When it comes to governance, many people think of Governance, Risk management and Compliance, which spans regulatory compliance and overall security posture. Meanwhile, others think that governance is more about a basic foundation of policy enforcement, best practices and frameworks that help organizations define scalable solutions that will grow with the company over time.
However, it isn't about one or the other; it takes both to develop a successful governance strategy. So, how do you achieve that? IT leaders need to look at both the security requirements and the requirements of the business -- not just how the business wants to manage and report, but also how it wants to consume resources over time.
Oftentimes, we see organizations dive into the cloud head-first, which is fantastic -- in a sense. But rapid adoption of the cloud usually means that preparatory stages have been rushed. I've seen a lot of these scenarios: Organizations quickly embrace the cloud to accelerate time to market or to access a customer base that perhaps they weren't previously able to reach. The cloud offers many benefits. Its elastic capabilities and flexibility are undoubtedly attractive.
There are a variety of cloud provider options, but they all have fairly similar structures to facilitate policy design and enforcement on the platform. Sometimes it's just a matter of turning on available feature sets and functions and performing minimal configuration. But many organizations don't even know what tools exist because they don't know the platforms well enough yet.
Leveraging the tools that are available to you on your cloud platform(s) is critical for the structure of your governance. You also need to leverage management groups to apply policies across multiple subscriptions and resource groups. By enforcing things like tagging, you gain the ability to turn on cost management features on the platform(s) and use those to identify additional opportunities to govern and reduce costs.
A major consideration when developing a governance strategy for the cloud is standards. What standards do you plan to use? If you don't have standards, then you also don't have a good way to track how you're performing against those standards. You've got to establish some kind of baseline and make sure that the baseline is healthy before you start growing on top of it. This way, you'll have a clear understanding of where your starting point is -- and where you want to go.
Consumption and value
It's far too easy to consume more than you planned if you don't turn on some of the basic features available in cloud platforms. For instance, in Microsoft Azure, when you provision a virtual machine, there's a page that allows you to enter time settings (e.g., "I want to turn this off at 5:00 p.m.") that protect you from paying for the compute related to that workload when you're not using it. Using this type of feature can deliver as much as 40% to 80% savings, depending on how you're going to use that resource.
Broadly stated, you can only get value from the cloud in two ways:
- By increasing your ability to deploy and manage infrastructure using cloud capabilities such as frameworks for artificial intelligence, machine learning or the internet of things; or
- By decreasing costs compared to a fully on-premises environment that could require investments to cool, maintain and staff the facility.
If you want to make sure you're getting the most value from the cloud, you've really got to pull both of those levers. You have to get more capability out of the platform, which may require you to invest more in the platform. And you have to look at how you can reduce cloud costs.
Multi-cloud and management options
There's another layer of governance needed for multi-cloud environments: cloud management. Organizations with multiple, large or complex investments in public cloud platforms, for example using both Google Cloud and Azure, need effective cloud management processes, tools and resources. Implementing a cloud management platform may seem like a good quick fix, but it's important to consider what capabilities your organization wants to have on a day-to-day basis.
I urge anyone who's early into the cloud adoption process to make sure you do the work upfront in designing your governance -- it's your foundation, your landing zone. Be sure you're comfortable with how you grow inside of the cloud platform(s) that you're investing in over time, because it costs more to implement governance and controls and remediate challenges later on than it does to do the work upfront.
About the author
Scott Cameron is a senior architect for cloud and data center transformation at Insight Enterprises, a global IT solutions provider.