The ABCs of Cloud Governance: Account Management
I previously wrote about why governance in the cloud must be approached differently than traditional IT governance and why governance matters so much today as organizations move more workloads to the cloud.
We think automation is central to cloud governance, which is why we created cloudtamer.io to take the heavy lifting out of governing your cloud. cloudtamer.io incorporates what we believe are the three key pillars of governance@scale: account management, budget enforcement, and compliance automation.
Here's a deeper dive into the key requirements of these pillars, starting with account management – the foundation of robust governance in the cloud.
Accounts should align with your organization's hierarchy
The best practice today is to use multiple accounts and subscriptions to manage distinct cloud workloads. This approach delivers precise access control and cost management, and limits the security and financial blast radius in the event of an issue. When it comes to ‘corralling’ and managing these multiple cloud accounts, it typically makes the most sense to mirror your organization’s hierarchy. Putting cloud projects (i.e., a collection of accounts or subscriptions) within the organization where they are worked and managed facilitates access, budget, and compliance efforts. Organizational placement corresponds to where the cloud users reside and how dollars and policies are cascaded down. By doing this, it becomes very easy to answer questions like “Which department has the most/least cloud accounts and active users?” to help determine future training and onboarding investments to accelerate adoption.
Account creation and use should be streamlined
Most organizations’ traditional IT governance model includes several steps – and many hours – between request and access. Robust cloud governance requires speedier provisioning to take advantage of cloud benefits and reduce the risk of shadow IT. Ideally, you want your business or program owners to have the ability to provision an account, provided they have available funding. Automation should then take over to ensure consistent setup and enforce use of compliant cloud services and resources (more on this in the next section).
Your cloud users should be able to easily request a project be created or receive access to a project. Managers should be able to review the proposed budget and purpose and decide promptly. This makes the process fast and easy - and more secure - than the alternative: going directly to AWS or Azure and signing up for an account to expense back to the organization later.
Account access should be smart and secure
Based on where your cloud project resides in the organization, no extra steps should be needed to ‘bake in’ the proper security and policy constraints. By setting up projects according to your organizational hierarchy, you can cascade down budget and compliance rules that are automatically inherited by the project. These rules control what the user can access within the cloud and how much they can consume. There’s no need to pull out a spreadsheet to track who has access to which resources or to determine how to setup a user’s permissions.
Your cloud governance solution should expedite access to resources with single sign-on (SSO) and provide options for enhanced security via multi-factor authentication (MFA). We've worked with several organizations that were managing separate AWS IAM users (with separate usernames and passwords) and, in some cases, separate MFA tokens per accounts. This approach slowed access and frustrated the technical users who needed to access these accounts multiple times per day. We’ve found that allowing authentication to cloud accounts and resources through existing SSO solutions like Active Directory or SAML makes access truly smart and secure and leads to a frustration-free experience.
Account access should deliver native CSP capabilities
If your cloud governance solutions require that you access the cloud through a broker or another intermediary solution, you end up forcing your users to learn additional interfaces and languages. Most importantly, you limit access to those cloud services that have been made available via a broker. In their earlier days, one of our customers opted to use a cloud broker to “simplify” access to AWS. Over time, this broker could only support basic services like S3 and EC2. As the organization matured its cloud experience, an increasing number of end users asked to use managed services like Sagemaker and Polly, which weren’t available. As a result, developers and engineers spent time re-inventing the wheel, which ultimately slowed innovation.
Cloud service providers (CSPs) are releasing functionality at a very fast pace; the only way to keep up is to implement automated, transparent governance and get out of the way. It’s important for cloud users to get native access to the CSP console, CLI, and API and establish the necessary safeguards to ensure controlled access to services.
The decisions you make around account management will obviously have a dramatic impact on cloud adoption success within your organization. When we help customers with initial cloudtamer.io setup, discovery and workshopping around account management is our first priority.
If you'd like to see how cloudtamer.io can give you a solid foundation for account management in the cloud, reach out to our team.
Brian is the VP of Products at Stratus Solutions, the developer of cloudtamer.io.