Cloud adoption is no longer a fancy term or an esoteric practice. The chasm between the ‘early adopters’ and the ‘slow but steady’ crowd has been shrinking as well. Almost universally, and more importantly across regulatory agencies worldwide, acceptance of the efficiency and utility of the public cloud has grown significantly.

However, maturity in the adoption process is what separates the wheat from the chaff. Most customers tend to swing from ‘the cloud is not secure’ to ‘the native cloud tools are sufficient’. The mature adopters, notably financial institutions, spend more resources upfront on devising a well-planned and well-governed implementation on the cloud. We at Cloud Kinetics have had the good fortune to work with some of these larger institutions and would like to touch upon some of those experiences in this blog.

Cloud governance, at its simplest, ensures that cloud resources are deployed, managed and accessed in accordance with global security and governance standards, as well as the company’s own policies that dictate the what, who, why, when, where and how. This covers everything from:

   • the request and approval workflow for a cloud resource

   • the accounts, networks, etc. where a resource can be placed

   • the authorization, access control and security rules for that resource

   • the cost and reporting controls

to

   • the availability, performance and access requirements for the resource

Devising a set of standards encompassing the above is a good start; however, if the enforcement of those policies is manual and cumbersome, it defeats the very reason for using a public cloud in the first place: agility and dynamism. Now try this across multiple clouds, chosen for best-of-breed features, and the challenge is compounded.

How then do we ensure compliance with good governance without compromising agility? The answer lies in a programmatic method that ensures automated deployment, comprehensive monitoring and feedback, and remediation.

As mentioned above, taking the set of policies and converting the ‘human’ actions into an automated set of actions is a good first step. However, automation does not mean a bunch of rag-tag scripts lying around; it is a cohesive, well-integrated set of tools that defines a successful ‘DevOps’ approach.

The approach we took in a project for a large global financial services institution was as follows.

At Cloud Kinetics we broke the complex process into a set of sequential activities with clear goals and deliverables. The broad phases and activities involved were:

• Define policies

• Arrive at security controls

• Automate infra provisioning (infrastructure as code)

• Monitoring and alerts on policy enforcement

• Remediation

   • Manual

   • Automated

At a solution level, the following were the key features of the governance solution that was implemented:

• Automate creation of cloud resources (subnet, security groups, storage, key vault, IAM & RBAC) through Terraform

• Set up and configure alerts (based on the Secure DevOps Kit framework)

• Create a machine-image gallery providing approved images

• Set up and configure centralized log analytics

• Set up a run book for baseline checks

• Monitor and report deviations into the feedback loop

• Configure auto-healing through Cloud Custodian
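As an added illustration (not code from the original post or the project it describes), here is what the ‘monitor and report deviations’ and ‘auto-healing through Cloud Custodian’ steps can look like as Cloud Custodian policies. It assumes AWS as the target cloud; the account id, IAM role ARN, SQS queue URL and mailing address are placeholders.

```yaml
# Constructed example: two Cloud Custodian (AWS) policies for the
# monitor -> report -> remediate loop. All ARNs, URLs and addresses are
# placeholders and must be replaced with the institution's own values.
policies:
  # 1. Detective control: hourly baseline check that only reports, so the
  #    deviation lands in the feedback loop (dashboards, ticketing, mail).
  - name: sg-world-open-admin-ports-report
    resource: aws.security-group
    description: |
      Report security groups that allow SSH or RDP from the whole internet.
    mode:
      type: periodic
      schedule: "rate(1 hour)"
      role: arn:aws:iam::123456789012:role/CustodianRole   # placeholder
    filters:
      - type: ingress
        IpProtocol: tcp
        Ports: [22, 3389]
        Cidr:
          value: "0.0.0.0/0"
    actions:
      - type: notify
        template: default
        subject: "[governance] world-open admin port in {{ account }}"
        to: ["cloud-governance@example.com"]                # placeholder
        transport:
          type: sqs
          queue: https://sqs.ap-southeast-1.amazonaws.com/123456789012/c7n-mailer  # placeholder

  # 2. Auto-healing: triggered by the CloudTrail event that introduces the
  #    violation; strips only the offending rule and tags the group so the
  #    remediation is visible in later baseline reports.
  - name: sg-world-open-admin-ports-remediate
    resource: aws.security-group
    mode:
      type: cloudtrail
      role: arn:aws:iam::123456789012:role/CustodianRole   # placeholder
      events:
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupIngress
          ids: requestParameters.groupId
    filters:
      - type: ingress
        IpProtocol: tcp
        Ports: [22, 3389]
        Cidr:
          value: "0.0.0.0/0"
    actions:
      - type: remove-permissions
        ingress: matched      # remove only the rules the filter matched
      - type: tag
        key: c7n-remediated
        value: world-open-admin-port
```

Running the first policy in report-only mode for a while before enabling the second is the usual way to confirm the filter matches exactly the deviations the governance policy intends to catch.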

Thus, within the planned timeframe, we were able to achieve goals such as:

• Complete automation of 150+ security controls as per ISO and other compliance requirements

• A complete infrastructure-as-code implementation that enables the institution to set up cloud resources via automated deployments

• Separation of resources into various clusters, enabling easier automation of network, server and other infra components

• Governance policies set up for proactive monitoring and alerts

• Complete remediation of incidents, deviations and events through automated response

• Implementation using open-source, cross-platform tools (such as Terraform and Cloud Custodian), ensuring reusability and easy maintenance