
Michael Wachter
Principal Consultant
In order for public cloud to be used sustainably and in a controlled manner in the enterprise environment, efficient and customised cloud governance is required.
Author: Michael Wachter
Many companies realise that existing IT governance procedures cannot be adapted to the more dynamic situation of a public cloud and are therefore asking themselves the question: «How do we address the governance demands for public cloud within our company?»
If you are also asking yourself this question, this blog offers you an introduction to cloud governance for Azure.
Governance is a form of control and generally refers to the control and regulation system in the sense of structures (structural and procedural organisation) of a political-social unit such as the state, administration, municipality, private or public organisation. [Source: Wikipedia]
Cloud governance focuses on steering the use of a (public) cloud.
In a data centre or a private cloud, mainly two services are consumed: compute and storage. Other services such as network, backup, IAM, etc. are provided centrally by the data centre or private cloud.
In a public cloud, on the other hand, many other services can be consumed in addition to compute and storage, including services that are centrally specified in the private cloud. Therefore, the entire use of the public cloud must be regulated: what may be used, when, how and where?
Cloud governance can basically be divided into the following topic blocks:
looks at issues such as budget overruns, underutilisation, oversized resources and influences of architecture decisions on cost development.
covers topics including data encryption, network isolation, securing external and internal access, DDoS protection, network monitoring and security auditing.
addresses issues around unauthorised access, use of the same identity across multiple clouds/datacenters, optimal authentication methods and identity verification.
concerns the handling of labels, subscriptions, operating systems, monitoring and emergency situations.
to provide visibility for remediation and verify configuration security.
Cloud governance thus creates the basis for an iterative process to define guard rails for the use of a public cloud.
Enterprise Scale is a framework from Microsoft for setting up cloud governance to manage the state of an Azure environment. It can be compared very well with the planning of a large city:
The framework is based on best practices and Microsoft's experience with (Azure) customers. It is modular, offers a very good introduction to cloud governance and scales with needs.
A landing zone is a subscription that is provided for the implementation of a workload. For smaller Azure environments, a landing zone can also be a resource group (see below). A workload can be defined in different ways:
The framework itself is based on the principles:
Democratisation of subscriptions
Policy-based governance
A single level of control and management
Application-centred and archetype-neutral
Alignment with native Azure designs and roadmaps
These principles are considered in the discussion across different topics, such as IAM and network. As part of this discussion, an initial set of rules is created that can be iteratively expanded. For example, cloud usage could initially be limited to two regions. As the company grows abroad, additional regions could be added (if needed).
Furthermore, during the discussion, a better picture emerges of how one intends to group the workloads. For this grouping, the framework focuses primarily on the tenant, the hierarchy of management groups and subscriptions. If necessary, resource groups can also be included.
The framework can therefore be used for large Azure environments with many subscriptions, as well as for small Azure environments with few, or in extreme cases, even only one subscription.
Cloud governance is established and enforced by means of this grouping. For example, a Kubernetes or OpenShift cluster could be set up in one landing zone as a central service, while at the same time the setup of a Kubernetes or OpenShift cluster in any other landing zone is blocked. In this way:
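The two guard rails mentioned above (cloud usage initially limited to two regions, and Kubernetes/OpenShift clusters permitted in one landing zone but blocked in another) are enforced in practice with Azure Policy deny rules assigned at management-group scope and inherited by the landing zones below. The following is an added example, not code from Microsoft or the Enterprise Scale framework: a small evaluator that models that inheritance. The rule shape (if/then, field, in/notIn, equals) follows Azure Policy's JSON language; the hierarchy, scope names, assignments and parameter values are constructed for the example.

```python
"""Mini evaluator of Azure Policy deny rules inherited through a management
group hierarchy. Added example (not Microsoft's or the framework's code); the
hierarchy, scope names and assignments are constructed for illustration."""

# Constructed hierarchy: management group -> parent ("" = tenant root group).
HIERARCHY = {"landing-zones": "", "lz-platform": "landing-zones", "lz-app-a": "landing-zones"}

# Initial guard rail: cloud usage limited to two regions (parameterised assignment).
ALLOWED_LOCATIONS = {"if": {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                     "then": {"effect": "deny"}}
# Block Kubernetes/OpenShift clusters outside the landing zone that hosts them centrally.
DENY_CLUSTERS = {"if": {"field": "type", "in": ["Microsoft.ContainerService/managedClusters",
                                                "Microsoft.RedHatOpenShift/openShiftClusters"]},
                 "then": {"effect": "deny"}}

# Assignments: (scope, name, rule, parameters). An assignment at a management group
# applies to every landing zone (subscription) beneath it; regions can be added later.
ASSIGNMENTS = [("", "allowed-locations", ALLOWED_LOCATIONS,
                {"allowedLocations": ["westeurope", "switzerlandnorth"]}),
               ("lz-app-a", "deny-clusters", DENY_CLUSTERS, {})]

def _resolve(value, params):
    """Substitute "[parameters('name')]" with the assignment's parameter value."""
    if isinstance(value, str) and value.startswith("[parameters('"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value

def matches(cond, resource, params):
    """Evaluate one policy condition; Azure Policy string comparisons are case-insensitive."""
    actual = str(resource.get(cond["field"], "")).lower()
    if "equals" in cond:
        return actual == _resolve(cond["equals"], params).lower()
    values = [v.lower() for v in _resolve(cond.get("in", cond.get("notIn")), params)]
    return actual in values if "in" in cond else actual not in values

def scope_chain(scope):
    """The scope itself plus every ancestor management group up to the tenant root."""
    chain = [scope]
    while chain[-1] != "":
        chain.append(HIERARCHY[chain[-1]])
    return chain

def evaluate(scope, resource):
    """Return 'allowed', or the name of the first inherited deny rule that matches."""
    for a_scope, name, rule, params in ASSIGNMENTS:
        if a_scope in scope_chain(scope) and matches(rule["if"], resource, params):
            return f"denied by {name}"
    return "allowed"
```

With these assignments an AKS cluster deploys in lz-platform but is denied in lz-app-a, and any resource outside the two regions is denied in every landing zone, regardless of which team owns it.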
Enterprise Scale offers a very good introduction to cloud governance for Azure. On the one hand, the individual topics are intensively explored with considerations and recommendations; on the other hand, it is modular and can be tailored to your needs. Enterprise Scale thus provides an excellent basis for discussion within your company.
We have had very good experiences with the framework and its implementation. However, there are still open questions (e.g. handling multiple Azure AD tenants, MCA instead of EA) to which the framework does not provide a clear answer; even in these cases it can serve as a useful point of comparison. It is important to involve in the discussion the people who will later take over the tasks in the areas of operations, network and security.