Before entering the cloud realm, it is wise and essential to develop a cloud governance model. But what is it? How do I develop one? Fear not, we are here to explain!
If you’re reading this article, then your organization has probably decided to adopt the cloud. It might be easy: do a proof-of-concept, move some machines, or build a new application based on providers like Microsoft or Amazon.
You will onboard your teams quickly, they will do some training, and soon you'll be running solutions in the cloud. You will become a cloud organization.
And then IT will happen
IT might be the first bill for resources that someone forgot to de-allocate. Or an invoice for a test machine set up to test some heavy workload and left up and running for weeks.
IT might be your security office hunting you down because an audit found some data or ports exposed to the Internet.
IT might be the auditor who checks your environment every year but has now noticed that you are running new workloads in the cloud and asks about your policies.
Or, IT might just be your CFO asking what you are spending money on with Microsoft, a question that you will not be able to answer.
IT typically boils down to one thing: how exactly do we run this "cloud" thing (or HEDWRTTCC, as all of us in IT love complex acronyms)? Eventually, someone will raise a question about the cloud governance model for your organization.
Governance? Huh? Sounds complex and scary.
Luckily, we have built cloud governance models for our on-premise environments, and we do use them. We have cost allocations and budgets, security controls, ways to deploy things and operate them.
So why not start there? Before boarding the cloud ship, also build guidance on how to operate it for your cloud crew-mates.
NOTE: This is the first in a series of posts and videos we will provide on Azure Cloud Governance. Stay tuned so you don’t miss the next one in the series.
ADVICE FOR IMPATIENT READERS WHO WANT TO JUMP DIRECTLY TO TECHNICAL DETAILS
Rest assured, we'll provide technical guidelines in the last part of the article. But we highly recommend that you first read the "Why?" and "What?" sections before jumping to the "How?" If you want to jump straight into the nitty-gritty details, go to the "How?" section!
Our “Why?” and “What?” sections apply to any cloud environment. If you are an Amazon or Google user, you can benefit from them as well. If you want to educate yourself on an Azure–specific approach, this is where the “How” applies.
It is a good habit to start any action or decision with the WHY question (and sometimes repeat it 5 times to make sure that you nailed the answer). So, why do you need a cloud governance model for your organization?
It provides a framework for operations, makes design decisions easier, ensures that you have the proper controls in place in terms of cost, auditing, monitoring, and security. Those are all valid reasons.
Another reason is that it accelerates your cloud adoption and business transformation! Yeah, I know how that sounds. Another B-bingo game.
Look at it from this perspective: why does one adopt the cloud? To speed things up. From a purely operational point of view (faster deployment) to business operations (making changes faster, creating more incremental changes and test results, lowering time to market with services). When things go more quickly, the chance that something will fail is higher.
With a cloud governance framework, you lower the risk that something will break by providing a clear environment to operate in and rules for it, ready-to-apply patterns, and tools and solutions for common elements, together with the templates needed to apply them consistently.
This way you can operate your cloud environment faster, in a consistent way, with controls on top of it, from both operational and business points of view.
It is your organization’s manual for building and operating the cloud environment or services.
When we were working on a framework for operations at Predica, we addressed three main questions: Why? What? And How?
We’ve covered the Why, so let’s deal with the What? What is this thing called the cloud governance framework? (By the way – you can call it governance framework or model – the name is not that important, but rather how it enables change at your organization).
Aside from the technical elements, what does your cloud governance model need to cover? At a high level there are three main components: Business, People and Technology (or BPT if we stick to the acronym game in this article).
The business side gives your organization objectives for your cloud deployment and governance model. Those objectives will mostly be defined in the following areas:
- Performance: defined by how your cloud adoption will translate to performance in terms of your business goals
- Cost optimization: optimization and control of costs related to cloud operations
- Compliance: how you meet requirements for your compliance regulations (be it internal or external)
- Security: how to keep your data and infrastructure safe and secure, which ties directly into the next point:
- Risk management: what is your risk model and what risks are you trying to mitigate with your cloud deployment?
People are at the center. We highly recommend that early in the process you establish a dedicated team that will make sure your cloud governance framework covers your business objectives and applies the right technology. To ensure that you have it covered, create your own A-Team – Cloud Strategy Team! (you can pick a better name – I’m sure of that).
This team should be cross-discipline: include your application developers, architects, networking team and others, and make sure that you have your core disciplines represented. Your team will have two main tasks:
Define and build your governance framework
Define the strategy and approach, and how it should be rolled out based on your business needs. Align it with business goals and controls like cost optimization and compliance.
Build and operate a shared infrastructure environment and components
This is where the shared components of the cloud environment are born and maintained. Your Cloud Strategy Team will build the shared elements of the governance framework and its implementation. They will also build and operate the shared infrastructure for the organization (subscriptions, management groups, the connection between your on-prem networks and the cloud, shared services).
Technology is how the people on your team will apply the cloud to meet the business side of the requirements. The best outcome is when they have common patterns and ready-to-deploy solutions to implement in these five areas:
- Cost management
- Security baseline
- Identity baseline
- Resource consistency
- Deployment, auditing, and monitoring.
We have the “Why” and “What” covered – time to move to How!
Finally, we arrive at the How element. Before jumping to the technology itself, a few entry words on the “How”. Do not aim to address all the aspects and concerns in one big shot (OBS for the acronym game). This is not going to work. When you are starting this journey, you might not even know what you are going to deploy.
Start with a Minimum Viable Product (or Minimum Viable Policies, MVP) in place. First, set up a governance framework for a single type of subscription (e.g. development environments) with a minimal set of policies (for instance: all assets must be grouped and tagged, all assets must use the same deployment model, all resources must be allocated to a cost center) and build around that.
Once you have your MVP built and deployed, set up a process for incremental growth. Review and iterate your governance framework in sprints based on the following:
- New resource types being added / deployed
- The growth of your environment / cloud usage
- New elements of the policies defined based on your business objectives.
Set up triggers for your policy updates. For instance: every time our cloud consumption grows by 20%, we need to review our policies on cost management. Or every time we deploy a new service, we need to review security and auditing controls applied within our framework.
Monitor those triggers! If you have triggers for your policy updates, you need to track them. In the beginning, it might be a manual process. E.g., your Cloud Strategy Team needs to review every deployment ready to be applied to identify if there are new types of resources being implemented and that all deployments are prepared in the right way.
FRIENDLY ADVICE: Automation is cool and needed, but don’t aim to automate all the things right from the start and delay your first iterations of cloud governance because you need to automate them!
The Azure Way of Doing Things
Now let’s look at the practical solutions.
Accept the fact that you will have multiple subscriptions and environments.
Arrange your subscriptions using Management Groups. This is how you can group subscriptions within a single management unit.
As a design strategy, create Management Groups for your environments such as a development and/or a production environment.
Within the Management Groups, arrange subscriptions based on your organizational approach. These may include the following:
- Cost centers
- Application categorization (e.g. critical, non-critical, vendor–managed).
Some organizations use this to simplify billing: one subscription per billing unit.
Within subscriptions, create resource groups per application or workload.
IMPORTANT: Early in the cycle, adopt and apply a consistent terminology and naming convention for all these resources. Make it part of your initial cloud governance MVP! You need a clear nomenclature for all elements (subscriptions, resource groups, resources, etc.).
Define your business goals for it, risk model, constraints and put them in writing as policies.
Your objective with this work is to set a foundation for clear and faster adoption of the cloud. Since this might be an early stage of your adoption, some things might go wrong (risks):
- Limited team awareness of the cloud and limited development skills
- You don’t know the exact cost structure of resource utilization
- The security model is new to you; you don’t know if it will be applied consistently across all resources and deployments
- Many people and teams will share the environment and might apply conflicting standards and ways of doing things
- Wrong use of identities might lead to security risks and leakage of data
- Data deployed to the cloud might be against your compliance policies.
IMPORTANT: Before going further with your governance framework, identify early business goals and risks. Don’t nail it down – you can always iterate on it!
Based on those goals and risks, you can identify policies for your environment, e.g.:
- All resources need to be deployed with the appropriate tagging and within a resource structure
- All resources must follow a defined deployment model.
- Only organizational accounts from Azure AD and partners through B2B mechanisms are allowed within the environment
- An RBAC model applied across all resources, with specific roles (like a company-wide auditor), and all elevated privileges assigned to groups only, never to individual accounts
- Connectivity between the cloud environment and the on-prem network goes through a dedicated subscription and its networking setup
- All data must be encrypted using the encryption options each service provides
- The use of credentials is minimized with Managed Service Identity (now called managed identities for Azure resources), and any remaining credentials are stored in Key Vault.
- All resources need to be placed within the management structure
- All resources need to be tagged for the cost centre assignment.
This is an initial set. The next iteration needs to be more in-depth and go into more detail on how it is going to be implemented.
Those policies will be mapped to specific Azure tools and their implementation based on particular categories. You may also onboard third-party tools and external services to help you apply them in the environment.
Azure offers several tools to help you implement your policies during the deployment stage. You can use Azure Resource Manager (ARM) templates for all deployments and disallow manual deployments entirely.
To identify resources and check their compliance with your policies, you can use Azure Resource Graph, which lets you query resource properties across all your subscriptions at scale.
To enforce your policies and the compliance of resources with them, you have another powerful tool: Azure Policy. You can use it to identify compliant and non-compliant resources, verify compliance at the time of creation (and block non-compliant deployments), and check specific VM and service settings.
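As an added example (not code from the original article), here is how one of the MVP policies above, "all resources must be tagged for cost centre assignment", maps onto an Azure Policy definition. The tag name costCenter and the default effect are assumptions; both are parameters so the same definition can be assigned first in Audit mode to see what is non-compliant, and later switched to Deny once the teams have caught up:

```json
{
  "properties": {
    "displayName": "Require a cost centre tag on every resource",
    "description": "Example policy: reports or blocks resources created without the tag named in tagName. Assumed tag name: costCenter. Default effect: Audit.",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Name of the tag that must be present on every resource"
        },
        "defaultValue": "costCenter"
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit only reports non-compliant resources; Deny rejects the deployment"
        },
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign the definition at the management group that holds your development subscriptions, review the compliance view in Azure Policy, and only then change the effect parameter to Deny. Note that Deny applies to new and updated resources only: resources that already exist without the tag are reported as non-compliant, not changed. If you want Azure to add a default tag rather than block the deployment, Azure Policy also offers the Modify effect for exactly that purpose.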
The best way to ensure that things are configured correctly is to utilize templates in the form of Azure Blueprints. Blueprints enable and orchestrate the deployment of:
- Role assignments and the RBAC model
- Policy assignments
- ARM template deployments
- Resource groups
and, through these, many other services and elements.
IMPORTANT: If you want to make sure that new subscriptions are defined exactly as you want them, put them in the form of Blueprints. In general, AVOID MANUAL DEPLOYMENTS and use automation from day 1. (Note: Microsoft has since announced the deprecation of Azure Blueprints and recommends Template Specs and Deployment Stacks instead; the principle of codifying your subscription setup remains the same.)
You will find a quick introduction to Azure Blueprints in this video.
We have written about this extensively here on the blog and in our other resources. Establish the co-existence between your on-premises and cloud environments and choose your authentication methods.
A few important notes here:
- Use MFA wherever possible and make sure that all your admin accounts use it. When it becomes available (at the time of writing it is not, or only in preview), deploy FIDO-compliant devices to your administrators.
- If possible, use Privileged Identity Management to give your administrators and other team members just-in-time, time-bound elevated permissions instead of standing privileges.
- Remember to set up emergency access (break-glass) accounts for your environment, and protect them: store their credentials securely, exclude them from Conditional Access policies that could lock you out, and monitor their sign-ins. There might be a time when you need them.
Security is essential, and it is among the first concerns raised when a company adopts the cloud. Because of this, it is also well described and addressed on the platform.
REMEMBER: Cloud is not magic! It doesn’t work on its own. Even if the controls are there – you need to put them in place!
Set the basic requirements for your core elements on Azure:
- RBAC model and permissions management
- Encryption of disks and data, both in storage accounts and within services
- Networking protection with VNets, network security groups, firewall, and other networking elements.
There are around 20 security-related whitepapers with guidance on those elements available. Use them to educate yourself one topic at a time.
NOTE: We also have Azure Security Workshop within our services – you can check the details here.
Familiarize yourself with tools you have on the platform and apply them as security controls.
Azure Security Center (now Microsoft Defender for Cloud) is a one-stop shop for monitoring your security posture and controls. It provides a real-time view into your resources' compliance with regulatory requirements. Make sure to check it, as it gives you actionable items to improve in this area. Plan your resource coverage with Azure Security Center; it also has a free plan.
Azure Sentinel (now Microsoft Sentinel) is a new service that provides SIEM capabilities in the cloud and for cloud resources. It gives insight and monitoring across many data sources. You can try it for free at the time of writing. Make sure to check whether it can be your tool of choice for security and threat monitoring.
Educate yourself on the platform's identity and secrets features and write your policies for them. This is a requirement for using platform features and services like the following:
- Azure AD and its security model for resources and access across the platform
- Azure Key Vault for securing sensitive materials, credentials, and keys.
Cost management is always an essential factor in cloud deployments. To implement it efficiently you need three elements:
- A consistent way of deploying resources within your management structure
- A set of Azure Policy definitions as the first level of control over resource creation and spending
- Actual cost control tools.
One thing to check for sure is how your subscription payment model supports those solutions. There may be differences between Enterprise Agreement (EA), Cloud Solution Provider (CSP) and the other ways you can purchase Azure.
Time to take a break!
Let’s end our first article here in the series on cloud governance. I believe you are now better equipped to start the process of implementing an Azure Cloud Governance in your organization.
We will continue this series on our blog and our YouTube channel. Stay tuned, follow us and if you have any questions – ask them in the comments!
I encourage you to also join the upcoming webinar on cloud governance and DevOps that I have the pleasure to co-organize:
Lots of knowledge essential on the journey to the cloud guaranteed! See you there!
If you need help on this journey, you know who to call. No, it is not Ghostbusters!