Governance for the Cloud Age
Effective cloud governance enables business agility while protecting enterprise data assets from external and internal threats; for governance solutions to be effective, operational controls must scale in concert with application and platform growth. Turbot proposes a new architecture with an automated approach to meet these challenges.
Governance for the Cloud Age redefines how the enterprise should approach identity, security, data protection, compliance and cost controls across all public cloud platforms (AWS, Azure, GCP & SaaS). This series of articles sets out the scope and benefits of addressing this challenge, documents best practices for businesses at different stages of maturity and defines the critical automation capabilities needed to implement governance for the cloud age effectively.
Full-stack cloud governance
What is governance?
The first decade of public cloud growth for large enterprises was driven by business teams seeking more agile alternatives to centralized control of IT operations. Enterprise IT processes were optimized for large capital expenditures and delivery of one-size-fits-all capabilities. This led to a competitive advantage for organizations that could use public cloud services to rapidly experiment and scale technology cost with the business opportunity.
As the volume of projects, applications and teams using public cloud within a business grows, a governance model becomes necessary to communicate the organization’s rules on the responsibility of those teams to protect company assets and manage cost. The spectrum of potential governance approaches directly mirrors that of public governance:
| Governance Approach | Example IT Approach |
| --- | --- |
| Laissez Faire | Business teams are given a high degree of autonomy to manage their own environments and are expected to individually balance cost, benefit and risk without process oversight. |
| Bureaucratic | All activity must follow a highly formalized set |
| Authoritarian | All infrastructure operational work must be processed and executed through a central team; only existing approved services/technologies can be used. |
At Turbot, we have seen the full spectrum of governance approaches in practice at some of the world’s largest multi-national organizations. The “correct” governance approach will of course depend on the nature of the business, its regulatory environment and the maturity of its public cloud strategy. However, the best implementations of governance all share the same DNA:
Debate: A healthy tension to balance business agility and enterprise control.
Laws & Courts: Rules and exception management.
Taxation: Decentralized cost management (pay for what you use).
Infrastructure: Enterprise accelerators for complex or shared resources.
Protection: Automated discovery and remediation of governance controls.
Education: Training, tools and sandbox environments.
Like good government, good cloud governance creates freedom, while ensuring accountability and protection for those governed. This freedom allows application teams to experiment, innovate and accelerate delivery of business value with self-service boundaries.
Turbot’s cloud governance provides you with a platform to automate enterprise control objectives across the entire spectrum of your public cloud strategy (AWS, Azure, GCP, IaaS, PaaS, SaaS); this full-stack governance approach enables any organization to achieve high degrees of autonomy while protecting assets from internal and external threats. The key capabilities needed to deliver governance at enterprise scale fall into six categories:
Organizational hierarchy mapping.
Centralized management tool set.
Account, Identity & access management.
Rules-based policy engine.
Change discovery and configuration database.
Real-time guardrail event processing.
While it is possible to build these capabilities using the native platform services of the various cloud service providers, it is a challenge for companies to find, attract and retain the talented compliance, security and DevOps engineering resources necessary to build and maintain such custom-developed solutions.
Many organizations start by deploying simple scripts to automate key compliance issues that they have experienced; however, the full scope of compliance for a mature organization involves real-time monitoring of change, hundreds of compliance guardrails and ultimately thousands of policies (with many approved exceptions), applied to hundreds of cloud service accounts across three major public clouds (AWS, Azure and GCP).
The scope of this undertaking and the speed of change from the cloud service providers should not be underestimated, as the failure to effectively execute automated guardrails (in an exponentially growing cloud ecosystem) can ultimately be front page news for a multi-national or public sector organization.
Turbot offers a complete platform for operating cloud governance at scale within your environment. Our control plane automatically captures real-time events across all of your cloud service accounts, records the resource configuration and change history for all resources under management and provides 1,800+ pre-built policies to implement your organization’s security, compliance and cost control objectives.
Once deployed to your environment, you can choose to implement Turbot’s built-in guardrails or use the native functionality of our platform to enhance your compliance scripts and policies with real-time events, notifications, reporting and auditing.