What is cloud service governance

Companies want their data in the cloud to be secured and protected. That requires rules defining who may use which cloud resources, and how. Such cloud governance must be in place before the first virtual machine (VM) is created. Besides naming conventions and role-based access control, it should at minimum regulate the structure of the environment and the allocation of costs.

In Microsoft Azure, for example, companies define the structure of their cloud environment themselves. It is divided into virtual data centers, the so-called subscriptions, in which users create resources. Several of these self-contained logical units can exist side by side. The advantage: virtual networks and VMs in different subscriptions cannot communicate with each other by default. If a test in one virtual data center goes wrong, it has no effect on the production operation of another department in a different subscription.

Departments' requirements for infrastructure and protection standards often differ. To provide each of them with the services it needs, a higher-level structure is required. Companies can define such a hierarchy within an Azure Enterprise Agreement, which organizes the enrollment into departments, accounts and subscriptions. The hierarchy can follow the departmental structure, the geographic structure or the distribution of responsibilities within the organization.

Several subscriptions also make it possible to separate responsibilities and assign rights. An international corporation could, for example, set up a separate department for each country. Within each department, accounts are then defined that are authorized to create subscriptions, and only employees of the respective country are granted access to them. Role-based access control is the right tool for this; it also keeps the structure within each virtual data center simpler.

Name resources coherently

Once the structure of the cloud has been established and authorizations have been assigned, rules for naming the booked cloud services must be defined. Such a naming concept is important in order to identify resources that belong together, for example to delete them together or to charge their costs back to the creator. The background: a single VM usually entails the creation of further components such as a network, a subnet, a network card, a storage account, a public IP address and a firewall. A naming convention pays off in particular when companies create production systems with templates or scripts such as PowerShell. Without one, Azure generates names automatically, and such names cannot be reliably fed back into the scripts. The VM that belongs to a network card called "NIC2345" can then only be found with difficulty, which complicates internal billing and the administration of the booked services.
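The following PowerShell script is an added example, not code from the article: it derives every component belonging to a VM from one naming convention, so that a network card or public IP address can always be traced back to its VM, and it rejects names that do not follow the pattern. The convention itself (type-app-environment-region-number, with a separate shape for storage accounts because Azure allows them only 3 to 24 lowercase letters and digits and no hyphens), the region codes and the function names are assumptions chosen for the example.

```powershell
# Added example, not from the article. The convention is an assumption:
#   <type>-<app>-<env>-<region>-<nn>      e.g. vm-crm-prod-weu-01
#   st<app><env><region><nn>              storage accounts: no hyphens, lowercase
$Convention = '^(?<type>rg|vnet|snet|nsg|vm|nic|pip)-(?<app>[a-z0-9]{2,8})-(?<env>dev|test|prod)-(?<region>weu|neu|eus)-(?<nn>\d{2})$'

function Test-ResourceName {
    param([Parameter(Mandatory)][string]$Name)
    # -cmatch is case-sensitive; -match would also accept 'VM-CRM-PROD-WEU-01',
    # which Azure would reject for a storage account and which breaks lookups.
    if ($Name -cmatch '^st[a-z0-9]{3,22}$') { return $true }
    return [bool]($Name -cmatch $Convention)
}

function New-VmNameSet {
    param(
        [Parameter(Mandatory)][string]$App,
        [Parameter(Mandatory)][ValidateSet('dev', 'test', 'prod')][string]$Environment,
        [Parameter(Mandatory)][ValidateSet('weu', 'neu', 'eus')][string]$Region,
        [ValidateRange(1, 99)][int]$Instance = 1
    )
    # ValidateSet is case-insensitive, so normalise before building names.
    $App = $App.ToLowerInvariant()
    $Environment = $Environment.ToLowerInvariant()
    $Region = $Region.ToLowerInvariant()
    if ($App -cnotmatch '^[a-z0-9]{2,8}$') {
        throw "App short name '$App' must be 2-8 lowercase letters or digits"
    }
    $nn = $Instance.ToString('00')

    $names = [ordered]@{
        # Shared per application and environment: one group, network and subnet.
        ResourceGroup  = "rg-$App-$Environment-$Region-01"
        VirtualNetwork = "vnet-$App-$Environment-$Region-01"
        Subnet         = "snet-$App-$Environment-$Region-01"
        # Per VM instance: the number ties NIC, IP, NSG and storage to the VM.
        VirtualMachine = "vm-$App-$Environment-$Region-$nn"
        NetworkCard    = "nic-$App-$Environment-$Region-$nn"
        PublicIp       = "pip-$App-$Environment-$Region-$nn"
        SecurityGroup  = "nsg-$App-$Environment-$Region-$nn"
        StorageAccount = "st$App$Environment$Region$nn"
    }
    # Fail closed: a generated name that violates the convention is a bug.
    foreach ($n in $names.Values) {
        if (-not (Test-ResourceName $n)) { throw "Generated name '$n' violates the convention" }
    }
    return $names
}

Test-ResourceName 'NIC2345'                # False: portal-generated, untraceable
Test-ResourceName 'nic-crm-prod-weu-07'    # True
New-VmNameSet -App crm -Environment prod -Region weu -Instance 7
```

Test-ResourceName is the piece that belongs in every deployment script: called on each name before a resource is created, it turns a convention on paper into one that cannot be bypassed by accident, and the storage account branch shows why such a convention needs one exception per Azure naming restriction rather than a single pattern.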

In Azure, every resource must be assigned to a resource group, and the naming concept applies there too. Systems are usually grouped according to the traditional IT approach, that is, components with the same life cycle go into the same group. An application, however, is multi-layered, and agile development gives its layers different life cycles. In that case the web, application, database and deployment layers are separated, and a separate resource group is created for each.

Users can also assign tags to resources and resource groups, and the naming convention applies to them as well. In this way storage accounts, networks, VMs and other items can be found and attributed quickly. Companies can set and query tags in templates. Microsoft generally recommends at least three tags per resource group: owner, department and environment. For individual resources it makes sense to add a tag for the administrator who is responsible, for example for a database. A tag created as a key-value pair on a component also appears in the billing data, so the costs incurred can be allocated accordingly.

Protect running systems

Resource Manager policies (today called Azure Policy) define at resource group or subscription level which VM sizes may be created there. A policy can also be set to audit rather than deny, so that non-compliant deployments are only logged; such audit entries can then feed an approval process. A policy can likewise force users to tag the responsible person and the cost center when booking a service. Policies thus regulate which cloud components may be created and with which properties, while role-based access control governs who may create them.
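The following is an added example, not from the article: two custom policy definitions created with the Az PowerShell module and assigned at resource group scope, one that denies VM sizes outside an allowed list and one that denies any resource created without a required tag. It needs a signed-in session (Connect-AzAccount); the resource group name, the policy names, the allowed sizes and the tag names are assumptions for the example.

```powershell
# Added example, not from the article. Assumes Connect-AzAccount has been run
# and that the resource group below exists.
$rg = Get-AzResourceGroup -Name 'rg-crm-prod-weu-01'

# (1) Allowed VM sizes: deny a virtual machine whose SKU is not on the list
# passed in at assignment time.
$vmSizeRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": "[parameters('allowedSizes')]" } }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$vmSizeParams = @'
{ "allowedSizes": { "type": "Array",
    "metadata": { "displayName": "Allowed VM sizes" } } }
'@

# (2) Required tag: deny the deployment if the named tag is absent. Mode
# "Indexed" limits evaluation to resource types that support tags, so that
# tag-less types such as role assignments are not blocked by accident.
$tagRule = @'
{
  "if": { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
  "then": { "effect": "deny" }
}
'@
$tagParams = @'
{ "tagName": { "type": "String",
    "metadata": { "displayName": "Tag that must be present" } } }
'@

$vmSizeDef = New-AzPolicyDefinition -Name 'allowed-vm-sizes' -DisplayName 'Allowed VM sizes' `
    -Mode Indexed -Policy $vmSizeRule -Parameter $vmSizeParams
$tagDef = New-AzPolicyDefinition -Name 'require-tag' -DisplayName 'Require a tag' `
    -Mode Indexed -Policy $tagRule -Parameter $tagParams

New-AzPolicyAssignment -Name 'vm-sizes' -Scope $rg.ResourceId -PolicyDefinition $vmSizeDef `
    -PolicyParameterObject @{ allowedSizes = @('Standard_B2s', 'Standard_D2s_v5') } | Out-Null

# One assignment per mandatory tag; the same definition is reused each time.
foreach ($tag in 'owner', 'costCenter') {
    New-AzPolicyAssignment -Name "require-$tag" -Scope $rg.ResourceId -PolicyDefinition $tagDef `
        -PolicyParameterObject @{ tagName = $tag } | Out-Null
}
```

With the deny effect the check happens at deployment time: an untagged or oversized VM is refused by Resource Manager instead of being created and cleaned up later. Changing "deny" to "audit" in either rule keeps the deployment but records the violation in the activity log, which is the mode to start with when existing resources have not yet been brought into line.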

Booked services can additionally be protected with resource locks, which govern whether a component can be deleted. With the lock level "CanNotDelete", no one, not even the creator, can delete a system, a network or a booked service until the lock has been removed. Removing a lock requires separate authorization, which normally lies with the owner of the resource; the User Access Administrator role also allows IT management, for example, to lock and unlock systems. The level "ReadOnly" goes further and prevents any change to the resource.
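The following is an added example, not from the article: it locks a production resource group against deletion with the Az PowerShell module, shows that the delete then fails for everyone, and removes the lock again through the separate authorization the text describes. It needs a signed-in session; the resource group and lock names are assumptions.

```powershell
# Added example, not from the article. Assumes Connect-AzAccount has been run
# and that the resource group exists.
$rgName = 'rg-crm-prod-weu-01'

# CanNotDelete blocks deletion of the group and everything in it for every
# principal, including whoever created the resources; reads and changes
# still work. ReadOnly would block changes too, but note the side effect:
# a ReadOnly lock on a storage account also blocks listing its access keys,
# because that is a POST operation and not a read.
New-AzResourceLock -LockName 'prod-no-delete' -LockLevel CanNotDelete `
    -ResourceGroupName $rgName -LockNotes 'Remove only via change ticket' -Force | Out-Null

# The delete now fails regardless of the caller's role; the error names the lock.
try {
    Remove-AzResourceGroup -Name $rgName -Force -ErrorAction Stop
} catch {
    Write-Host "Deletion blocked: $($_.Exception.Message)"
}

# Lifting the lock needs Microsoft.Authorization/locks/delete, which among the
# built-in roles only Owner and User Access Administrator carry. A Contributor
# can list the lock but receives an authorization error on the removal.
$lock = Get-AzResourceLock -ResourceGroupName $rgName -LockName 'prod-no-delete'
Remove-AzResourceLock -LockId $lock.LockId -Force | Out-Null
```

Because the lock is an authorization object of its own, it separates the right to operate a system (Contributor) from the right to make it deletable (Owner, User Access Administrator), which is exactly the separation of duties the section describes.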

Enforce rules automatically

Automation lets companies ensure that employees adhere to the rules of the cloud governance concept. The naming convention can be enforced, for example, with PowerShell functions or templates that accept only permitted names. Companies also use templates to define how a VM is to be created and which components users may create in which regions. Organizations can additionally integrate resource management into IT service management: users then request resources through a service management tool such as ServiceNow or Microsoft Service Manager, and the tool processes the requests with rule-compliant scripts or templates.

Preparing a cloud governance concept sounds like a lot of work. Those who skip it, however, quickly lose control of the cloud, and the subsequent clean-up means even more effort. (hal)