Cloud adoption is no longer a fancy term or an esoteric practice. The chasm between the ‘early adopters’ and the ‘slow but steady’ crowd has been shrinking as well. Almost universally, and more importantly across regulatory agencies worldwide, acceptance of the efficiency and utility of the public cloud has grown significantly.
However, maturity in the adoption process is what separates the wheat from the chaff. Most customers tend to swing from ‘cloud is not secure’ to ‘the native cloud tools are sufficient’. The mature adopters, notably financial institutions, spend more resources upfront on devising a well-planned and well-governed implementation on the cloud. We at Cloud Kinetics have had the good fortune to work with some of these larger institutions and would like to touch upon some of those experiences in this blog.
Cloud governance, at its simplest, is ensuring that cloud resources are deployed, managed and accessed in accordance with global security and governance standards, as well as the company’s own policies that dictate the what, who, why, when, where and how. This includes everything from
• the request and approval workflow for a cloud resource
• the accounts, networks, etc. where a resource can be placed
• the authorization, access control and security rules for that resource
• the cost and reporting controls
• the availability, performance and access requirements for the resource
Devising a set of standards encompassing the above is good; however, if the enforcement of such policies is manual and cumbersome, then it defeats the very reason for using a public cloud in the first place: agility and dynamism. Now try this across multiple clouds, chosen for best-of-breed features, and the challenge is compounded.
How then do we ensure compliance with good governance without compromising agility? The answer lies in a programmatic method that ensures automated deployment, comprehensive monitoring and feedback, and remediation.
As mentioned above, taking the set of policies and converting the ‘human’ actions into an automated set of actions is a good first step. However, automation does not mean a bunch of rag-tag scripts lying around; it is a cohesive, well-integrated set of tools that defines a successful ‘DevOps’ approach.
In a project that we implemented for a large global financial services institution, we at Cloud Kinetics went about the complex process as a set of sequential activities with clear goals and deliverables. The following were the broad phases and activities involved:
• Arrive at the security controls
• Automate infrastructure provisioning (infrastructure as code)
• Monitoring and alerts on policy enforcement
At a solution level, the following were the key features of the governance solution that was implemented:
• Automate creation of cloud resources (subnets, security groups, storage, key vault, IAM and RBAC) through Terraform
• Set up and configure alerts (based on the Secure DevOps toolkit framework)
• Create a machine-image gallery providing approved images
• Set up and configure centralized log analytics
• Set up a runbook for baseline checks
• Monitor and report deviations into the feedback loop
• Configure auto-healing through Cloud Custodian
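To make the last two items concrete (detecting a deviation from the baseline and auto-healing it through Cloud Custodian), here is an example policy added for this post; it is not taken from the project described above. The post does not name the cloud provider or the individual controls, so this policy assumes AWS and one representative baseline control: no security group may expose SSH (22) or RDP (3389) to 0.0.0.0/0. The policy name and the GovernanceExempt and GovernanceRemediated tag names are made up for the example.

```yaml
# Added example (not the project's own code). Assumes AWS; the post does not
# name the provider. Run in pull mode with the custodian CLI.
policies:
  - name: sg-remove-world-open-admin-ports
    resource: aws.security-group
    description: |
      Baseline control: no security group may allow 0.0.0.0/0 ingress to
      22 (SSH) or 3389 (RDP). Only the matched rules are removed, the rest
      of the group is left intact, and the group is tagged so the deviation
      is visible in the feedback loop and in log analytics.
    filters:
      # Exemption hook (tag name is an assumption): a group explicitly
      # exempted through the approval workflow is skipped, not silently
      # rewritten behind the requester's back.
      - "tag:GovernanceExempt": absent
      # Match any ingress rule whose port range covers 22 or 3389 and whose
      # source CIDR is the whole IPv4 internet.
      - type: ingress
        IpProtocol: tcp
        Ports: [22, 3389]
        Cidr:
          value: "0.0.0.0/0"
    actions:
      # Remove only the ingress rules the filter matched.
      - type: remove-permissions
        ingress: matched
      # Leave an audit marker (tag name is an assumption) for reporting.
      - type: tag
        key: GovernanceRemediated
        value: sg-remove-world-open-admin-ports
```

Validate the file with `custodian validate policy.yml`, then run it first as `custodian run --dryrun -s out policy.yml` and inspect `out/sg-remove-world-open-admin-ports/resources.json` to see which groups would be touched before dropping `--dryrun`. The same detect-then-remediate shape (filters select the deviation, actions fix it, an exemption tag keeps approved exceptions out of the blast radius) is how the remaining baseline controls are expressed in Custodian, one policy per control.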
Thus, within the planned timeframe, we were able to achieve the following goals:
• Complete automation of 150+ security controls as per ISO and other compliance requirements
• Complete infrastructure-as-code implementation that enables the institution to set up cloud resources via automated deployments
• Separation of resources into various clusters, enabling easier automation of network, server and other infrastructure components
• Setting up of governance policies for proactive monitoring and alerts
• Automated response to, and remediation of, incidents, deviations and events
• Implementation done using open-source, cross-platform tools (such as Terraform and Cloud Custodian), ensuring reusability and easy maintenance