What is cloud service governance
Companies want their data to be secured and protected in the cloud. To achieve this, they need rules that define who may use which cloud resources and how. This cloud governance must be in place before the first virtual machine (VM) is created. In addition to naming conventions and role-based access control, it should at least regulate the structure of the cloud and the allocation of costs.
In Microsoft Azure, for example, companies define the structure of their cloud themselves. It is divided into virtual data centers, the subscriptions, in which users create resources. Several of these self-contained, logical units can be created side by side. The advantage is that virtual networks and VMs in different subscriptions cannot communicate with each other by default. If a test in one virtual data center fails, it has no effect on the production operation of another department in another subscription.
Departments often differ in their requirements for infrastructure and protection standards. To provide each of them with the services it needs, a higher-level structure is required. Companies can define such a hierarchy within an Azure Enterprise Agreement (EA). The agreement is used to manage departments, accounts and subscriptions. The hierarchy can follow the departmental structure, the geographic structure or the distribution of responsibilities in the organization.
With several subscriptions, responsibilities can be separated and rights assigned. An international corporation, for example, sets up a separate department for each country. In each department, accounts are defined that are authorized to create subscriptions, and only the employees of the respective country are granted access to them. Role-based access control (RBAC) is the right tool for this; it also keeps the structure within the virtual data center simpler.
Name resources coherently
Once the structure of the cloud has been established and permissions have been assigned, rules for naming the booked cloud services must be defined. Such a naming concept is needed to identify resources that belong together, for example in order to delete them or to bill them to their creator. The reason is that a single VM usually entails the creation of additional components such as a virtual network, a subnet, a network interface card, a storage account, a public IP address and a firewall (network security group). A naming convention is particularly valuable when companies create production systems from templates or scripts such as PowerShell: if the script does not pass explicit names, the system generates them automatically. The VM belonging to a network card called "NIC2345" can then only be found with difficulty, which complicates the internal billing and administration of the booked services.
In Azure, every resource must be assigned to a resource group, and the naming concept applies there too. Systems are usually grouped following the traditional IT approach, that is, components with the same life cycle go into one group. An application, however, is multi-layered, and agile development gives its layers different life cycles. In that case the web, application, database and deployment layers are separated and a separate resource group is created for each.
Users can also assign tags to resources and resource groups; the naming convention applies to tags as well. In this way storage accounts, networks, VMs and other items can be found and assigned quickly. Tags can be set in templates and queried later. Microsoft recommends at least three tags per resource group: owner, department and environment. For individual resources it makes sense to add a tag for the administrator responsible, for example for a database. Because a tag is a key-value pair attached to the component, it is also carried through to billing, so the costs incurred can be allocated by tag. Note that tags on a resource group are not inherited by the resources inside it: each resource needs its own tags if costs are to be allocated this way.
Protect running systems
Resource Manager policies (today called Azure Policy) define at the subscription or resource group level which VM sizes may be created there. A policy can also be set to audit instead of deny; the audit entries can then trigger automated approval processes. Such a policy also serves to force users to tag the person responsible and the cost center when booking a service. With Resource Manager policies, organizations regulate who creates which cloud components and where.
The booked services can be protected with resource locks, which govern who may delete a component. With the lock level "CanNotDelete", nobody can delete the system, network or booked service, not even its creator, until the lock has been removed. Removing a lock requires a separate permission. Normally the owner of the resource has it, and the User Access Administrator role also allows IT management, for example, to lock and unlock systems. The "ReadOnly" level additionally prevents any changes to a system.
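As an added example that is not part of the original article, the following Azure PowerShell script builds the two policy rules just described (an allow list of VM sizes and mandatory tags) and places a CanNotDelete lock on a resource group. The two functions that produce the policy JSON run offline; the deployment part assumes the Az.Resources module and an existing Connect-AzAccount session. The subscription ID, the resource group name, the tag names and the VM sizes are placeholders chosen for illustration; the policy alias Microsoft.Compute/virtualMachines/sku.name is the one Azure's built-in "Allowed virtual machine size SKUs" policy uses.

```powershell
# Added example, not from the original article. Requires Az.Resources and an
# active Azure session for the deployment section; the two functions are pure.

function New-AllowedVmSizePolicyRule {
    param([Parameter(Mandatory)][string[]]$AllowedSizes)
    # Deny any VM whose SKU is not on the allow list.
    $rule = @{
        'if' = @{
            allOf = @(
                @{ field = 'type'; equals = 'Microsoft.Compute/virtualMachines' },
                @{ not = @{ field = 'Microsoft.Compute/virtualMachines/sku.name'; in = @($AllowedSizes) } }
            )
        }
        'then' = @{ effect = 'deny' }
    }
    return $rule | ConvertTo-Json -Depth 10
}

function New-RequiredTagPolicyRule {
    param([Parameter(Mandatory)][string]$TagName)
    # Deny creation of any resource that does not carry the tag at all.
    $rule = @{
        'if'   = @{ field = "tags['$TagName']"; exists = 'false' }
        'then' = @{ effect = 'deny' }
    }
    return $rule | ConvertTo-Json -Depth 10
}

# --- Deployment: assumed subscription and resource group (placeholders) ---
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # assumption
$scope          = "/subscriptions/$subscriptionId"
$rgName         = 'rg-webshop-prod'                          # assumption

# 1. Restrict VM sizes for the whole subscription (sizes are an assumption).
$vmSizeDef = New-AzPolicyDefinition -Name 'allowed-vm-sizes' `
    -DisplayName 'Allowed VM sizes' `
    -Policy (New-AllowedVmSizePolicyRule -AllowedSizes @('Standard_B2s', 'Standard_D2s_v3'))
New-AzPolicyAssignment -Name 'allowed-vm-sizes' -PolicyDefinition $vmSizeDef -Scope $scope

# 2. Force the person responsible and the cost center to be tagged on every resource.
foreach ($tag in @('owner', 'costcenter')) {
    $tagDef = New-AzPolicyDefinition -Name "require-tag-$tag" `
        -DisplayName "Require tag '$tag'" `
        -Policy (New-RequiredTagPolicyRule -TagName $tag)
    New-AzPolicyAssignment -Name "require-tag-$tag" -PolicyDefinition $tagDef -Scope $scope
}

# 3. Lock the production group: nothing in it can be deleted, by anyone, until the
#    lock is removed, which needs Microsoft.Authorization/locks/* permissions
#    (held by Owner and User Access Administrator).
New-AzResourceLock -LockName 'no-delete' -LockLevel CanNotDelete `
    -ResourceGroupName $rgName -LockNotes 'Production; remove lock before decommissioning' -Force

# Inspect the lock; removing it is a deliberate, separately authorized step.
Get-AzResourceLock -ResourceGroupName $rgName
# Remove-AzResourceLock -LockName 'no-delete' -ResourceGroupName $rgName -Force
```

A deny policy only blocks new or updated deployments; resources that already exist when the policy is assigned are reported as non-compliant but are not changed. Use `-Policy` with the audit effect first if you want to see what the rule would have blocked before enforcing it.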
Enforce rules automatically
Through automation, companies can ensure that employees follow the rules of the cloud governance concept. The naming convention can be enforced, for example, with PowerShell functions or templates that accept only permitted names. Companies also use templates to define how a VM is created and which components users may create in which regions. Organizations can furthermore integrate resource management into IT service management: users then request resources through a service management tool such as ServiceNow or Microsoft Service Manager, and the tool processes the requests with rule-compliant scripts or templates.
Preparing a cloud governance concept sounds like a lot of work. But those who skip it quickly lose control of the cloud, and the subsequent clean-up costs even more effort. (hal)
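The following PowerShell function is an added example, not code from the original article, of the kind of check described here and in the naming section above: it validates a requested resource name against a naming convention and verifies the three mandatory tags before anything is created. The convention (type prefix, application, environment, region, two-digit index), the type prefixes and the sample requests are assumptions chosen for illustration; nothing in the block calls Azure, so it runs offline. In practice the same function would wrap New-AzVM or New-AzNetworkInterface, or serve as the validation step of a ServiceNow-driven request.

```powershell
# Added example, not from the original article. Naming convention and sample
# data are assumptions; runs offline without any Az module.

# Prefix per resource type (assumption). Storage accounts are deliberately left out:
# Azure does not allow hyphens in their names, so they need a separate rule.
$TypePrefixes = @{
    'Microsoft.Compute/virtualMachines'   = 'vm'
    'Microsoft.Network/networkInterfaces' = 'nic'
    'Microsoft.Network/virtualNetworks'   = 'vnet'
    'Microsoft.Network/publicIPAddresses' = 'pip'
}
$Environments = @('dev', 'test', 'prod')
$RequiredTags = @('owner', 'department', 'environment')

function Test-GovernedResource {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Type,
        [hashtable]$Tags = @{}
    )
    $problems = @()

    $prefix = $TypePrefixes[$Type]
    if (-not $prefix) {
        $problems += "resource type '$Type' is not covered by the naming convention"
    } else {
        # <prefix>-<app>-<env>-<region>-<nn>, lowercase only, case-sensitive match
        $pattern = "^$prefix-[a-z0-9]{2,12}-(" + ($Environments -join '|') + ")-[a-z]{2,12}-[0-9]{2}$"
        if ($Name -cnotmatch $pattern) {
            $problems += "name '$Name' does not match '$prefix-<app>-<env>-<region>-<nn>'"
        } elseif ($Tags.ContainsKey('environment')) {
            # The environment encoded in the name must agree with the environment tag.
            $envInName = ($Name -split '-')[2]
            if ($Tags['environment'] -ne $envInName) {
                $problems += "environment tag '$($Tags['environment'])' contradicts the name ('$envInName')"
            }
        }
    }

    foreach ($t in $RequiredTags) {
        if (-not $Tags.ContainsKey($t) -or [string]::IsNullOrWhiteSpace($Tags[$t])) {
            $problems += "required tag '$t' is missing or empty"
        }
    }

    return [pscustomobject]@{
        Name      = $Name
        Compliant = ($problems.Count -eq 0)
        Problems  = $problems
    }
}

# Constructed sample requests: one compliant VM, one auto-generated NIC name like the
# "NIC2345" from the article, and one whose tag contradicts its name.
$requests = @(
    @{ Name = 'vm-webshop-prod-westeurope-01'; Type = 'Microsoft.Compute/virtualMachines'
       Tags = @{ owner = 'a.admin'; department = 'sales'; environment = 'prod' } },
    @{ Name = 'NIC2345'; Type = 'Microsoft.Network/networkInterfaces'
       Tags = @{ owner = 'a.admin' } },
    @{ Name = 'pip-webshop-dev-westeurope-01'; Type = 'Microsoft.Network/publicIPAddresses'
       Tags = @{ owner = 'b.dev'; department = 'sales'; environment = 'prod' } }
)

foreach ($r in $requests) {
    $result = Test-GovernedResource -Name $r.Name -Type $r.Type -Tags $r.Tags
    if ($result.Compliant) {
        Write-Output "OK    $($result.Name)"
    } else {
        Write-Output "DENY  $($result.Name): $($result.Problems -join '; ')"
    }
}
```

The check is deliberately strict in two ways a practitioner will want: the match is case-sensitive, so a mixed-case name generated by a portal wizard is rejected rather than normalized silently, and the environment in the name is cross-checked against the environment tag, which catches the common case of a template copied from dev into prod with stale tags.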