November 24, 2020
What Is Cloud Governance for AWS?
Firm guidelines are key to scaling and driving value from your cloud resources.
Cloud governance is a framework that guides how end users make use of cloud services by defining and creating policies to control costs, minimize security risks, improve efficiency and accelerate deployment. It’s imperative to have good cloud governance because it’s a foundational element to your cloud practice that provides the ability to scale and be successful.
Migrating to the cloud is an exciting journey as it provides greater flexibility to the IT teams for creating resources and provisioning them. Gone are the days when it used to take weeks and months to request resources and additional provisioning from the infrastructure teams. Cloud vendors now provide the capabilities to create resources such as compute instances plus add-on software, databases, firewall groups, storage, etc. via APIs.
These cloud-provided capabilities are very powerful, but they can also bring many inconsistencies and resource ownership issues into the environment, such as:
- Not knowing who created a resource
- Not knowing for what purpose it was created
- Disks not attached to a compute instance
- Multiple versions of data backups and snapshots
CDW’s Governance Workshop for AWS
CDW’s Governance Workshop for AWS is a service that ensures best practices have been followed and that your cloud architecture is sound and sustainable. It’s a series of workshops focused on key areas including cost management, security and identity. This service is great both for customers who have already started their cloud adoption journey and for those who are just beginning. CDW’s AWS engineers will tailor the content to you based on where you are in your cloud adoption.
Below are some potential use case questions where CDW’s Governance Workshop for AWS service can help. If you answer “yes” to the questions below, this service is perfect for you and your organization.
High operation cost:
- Are your costs getting out of control, causing you to be over budget each month?
- Are your costs increasing and you don’t know why or how to stop it?
- Are you lacking visibility into which group/departments are consuming the most?
- Do you need analysis of the right strategy for purchasing Reserved Instances or Savings Plans, or for using Spot Instances?
Loose cybersecurity posture:
- Are you lacking proper controls for handling breaches?
- Are you using your root account daily for your normal administrative tasks?
- Are you inconsistent in applying operating system (OS) and security patches to your running compute instances?
- Are you missing an inventory list that includes the classification of data stored in your account and appropriate control to protect data?
- Are you seeing an increase of AWS accounts but can’t control how or when they are being created?
- Are teams using resources in more expensive regions without a justified reason?
- Are you lacking a process for how users are created and what level of access they receive?
Why You Need a Governance Service, Especially in Public Cloud
When determining if you need a governance service, keep in mind that the convenience of cloud also brings additional security concerns. The shift from on-premises IT infrastructure to the cloud adds layers of complexity to your infrastructure architecture. It also means that more people across your organization have the potential to impact that architecture because anyone can create resources without being held responsible for decommissioning them.
Even when the cloud service itself is secure, if resources are deployed with poor access controls or with configuration vulnerabilities, your entire system can be at risk. Due to a lack of perimeter security, it’s important to develop each cloud service with strong security in mind. Therefore, it’s imperative to create and maintain a comprehensive cloud governance model.
Implementing a governance plan is a good idea whether you have just begun your cloud journey or have been operating in the cloud for a while. CDW has a defined methodology for conducting our day-to-day operation according to published industry and AWS best practices, and we can share our knowledge around controlling costs, addressing security concerns, implementing automation and utilizing cloud native applications.
The Difference between Governance and Audit/Compliance
The overall objective of governance and audit/compliance is to identify and help mitigate risks associated with an IT environment. However, they are not a substitute for one another. Implementing a governance service does not mean that the IT environment complies with all the compliance policies. They both fall under the general umbrella category of governance, risk management and compliance (GRC).
In the greater scheme of things, governance focuses on the bigger organizational initiatives specified by internal policies. Governance activities are more focused on broad, long-term and strategic initiatives for an organization. In the majority of cases, governance activities are initiated internally by providing a strategic vision: for example, how to ensure that customers’ data is safeguarded, how to control access to critical data and so on. This ensures that best practices, procedures and policies are applied to the overall performance and direction of the organization.
Other examples of governance topics include:
- Escalating operating cost in the cloud
- Increased and complex risk profile of microservices running in the cloud
- Inconsistent development of applications in different departments within an organization
- Application architectures that are difficult to operationalize for activities, such as load balancing and A/B testing
- Shareholders demanding ethics and transparency, which improve the reputation of the company and help manage risks
- Steps for preventing creation of data silos within different divisions in an organization
- Consistent threat modeling and prevention steps for newly deployed applications
- Ability to gather quality information quickly
- Ability to repeat processes in a consistent manner
Audit compliance, on the other hand, ensures that employees are following organizational policies in their day-to-day operational activities. Audit compliance can be a short-term, tactical viewpoint for validating that policies are being followed. In most cases, compliance is specified by agencies external to the organization. There are also different compliance requirements specific to the industry or to the organization’s location, such as Personally Identifiable Information (PII), Personal Health Information (PHI), General Data Protection Requirements (GDPR), etc.
Audit and compliance are mandatory, whereas governance is what the company wants to do to provide an ethical value or to improve reputation. Failure to follow compliance guidelines can result in penalties, fines and other legal actions against the company. However, each company may prefer to handle governance differently.
Key Components of CDW’s Governance Service
CDW’s Governance Workshop for AWS is a less-invasive/high-impact engagement with one-on-one AWS engineering support that doesn’t require excessive time or resources from your organization. What follows is a sample of the high-level topics that will be discussed across the three modules: cost management, security and identity.
- Account management
- Organizations and hierarchy
- Networking control
- Identity and access management (IAM)
- Role-based access
- Security, auditing and continuous compliance
- Tagging and resource tracking
- Naming conventions
- Alerting and monitoring
Using the cloud opens the door to a lot of potential opportunities. However, there is greater risk of creating siloed services, making it difficult to manage the environment if the development team is not aware of the best practices for operating in the cloud. CDW’s governance service helps your organization by providing a list of best practices and a prioritized list of recommended steps for the cloud. CDW Professional Services can assist your company in this journey by helping lay a solid foundation on which additional services can be developed for your organization.