Governance Strategies & Tools for Cloud Formation

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Anya Epishcheva
Senior Consultant, Professional Services, Amazon Web Services
Governance Strategies and Tools for
Cloud Transformation

Why are we talking about
Cloud Governance?

Firms with above-average IT governance
had more than 20% higher profits than
firms with poor governance*
*Peter Weil and Jeanne W. Ross, IT Governance: How Top Performers Manage IT Decision Rights for Superior Results (HBS Press, 2004)

Why Cloud Governance in the Public Sector?
1. Reduction in Access and Security Risks
2. Ensures regulatory compliance (HIPAA, PCI, NIST, etc.)
3. Cost Avoidance/Reduction/Optimisation
4. Elimination of rogue IT and disparate cloud initiatives
5. Defines automation methods and parameters
6. Increases capacity for Innovation in the organisation
7. Enhanced management of the consumption of cloud resources

What is Cloud
Governance?

Governance
“What would you say…you do here?”
–Bob (Office Space 1999)
• Make Laws
• Administrate Laws
• Adjudicate Laws
• Allocate Shared Assets for Shared Goals

Understanding Governance
MAKE GOOD DECISIONS AS A SOCIETY FOR THE SOCIETYWHY GOV’T
GOVERNANCE IDEOLOGY
HOW A
GOV’T IS
DESIGNED
GOVERNANCE SCOPE
MAKE
LAWS
ADMINISTRATE
LAWS
ADJUDICATE
LAWS
ALLOCATE SHARED
ASSETS FOR
SHARED GOALS
WHAT A
GOV’T
DOES
PROCESSES
what are the accepted processes through which
the structures make, administrate, adjudicate, and
allocate
STRUCTURES
what bodies make, administrate, adjudicate, and
allocate, how are members chosen, what rights,
roles, and responsibilities do they have
HOW A
GOV’T IS
DELIVERED

Understanding Governance
PROCESSES
what are the accepted processes through which
the structures make, administrate, adjudicate, and
allocate
MAKE
Policies and
Standards
ADMINISTRATE
Policies and
Standards
ADJUDICATE
Policies and
Standards
MANAGE
Cloud Services
GOVERNANCE IDEOLOGY – Philosophy for governance
STRUCTURES
what bodies make, administrate, adjudicate, and
allocate, how are members chosen, what rights,
roles, and responsibilities do they have
What IT
Governance
Does
How IT
Governance
is Designed
GOVERNANCE SCOPE – Which part of organization?
How IT
Governance
is Delivered
Enjoy Benefits of Good Decisions for the OrganizationWhy IT
Governance

Governance scope

PLAN & ORGANIZE ACQUIRE & IMPLEMENT DELIVER & SUPPORT MONITOR & EVALUATE
• Define a Strategic IT Plan
• Define the Information
Architecture
• Determine Technological
Direction
• Define the IT Processes,
Organisation and
Relationships
• Manage the IT Investment
• Communicate Management
Aims and Direction
• Manage IT Human
Resources
• Manage Quality
• Assess and Manage IT
Risks
• Manage Projects
• Identify Automated Solutions
• Acquire and Maintain
Application Software
• Acquire and Maintain
Technology Infrastructure
• Enable Operation and Use
• Procure IT Resources
• Manage Changes
• Install and Accredit
Solutions and Changes
• Define and Manage Service
Levels
• Manage Third-party
Services
• Manage Performance and
Capacity
• Ensure Continuous Service
• Ensure Systems Security
• Identify & Allocate Costs
• Educate & Train Users
• Manage Service Desk and
Incidents
• Manage the Configuration
• Manage Problems
• Manage Data
• Manage the Physical
Environment
• Manage Operations
• Monitor and Evaluate IT
Performance
• Monitor and Evaluate
Internal Control
• Ensure Compliance With
External Requirements
• Provide IT Governance
* COBIT also defines sub-activities for each core activity
COBIT outlines the scope of the governance function

