The ABCs of Cloud Governance: Compliance Automation
I’ve previously written about the key pillars of governance@scale that we built cloudtamer.io to address: account management and budget enforcement. Here are the important requirements for the last pillar: compliance automation.
Policies should be set consistently
For compliance to be effective, it’s critical to have a consistent set of policies that govern usage. We often see our customers do a great job of this on paper but it’s another story when it comes to actually enforcing these policies in a way that prevents users from performing an action that would jeopardize the organization’s compliance posture.
One of the major advantages of the cloud is that every action a user performs is executed through an API call, and leading cloud service providers like Amazon Web Services and Microsoft Azure have very robust security controls built in to help define permissions to allow or deny these user actions. But as an organization’s cloud use grows, applying policies one at a time across all the cloud accounts and subscriptions is probably the most time-consuming activity we see customers perform. And when a cloud service provider releases a new service or has an existing service accredited to satisfy a compliance regulation, the process of updating these policies becomes a laborious task that is seemingly never ending.
We believe that setting up and updating policies must be automated through a cloud governance solution to ensure consistency.
Policies should be combinatory and inheritable
In the same way I recommended that you set a budget and have funds cascade down through your organization to accounts, your cloud governance solution should allow you to set policies once and have those policies be inheritable by accounts within the hierarchy.
A lot of policies are dependent on one another, and it’s equally important to allow these different policies to be combined based on where an account or subscription exists within the organizational hierarchy. For example, a lot of our federal customers need to maintain compliance with FedRAMP. Within AWS, this requires many different policies including:
- One or more policies to restrict deploying workloads to regions outside the US
- One or more policies to restrict the services available to only ones approved by the Joint Accreditation Board (JAB)
- One or more policies that enable and configure specific cloud services like CloudWatch and CloudTrail within the account to audit activity
Beyond official compliance regulations like FedRAMP, an organization may want to set its own policies to govern its cloud use or may not have a need for all accounts and subscriptions to maintain the same level of compliance (for example, FedRAMP Moderate vs. FedRAMP High). Based on where the account lives within the hierarchy, the right set of policies should be applied automatically to save time and reduce the risk of non-compliance.
Policy exemptions should be easy
There are instances where exemptions to a policy restriction are needed – and should be granted. Whether it be to just try a newly released cloud service or to design a new system using a managed cloud service that will be approved for use within the organization before the system is scheduled to go live, a flexible process to review and approve or deny these exemptions is important. In much the same way your governance solution should make it easy to request a new project or project access, developers or managers should be able to request an exemption to permit use of a service. This process shouldn’t involve out-of-band emails or tickets that are routed to a single operations support desk but, instead, empower individuals within specific roles within various parts of the organization’s hierarchy to make these exemption decisions and then rely on automation to apply the changes.
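To make the hierarchy, inheritance and exemption ideas from the two sections above concrete, here is an added example (not cloudtamer.io code) that attaches SCP-style policy fragments to nodes of a small organization tree, composes the effective deny policy for an account from everything on its path to the root, and treats an approved exemption as a widening of the approved-service list. The node names, account ids, the approved-service list and the "newsvc" service are constructed placeholders, and the evaluator is a deliberately minimal stand-in for the real IAM/SCP evaluation logic.

```python
# Added example, not cloudtamer.io code: every hierarchy node carries policy
# fragment names and an account inherits all fragments on its path to the root.
# Node names, account ids, the approved-service list and "newsvc" are placeholders.
HIERARCHY = {  # node: (parent, fragments attached here)
    "root": (None, ["audit_logging"]),
    "fedramp-high": ("root", ["us_regions_only", "approved_services_only"]),
    "acct-111111111111": ("fedramp-high", []),
    "acct-222222222222": ("fedramp-high", ["exempt:newsvc"]),  # approved exemption
}
US_REGIONS = ["us-east-1", "us-east-2", "us-west-1", "us-west-2"]
APPROVED = ["ec2", "s3", "cloudtrail", "cloudwatch", "logs"]  # placeholder list

# SCP-style Deny statements; the audit-logging fragment is a configuration
# task, not a permission boundary, so it carries no statement here.
FRAGMENTS = {
    "us_regions_only": {"Effect": "Deny", "Action": "*", "Resource": "*",
                        "Condition": {"StringNotEquals": {"aws:RequestedRegion": US_REGIONS}}},
    "approved_services_only": {"Effect": "Deny", "Resource": "*",
                               "NotAction": [f"{s}:*" for s in APPROVED]},
}

def inherited(node):
    """Fragment names from the node up to the root, nearest first."""
    names = []
    while node is not None:
        parent, fragments = HIERARCHY[node]
        names += fragments
        node = parent
    return names

def effective_scp(account):
    """Combine inherited fragments; an exemption widens the approved list."""
    names = inherited(account)
    exempt = [n.split(":", 1)[1] for n in names if n.startswith("exempt:")]
    statements = []
    for name in names:
        if name in FRAGMENTS:
            stmt = dict(FRAGMENTS[name])  # shallow copy; lists are replaced, not mutated
            if "NotAction" in stmt:
                stmt["NotAction"] = stmt["NotAction"] + [f"{s}:*" for s in exempt]
            statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}

def is_denied(scp, action, region):
    """Minimal evaluator for the two statement shapes used above."""
    service = action.split(":")[0]
    for stmt in scp["Statement"]:
        regions = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        if regions is not None and region not in regions:
            return True
        if "NotAction" in stmt and f"{service}:*" not in stmt["NotAction"]:
            return True
    return False
```

In a real deployment the composed document would be applied by automation to the organizational unit or account rather than evaluated locally; the point here is that the exemption never removes the region restriction, which is still inherited from the parent.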
Violating a policy or security control is the second biggest fear – behind cost overruns – that we encounter as we engage with customers. Attempting to get your arms around compliance and security through spreadsheets and manual labor isn’t the best approach.
If you’d like to see how cloudtamer.io can help you prevent policy or security violations in the cloud, reach out to our team.
Brian is the senior vice president of product delivery at cloudtamer.io.