Cloud governance is a set of guidelines covering how to run services in the cloud. Its aim is to enhance security, operate efficiently and manage the risks of cloud systems. A well-thought-out cloud governance document is crucial for keeping your cloud operations consistent in the future, so it is worth approaching this document properly.
Why only 10 things to consider?
There are a few major components of cloud governance, and this list is definitely not exhaustive. Every cloud governance document differs depending on the organization and its requirements or needs. The significance of this document is to ensure that the cloud is understood, along with its benefits and its differences compared to the on-premises world. Because public Cloud Service Providers operate in a multi-tenancy model, there is a certain level of security complexity that definitely needs to be considered.
I will cover the cloud model and understanding the cloud in more detail in future articles. In this one, I will concentrate on the aspects worth considering in cloud governance guidelines.
1 – Organizing the cloud
First of all, it is worth understanding the cloud (especially the Cloud Service Provider of your choice) and your organization's structure, so that you know how to design the environment. You need to build a proper cloud hierarchy that reflects your organization's needs. Otherwise, you may end up with complexity or issues in managing your environment and permissions.
An example is how you plan to set up Azure Management Groups, Subscriptions and Resource Groups within your Azure AD Tenant.
2 – Identity
Identity is quite an important aspect of your cloud environment. You need to think about how you plan to synchronize and/or create your user accounts within the cloud. This of course has to be well assessed, and will depend on your as-is situation and future mode of operations. You should not forget about proper control measures for your identities. This covers not only evaluating what roles you need, but also how to manage and protect them. Here, features like Conditional Access, Multi-Factor Authentication, Access Reviews or Privileged Identity Management will come in handy.
3 – Role-based access control
When you have your identities in the cloud, you should not forget to prepare the proper level of permissions. For cloud governance it is crucial to prepare, for example, a RASCI matrix, based on which you can identify the activities and tasks that may be executed in the environment, and later on prepare the set of necessary roles. Here, it is suitable to follow the least privilege principle. Why? Because it helps to give the right person the right level of permissions to perform daily duties.
4 – Cloud Governance Security aspects
This topic is quite broad, from encryption, through monitoring, logs and auditing, to security posture management and secure access.
It is worth highlighting that not all aspects of securing the cloud are your responsibility. There are some parts where you need to rely fully or partially on the Cloud Service Provider, especially as this is not an environment that you own. You just purchase the cloud services and lease some space for a period of time that you define. You should follow, for example, the Zero Trust model or Defense in depth to decide how to apply proper security controls to protect your assets. For example, the Microsoft Defense in depth model highlights 7 layers of defense. These include physical security, identity & access, perimeter, networking, compute, application, and data. Depending on the source, the number of layers or their naming may differ. However, it generally leads to the same aim: implementing solutions to protect various aspects of your landscape.
There are plenty of different solutions you can use for different layers. Examples in Azure:
- physical security – first line of defense. This is something that Microsoft needs to take care of. These are all the measures to ensure that their datacenters are secure.
- identity & access – solutions like MFA, Privileged Identity Management etc.
- perimeter – using e.g. Azure Firewall or Azure DDoS protection.
- networking – reduce or restrict communication between resources e.g. NSG.
- compute – encryption of disks and servers e.g. Server Side Encryption or Azure Disk Encryption, as well as deployment of antivirus e.g. Microsoft Defender for Cloud. Ensure that the system is up to date e.g. Azure Automation Update Management.
- application – applying a web application firewall e.g. Azure Application Gateway or Azure Front Door. Ensuring that application keys and secrets are properly protected e.g. Azure Key Vault.
- data – apply encryption at rest, in transit or in use. Control access to resources e.g. RBAC, Policies.
5 – Tagging
For cloud governance this is also quite a useful aspect. A tag provides metadata about the service, which gives you a way to properly label cloud resources. To bring benefits, tagging should be standardized. Of course, it is worth not overdoing it. Try to keep the list of tags short and consistent. Tagging will definitely help with grouping resources, cost management analysis or automation.
6 – Naming convention
This is also part of building cloud governance. It is crucial to standardize a naming convention that must be followed. This will not only help in managing resources but may also prevent conflicts in the names of services.
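An added example, not from the original article: a small audit that checks a resource inventory against a tag standard and a naming convention, as sections 5 and 6 recommend. The required tags, allowed environment values, name pattern and sample inventory are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed standard (not from the article): three required tags and a
# <type-prefix>-<workload>-<env>-<nn> naming pattern.
REQUIRED_TAGS = {"owner", "costcenter", "environment"}
ALLOWED_ENVIRONMENTS = {"dev", "test", "prod"}
NAME_PATTERN = re.compile(r"^(vm|st|kv|nsg)-[a-z0-9]+-(dev|test|prod)-\d{2}$")

# Constructed inventory, shaped like the JSON that `az resource list` returns.
INVENTORY = [
    {"name": "vm-billing-prod-01", "resourceGroup": "rg-billing",
     "tags": {"owner": "team-a", "costcenter": "1001", "environment": "prod"}},
    {"name": "BillingKV", "resourceGroup": "rg-billing",
     "tags": {"Owner": "team-a", "environment": "production"}},
    {"name": "nsg-web-dev-01", "resourceGroup": "rg-web", "tags": None},
    {"name": "vm-billing-prod-01", "resourceGroup": "rg-billing2",
     "tags": {"owner": "team-b", "costcenter": "1002", "environment": "prod"}},
]

def audit(resources):
    """Return a sorted, de-duplicated list of (resource name, finding) tuples."""
    findings = []
    name_counts = Counter(r["name"].lower() for r in resources)
    for r in resources:
        name, tags = r["name"], r.get("tags") or {}
        if not NAME_PATTERN.match(name):
            findings.append((name, "name does not match convention"))
        if name_counts[name.lower()] > 1:
            findings.append((name, "name is used by more than one resource"))
        # Keys that differ only by case split cost reports and automation queries.
        for key in tags:
            if key not in REQUIRED_TAGS and key.lower() in REQUIRED_TAGS:
                findings.append((name, f"tag key '{key}' should be '{key.lower()}'"))
        for key in sorted(REQUIRED_TAGS - {k.lower() for k in tags}):
            findings.append((name, f"missing required tag '{key}'"))
        env = {k.lower(): v for k, v in tags.items()}.get("environment")
        if env is not None and env not in ALLOWED_ENVIRONMENTS:
            findings.append((name, f"environment value '{env}' not allowed"))
    return sorted(set(findings))

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```
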
7 – Monitoring, Alerting, Logging
Monitoring, Alerting and Logging are crucial to incorporate into your cloud governance. This is not only about enabling monitoring, setting alerts or collecting logs. You need to evaluate what metrics to include and what logs to collect. You should also decide when and under which circumstances to trigger alerts, and to whom those alerts should be sent. A lack of monitoring may lead to limited visibility of your cloud environment's health and security, and by extension to painful downtime.
8 – Cost Management in Cloud Governance
In the cloud you pay for what you use. But if you do not remove resources, you will also pay while not using them. For the sake of your cloud governance, it is important to understand how the cloud cost model works. It is also good to know that, in the prices you pay for resources, you also get a few services at no additional cost.
For your cloud governance document, prepare a guideline on how to manage and assess the costs of your resources. Additionally, make sure to provide some practices for cloud cost optimization. You should have visibility of what you are paying for to gain control over your expenditures.
9 – Management Tools
There are plenty of tools that you can use for the cloud and for resource management. It would be good to have a finite number of solutions. Otherwise you may have a solution for every occasion, but you will be lost as to which one to use. This may increase complexity or lead to unresolved dependencies.
10 – Cloud Governance Policy
It is good to evaluate how you want to manage your environment and what boundaries you need to set. The point is not to include the final policy definitions in your cloud governance document. It is more about setting the principles or boundaries to protect your assets. Later on, those can be translated into a set of policies for posture management of your cloud environment.