Process What Changes?
P04 – Define the IT processes, organization PEOPLE: processes, org structures, job descriptions, skillsets,
performance expectations transformed. System “ownership”
redefined. New Cloud-related skills are required.
P07 – Manage IT human resources
P03 – Determine Technology Direction INFRA MANAGEMENT: cloud self-service can bypass current
Procurement processes, flexibility offerings can impact
standardization and accreditation.
AI7 – Install and accredit solutions and changes
P05 – Manage the IT investment COST MANAGEMENT: shifting from CapeX to OpeX and
cost metrics, tracking and reporting tools & processes. Pay-for-
chargeback system can be very different then just a general
of IT costs, and becomes more real-time in nature. Legal and
contractual perspective is transformed.
ME1 – Monitor and evaluate IT performance
DS6 – Identify and allocate costs
AI5 – Procure IT resources
AI4 – Enable operation and use COMPLIANCE AUTOMATION: Infrastructure and application
components transformed, more opportunities to enforce
and automate remediation response
ME3 – Manage compliance and performance
Cloud brings new opportunities and challenges

Governance ideology

L0 – Decentralized
Control
L1 – Centralized
Control
L2 – Decentralized
Control with
Automation
L3 – Centralized
Control with Self-
service
Levels of Cloud Governance (ideology)

3 Phases of Cloud Governance
• Minimal integration
• Reactive environment
• Cost overruns
• Manual deployments
• No cloud structure
Beginning
• Regulatory body is in
place and policies are
maturing
• Policies matched to
process
• Designing for cost
• Rapid deployment
Adopting
• Full automation and
self-service
• Benefits of cloud
services realized
• Agility and control
• Optimized for cost
• Secure and compliant
environment
Mature

Cloud Centre of
Excellence as an enabler
for maturing your
governance

Focus innovators and early adopters on identifying
and promoting best practices early
Leadership
Applications
SecurityInfrastructure
Operations
Functional
A “hands-on” team that acts as a
delivery catalyst, engaging with
project teams to drive cloud initiatives.
Advisory
A consultancy team and policy board,
giving advice and providing guidance
on best practice to teams, establishing
policies and standards.
Prescriptive
A policy board who provides leadership
and blueprints to teams on how cloud
projects should be constituted and
executed within the organisation.
Relaxed
ControlledCloud Tiger Team

Cloud Engineering
(Director)
Scaling your cloud organization beyond a
Tiger Team Do not grow the size of the Tiger
Team. Instead, break it apart into
additional teams.
These teams are cross-functional
product teams that take on
ownership of additional outcomes.
On-Boarding Finance
Enterprise
Architecture Marketing
Operations
Engineering
Infrastructure
Engineering
Security
Engineering
Governance
Cloud Business Office
(Director)
As your Cloud Service
expands and additional
people are required to
complete the scope in your
desired timeframe…
Leadership
Applications
SecurityInfrastructure
Operations
Engineering
teams will
specialize in
an area, but
will have a
common set of
skills shared
across all
product teams

Let’s look at the
governance tools for
every phase

Phase 1: Beginning (strategies)
1. Task a cross-functional group of employees with identifying existing patterns
and internal best practices
2. Start developing early governance model and establish policies for:
• Account Management
• Cost Management
• Compliance Automation
• (Network, Instance and Storage)
3. Immediately prove the model and policies working jointly with one of the
application teams to start iterate
Monitor Control Fix

INFRASTRUCTURE
MANAGEMENT
Account Management: Guardrails to speed-up approval cycles
Tools: AWS Organizations, AWS Trusted Advisor, cross-account roles
COST MANAGEMENT
Ensure AWS accounts and workloads do not exceed budget
Tools: consolidated billing, tagging strategy, AWS Budgets, AWS
Advisor
COMPLIANCE
AUTOMATION
Provide continuous monitoring and enforce security controls
Tools: AWS Config, AWS Trusted Advisor, AWS CloudTrail, AWS
Phase 1: Beginning (tools)

Account Management
• Use a consolidated admin AWS account
• IAM users live in this account
• IAM users assume roles to access other AWS accounts
• Enforce MFA for role assumption
• Use AWS Organisations to define basic guardrails
• Implement “single sign-on” through federation
• Use Enterprise Accelerators as a starting point
• Policy assignment to IAM users/groups/roles
• Consolidated Admin Baseline
• Target Account Baseline
• Account Ownership and contact information

