No matter who I speak with about the cloud, the same pain points come up repeatedly. Organizations always need to better manage cloud costs, improve their security posture and meet their compliance requirements.
According to a report from data security company Lepide, the three most common causes of a data breach are:
- Insider threats due to misuse of privileged access
- Weak and stolen passwords
- Unpatched applications
In other words, the most common causes of a breach lie within the organization's own control.
When customers first move into the cloud, their instinct might be to build a cloud security governance model based on one or more regulatory frameworks relevant to their industry. Although this can be a helpful first step, it is also critical that organizations understand what the control objectives for their workloads must be.
But before you can build that model, it’s important to know what cloud governance is and consider why you need it.
Cloud governance is how an organization ensures consistent application of policies across all teams. The best way to implement consistent governance is by codifying as much of the process as possible (policy as code and infrastructure as code rather than manual checklists). Security governance supports business objectives by defining policies and controls to manage risk.
Moving into the cloud provides you with an opportunity to deliver features faster, react to the changing world in a more agile way, and return decision-making to those closest to the business.
In this fast-paced environment, it's crucial to maintain consistency, scalability and security. This is where a strong governance model helps. Creating the right governance model for your organization may seem like a complex task, but it does not have to be.
You should begin by breaking down your governance model into sections to properly build it. Aside from the technical elements, what else does it need to cover? At a high level, you have three primary components: business, people and technology.
The business aspect gives your organization objectives for cloud deployment and a governance model. These objectives will primarily be set in the following areas:
- Performance. This is defined by how your cloud adoption will translate to performance in terms of your business goals.
- Cost optimization. This is about streamlining and controlling of costs related to your cloud operations.
- Compliance. This is how you meet requirements for compliance regulations, whether internal or external.
- Security. This is how you keep your data and infrastructure safe and secure, which dovetails into the next aspect:
- Risk management. What’s your threat model and what risks are you trying to mitigate with cloud deployment?
People are at the center of cloud governance. It’s highly recommended that early in the process you establish a dedicated team to make sure your cloud governance framework covers business objectives and applies the right technology.
The best way to move forward is by creating your own A-Team, a Cloud Strategy Team, so that every discipline is covered. This team must be cross-disciplinary. Best practices for this team include:
- Involving your application specialists, architects, networking team, and others.
- Making sure you have your core disciplines represented.
- Defining and building your governance framework.
The governance framework requires defining the strategy and approach and how it should be rolled out based on your business needs. Align it with business goals and controls like cost optimization and compliance.
Technology is how your people will use the cloud to meet your business requirements. The best outcomes occur when there are common patterns and you’re ready to deploy solutions in these five areas:
- Cost Management
- Security Baseline
- Identity Baseline
- Resource Consistency
- Deployment, Auditing and Monitoring
Step 1: Decide on a Framework
Many of our customers use a standard framework relevant to their industry to inform their decision-making. Some frameworks commonly used to develop a security governance model include: NIST Cybersecurity Framework (CSF), Information Security Registered Assessors Program (IRAP), Payment Card Industry Data Security Standard (PCI DSS) or ISO/IEC 27001:2013.
Some of these standards provide requirements specific to a particular regulator or region. Others are more widely applicable. Choose one that best meets the needs of your organization.
While frameworks are useful to set the context for a security program and give guidance on governance models, you shouldn’t build either one just to check boxes on a particular standard. It’s critical you build for security first and then use the compliance standards to show you’re doing the right things.
Step 2: Set Up Controls
After you select a framework, the next considerations are controls. A control is a technical or process-based implementation designed to ensure the consequences of an identified risk are reduced to a level within the organization's risk appetite.
Sample controls include firewalls, logging mechanisms, access management tools, and many more.
Controls will evolve over time. Sometimes, they do so quickly during the first stages of cloud adoption. With rapid evolution, it’s easy to purely focus on the implementation of a control rather than the objective of it.
However, if you want to build a robust and useful governance model, you must not lose sight of control objectives.
Consider the example of the firewall. When you use a firewall, you implement a control. The objective is to make sure only traffic that should reach your environment is able to reach it. Although a firewall is one way to meet this objective, you can achieve the same outcome with a layered approach using several native cloud services (for example, security groups, network ACLs and a managed web application firewall in front of the load balancer).
Splitting the control implementation across multiple places gives workload owners greater flexibility in how they configure resources, while the baseline posture is delivered automatically. What must stay fixed is the objective, and the way to keep it fixed is to write the objective down as a check that runs against the effective configuration, whichever services happen to implement it.
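To make the distinction between a control objective and a control implementation concrete, here is an added example (not code from the article or from System Soft Technologies). It expresses the firewall objective above, "only traffic that should reach the environment may reach it", as a policy-as-code check run over a provider-neutral inventory of ingress rules. The rule schema, the trusted ranges, the allow-list and the sample groups are all constructed for illustration; a real guardrail would load the same shape of data from the cloud provider's API or from your infrastructure-as-code state.

```python
"""Evaluate a control objective (not a specific product) against ingress rules.

Added example for illustration.  The IngressRule/SecurityGroup schema,
TRUSTED_RANGES, ALLOWED_PUBLIC and INVENTORY below are constructed sample
data, not taken from any real account.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class IngressRule:
    protocol: str      # "tcp", "udp", or "-1" meaning any protocol
    from_port: int     # inclusive start of the port range
    to_port: int       # inclusive end of the port range
    source: str        # CIDR the rule accepts traffic from


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    rules: tuple       # tuple of IngressRule


# The control objective written as data: from untrusted networks only HTTPS
# may reach the environment; anything else must originate from a trusted range.
ALLOWED_PUBLIC = {("tcp", 443)}
TRUSTED_RANGES = [ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_trusted_source(cidr: str) -> bool:
    """True if the whole source range lies inside one of the trusted ranges.

    ip_network.is_private is deliberately avoided: for 0.0.0.0/0 it can
    report True on some Python versions, which would hide the worst rule.
    """
    net = ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t)
               for t in TRUSTED_RANGES)


def rule_findings(group: str, rule: IngressRule) -> list[str]:
    """Return a finding for each way a rule breaks the objective (empty if none)."""
    if is_trusted_source(rule.source):
        return []
    if rule.protocol == "-1":
        return [f"{group}: all protocols open to {rule.source}"]
    allowed_ports = {p for proto, p in ALLOWED_PUBLIC if proto == rule.protocol}
    requested = set(range(rule.from_port, rule.to_port + 1))
    if requested <= allowed_ports:
        return []
    return [f"{group}: {rule.protocol}/{rule.from_port}-{rule.to_port} "
            f"open to {rule.source}"]


def evaluate(groups) -> list[str]:
    """Run the objective over every rule of every group; findings in input order."""
    return [f for g in groups for r in g.rules for f in rule_findings(g.name, r)]


# Constructed inventory: a public HTTPS front door, an internal app tier, and a
# legacy group that violates the objective in two different ways.
INVENTORY = (
    SecurityGroup("web-alb", (
        IngressRule("tcp", 443, 443, "0.0.0.0/0"),
        IngressRule("tcp", 443, 443, "::/0"),
    )),
    SecurityGroup("app-tier", (
        IngressRule("tcp", 8080, 8080, "10.0.0.0/16"),
    )),
    SecurityGroup("legacy-admin", (
        IngressRule("tcp", 22, 22, "0.0.0.0/0"),
        IngressRule("-1", 0, 65535, "203.0.113.0/24"),
    )),
)

if __name__ == "__main__":
    for finding in evaluate(INVENTORY):
        print(finding)
```

The check never asks "is there a firewall?"; it asks whether the effective ingress policy satisfies the objective, so the same code applies whether the rules came from security groups, network ACLs or a WAF export. Running it on the sample inventory reports only the two legacy-admin rules, while the IPv4 and IPv6 HTTPS listeners on web-alb pass.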
Step 3: Compliance
Compliance is the act of ensuring a standard or set of guidelines is followed, or that proper, consistent accounting and other practices are employed.
When it comes to hybrid cloud, compliance drives many decisions around:
- What must be supported on-premises?
- What must go into the public cloud?
Depending on the sector, an organization may find itself facing a myriad of legal, industry and regulatory requirements.
For this reason, there must be an effort to manage hybrid cloud through proper policies. This approach makes sure the right decisions are made on what data needs to be on what infrastructure.
Compliance must be supported by relevant governance actions around monitoring and evaluation, which includes regular risk assessments, audits and status reports on data management in hybrid environments. The governance body set up by an organization must:
- Ensure all stakeholders, especially employees, are constantly aware of the requirements your organization is subject to.
- Institute policies that are understood, and ensure an inventory of data is kept, including the relevant security mechanisms, clear guidelines for transfer between on-premises and public clouds, and the measures taken in case of policy violations.
Step 4: Control Cost
There's a notion that workloads run more effectively in the cloud than in an on-premises deployment. It's often true, but not always. And although moving into the cloud can help an organization save money, it's always possible to further optimize your cloud spend.
One of the ways to achieve optimal use of the cloud is to invest in the right cloud cost management tools. These tools help you identify expensive systems and usage outliers responsible for escalating cloud costs. Here’s how they can help.
Right-Size Server Instances
You must size your cloud server instances correctly to optimize cloud costs. You must choose the server instance type that’s right for your workloads. If the instance has fewer resources than needed, then it might perform inefficiently during periods of heavy demand. Having too many resources, on the other hand, will pile up costs.
Rightsizing server instances requires a critical assessment of the resource requirements of your workloads. You also need to forecast how your needs might change with time. Follow this up by figuring out which instance best meets your needs.
Public cloud providers offer different instance types that meet all kinds of enterprise needs. Rightsizing is usually a manual affair, but you can always use cloud cost management tools to automate the process.
Switch Off Unused Resources
Be aware of what you’re running on the cloud at any one time. Switching off inactive cloud resources can help lower cloud costs. Cloud cost management tools can send alerts when they identify unused resources. For example, these tools can alert you when you have a database no one has recently accessed.
Automated scaling allows your workloads to access more cloud resources during peak demand and scales them back when they are no longer needed. Most cloud providers offer autoscaling tools, which you can configure to meet the needs of your enterprise.
Take Advantage of Storage Tiers
Public cloud providers offer storage tiers at different prices. If you store data in the cloud that is infrequently accessed, you might want to move it to a lower-cost storage tier. But you must be sure how long it takes to retrieve data from that tier whenever you need it.
Secondary data backups are likely the best candidates to move, because retrieval speed matters less for them. Cloud cost management tools can help identify the data you rarely use and move it to a lower-cost storage tier.
Optimize Cloud Costs between Providers
Public cloud costs vary widely. Often, providers allow users to run virtual servers at discounted prices.
For example, Amazon Web Services (AWS) offers Spot Instances and Microsoft Azure offers Spot Virtual Machines (formerly low-priority VMs in Azure Batch), whereby both provide access to spare capacity on their clouds. They cost up to 90% less than the same capacity accessed on demand. These instances can be reclaimed by the provider and are not always available, so they are not suited to workloads that must run constantly.
However, periodic high-intensity tasks can run on those instances and save your enterprise a lot of money.
Some cloud cost management tools synchronize costs from public cloud providers. This enables you to visualize and compare costs in real time.
If you’re ready, then it’s time to partner with a cloud solutions and technology provider like System Soft Technologies (SSTech).
A trusted partner, with an extensive team of highly-experienced cloud experts, can help you with every step along your cloud journey, including cloud governance, as you look to accelerate time to market, increase agility and reduce operational costs.
About the Author: Don Bilbrey
Don Bilbrey serves as Senior Cloud Architect at System Soft Technologies. Don, a technology nerd, knows his stuff when it comes to systems and storage solutions. He’s a people person, too. He showcases his humor and wit, as he energetically manages the service delivery needs of large enterprise customers.