A ‘DevOps’ approach to Cloud Governance

Cloud adoption is not a fancy term or esoteric practice any longer. The chasm between the ‘early adopters’ and the ‘slow but steady’  crowd  has been shrinking as well. More importantly across regulatory agencies worldwide, acceptance of the efficiency & utility of Public cloud has grown significantly. The blog highlights some experiences on A ‘DevOps’ approach to Cloud Governance in this blog.

However,  the maturity in the adoption process is what separates the wheat from the chaff.  Most customers tend to swing from ‘cloud is not secure’ to  ‘the native cloud tools are sufficient ‘.  The mature adopters, notably financial institutions, spend more resources upfront in devising a well-planned and governed implementation on the cloud.

Cloud governance, at its simplest, is to ensure that the cloud resources are deployed and managed and accessed in accordance with the Global security and governance standards, as well as the company’s policies that dictate the what, who, why, when, where and how. This includes everything from 

   . request and approval workflow  for a cloud resource

   . the accounts/networks etc where a resource can be placed

   . the authorization, access control, and security rules for that resource

   . the cost and reporting controls

to

   . Availability, performance and access requirements for the resource

Devising a set of standards  encompassing the above is good, however, if the enforcement of such policies is manual and cumbersome, then it beats the very logic of using a public cloud in the first place- agility and dynamism. Now, try this on multiple clouds for best-of-breed features, and the challenge is compounded.

How then do we ensure compliance with good governance, without compromising agility ? The answer lies in a programmatic method that ensures automated deployment,  comprehensivemonitoring and feedback, and remediation .

As mentioned above, if we take the set of policies , and convert the ‘human’ actions into automated set of actions, it is a good first step. However, automation does not mean a bunch of rag-tag scripts lying around…it is a cohesive set of tools, well integrated, that defines a successful ‘DevOps’ approach.

In a project that we implemented for a large Global Financial services institution​ was as below

Cloud Governance

At Cloud Kinetics, for Cloud Governance we went about the complex process in a set of sequential activities with clear goals and deliverables. The following were the broad set of phases and activities that were involved in it.

•​ Define Policies

•​ Arrive at Security controls

•​ Automate infra provisioning (infra as code)

• ​Monitoring and Alerts on Policy enforcement

•​ Remediation

• Manual

• Automated

At a solution level, the following where the key features of the cloud governance solution that was implemented

Automate creation of cloud  resources ( subnet, security groups, storage , key vault, IAM & RBAC ) through Terraform

Setup and Configure Alerts  (based on Secure Dev Ops tool kit framework) 

Create a machine-image gallery providing  approved images

Setup and Configure centralized log analytics

Setup a run book for  baseline check

Monitor and report deviations into the feedback loop

Configure auto-healing through Cloud custodian

Thus, in the planned timeframe, we were able to implement our goals such as

Complete automation of 150+ security controls as per ISO and other Compliance requirements

Complete infra as a code Implementation that enables the institution  to setup cloud resources via automated deployments

Separation of resources into various clusters enabling easier automation of Network, Server and other infra components

Setting up of governance policies for proactive monitoring and alerts

Complete remediation of incidents, deviations and events for automated response

Implementation done using open source, cross-platform tools (like Terraform, Cloud custodian)  ensuring reusability and easy maintenance

Follow us on LinkedIn, Facebook, Twitter for more updates on Cloud Governance.