Cost visibility with tagging
Cost
Center
Business
Unit
Tier
Owner
Dept./
Group
Shutdown
schedule
Support
Contact
Endpoint
Backup
Expiration
AWS Managed Config Rules
AWS Tag Editor
Environment
Product/
Application

Compliance automation using Trusted Advisor
Setup and usage instructions are present
for each tool in its respective directory:
Stop Amazon EC2 instances with low utilization
Create snapshots for EBS volumes with no recent backup
Delete exposed IAM Keys and monitor usage
https://github.com/aws/Trusted-Advisor-Tools

Compliance using AWS Config & AWS Cloudwatch
https://docs.aws.amazon.com/config/latest/developergui
de/evaluate-config_use-managed-rules
1Identity and Access Management
1.1Avoid the use of the "root" account CloudWatch Alarm
…
1.3Ensure credentials unused for 90 days or greater are disabled CloudWatch Rule
1.6Ensure IAM password policy require at least one lowercase letter Config Rule
1.7Ensure IAM password policy require at least one symbol Config Rule
1.8Ensure IAM password policy require at least one number Config Rule
1.9Ensure IAM password policy requires minimum length of 14 or greater Config Rule
1.10Ensure IAM password policy prevents password reuse Config Rule
1.11Ensure IAM password policy expires passwords within 90 days or less Config Rule
…
4.3Ensure VPC flow logging is enabled in all VPCs Config Rule
4.4Ensure the default security group of every VPC restricts all traffic Config Rule
4.5Ensure routing tables for VPC peering are "least access" Config Rule

Phase 2: Adopting
1. Develop Self-Service Policies
2. Develop Data Governance Policies
3. Develop Continuous Integration / Deployment Policy
4. Develop Design-for-Cost Architecture Guidelines
5. Develop Cloud Audit and Compliance Policies
6. Develop a common API Design Framework
Monitor Control Fix

INFRASTRUCTURE
MANAGEMENT
Standardize and streamline provisioning, maintenance, and access
policies for many AWS accounts and workloads
Tools: AWS Service Catalog, partner solutions, customer tools
COST MANAGEMENT
Cost optimization based on collected data (right-sizing), temporary
infrastructure, architect for cost
Tools: AWS Lambda automation, AWS Redshift, AWS Well-Architected
Framework
COMPLIANCE
AUTOMATION
Provide continuous monitoring, configuration management, and
enforce security controls
Tools: AWS Service Catalog, partner solutions
Phase 2: Adopting (tools)

Provisioned
Products
End-UserAdministration
Users / Groups
Portfolios CF Templates /
Products
Tags
ConstraintsAccounts
AWS Cloud
Formation
AWS Service Catalog Provides a
Governance Framework

Key Features
Tag Enforcement
Portfolio Level IAM access
Denial of end-user access to
underlying services
Constraint CloudFormation
Parameters
Share Portfolios
Version & Re-use Products
API, CLI, Console
AWS Marketplace to AWS Service
Catalog Copy

Architect for cost using Well-Architected Framework
+
Standard Setup
• 4 x Medium Instances
$193
• AWS Data Transfer 1 TB
$92
• Total = $285
Optimized
• 1 x Medium Instance
$48
• CloudFront Data 1 TB
$87
• CloudFront Requests (10M)
$7.5
• Total = $142.5
50%
6X
Cheaper
Faster

Better cost visibility using AWS and partner tools
3rd party tools can help you accelerate reporting &
tooling maturity (provides advanced Reserved
Instances and Rightsizing recommendations)
https://aws.amazon.com/aws-cost-management/
https://aws.amazon.com/security/partner-solutions/
AWS Cost and Usage Report data can be
directly uploaded into Amazon Redshift and
Amazon Quicksight. The data allows you to
analyze your costs in greater detail and also
allows you to customize the report (e.g.,
include Resource IDs and view data at an
hourly time level).
https://www.youtube.com/watch?v=2JnfuAA-TiU
https://aws.amazon.com/about-aws/whats-new/2016/08/aws-cost-and-
usage-report-data-is-now-easy-to-upload-directly-into-amazon-redshift-
and-amazon-quicksight/

