Cloud Compliance and Governance: gaining visibility on hybrid and multicloud

Fernando Schubert
Published in Beck et al.
5 min read · Apr 29, 2020

Humans like to feel in control… Even if it is just the sense of control… Even if it is a false sense of control.

Yes, we really like to feel in control. From plane trips to driving cars, the feeling of not being in the driving seat makes most people anxious. And this is just one among multiple situations where we tend to feel lost, anxious and unsure about what will happen.

This is also true of IT infrastructure: we like to feel we are in control. In the “old days” of traditional on-premises data centers and centralized IT systems this feeling of control was usually stronger, especially in enterprise IT. Central data centers, standardized client environments, highly structured operations and carefully tracked changes (but I challenge you to show me a perfectly updated CMDB, or Configuration Management Database, and change tracking system) all added up to a, usually false, sense of control. The corporate firewall was the border between the perfectly organized world and the wild chaos of the Internet.

Then public clouds rose, along with DevOps and all the agile methods and frameworks telling you to be quick or die. And, to speed up the laggards, we now have the virus pandemic, forcing disruption on all levels.

The concept of a central IT as we knew it started to erode, with decisions on which SaaS solution to use, which apps to develop and which clouds to use being made more and more by the business units, driven by need and market speed. The business can no longer stop because there is no bandwidth left to run the new marketing campaign or because the developers are fighting the operations teams to get the needed base infrastructure on time.

Enterprises adopted different strategies to cope with the pressure for quicker innovation and business disruption. Some just allowed the business units to create their own worlds (or silos), developing solutions and deploying wherever it was cheaper and quicker, usually in one of the big hyperscalers (as I write, basically AWS, Azure and GCP). Others tried to extend the internal IT rules from on-premises to the cloud, using the same procurement, provisioning and services as they have on-premises; here, basically, instead of provisioning a local VM, the VM is now in the cloud. Added to this mix, some enterprises allowed multiple clouds while another group enforced a single-cloud strategy for all cloud deployments.

There is no golden rule for this control vs freedom, chaos vs order question, but from the common situations there are some best practices to bring order to chaos and set the boundaries for a successful multicloud adoption. I will name a few:

Have a global strategy. “Cloud first” is nice, but what does it mean?

  • Use a cloud adoption framework. AWS, Azure and GCP each have their own; use them as a guideline and focus on the quick wins and critical points as a start.
  • Set up an internal Cloud Center of Excellence (CCoE), which is basically a working group composed of technicians and key business users that defines the cloud guidelines and sets the boundaries for adoption in the enterprise.

Know your costs.

“When it was in our internal data center the infrastructure was free.” — Real world reply from an Application owner after discovering his/her application needs a base infrastructure to run in the cloud — and it is not free.

  • Know your internal TCO, or at least do not ignore the hidden costs. A common mistake when initially migrating workloads to the cloud is to consider the cost in the cloud higher than on-premises. And it might be true if it is just a pure rehosting, meaning from on-premises servers to cloud servers without any cloud-native transformation. But usually the calculation forgets the “hidden” costs of energy and operations, as well as the risks of a self-managed infrastructure (physical security, natural disasters, etc.).

Build guardrails, not walls. I consider this key to a successful cloud strategy. Do not create roadblocks; just set guardrails along the route to provide guidance and safety.

  • This topic focuses on giving teams the freedom to drive innovation while keeping a base set of rules and guidelines on security, compliance and design patterns.
  • Typical elements covered here are an enterprise account structure to define central logging, security controls, naming conventions, automation definitions and more.

Do not forget the people.

  • Start with a core team with cloud skills or interest in cloud and expand to the rest of the team. Bring current IT experts and developers on-board as soon as possible and work also to enhance the team skills with cloud components and services.

Gain visibility into multiple clouds with a cloud cost and compliance management tool

“If you can’t measure it, you can’t improve it.” — Peter Drucker

  • As the management guru says, if you do not have any visibility on what is running across clouds and vendors, it will be hard to understand what is going on in your organization, which strategy to follow and where the journey is leading. Adding a third-party, vendor-neutral tool for cloud management, especially for cost and usage, gives you valuable insights into where your money is going, how the cloud is being used, and what your on-premises and hybrid deployments might look like.
  • There is a vast number of tools for this. Here I will just mention CloudHealth by VMware, one of the market leaders and the one with the most compelling offering.
  • CloudHealth gives you a very granular level of detail and control over your cloud usage and spending, and also allows you to track compliance in your accounts and adherence to enterprise rules and guidelines.

Do your journey with a trusted partner. If you are unsure about how to start your journey, involving an expert partner can help you have a bump-free ride.

  • It is hard to know and decide which key elements to start working on, what the established best practices are and what the common mistakes are. An experienced cloud partner can avoid endless discussions and common mistakes by injecting knowledge and experience from other customers with similar requirements.
