May 08, 2020
5 Disciplines of Cloud Governance for Azure
Here’s how to balance innovation and governance in the cloud with Microsoft.
Governance can be an overwhelming undertaking. For the organization, it can be viewed as stifling innovation; for the IT department, it is viewed as necessary to prevent out-of-control resources from causing havoc in billing and security. These two divergent cultures must figure out a way to implement a solid governance structure for the cloud while still allowing developers and the business the innovation the cloud promises.
Microsoft has a solution to help bridge this conflict. It uses a recently developed framework called the Cloud Adoption Framework (CAF) for Azure, which includes a specific module for governance: Governance in the Microsoft Cloud Adoption Framework for Azure. The beauty of this framework for governance is that it proposes setting goals of a Minimal Viable Product (MVP) to solve immediate pain points and then incrementally adding to the governance plan as requirements increase.
For CDW, governance in Azure is one of the most in-demand services. We are adapting our service to incorporate this framework into our service delivery. It is a new idea that will focus on the client’s primary pain points and provide recommended solutions to address them. Reading through the CAF documentation from Microsoft can be daunting. This blog post will attempt to distill the relevant information, provide an overview of the governance model and explain how it is implemented.
The 5 Disciplines of CAF
The CAF model for governance consists of five disciplines: cost management, security baseline, identity baseline, resource consistency and deployment acceleration. For a full-blown implementation of governance, it is recommended to review all five. However, the beauty of the concept of disciplines is that you can choose which ones apply to your immediate need and come back later to address the other disciplines. We have seen cost management as the most highly demanded request, followed by security and identity.
Below is a picture of the governance model. It shows not only the disciplines, but also the concept of developing the MVP. I will use this model as a way of explaining the value proposition of using this methodology. Governance is a journey. The focus for this framework is to envision what a rough end-state looks like. Rather than diving into technology and deciding how you would like to use it, the framework reverses that approach: it focuses on your primary issues at hand and addresses those specifically. In the journey model, a governance team then revisits the plan as needs arise and adds to the original implementation.
Figure 1: Governance Vision
I will address the business risks, policy and compliance, and process later. First, it is important to understand the disciplines.
1. Cost Management
This discipline is focused on putting governance on spending and controlling costs. The biggest challenge organizations often face when implementing cloud solutions is the concern about runaway costs when moving from a capital expense model to an operating expense model. The business risks are obvious. How do you stay within your budget while still delivering benefits? How do you handle spikes and anomalies? How can you control overusing resources, or having resources that are underutilized?
2. Security Baseline
Security is a complex topic. This discipline is targeted toward identifying the key reservations of a client with moving to Azure and then helping them address those concerns. Is the biggest concern a data breach? Service disruption? Matching corporate policies?
3. Resource Consistency
The purpose of this discipline is to establish policies related to operations, including operations applications or workloads. Without a consistent approach to deploying and managing resources, cost growth and security risk will accelerate. How do you avoid unnecessary operational costs, or under-provisioned resources? What is your process to handle service or business interruption?
4. Identity Baseline
Besides cost management and security, identity is the third most popular service that customers request in the cloud. There is a realization that the way identity is being implemented today will need some review when moving to Azure. Identity has become a primary security perimeter in the cloud. How do you avoid unauthorized access to your resources, or avoid multiple identity solutions? How does your on-premises identity solution integrate with the Azure identity solution? How is role-based access deployed?
5. Deployment Acceleration
Deployment acceleration is aimed at establishing policies for asset configurations and deployment. It reviews DevOps concepts and looks at how you can automate processes to ensure consistency and accountability. How do you address service disruption? Can it be automated? What about unexpected charges resulting from inefficient configuration of services?
Applying the Disciplines
Implementing these disciplines involves understanding the risk tolerance of each specific discipline, determining what the metrics and indicators are that call out the issues, implementing policies and ensuring compliance to mitigate the business risks. In future blogs, I will discuss how this is accomplished.