Automated compliance – build your own…
Capital One’s Cloud Custodian open
source tool enables advanced
tagging compliance and remediation
http://www.capitalone.io/cloud-
custodian/docs/

Operating System Guardrails
Image Management (Whitelist AMIs)
CIS Benchmark Hardening applied
Patch Management
Sudo rights managed
Sync AD User accounts & SSH keys
Networking Guardrails
Security Group & Firewall Mgmt.
VPC Management & Lockdown
IP Space Management
Core Service Mgmt (e.g. DNS, NTP. Etc.)
Network Automation
AWS Service Guardrails
AWS Service White/Blacklisting.
Encryption Management
Automated Logging Mgmt.
IAM & AD User Synchronization
Cost Controls
Automated Best Practices
Data Protection Guardrails
Automated Snapshots
Automated Data Retention
S3 Encryption Policies
EC2 Encryption Policies
RDS Encryption Checks
Full Audit Logging
… or use partner tools (one of examples)
The <OPTION> <REQUIREMENT> be <VALUE> in <SCOPE>.
MUST =
SHOULD =
Required by policy
Recommended default
Cluster
Account A
VM DB …
B
VM …
e.g. Logs Retention Days
e.g. RDS Oracle Enabled
e.g. 90
e.g. False

Phase 3: Mature
1. Develop advanced automation techniques and policies to promote
further cost reduction, agility, and resiliency:
• Automated testing and code promotion from each tier to production
• Automated Disaster Recovery testing
• Automated instance power down / power up for non reserved instances
• Utilization of Spot Instances – when and where to use
2. Develop Transition Policies to Define Services
3. Develop Policies Allowing Existing Applications to Test-for-Cost (scale up
/ scale out)
Monitor Control Fix

INFRASTRUCTURE
MANAGEMENT
Advanced automation techniques and policies to promote further cost
reduction, agility, and resiliency
Tools: operating processes automation
COST MANAGEMENT
Test-for-Cost, cultural change to find additional pockets of cost
Tools: AWS Spot Instances, automated start/stop
COMPLIANCE
AUTOMATION
Business-focused governance reporting
Some tools: AWS Service Catalog, partner solutions
Phase 3: Mature (tools)

Operations should be transformed

Right Sizing and Elasticity example
87%
Saving
m4.4xlarge
$1.72 per hr
m4.large
$0.215 per hr
2. Check (CPU, RAM,
network, disc)
1. Migrate/provision
& Run
3. Right Size
5. Save!4. Review
Performance
Rule of thumb: Right size, then reserve.
(But if you’re in a pinch, reserve first.)
Turn off nonproduction instances
• Look for dev/test, nonproduction instances that are
running always-on and turn them off.
Autoscale production
• Use Auto Scaling to scale up and down based on
demand and usage (for example, spikes).
Spot instances
• Look for opportunities to use spot
instance fleets to achieve even
more savings (dev/test)
Rule of thumb: Shoot for 20–30% of Amazon EC2
instances running on demand to be able to handle
elasticity needs.

Governance Reporting: Measuring Success for
Business Owners
Operational
• Snapshot at time of violation (enough
data to justify the occurrence of the
event)
• Kept for historical analysis
Business Unit
• List of assets that are non-compliant with
a given policy
• Grouped by owners
Executive/Health
• BU level aggregate stats (# of assets out
of compliance)
Financial management policies
Performance Management Policies
Security and Incident Management Policies
Operational Governance Policies
Asset & Configuration Management Policies
Cost optimization Policies

Adoption chasm is a part of cloud transformation
Innovators Early Adopters Early Majority Late Majority
PROJECT
FOUNDATION
MIGRATION
REINVENTION
value
Sceptics
time
RETIRING TECHNICAL
DEBT
CLOUD-NATIVE
INNOVATION

Thank you!

Governance Strategies & Tools for Cloud Formation

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Governance Strategies & Tools for Cloud Formation

Similar to Governance Strategies & Tools for Cloud Formation (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Governance Strategies & Tools for Cloud Formation