing engineers with the cloud environment they know and love.

When doing a tool evaluation, stay away from brokers, who want to inject themselves between you and your cloud. Stick with a cloud-enabler solution and your engineers, security team, and leadership will be thrilled with the experience and the results. Contact us for a demo of our cloud enabler, cloudtamer.io.


Chris leads design and engineering at cloudtamer.io.